cartodb-4.42/spec/requests/admin/organizations_controller_spec.rb

455 lines
16 KiB
Ruby
Raw Normal View History

2024-04-06 13:25:13 +08:00
require_relative '../../spec_helper_min'
require_relative '../../factories/organizations_contexts'
describe Admin::OrganizationsController do
include Warden::Test::Helpers
include_context 'organization with users helper'
let(:out_of_quota_message) { "Your organization has run out of quota" }
let(:out_of_seats_message) { "Your organization has run out of seats" }
before(:all) do
@org_user_2.org_admin = true
@org_user_2.save
end
describe '#settings' do
let(:payload) do
{
organization: { color: '#ff0000' }
}
end
let(:payload_password) do
{
organization: { color: '#ff0000' },
password_confirmation: @org_user_owner.password
}
end
let(:payload_wrong_password) do
{
organization: { color: '#ff0000' },
password_confirmation: 'prapra'
}
end
before(:each) do
host! "#{@organization.name}.localhost.lan"
Organization.any_instance.stubs(:update_in_central).returns(true)
end
it 'cannot be accessed by non owner users' do
login_as(@org_user_1, scope: @org_user_1.username)
get organization_settings_url(user_domain: @org_user_1.username)
response.status.should eq 404
login_as(@org_user_2, scope: @org_user_2.username)
get organization_settings_url(user_domain: @org_user_2.username)
response.status.should eq 404
end
it 'cannot be updated by non owner users' do
login_as(@org_user_1, scope: @org_user_1.username)
put organization_settings_update_url(user_domain: @org_user_1.username), payload
response.status.should eq 404
login_as(@org_user_2, scope: @org_user_2.username)
put organization_settings_update_url(user_domain: @org_user_2.username), payload
response.status.should eq 404
end
it 'can be accessed by owner user' do
login_as(@org_user_owner, scope: @org_user_owner.username)
get organization_settings_url(user_domain: @org_user_owner.username)
response.status.should eq 200
end
it 'can be updated by owner user' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_settings_update_url(user_domain: @org_user_owner.username), payload_password
response.status.should eq 302
end
it 'fails to update if no password_confirmation' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_settings_update_url(user_domain: @org_user_owner.username), payload
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
end
it 'fails to update if wrong password_confirmation' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_settings_update_url(user_domain: @org_user_owner.username), payload_wrong_password
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
end
end
describe '#regenerate_api_keys' do
it 'regenerate api keys for all org users' do
api_key = @carto_org_user_owner.api_keys.create_regular_key!(name: 'wadus', grants: [{ type: 'apis', apis: [] }])
@organization.engine_enabled = true
@organization.save
host! "#{@organization.name}.localhost.lan"
login_as(@org_user_owner, scope: @org_user_owner.username)
post regenerate_organization_users_api_key_url(
user_domain: @org_user_owner.username,
password_confirmation: @org_user_owner.password
)
response.status.should eq 302
@organization.users.each do |u|
old_api_key = u.api_key
u.reload
expect(u.api_key).to_not eq old_api_key
end
expect { api_key.reload }.to(change { api_key.token })
api_key.destroy
end
end
describe '#delete' do
before(:all) do
@delete_org = test_organization
@delete_org.save
helper = TestUserFactory.new
@delete_org_owner = helper.create_owner(@delete_org)
@delete_org_user1 = @helper.create_test_user(unique_name('user'), @delete_org)
end
after(:all) do
@delete_org.destroy_cascade if Carto::Organization.exists?(@delete_org.id)
end
before(:each) do
host! "#{@delete_org.name}.localhost.lan"
Organization.any_instance.stubs(:update_in_central).returns(true)
end
it 'cannot be accessed by non owner users' do
login_as(@delete_org_user1, scope: @delete_org_user1.username)
delete organization_destroy_url(user_domain: @delete_org_user1.username)
response.status.should eq 404
end
describe 'as owner' do
before(:each) do
login_as(@delete_org_owner, scope: @delete_org_owner.username)
end
it 'returns 400 if no password confirmation is provided' do
delete organization_destroy_url(user_domain: @delete_org_owner.username)
response.status.should eq 400
response.body.should include("Password doesn't match")
end
it 'returns 400 if password confirmation is wrong' do
payload = { deletion_password_confirmation: @delete_org_owner.password + 'wadus' }
delete organization_destroy_url(user_domain: @delete_org_owner.username), payload
response.status.should eq 400
end
it 'deletes organization and redirects if passwords match' do
payload = { deletion_password_confirmation: @delete_org_owner.password }
delete organization_destroy_url(user_domain: @delete_org_owner.username), payload
response.status.should eq 302
Carto::Organization.exists?(@delete_org.id).should be_false
end
end
end
describe '#auth' do
let(:payload) do
{
organization: {
whitelisted_email_domains: '',
auth_username_password_enabled: true,
auth_google_enabled: true,
auth_github_enabled: true,
strong_passwords_enabled: false,
password_expiration_in_d: 1
}
}
end
let(:payload_password) do
{
organization: {
whitelisted_email_domains: '',
auth_username_password_enabled: true,
auth_google_enabled: true,
auth_github_enabled: true,
strong_passwords_enabled: false,
password_expiration_in_d: 1
},
password_confirmation: @org_user_owner.password
}
end
let(:payload_wrong_password) do
{
organization: {
whitelisted_email_domains: '',
auth_username_password_enabled: true,
auth_google_enabled: true,
auth_github_enabled: true,
strong_passwords_enabled: false
},
password_confirmation: 'prapra'
}
end
before(:each) do
host! "#{@organization.name}.localhost.lan"
login_as(@org_user_owner, scope: @org_user_owner.username)
Organization.any_instance.stubs(:update_in_central).returns(true)
end
it 'cannot be accessed by non owner users' do
login_as(@org_user_1, scope: @org_user_1.username)
get organization_auth_url(user_domain: @org_user_1.username)
response.status.should eq 404
login_as(@org_user_2, scope: @org_user_2.username)
get organization_auth_url(user_domain: @org_user_2.username)
response.status.should eq 404
end
it 'cannot be updated by non owner users' do
login_as(@org_user_1, scope: @org_user_1.username)
put organization_auth_update_url(user_domain: @org_user_1.username), payload
response.status.should eq 404
login_as(@org_user_2, scope: @org_user_2.username)
put organization_auth_update_url(user_domain: @org_user_2.username), payload
response.status.should eq 404
end
it 'can be accessed by owner user' do
login_as(@org_user_owner, scope: @org_user_owner.username)
get organization_auth_url(user_domain: @org_user_owner.username)
response.status.should eq 200
end
it 'can be updated by owner user' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_auth_update_url(user_domain: @org_user_owner.username), payload_password
response.status.should eq 302
end
it 'cannot be updated by owner user if missing password_confirmation' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_auth_update_url(user_domain: @org_user_owner.username), payload
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
end
it 'cannot be updated by owner user if wrong password_confirmation' do
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_auth_update_url(user_domain: @org_user_owner.username), payload_wrong_password
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
end
it 'updates password_expiration_in_d' do
@organization.password_expiration_in_d = nil
@organization.save
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_auth_update_url(user_domain: @org_user_owner.username), payload_password
response.status.should eq 302
@organization.reload
@organization.password_expiration_in_d.should eq 1
payload_password[:organization][:password_expiration_in_d] = ''
host! "#{@organization.name}.localhost.lan"
login_as(@org_user_owner, scope: @org_user_owner.username)
put organization_auth_update_url(user_domain: @org_user_owner.username), payload_password
response.status.should eq 302
@organization.reload
@organization.password_expiration_in_d.should be_nil
end
describe 'signup enabled' do
before(:all) do
@organization.whitelisted_email_domains = ['carto.com']
@organization.save
end
before(:each) do
@organization.signup_page_enabled.should eq true
end
it 'does not display out warning messages if organization signup would work' do
@organization.unassigned_quota.should > @organization.default_quota_in_bytes
get organization_auth_url(user_domain: @org_user_owner.username)
response.status.should eq 200
response.body.should_not include(out_of_quota_message)
response.body.should_not include(out_of_seats_message)
end
it 'displays out of quota message if there is no remaining quota' do
old_quota_in_bytes = @organization.quota_in_bytes
old_remaining_quota = @organization.unassigned_quota
new_quota = (@organization.quota_in_bytes - old_remaining_quota) + (@organization.default_quota_in_bytes / 2)
@organization.reload
@org_user_owner.reload
@organization.quota_in_bytes = new_quota
@organization.save
get organization_auth_url(user_domain: @org_user_owner.username)
response.status.should eq 200
response.body.should include(out_of_quota_message)
@organization.quota_in_bytes = old_quota_in_bytes
@organization.save
end
it 'displays out of seats message if there are no seats left' do
old_seats = @organization.seats
new_seats = @organization.seats - @organization.remaining_seats
@organization.reload
@org_user_owner.reload
@organization.seats = new_seats
@organization.save
get organization_auth_url(user_domain: @org_user_owner.username)
response.status.should eq 200
response.body.should include(out_of_seats_message)
@organization.seats = old_seats
@organization.save
end
end
describe 'signup disabled' do
before(:all) do
@organization.whitelisted_email_domains = []
@organization.save
end
before(:each) do
@organization.signup_page_enabled.should eq false
end
it 'does not display out warning messages even without quota and seats' do
old_quota_in_bytes = @organization.quota_in_bytes
old_seats = @organization.seats
@organization.reload
@org_user_owner.reload
@organization.seats = @organization.assigned_seats
@organization.quota_in_bytes = @organization.assigned_quota + 1
@organization.save
get organization_auth_url(user_domain: @org_user_owner.username)
response.status.should eq 200
response.body.should_not include(out_of_quota_message)
response.body.should_not include(out_of_seats_message)
@organization.quota_in_bytes = old_quota_in_bytes
@organization.seats = old_seats
@organization.save
end
end
end
shared_examples_for 'notifications' do
before(:each) do
host! "#{@organization.name}.localhost.lan"
login_as(@admin_user, scope: @admin_user.username)
end
describe '#notifications' do
it 'displays last notification' do
body = 'Free meal today'
FactoryGirl.create(:notification, organization: @carto_organization, body: body)
get organization_notifications_admin_url(user_domain: @admin_user.username)
response.status.should eq 200
response.body.should include(body)
end
end
describe '#new_notification' do
it 'creates a new notification' do
params = {
body: 'the body',
recipients: Carto::Notification::RECIPIENT_ALL
}
post new_organization_notification_admin_url(
user_domain: @admin_user.username
), carto_notification: params, password_confirmation: @admin_user.password
response.status.should eq 302
flash[:success].should eq 'Notification sent!'
notification = @carto_organization.reload.notifications.first
notification.body.should eq params[:body]
notification.recipients.should eq params[:recipients]
notification.icon.should eq Carto::Notification::ICON_ALERT
end
it 'does not create a new notification if wrong password_confirmation' do
params = {
body: 'the body wrong',
recipients: Carto::Notification::RECIPIENT_ALL
}
post new_organization_notification_admin_url(
user_domain: @admin_user.username
), carto_notification: params, password_confirmation: 'prapra'
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
notification = @carto_organization.reload.notifications.first
notification.body.should_not eq params[:body]
end
it 'does not create a new notification if missing password_confirmation' do
params = {
body: 'the body missing',
recipients: Carto::Notification::RECIPIENT_ALL
}
post new_organization_notification_admin_url(user_domain: @admin_user.username), carto_notification: params
response.status.should eq 403
response.body.should match /Confirmation password sent does not match your current password/
notification = @carto_organization.reload.notifications.first
notification.body.should_not eq params[:body]
end
end
describe '#destroy_notification' do
it 'destroys a notification' do
notification = @carto_organization.notifications.first
delete destroy_organization_notification_admin_url(user_domain: @admin_user.username, id: notification.id)
response.status.should eq 302
flash[:success].should eq 'Notification was successfully deleted!'
@carto_organization.reload.notifications.should_not include(notification)
end
end
end
describe 'with organization owner' do
it_behaves_like 'notifications' do
before(:all) do
@admin_user = @org_user_owner
end
end
end
describe 'with organization admin' do
it_behaves_like 'notifications' do
before(:all) do
@admin_user = @org_user_2
end
end
end
end