references/openproject
1
0
Fork 0
mirror of https://github.com/opf/openproject.git synced 2026-06-14 03:30:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
dev
openproject/spec/requests/api/v3/capability_resource_spec.rb
T
Jens Ulferts 54093a5e22 Fix/add visibibility scope to capabilities (#21993) 
* introduce visible scope to capabilities and apply it to CapabilityQuery

* remove redundant scope

Capability has the `.default` scope as its default scope

* adding spec on show action for unreadable capability

* reuse existing shared example

* move Principal.visible check into Capability.visible
2026-02-16 09:30:08 +01:00

539 lines
15 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++
require "spec_helper"
require "rack/test"
RSpec.describe "API v3 capabilities resource", content_type: :json do
include Rack::Test::Methods
include API::V3::Utilities::PathHelper
subject(:response) { last_response }
shared_let(:project) { create(:project) }
shared_current_user do
create(:user,
member_with_permissions: { project => %i[manage_members] })
end
let(:role) do
create(:project_role, permissions: %i[manage_members])
end
let(:global_role) do
create(:global_role, permissions: %i[create_user manage_user])
end
let(:other_user) { create(:user) }
let(:other_user_global_member) do
create(:global_member,
principal: other_user,
roles: [global_role])
end
let(:other_user_member) do
create(:member,
principal: other_user,
roles: [role],
project:)
end
describe "GET api/v3/capabilities" do
let(:setup) do
other_user_global_member
other_user_member
end
let(:filters) { nil }
let(:path) { api_v3_paths.path_for(:capabilities, filters:, sort_by: [%i(id asc)]) }
before do
setup
get path
end
context "without params" do
it "responds 400 Bad Request" do
expect(subject.status).to eq(400)
end
it "communicates that either a context or a principal filter is required" do
expect(subject.body)
.to be_json_eql("Error".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("urn:openproject-org:api:v3:errors:InvalidQuery".to_json)
.at_path("errorIdentifier")
end
end
context "when filtering by principal id (with a user)" do
let(:filters) do
[{ "principalId" => {
"operator" => "=",
"values" => [current_user.id.to_s]
} }]
end
it "contains only the filtered capabilities in the response" do
expect(subject.body)
.to be_json_eql("4")
.at_path("total")
expect(subject.body)
.to be_json_eql(api_v3_paths.user(current_user.id).to_json)
.at_path("_embedded/elements/0/_links/principal/href")
end
end
context "with pageSize, offset and sortBy and filter" do
def expect_self_link(link, overrides = {})
href = JSON.parse(subject.body).dig("_links", link, "href").split("?")
expected_path_params = Rack::Utils.parse_nested_query(path.split("?").last)
expect(href.first)
.to eql(api_v3_paths.capabilities)
expect(Rack::Utils.parse_nested_query(href.last))
.to eql(expected_path_params.merge(overrides))
end
let(:filters) do
[{ "principal" => {
"operator" => "=",
"values" => [other_user.id.to_s]
} }]
end
let(:path) do
api_v3_paths.path_for(:capabilities,
filters:,
sort_by: [%i(id asc)],
select: "*,elements/*",
page_size: 2,
offset: 3)
end
it "returns a slice of the visible memberships" do
expect(subject.body)
.to be_json_eql("Collection".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("7")
.at_path("total")
expect(subject.body)
.to be_json_eql("2")
.at_path("count")
expect(subject.body)
.to be_json_eql("users/create/g-#{other_user.id}".to_json)
.at_path("_embedded/elements/0/id")
end
it "includes links for self and jumping" do
expect_self_link("self")
expect_self_link("jumpTo", "offset" => "{offset}")
expect_self_link("changeSize", "pageSize" => "{size}")
expect_self_link("previousByOffset", "offset" => "2")
expect_self_link("nextByOffset", "offset" => "4")
end
end
context "when filtering by principal id (group)" do
let(:filters) do
[{ "principalId" => {
"operator" => "=",
"values" => [group.id.to_s]
} }]
end
let(:other_user) { group }
let(:group) { create(:group) }
let(:setup) do
other_user_member
end
it "returns a collection of capabilities" do
expect(subject.body)
.to be_json_eql("Collection".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("4")
.at_path("total")
expect(subject.body)
.to be_json_eql("activities/read/w#{project.id}-#{other_user.id}".to_json)
.at_path("_embedded/elements/0/id")
end
end
context "when filtering by principal id (placeholder user)" do
let(:filters) do
[{ "principalId" => {
"operator" => "=",
"values" => [placeholder_user.id.to_s]
} }]
end
let(:other_user) { placeholder_user }
let(:placeholder_user) do
create(:placeholder_user)
end
let(:setup) do
other_user_member
end
it "returns a collection of capabilities" do
expect(subject.body)
.to be_json_eql("Collection".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("4")
.at_path("total")
expect(subject.body)
.to be_json_eql("activities/read/w#{project.id}-#{other_user.id}".to_json)
.at_path("_embedded/elements/0/id")
end
end
context "when filtering by principal id (with a user) but with the not operator" do
let(:filters) do
[{ "principalId" => {
"operator" => "!",
"values" => [current_user.id.to_s]
} }]
end
it "responds 400 Bad Request" do
expect(subject.status).to eq(400)
end
it "communicates that either a context or a principal filter is required" do
expect(subject.body)
.to be_json_eql("Error".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("urn:openproject-org:api:v3:errors:InvalidQuery".to_json)
.at_path("errorIdentifier")
end
end
context "with an invalid filter" do
let(:filters) do
[{ "bogus" => {
"operator" => "=",
"values" => [current_user.id.to_s]
} }]
end
it "returns 422" do
expect(subject.status)
.to be 422
end
it "communicates the error message" do
expect(subject.body)
.to be_json_eql("Error".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("urn:openproject-org:api:v3:errors:MultipleErrors".to_json)
.at_path("errorIdentifier")
end
end
context "when filtering by project context" do
let(:other_project) { create(:project) }
let(:empty_role) { create(:project_role, permissions: []) }
# Necessary so that the current user is allowed to see the project
let(:current_user_other_member) do
create(:member,
principal: current_user,
roles: [empty_role],
project: other_project)
end
let(:other_user_other_member) do
create(:member,
principal: other_user,
roles: [role],
project: other_project)
end
let(:filters) do
[{ "context" => {
"operator" => "=",
"values" => ["w#{other_project.id}"]
} }]
end
let(:setup) do
current_user_other_member
other_user_global_member
other_user_member
other_user_other_member
end
it "contains only the filtered capabilities in the response" do
expect(subject.body)
.to be_json_eql("5")
.at_path("total")
expect(subject.body)
.to be_json_eql(api_v3_paths.project(other_project.id).to_json)
.at_path("_embedded/elements/0/_links/context/href")
end
end
context "when filtering by global context" do
let(:filters) do
[{ "context" => {
"operator" => "=",
"values" => ["g"]
} }]
end
it "contains only the filtered capabilities in the response" do
expect(subject.body)
.to be_json_eql("3")
.at_path("total")
expect(subject.body)
.to be_json_eql(api_v3_paths.capabilities_contexts_global.to_json)
.at_path("_embedded/elements/0/_links/context/href")
end
end
context "when signaling to only include a subset of properties" do
let(:path) { api_v3_paths.path_for(:capabilities, filters:, sort_by: [%i(id asc)], select: "elements/id") }
let(:filters) do
[{ "principalId" => {
"operator" => "=",
"values" => [current_user.id.to_s]
} }]
end
it "contains only the filtered capabilities in the response" do
expected = {
_embedded: {
elements: [
{
id: "activities/read/w#{project.id}-#{current_user.id}"
},
{
id: "memberships/create/w#{project.id}-#{current_user.id}"
},
{
id: "memberships/destroy/w#{project.id}-#{current_user.id}"
},
{
id: "memberships/update/w#{project.id}-#{current_user.id}"
}
]
}
}
expect(subject.body)
.to be_json_eql(expected.to_json)
end
end
context "without permissions" do
current_user do
create(:user)
end
let(:filters) do
[{ "context" => {
"operator" => "=",
"values" => ["g"]
} }]
end
it "is empty and includes an empty element set", :aggregate_failures do
expect(subject.body)
.to be_json_eql("0")
.at_path("total")
expect(subject.body)
.to be_json_eql([].to_json)
.at_path("_embedded/elements")
end
end
context "with permissions in one project but not in the other and filtering for that invisible project" do
let(:other_project) { create(:project) }
let(:other_user_other_member) do
create(:member,
principal: other_user,
roles: [role],
project: other_project)
end
let(:setup) do
other_project
other_user_member
other_user_other_member
end
let(:filters) do
[
{
"context" => {
"operator" => "=",
"values" => ["p#{other_project.id}"]
}
}
]
end
it "is empty and includes an empty element set", :aggregate_failures do
expect(subject.body)
.to be_json_eql("0")
.at_path("total")
expect(subject.body)
.to be_json_eql([].to_json)
.at_path("_embedded/elements")
end
end
context "when filtering by action" do
let(:filters) do
[{ "action" => {
"operator" => "=",
"values" => ["memberships/create"]
} },
{ "principalId" => {
"operator" => "=",
"values" => [other_user.id.to_s]
} }]
end
let(:setup) do
other_user_member
end
it "contains only the filtered capabilities in the response" do
expect(subject.body)
.to be_json_eql("1")
.at_path("total")
expect(subject.body)
.to be_json_eql("memberships/create/w#{project.id}-#{other_user.id}".to_json)
.at_path("_embedded/elements/0/id")
end
end
end
describe "GET /api/v3/capabilities/:id" do
let(:path) { api_v3_paths.capability("memberships/create/w#{project.id}-#{other_user.id}") }
let(:setup) do
other_user_member
end
before do
setup
get path
end
it "returns 200 OK" do
expect(subject.status)
.to be(200)
end
it "returns the capability" do
expect(subject.body)
.to be_json_eql("Capability".to_json)
.at_path("_type")
expect(subject.body)
.to be_json_eql("memberships/create/w#{project.id}-#{other_user.id}".to_json)
.at_path("id")
end
context "if querying a non existing capability" do
let(:path) { api_v3_paths.capability("foo/bar/w#{project.id}-#{other_user.id}") }
it "returns 404 NOT FOUND" do
expect(subject.status)
.to be 404
end
end
context "if querying with malformed id" do
let(:path) { api_v3_paths.capability("foo/bar/baz-5") }
it "returns 404 NOT FOUND" do
expect(subject.status)
.to be 404
end
end
context "if querying for an invisible user" do
current_user do
create(:user)
end
it "returns 404 NOT FOUND" do
expect(subject.status)
.to be 404
end
end
context "with permissions in one project but querying for the project where permissions are lacking" do
let(:path) { api_v3_paths.capability("memberships/create/w#{other_project.id}-#{other_user.id}") }
let(:other_project) { create(:project) }
let(:other_user_other_member) do
create(:member,
principal: other_user,
roles: [role],
project: other_project)
end
let(:setup) do
other_project
other_user_member
other_user_other_member
end
it "returns 404 NOT FOUND" do
expect(subject.status)
.to be 404
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink