|
|
@ -132,7 +132,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
get "/users/#{other_user.id}", headers: headers, params: {} |
|
|
|
get "/users/#{other_user.id}", headers: headers, params: {} |
|
|
@ -188,7 +188,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
@ -216,7 +216,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
@ -272,7 +272,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name } } } |
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name } } } |
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
before do |
|
|
@ -356,7 +356,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
get "/users/#{other_user.id}", headers: headers, params: {} |
|
|
|
get "/users/#{other_user.id}", headers: headers, params: {} |
|
|
@ -419,7 +419,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
@ -469,7 +469,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
end |
|
|
|
end |
|
|
@ -531,7 +531,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
before do |
|
|
|
before do |
|
|
|
sign_in user |
|
|
|
sign_in user |
|
|
|
end |
|
|
|
end |
|
|
@ -566,7 +566,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
expect(page).to have_content(other_user.reload.email.to_s) |
|
|
|
expect(page).to have_content(other_user.reload.email.to_s) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when we try to update the user password" do |
|
|
|
context "when the data coordinator tries to update the user’s password" do |
|
|
|
let(:params) do |
|
|
|
let(:params) do |
|
|
|
{ |
|
|
|
{ |
|
|
|
id: user.id, user: { password: new_name, password_confirmation: new_name, name: "new name" } |
|
|
|
id: user.id, user: { password: new_name, password_confirmation: new_name, name: "new name" } |
|
|
@ -585,7 +585,7 @@ RSpec.describe UsersController, type: :request do |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not matches the user ID" do |
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
context "when the user is not part of the same organisation as the current user" do |
|
|
|
context "when the user is not part of the same organisation as the current user" do |
|
|
|
let(:other_user) { FactoryBot.create(:user) } |
|
|
|
let(:other_user) { FactoryBot.create(:user) } |
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name } } } |
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name } } } |
|
|
@ -642,10 +642,425 @@ RSpec.describe UsersController, type: :request do |
|
|
|
expect(response).to redirect_to("/organisations/#{user.organisation.id}/users") |
|
|
|
expect(response).to redirect_to("/organisations/#{user.organisation.id}/users") |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the email is already taken" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
FactoryBot.create(:user, email: "new_user@example.com") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows an error" do |
|
|
|
|
|
|
|
request |
|
|
|
|
|
|
|
expect(response).to have_http_status(:unprocessable_entity) |
|
|
|
|
|
|
|
expect(page).to have_content(I18n.t("validations.email.taken")) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when trying to assign support role" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
"user": { |
|
|
|
|
|
|
|
name: "new user", |
|
|
|
|
|
|
|
email: "new_user@example.com", |
|
|
|
|
|
|
|
role: "support", |
|
|
|
|
|
|
|
}, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows an error" do |
|
|
|
|
|
|
|
request |
|
|
|
|
|
|
|
expect(response).to have_http_status(:unprocessable_entity) |
|
|
|
|
|
|
|
expect(page).to have_content(I18n.t("validations.role.invalid")) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#new" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
it "cannot assign support role to the new user" do |
|
|
|
it "cannot assign support role to the new user" do |
|
|
|
request |
|
|
|
get "/users/new" |
|
|
|
expect(page).not_to have_field("user-role-support-field") |
|
|
|
expect(page).not_to have_field("user-role-support-field") |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when user is signed in as a support user" do |
|
|
|
|
|
|
|
let(:user) { FactoryBot.create(:user, :support) } |
|
|
|
|
|
|
|
let(:other_user) { FactoryBot.create(:user, organisation: user.organisation) } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
allow(user).to receive(:need_two_factor_authentication?).and_return(false) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#show" do |
|
|
|
|
|
|
|
context "when the current user matches the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
get "/users/#{user.id}", headers: headers, params: {} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "show the user details" do |
|
|
|
|
|
|
|
expect(page).to have_content("Your account") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing name, email, password, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "name") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "email address") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "password") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "role") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are you a data protection officer?") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are you a key contact?") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
get "/users/#{other_user.id}", headers: headers, params: {} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the user is part of the same organisation as the current user" do |
|
|
|
|
|
|
|
it "returns 200" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:ok) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the user details page" do |
|
|
|
|
|
|
|
expect(page).to have_content("#{other_user.name}’s account") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing name, email, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "name") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "email address") |
|
|
|
|
|
|
|
expect(page).not_to have_link("Change", text: "password") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "role") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are they a data protection officer?") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are they a key contact?") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the user is not part of the same organisation as the current user" do |
|
|
|
|
|
|
|
let(:other_user) { FactoryBot.create(:user) } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "returns 200" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:ok) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the user details page" do |
|
|
|
|
|
|
|
expect(page).to have_content("#{other_user.name}’s account") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing name, email, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "name") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "email address") |
|
|
|
|
|
|
|
expect(page).not_to have_link("Change", text: "password") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "role") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are they a data protection officer?") |
|
|
|
|
|
|
|
expect(page).to have_link("Change", text: "are they a key contact?") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#edit" do |
|
|
|
|
|
|
|
context "when the current user matches the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
get "/users/#{user.id}/edit", headers: headers, params: {} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "show the edit personal details page" do |
|
|
|
|
|
|
|
expect(page).to have_content("Change your personal details") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "has fields for name, email, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_field("user[name]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[email]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[role]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_dpo]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_key_contact]") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows setting the role to `support`" do |
|
|
|
|
|
|
|
expect(page).to have_field("user-role-support-field") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
get "/users/#{other_user.id}/edit", headers: headers, params: {} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the user is part of the same organisation as the current user" do |
|
|
|
|
|
|
|
it "returns 200" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:ok) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the user details page" do |
|
|
|
|
|
|
|
expect(page).to have_content("Change #{other_user.name}’s personal details") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "has fields for name, email, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_field("user[name]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[email]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[role]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_dpo]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_key_contact]") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the user is not part of the same organisation as the current user" do |
|
|
|
|
|
|
|
let(:other_user) { FactoryBot.create(:user) } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "returns 200" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:ok) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the user details page" do |
|
|
|
|
|
|
|
expect(page).to have_content("Change #{other_user.name}’s personal details") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "has fields for name, email, role, dpo and key contact" do |
|
|
|
|
|
|
|
expect(page).to have_field("user[name]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[email]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[role]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_dpo]") |
|
|
|
|
|
|
|
expect(page).to have_field("user[is_key_contact]") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#edit_password" do |
|
|
|
|
|
|
|
context "when the current user matches the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
get "/account/edit/password", headers: headers, params: {} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the edit password page" do |
|
|
|
|
|
|
|
expect(page).to have_content("Change your password") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows the password requirements hint" do |
|
|
|
|
|
|
|
expect(page).to have_css("#user-password-hint") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "there is no route" do |
|
|
|
|
|
|
|
expect { |
|
|
|
|
|
|
|
get "/users/#{other_user.id}/password/edit", headers: headers, params: {} |
|
|
|
|
|
|
|
}.to raise_error(ActionController::RoutingError) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#update" do |
|
|
|
|
|
|
|
context "when the current user matches the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
patch "/users/#{user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "updates the user" do |
|
|
|
|
|
|
|
user.reload |
|
|
|
|
|
|
|
expect(user.name).to eq(new_name) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "tracks who updated the record" do |
|
|
|
|
|
|
|
user.reload |
|
|
|
|
|
|
|
whodunnit_actor = user.versions.last.actor |
|
|
|
|
|
|
|
expect(whodunnit_actor).to be_a(User) |
|
|
|
|
|
|
|
expect(whodunnit_actor.id).to eq(user.id) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when user changes email, dpo and key contact" do |
|
|
|
|
|
|
|
let(:params) { { id: user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing email and dpo" do |
|
|
|
|
|
|
|
user.reload |
|
|
|
|
|
|
|
expect(user.email).to eq(new_email) |
|
|
|
|
|
|
|
expect(user.is_data_protection_officer?).to be true |
|
|
|
|
|
|
|
expect(user.is_key_contact?).to be true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when we update the user password" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
id: user.id, user: { password: new_name, password_confirmation: "something_else" } |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
patch "/users/#{user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "shows an error if passwords don't match" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:unprocessable_entity) |
|
|
|
|
|
|
|
expect(page).to have_selector("#error-summary-title") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the user is part of the same organisation as the current user" do |
|
|
|
|
|
|
|
it "updates the user" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.name }.from(other_user.name).to(new_name) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "tracks who updated the record" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.versions.last.actor&.id }.from(nil).to(user.id) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when user changes email, dpo, key_contact" do |
|
|
|
|
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing email, dpo, key_contact" do |
|
|
|
|
|
|
|
patch "/users/#{other_user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
other_user.reload |
|
|
|
|
|
|
|
expect(other_user.email).to eq(new_email) |
|
|
|
|
|
|
|
expect(other_user.is_data_protection_officer?).to be true |
|
|
|
|
|
|
|
expect(other_user.is_key_contact?).to be true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not bypass sign in for the support user" do |
|
|
|
|
|
|
|
patch "/users/#{other_user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
expect(page).to have_content("#{other_user.reload.name}’s account") |
|
|
|
|
|
|
|
expect(page).to have_content(other_user.reload.email.to_s) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the support user tries to update the user’s password" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
id: user.id, user: { password: new_name, password_confirmation: new_name, name: "new name" } |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not update the password" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.not_to change(other_user, :encrypted_password) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does update other values" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.name }.from("Danny Rojas").to("new name") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the current user does not match the user ID" do |
|
|
|
|
|
|
|
context "when the user is not part of the same organisation as the current user" do |
|
|
|
|
|
|
|
let(:other_user) { FactoryBot.create(:user) } |
|
|
|
|
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name } } } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "updates the user" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.name }.from(other_user.name).to(new_name) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "tracks who updated the record" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.versions.last.actor&.id }.from(nil).to(user.id) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when user changes email, dpo, key_contact" do |
|
|
|
|
|
|
|
let(:params) { { id: other_user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "allows changing email, dpo, key_contact" do |
|
|
|
|
|
|
|
patch "/users/#{other_user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
other_user.reload |
|
|
|
|
|
|
|
expect(other_user.email).to eq(new_email) |
|
|
|
|
|
|
|
expect(other_user.is_data_protection_officer?).to be true |
|
|
|
|
|
|
|
expect(other_user.is_key_contact?).to be true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not bypass sign in for the support user" do |
|
|
|
|
|
|
|
patch "/users/#{other_user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
expect(page).to have_content("#{other_user.reload.name}’s account") |
|
|
|
|
|
|
|
expect(page).to have_content(other_user.reload.email.to_s) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the support user tries to update the user’s password" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
id: user.id, user: { password: new_name, password_confirmation: new_name, name: "new name" } |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not update the password" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.not_to change(other_user, :encrypted_password) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does update other values" do |
|
|
|
|
|
|
|
expect { patch "/users/#{other_user.id}", headers: headers, params: params } |
|
|
|
|
|
|
|
.to change { other_user.reload.name }.from("Danny Rojas").to("new name") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when the update fails to persist" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
allow(User).to receive(:find_by).and_return(user) |
|
|
|
|
|
|
|
allow(user).to receive(:update).and_return(false) |
|
|
|
|
|
|
|
patch "/users/#{user.id}", headers: headers, params: params |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "show an error" do |
|
|
|
|
|
|
|
expect(response).to have_http_status(:unprocessable_entity) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#create" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
"user": { |
|
|
|
|
|
|
|
name: "new user", |
|
|
|
|
|
|
|
email: "new_user@example.com", |
|
|
|
|
|
|
|
role: "data_coordinator", |
|
|
|
|
|
|
|
}, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
let(:request) { post "/users/", headers: headers, params: params } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "invites a new user" do |
|
|
|
|
|
|
|
expect { request }.to change(User, :count).by(1) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "redirects back to organisation users page" do |
|
|
|
|
|
|
|
request |
|
|
|
|
|
|
|
expect(response).to redirect_to("/organisations/#{user.organisation.id}/users") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the email is already taken" do |
|
|
|
context "when the email is already taken" do |
|
|
|
before do |
|
|
|
before do |
|
|
@ -658,6 +1073,33 @@ RSpec.describe UsersController, type: :request do |
|
|
|
expect(page).to have_content(I18n.t("validations.email.taken")) |
|
|
|
expect(page).to have_content(I18n.t("validations.email.taken")) |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
context "when trying to assign support role" do |
|
|
|
|
|
|
|
let(:params) do |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
"user": { |
|
|
|
|
|
|
|
name: "new user", |
|
|
|
|
|
|
|
email: "new_user@example.com", |
|
|
|
|
|
|
|
role: "support", |
|
|
|
|
|
|
|
}, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "creates a new support user" do |
|
|
|
|
|
|
|
expect(User.last.role).to eq("support") |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe "#new" do |
|
|
|
|
|
|
|
before do |
|
|
|
|
|
|
|
sign_in user |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "can assign support role to the new user" do |
|
|
|
|
|
|
|
get "/users/new" |
|
|
|
|
|
|
|
expect(page).to have_field("user-role-support-field") |
|
|
|
|
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|