Leatherface/mastodon
1
0
Fork 0
mirror of https://github.com/glitch-soc/mastodon.git synced 2025-12-15 16:59:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit 'f1d4be1e7509f795706ff2310c5fc36e0e79bf4d' into glitch-soc/merge-upstream

Browse Source
This commit is contained in:
Claire
2025-02-18 20:38:57 +01:00
parent e0b7ecfb0b f1d4be1e75
commit f3bc50778b
48 changed files with 1053 additions and 896 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
spec/controllers/admin/users/roles_controller_spec.rb
View File

@@ -1,77 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Admin::Users::RolesController do
render_views
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { nil }
let(:user) { Fabricate(:user, role: previous_role) }
before do
sign_in current_user, scope: :user
end
describe 'GET #show' do
before do
get :show, params: { user_id: user.id }
end
it 'returns http success' do
expect(response).to have_http_status(:success)
end
context 'when target user is higher ranked than current user' do
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
end
describe 'PUT #update' do
let(:selected_role) { UserRole.create(name: 'Bar', permissions: permissions, position: position) }
before do
put :update, params: { user_id: user.id, user: { role_id: selected_role.id } }
end
context 'with manage roles permissions' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
let(:position) { 1 }
it 'updates user role and redirects' do
expect(user.reload.role_id).to eq selected_role&.id
expect(response).to redirect_to(admin_account_path(user.account_id))
end
end
context 'when selected role has higher position than current user\'s role' do
let(:permissions) { UserRole::FLAGS[:administrator] }
let(:position) { 100 }
it 'does not update user role and renders edit' do
expect(user.reload.role_id).to eq previous_role&.id
expect(response).to render_template(:show)
end
end
context 'when target user is higher ranked than current user' do
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
let(:permissions) { UserRole::FLAGS[:manage_roles] }
let(:position) { 1 }
it 'does not update user role and returns http forbidden' do
expect(user.reload.role_id).to eq previous_role&.id
expect(response).to have_http_status(403)
end
end
end
end

30
spec/controllers/settings/two_factor_authentication/recovery_codes_controller_spec.rb
View File

@@ -1,30 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Settings::TwoFactorAuthentication::RecoveryCodesController do
render_views
describe 'POST #create' do
it 'updates the codes and shows them on a view when signed in' do
user = Fabricate(:user)
otp_backup_codes = user.generate_otp_backup_codes!
allow(user).to receive(:generate_otp_backup_codes!).and_return(otp_backup_codes)
allow(controller).to receive(:current_user).and_return(user)
sign_in user, scope: :user
post :create, session: { challenge_passed_at: Time.now.utc }
expect(flash[:notice]).to eq 'Recovery codes successfully regenerated'
expect(response).to have_http_status(200)
expect(response).to render_template(:index)
expect(response.body)
.to include(*otp_backup_codes)
end
it 'redirects when not signed in' do
post :create
expect(response).to redirect_to '/auth/sign_in'
end
end
end

79
spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb
View File

@@ -1,79 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Settings::TwoFactorAuthenticationMethodsController do
render_views
context 'when not signed in' do
describe 'GET to #index' do
it 'redirects' do
get :index
expect(response).to redirect_to '/auth/sign_in'
end
end
end
context 'when signed in' do
let(:user) { Fabricate(:user) }
before do
sign_in user, scope: :user
end
describe 'GET #index' do
describe 'when user has enabled otp' do
before do
user.update(otp_required_for_login: true)
get :index
end
it 'returns http success with private cache control headers', :aggregate_failures do
expect(response).to have_http_status(200)
expect(response.headers['Cache-Control']).to include('private, no-store')
end
end
describe 'when user has not enabled otp' do
before do
user.update(otp_required_for_login: false)
get :index
end
it 'redirects to enable otp' do
expect(response).to redirect_to(settings_otp_authentication_path)
end
end
end
describe 'POST to #disable' do
before do
user.update(otp_required_for_login: true)
end
context 'when user has not passed challenge' do
it 'renders challenge page' do
post :disable
expect(response).to have_http_status(200)
expect(response).to render_template('auth/challenges/new')
end
end
context 'when user has passed challenge' do
before do
mailer = instance_double(ApplicationMailer::MessageDelivery, deliver_later!: true)
allow(UserMailer).to receive(:two_factor_disabled).with(user).and_return(mailer)
end
it 'redirects to settings page' do
post :disable, session: { challenge_passed_at: 10.minutes.ago }
expect(UserMailer).to have_received(:two_factor_disabled).with(user)
expect(response).to redirect_to(settings_otp_authentication_path)
end
end
end
end
end

192
spec/controllers/statuses_controller_spec.rb
View File

@@ -1,192 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe StatusesController do
render_views
describe 'GET #show' do
let(:account) { Fabricate(:account) }
let(:status) { Fabricate(:status, account: account) }
context 'when signed-in' do
let(:user) { Fabricate(:user) }
before do
sign_in(user)
end
context 'when status is public' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when status is private' do
let(:status) { Fabricate(:status, account: account, visibility: :private) }
context 'when user is authorized to see it' do
before do
user.account.follow!(account)
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with JSON' do
let(:format) { 'json' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
context 'with HTML' do
let(:format) { 'html' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
end
end
context 'when status is direct' do
let(:status) { Fabricate(:status, account: account, visibility: :direct) }
context 'when user is authorized to see it' do
before do
Fabricate(:mention, account: user.account, status: status)
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully' do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with JSON' do
let(:format) { 'json' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
context 'with HTML' do
let(:format) { 'html' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
end
end
end
end
end

28
spec/requests/admin/users/roles_spec.rb
View File

@@ -3,6 +3,34 @@
require 'rails_helper'
RSpec.describe 'Admin Users Roles' do
context 'when target user is higher ranked than current user' do
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
let(:user) { Fabricate(:user, role: previous_role) }
before { sign_in(current_user) }
describe 'GET /admin/users/:user_id/role' do
it 'returns http forbidden' do
get admin_user_role_path(user.id)
expect(response)
.to have_http_status(403)
end
end
describe 'PUT /admin/users/:user_id/role' do
it 'returns http forbidden' do
put admin_user_role_path(user.id)
expect(response)
.to have_http_status(403)
end
end
end
describe 'PUT /admin/users/:user_id/role' do
before { sign_in Fabricate(:admin_user) }

16
spec/requests/settings/two_factor_authentication/recovery_codes_spec.rb Normal file
View File

@@ -0,0 +1,16 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Settings TwoFactorAuthentication RecoveryCodes' do
describe 'POST /settings/two_factor_authentication/recovery_codes' do
context 'when signed out' do
it 'redirects to sign in page' do
post settings_two_factor_authentication_recovery_codes_path
expect(response)
.to redirect_to(new_user_session_path)
end
end
end
end

35
spec/requests/settings/two_factor_authentication_methods_spec.rb Normal file
View File

@@ -0,0 +1,35 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Settings TwoFactorAuthenticationMethods' do
context 'when not signed in' do
describe 'GET to /settings/two_factor_authentication_methods' do
it 'redirects to sign in page' do
get settings_two_factor_authentication_methods_path
expect(response)
.to redirect_to(new_user_session_path)
end
end
end
context 'when signed in' do
let(:user) { Fabricate(:user) }
before { sign_in user }
describe 'GET to /settings/two_factor_authentication_methods' do
describe 'when user has not enabled otp' do
before { user.update(otp_required_for_login: false) }
it 'redirects to enable otp' do
get settings_two_factor_authentication_methods_path
expect(response)
.to redirect_to(settings_otp_authentication_path)
end
end
end
end
end

166
spec/requests/statuses_spec.rb
View File

@@ -59,7 +59,6 @@ RSpec.describe 'Statuses' do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('public'),
@@ -114,9 +113,11 @@ RSpec.describe 'Statuses' do
end
context 'when signed in' do
subject { get short_account_status_path(account_username: account.username, id: status.id, format: format) }
let(:user) { Fabricate(:user) }
before { sign_in(user) }
before { sign_in_with_session(user) }
context 'when account blocks user' do
before { account.block!(user.account) }
@@ -128,6 +129,167 @@ RSpec.describe 'Statuses' do
.to have_http_status(404)
end
end
context 'when status is public' do
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when status is private' do
let(:status) { Fabricate(:status, account: account, visibility: :private) }
context 'when user is authorized to see it' do
before { user.account.follow!(account) }
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
let(:format) { 'html' }
it 'returns http not found' do
subject
expect(response)
.to have_http_status(404)
end
end
end
context 'when status is direct' do
let(:status) { Fabricate(:status, account: account, visibility: :direct) }
context 'when user is authorized to see it' do
before { Fabricate(:mention, account: user.account, status: status) }
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully' do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
let(:format) { 'html' }
it 'returns http not found' do
subject
expect(response)
.to have_http_status(404)
end
end
end
private
def sign_in_with_session(user)
# The regular `sign_in` helper does not actually set session cookies
# The endpoint responses here rely on cookie/session checks to set cache privacy headers
# To enable that, perform a full sign in which will establish those cookies for subsequent spec requests
post user_session_path, params: { user: { email: user.email, password: user.password } }
end
end
context 'with "HTTP Signature" access signed by a remote account' do

38
spec/system/admin/users/roles_spec.rb Normal file
View File

@@ -0,0 +1,38 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Admin Users Roles' do
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { nil }
let(:user) { Fabricate(:user, role: previous_role) }
before do
sign_in current_user, scope: :user
end
describe 'Managing user roles' do
let!(:too_high_role) { UserRole.create(name: 'TooHigh', permissions: UserRole::FLAGS[:administrator], position: 100) }
let!(:usable_role) { UserRole.create(name: 'Usable', permissions: UserRole::FLAGS[:manage_roles], position: 1) }
it 'selects and updates user roles' do
visit admin_user_role_path(user)
expect(page)
.to have_title I18n.t('admin.accounts.change_role.title', username: user.account.username)
# Fails to assign not allowed role
select too_high_role.name, from: 'user_role_id'
expect { click_on submit_button }
.to_not(change { user.reload.role_id })
expect(page)
.to have_title I18n.t('admin.accounts.change_role.title', username: user.account.username)
# Assigns allowed role
select usable_role.name, from: 'user_role_id'
expect { click_on submit_button }
.to(change { user.reload.role_id }.to(usable_role.id))
end
end
end

37
spec/system/settings/two_factor_authentication/recovery_codes_spec.rb Normal file
View File

@@ -0,0 +1,37 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Settings TwoFactorAuthentication RecoveryCodes' do
describe 'Generating recovery codes' do
let(:user) { Fabricate :user, otp_required_for_login: true }
let(:backup_code) { +'147e7284c95bd260b91ed17820860019' }
before do
stub_code_generator
sign_in(user)
end
it 'updates the codes and includes them in the view' do
# Attempt to generate codes
visit settings_two_factor_authentication_methods_path
click_on I18n.t('two_factor_authentication.generate_recovery_codes')
# Fill in challenge password
fill_in 'form_challenge_current_password', with: user.password
expect { click_on I18n.t('challenge.confirm') }
.to(change { user.reload.otp_backup_codes })
expect(page)
.to have_content(I18n.t('two_factor_authentication.recovery_codes_regenerated'))
.and have_title(I18n.t('settings.two_factor_authentication'))
.and have_css('ol.recovery-codes')
.and have_content(backup_code)
end
def stub_code_generator
allow(SecureRandom).to receive(:hex).and_return(backup_code)
end
end
end

41
spec/system/settings/two_factor_authentication_methods_spec.rb Normal file
View File

@@ -0,0 +1,41 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Settings TwoFactorAuthenticationMethods' do
context 'when signed in' do
let(:user) { Fabricate(:user) }
before { sign_in user }
describe 'Managing 2FA methods' do
before { user.update(otp_required_for_login: true) }
it 'disables 2FA with challenge confirmation', :inline_jobs do
visit settings_two_factor_authentication_methods_path
expect(page)
.to have_content(I18n.t('settings.two_factor_authentication'))
.and have_private_cache_control
# Attempt to disable
click_on I18n.t('two_factor_authentication.disable')
expect(page)
.to have_title(I18n.t('challenge.prompt'))
# Fill in challenge form
fill_in 'form_challenge_current_password', with: user.password
emails = capture_emails do
expect { click_on I18n.t('challenge.confirm') }
.to change { user.reload.otp_required_for_login }.to(false)
end
expect(page)
.to have_content(I18n.t('two_factor_authentication.disabled_success'))
expect(emails.first)
.to be_present
.and(deliver_to(user.email))
.and(have_subject(I18n.t('devise.mailer.two_factor_disabled.subject')))
end
end
end
end

15
spec/system/statuses_spec.rb Normal file
View File

@@ -0,0 +1,15 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Status page' do
let(:status) { Fabricate :status }
it 'visits the status page and renders the web app' do
visit short_account_status_path(account_username: status.account.username, id: status.id)
expect(page)
.to have_css('noscript', text: /Mastodon/)
.and have_css('body', class: 'app-body')
end
end