rosa-build/spec/controllers/api/v1/projects_controller_spec.rb

require 'spec_helper'

shared_examples_for "api projects user with reader rights" do
  include_examples "api projects user with show rights"
end

shared_examples_for "api projects user with reader rights for hidden project" do
  before do
    project.update_column(:visibility, 'hidden')
  end

  it_should_behave_like 'api projects user with show rights'
end

shared_examples_for "api projects user without reader rights for hidden project" do
  before do
    project.update_column(:visibility, 'hidden')
  end

  it_should_behave_like 'api projects user without show rights'
end

shared_examples_for "api projects user without show rights" do
  it "to show access violation instead of project data" do
    get :show, id: project.id, format: :json
    expect(response).to_not be_success
  end

  it "to show access violation instead of project refs_list" do
    get :refs_list, id: project.id, format: :json
    expect(response).to_not be_success
  end

  it "to access violation instead of project data by get_id" do
    get :get_id, name: project.name, owner: project.owner_uname, format: :json
    expect(response).to_not be_success
  end

  it "to show access violation instead of project members data" do
    get :members, id: project.id, format: :json
    expect(response).to_not be_success
  end

end

shared_examples_for 'api projects user without fork rights' do
  before { project } # init

  it 'to not be able to perform fork action' do
    expect do
      post :fork, id: project.id, format: :json
    end.to_not change(Project, :count)
    expect(response).to_not be_success
  end
end

shared_examples_for 'api projects user with fork rights' do
  before { project } # init

  it 'to be able to perform fork action' do
    expect do
      post :fork, id: project.id, format: :json
    end.to change(Project, :count).by(1)
    expect(response).to be_success
  end

  it 'to be able to perform fork action with different name' do
    new_name = project.name + '_forked'
    expect do
      post :fork, id: project.id, fork_name: new_name, format: :json
    end.to change{ Project.where(name: new_name).count }.by(1)
    expect(response).to be_success
  end
end

shared_examples_for 'api projects user with fork rights for hidden project' do
  before { project.update_column(:visibility, 'hidden') }
  it_should_behave_like 'api projects user with fork rights'
end

shared_examples_for 'api projects user without fork rights for hidden project' do
  before { project.update_column(:visibility, 'hidden') }
  it_should_behave_like 'api projects user without fork rights'
end

shared_examples_for "api projects user with show rights" do
  it "to show project data" do
    get :show, id: project.id, format: :json
    expect(response).to render_template(:show)
  end

  it "to show refs_list of project" do
    get :refs_list, id: project.id, format: :json
    expect(response).to render_template(:refs_list)
  end

  context 'project find by get_id' do
    it "to find project by name and owner name" do
      project.reload
      get :get_id, name: project.name, owner: project.owner_uname, format: :json
      expect(assigns[:project].id).to eq project.id
    end

    it "to not find project by non existing name and owner name" do
      get :get_id, name: 'NONE_EXISTING_NAME', owner: project.owner_uname, format: :json
      expect(assigns :project).to be_blank
    end

    it "to render 404 for non existing name and owner name" do
      get :get_id, name: 'NONE_EXISTING_NAME', owner: project.owner_uname, format: :json
      expect(response.body).to eq({status: 404, message: I18n.t("flash.404_message")}.to_json)
    end
  end
end

shared_examples_for 'api projects user with admin rights' do

  it "to be able to perform members action" do
    get :members, id: project.id, format: :json
    expect(response).to be_success
  end
  it 'to not set a wrong maintainer_id' do
    put :update, project: { maintainer_id: -1 }, id: project.id, format: :json
    expect(response).to_not be_success
  end

  context 'api project user with update rights' do
    before do
      put :update, project: { description: 'new description' }, id: project.id, format: :json
    end

    it 'to be able to perform update action' do
      expect(response).to be_success
      expect(project.reload.description).to eq 'new description'
    end
  end

  context 'api project user with add_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      put :add_member, member_id: member.id, type: 'User', role: 'admin', id: project.id, format: :json
    end

    it 'to be able to perform add_member action' do
      expect(response).to be_success
      expect(project.members).to include(member)
    end
  end

  context 'api project user with remove_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      project.add_member(member)
      delete :remove_member, member_id: member.id, type: 'User', id: project.id, format: :json
    end

    it 'to be able to perform remove_member action' do
      expect(response).to be_success
      expect(project.members).to_not include(member)
    end
  end

  context 'api group user with update_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      project.add_member(member)
      put :update_member, member_id: member.id, type: 'User', role: 'reader', id: project.id, format: :json
    end

    it 'to be able to perform update_member action' do
      expect(response).to be_success
      role = project.relations.by_actor(member).first.role
      expect(role).to eq 'reader'
    end
  end
end

shared_examples_for 'api projects user without admin rights' do

  it "to not be able to perform members action" do
    get :members, id: project.id, format: :json
    expect(response).to_not be_success
  end

  context 'api project user without update_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      project.add_member(member)
      put :update_member, member_id: member.id, type: 'User', role: 'reader', id: project.id, format: :json
    end

    it 'to not be able to perform update_member action' do
      expect(response).to_not be_success
      role = project.relations.by_actor(member).first.role
      expect(role).to_not eq 'reader'
    end
  end

  context 'api project user without update rights' do
    before do
      put :update, project: {description: 'new description'}, id: project.id, format: :json
    end

    it 'to not be able to perform update action' do
      expect(response).to_not be_success
      expect(project.reload.description).to_not eq 'new description'
    end
  end

  context 'api project user without add_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      put :add_member, member_id: member.id, type: 'User', role: 'admin', id: project.id, format: :json
    end

    it 'to not be able to perform add_member action' do
      expect(response).to_not be_success
      expect(project.members).to_not include(member)
    end
  end

  context 'api project user without remove_member rights' do
    let(:member) { FactoryGirl.create(:user) }
    before do
      project.add_member(member)
      delete :remove_member, member_id: member.id, type: 'User', id: project.id, format: :json
    end

    it 'to be able to perform update action' do
      expect(response).to_not be_success
      expect(project.members).to include(member)
    end
  end
end

shared_examples_for 'api projects user with owner rights' do
  before { project } # init

  context 'api project user with destroy rights' do
    it 'to be able to perform destroy action' do
      expect do
        delete :destroy, id: project.id, format: :json
      end.to change(Project, :count).by(-1)
      expect(response).to be_success
    end
  end
end

shared_examples_for 'api projects user without owner rights' do
  before { project } # init

  context 'api project user with destroy rights' do
    it 'to not be able to perform destroy action' do
      expect do
        delete :destroy, id: project.id, format: :json
      end.to_not change(Project, :count)
      expect(response).to_not be_success
    end
  end
end

describe Api::V1::ProjectsController, type: :controller do

  let(:project)        { FactoryGirl.create(:project) }
  let(:hidden_project) { FactoryGirl.create(:project) }
  let(:another_user)   { FactoryGirl.create(:user) }

  before do
    stub_symlink_methods

    # project = FactoryGirl.create(:project)
    # hidden_project = FactoryGirl.create(:project)
    # another_user = FactoryGirl.create(:user)
  end

  context 'for guest' do

    [:index, :members].each do |action|
      it "to not be able to perform #{action} action" do
        get action, id: project.id, format: :json
        expect(response).to_not be_success
      end
    end

    if APP_CONFIG['anonymous_access']
      it_should_behave_like 'api projects user with show rights'
      it_should_behave_like 'api projects user without reader rights for hidden project'
    else
      it_should_behave_like 'api projects user without show rights'
    end
    it_should_behave_like 'api projects user without fork rights'
    it_should_behave_like 'api projects user without fork rights for hidden project'
    it_should_behave_like 'api projects user without admin rights'
    it_should_behave_like 'api projects user without owner rights'
  end

  context 'for simple user' do
    let(:user) { FactoryGirl.create(:user) }

    before do
      http_login(user)
    end

    it 'to be able to perform index action' do
      get :index, format: :json
      expect(response).to be_success
    end

    context 'api project user with create rights' do
      let(:params) { {project: {name: 'test_name', owner_id: user.id, owner_type: 'User', visibility: 'open'}, format: :json} }
      it 'to be able to perform create action' do
        post :create, params, format: :json
        expect(response).to be_success
      end
      it 'ensures that project has been created' do
        expect do
          post :create, params
        end.to change(Project, :count).by(1)
      end

      it 'writer group to be able to create project for their group' do
        group = FactoryGirl.create(:group)
        create_actor_relation(group, user, 'writer')
        expect do
          post :create, params.deep_merge({project: {owner_type: 'Group', owner_id: group.id}})
        end.to change(Project, :count).by(1)
      end

      it 'reader group to not be able to create project for their group' do
        group = FactoryGirl.create(:group)
        create_actor_relation(group, user, 'reader')
        expect do
          post :create, params.deep_merge({project: {owner_type: 'Group', owner_id: group.id}})
        end.to_not change(Project, :count)
      end
    end

    it_should_behave_like 'api projects user with reader rights'
    it_should_behave_like 'api projects user without reader rights for hidden project'
    it_should_behave_like 'api projects user with fork rights'
    it_should_behave_like 'api projects user without fork rights for hidden project'
    it_should_behave_like 'api projects user without admin rights'
    it_should_behave_like 'api projects user without owner rights'

    context 'group writer' do
      before { project } # init

      it 'to be able to fork project to their group' do
        group = FactoryGirl.create(:group)
        create_actor_relation(group, user, 'writer')
        expect do
          post :fork, id: project.id, group_id: group.id, format: :json
        end.to change(Project, :count).by(1)
      end

      it 'to be able to fork project with different name to their group' do
        group = FactoryGirl.create(:group)
        create_actor_relation(group, user, 'writer')
        new_name = project.name + '_forked'
        expect do
          post :fork, id: project.id, group_id: group.id, fork_name: new_name, format: :json
        end.to change { Project.where(name: new_name).count }.by(1)
      end
    end

    context 'group reader' do
      before { project } # init

      it 'to not be able to fork project to their group' do
        group = FactoryGirl.create(:group)
        create_actor_relation(group, user, 'reader')
        expect do
          post :fork, id: project.id, group_id: group.id, format: :json
        end.to_not change(Project, :count)
      end

      it 'to not be able to fork project with different name to their group' do
        group = FactoryGirl.create(:group)
        new_name = project.name + '_forked'
        create_actor_relation(group, user, 'reader')
        expect do
          post :fork, id: project.id, group_id: group.id, fork_name: new_name, format: :json
        end.to_not change{ Project.where(name: new_name).count }
      end
    end
  end

  context 'for admin' do
    let(:admin) { FactoryGirl.create(:admin) }

    before do
      http_login(admin)
    end

    it_should_behave_like 'api projects user with reader rights'
    it_should_behave_like 'api projects user with reader rights for hidden project'
    it_should_behave_like 'api projects user with fork rights'
    it_should_behave_like 'api projects user with fork rights for hidden project'
    it_should_behave_like 'api projects user with admin rights'
    it_should_behave_like 'api projects user with owner rights'
  end

  context 'for owner user' do
    let(:user)    { FactoryGirl.create(:user) }
    let(:project) { FactoryGirl.create(:project, owner: user) }

    before do
      http_login(user)
    end

    it_should_behave_like 'api projects user with reader rights'
    it_should_behave_like 'api projects user with reader rights for hidden project'
    it_should_behave_like 'api projects user without fork rights'
    it_should_behave_like 'api projects user without fork rights for hidden project'
    it_should_behave_like 'api projects user with admin rights'
    it_should_behave_like 'api projects user with owner rights'
  end

  context 'for reader user' do
    let(:user) { FactoryGirl.create(:user) }

    before do
      http_login(user)
      create_relation(project, user, 'reader')
    end

    it_should_behave_like 'api projects user with reader rights'
    it_should_behave_like 'api projects user with reader rights for hidden project'
    it_should_behave_like 'api projects user with fork rights'
    it_should_behave_like 'api projects user with fork rights for hidden project'
    it_should_behave_like 'api projects user without admin rights'
    it_should_behave_like 'api projects user without owner rights'
  end

  context 'for writer user' do
    let(:user) { FactoryGirl.create(:user) }

    before do
      http_login(user)
      create_relation(project, user, 'writer')
    end

    it_should_behave_like 'api projects user with reader rights'
    it_should_behave_like 'api projects user with reader rights for hidden project'
    it_should_behave_like 'api projects user with fork rights'
    it_should_behave_like 'api projects user with fork rights for hidden project'
    it_should_behave_like 'api projects user without admin rights'
    it_should_behave_like 'api projects user without owner rights'
  end

  context 'for group' do
    let(:group) { FactoryGirl.create(:group) }
    let(:group_user) { FactoryGirl.create(:user) }

    before do
#      project.relations.destroy_all
      http_login(group_user)
    end

    context 'with no relations to project' do
      it_should_behave_like 'api projects user with reader rights'
      it_should_behave_like 'api projects user without reader rights for hidden project'
      it_should_behave_like 'api projects user with fork rights'
      it_should_behave_like 'api projects user without fork rights for hidden project'
      it_should_behave_like 'api projects user without admin rights'
      it_should_behave_like 'api projects user without owner rights'
    end

    context 'owner of the project' do
      let(:project) { FactoryGirl.create(:project, owner: group) }

      context 'reader user' do
        before { create_actor_relation(group, group_user, 'reader') }

        it_should_behave_like 'api projects user with reader rights'
        it_should_behave_like 'api projects user with reader rights for hidden project'
        it_should_behave_like 'api projects user with fork rights'
        it_should_behave_like 'api projects user with fork rights for hidden project'
        it_should_behave_like 'api projects user without admin rights'
        it_should_behave_like 'api projects user without owner rights'
      end

      context 'admin user' do
        before { create_actor_relation(group, group_user, 'admin') }

        it_should_behave_like 'api projects user with reader rights'
        it_should_behave_like 'api projects user with reader rights for hidden project'
        it_should_behave_like 'api projects user with fork rights'
        it_should_behave_like 'api projects user with fork rights for hidden project'
        it_should_behave_like 'api projects user with admin rights'
        it_should_behave_like 'api projects user with owner rights'
      end
    end

    context 'member of the project' do
      context 'with admin rights' do
        before do
          create_relation(project, group, 'admin')
        end

        context 'reader user' do
          before { create_actor_relation(group, group_user, 'reader') }

          it_should_behave_like 'api projects user with reader rights'
          it_should_behave_like 'api projects user with reader rights for hidden project'
          it_should_behave_like 'api projects user with fork rights'
          it_should_behave_like 'api projects user with fork rights for hidden project'
          it_should_behave_like 'api projects user with admin rights'
          it_should_behave_like 'api projects user without owner rights'
        end

        context 'admin user' do
          before { create_actor_relation(group, group_user, 'admin') }

          it_should_behave_like 'api projects user with reader rights'
          it_should_behave_like 'api projects user with reader rights for hidden project'
          it_should_behave_like 'api projects user with fork rights'
          it_should_behave_like 'api projects user with fork rights for hidden project'
          it_should_behave_like 'api projects user with admin rights'
          it_should_behave_like 'api projects user without owner rights'
        end
      end

      context 'with reader rights' do
        before { create_relation(project, group, 'reader') }

        context 'reader user' do
          before { create_actor_relation(group, group_user, 'reader') }

          it_should_behave_like 'api projects user with reader rights'
          it_should_behave_like 'api projects user with reader rights for hidden project'
          it_should_behave_like 'api projects user with fork rights'
          it_should_behave_like 'api projects user with fork rights for hidden project'
          it_should_behave_like 'api projects user without admin rights'
          it_should_behave_like 'api projects user without owner rights'

          context 'user should has best role' do
            before { create_relation(project, group_user, 'admin') }

            it_should_behave_like 'api projects user with reader rights'
            it_should_behave_like 'api projects user with fork rights'
            it_should_behave_like 'api projects user with fork rights for hidden project'
            it_should_behave_like 'api projects user with admin rights'
            it_should_behave_like 'api projects user without owner rights'
          end
        end


        context 'admin user' do
          before { create_actor_relation(group, group_user, 'admin') }

          it_should_behave_like 'api projects user with reader rights'
          it_should_behave_like 'api projects user with reader rights for hidden project'
          it_should_behave_like 'api projects user with fork rights'
          it_should_behave_like 'api projects user with fork rights for hidden project'
          it_should_behave_like 'api projects user without admin rights'
          it_should_behave_like 'api projects user without owner rights'
        end
      end
    end
  end
end