113 lines
4.0 KiB
Go
113 lines
4.0 KiB
Go
// Vikunja is a to-do list application to facilitate your life.
|
|
// Copyright 2018-present Vikunja and contributors. All rights reserved.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package webtests
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"testing"
|
|
|
|
"code.vikunja.io/api/pkg/db"
|
|
"code.vikunja.io/api/pkg/license"
|
|
"code.vikunja.io/api/pkg/user"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// The error body shape is covered by TestHuma_ErrorShapeIsRFC9457; this test
|
|
// only asserts gate status codes (404 on failure, matching v1).
|
|
func TestHumaAdminProjects(t *testing.T) {
|
|
t.Run("non-admin user gets 404", func(t *testing.T) {
|
|
e, err := setupTestEnv()
|
|
require.NoError(t, err)
|
|
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
|
|
defer license.ResetForTests()
|
|
|
|
s := db.NewSession()
|
|
defer s.Close()
|
|
u, err := user.GetUserByID(s, 1)
|
|
require.NoError(t, err)
|
|
require.False(t, u.IsAdmin, "fixture precondition: user1 is not an admin")
|
|
|
|
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", u, "")
|
|
assert.Equal(t, http.StatusNotFound, res.Code)
|
|
})
|
|
|
|
t.Run("admin without the feature gets 404", func(t *testing.T) {
|
|
e, err := setupTestEnv()
|
|
require.NoError(t, err)
|
|
// Empty feature set = licensed instance without the admin feature.
|
|
license.SetForTests([]license.Feature{})
|
|
defer license.ResetForTests()
|
|
|
|
admin := promoteToAdmin(t, 1)
|
|
|
|
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", admin, "")
|
|
assert.Equal(t, http.StatusNotFound, res.Code)
|
|
})
|
|
|
|
t.Run("admin with the feature sees every project", func(t *testing.T) {
|
|
e, err := setupTestEnv()
|
|
require.NoError(t, err)
|
|
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
|
|
defer license.ResetForTests()
|
|
|
|
admin := promoteToAdmin(t, 1)
|
|
|
|
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", admin, "")
|
|
require.Equal(t, http.StatusOK, res.Code, res.Body.String())
|
|
|
|
var envelope struct {
|
|
Items []struct {
|
|
ID int64 `json:"id"`
|
|
} `json:"items"`
|
|
Total int64 `json:"total"`
|
|
}
|
|
require.NoError(t, json.Unmarshal(res.Body.Bytes(), &envelope))
|
|
|
|
ids := make(map[int64]bool, len(envelope.Items))
|
|
for _, item := range envelope.Items {
|
|
ids[item.ID] = true
|
|
}
|
|
// Project 6 (owned by user6, not shared with user1) proves the list ignores ownership.
|
|
assert.True(t, ids[6], "expected project 6 in the admin list, got items %v", ids)
|
|
// Project 22 is archived, proving the list includes archived projects.
|
|
assert.True(t, ids[22], "expected archived project 22 in the admin list, got items %v", ids)
|
|
|
|
// Ported from v1 TestAdmin_ListProjects (admin_test.go:222-226): the
|
|
// response body must carry project fields and a hydrated owner.
|
|
body := res.Body.String()
|
|
assert.Contains(t, body, `"id":`)
|
|
assert.Contains(t, body, `"title":`)
|
|
// Owner is xorm:"-" and must be hydrated explicitly (project 1 is owned by user1).
|
|
assert.Contains(t, body, `"username":"user1"`)
|
|
assert.NotContains(t, body, `"owner":null`)
|
|
})
|
|
|
|
t.Run("unauthenticated caller gets 401", func(t *testing.T) {
|
|
e, err := setupTestEnv()
|
|
require.NoError(t, err)
|
|
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
|
|
defer license.ResetForTests()
|
|
|
|
// The token middleware rejects with 401 before the gate runs, matching v1.
|
|
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", nil, "")
|
|
assert.Equal(t, http.StatusUnauthorized, res.Code)
|
|
})
|
|
}
|