X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/09c5740b5bb94c75a5c8c83cdbb80ae7b5ccbdf4..9813d9f1e48d575bb0e0b5029dc0ec134a011090:/test/functional/user_roles_controller_test.rb

diff --git a/test/functional/user_roles_controller_test.rb b/test/functional/user_roles_controller_test.rb
index 3bced12e4..ed5d1a17d 100644
--- a/test/functional/user_roles_controller_test.rb
+++ b/test/functional/user_roles_controller_test.rb
@@ -3,36 +3,136 @@ require File.dirname(__FILE__) + '/../test_helper'
 class UserRolesControllerTest < ActionController::TestCase
   fixtures :users, :user_roles
 
-  test "grant" do
-    check_forbidden(:grant, :public_user)
-    check_forbidden(:grant, :moderator_user)
-    check_success(:grant, :administrator_user)
+  ##
+  # test all routes which lead to this controller
+  def test_routes
+    assert_routing(
+      { :path => "/user/username/role/rolename/grant", :method => :post },
+      { :controller => "user_roles", :action => "grant", :display_name => "username", :role => "rolename" }
+    )
+    assert_routing(
+      { :path => "/user/username/role/rolename/revoke", :method => :post },
+      { :controller => "user_roles", :action => "revoke", :display_name => "username", :role => "rolename" }
+    )
   end
 
-  test "revoke" do
-    check_forbidden(:revoke, :public_user)
-    check_forbidden(:revoke, :moderator_user)
-    check_success(:revoke, :administrator_user)
-  end
+  ##
+  # test the grant action
+  def test_grant
+    # Granting should fail when not logged in
+    post :grant, :display_name => users(:normal_user).display_name, :role => "moderator"
+    assert_response :forbidden
+
+    # Login as an unprivileged user
+    session[:user] = users(:public_user).id
+    cookies["_osm_username"] = users(:public_user).display_name
+
+    # Granting should still fail
+    post :grant, :display_name => users(:normal_user).display_name, :role => "moderator"
+    assert_redirected_to user_path(users(:normal_user).display_name)
+    assert_equal "Only administrators can perform user role management, and you are not an administrator.", flash[:error]
+
+    # Login as an administrator
+    session[:user] = users(:administrator_user).id
+    cookies["_osm_username"] = users(:administrator_user).display_name
 
-  def check_forbidden(action, user)
     UserRole::ALL_ROLES.each do |role|
-      u = users(user)
-      basic_authorization(u.email, "test")
-      
-      get(action, {:display_name => users(:second_public_user).display_name, :role => role}, {'user' => u.id})
-      assert_response :redirect
-      assert_redirected_to "/403.html"
+
+      # Granting a role to a non-existent user should fail
+      assert_difference "UserRole.count", 0 do
+        post :grant, :display_name => "non_existent_user", :role => role
+      end
+      assert_response :not_found
+      assert_template "user/no_such_user"
+      assert_select "h2", "The user non_existent_user does not exist"
+
+      # Granting a role from a user that already has it should fail
+      assert_no_difference "UserRole.count" do
+        post :grant, :display_name => users(:super_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:super_user).display_name)
+      assert_equal "The user already has role #{role}.", flash[:error]
+
+      # Granting a role to a user that doesn't have it should work...
+      assert_difference "UserRole.count", 1 do
+        post :grant, :display_name => users(:normal_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:normal_user).display_name)
+
+      # ...but trying a second time should fail
+      assert_no_difference "UserRole.count" do
+        post :grant, :display_name => users(:normal_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:normal_user).display_name)
+      assert_equal "The user already has role #{role}.", flash[:error]
+
+    end
+
+    # Granting a non-existent role should fail
+    assert_difference "UserRole.count", 0 do
+      post :grant, :display_name => users(:normal_user).display_name, :role => "no_such_role"
     end
+    assert_redirected_to user_path(users(:normal_user).display_name)
+    assert_equal "The string `no_such_role' is not a valid role.", flash[:error]
   end
 
-  def check_success(action, user)
+  ##
+  # test the revoke action
+  def test_revoke
+    # Revoking should fail when not logged in
+    post :revoke, :display_name => users(:normal_user).display_name, :role => "moderator"
+    assert_response :forbidden
+
+    # Login as an unprivileged user
+    session[:user] = users(:public_user).id
+    cookies["_osm_username"] = users(:public_user).display_name
+
+    # Revoking should still fail
+    post :revoke, :display_name => users(:normal_user).display_name, :role => "moderator"
+    assert_redirected_to user_path(users(:normal_user).display_name)
+    assert_equal "Only administrators can perform user role management, and you are not an administrator.", flash[:error]
+
+    # Login as an administrator
+    session[:user] = users(:administrator_user).id
+    cookies["_osm_username"] = users(:administrator_user).display_name
+
     UserRole::ALL_ROLES.each do |role|
-      u = users(user)
-      basic_authorization(u.email, "test")
-      
-      get(action, {:display_name => users(:second_public_user).display_name, :role => role}, {'user' => u.id})
-      assert_response :success
+
+      # Removing a role from a non-existent user should fail
+      assert_difference "UserRole.count", 0 do
+        post :revoke, :display_name => "non_existent_user", :role => role
+      end
+      assert_response :not_found
+      assert_template "user/no_such_user"
+      assert_select "h2", "The user non_existent_user does not exist"
+
+      # Removing a role from a user that doesn't have it should fail
+      assert_no_difference "UserRole.count" do
+        post :revoke, :display_name => users(:normal_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:normal_user).display_name)
+      assert_equal "The user does not have role #{role}.", flash[:error]
+
+      # Removing a role' from a user that has it should work...
+      assert_difference "UserRole.count", -1 do
+        post :revoke, :display_name => users(:super_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:super_user).display_name)
+
+      # ...but trying a second time should fail
+      assert_no_difference "UserRole.count" do
+        post :revoke, :display_name => users(:super_user).display_name, :role => role
+      end
+      assert_redirected_to user_path(users(:super_user).display_name)
+      assert_equal "The user does not have role #{role}.", flash[:error]
+
+    end
+
+    # Revoking a non-existent role should fail
+    assert_difference "UserRole.count", 0 do
+      post :revoke, :display_name => users(:normal_user).display_name, :role => "no_such_role"
     end
+    assert_redirected_to user_path(users(:normal_user).display_name)
+    assert_equal "The string `no_such_role' is not a valid role.", flash[:error]
   end
 end