fix leaking emails on admin user search controller #14

Merged
merged 1 commit into from
Aug 26, 2022
Expand Up @@ -30,11 +30,11 @@ def update
end

def users
search(current_organization.users)
search(current_organization.users.available)
end

def user_entities
search(current_organization.user_entities)
search(current_organization.user_entities.available)
end

private
Expand All @@ -51,7 +51,7 @@ def search(relation)
query.where("email ILIKE ?", "%#{term}%")
)
end
render json: query.all.collect { |u| { value: u.id, label: "#{u.name} (@#{u.nickname}) #{u.email}" } }
render json: query.all.collect { |u| { value: u.id, label: "#{u.name} (@#{u.nickname})" } }
else
render json: []
end
115 changes: 0 additions & 115 deletions decidim-admin/spec/controllers/organizations_contoller_spec.rb

This file was deleted.

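--- /dev/null
+++ b/decidim-admin/spec/controllers/organizations_controller_spec.rb
@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Decidim
+module Admin
+describe OrganizationController, type: :controller do
+routes { Decidim::Admin::Engine.routes }
+
+let(:organization) { create :organization }
+let(:current_user) { create(:user, :admin, :confirmed, organization: organization) }
+
+before do
+request.env["decidim.current_organization"] = organization
+sign_in current_user, scope: :user
+end
+
+describe "GET users and user groups in json format" do
+let!(:user) { create(:user, name: "Daisy Miller", nickname: "daisy_m", organization: organization, email: "[email protected]") }
+let!(:blocked_user) { create(:user, :blocked, name: "Daisy Blocked", nickname: "daisy_b", organization: organization, email: "[email protected]") }
+let!(:managed_user) { create(:user, :managed, name: "Daisy Managed", nickname: "daisy_g", organization: organization, email: "[email protected]") }
+let!(:deleted_user) { create(:user, :deleted, name: "Daisy Deleted", nickname: "daisy_d", organization: organization, email: "[email protected]") }
+let!(:other_user) { create(:user, name: "Daisy O'connor", nickname: "daisy_o", email: "[email protected]") }
+let!(:user_group) do
+create(
+:user_group,
+:verified,
+name: "Daisy Organization",
+nickname: "daisy_org",
+email: "[email protected]",
+users: [user],
+organization: organization
+)
+end
+let(:parsed_response) { JSON.parse(response.body).map(&:symbolize_keys) }
+
+context "when searching by name" do
+it "returns the id, name and nickname for filtered users and user groups" do
+get :user_entities, format: :json, params: { term: "daisy" }
+expect(parsed_response).to include({ value: user.id, label: "#{user.name} (@#{user.nickname})" })
+expect(parsed_response).to include({ value: user_group.id, label: "#{user_group.name} (@#{user_group.nickname})" })
+expect(parsed_response).not_to include({ value: other_user.id, label: "#{other_user.name} (@#{other_user.nickname})" })
+expect(parsed_response).not_to include({ value: blocked_user.id, label: "#{blocked_user.name} (@#{blocked_user.nickname})" })
+expect(parsed_response).not_to include({ value: deleted_user.id, label: "#{deleted_user.name} (@#{deleted_user.nickname})" })
+expect(parsed_response).not_to include({ value: managed_user.id, label: "#{managed_user.name} (@#{managed_user.nickname})" })
+end
+end
+
+context "when searching by nickname" do
+it "returns the id, name and nickname for filtered users and user groups" do
+get :user_entities, format: :json, params: { term: "@daisy" }
+expect(parsed_response).to include({ value: user.id, label: "#{user.name} (@#{user.nickname})" })
+expect(parsed_response).to include({ value: user_group.id, label: "#{user_group.name} (@#{user_group.nickname})" })
+expect(parsed_response).not_to include({ value: other_user.id, label: "#{other_user.name} (@#{other_user.nickname})" })
+expect(parsed_response).not_to include({ value: blocked_user.id, label: "#{blocked_user.name} (@#{blocked_user.nickname})" })
+expect(parsed_response).not_to include({ value: deleted_user.id, label: "#{deleted_user.name} (@#{deleted_user.nickname})" })
+expect(parsed_response).not_to include({ value: managed_user.id, label: "#{managed_user.name} (@#{managed_user.nickname})" })
+end
+end
+
+context "when searching by email" do
+it "returns the id, name and nickname for filtered users and user groups" do
+get :user_entities, format: :json, params: { term: "d.mail" }
+expect(parsed_response).to include({ value: user.id, label: "#{user.name} (@#{user.nickname})" })
+expect(parsed_response).to include({ value: user_group.id, label: "#{user_group.name} (@#{user_group.nickname})" })
+expect(parsed_response).not_to include({ value: other_user.id, label: "#{other_user.name} (@#{other_user.nickname})" })
+expect(parsed_response).not_to include({ value: blocked_user.id, label: "#{blocked_user.name} (@#{blocked_user.nickname})" })
+expect(parsed_response).not_to include({ value: deleted_user.id, label: "#{deleted_user.name} (@#{deleted_user.nickname})" })
+expect(parsed_response).not_to include({ value: managed_user.id, label: "#{managed_user.name} (@#{managed_user.nickname})" })
+end
+end
+
+context "when user is blocked" do
+let!(:user) { create(:user, :blocked, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+
+context "when user is managed" do
+let!(:user) { create(:user, :managed, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+
+context "when user is deleted" do
+let!(:user) { create(:user, :deleted, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+end
+
+describe "GET users in json format" do
+let!(:user) { create(:user, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+let!(:other_user) { create(:user, name: "Daisy O'connor", nickname: "daisy_o") }
+let!(:user_group) do
+create(
+:user_group,
+:verified,
+name: "Daisy Organization",
+nickname: "daysy_org",
+users: [user],
+organization: organization
+)
+end
+
+let(:parsed_response) { JSON.parse(response.body).map(&:symbolize_keys) }
+
+context "when no search term is provided" do
+it "returns an empty result set" do
+get :users, format: :json, params: {}
+expect(parsed_response).to eq([])
+end
+end
+
+context "when there are no results" do
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "#0" }
+expect(parsed_response).to eq([])
+end
+end
+
+context "when searching by name" do
+it "returns the id, name and nickname for filtered users" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([{ value: user.id, label: "#{user.name} (@#{user.nickname})" }])
+end
+end
+
+context "when searching by nickname" do
+it "returns the id, name and nickname for filtered users" do
+get :users, format: :json, params: { term: "@daisy" }
+expect(parsed_response).to eq([{ value: user.id, label: "#{user.name} (@#{user.nickname})" }])
+end
+end
+
+context "when searching by email" do
+it "returns the id, name and nickname for filtered users" do
+get :users, format: :json, params: { term: user.email }
+expect(parsed_response).to eq([{ value: user.id, label: "#{user.name} (@#{user.nickname})" }])
+end
+end
+
+context "when user is blocked" do
+let!(:user) { create(:user, :blocked, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+
+context "when user is managed" do
+let!(:user) { create(:user, :managed, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+
+context "when user is deleted" do
+let!(:user) { create(:user, :deleted, name: "Daisy Miller", nickname: "daisy_m", organization: organization) }
+
+it "returns an empty json array" do
+get :users, format: :json, params: { term: "daisy" }
+expect(parsed_response).to eq([])
+end
+end
+end
+end
+end
+end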
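Review bot: The spec never asserts that an email address is absent from the response body, even though suppressing it is the point of this change; the exact-hash `include`/`eq` matchers only pin the `label` shape, so a later change that exposes the address under another key would still pass. In each `when searching by email` example (the `get :user_entities` request with `term: "d.mail"` and the `get :users` request with `term: user.email`) add `expect(response.body).not_to include(user.email)`, and the same for `user_group.email` where a group is created with one. The three blocked/managed/deleted contexts inside the `GET users and user groups in json format` describe call `get :users` and duplicate the identical contexts in the `GET users in json format` describe; either point them at `:user_entities` or drop them. The user group nickname in the second describe reads `daysy_org` where the first uses `daisy_org`; it is harmless here because `:users` does not return groups, but it looks unintended.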
1 change: 1 addition & 0 deletions decidim-core/app/models/decidim/user_base_entity.rb
Expand Up @@ -30,6 +30,7 @@ class UserBaseEntity < ApplicationRecord

scope :blocked, -> { where(blocked: true) }
scope :not_blocked, -> { where(blocked: false) }
scope :available, -> { where(deleted_at: nil, blocked: false, managed: false) }

# Public: Returns a collection with all the public entities this user is following.
#
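Review bot: The new `available` scope is now the only gate on what the admin search surfaces (the controller hunk on this page switches `users` and `user_entities` to it), yet it restates the `blocked: false` condition that `not_blocked` on the line above already defines, and it carries no comment explaining the three exclusions. Compose it from the existing scope and document it, e.g. `# Entities an admin lookup may surface: not flagged deleted (deleted_at set), not blocked and not managed.` followed by `scope :available, -> { not_blocked.where(deleted_at: nil, managed: false) }`. Whether a deleted or managed scope already exists elsewhere in the class is not visible in this hunk; if one does, composing from it keeps the definitions from drifting apart.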