mirror of
https://github.com/lingble/chatwoot.git
synced 2025-11-03 20:48:07 +00:00
8d8ec23aa1
 ### Snyk has created this PR to fix 1 vulnerabilities in the rubygems dependencies of this project. #### Snyk changed the following file(s): - `Gemfile` <details> <summary>⚠️ <b>Warning</b></summary> ``` Failed to update the Gemfile.lock, please update manually before merging. ``` </details> #### Vulnerabilities that will be fixed with an upgrade: | | Issue | Score | :-------------------------:|:-------------------------|:-------------------------  | Web Cache Poisoning <br/>[SNYK-RUBY-RACK-1061917](https://snyk.io/vuln/SNYK-RUBY-RACK-1061917) | **616** --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - Max score is 1000. Note that the real score may have changed since the PR was raised. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs._ For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJhMWE2MzkzZS03ODdhLTRmYWItOGY1MS0zZjdmN2YzNzVlZDYiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImExYTYzOTNlLTc4N2EtNGZhYi04ZjUxLTNmN2Y3ZjM3NWVkNiJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr) 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates) 🛠 [Adjust project settings](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read about Snyk's upgrade logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Learn about vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io/?loc=fix-pr) [//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"rspec-rails","from":"6.1.4","to":"6.1.5"}],"env":"prod","issuesToFix":[{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"}],"prId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","prPublicId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","packageManager":"rubygems","priorityScoreList":[616],"projectPublicId":"b7197bbd-6200-4f23-931d-c39928584360","projectUrl":"https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["updated-fix-title","pr-warning-shown","priorityScore"],"type":"auto","upgrade":["SNYK-RUBY-RACK-1061917"],"vulns":["SNYK-RUBY-RACK-1061917"],"patch":[],"isBreakingChange":false,"remediationStrategy":"vuln"}' --------- Co-authored-by: snyk-bot <snyk-bot@snyk.io>
221 lines
9.2 KiB
Ruby
221 lines
9.2 KiB
Ruby
require 'rails_helper'
|
|
|
|
RSpec.describe 'Platform Users API', type: :request do
|
|
let!(:user) { create(:user, email: 'dev+testing@chatwoot.com', custom_attributes: { test: 'test' }) }
|
|
|
|
describe 'GET /platform/api/v1/users/{user_id}' do
|
|
context 'when it is an unauthenticated platform app' do
|
|
it 'returns unauthorized' do
|
|
get "/platform/api/v1/users/#{user.id}"
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an invalid platform app token' do
|
|
it 'returns unauthorized' do
|
|
get "/platform/api/v1/users/#{user.id}", headers: { api_access_token: 'invalid' }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an authenticated platform app' do
|
|
let(:platform_app) { create(:platform_app) }
|
|
|
|
it 'returns unauthorized when its not a permissible object' do
|
|
get "/platform/api/v1/users/#{user.id}", headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
|
|
it 'shows a user when its permissible object' do
|
|
create(:platform_app_permissible, platform_app: platform_app, permissible: user)
|
|
|
|
get "/platform/api/v1/users/#{user.id}",
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
|
|
expect(response).to have_http_status(:success)
|
|
data = response.parsed_body
|
|
expect(data['email']).to eq(user.email)
|
|
expect(data['custom_attributes']['test']).to eq('test')
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'GET /platform/api/v1/users/{user_id}/login' do
|
|
context 'when it is an unauthenticated platform app' do
|
|
it 'returns unauthorized' do
|
|
get "/platform/api/v1/users/#{user.id}/login"
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an invalid platform app token' do
|
|
it 'returns unauthorized' do
|
|
get "/platform/api/v1/users/#{user.id}/login", headers: { api_access_token: 'invalid' }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an authenticated platform app' do
|
|
let(:platform_app) { create(:platform_app) }
|
|
|
|
it 'returns unauthorized when its not a permissible object' do
|
|
get "/platform/api/v1/users/#{user.id}/login", headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
|
|
it 'return login link for user' do
|
|
create(:platform_app_permissible, platform_app: platform_app, permissible: user)
|
|
|
|
get "/platform/api/v1/users/#{user.id}/login",
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
|
|
expect(response).to have_http_status(:success)
|
|
data = response.parsed_body
|
|
expect(data['url']).to include('email=dev%2Btesting%40chatwoot.com&sso_auth_token=')
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'POST /platform/api/v1/users/' do
|
|
context 'when it is an unauthenticated platform app' do
|
|
it 'returns unauthorized' do
|
|
post '/platform/api/v1/users'
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an invalid platform app token' do
|
|
it 'returns unauthorized' do
|
|
post '/platform/api/v1/users/', headers: { api_access_token: 'invalid' }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an authenticated platform app' do
|
|
let(:platform_app) { create(:platform_app) }
|
|
|
|
it 'creates a new user and permissible for the user without sending an email' do
|
|
# TODO: enqueued mail check failes because of : https://github.com/rspec/rspec-rails/pull/2793
|
|
# revert to this block when the issue is fixed
|
|
|
|
# expect do
|
|
# post '/platform/api/v1/users/', params: { name: 'test', display_name: 'displaytest',
|
|
# email: 'test@test.com', password: 'Password1!',
|
|
# custom_attributes: { test: 'test_create' } },
|
|
# headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
# byebug
|
|
# end.not_to have_enqueued_mail
|
|
|
|
##------ revert this block when the issue is fixed
|
|
post '/platform/api/v1/users/', params: { name: 'test', display_name: 'displaytest',
|
|
email: 'test@test.com', password: 'Password1!',
|
|
custom_attributes: { test: 'test_create' } },
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
mail_jobs = ActiveJob::Base.queue_adapter.enqueued_jobs.select do |job|
|
|
job[:job] == 'ActionMailer::MailDeliveryJob'
|
|
end
|
|
expect(mail_jobs.count).to eq(0)
|
|
##------ revert this block when the issue is fixed
|
|
|
|
expect(response).to have_http_status(:success)
|
|
data = response.parsed_body
|
|
expect(data).to match(
|
|
hash_including(
|
|
'name' => 'test',
|
|
'display_name' => 'displaytest',
|
|
'email' => 'test@test.com',
|
|
'custom_attributes' => {
|
|
'test' => 'test_create'
|
|
}
|
|
)
|
|
)
|
|
expect(platform_app.platform_app_permissibles.first.permissible_id).to eq data['id']
|
|
end
|
|
|
|
it 'fetch existing user and creates permissible for the user' do
|
|
create(:user, name: 'old test', email: 'test@test.com')
|
|
post '/platform/api/v1/users/', params: { name: 'test', email: 'test@test.com', password: 'Password1!' },
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
|
|
expect(response).to have_http_status(:success)
|
|
data = response.parsed_body
|
|
expect(data['name']).to eq('old test')
|
|
expect(platform_app.platform_app_permissibles.first.permissible_id).to eq data['id']
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'PATCH /platform/api/v1/users/{user_id}' do
|
|
context 'when it is an unauthenticated platform app' do
|
|
it 'returns unauthorized' do
|
|
patch "/platform/api/v1/users/#{user.id}"
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an invalid platform app token' do
|
|
it 'returns unauthorized' do
|
|
patch "/platform/api/v1/users/#{user.id}", headers: { api_access_token: 'invalid' }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an authenticated platform app' do
|
|
let(:platform_app) { create(:platform_app) }
|
|
|
|
it 'returns unauthorized when its not a permissible object' do
|
|
patch "/platform/api/v1/users/#{user.id}", params: { name: 'test' },
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
|
|
it 'updates the user attributes' do
|
|
create(:platform_app_permissible, platform_app: platform_app, permissible: user)
|
|
patch "/platform/api/v1/users/#{user.id}", params: {
|
|
name: 'test123', email: 'newtestemail@test.com', custom_attributes: { test: 'test_update' }
|
|
},
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
|
|
expect(response).to have_http_status(:success)
|
|
data = response.parsed_body
|
|
expect(data['name']).to eq('test123')
|
|
expect(data['email']).to eq('newtestemail@test.com')
|
|
expect(data['custom_attributes']['test']).to eq('test_update')
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'DELETE /platform/api/v1/users/{user_id}' do
|
|
context 'when it is an unauthenticated platform app' do
|
|
it 'returns unauthorized' do
|
|
delete "/platform/api/v1/users/#{user.id}"
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an invalid platform app token' do
|
|
it 'returns unauthorized' do
|
|
delete "/platform/api/v1/users/#{user.id}", headers: { api_access_token: 'invalid' }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
end
|
|
|
|
context 'when it is an authenticated platform app' do
|
|
let(:platform_app) { create(:platform_app) }
|
|
|
|
it 'returns unauthorized when its not a permissible object' do
|
|
delete "/platform/api/v1/users/#{user.id}", headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
expect(response).to have_http_status(:unauthorized)
|
|
end
|
|
|
|
it 'deletes the user' do
|
|
create(:platform_app_permissible, platform_app: platform_app, permissible: user)
|
|
expect(DeleteObjectJob).to receive(:perform_later).with(user).once
|
|
delete "/platform/api/v1/users/#{user.id}",
|
|
headers: { api_access_token: platform_app.access_token.token }, as: :json
|
|
expect(response).to have_http_status(:success)
|
|
end
|
|
end
|
|
end
|
|
end
|