From d407b22e34ffd9c4705dfd60a00c014ebdf9f120 Mon Sep 17 00:00:00 2001
From: yuenmichelle1
Date: Fri, 6 Sep 2024 13:29:32 -0500
Subject: [PATCH] Disallow membership creation/reactivation if user_group is inactive (#4385)
* disallow membership creation/reactivation if user_group is inactive
* update formatting and spacing per hound sniffs
* update specs to ensure custom error message is returned
---
 app/operations/memberships/create.rb | 1 +
 .../api/v1/memberships_controller_spec.rb | 47 ++++++++++++++++++-
 spec/operations/memberships/create_spec.rb | 7 +++
 3 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/app/operations/memberships/create.rb b/app/operations/memberships/create.rb
index 0ce11a6a4..2bcd84a05 100644
--- a/app/operations/memberships/create.rb
+++ b/app/operations/memberships/create.rb
@@ -11,6 +11,7 @@ def execute
 raise Unauthenticated unless api_user.logged_in?
 raise Unauthorized unless user_group.verify_join_token(join_token)
 raise Unauthorized unless user.id == api_user.id
+ raise Unauthorized, 'Group is inactive' if user_group.disabled?
 membership = Membership.find_or_initialize_by(user: api_user.user, user_group: user_group)
 membership.state = :active
diff --git a/spec/controllers/api/v1/memberships_controller_spec.rb b/spec/controllers/api/v1/memberships_controller_spec.rb
index a6ebe9d9f..5309ed5d7 100644
--- a/spec/controllers/api/v1/memberships_controller_spec.rb
+++ b/spec/controllers/api/v1/memberships_controller_spec.rb
@@ -57,7 +57,7 @@
 describe "#create" do
 let(:test_attr) { :state }
 let(:test_attr_value) { "active" }
- let(:user_group) { create :user_group }
+ let(:user_group) { create(:user_group) }
 let(:create_params) do
 {
 memberships: {
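Review bot: The new `user_group.disabled?` guard in `execute` depends on sitting after `verify_join_token` and the `user.id == api_user.id` check, and nothing on the line records that. The controller spec in this commit shows the 'Group is inactive' message reaching the response body, so moving the guard above the token check in a later refactor would let any logged-in caller learn a group's activation state by id. I would add a comment above it such as `# Keep after the join-token and identity checks: the message reveals group state, so only token holders may see it.` The guard exists only in this operation; whether other write paths can set a membership to active in a disabled group is not visible here, and a validation on Membership would cover them if so. The body of `execute` continues outside the hunk.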
@@ -70,7 +70,50 @@
 }
 end
- it_behaves_like "is creatable"
+ it_behaves_like 'is creatable'
+
+ it 're-activates a membership' do
+ membership = create(:membership, user_id: authorized_user.id, user_group_id: user_group.id, state: :inactive)
+ default_request scopes: scopes, user_id: authorized_user.id
+ post :create, params: create_params
+ expect(response).to have_http_status(:created)
+ expect(membership.reload.state).to eq('active')
+ end
+
+ context 'with an inactive user_group' do
+ let(:inactive_user_group) { create(:user_group, activated_state: :inactive) }
+ let(:params) do
+ {
+ memberships: {
+ join_token: inactive_user_group.join_token,
+ links: {
+ user: authorized_user.id.to_s,
+ user_group: inactive_user_group.id.to_s
+ }
+ }
+ }
+ end
+
+ before do
+ default_request scopes: scopes, user_id: authorized_user.id
+ post :create, params: params
+ end
+
+ it 'disallows membership creation' do
+ expect(response).to have_http_status(:unprocessable_entity)
+ end
+
+ it 'responds with group is inactive error message' do
+ response_body = JSON.parse(response.body)
+ expect(response_body['errors'][0]['message']).to eq('Group is inactive')
+ end
+
+ it 'disallows membership re-activation' do
+ membership = create(:membership, user_id: authorized_user.id, user_group_id: inactive_user_group.id, state: :inactive)
+ expect(response).to have_http_status(:unprocessable_entity)
+ expect(membership.reload.state).to eq('inactive')
+ end
+ end
 end
 describe "#destroy" do
diff --git a/spec/operations/memberships/create_spec.rb b/spec/operations/memberships/create_spec.rb
index f034d291c..8493626ca 100644
--- a/spec/operations/memberships/create_spec.rb
+++ b/spec/operations/memberships/create_spec.rb
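Review bot: The example 'disallows membership re-activation' creates its inactive membership after the `before` block has already issued `post :create`, so the request never sees an existing membership and `membership.reload.state` is trivially 'inactive'. The example would pass even if the operation reactivated memberships in disabled groups. The membership has to exist before the request, for instance by removing `post :create, params: params` from the `before` block and calling it inside each example, after the `create(:membership, ...)` line in this one. As written, the status assertion in that example only repeats 'disallows membership creation'; with the setup reordered it would exercise the re-activation path.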
@@ -34,6 +34,13 @@
 end.to raise_error(Operation::Unauthorized)
 end
+ it 'disallows you to add yourself to an inactive group' do
+ inactive_user_group = create(:user_group, activated_state: :inactive)
+ expect do
+ operation.run links: { user: you.id, user_group: inactive_user_group.id }, join_token: inactive_user_group.join_token
+ end.to raise_error(Operation::Unauthorized, 'Group is inactive')
+ end
+
 it 'does not work for missing groups' do
 expect do
 operation.run links: {user: you.id, user_group: 0}, join_token: 'wrong_token'
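Review bot: The new example covers an inactive group with a valid join token, but no example pins what happens for an inactive group with an invalid token. Because the operation raises `Unauthorized` with a distinct 'Group is inactive' message, a companion example should assert that a wrong token raises `Operation::Unauthorized` without that message, e.g. `expect { operation.run links: { user: you.id, user_group: inactive_user_group.id }, join_token: 'wrong_token' }.to raise_error(Operation::Unauthorized) { |e| expect(e.message).not_to eq('Group is inactive') }`. That would fail if the checks were ever reordered in a way that discloses a group's state to callers who do not hold its token. The enclosing describe block starts and ends outside the hunk.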