diff --git a/app/controllers/ui/users_controller.rb b/app/controllers/ui/users_controller.rb index 5e15d3b0..18875328 100644 --- a/app/controllers/ui/users_controller.rb +++ b/app/controllers/ui/users_controller.rb @@ -1,6 +1,7 @@ module Ui class UsersController < ApplicationController include SharedControllerMethods + def index @title = I18n.t(:users_index_title) end @@ -15,6 +16,29 @@ def new @user = User.new end + def create + if current_user + flash[:alert] = I18n.t(:new_user_not_allowed_for_logged_in_users) + redirect_to ui_users_path + return + end + @user = User.new(params.require(:user).permit( + :username, + :email, + :password, + :password_confirmation, + :ts_and_cs, + )) + if @user.valid? + @user.save + session[:user_id] = @user.id + flash[:success] = I18n.t(:new_user_success) + redirect_to ui_users_path + else + flash[:alert] = I18n.t(:new_user_failure) + render :new, status: :unprocessable_entity + end + end def delete @user = User.find(params[:id]) unless authorize? @user, :destroy? @@ -45,29 +69,5 @@ def destroy def post_delete @title = I18n.t(:post_delete_user_title) end - - def create - if current_user - flash[:alert] = I18n.t(:new_user_not_allowed_for_logged_in_users) - redirect_to ui_users_path - return - end - @user = User.new(params.require(:user).permit( - :username, - :email, - :password, - :password_confirmation, - :ts_and_cs, - )) - if @user.valid? - @user.save - session[:user_id] = @user.id - flash[:success] = I18n.t(:new_user_success) - redirect_to ui_users_path - else - flash[:alert] = I18n.t(:new_user_failure) - render :new, status: :unprocessable_entity - end - end end end diff --git a/spec/controllers/ui/users_controller_spec.rb b/spec/controllers/ui/users_controller_spec.rb index 73d5b9a6..48a12a4e 100644 --- a/spec/controllers/ui/users_controller_spec.rb +++ b/spec/controllers/ui/users_controller_spec.rb 
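Review bot: In the added `create`, the return value of `@user.save` is discarded after a separate `@user.valid?` check, so validations run twice and a save that returns false (for example a callback halting the write) still falls through to `session[:user_id] = @user.id` and the success flash. Collapsing the two calls into `if @user.save` makes the branch depend on what was actually persisted. Since this branch also signs the new account in, calling `reset_session` immediately before `session[:user_id] = @user.id` is the usual Rails precaution against session fixation. The method body is complete within the hunk; the surrounding class continues past it.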
@@ -4,6 +4,84 @@ let(:user) { create(:user) } + describe "index" do + it "renders the template" do + get :index + expect(response).to have_http_status(:success) + expect(response).to render_template(:index) + end + end + + describe "new" do + context "when no user is logged in" do + it "renders the new user form" do + get :new + expect(response).to have_http_status(:success) + expect(response).to render_template(:new) + end + end + + context "when a user is logged in" do + it "displays an error message and redirects to the ui users path" do + get :new, session: { user_id: user.id } + expect(response).to redirect_to(ui_users_path) + expect(flash[:alert]).to be_present + end + end + end + + describe "create" do + let(:user_params) { + { + username: "test_user", + email: "test@example.com", + password: "password123", + password_confirmation: "password123", + ts_and_cs: "1" + } + } + context "when a user is logged in" do + it "displays an error message and redirects to the ui users path, without creating a user" do + expect_any_instance_of(User).not_to receive(:save) + post :create, params: { user: user_params }, session: { user_id: user.id } + expect(response).to redirect_to(ui_users_path) + expect(flash[:alert]).to be_present + end + end + + context "when no user is logged in" do + context "when the parameters provided are valid" do + it "creates a user, logs them in, and redirects to the ui user path" do + expect_any_instance_of(User).to receive(:save) + post :create, params: { user: user_params }, session: { user_id: nil } + expect(response).to redirect_to(ui_users_path) + expect(flash[:success]).to be_present + end + end + + context "when the parameters provided are not valid" do + let(:user_params) { + { + username: "test_user", + email: "test_example.com", + password: "password123", + password_confirmation: "anotherpassword", + ts_and_cs: nil + } + } + + it "does not create a user, and renders the new user page" do + expect_any_instance_of(User).not_to 
receive(:save) + post :create, params: { user: user_params }, session: { user_id: nil } + expect(response).to have_http_status(:unprocessable_entity) + expect(response).to render_template(:new) + expect(flash[:alert]).to be_present + end + end + end + end + + describe "delete" do context "when the correct user is logged in" do it "displays the delete user form" do diff --git a/spec/features/user_management_spec.rb b/spec/features/user_management_spec.rb index b8f6c553..f0d935d9 100644 --- a/spec/features/user_management_spec.rb +++ b/spec/features/user_management_spec.rb @@ -140,28 +140,4 @@ expect(device.reload).to be_archived end end - - scenario "An unauthorized user tries to delete an account that isn't theirs" do - password = "password123" - username = "username" - evil_username = "" - user = create(:user, username: username) - evil_user = create(:user, username: evil_username, password: password, password_confirmation: password) - devices = 2.times.map { create(:device, owner: user) } - visit "/login" - fill_in "Username or email", with: evil_username - fill_in "Password", with: password - click_on "Sign into your account" - expect(page).to have_current_path(ui_users_path) - visit "" - expect(page).to have_current_path(delete_ui_user_path(user.id)) - fill_in "To confirm, type your username below:", with: username - click_on "I understand, delete my account" - expect(page).to have_current_path(post_delete_ui_users_path) - expect(page).to have_content("We are sorry to see you go!") - expect(user.reload).to be_archived - devices.each do |device| - expect(device.reload).to be_archived - end - end end
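Review bot: The "creates a user, logs them in" example in the added `create` block asserts neither half of its title: `expect_any_instance_of(User).to receive(:save)` replaces the real save, so no record is written, and `session[:user_id]` is never checked. Asserting on the persisted record instead, `expect { post :create, params: { user: user_params } }.to change(User, :count).by(1)` followed by `expect(session[:user_id]).to eq(User.last.id)`, would exercise the controller's real success path. The same `expect_any_instance_of` pattern is used in the two negative examples; rspec-mocks discourages it, and `expect { post :create, ... }.not_to change(User, :count)` states the same expectation without stubbing. This hunk begins on the preceding collapsed line.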