Merge commit from fork

* Fix domain blocks/rationales being visible to unapproved/unconfirmed users * Fix domain blocks/rationales being visible to suspended users Co-authored-by: Claire <claire.github-309c@sitedethib.com> * Allow moved users to view domain blocks * Add authorization specs for `/api/v1/instance/domain_blocks` spec * Fix tests * Fix incorrect test setup --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2025-02-27 15:49:57 +01:00 · 2025-02-27 15:49:57 +01:00 · 6b519cfefa
parent 06f879ce9b
commit 6b519cfefa
2 changed files with 94 additions and 9 deletions
--- a/app/controllers/api/v1/instances/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/instances/domain_blocks_controller.rb
@ -31,7 +31,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
  end

  def show_domain_blocks_to_user?
-    Setting.show_domain_blocks == 'users' && user_signed_in?
+    Setting.show_domain_blocks == 'users' && user_signed_in? && current_user.functional_or_moved?
  end

  def set_domain_blocks
@ -47,6 +47,6 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
  end

  def show_rationale_for_user?
-    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in? && current_user.functional_or_moved?
  end
 end
--- a/spec/requests/api/v1/instances/domain_blocks_spec.rb
+++ b/spec/requests/api/v1/instances/domain_blocks_spec.rb
@ -4,9 +4,10 @@ require 'rails_helper'

 RSpec.describe 'Domain Blocks' do
  describe 'GET /api/v1/instance/domain_blocks' do
-    before do
-      Fabricate(:domain_block)
-    end
+    let(:user) { Fabricate(:user) }
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id).token }
+
+    before { Fabricate(:domain_block) }

    context 'with domain blocks set to all' do
      before { Setting.show_domain_blocks = 'all' }
@ -30,11 +31,95 @@ RSpec.describe 'Domain Blocks' do
    context 'with domain blocks set to users' do
      before { Setting.show_domain_blocks = 'users' }

-      it 'returns http not found' do
-        get api_v1_instance_domain_blocks_path
+      context 'without authentication token' do
+        it 'returns http not found' do
+          get api_v1_instance_domain_blocks_path

-        expect(response)
-          .to have_http_status(404)
+          expect(response)
+            .to have_http_status(404)
+        end
+      end
+
+      context 'with authentication token' do
+        context 'with unapproved user' do
+          before { user.update(approved: false) }
+
+          it 'returns http not found' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(404)
+          end
+        end
+
+        context 'with unconfirmed user' do
+          before { user.update(confirmed_at: nil) }
+
+          it 'returns http not found' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(404)
+          end
+        end
+
+        context 'with disabled user' do
+          before { user.update(disabled: true) }
+
+          it 'returns http not found' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(404)
+          end
+        end
+
+        context 'with suspended user' do
+          before { user.account.update(suspended_at: Time.zone.now) }
+
+          it 'returns http not found' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(403)
+          end
+        end
+
+        context 'with moved user' do
+          before { user.account.update(moved_to_account_id: Fabricate(:account).id) }
+
+          it 'returns http success' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(200)
+
+            expect(response.content_type)
+              .to start_with('application/json')
+
+            expect(response.parsed_body)
+              .to be_present
+              .and(be_an(Array))
+              .and(have_attributes(size: 1))
+          end
+        end
+
+        context 'with normal user' do
+          it 'returns http success' do
+            get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
+
+            expect(response)
+              .to have_http_status(200)
+
+            expect(response.content_type)
+              .to start_with('application/json')
+
+            expect(response.parsed_body)
+              .to be_present
+              .and(be_an(Array))
+              .and(have_attributes(size: 1))
+          end
+        end
      end
    end