
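# frozen_string_literal: true

require 'rails_helper'

# Controller spec for the ActivityPub outbox endpoint.
#
# Two security properties are pinned here:
#   * Unsigned (anonymous) requests only ever see public/unlisted statuses,
#     and the response is publicly cacheable without cookies or a session,
#     so a shared cache can never capture per-user state.
#   * Signed requests are answered per-requester (followers see private
#     statuses, blocked requesters see nothing) and are therefore marked
#     `private` in Cache-Control so intermediaries never serve one
#     requester's view to another.
RSpec.describe ActivityPub::OutboxesController, type: :controller do
  let!(:account) { Fabricate(:account) }

  # Anonymous outbox responses must be safe to store in a shared cache.
  shared_examples 'cacheable response' do
    it 'does not set cookies' do
      expect(response.cookies).to be_empty
      # The header is `Set-Cookie`; checking a misspelled name is always nil
      # and would silently pass even if the controller started setting cookies.
      expect(response.headers['Set-Cookie']).to be_nil
    end

    it 'does not set sessions' do
      response # the lazy `subject` is only evaluated once referenced
      expect(session).to be_empty
    end

    it 'returns public Cache-Control header' do
      expect(response.headers['Cache-Control']).to include 'public'
    end
  end

  # One status per visibility level so each context can count exactly
  # which ones the requester is allowed to see.
  before do
    Fabricate(:status, account: account, visibility: :public)
    Fabricate(:status, account: account, visibility: :unlisted)
    Fabricate(:status, account: account, visibility: :private)
    Fabricate(:status, account: account, visibility: :direct)
    Fabricate(:status, account: account, visibility: :limited)
  end

  # `remote_account` is set by each context: nil means an unsigned request.
  before do
    allow(controller).to receive(:signed_request_account).and_return(remote_account)
  end

  describe 'GET #show' do
    context 'without signature' do
      let(:remote_account) { nil }

      subject(:response) { get :show, params: { account_username: account.username, page: page } }
      subject(:body) { body_as_json }

      context 'with page not requested' do
        let(:page) { nil }

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it 'returns totalItems' do
          expect(body[:totalItems]).to eq 4
        end

        it_behaves_like 'cacheable response'

        # The collection summary does not depend on the requester, so no Vary.
        it 'does not have a Vary header' do
          expect(response.headers['Vary']).to be_nil
        end

        context 'when account is permanently suspended' do
          before do
            account.suspend!
            account.deletion_request.destroy
          end

          it 'returns http gone' do
            expect(response).to have_http_status(410)
          end
        end

        context 'when account is temporarily suspended' do
          before do
            account.suspend!
          end

          it 'returns http forbidden' do
            expect(response).to have_http_status(403)
          end
        end
      end

      context 'with page requested' do
        let(:page) { 'true' }

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it 'returns orderedItems with public or unlisted statuses' do
          expect(body[:orderedItems]).to be_an Array
          expect(body[:orderedItems].size).to eq 2
          expect(body[:orderedItems].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
        end

        it_behaves_like 'cacheable response'

        # Page contents differ per signer, so caches must key on the signature.
        it 'returns Vary header with Signature' do
          expect(response.headers['Vary']).to include 'Signature'
        end

        context 'when account is permanently suspended' do
          before do
            account.suspend!
            account.deletion_request.destroy
          end

          it 'returns http gone' do
            expect(response).to have_http_status(410)
          end
        end

        context 'when account is temporarily suspended' do
          before do
            account.suspend!
          end

          it 'returns http forbidden' do
            expect(response).to have_http_status(403)
          end
        end
      end
    end

    context 'with signature' do
      let(:remote_account) { Fabricate(:account, domain: 'example.com') }
      let(:page) { 'true' }

      context 'when signed request account does not follow account' do
        before do
          get :show, params: { account_username: account.username, page: page }
        end

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it 'returns orderedItems with public or unlisted statuses' do
          json = body_as_json
          expect(json[:orderedItems]).to be_an Array
          expect(json[:orderedItems].size).to eq 2
          expect(json[:orderedItems].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
        end

        it 'returns private Cache-Control header' do
          expect(response.headers['Cache-Control']).to eq 'max-age=60, private'
        end
      end

      context 'when signed request account follows account' do
        before do
          remote_account.follow!(account)
          get :show, params: { account_username: account.username, page: page }
        end

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        # Followers additionally see the followers-only status; direct and
        # limited statuses stay excluded.
        it 'returns orderedItems with private statuses' do
          json = body_as_json
          expect(json[:orderedItems]).to be_an Array
          expect(json[:orderedItems].size).to eq 3
          expect(json[:orderedItems].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:to].include?(account_followers_url(account, ActionMailer::Base.default_url_options)) }).to be true
        end

        it 'returns private Cache-Control header' do
          expect(response.headers['Cache-Control']).to eq 'max-age=60, private'
        end
      end

      # A blocked signer gets a well-formed but empty page rather than an
      # error, so the block itself is not disclosed.
      context 'when signed request account is blocked' do
        before do
          account.block!(remote_account)
          get :show, params: { account_username: account.username, page: page }
        end

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it 'returns empty orderedItems' do
          json = body_as_json
          expect(json[:orderedItems]).to be_an Array
          expect(json[:orderedItems].size).to eq 0
        end

        it 'returns private Cache-Control header' do
          expect(response.headers['Cache-Control']).to eq 'max-age=60, private'
        end
      end

      context 'when signed request account is domain blocked' do
        before do
          account.block_domain!(remote_account.domain)
          get :show, params: { account_username: account.username, page: page }
        end

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it 'returns empty orderedItems' do
          json = body_as_json
          expect(json[:orderedItems]).to be_an Array
          expect(json[:orderedItems].size).to eq 0
        end

        it 'returns private Cache-Control header' do
          expect(response.headers['Cache-Control']).to eq 'max-age=60, private'
        end
      end
    end
  end
end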