1
0

statuses_controller_spec.rb 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe StatusesController do
  4. render_views
  5. describe 'GET #show' do
  6. let(:account) { Fabricate(:account) }
  7. let(:status) { Fabricate(:status, account: account) }
  8. context 'when account is permanently suspended' do
  9. before do
  10. account.suspend!
  11. account.deletion_request.destroy
  12. get :show, params: { account_username: account.username, id: status.id }
  13. end
  14. it 'returns http gone' do
  15. expect(response).to have_http_status(410)
  16. end
  17. end
  18. context 'when account is temporarily suspended' do
  19. before do
  20. account.suspend!
  21. get :show, params: { account_username: account.username, id: status.id }
  22. end
  23. it 'returns http forbidden' do
  24. expect(response).to have_http_status(403)
  25. end
  26. end
  27. context 'when status is a reblog' do
  28. let(:original_account) { Fabricate(:account, domain: 'example.com') }
  29. let(:original_status) { Fabricate(:status, account: original_account, url: 'https://example.com/123') }
  30. let(:status) { Fabricate(:status, account: account, reblog: original_status) }
  31. before do
  32. get :show, params: { account_username: status.account.username, id: status.id }
  33. end
  34. it 'redirects to the original status' do
  35. expect(response).to redirect_to(original_status.url)
  36. end
  37. end
  38. context 'when status is public' do
  39. before do
  40. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  41. end
  42. context 'with HTML' do
  43. let(:format) { 'html' }
  44. it 'renders status successfully', :aggregate_failures do
  45. expect(response)
  46. .to have_http_status(200)
  47. .and render_template(:show)
  48. expect(response.headers).to include(
  49. 'Vary' => 'Accept, Accept-Language, Cookie',
  50. 'Cache-Control' => include('public'),
  51. 'Link' => include('activity+json')
  52. )
  53. expect(response.body).to include status.text
  54. end
  55. end
  56. context 'with JSON' do
  57. let(:format) { 'json' }
  58. it 'renders ActivityPub Note object successfully', :aggregate_failures do
  59. expect(response)
  60. .to have_http_status(200)
  61. .and have_cacheable_headers.with_vary('Accept, Accept-Language, Cookie')
  62. expect(response.headers).to include(
  63. 'Content-Type' => include('application/activity+json'),
  64. 'Link' => include('activity+json')
  65. )
  66. expect(response.parsed_body)
  67. .to include(content: include(status.text))
  68. end
  69. end
  70. end
  71. context 'when status is private' do
  72. let(:status) { Fabricate(:status, account: account, visibility: :private) }
  73. before do
  74. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  75. end
  76. context 'with JSON' do
  77. let(:format) { 'json' }
  78. it 'returns http not found' do
  79. expect(response).to have_http_status(404)
  80. end
  81. end
  82. context 'with HTML' do
  83. let(:format) { 'html' }
  84. it 'returns http not found' do
  85. expect(response).to have_http_status(404)
  86. end
  87. end
  88. end
  89. context 'when status is direct' do
  90. let(:status) { Fabricate(:status, account: account, visibility: :direct) }
  91. before do
  92. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  93. end
  94. context 'with JSON' do
  95. let(:format) { 'json' }
  96. it 'returns http not found' do
  97. expect(response).to have_http_status(404)
  98. end
  99. end
  100. context 'with HTML' do
  101. let(:format) { 'html' }
  102. it 'returns http not found' do
  103. expect(response).to have_http_status(404)
  104. end
  105. end
  106. end
  107. context 'when signed-in' do
  108. let(:user) { Fabricate(:user) }
  109. before do
  110. sign_in(user)
  111. end
  112. context 'when account blocks user' do
  113. before do
  114. account.block!(user.account)
  115. get :show, params: { account_username: status.account.username, id: status.id }
  116. end
  117. it 'returns http not found' do
  118. expect(response).to have_http_status(404)
  119. end
  120. end
  121. context 'when status is public' do
  122. before do
  123. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  124. end
  125. context 'with HTML' do
  126. let(:format) { 'html' }
  127. it 'renders status successfully', :aggregate_failures do
  128. expect(response)
  129. .to have_http_status(200)
  130. .and render_template(:show)
  131. expect(response.headers).to include(
  132. 'Vary' => 'Accept, Accept-Language, Cookie',
  133. 'Cache-Control' => include('private'),
  134. 'Link' => include('activity+json')
  135. )
  136. expect(response.body).to include status.text
  137. end
  138. end
  139. context 'with JSON' do
  140. let(:format) { 'json' }
  141. it 'renders ActivityPub Note object successfully', :aggregate_failures do
  142. expect(response)
  143. .to have_http_status(200)
  144. expect(response.headers).to include(
  145. 'Vary' => 'Accept, Accept-Language, Cookie',
  146. 'Cache-Control' => include('private'),
  147. 'Content-Type' => include('application/activity+json'),
  148. 'Link' => include('activity+json')
  149. )
  150. expect(response.parsed_body)
  151. .to include(content: include(status.text))
  152. end
  153. end
  154. end
  155. context 'when status is private' do
  156. let(:status) { Fabricate(:status, account: account, visibility: :private) }
  157. context 'when user is authorized to see it' do
  158. before do
  159. user.account.follow!(account)
  160. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  161. end
  162. context 'with HTML' do
  163. let(:format) { 'html' }
  164. it 'renders status successfully', :aggregate_failures do
  165. expect(response)
  166. .to have_http_status(200)
  167. .and render_template(:show)
  168. expect(response.headers).to include(
  169. 'Vary' => 'Accept, Accept-Language, Cookie',
  170. 'Cache-Control' => include('private'),
  171. 'Link' => include('activity+json')
  172. )
  173. expect(response.body).to include status.text
  174. end
  175. end
  176. context 'with JSON' do
  177. let(:format) { 'json' }
  178. it 'renders ActivityPub Note object successfully', :aggregate_failures do
  179. expect(response)
  180. .to have_http_status(200)
  181. expect(response.headers).to include(
  182. 'Vary' => 'Accept, Accept-Language, Cookie',
  183. 'Cache-Control' => include('private'),
  184. 'Content-Type' => include('application/activity+json'),
  185. 'Link' => include('activity+json')
  186. )
  187. expect(response.parsed_body)
  188. .to include(content: include(status.text))
  189. end
  190. end
  191. end
  192. context 'when user is not authorized to see it' do
  193. before do
  194. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  195. end
  196. context 'with JSON' do
  197. let(:format) { 'json' }
  198. it 'returns http not found' do
  199. expect(response).to have_http_status(404)
  200. end
  201. end
  202. context 'with HTML' do
  203. let(:format) { 'html' }
  204. it 'returns http not found' do
  205. expect(response).to have_http_status(404)
  206. end
  207. end
  208. end
  209. end
  210. context 'when status is direct' do
  211. let(:status) { Fabricate(:status, account: account, visibility: :direct) }
  212. context 'when user is authorized to see it' do
  213. before do
  214. Fabricate(:mention, account: user.account, status: status)
  215. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  216. end
  217. context 'with HTML' do
  218. let(:format) { 'html' }
  219. it 'renders status successfully', :aggregate_failures do
  220. expect(response)
  221. .to have_http_status(200)
  222. .and render_template(:show)
  223. expect(response.headers).to include(
  224. 'Vary' => 'Accept, Accept-Language, Cookie',
  225. 'Cache-Control' => include('private'),
  226. 'Link' => include('activity+json')
  227. )
  228. expect(response.body).to include status.text
  229. end
  230. end
  231. context 'with JSON' do
  232. let(:format) { 'json' }
  233. it 'renders ActivityPub Note object successfully' do
  234. expect(response)
  235. .to have_http_status(200)
  236. expect(response.headers).to include(
  237. 'Vary' => 'Accept, Accept-Language, Cookie',
  238. 'Cache-Control' => include('private'),
  239. 'Content-Type' => include('application/activity+json'),
  240. 'Link' => include('activity+json')
  241. )
  242. expect(response.parsed_body)
  243. .to include(content: include(status.text))
  244. end
  245. end
  246. end
  247. context 'when user is not authorized to see it' do
  248. before do
  249. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  250. end
  251. context 'with JSON' do
  252. let(:format) { 'json' }
  253. it 'returns http not found' do
  254. expect(response).to have_http_status(404)
  255. end
  256. end
  257. context 'with HTML' do
  258. let(:format) { 'html' }
  259. it 'returns http not found' do
  260. expect(response).to have_http_status(404)
  261. end
  262. end
  263. end
  264. end
  265. end
  266. context 'with signature' do
  267. let(:remote_account) { Fabricate(:account, domain: 'example.com') }
  268. before do
  269. allow(controller).to receive(:signed_request_actor).and_return(remote_account)
  270. end
  271. context 'when account blocks account' do
  272. before do
  273. account.block!(remote_account)
  274. get :show, params: { account_username: status.account.username, id: status.id }
  275. end
  276. it 'returns http not found' do
  277. expect(response).to have_http_status(404)
  278. end
  279. end
  280. context 'when account domain blocks account' do
  281. before do
  282. account.block_domain!(remote_account.domain)
  283. get :show, params: { account_username: status.account.username, id: status.id }
  284. end
  285. it 'returns http not found' do
  286. expect(response).to have_http_status(404)
  287. end
  288. end
  289. context 'when status is public' do
  290. before do
  291. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  292. end
  293. context 'with HTML' do
  294. let(:format) { 'html' }
  295. it 'renders status successfully', :aggregate_failures do
  296. expect(response)
  297. .to have_http_status(200)
  298. .and render_template(:show)
  299. expect(response.headers).to include(
  300. 'Vary' => 'Accept, Accept-Language, Cookie',
  301. 'Cache-Control' => include('private'),
  302. 'Link' => include('activity+json')
  303. )
  304. expect(response.body).to include status.text
  305. end
  306. end
  307. context 'with JSON' do
  308. let(:format) { 'json' }
  309. it 'renders ActivityPub Note object successfully', :aggregate_failures do
  310. expect(response)
  311. .to have_http_status(200)
  312. .and have_cacheable_headers.with_vary('Accept, Accept-Language, Cookie')
  313. expect(response.headers).to include(
  314. 'Content-Type' => include('application/activity+json'),
  315. 'Link' => include('activity+json')
  316. )
  317. expect(response.parsed_body)
  318. .to include(content: include(status.text))
  319. end
  320. end
  321. end
  322. context 'when status is private' do
  323. let(:status) { Fabricate(:status, account: account, visibility: :private) }
  324. context 'when user is authorized to see it' do
  325. before do
  326. remote_account.follow!(account)
  327. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  328. end
  329. context 'with HTML' do
  330. let(:format) { 'html' }
  331. it 'renders status successfully', :aggregate_failures do
  332. expect(response)
  333. .to have_http_status(200)
  334. .and render_template(:show)
  335. expect(response.headers).to include(
  336. 'Vary' => 'Accept, Accept-Language, Cookie',
  337. 'Cache-Control' => include('private'),
  338. 'Link' => include('activity+json')
  339. )
  340. expect(response.body).to include status.text
  341. end
  342. end
  343. context 'with JSON' do
  344. let(:format) { 'json' }
  345. it 'renders ActivityPub Note object successfully' do
  346. expect(response)
  347. .to have_http_status(200)
  348. expect(response.headers).to include(
  349. 'Vary' => 'Accept, Accept-Language, Cookie',
  350. 'Cache-Control' => include('private'),
  351. 'Content-Type' => include('application/activity+json'),
  352. 'Link' => include('activity+json')
  353. )
  354. expect(response.parsed_body)
  355. .to include(content: include(status.text))
  356. end
  357. end
  358. end
  359. context 'when user is not authorized to see it' do
  360. before do
  361. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  362. end
  363. context 'with JSON' do
  364. let(:format) { 'json' }
  365. it 'returns http not found' do
  366. expect(response).to have_http_status(404)
  367. end
  368. end
  369. context 'with HTML' do
  370. let(:format) { 'html' }
  371. it 'returns http not found' do
  372. expect(response).to have_http_status(404)
  373. end
  374. end
  375. end
  376. end
  377. context 'when status is direct' do
  378. let(:status) { Fabricate(:status, account: account, visibility: :direct) }
  379. context 'when user is authorized to see it' do
  380. before do
  381. Fabricate(:mention, account: remote_account, status: status)
  382. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  383. end
  384. context 'with HTML' do
  385. let(:format) { 'html' }
  386. it 'renders status successfully', :aggregate_failures do
  387. expect(response)
  388. .to have_http_status(200)
  389. .and render_template(:show)
  390. expect(response.headers).to include(
  391. 'Vary' => 'Accept, Accept-Language, Cookie',
  392. 'Cache-Control' => include('private'),
  393. 'Link' => include('activity+json')
  394. )
  395. expect(response.body).to include status.text
  396. end
  397. end
  398. context 'with JSON' do
  399. let(:format) { 'json' }
  400. it 'renders ActivityPub Note object', :aggregate_failures do
  401. expect(response)
  402. .to have_http_status(200)
  403. expect(response.headers).to include(
  404. 'Vary' => 'Accept, Accept-Language, Cookie',
  405. 'Cache-Control' => include('private'),
  406. 'Content-Type' => include('application/activity+json'),
  407. 'Link' => include('activity+json')
  408. )
  409. expect(response.parsed_body)
  410. .to include(content: include(status.text))
  411. end
  412. end
  413. end
  414. context 'when user is not authorized to see it' do
  415. before do
  416. get :show, params: { account_username: status.account.username, id: status.id, format: format }
  417. end
  418. context 'with JSON' do
  419. let(:format) { 'json' }
  420. it 'returns http not found' do
  421. expect(response).to have_http_status(404)
  422. end
  423. end
  424. context 'with HTML' do
  425. let(:format) { 'html' }
  426. it 'returns http not found' do
  427. expect(response).to have_http_status(404)
  428. end
  429. end
  430. end
  431. end
  432. end
  433. end
  434. describe 'GET #activity' do
  435. let(:account) { Fabricate(:account) }
  436. let(:status) { Fabricate(:status, account: account) }
  437. context 'when account is permanently suspended' do
  438. before do
  439. account.suspend!
  440. account.deletion_request.destroy
  441. get :activity, params: { account_username: account.username, id: status.id }
  442. end
  443. it 'returns http gone' do
  444. expect(response).to have_http_status(410)
  445. end
  446. end
  447. context 'when account is temporarily suspended' do
  448. before do
  449. account.suspend!
  450. get :activity, params: { account_username: account.username, id: status.id }
  451. end
  452. it 'returns http forbidden' do
  453. expect(response).to have_http_status(403)
  454. end
  455. end
  456. context 'when status is public' do
  457. before do
  458. status.update(visibility: :public)
  459. get :activity, params: { account_username: account.username, id: status.id }
  460. end
  461. it 'returns http success' do
  462. expect(response).to have_http_status(:success)
  463. end
  464. end
  465. context 'when status is private' do
  466. before do
  467. status.update(visibility: :private)
  468. get :activity, params: { account_username: account.username, id: status.id }
  469. end
  470. it 'returns http not_found' do
  471. expect(response).to have_http_status(404)
  472. end
  473. end
  474. context 'when status is direct' do
  475. before do
  476. status.update(visibility: :direct)
  477. get :activity, params: { account_username: account.username, id: status.id }
  478. end
  479. it 'returns http not_found' do
  480. expect(response).to have_http_status(404)
  481. end
  482. end
  483. context 'when signed-in' do
  484. let(:user) { Fabricate(:user) }
  485. before do
  486. sign_in(user)
  487. end
  488. context 'when status is public' do
  489. before do
  490. status.update(visibility: :public)
  491. get :activity, params: { account_username: account.username, id: status.id }
  492. end
  493. it 'returns http success' do
  494. expect(response).to have_http_status(:success)
  495. end
  496. end
  497. context 'when status is private' do
  498. before do
  499. status.update(visibility: :private)
  500. end
  501. context 'when user is authorized to see it' do
  502. before do
  503. user.account.follow!(account)
  504. get :activity, params: { account_username: account.username, id: status.id }
  505. end
  506. it 'returns http success' do
  507. expect(response).to have_http_status(200)
  508. end
  509. end
  510. context 'when user is not authorized to see it' do
  511. before do
  512. get :activity, params: { account_username: account.username, id: status.id }
  513. end
  514. it 'returns http not_found' do
  515. expect(response).to have_http_status(404)
  516. end
  517. end
  518. end
  519. context 'when status is direct' do
  520. before do
  521. status.update(visibility: :direct)
  522. end
  523. context 'when user is authorized to see it' do
  524. before do
  525. Fabricate(:mention, account: user.account, status: status)
  526. get :activity, params: { account_username: account.username, id: status.id }
  527. end
  528. it 'returns http success' do
  529. expect(response).to have_http_status(200)
  530. end
  531. end
  532. context 'when user is not authorized to see it' do
  533. before do
  534. get :activity, params: { account_username: account.username, id: status.id }
  535. end
  536. it 'returns http not_found' do
  537. expect(response).to have_http_status(404)
  538. end
  539. end
  540. end
  541. end
  542. context 'with signature' do
  543. let(:remote_account) { Fabricate(:account, domain: 'example.com') }
  544. before do
  545. allow(controller).to receive(:signed_request_actor).and_return(remote_account)
  546. end
  547. context 'when status is public' do
  548. before do
  549. status.update(visibility: :public)
  550. get :activity, params: { account_username: account.username, id: status.id }
  551. end
  552. it 'returns http success' do
  553. expect(response).to have_http_status(:success)
  554. end
  555. end
  556. context 'when status is private' do
  557. before do
  558. status.update(visibility: :private)
  559. end
  560. context 'when user is authorized to see it' do
  561. before do
  562. remote_account.follow!(account)
  563. get :activity, params: { account_username: account.username, id: status.id }
  564. end
  565. it 'returns http success' do
  566. expect(response).to have_http_status(200)
  567. end
  568. end
  569. context 'when user is not authorized to see it' do
  570. before do
  571. get :activity, params: { account_username: account.username, id: status.id }
  572. end
  573. it 'returns http not_found' do
  574. expect(response).to have_http_status(404)
  575. end
  576. end
  577. end
  578. context 'when status is direct' do
  579. before do
  580. status.update(visibility: :direct)
  581. end
  582. context 'when user is authorized to see it' do
  583. before do
  584. Fabricate(:mention, account: remote_account, status: status)
  585. get :activity, params: { account_username: account.username, id: status.id }
  586. end
  587. it 'returns http success' do
  588. expect(response).to have_http_status(200)
  589. end
  590. end
  591. context 'when user is not authorized to see it' do
  592. before do
  593. get :activity, params: { account_username: account.username, id: status.id }
  594. end
  595. it 'returns http not_found' do
  596. expect(response).to have_http_status(404)
  597. end
  598. end
  599. end
  600. end
  601. end
  602. end