diff --git a/spec/controllers/auth/registrations_controller_spec.rb b/spec/controllers/auth/registrations_controller_spec.rb index 0b7f02f59..75ab28765 100644 --- a/spec/controllers/auth/registrations_controller_spec.rb +++ b/spec/controllers/auth/registrations_controller_spec.rb @@ -44,27 +44,93 @@ RSpec.describe Auth::RegistrationsController do end end - describe 'GET #update' do - let(:user) { Fabricate(:user) } + describe 'PUT #update' do + let(:current_password) { 'current password' } + let(:user) { Fabricate(:user, password: current_password) } before do request.env['devise.mapping'] = Devise.mappings[:user] sign_in(user, scope: :user) - post :update end it 'returns http success' do + put :update expect(response).to have_http_status(200) end it 'returns private cache control headers' do + put :update expect(response.headers['Cache-Control']).to include('private, no-store') end + it 'can update the user email' do + expect do + put :update, params: { + user: { + email: 'newemail@example.com', + current_password: current_password, + }, + } + expect(response).to redirect_to(edit_user_registration_path) + end.to change { user.reload.unconfirmed_email }.to('newemail@example.com') + end + + it 'requires the current password to update the email' do + expect do + put :update, params: { + user: { + email: 'newemail@example.com', + current_password: 'something', + }, + } + expect(response).to have_http_status(200) + end.to_not(change { user.reload.unconfirmed_email }) + end + + it 'can update the user password' do + expect do + put :update, params: { + user: { + password: 'new password', + password_confirmation: 'new password', + current_password: current_password, + }, + } + expect(response).to redirect_to(edit_user_registration_path) + end.to(change { user.reload.encrypted_password }) + end + + it 'requires the password confirmation' do + expect do + put :update, params: { + user: { + password: 'new password', + password_confirmation: 'something else', + current_password: current_password, + }, + } + expect(response).to have_http_status(200) + end.to_not(change { user.reload.encrypted_password }) + end + + it 'requires the current password to update the password' do + expect do + put :update, params: { + user: { + password: 'new password', + password_confirmation: 'new password', + current_password: 'something', + }, + } + expect(response).to have_http_status(200) + end.to_not(change { user.reload.encrypted_password }) + end + context 'when suspended' do let(:user) { Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }) } it 'returns http forbidden' do + put :update expect(response).to have_http_status(403) end end