spec/controllers/activitypub/collections_controller_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe ActivityPub::CollectionsController, type: :controller do
  let!(:account) { Fabricate(:account) }
  let(:remote_account) { nil }

  shared_examples 'cachable response' do
    it 'does not set cookies' do
      expect(response.cookies).to be_empty
      expect(response.headers['Set-Cookies']).to be nil
    end

    it 'does not set sessions' do
      response
      expect(session).to be_empty
    end

    it 'returns public Cache-Control header' do
      expect(response.headers['Cache-Control']).to include 'public'
    end
  end

  before do
    allow(controller).to receive(:signed_request_account).and_return(remote_account)

    Fabricate(:status_pin, account: account)
    Fabricate(:status_pin, account: account)
    Fabricate(:status, account: account, visibility: :private)
  end

  describe 'GET #show' do
    context 'when id is "featured"' do
      context 'without signature' do
        let(:remote_account) { nil }

        subject(:response) { get :show, params: { id: 'featured', account_username: account.username } }
        subject(:body) { body_as_json }

        it 'returns http success' do
          expect(response).to have_http_status(200)
        end

        it 'returns application/activity+json' do
          expect(response.media_type).to eq 'application/activity+json'
        end

        it_behaves_like 'cachable response'

        it 'returns orderedItems with pinned statuses' do
          expect(body[:orderedItems]).to be_an Array
          expect(body[:orderedItems].size).to eq 2
        end

        context 'when account is permanently suspended' do
          before do
            account.suspend!
            account.deletion_request.destroy
          end

          it 'returns http gone' do
            expect(response).to have_http_status(410)
          end
        end

        context 'when account is temporarily suspended' do
          before do
            account.suspend!
          end

          it 'returns http forbidden' do
            expect(response).to have_http_status(403)
          end
        end
      end

      context 'with signature' do
        let(:remote_account) { Fabricate(:account, domain: 'example.com') }

        context do
          before do
            get :show, params: { id: 'featured', account_username: account.username }
          end

          it 'returns http success' do
            expect(response).to have_http_status(200)
          end

          it 'returns application/activity+json' do
            expect(response.media_type).to eq 'application/activity+json'
          end

          it_behaves_like 'cachable response'

          it 'returns orderedItems with pinned statuses' do
            json = body_as_json
            expect(json[:orderedItems]).to be_an Array
            expect(json[:orderedItems].size).to eq 2
          end
        end

        context 'in authorized fetch mode' do
          before do
            allow(controller).to receive(:authorized_fetch_mode?).and_return(true)
          end

          context 'when signed request account is blocked' do
            before do
              account.block!(remote_account)
              get :show, params: { id: 'featured', account_username: account.username }
            end

            it 'returns http success' do
              expect(response).to have_http_status(200)
            end

            it 'returns application/activity+json' do
              expect(response.media_type).to eq 'application/activity+json'
            end

            it 'returns private Cache-Control header' do
              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'returns empty orderedItems' do
              json = body_as_json
              expect(json[:orderedItems]).to be_an Array
              expect(json[:orderedItems].size).to eq 0
            end
          end

          context 'when signed request account is domain blocked' do
            before do
              account.block_domain!(remote_account.domain)
              get :show, params: { id: 'featured', account_username: account.username }
            end

            it 'returns http success' do
              expect(response).to have_http_status(200)
            end

            it 'returns application/activity+json' do
              expect(response.media_type).to eq 'application/activity+json'
            end

            it 'returns private Cache-Control header' do
              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'returns empty orderedItems' do
              json = body_as_json
              expect(json[:orderedItems]).to be_an Array
              expect(json[:orderedItems].size).to eq 0
            end
          end
        end
      end
    end

    context 'when id is not "featured"' do
      it 'returns http not found' do
        get :show, params: { id: 'hoge', account_username: account.username }
        expect(response).to have_http_status(404)
      end
    end
  end
end