add force_validations parameter to the user create api

refs CAT-861 Test Plan 1. With an admin user, submit a POST request to the canvas api to create a new user with the [:force_validations] parameter set to true and with invalid data set for the [:user][:name] and [:pseudonym][:unique_id] and [:user][:terms_of_use] parameters 2. Ensure that the json payload returned contains errors as expected for the invalid parameters 3. Submit the request again without the [:force_validations] parameter and with the same invalid data, and ensure that errors are not returned for [:name], [:terms_of_use] or [:unique_id] Change-Id: I07d8ce719ecbb43af93c50fafa1b1b12f74c535f Reviewed-on: https://gerrit.instructure.com/48426 Tested-by: Jenkins Reviewed-by: Dave Donahue <ddonahue@instructure.com> Product-Review: Adam Phillipps <adam@instructure.com> QA-Review: Adam Phillipps <adam@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com>
2015-02-05 22:27:38 -06:00 · 2015-02-05 22:27:38 -06:00 · 3308ba8cbe
parent 925f936907
commit 3308ba8cbe
2 changed files with 64 additions and 2 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1080,6 +1080,15 @@ class UsersController < ApplicationController
  #   Otherwise, the user must respond to a confirmation message to confirm the
  #   channel.
  #
+  # @argument force_validations [Boolean]
+  #   If true, validations are performed on the newly created user (and their associated pseudonym)
+  #   even if the request is made by a privileged user like an admin. When set to false,
+  #   or not included in the request parameters, any newly created users are subject to
+  #   validations unless the request is made by a user with a 'manage_user_logins' right.
+  #   In which case, certain validations such as 'require_acceptance_of_terms' and
+  #   'require_presence_of_name' are not enforced. Use this parameter to return helpful json
+  #   errors while building users with an admin request.
+  #
  # @returns User
  def create
    run_login_hooks
@ -1088,9 +1097,10 @@ class UsersController < ApplicationController
    # Setting it to nil will cause us to try and create a new one, and give user the login already exists error
    @pseudonym = nil if @pseudonym && !['creation_pending', 'pending_approval'].include?(@pseudonym.user.workflow_state)

+    force_validations = value_to_boolean(params[:force_validations])
    manage_user_logins = @context.grants_right?(@current_user, session, :manage_user_logins)
    self_enrollment = params[:self_enrollment].present?
-    allow_non_email_pseudonyms = manage_user_logins || self_enrollment && params[:pseudonym_type] == 'username'
+    allow_non_email_pseudonyms = !force_validations && manage_user_logins || self_enrollment && params[:pseudonym_type] == 'username'
    require_password = self_enrollment && allow_non_email_pseudonyms
    allow_password = require_password || manage_user_logins

@ -1151,7 +1161,7 @@ class UsersController < ApplicationController
        'pre_registered'
      end
    end
-    if !manage_user_logins # i.e. a new user signing up
+    if force_validations || !manage_user_logins
      @user.require_acceptance_of_terms = @domain_root_account.terms_required?
      @user.require_presence_of_name = true
      @user.require_self_enrollment_code = self_enrollment
--- a/spec/apis/v1/users_api_spec.rb
+++ b/spec/apis/v1/users_api_spec.rb
@ -458,6 +458,58 @@ describe "Users API", type: :request do
        Account.site_admin.account_users.create!(user: @site_admin)
      end

+      context 'using force_validations param' do
+        it "validates with force_validations set to true" do
+          raw_api_call(:post, "/api/v1/accounts/#{@site_admin.account.id}/users",
+            { :controller => 'users', :action => 'create', :format => 'json', :account_id => @site_admin.account.id.to_s },
+            {
+              :user => {
+                :name => ""
+              },
+              :pseudonym => {
+                :unique_id  => "bademail@",
+              },
+              :force_validations => true
+            }
+          )
+
+          assert_status(400)
+          errors = JSON.parse(response.body)['errors']
+          expect(errors['user']['name']).to be_present
+          expect(errors['user']['terms_of_use']).to be_present
+          expect(errors['pseudonym']).to be_present
+          expect(errors['pseudonym']['unique_id']).to be_present
+        end
+
+        it "does not validate when force_validations is not set to true" do
+          # successful request even with oddball user params because we're making the request as an admin
+          json = api_call(:post, "/api/v1/accounts/#{@site_admin.account.id}/users",
+            { :controller => 'users', :action => 'create', :format => 'json', :account_id => @site_admin.account.id.to_s },
+            {
+              :user => {
+                :name => ""
+              },
+              :pseudonym => {
+                :unique_id  => "bademail@",
+              }
+            }
+          )
+
+          users = User.where(name: "").to_a
+          expect(users.length).to eql 1
+          user = users.first
+
+          expect(json).to eq({
+            "id"            => user.id,
+            "name"          => "",
+            "sortable_name" => "",
+            "short_name"    => "",
+            "login_id"      => "bademail@",
+            "locale"        => nil
+          })
+        end
+      end
+
      it "should allow site admins to create users" do
        json = api_call(:post, "/api/v1/accounts/#{@site_admin.account.id}/users",
          { :controller => 'users', :action => 'create', :format => 'json', :account_id => @site_admin.account.id.to_s },