Merge branch 'api' of gitlab.com:participa/noosfero into serpro_api

Leandro Santos
2 parents 5fc16fc4 648ba45f
Showing 8 changed files with 226 additions and 9 deletions Show diff stats
lib/noosfero/api/api.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/session.rb
lib/noosfero/api/v1/articles.rb
test/unit/api/articles_test.rb
test/unit/api/helpers_test.rb
test/unit/api/session_test.rb
@@ -29,6 +29,7 @@ module Noosfero
       before { setup_multitenancy }
       before { detect_stuff_by_domain }
       before { filter_disabled_plugins_endpoints }
+      before { init_noosfero_plugins }
       after { set_session_cookie }
       version 'v1'
@@ -113,6 +113,7 @@ module Noosfero
         expose :id
         expose :login
         expose :person, :using => Profile
+        expose :activated?, as: :activated
         expose :permissions do |user, options|
           output = {}
           user.person.role_assignments.map do |role_assigment|
@@ -6,11 +6,18 @@
       DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
       include SanitizeParams
+      include Noosfero::Plugin::HotSpot
+      include ForgotPasswordHelper
       def set_locale
         I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
       end
-      
+
+      # FIXME this filter just loads @plugins
+      def init_noosfero_plugins
+        plugins
+      end
+
       def current_user
         private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
         @current_user ||= User.find_by_private_token(private_token)
@@ -57,7 +64,7 @@
       def find_article(articles, id)
         article = articles.find(id)
-        article.display_to?(current_user.person) ? article : forbidden!
+        article.display_to?(current_person) ? article : forbidden!
       end
       def post_article(asset, params)
@@ -350,6 +357,7 @@
         begin
           body = https.request(request).body
         rescue Exception => e
+          logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
           logger.error e
           return _("Google recaptcha error: #{e.message}")
         end
@@ -375,6 +383,7 @@
         begin
           body = https.request(request).body
         rescue Exception => e
+          logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
           logger.error e
           return _("Google recaptcha error: #{e.message}")
         end
@@ -393,6 +402,7 @@
         begin
           body = http.request(request).body
         rescue Exception => e
+          logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
           logger.error e
           return _("Serpro captcha error: #{e.message}")
         end
@@ -41,21 +41,96 @@ module Noosfero
         attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
         remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
-        unless test_captcha(remote_ip, params, environment) == true
-          render_api_error!(_('Please solve the test in order to register.'), 401)
+        result = test_captcha(remote_ip, params, environment)
+        unless result == true
+          render_api_error!(result, 401)
           return
         end
         user = User.new(attrs)
-        if  user.save
-          user.activate
-          user.generate_private_token!
+        if user.save
+          user.generate_private_token! if user.activated?
           present user, :with => Entities::UserLogin
         else
           message = user.errors.to_json
           render_api_error!(message, 400)
         end
       end
+
+      params do
+        requires :activation_code, type: String, desc: _("Activation token")
+      end
+
+      # Activate a user.
+      #
+      # Parameter:
+      #   activation_code (required)                  - Activation token
+      # Example Request:
+      #   PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
+      patch "/activate" do
+        user = User.find_by_activation_code(params[:activation_code])
+        if user
+          unless user.environment.enabled?('admin_must_approve_new_users')
+            if user.activate
+                user.generate_private_token!
+                present user, :with => Entities::UserLogin
+            end
+          else
+            if user.create_moderate_task
+              user.activation_code = nil
+              user.save!
+
+              # Waiting for admin moderate user registration
+              status 202
+              body({
+                :message => 'Waiting for admin moderate user registration'
+              })
+            end
+          end
+        else
+          # Token not found in database
+          render_api_error!(_('Token is invalid'), 412)
+        end
+      end
+
+      # Request a new password.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /forgot_password?value=some@mail.com
+      post "/forgot_password" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+
+        requestors.each do |requestor|
+          ChangePassword.create!(:requestor => requestor)
+        end
+      end
+
+      params do
+        requires :code, type: String, desc: _("Forgot password code")
+      end
+      # Change password
+      #
+      # Parameters:
+      #   code (required)                  - Change password code
+      #   password (required)
+      #   password_confirmation (required)
+      # Example Request:
+      #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+      patch "/new_password" do
+        change_password = ChangePassword.find_by_code(params[:code])
+        not_found! if change_password.nil?
+
+        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+          change_password.finish
+          present change_password.requestor.user, :with => Entities::UserLogin
+        else
+          something_wrong!
+        end
+      end
+
     end
   end
 end
@@ -96,7 +96,7 @@ module Noosfero
             #TODO make tests for this situation
             votes_order = params.delete(:order) if params[:order]=='votes_score'
             articles = select_filtered_collection_of(article, 'children', params)
-            articles = articles.display_filter(current_person, nil)
+            articles = articles.display_filter(current_person, article.profile)
             #TODO make tests for this situation
@@ -48,6 +48,15 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] }
   end
+  should 'list public article children for not logged in access' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    child1 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    child2 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}/children"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] }
+  end
+
   should 'not list children of forbidden article' do
     person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
@@ -236,7 +236,7 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   end
-  should 'captcha serpro say Name or service not known' do
+  should 'captcha serpro say name or service not known' do
     environment = Environment.new
     environment.api_captcha_settings = {
         enabled: true,
@@ -21,9 +21,22 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
   should 'register a user' do
+    Environment.default.enable('skip_new_user_email_confirmation')
     params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
     post "/api/v1/register?#{params.to_query}"
     assert_equal 201, last_response.status
+    json = JSON.parse(last_response.body)
+    assert json['activated']
+    assert json['private_token'].present?
+  end
+
+  should 'register an inactive user' do
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 201, last_response.status
+    json = JSON.parse(last_response.body)
+    assert !json['activated']
+    assert json['private_token'].blank?
   end
   should 'do not register a user without email' do
@@ -39,4 +52,112 @@ class SessionTest &lt; ActiveSupport::TestCase
     assert_equal 400, last_response.status
   end
+  should 'detected error, Name or service not known, for Serpro Captcha communication' do
+    environment = Environment.default
+    environment.api_captcha_settings = {
+        enabled: true,
+        provider: 'serpro',
+        serpro_client_id:  '0000000000000000',
+        verify_uri:  'http://someserverthatdoesnotexist.mycompanythatdoesnotexist.com/validate',
+    }
+    environment.save!
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com",
+              :txtToken_captcha_serpro_gov_br => '4324343', :captcha_text => '4030320'}
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal "Serpro captcha error: getaddrinfo: Name or service not known", JSON.parse(last_response.body)["message"]
+  end
+
+  # TODO: Add another test cases to check register situations
+  should 'activate a user' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com"
+    }
+    user = User.new(params)
+    user.save!
+
+    params = { activation_code: user.activation_code}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'do not activate a user if admin must approve him' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com",
+      :environment => Environment.default
+    }
+    user = User.new(params)
+    user.environment.enable('admin_must_approve_new_users')
+    user.save!
+
+    params = { activation_code: user.activation_code}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 202, last_response.status
+    assert_equal 'Waiting for admin moderate user registration', JSON.parse(last_response.body)["message"]
+  end
+
+  should 'do not activate a user if the token is invalid' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com",
+      :environment => Environment.default
+    }
+    user = User.new(params)
+    user.save!
+
+    params = { activation_code: '70250abe20cc6a67ef9399cf3286cb998b96aeaf'}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 412, last_response.status
+  end
+
+  should 'create task to change password by user login' do
+    user = create_user
+    params = {:value => user.login}
+    assert_difference 'ChangePassword.count' do
+      post "/api/v1/forgot_password?#{params.to_query}"
+    end
+  end
+
+  should 'not create task to change password when user is not found' do
+    params = {:value => 'wronglogin'}
+    assert_no_difference 'ChangePassword.count' do
+      post "/api/v1/forgot_password?#{params.to_query}"
+    end
+    assert_equal 404, last_response.status
+  end
+
+  should 'change user password and close task' do
+    user = create_user
+    task = ChangePassword.create!(:requestor => user.person)
+    params = {:code => task.code, :password => 'secret', :password_confirmation => 'secret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal Task::Status::FINISHED, task.reload.status
+    assert user.reload.authenticated?('secret')
+    json = JSON.parse(last_response.body)
+    assert_equal user.id, json['id']
+  end
+
+  should 'do not change user password when password confirmation is wrong' do
+    user = create_user
+    task = ChangePassword.create!(:requestor => user.person)
+    params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal Task::Status::ACTIVE, task.reload.status
+    assert !user.reload.authenticated?('secret')
+    assert_equal 400, last_response.status
+  end
+
+  should 'render not found when provide a wrong code on password change' do
+    params = {:code => "wrongcode", :password => 'secret', :password_confirmation => 'secret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal 404, last_response.status
+  end
+
 end
	@@ -29,6 +29,7 @@ module Noosfero		@@ -29,6 +29,7 @@ module Noosfero
29	before { setup_multitenancy }	29	before { setup_multitenancy }
30	before { detect_stuff_by_domain }	30	before { detect_stuff_by_domain }
31	before { filter_disabled_plugins_endpoints }	31	before { filter_disabled_plugins_endpoints }
		32	+ before { init_noosfero_plugins }
32	after { set_session_cookie }	33	after { set_session_cookie }
33		34
34	version 'v1'	35	version 'v1'
	@@ -41,21 +41,96 @@ module Noosfero		@@ -41,21 +41,96 @@ module Noosfero
41	attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields	41	attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
42	remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) \|\| (env && env['REMOTE_ADDR'])	42	remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) \|\| (env && env['REMOTE_ADDR'])
43		43
44	- unless test_captcha(remote_ip, params, environment) == true
45	- render_api_error!(_('Please solve the test in order to register.'), 401)	44	+ result = test_captcha(remote_ip, params, environment)
		45	+ unless result == true
		46	+ render_api_error!(result, 401)
46	return	47	return
47	end	48	end
48		49
49	user = User.new(attrs)	50	user = User.new(attrs)
50	- if user.save
51	- user.activate
52	- user.generate_private_token!	51	+ if user.save
		52	+ user.generate_private_token! if user.activated?
53	present user, :with => Entities::UserLogin	53	present user, :with => Entities::UserLogin
54	else	54	else
55	message = user.errors.to_json	55	message = user.errors.to_json
56	render_api_error!(message, 400)	56	render_api_error!(message, 400)
57	end	57	end
58	end	58	end
		59	+
		60	+ params do
		61	+ requires :activation_code, type: String, desc: _("Activation token")
		62	+ end
		63	+
		64	+ # Activate a user.
		65	+ #
		66	+ # Parameter:
		67	+ # activation_code (required) - Activation token
		68	+ # Example Request:
		69	+ # PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
		70	+ patch "/activate" do
		71	+ user = User.find_by_activation_code(params[:activation_code])
		72	+ if user
		73	+ unless user.environment.enabled?('admin_must_approve_new_users')
		74	+ if user.activate
		75	+ user.generate_private_token!
		76	+ present user, :with => Entities::UserLogin
		77	+ end
		78	+ else
		79	+ if user.create_moderate_task
		80	+ user.activation_code = nil
		81	+ user.save!
		82	+
		83	+ # Waiting for admin moderate user registration
		84	+ status 202
		85	+ body({
		86	+ :message => 'Waiting for admin moderate user registration'
		87	+ })
		88	+ end
		89	+ end
		90	+ else
		91	+ # Token not found in database
		92	+ render_api_error!(_('Token is invalid'), 412)
		93	+ end
		94	+ end
		95	+
		96	+ # Request a new password.
		97	+ #
		98	+ # Parameters:
		99	+ # value (required) - Email or login
		100	+ # Example Request:
		101	+ # POST /forgot_password?value=some@mail.com
		102	+ post "/forgot_password" do
		103	+ requestors = fetch_requestors(params[:value])
		104	+ not_found! if requestors.blank?
		105	+
		106	+ requestors.each do \|requestor\|
		107	+ ChangePassword.create!(:requestor => requestor)
		108	+ end
		109	+ end
		110	+
		111	+ params do
		112	+ requires :code, type: String, desc: _("Forgot password code")
		113	+ end
		114	+ # Change password
		115	+ #
		116	+ # Parameters:
		117	+ # code (required) - Change password code
		118	+ # password (required)
		119	+ # password_confirmation (required)
		120	+ # Example Request:
		121	+ # PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
		122	+ patch "/new_password" do
		123	+ change_password = ChangePassword.find_by_code(params[:code])
		124	+ not_found! if change_password.nil?
		125	+
		126	+ if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
		127	+ change_password.finish
		128	+ present change_password.requestor.user, :with => Entities::UserLogin
		129	+ else
		130	+ something_wrong!
		131	+ end
		132	+ end
		133	+
59	end	134	end
60	end	135	end
61	end	136	end
	@@ -96,7 +96,7 @@ module Noosfero		@@ -96,7 +96,7 @@ module Noosfero
96	#TODO make tests for this situation	96	#TODO make tests for this situation
97	votes_order = params.delete(:order) if params[:order]=='votes_score'	97	votes_order = params.delete(:order) if params[:order]=='votes_score'
98	articles = select_filtered_collection_of(article, 'children', params)	98	articles = select_filtered_collection_of(article, 'children', params)
99	- articles = articles.display_filter(current_person, nil)	99	+ articles = articles.display_filter(current_person, article.profile)
100		100
101		101
102	#TODO make tests for this situation	102	#TODO make tests for this situation
	@@ -48,6 +48,15 @@ class ArticlesTest < ActiveSupport::TestCase		@@ -48,6 +48,15 @@ class ArticlesTest < ActiveSupport::TestCase
48	assert_equivalent [child1.id, child2.id], json["articles"].map { \|a\| a["id"] }	48	assert_equivalent [child1.id, child2.id], json["articles"].map { \|a\| a["id"] }
49	end	49	end
50		50
		51	+ should 'list public article children for not logged in access' do
		52	+ article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
		53	+ child1 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
		54	+ child2 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
		55	+ get "/api/v1/articles/#{article.id}/children"
		56	+ json = JSON.parse(last_response.body)
		57	+ assert_equivalent [child1.id, child2.id], json["articles"].map { \|a\| a["id"] }
		58	+ end
		59	+
51	should 'not list children of forbidden article' do	60	should 'not list children of forbidden article' do
52	person = fast_create(Person, :environment_id => environment.id)	61	person = fast_create(Person, :environment_id => environment.id)
53	article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)	62	article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
	@@ -236,7 +236,7 @@ class APIHelpersTest < ActiveSupport::TestCase		@@ -236,7 +236,7 @@ class APIHelpersTest < ActiveSupport::TestCase
236		236
237	end	237	end
238		238
239	- should 'captcha serpro say Name or service not known' do	239	+ should 'captcha serpro say name or service not known' do
240	environment = Environment.new	240	environment = Environment.new
241	environment.api_captcha_settings = {	241	environment.api_captcha_settings = {
242	enabled: true,	242	enabled: true,
	@@ -21,9 +21,22 @@ class SessionTest < ActiveSupport::TestCase		@@ -21,9 +21,22 @@ class SessionTest < ActiveSupport::TestCase
21	end	21	end
22		22
23	should 'register a user' do	23	should 'register a user' do
		24	+ Environment.default.enable('skip_new_user_email_confirmation')
24	params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }	25	params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
25	post "/api/v1/register?#{params.to_query}"	26	post "/api/v1/register?#{params.to_query}"
26	assert_equal 201, last_response.status	27	assert_equal 201, last_response.status
		28	+ json = JSON.parse(last_response.body)
		29	+ assert json['activated']
		30	+ assert json['private_token'].present?
		31	+ end
		32	+
		33	+ should 'register an inactive user' do
		34	+ params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
		35	+ post "/api/v1/register?#{params.to_query}"
		36	+ assert_equal 201, last_response.status
		37	+ json = JSON.parse(last_response.body)
		38	+ assert !json['activated']
		39	+ assert json['private_token'].blank?
27	end	40	end
28		41
29	should 'do not register a user without email' do	42	should 'do not register a user without email' do
	@@ -39,4 +52,112 @@ class SessionTest < ActiveSupport::TestCase		@@ -39,4 +52,112 @@ class SessionTest < ActiveSupport::TestCase
39	assert_equal 400, last_response.status	52	assert_equal 400, last_response.status
40	end	53	end
41		54
		55	+ should 'detected error, Name or service not known, for Serpro Captcha communication' do
		56	+ environment = Environment.default
		57	+ environment.api_captcha_settings = {
		58	+ enabled: true,
		59	+ provider: 'serpro',
		60	+ serpro_client_id: '0000000000000000',
		61	+ verify_uri: 'http://someserverthatdoesnotexist.mycompanythatdoesnotexist.com/validate',
		62	+ }
		63	+ environment.save!
		64	+ params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com",
		65	+ :txtToken_captcha_serpro_gov_br => '4324343', :captcha_text => '4030320'}
		66	+ post "/api/v1/register?#{params.to_query}"
		67	+ assert_equal "Serpro captcha error: getaddrinfo: Name or service not known", JSON.parse(last_response.body)["message"]
		68	+ end
		69	+
		70	+ # TODO: Add another test cases to check register situations
		71	+ should 'activate a user' do
		72	+ params = {
		73	+ :login => "newuserapi",
		74	+ :password => "newuserapi",
		75	+ :password_confirmation => "newuserapi",
		76	+ :email => "newuserapi@email.com"
		77	+ }
		78	+ user = User.new(params)
		79	+ user.save!
		80	+
		81	+ params = { activation_code: user.activation_code}
		82	+ patch "/api/v1/activate?#{params.to_query}"
		83	+ assert_equal 200, last_response.status
		84	+ end
		85	+
		86	+ should 'do not activate a user if admin must approve him' do
		87	+ params = {
		88	+ :login => "newuserapi",
		89	+ :password => "newuserapi",
		90	+ :password_confirmation => "newuserapi",
		91	+ :email => "newuserapi@email.com",
		92	+ :environment => Environment.default
		93	+ }
		94	+ user = User.new(params)
		95	+ user.environment.enable('admin_must_approve_new_users')
		96	+ user.save!
		97	+
		98	+ params = { activation_code: user.activation_code}
		99	+ patch "/api/v1/activate?#{params.to_query}"
		100	+ assert_equal 202, last_response.status
		101	+ assert_equal 'Waiting for admin moderate user registration', JSON.parse(last_response.body)["message"]
		102	+ end
		103	+
		104	+ should 'do not activate a user if the token is invalid' do
		105	+ params = {
		106	+ :login => "newuserapi",
		107	+ :password => "newuserapi",
		108	+ :password_confirmation => "newuserapi",
		109	+ :email => "newuserapi@email.com",
		110	+ :environment => Environment.default
		111	+ }
		112	+ user = User.new(params)
		113	+ user.save!
		114	+
		115	+ params = { activation_code: '70250abe20cc6a67ef9399cf3286cb998b96aeaf'}
		116	+ patch "/api/v1/activate?#{params.to_query}"
		117	+ assert_equal 412, last_response.status
		118	+ end
		119	+
		120	+ should 'create task to change password by user login' do
		121	+ user = create_user
		122	+ params = {:value => user.login}
		123	+ assert_difference 'ChangePassword.count' do
		124	+ post "/api/v1/forgot_password?#{params.to_query}"
		125	+ end
		126	+ end
		127	+
		128	+ should 'not create task to change password when user is not found' do
		129	+ params = {:value => 'wronglogin'}
		130	+ assert_no_difference 'ChangePassword.count' do
		131	+ post "/api/v1/forgot_password?#{params.to_query}"
		132	+ end
		133	+ assert_equal 404, last_response.status
		134	+ end
		135	+
		136	+ should 'change user password and close task' do
		137	+ user = create_user
		138	+ task = ChangePassword.create!(:requestor => user.person)
		139	+ params = {:code => task.code, :password => 'secret', :password_confirmation => 'secret'}
		140	+ patch "/api/v1/new_password?#{params.to_query}"
		141	+ assert_equal Task::Status::FINISHED, task.reload.status
		142	+ assert user.reload.authenticated?('secret')
		143	+ json = JSON.parse(last_response.body)
		144	+ assert_equal user.id, json['id']
		145	+ end
		146	+
		147	+ should 'do not change user password when password confirmation is wrong' do
		148	+ user = create_user
		149	+ task = ChangePassword.create!(:requestor => user.person)
		150	+ params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
		151	+ patch "/api/v1/new_password?#{params.to_query}"
		152	+ assert_equal Task::Status::ACTIVE, task.reload.status
		153	+ assert !user.reload.authenticated?('secret')
		154	+ assert_equal 400, last_response.status
		155	+ end
		156	+
		157	+ should 'render not found when provide a wrong code on password change' do
		158	+ params = {:code => "wrongcode", :password => 'secret', :password_confirmation => 'secret'}
		159	+ patch "/api/v1/new_password?#{params.to_query}"
		160	+ assert_equal 404, last_response.status
		161	+ end
		162	+
42	end	163	end