ghost/test/unit/server/web/admin/controller.test.js

require('should');
const sinon = require('sinon');
const path = require('path');
const configUtils = require('../../../../utils/configUtils');
const controller = require('../../../../../core/server/web/admin/controller');

describe('Admin App', function () {
    describe('controller', function () {
        const req = {};
        let res;

        beforeEach(function () {
            res = {
                sendFile: sinon.spy()
            };

            configUtils.restore();
            configUtils.set('paths:adminViews', path.resolve('test/utils/fixtures/admin-views'));
        });

        afterEach(function () {
            sinon.restore();
        });

        it('adds x-frame-options header when adminFrameProtection is enabled (default)', function () {
            // default config: configUtils.set('adminFrameProtection', true);
            controller(req, res);

            res.sendFile.called.should.be.true();
            res.sendFile.calledWith(
                sinon.match.string,
                sinon.match.hasNested('headers.X-Frame-Options', sinon.match('sameorigin'))
            ).should.be.true();
        });

        it('doesn\'t add x-frame-options header when adminFrameProtection is disabled', function () {
            configUtils.set('adminFrameProtection', false);
            controller(req, res);

            res.sendFile.called.should.be.true();
            res.sendFile.calledWith(
                sinon.match.string,
                sinon.match.hasNested('headers.X-Frame-Options')
            ).should.be.false();
        });
    });
});
Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida 2019-05-28 09:04:48 +01:00			`require('should');`
			`const sinon = require('sinon');`
Fixed admin views path mocking override in tests - for some reason, this test seems to be failing now we've pulled it out of the general CI - it makes sense when the repo is clean, because the html files don't exist, but I don't understand how they were working before... 🤔 - anyway, we should be overriding the path to the test fixtures admin view files here - this fixes the unit tests 2022-02-16 19:04:57 +01:00			`const path = require('path');`
Moved server unit tests into the server folder - this is a small part of a bit of cleanup of our test files - the goal is to make the existing tests clearer with a view to making it easier to write more tests - this makes the test structure follow the codebase structure more closely - eventually we will colocate the tests as we break the codebase down further 2021-10-06 11:12:21 +01:00			`const configUtils = require('../../../../utils/configUtils');`
			`const controller = require('../../../../../core/server/web/admin/controller');`
Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida 2019-05-28 09:04:48 +01:00
			`describe('Admin App', function () {`
Updated tests eslint config to use eslint-plugin-ghost@0.5.0 no issue - bump eslint-plugin-ghost to v0.5.0 - update core/test eslint config to use "ghost:test" in place of custom ruleset - apply automated eslint fixes 2019-08-19 12:41:09 +01:00			`describe('controller', function () {`
Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida 2019-05-28 09:04:48 +01:00			`const req = {};`
			`let res;`

			`beforeEach(function () {`
			`res = {`
			`sendFile: sinon.spy()`
			`};`

			`configUtils.restore();`
Fixed admin views path mocking override in tests - for some reason, this test seems to be failing now we've pulled it out of the general CI - it makes sense when the repo is clean, because the html files don't exist, but I don't understand how they were working before... 🤔 - anyway, we should be overriding the path to the test fixtures admin view files here - this fixes the unit tests 2022-02-16 19:04:57 +01:00			`configUtils.set('paths:adminViews', path.resolve('test/utils/fixtures/admin-views'));`
Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida 2019-05-28 09:04:48 +01:00			`});`

			`afterEach(function () {`
			`sinon.restore();`
			`});`

			`it('adds x-frame-options header when adminFrameProtection is enabled (default)', function () {`
			`// default config: configUtils.set('adminFrameProtection', true);`
			`controller(req, res);`

			`res.sendFile.called.should.be.true();`
			`res.sendFile.calledWith(`
			`sinon.match.string,`
			`sinon.match.hasNested('headers.X-Frame-Options', sinon.match('sameorigin'))`
			`).should.be.true();`
			`});`

			`it('doesn\'t add x-frame-options header when adminFrameProtection is disabled', function () {`
			`configUtils.set('adminFrameProtection', false);`
			`controller(req, res);`

			`res.sendFile.called.should.be.true();`
			`res.sendFile.calledWith(`
			`sinon.match.string,`
			`sinon.match.hasNested('headers.X-Frame-Options')`
			`).should.be.false();`
			`});`
Updated tests eslint config to use eslint-plugin-ghost@0.5.0 no issue - bump eslint-plugin-ghost to v0.5.0 - update core/test eslint config to use "ghost:test" in place of custom ruleset - apply automated eslint fixes 2019-08-19 12:41:09 +01:00			`});`
Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida 2019-05-28 09:04:48 +01:00			`});`