Pass user to ApiAbility

diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
index e774f6820df3f364c3d766f1c2bd25129f12a0dc..3bc82eab290b714670f41288ba47fccc03eda980 100644 (file)
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@@ -3,14 +3,12 @@
 class ApiAbility
   include CanCan::Ability
 
-  def initialize(token)
+  def initialize(user, token)
     can :read, [:version, :capability, :permission, :map]
 
     if Settings.status != "database_offline"
-      user = User.find(token.resource_owner_id) if token
-
       can [:read, :feed, :search], Note
-      can :create, Note unless token
+      can :create, Note unless user
 
       can [:read, :download], Changeset
       can :read, Tracepoint

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 5faa39165d089a249179b506ddaf9ee5dea6dedb..27f262d00341aa8cabfcf7e5d54e6c11f0541c95 100644 (file)
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -65,9 +65,10 @@ class ApiController < ApplicationController
   def current_ability
     # Use capabilities from the oauth token if it exists and is a valid access token
     if doorkeeper_token&.accessible?
-      ApiAbility.new(doorkeeper_token)
+      user = User.find(doorkeeper_token.resource_owner_id)
+      ApiAbility.new(user, doorkeeper_token)
     else
-      ApiAbility.new(nil)
+      ApiAbility.new(nil, nil)
     end
   end
 

diff --git a/test/abilities/api_abilities_test.rb b/test/abilities/api_abilities_test.rb
index 0c97dc6a0b58ad099b18b443e78c615059630ced..c32300c60997297aabc7e85240f2e95dba0bf811 100644 (file)
--- a/test/abilities/api_abilities_test.rb
+++ b/test/abilities/api_abilities_test.rb
@@ -7,7 +7,7 @@ end
 
 class GuestApiAbilityTest < ApiAbilityTest
   test "note permissions for a guest" do
-    ability = ApiAbility.new nil
+    ability = ApiAbility.new nil, nil
 
     [:index, :create, :feed, :show, :search].each do |action|
       assert ability.can?(action, Note), "should be able to #{action} Notes"
@@ -21,8 +21,9 @@ end
 
 class UserApiAbilityTest < ApiAbilityTest
   test "Note permissions" do
-    token = create(:oauth_access_token, :scopes => %w[write_notes])
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes])
+    ability = ApiAbility.new user, token
 
     [:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action|
       assert ability.can?(action, Note), "should be able to #{action} Notes"
@@ -36,8 +37,9 @@ end
 
 class ModeratorApiAbilityTest < ApiAbilityTest
   test "Note permissions" do
-    token = create(:oauth_access_token, :scopes => %w[write_notes], :user => create(:moderator_user))
-    ability = ApiAbility.new token
+    user = create(:moderator_user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes])
+    ability = ApiAbility.new user, token
 
     [:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action|
       assert ability.can?(action, Note), "should be able to #{action} Notes"

diff --git a/test/abilities/api_capability_test.rb b/test/abilities/api_capability_test.rb
index ca679dd717f338b5f7edb1e6f6fb4d57bbeeb1bf..12bbc49658075d27b8e1c5ff5e3fbb154260bea5 100644 (file)
--- a/test/abilities/api_capability_test.rb
+++ b/test/abilities/api_capability_test.rb
@@ -4,8 +4,9 @@ require "test_helper"
 
 class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
   test "as a normal user with permissionless token" do
-    token = create(:oauth_access_token)
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user)
+    ability = ApiAbility.new user, token
 
     [:create, :destroy, :restore].each do |action|
       assert ability.cannot? action, ChangesetComment
@@ -13,8 +14,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a normal user with write_api token" do
-    token = create(:oauth_access_token, :scopes => %w[write_api])
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_api])
+    ability = ApiAbility.new user, token
 
     [:destroy, :restore].each do |action|
       assert ability.cannot? action, ChangesetComment
@@ -26,8 +28,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a moderator with permissionless token" do
-    token = create(:oauth_access_token, :user => create(:moderator_user))
-    ability = ApiAbility.new token
+    user = create(:moderator_user)
+    token = create(:oauth_access_token, :user => user)
+    ability = ApiAbility.new user, token
 
     [:create, :destroy, :restore].each do |action|
       assert ability.cannot? action, ChangesetComment
@@ -35,8 +38,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a moderator with write_api token" do
-    token = create(:oauth_access_token, :user => create(:moderator_user), :scopes => %w[write_api])
-    ability = ApiAbility.new token
+    user = create(:moderator_user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_api])
+    ability = ApiAbility.new user, token
 
     [:create, :destroy, :restore].each do |action|
       assert ability.can? action, ChangesetComment
@@ -46,8 +50,9 @@ end
 
 class NoteApiCapabilityTest < ActiveSupport::TestCase
   test "as a normal user with permissionless token" do
-    token = create(:oauth_access_token)
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user)
+    ability = ApiAbility.new user, token
 
     [:create, :comment, :close, :reopen, :destroy].each do |action|
       assert ability.cannot? action, Note
@@ -55,8 +60,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a normal user with write_notes token" do
-    token = create(:oauth_access_token, :scopes => %w[write_notes])
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes])
+    ability = ApiAbility.new user, token
 
     [:destroy].each do |action|
       assert ability.cannot? action, Note
@@ -68,8 +74,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a moderator with permissionless token" do
-    token = create(:oauth_access_token, :user => create(:moderator_user))
-    ability = ApiAbility.new token
+    user = create(:moderator_user)
+    token = create(:oauth_access_token, :user => user)
+    ability = ApiAbility.new user, token
 
     [:destroy].each do |action|
       assert ability.cannot? action, Note
@@ -77,8 +84,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase
   end
 
   test "as a moderator with write_notes token" do
-    token = create(:oauth_access_token, :user => create(:moderator_user), :scopes => %w[write_notes])
-    ability = ApiAbility.new token
+    user = create(:moderator_user)
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes])
+    ability = ApiAbility.new user, token
 
     [:destroy].each do |action|
       assert ability.can? action, Note
@@ -89,15 +97,16 @@ end
 class UserApiCapabilityTest < ActiveSupport::TestCase
   test "user preferences" do
     # A user with empty tokens
-    token = create(:oauth_access_token)
-    ability = ApiAbility.new token
+    user = create(:user)
+    token = create(:oauth_access_token, :user => user)
+    ability = ApiAbility.new user, token
 
     [:index, :show, :update_all, :update, :destroy].each do |act|
       assert ability.cannot? act, UserPreference
     end
 
-    token = create(:oauth_access_token, :scopes => %w[read_prefs])
-    ability = ApiAbility.new token
+    token = create(:oauth_access_token, :user => user, :scopes => %w[read_prefs])
+    ability = ApiAbility.new user, token
 
     [:update_all, :update, :destroy].each do |act|
       assert ability.cannot? act, UserPreference
@@ -107,8 +116,8 @@ class UserApiCapabilityTest < ActiveSupport::TestCase
       assert ability.can? act, UserPreference
     end
 
-    token = create(:oauth_access_token, :scopes => %w[write_prefs])
-    ability = ApiAbility.new token
+    token = create(:oauth_access_token, :user => user, :scopes => %w[write_prefs])
+    ability = ApiAbility.new user, token
 
     [:index, :show].each do |act|
       assert ability.cannot? act, UserPreference