include CanCan::Ability
def initialize(user)
- can [:map, :changes, :permissions], :api
+ can [:map, :changes], :api
can [:relation, :relation_history, :way, :way_history, :node, :node_history,
:changeset, :note, :new_note, :query], :browse
can :show, :capability
:search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
can [:index, :create, :comment, :feed, :show, :search, :mine], Note
can [:token, :request_token, :access_token, :test_request], :oauth
+ can :show, :permission
can [:index, :show], Redaction
can [:search_all, :search_nodes, :search_ways, :search_relations], :search
can [:trackpoints], :swf
--- /dev/null
+module Api
+ class PermissionsController < ApplicationController
+ skip_before_action :verify_authenticity_token
+ before_action :api_deny_access_handler
+
+ authorize_resource :class => false
+
+ before_action :check_api_readable
+ before_action :setup_user_auth
+ around_action :api_call_handle_error, :api_call_timeout
+
+ # External apps that use the api are able to query which permissions
+ # they have. This currently returns a list of permissions granted to the current user:
+ # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.
+ # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
+ # * unauthenticated users have no permissions, so the list will be empty.
+ def show
+ @permissions = if current_token.present?
+ ClientApplication.all_permissions.select { |p| current_token.read_attribute(p) }
+ elsif current_user
+ ClientApplication.all_permissions
+ else
+ []
+ end
+ end
+ end
+end
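Review bot: `authorize_resource :class => false` on L21 registers CanCan's authorization check ahead of `before_action :setup_user_auth` on L24, so `authorize!(:show, :permission)` appears to run before the Basic/OAuth credentials have been read and `current_user` is still unset; the check passes only because `can :show, :permission` (added at L11) is granted without regard to the user. That mirrors the order the old ApiController used (L43–L45), but in a single-action controller it is easy to mistake for a per-user check, so a comment above L21 would help: `# Authorization runs before setup_user_auth, so the :permission ability must stay unconditional;` / `# otherwise anonymous callers would get 403 instead of the empty list described below.` The response is rendered by a template this excerpt does not show; if the builder was not moved from `api/permissions` to `api/permissions/show` in the same commit, the `assert_select "osm > permissions"` tests (L90, L99, L116) will fail, so that is worth confirming.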
authorize_resource :class => false
before_action :check_api_readable
- before_action :setup_user_auth, :only => [:permissions]
around_action :api_call_handle_error, :api_call_timeout
# This is probably the most common call of all. It is used for getting the
render :plain => "Requested zoom is invalid, or the supplied start is after the end time, or the start duration is more than 24 hours", :status => :bad_request
end
end
-
- # External apps that use the api are able to query which permissions
- # they have. This currently returns a list of permissions granted to the current user:
- # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.
- # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
- # * unauthenticated users have no permissions, so the list will be empty.
- def permissions
- @permissions = if current_token.present?
- ClientApplication.all_permissions.select { |p| current_token.read_attribute(p) }
- elsif current_user
- ClientApplication.all_permissions
- else
- []
- end
- end
end
scope "api/0.6" do
get "capabilities" => "api/capabilities#show"
- get "permissions" => "api#permissions"
+ get "permissions" => "api/permissions#show"
put "changeset/create" => "changesets#create"
post "changeset/:id/upload" => "changesets#upload", :id => /\d+/
--- /dev/null
+require "test_helper"
+
+module Api
+ class PermissionsControllerTest < ActionController::TestCase
+ ##
+ # test all routes which lead to this controller
+ def test_routes
+ assert_routing(
+ { :path => "/api/0.6/permissions", :method => :get },
+ { :controller => "api/permissions", :action => "show" }
+ )
+ end
+
+ def test_permissions_anonymous
+ get :show
+ assert_response :success
+ assert_select "osm > permissions", :count => 1 do
+ assert_select "permission", :count => 0
+ end
+ end
+
+ def test_permissions_basic_auth
+ basic_authorization create(:user).email, "test"
+ get :show
+ assert_response :success
+ assert_select "osm > permissions", :count => 1 do
+ assert_select "permission", :count => ClientApplication.all_permissions.size
+ ClientApplication.all_permissions.each do |p|
+ assert_select "permission[name='#{p}']", :count => 1
+ end
+ end
+ end
+
+ def test_permissions_oauth
+ @request.env["oauth.token"] = AccessToken.new do |token|
+ # Just to test a few
+ token.allow_read_prefs = true
+ token.allow_write_api = true
+ token.allow_read_gpx = false
+ end
+ get :show
+ assert_response :success
+ assert_select "osm > permissions", :count => 1 do
+ assert_select "permission", :count => 2
+ assert_select "permission[name='allow_read_prefs']", :count => 1
+ assert_select "permission[name='allow_write_api']", :count => 1
+ assert_select "permission[name='allow_read_gpx']", :count => 0
+ end
+ end
+ end
+end
##
# test all routes which lead to this controller
def test_routes
- assert_routing(
- { :path => "/api/0.6/permissions", :method => :get },
- { :controller => "api", :action => "permissions" }
- )
assert_routing(
{ :path => "/api/0.6/map", :method => :get },
{ :controller => "api", :action => "map" }
get :changes, :params => { :start => "2010-04-03 09:55:00", :end => "2010-04-03 10:55:00" }
assert_response :success
end
-
- def test_permissions_anonymous
- get :permissions
- assert_response :success
- assert_select "osm > permissions", :count => 1 do
- assert_select "permission", :count => 0
- end
- end
-
- def test_permissions_basic_auth
- basic_authorization create(:user).email, "test"
- get :permissions
- assert_response :success
- assert_select "osm > permissions", :count => 1 do
- assert_select "permission", :count => ClientApplication.all_permissions.size
- ClientApplication.all_permissions.each do |p|
- assert_select "permission[name='#{p}']", :count => 1
- end
- end
- end
-
- def test_permissions_oauth
- @request.env["oauth.token"] = AccessToken.new do |token|
- # Just to test a few
- token.allow_read_prefs = true
- token.allow_write_api = true
- token.allow_read_gpx = false
- end
- get :permissions
- assert_response :success
- assert_select "osm > permissions", :count => 1 do
- assert_select "permission", :count => 2
- assert_select "permission[name='allow_read_prefs']", :count => 1
- assert_select "permission[name='allow_write_api']", :count => 1
- assert_select "permission[name='allow_read_gpx']", :count => 0
- end
- end
end