end
if user.moderator?
- can [:destroy, :restore], ChangesetComment if scopes.include?("write_changeset_comments")
+ can [:create, :destroy], :changeset_comment_visibility if scopes.include?("write_changeset_comments")
can :destroy, Note if scopes.include?("write_notes")
--- /dev/null
+module Api
+ module ChangesetComments
+ class VisibilitiesController < ApiController
+ before_action :check_api_writable
+ before_action :authorize
+
+ authorize_resource :class => :changeset_comment_visibility
+
+ before_action :set_request_formats
+
+ ##
+ # Sets visible flag on comment to true
+ def create
+ # Check the arguments are sane
+ raise OSM::APIBadUserInput, "No id was given" unless params[:changeset_comment_id]
+
+ # Extract the arguments
+ changeset_comment_id = params[:changeset_comment_id].to_i
+
+ # Find the changeset
+ comment = ChangesetComment.find(changeset_comment_id)
+
+ # Unhide the comment
+ comment.update(:visible => true)
+
+ # Return a copy of the updated changeset
+ @changeset = comment.changeset
+
+ respond_to do |format|
+ format.xml
+ format.json
+ end
+ end
+
+ ##
+ # Sets visible flag on comment to false
+ def destroy
+ # Check the arguments are sane
+ raise OSM::APIBadUserInput, "No id was given" unless params[:changeset_comment_id]
+
+ # Extract the arguments
+ changeset_comment_id = params[:changeset_comment_id].to_i
+
+ # Find the changeset
+ comment = ChangesetComment.find(changeset_comment_id)
+
+ # Hide the comment
+ comment.update(:visible => false)
+
+ # Return a copy of the updated changeset
+ @changeset = comment.changeset
+
+ respond_to do |format|
+ format.xml
+ format.json
+ end
+ end
+ end
+ end
+end
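Review bot: The return value of `comment.update(:visible => true)` in `create` (and of `comment.update(:visible => false)` in `destroy`) is discarded, so if the save is rejected the action still renders the changeset with a success status while the comment's visibility is unchanged. For a moderation endpoint a failure should be reported: `comment.update!(:visible => true)` and `comment.update!(:visible => false)` would do that, provided the API's error handling maps the resulting exception to a sensible status, which is not visible here. The `# Find the changeset` comment above `ChangesetComment.find(changeset_comment_id)` in both actions should read `# Find the comment`.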
end
end
- ##
- # Sets visible flag on comment to false
- def destroy
- # Check the arguments are sane
- raise OSM::APIBadUserInput, "No id was given" unless params[:id]
-
- # Extract the arguments
- id = params[:id].to_i
-
- # Find the changeset
- comment = ChangesetComment.find(id)
-
- # Hide the comment
- comment.update(:visible => false)
-
- # Return a copy of the updated changeset
- @changeset = comment.changeset
- render "api/changesets/show"
-
- respond_to do |format|
- format.xml
- format.json
- end
- end
-
- ##
- # Sets visible flag on comment to true
- def restore
- # Check the arguments are sane
- raise OSM::APIBadUserInput, "No id was given" unless params[:id]
-
- # Extract the arguments
- id = params[:id].to_i
-
- # Find the changeset
- comment = ChangesetComment.find(id)
-
- # Unhide the comment
- comment.update(:visible => true)
-
- # Return a copy of the updated changeset
- @changeset = comment.changeset
- render "api/changesets/show"
-
- respond_to do |format|
- format.xml
- format.json
- end
- end
-
private
##
@changeset = Changeset.find(params[:id])
if params[:include_discussion].presence
@comments = @changeset.comments
- @comments = @comments.unscope(:where => :visible) if params[:show_hidden_comments].presence && can?(:restore, ChangesetComment)
+ @comments = @comments.unscope(:where => :visible) if params[:show_hidden_comments].presence && can?(:create, :changeset_comment_visibility)
@comments = @comments.includes(:author)
end
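Review bot: The `show_hidden_comments` gate now asks `can?(:create, :changeset_comment_visibility)`, which is the permission to unhide a comment, to decide whether hidden comments may be read, and nothing at the call site says why. With the ability rule changed in this commit, that presumably ties read access to hidden comments to moderator status plus the `write_changeset_comments` scope. A comment such as `# hidden comments are only shown to users who are allowed to unhide them` would make the coupling explicit, so a later change to the visibility abilities does not silently widen or narrow read access. The enclosing action starts and ends outside this hunk.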
--- /dev/null
+json.partial! "api/root_attributes"
+
+json.changeset do
+ json.partial! "api/changesets/changeset", :changeset => @changeset
+end
--- /dev/null
+xml.instruct! :xml, :version => "1.0"
+
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
+ osm << render(:partial => "api/changesets/changeset", :object => @changeset)
+end
--- /dev/null
+json.partial! "api/root_attributes"
+
+json.changeset do
+ json.partial! "api/changesets/changeset", :changeset => @changeset
+end
--- /dev/null
+xml.instruct! :xml, :version => "1.0"
+
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
+ osm << render(:partial => "api/changesets/changeset", :object => @changeset)
+end
—
<%= tag.button t(".#{comment.visible ? 'hide' : 'unhide'}_comment"),
:class => "btn btn-sm small btn-link link-secondary p-0 align-baseline",
- :data => { :method => "POST",
- :url => comment.visible ? changeset_comment_hide_url(comment) : changeset_comment_unhide_url(comment) } %>
+ :data => { :method => comment.visible ? "DELETE" : "POST",
+ :url => api_changeset_comment_visibility_path(comment) } %>
<% end %>
</small>
<div class="mx-2">
post "changeset/:id/subscribe" => "changesets#subscribe", :as => :api_changeset_subscribe, :id => /\d+/
post "changeset/:id/unsubscribe" => "changesets#unsubscribe", :as => :api_changeset_unsubscribe, :id => /\d+/
put "changeset/:id/close" => "changesets#close", :as => :changeset_close, :id => /\d+/
- post "changeset/comment/:id/hide" => "changeset_comments#destroy", :as => :changeset_comment_hide, :id => /\d+/
- post "changeset/comment/:id/unhide" => "changeset_comments#restore", :as => :changeset_comment_unhide, :id => /\d+/
end
namespace :api, :path => "api/0.6" do
end
put "changeset/create" => "changesets#create", :as => nil
- resources :changeset_comments, :only => :index
+ resources :changeset_comments, :id => /\d+/, :only => :index do
+ resource :visibility, :module => :changeset_comments, :only => [:create, :destroy]
+ end
+ post "changeset/comment/:changeset_comment_id/unhide" => "changeset_comments/visibilities#create", :changeset_comment_id => /\d+/, :as => nil
+ post "changeset/comment/:changeset_comment_id/hide" => "changeset_comments/visibilities#destroy", :changeset_comment_id => /\d+/, :as => nil
resources :nodes, :only => [:index, :create]
resources :nodes, :path => "node", :id => /\d+/, :only => [:show, :update, :destroy] do
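Review bot: The two `post "changeset/comment/:changeset_comment_id/unhide"` and `.../hide` routes are added beside the new nested `visibility` resource without any comment saying that they are compatibility aliases. `:as => nil` alone does not tell a reader that they are presumably kept for existing API clients, or that the `hide` alias maps a POST onto the `destroy` action. A line above them such as `# legacy aliases for the visibility resource, kept for existing API clients` would document that and make them easy to find when they can be retired.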
scopes = Set.new
ability = ApiAbility.new user, scopes
- [:create, :destroy, :restore].each do |action|
- assert ability.cannot? action, ChangesetComment
- end
+ assert ability.cannot? :create, ChangesetComment
+ assert ability.cannot? :create, :changeset_comment_visibility
+ assert ability.cannot? :destroy, :changeset_comment_visibility
end
test "as a normal user with write_changeset_comments scope" do
scopes = Set.new %w[write_changeset_comments]
ability = ApiAbility.new user, scopes
- [:destroy, :restore].each do |action|
- assert ability.cannot? action, ChangesetComment
- end
-
- [:create].each do |action|
- assert ability.can? action, ChangesetComment
- end
+ assert ability.can? :create, ChangesetComment
+ assert ability.cannot? :create, :changeset_comment_visibility
+ assert ability.cannot? :destroy, :changeset_comment_visibility
end
test "as a moderator without scopes" do
scopes = Set.new
ability = ApiAbility.new user, scopes
- [:create, :destroy, :restore].each do |action|
- assert ability.cannot? action, ChangesetComment
- end
+ assert ability.cannot? :create, ChangesetComment
+ assert ability.cannot? :create, :changeset_comment_visibility
+ assert ability.cannot? :destroy, :changeset_comment_visibility
end
test "as a moderator with write_changeset_comments scope" do
scopes = Set.new %w[write_changeset_comments]
ability = ApiAbility.new user, scopes
- [:create, :destroy, :restore].each do |action|
- assert ability.can? action, ChangesetComment
- end
+ assert ability.can? :create, ChangesetComment
+ assert ability.can? :create, :changeset_comment_visibility
+ assert ability.can? :destroy, :changeset_comment_visibility
end
end
--- /dev/null
+require "test_helper"
+
+module Api
+ module ChangesetComments
+ class VisibilitiesControllerTest < ActionDispatch::IntegrationTest
+ ##
+ # test all routes which lead to this controller
+ def test_routes
+ assert_routing(
+ { :path => "/api/0.6/changeset_comments/1/visibility", :method => :post },
+ { :controller => "api/changeset_comments/visibilities", :action => "create", :changeset_comment_id => "1" }
+ )
+ assert_routing(
+ { :path => "/api/0.6/changeset_comments/1/visibility.json", :method => :post },
+ { :controller => "api/changeset_comments/visibilities", :action => "create", :changeset_comment_id => "1", :format => "json" }
+ )
+ assert_routing(
+ { :path => "/api/0.6/changeset_comments/1/visibility", :method => :delete },
+ { :controller => "api/changeset_comments/visibilities", :action => "destroy", :changeset_comment_id => "1" }
+ )
+ assert_routing(
+ { :path => "/api/0.6/changeset_comments/1/visibility.json", :method => :delete },
+ { :controller => "api/changeset_comments/visibilities", :action => "destroy", :changeset_comment_id => "1", :format => "json" }
+ )
+
+ assert_recognizes(
+ { :controller => "api/changeset_comments/visibilities", :action => "create", :changeset_comment_id => "1" },
+ { :path => "/api/0.6/changeset/comment/1/unhide", :method => :post }
+ )
+ assert_recognizes(
+ { :controller => "api/changeset_comments/visibilities", :action => "create", :changeset_comment_id => "1", :format => "json" },
+ { :path => "/api/0.6/changeset/comment/1/unhide.json", :method => :post }
+ )
+ assert_recognizes(
+ { :controller => "api/changeset_comments/visibilities", :action => "destroy", :changeset_comment_id => "1" },
+ { :path => "/api/0.6/changeset/comment/1/hide", :method => :post }
+ )
+ assert_recognizes(
+ { :controller => "api/changeset_comments/visibilities", :action => "destroy", :changeset_comment_id => "1", :format => "json" },
+ { :path => "/api/0.6/changeset/comment/1/hide.json", :method => :post }
+ )
+ end
+
+ def test_create_by_unauthorized
+ comment = create(:changeset_comment, :visible => false)
+
+ post api_changeset_comment_visibility_path(comment)
+
+ assert_response :unauthorized
+ assert_not comment.reload.visible
+ end
+
+ def test_create_by_normal_user
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header
+
+ post api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :forbidden
+ assert_not comment.reload.visible
+ end
+
+ def test_create_on_missing_comment
+ auth_header = bearer_authorization_header create(:moderator_user)
+
+ post api_changeset_comment_visibility_path(999111), :headers => auth_header
+
+ assert_response :not_found
+ end
+
+ def test_create_without_required_scope
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[read_prefs]
+
+ post api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :forbidden
+ assert_not comment.reload.visible
+ end
+
+ def test_create_with_write_changeset_comments_scope
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
+
+ post api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/xml", response.media_type
+ assert_dom "osm", 1 do
+ assert_dom "> changeset", 1 do
+ assert_dom "> @id", comment.changeset_id.to_s
+ assert_dom "> @comments_count", "1"
+ end
+ end
+
+ assert comment.reload.visible
+ end
+
+ def test_create_with_write_changeset_comments_scope_json
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
+
+ post api_changeset_comment_visibility_path(comment, :format => "json"), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/json", response.media_type
+ js = ActiveSupport::JSON.decode(@response.body)
+ assert_not_nil js["changeset"]
+ assert_equal comment.changeset_id, js["changeset"]["id"]
+ assert_equal 1, js["changeset"]["comments_count"]
+
+ assert comment.reload.visible
+ end
+
+ def test_create_with_write_api_scope
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
+
+ post api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/xml", response.media_type
+ assert_dom "osm", 1 do
+ assert_dom "> changeset", 1 do
+ assert_dom "> @id", comment.changeset_id.to_s
+ assert_dom "> @comments_count", "1"
+ end
+ end
+
+ assert comment.reload.visible
+ end
+
+ def test_create_with_write_api_scope_json
+ comment = create(:changeset_comment, :visible => false)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
+
+ post api_changeset_comment_visibility_path(comment, :format => "json"), :headers => auth_header
+
+ assert_response :success
+ js = ActiveSupport::JSON.decode(@response.body)
+ assert_equal "application/json", response.media_type
+ assert_not_nil js["changeset"]
+ assert_equal comment.changeset_id, js["changeset"]["id"]
+ assert_equal 1, js["changeset"]["comments_count"]
+
+ assert comment.reload.visible
+ end
+
+ def test_destroy_by_unauthorized
+ comment = create(:changeset_comment)
+
+ delete api_changeset_comment_visibility_path(comment)
+
+ assert_response :unauthorized
+ assert comment.reload.visible
+ end
+
+ def test_destroy_by_normal_user
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header
+
+ delete api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :forbidden
+ assert comment.reload.visible
+ end
+
+ def test_destroy_on_missing_comment
+ auth_header = bearer_authorization_header create(:moderator_user)
+
+ delete api_changeset_comment_visibility_path(999111), :headers => auth_header
+
+ assert_response :not_found
+ end
+
+ def test_destroy_without_required_scope
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[read_prefs]
+
+ delete api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :forbidden
+ assert comment.reload.visible
+ end
+
+ def test_destroy_with_write_changeset_comments_scope
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
+
+ delete api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/xml", response.media_type
+ assert_dom "osm", 1 do
+ assert_dom "> changeset", 1 do
+ assert_dom "> @id", comment.changeset_id.to_s
+ assert_dom "> @comments_count", "0"
+ end
+ end
+
+ assert_not comment.reload.visible
+ end
+
+ def test_destroy_with_write_changeset_comments_scope_json
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
+
+ delete api_changeset_comment_visibility_path(comment, :format => "json"), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/json", response.media_type
+ js = ActiveSupport::JSON.decode(@response.body)
+ assert_not_nil js["changeset"]
+ assert_equal comment.changeset_id, js["changeset"]["id"]
+ assert_equal 0, js["changeset"]["comments_count"]
+
+ assert_not comment.reload.visible
+ end
+
+ def test_destroy_with_write_api_scope
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
+
+ delete api_changeset_comment_visibility_path(comment), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/xml", response.media_type
+ assert_dom "osm", 1 do
+ assert_dom "> changeset", 1 do
+ assert_dom "> @id", comment.changeset_id.to_s
+ assert_dom "> @comments_count", "0"
+ end
+ end
+
+ assert_not comment.reload.visible
+ end
+
+ def test_destroy_with_write_api_scope_json
+ comment = create(:changeset_comment)
+ auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
+
+ delete api_changeset_comment_visibility_path(comment, :format => "json"), :headers => auth_header
+
+ assert_response :success
+ assert_equal "application/json", response.media_type
+ js = ActiveSupport::JSON.decode(@response.body)
+ assert_not_nil js["changeset"]
+ assert_equal comment.changeset_id, js["changeset"]["id"]
+ assert_equal 0, js["changeset"]["comments_count"]
+
+ assert_not comment.reload.visible
+ end
+ end
+ end
+end
{ :path => "/api/0.6/changeset/1/comment.json", :method => :post },
{ :controller => "api/changeset_comments", :action => "create", :changeset_id => "1", :format => "json" }
)
- assert_routing(
- { :path => "/api/0.6/changeset/comment/1/hide", :method => :post },
- { :controller => "api/changeset_comments", :action => "destroy", :id => "1" }
- )
- assert_routing(
- { :path => "/api/0.6/changeset/comment/1/hide.json", :method => :post },
- { :controller => "api/changeset_comments", :action => "destroy", :id => "1", :format => "json" }
- )
- assert_routing(
- { :path => "/api/0.6/changeset/comment/1/unhide", :method => :post },
- { :controller => "api/changeset_comments", :action => "restore", :id => "1" }
- )
- assert_routing(
- { :path => "/api/0.6/changeset/comment/1/unhide.json", :method => :post },
- { :controller => "api/changeset_comments", :action => "restore", :id => "1", :format => "json" }
- )
end
def test_index
end
end
- def test_hide_by_unauthorized
- comment = create(:changeset_comment)
-
- post changeset_comment_hide_path(comment)
-
- assert_response :unauthorized
- assert comment.reload.visible
- end
-
- def test_hide_by_normal_user
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header
-
- post changeset_comment_hide_path(comment), :headers => auth_header
-
- assert_response :forbidden
- assert comment.reload.visible
- end
-
- def test_hide_missing_comment
- auth_header = bearer_authorization_header create(:moderator_user)
-
- post changeset_comment_hide_path(999111), :headers => auth_header
-
- assert_response :not_found
- end
-
- def test_hide_without_required_scope
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[read_prefs]
-
- post changeset_comment_hide_path(comment), :headers => auth_header
-
- assert_response :forbidden
- assert comment.reload.visible
- end
-
- def test_hide_with_write_changeset_comments_scope
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
-
- post changeset_comment_hide_path(comment), :headers => auth_header
-
- assert_response :success
- assert_equal "application/xml", response.media_type
- assert_dom "osm", 1 do
- assert_dom "> changeset", 1 do
- assert_dom "> @id", comment.changeset_id.to_s
- assert_dom "> @comments_count", "0"
- end
- end
-
- assert_not comment.reload.visible
- end
-
- def test_hide_with_write_changeset_comments_scope_json
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
-
- post changeset_comment_hide_path(comment, :format => "json"), :headers => auth_header
-
- assert_response :success
- assert_equal "application/json", response.media_type
- js = ActiveSupport::JSON.decode(@response.body)
- assert_not_nil js["changeset"]
- assert_equal comment.changeset_id, js["changeset"]["id"]
- assert_equal 0, js["changeset"]["comments_count"]
-
- assert_not comment.reload.visible
- end
-
- def test_hide_with_write_api_scope
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
-
- post changeset_comment_hide_path(comment), :headers => auth_header
-
- assert_response :success
- assert_equal "application/xml", response.media_type
- assert_dom "osm", 1 do
- assert_dom "> changeset", 1 do
- assert_dom "> @id", comment.changeset_id.to_s
- assert_dom "> @comments_count", "0"
- end
- end
-
- assert_not comment.reload.visible
- end
-
- def test_hide_with_write_api_scope_json
- comment = create(:changeset_comment)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
-
- post changeset_comment_hide_path(comment, :format => "json"), :headers => auth_header
-
- assert_response :success
- assert_equal "application/json", response.media_type
- js = ActiveSupport::JSON.decode(@response.body)
- assert_not_nil js["changeset"]
- assert_equal comment.changeset_id, js["changeset"]["id"]
- assert_equal 0, js["changeset"]["comments_count"]
-
- assert_not comment.reload.visible
- end
-
- def test_unhide_by_unauthorized
- comment = create(:changeset_comment, :visible => false)
-
- post changeset_comment_unhide_path(comment)
-
- assert_response :unauthorized
- assert_not comment.reload.visible
- end
-
- def test_unhide_by_normal_user
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header
-
- post changeset_comment_unhide_path(comment), :headers => auth_header
-
- assert_response :forbidden
- assert_not comment.reload.visible
- end
-
- def test_unhide_missing_comment
- auth_header = bearer_authorization_header create(:moderator_user)
-
- post changeset_comment_unhide_path(999111), :headers => auth_header
-
- assert_response :not_found
- end
-
- def test_unhide_without_required_scope
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[read_prefs]
-
- post changeset_comment_unhide_path(comment), :headers => auth_header
-
- assert_response :forbidden
- assert_not comment.reload.visible
- end
-
- def test_unhide_with_write_changeset_comments_scope
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
-
- post changeset_comment_unhide_path(comment), :headers => auth_header
-
- assert_response :success
- assert_equal "application/xml", response.media_type
- assert_dom "osm", 1 do
- assert_dom "> changeset", 1 do
- assert_dom "> @id", comment.changeset_id.to_s
- assert_dom "> @comments_count", "1"
- end
- end
-
- assert comment.reload.visible
- end
-
- def test_unhide_with_write_changeset_comments_scope_json
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_changeset_comments]
-
- post changeset_comment_unhide_path(comment, :format => "json"), :headers => auth_header
-
- assert_response :success
- assert_equal "application/json", response.media_type
- js = ActiveSupport::JSON.decode(@response.body)
- assert_not_nil js["changeset"]
- assert_equal comment.changeset_id, js["changeset"]["id"]
- assert_equal 1, js["changeset"]["comments_count"]
-
- assert comment.reload.visible
- end
-
- def test_unhide_with_write_api_scope
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
-
- post changeset_comment_unhide_path(comment), :headers => auth_header
-
- assert_response :success
- assert_equal "application/xml", response.media_type
- assert_dom "osm", 1 do
- assert_dom "> changeset", 1 do
- assert_dom "> @id", comment.changeset_id.to_s
- assert_dom "> @comments_count", "1"
- end
- end
-
- assert comment.reload.visible
- end
-
- def test_unhide_with_write_api_scope_json
- comment = create(:changeset_comment, :visible => false)
- auth_header = bearer_authorization_header create(:moderator_user), :scopes => %w[write_api]
-
- post changeset_comment_unhide_path(comment, :format => "json"), :headers => auth_header
-
- assert_response :success
- js = ActiveSupport::JSON.decode(@response.body)
- assert_equal "application/json", response.media_type
- assert_not_nil js["changeset"]
- assert_equal comment.changeset_id, js["changeset"]["id"]
- assert_equal 1, js["changeset"]["comments_count"]
-
- assert comment.reload.visible
- end
-
private
##