# External apps that use the api are able to query which permissions
# they have. This currently returns a list of permissions granted to the current user:
# * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.
- # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
# * unauthenticated users have no permissions, so the list will be empty.
def show
@permissions = if doorkeeper_token.present?
doorkeeper_token.scopes.map { |s| :"allow_#{s}" }
- elsif current_user
- Oauth.scopes.map { |s| :"allow_#{s.name}" }
else
[]
end
end
end
- def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
+ def authorize(errormessage = "Couldn't authenticate you")
# make the current_user object from any auth sources we have
setup_user_auth
# handle authenticate pass/fail
unless current_user
# no auth, the user does not exist or the password was wrong
- if Settings.basic_auth_support
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
- else
- render :plain => errormessage, :status => :forbidden
- end
+ render :plain => errormessage, :status => :unauthorized
false
end
report_error t("oauth.permissions.missing"), :forbidden
elsif current_user
head :forbidden
- elsif Settings.basic_auth_support
- realm = "Web Password"
- errormessage = "Couldn't authenticate you"
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
else
- render :plain => errormessage, :status => :forbidden
+ head :unauthorized
end
end
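Review bot: The 401 responses at `render :plain => errormessage, :status => :unauthorized` and `head :unauthorized` no longer carry any `WWW-Authenticate` challenge now that the Basic one is removed; RFC 7235 requires a challenge on a 401, and RFC 6750 defines the `Bearer` scheme for OAuth 2 resource servers. Setting `response.headers["WWW-Authenticate"] = "Bearer"` before each of those renders (with `error="invalid_token"` where a token was present but not accessible) keeps clients that branch on the challenge working and makes the rejection self-describing. The `authorize` body and the second method in this hunk (the branch starting at `report_error`) begin or end outside the visible lines, so the exact scope of the two branches is inferred.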
def setup_user_auth
logger.info " setup_user_auth"
# try and setup using OAuth
- if doorkeeper_token&.accessible?
- self.current_user = User.find(doorkeeper_token.resource_owner_id)
- else
- username, passwd = auth_data # parse from headers
- # authenticate per-scheme
- self.current_user = if username.nil?
- nil # no authentication provided - perhaps first connect (client should retry after 401)
- else
- User.authenticate(:username => username, :password => passwd) # basic auth
- end
- if username && current_user
- if Settings.basic_auth_support
- # log if we have authenticated using basic auth
- logger.info "Authenticated as user #{current_user.id} using basic authentication"
- else
- report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden
- end
- end
- end
+ self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?
# have we identified the user?
if current_user
end
end
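Review bot: With the Basic branch removed, a request that still sends `Authorization: Basic …` falls through `self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?` with `current_user` nil and ends as a bare 401, and the `application.basic_auth_disabled` message with its link is deleted from the locale file in this same change, so callers get no hint why credentials they sent were ignored. A transition check such as `report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden if request.authorization&.start_with?("Basic ")` would make the rejection explicit and keep the translation in use. Separately, `User.find` raises `ActiveRecord::RecordNotFound` for a token whose `resource_owner_id` no longer exists; unless tokens are revoked when users are deleted, `User.find_by(:id => ...)` would let that case reach the normal unauthenticated path instead of a 404. The trailing `if current_user` is cut off here and the method may continue past the hunk.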
- # extract authorisation credentials from headers, returns user = nil if none
- def auth_data
- if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
- authdata = request.env["X-HTTP_AUTHORIZATION"].to_s.split
- elsif request.env.key? "REDIRECT_X_HTTP_AUTHORIZATION" # mod_fcgi
- authdata = request.env["REDIRECT_X_HTTP_AUTHORIZATION"].to_s.split
- elsif request.env.key? "HTTP_AUTHORIZATION" # regular location
- authdata = request.env["HTTP_AUTHORIZATION"].to_s.split
- end
- # only basic authentication supported
- user, pass = Base64.decode64(authdata[1]).split(":", 2) if authdata && authdata[0] == "Basic"
- [user, pass]
- end
-
# clean any referer parameter
def safe_referer(referer)
begin
other: "GPX file with %{count} points from %{user}"
description_without_count: "GPX file from %{user}"
application:
- basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}"
- auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update"
permission_denied: You do not have permission to access that action
require_cookies:
cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing."
#logstash_path: ""
# List of memcache servers to use for caching
#memcache_servers: []
-# Enable HTTP basic authentication support
-basic_auth_support: true
# URL of Nominatim instance to use for geocoding
nominatim_url: "https://nominatim.openstreetmap.org/"
# Default editor
deleted_user = create(:user, :deleted)
private_user_closed_changeset = create(:changeset, :closed, :user => private_user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "ChangesetComment.count", 1 do
assert_no_difference "ActionMailer::Base.deliveries.size" do
ActionMailer::Base.deliveries.clear
- auth_header = basic_authorization_header user2.email, "test"
+ auth_header = bearer_authorization_header user2
assert_difference "ChangesetComment.count", 1 do
assert_difference "ActionMailer::Base.deliveries.size", 2 do
post changeset_comment_path(create(:changeset, :closed), :text => "This is a comment")
assert_response :unauthorized
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# bad changeset id
assert_no_difference "ChangesetComment.count" do
changeset = create(:changeset, :closed)
user = create(:user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour do
1.upto(Settings.initial_changeset_comments_per_hour) do |count|
user = create(:user)
create_list(:changeset_comment, 200, :author_id => user.id, :created_at => Time.now.utc - 1.day)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "ChangesetComment.count", Settings.max_changeset_comments_per_hour do
1.upto(Settings.max_changeset_comments_per_hour) do |count|
user = create(:user)
create(:issue_with_reports, :reportable => user, :reported_user => user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour / 2 do
1.upto(Settings.initial_changeset_comments_per_hour / 2) do |count|
changeset = create(:changeset, :closed)
user = create(:moderator_user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "ChangesetComment.count", Settings.moderator_changeset_comments_per_hour do
1.upto(Settings.moderator_changeset_comments_per_hour) do |count|
assert_response :unauthorized
assert comment.reload.visible
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# not a moderator
post changeset_comment_hide_path(comment), :headers => auth_header
assert_response :forbidden
assert comment.reload.visible
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
# bad comment id
post changeset_comment_hide_path(999111), :headers => auth_header
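Review bot: `auth_header = bearer_authorization_header` with no argument replaces `basic_authorization_header create(:user).email, "test"`, so the user authenticated in the "not a moderator" step is whatever the helper defaults to — presumably a freshly created ordinary user, but that is not visible here. Writing `bearer_authorization_header create(:user)` keeps the non-moderator case explicit next to `bearer_authorization_header create(:moderator_user)` a few lines later and guards the `:forbidden` assertion against the helper's default changing. The same shorthand is used in several other tests in this change.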
comment = create(:changeset_comment)
assert comment.visible
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
post changeset_comment_hide_path(comment), :headers => auth_header
assert_response :success
assert_response :unauthorized
assert_not comment.reload.visible
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# not a moderator
post changeset_comment_unhide_path(comment), :headers => auth_header
assert_response :forbidden
assert_not comment.reload.visible
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
# bad comment id
post changeset_comment_unhide_path(999111), :headers => auth_header
comment = create(:changeset_comment, :visible => false)
assert_not comment.visible
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
post changeset_comment_unhide_path(comment), :headers => auth_header
assert_response :success
end
assert_response :success
end
-
- # This test does the same as above, but with basic auth, to similarly test that the
- # abilities take into account terms agreement too.
- def test_api_write_and_terms_agreed_via_basic_auth
- user = create(:user, :terms_agreed => nil)
- changeset = create(:changeset, :closed)
-
- auth_header = basic_authorization_header user.email, "test"
-
- assert_difference "ChangesetComment.count", 0 do
- post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
- end
- assert_response :forbidden
-
- # Try again, after agreement with the terms
- user.terms_agreed = Time.now.utc
- user.save!
-
- assert_difference "ChangesetComment.count", 1 do
- post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
- end
- assert_response :success
- end
end
end
# -----------------------
def test_create
- auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+ auth_header = bearer_authorization_header create(:user, :data_public => false)
# Create the first user's changeset
xml = "<osm><changeset>" \
"<tag k='created_by' v='osm test suite checking changesets'/>" \
put changeset_create_path, :params => xml, :headers => auth_header
assert_require_public_data
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# Create the first user's changeset
xml = "<osm><changeset>" \
"<tag k='created_by' v='osm test suite checking changesets'/>" \
end
def test_create_invalid
- auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+ auth_header = bearer_authorization_header create(:user, :data_public => false)
xml = "<osm><changeset></osm>"
put changeset_create_path, :params => xml, :headers => auth_header
assert_require_public_data
## Try the public user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
xml = "<osm><changeset></osm>"
put changeset_create_path, :params => xml, :headers => auth_header
assert_response :bad_request, "creating a invalid changeset should fail"
assert_response :unauthorized, "shouldn't be able to create a changeset with no auth"
## Now try to with a non-public user
- auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+ auth_header = bearer_authorization_header create(:user, :data_public => false)
put changeset_create_path, :headers => auth_header
assert_require_public_data
## Try an inactive user
- auth_header = basic_authorization_header create(:user, :pending).email, "test"
+ auth_header = bearer_authorization_header create(:user, :pending)
put changeset_create_path, :headers => auth_header
assert_inactive_user
## Now try to use a normal user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
put changeset_create_path, :headers => auth_header
assert_response :bad_request, "creating a changeset with no content should fail"
end
def test_create_wrong_method
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get changeset_create_path, :headers => auth_header
assert_response :not_found
# one hidden comment shown to moderators
moderator_user = create(:moderator_user)
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
get changeset_show_path(changeset), :params => { :include_discussion => true, :show_hidden_comments => true },
:headers => auth_header
assert_response :success, "cannot get closed changeset with comments"
# one hidden comment shown to moderators
moderator_user = create(:moderator_user)
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
get changeset_show_path(changeset), :params => { :format => "json", :include_discussion => true, :show_hidden_comments => true },
:headers => auth_header
assert_response :success, "cannot get closed changeset with comments"
assert_response :unauthorized
## Try using the non-public user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
put changeset_close_path(private_changeset), :headers => auth_header
assert_require_public_data
## The try with the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
cs_id = changeset.id
put changeset_close_path(cs_id), :headers => auth_header
user = create(:user)
changeset = create(:changeset)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
put changeset_close_path(changeset), :headers => auth_header
assert_response :conflict
user = create(:user)
changeset = create(:changeset, :user => user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
get changeset_close_path(changeset), :headers => auth_header
assert_response :not_found
end
# Now try with auth
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
cs_ids.each do |id|
put changeset_close_path(id), :headers => auth_header
assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed"
"shouldn't be able to upload a simple valid diff to changeset: #{@response.body}"
## Now try with a private user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
changeset_id = private_changeset.id
# simple diff to change a node, way and relation by removing
"can't upload a simple valid diff to changeset: #{@response.body}"
## Now try with the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
changeset_id = changeset.id
# simple diff to change a node, way and relation by removing
way = create(:way_with_nodes, :nodes_count => 2)
relation = create(:relation)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
create(:relation_member, :relation => super_relation, :member => used_way)
create(:relation_member, :relation => super_relation, :member => used_node)
- auth_header = basic_authorization_header changeset.user.display_name, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = XML::Document.new
diff.root = XML::Node.new "osmChange"
node = create(:node)
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.display_name, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = "<osmChange><delete><node id='#{node.id}' version='#{node.version}' changeset='#{changeset.id}'/></delete></osmChange>"
# upload it
def test_repeated_changeset_create
3.times do
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a temporary changeset
xml = "<osm><changeset>" \
def test_upload_large_changeset
user = create(:user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create an old changeset to ensure we have the maximum rate limit
create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
create(:relation_member, :relation => relation, :member => used_way)
create(:relation_member, :relation => relation, :member => used_node)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = XML::Document.new
diff.root = XML::Node.new "osmChange"
create(:relation_member, :relation => super_relation, :member => used_way)
create(:relation_member, :relation => super_relation, :member => used_node)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = XML::Document.new
diff.root = XML::Node.new "osmChange"
def test_upload_invalid_too_long_tag
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
relation = create(:relation)
other_relation = create(:relation)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
def test_upload_multiple_valid
node = create(:node)
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# change the location of a node multiple times, each time referencing
# the last version. doesn't this depend on version numbers being
node = create(:node)
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_upload_missing_version
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_action_upload_invalid
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
other_relation = create(:relation)
create(:relation_tag, :relation => relation)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_upload_reuse_placeholder_valid
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_upload_placeholder_invalid
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_upload_process_order
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
def test_upload_duplicate_delete
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
changeset = create(:changeset)
way = create(:way)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
changeset = create(:changeset)
relation = create(:relation)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
diff = <<~CHANGESET
<osmChange>
# test what happens if a diff is uploaded containing only a node
# move.
def test_upload_node_move
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
xml = "<osm><changeset>" \
"<tag k='created_by' v='osm test suite checking changesets'/>" \
##
# test what happens if a diff is uploaded adding a node to a way.
def test_upload_way_extend
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
xml = "<osm><changeset>" \
"<tag k='created_by' v='osm test suite checking changesets'/>" \
def test_upload_empty_invalid
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
["<osmChange/>",
"<osmChange></osmChange>",
node = create(:node)
create(:relation_member, :member => node)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# try and delete a node that is in use
diff = XML::Document.new
def test_upload_not_found
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# modify node
diff = <<~CHANGESET
def test_upload_relation_placeholder_not_fix
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
# modify node
diff = <<~CHANGESET
def test_upload_multiple_delete_block
changeset = create(:changeset)
- auth_header = basic_authorization_header changeset.user.email, "test"
+ auth_header = bearer_authorization_header changeset.user
node = create(:node)
way = create(:way)
:num_changes => Settings.initial_changes_per_hour - 2)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
end
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
:max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# simple diff to create a node
diff = <<~CHANGESET
:max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# simple diff to create a node way and relation using placeholders
diff = <<~CHANGESET
node = create(:node)
## First try with a non-public user, which should get a forbidden
- auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+ auth_header = bearer_authorization_header create(:user, :data_public => false)
# create a temporary changeset
xml = "<osm><changeset>" \
assert_response :forbidden
## Now try with a normal user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a temporary changeset
xml = "<osm><changeset>" \
#
# NOTE: the error turned out to be something else completely!
def test_josm_upload
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a temporary changeset
xml = "<osm><changeset>" \
node = create(:node)
node2 = create(:node)
way = create(:way)
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a temporary changeset
xml = "<osm><changeset>" \
way = create(:way)
create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3))
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a new changeset
xml = "<osm><changeset/></osm>"
assert_response :not_found, "shouldn't be able to get changesets by non-public user (name)"
# but this should work
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
get changesets_path(:user => private_user.id), :headers => auth_header
assert_response :success, "can't get changesets by user ID"
assert_changesets_in_order [private_user_changeset, private_user_closed_changeset]
assert_response :unauthorized
# try with the wrong authorization
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
assert_response :conflict
# now this should get an unauthorized
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
assert_require_public_data "user with their data non-public, shouldn't be able to edit their changeset"
assert_response :unauthorized
# try with the wrong authorization
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
assert_response :conflict
# now this should work...
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
assert_response :success
# check that a user different from the one who opened the changeset
# can't modify it.
def test_changeset_update_invalid
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
changeset = create(:changeset)
new_changeset = create_changeset_xml(:user => changeset.user, :id => changeset.id)
## FIXME should be changed to an integration test due to the with_controller
def test_changeset_limits
user = create(:user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create an old changeset to ensure we have the maximum rate limit
create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
##
# test subscribe success
def test_subscribe_success
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
changeset = create(:changeset, :closed)
assert_difference "changeset.subscribers.count", 1 do
end
assert_response :unauthorized
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# bad changeset id
assert_no_difference "changeset.subscribers.count" do
# test unsubscribe success
def test_unsubscribe_success
user = create(:user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
changeset = create(:changeset, :closed)
changeset.subscribers.push(user)
end
assert_response :unauthorized
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# bad changeset id
assert_no_difference "changeset.subscribers.count" do
assert_response :unauthorized, "node upload did not return unauthorized status"
## Now try with the user which doesn't have their data public
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# create a minimal xml file
xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{private_changeset.id}'/></osm>"
assert_require_public_data "node create did not return forbidden status"
## Now try with the user that has the public data
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create a minimal xml file
xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{changeset.id}'/></osm>"
user = create(:user)
changeset = create(:changeset, :user => user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
lat = 3.434
lon = 3.23
assert_response :unauthorized
## now set auth for the non-data public user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# try to delete with an invalid (closed) changeset
xml = update_changeset(xml_for_node(private_node), private_user_closed_changeset.id)
changeset = create(:changeset, :user => user)
closed_changeset = create(:changeset, :closed, :user => user)
node = create(:node, :changeset => changeset)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try to delete with an invalid (closed) changeset
xml = update_changeset(xml_for_node(node), closed_changeset.id)
## Second test with the private user
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
## trying to break changesets
assert_response :forbidden
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
## trying to break changesets
existing_tag = create(:node_tag)
assert existing_tag.node.changeset.user.data_public
# setup auth
- auth_header = basic_authorization_header existing_tag.node.changeset.user.email, "test"
+ auth_header = bearer_authorization_header existing_tag.node.changeset.user
# add an identical tag to the node
tag_xml = XML::Node.new("tag")
changeset = create(:changeset, :user => user)
## First try with the non-data public user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
assert_require_public_data "Shouldn't be able to create with non-public user"
## Then try with the public data user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
:num_changes => Settings.initial_changes_per_hour - 1)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a node
xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
end
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a node
xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
def test_comment_success
open_note_with_comment = create(:note_with_comments)
user = create(:user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_difference "NoteComment.count", 1 do
assert_no_difference "ActionMailer::Base.deliveries.size" do
perform_enqueued_jobs do
create(:note_comment, :note => note, :author => second_user)
end
- auth_header = basic_authorization_header third_user.email, "test"
+ auth_header = bearer_authorization_header third_user
assert_difference "NoteComment.count", 1 do
assert_difference "ActionMailer::Base.deliveries.size", 2 do
assert_response :unauthorized
end
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
assert_no_difference "NoteComment.count" do
post comment_api_note_path(open_note_with_comment), :headers => auth_header
post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json")
assert_response :unauthorized
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json"), :headers => auth_header
assert_response :success
post close_api_note_path(12345)
assert_response :unauthorized
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
post close_api_note_path(12345), :headers => auth_header
assert_response :not_found
post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json")
assert_response :unauthorized
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json"), :headers => auth_header
assert_response :success
post reopen_api_note_path(hidden_note_with_comment)
assert_response :unauthorized
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
post reopen_api_note_path(12345), :headers => auth_header
assert_response :not_found
delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json")
assert_response :unauthorized
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
assert_response :forbidden
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
assert_response :success
get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
assert_response :success
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
assert_response :gone
delete api_note_path(12345, :format => "json")
assert_response :unauthorized
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
delete api_note_path(12345, :format => "json"), :headers => auth_header
assert_response :forbidden
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
delete api_note_path(12345, :format => "json"), :headers => auth_header
assert_response :not_found
propagate_tags(node, node.old_nodes.last)
## First try this with a non-public user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# setup a simple XML node
xml_doc = xml_for_node(private_node)
# probably should check that they didn't get written to the database
## Now do it with the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# setup a simple XML node
# test the redaction of an old version of a node, while being
# authorised as a normal user.
def test_redact_node_normal_user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
node = create(:node, :with_history, :version => 4)
node_v3 = node.old_nodes.find_by(:version => 3)
# test that, even as moderator, the current version of a node
# can't be redacted.
def test_redact_node_current_version
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
node = create(:node, :with_history, :version => 4)
node_v4 = node.old_nodes.find_by(:version => 4)
assert_response :forbidden, "Redacted node shouldn't be visible via the version API."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
assert_response :forbidden, "Redacted node shouldn't be visible via the version API, even when logged in."
end
"redacted node #{node_v1.node_id} version #{node_v1.version} shouldn't be present in the history."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_node_history_path(node), :headers => auth_header
assert_response :success, "Redaction shouldn't have stopped history working."
assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 0,
def test_redact_node_moderator
node = create(:node, :with_history, :version => 4)
node_v3 = node.old_nodes.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_node(node_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
def test_redact_node_is_redacted
node = create(:node, :with_history, :version => 4)
node_v3 = node.old_nodes.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_node(node_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
# re-auth as non-moderator
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check can't see the redacted data
get api_old_node_path(node_v3.node_id, node_v3.version), :headers => auth_header
node_v1 = node.old_nodes.find_by(:version => 1)
node_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
assert_response :forbidden, "should need to be moderator to unredact."
node_v1 = node.old_nodes.find_by(:version => 1)
node_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
assert_response :success, "should be OK to unredact old version as moderator."
assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 1,
"node #{node_v1.node_id} version #{node_v1.version} should now be present in the history for moderators without passing flag."
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check normal user can now see the redacted data
get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
relation = create(:relation, :with_history, :version => 4)
relation_v3 = relation.old_relations.find_by(:version => 3)
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
do_redact_relation(relation_v3, create(:redaction), auth_header)
assert_response :forbidden, "should need to be moderator to redact."
relation = create(:relation, :with_history, :version => 4)
relation_latest = relation.old_relations.last
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_relation(relation_latest, create(:redaction), auth_header)
assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
assert_response :forbidden, "Redacted relation shouldn't be visible via the version API."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
assert_response :forbidden, "Redacted relation shouldn't be visible via the version API, even when logged in."
end
"redacted relation #{relation_v1.relation_id} version #{relation_v1.version} shouldn't be present in the history."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
get api_relation_history_path(relation), :headers => auth_header
assert_response :success, "Redaction shouldn't have stopped history working."
relation = create(:relation, :with_history, :version => 4)
relation_v3 = relation.old_relations.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_relation(relation_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
relation = create(:relation, :with_history, :version => 4)
relation_v3 = relation.old_relations.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_relation(relation_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
# re-auth as non-moderator
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check can't see the redacted data
get api_old_relation_path(relation_v3.relation_id, relation_v3.version), :headers => auth_header
relation_v1 = relation.old_relations.find_by(:version => 1)
relation_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
assert_response :forbidden, "should need to be moderator to unredact."
relation_v1 = relation.old_relations.find_by(:version => 1)
relation_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
assert_response :success, "should be OK to unredact old version as moderator."
assert_select "osm relation[id='#{relation_v1.relation_id}'][version='#{relation_v1.version}']", 1,
"relation #{relation_v1.relation_id} version #{relation_v1.version} should still be present in the history for moderators."
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check normal user can now see the redacted data
get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
# test the redaction of an old version of a way, while being
# authorised as a normal user.
def test_redact_way_normal_user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
way = create(:way, :with_history, :version => 4)
way_v3 = way.old_ways.find_by(:version => 3)
# test that, even as moderator, the current version of a way
# can't be redacted.
def test_redact_way_current_version
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
way = create(:way, :with_history, :version => 4)
way_latest = way.old_ways.last
assert_response :forbidden, "Redacted way shouldn't be visible via the version API."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
assert_response :forbidden, "Redacted way shouldn't be visible via the version API, even when logged in."
end
"redacted way #{way_v1.way_id} version #{way_v1.version} shouldn't be present in the history."
# not even to a logged-in user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
get api_way_history_path(way), :headers => auth_header
assert_response :success, "Redaction shouldn't have stopped history working."
assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 0,
def test_redact_way_moderator
way = create(:way, :with_history, :version => 4)
way_v3 = way.old_ways.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_way(way_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
def test_redact_way_is_redacted
way = create(:way, :with_history, :version => 4)
way_v3 = way.old_ways.find_by(:version => 3)
- auth_header = basic_authorization_header create(:moderator_user).email, "test"
+ auth_header = bearer_authorization_header create(:moderator_user)
do_redact_way(way_v3, create(:redaction), auth_header)
assert_response :success, "should be OK to redact old version as moderator."
# re-auth as non-moderator
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check can't see the redacted data
get api_old_way_path(way_v3.way_id, way_v3.version), :headers => auth_header
way_v1 = way.old_ways.find_by(:version => 1)
way_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
assert_response :forbidden, "should need to be moderator to unredact."
way_v1 = way.old_ways.find_by(:version => 1)
way_v1.redact!(create(:redaction))
- auth_header = basic_authorization_header moderator_user.email, "test"
+ auth_header = bearer_authorization_header moderator_user
post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
assert_response :success, "should be OK to unredact old version as moderator."
assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 1,
"way #{way_v1.way_id} version #{way_v1.version} should still be present in the history for moderators."
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# check normal user can now see the unredacted data
get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
assert_equal 0, js["permissions"].count
end
- def test_permissions_basic_auth
- auth_header = basic_authorization_header create(:user).email, "test"
- get permissions_path, :headers => auth_header
- assert_response :success
- assert_select "osm > permissions", :count => 1 do
- assert_select "permission", :count => Oauth.scopes.size
- Oauth.scopes.each do |p|
- assert_select "permission[name='allow_#{p.name}']", :count => 1
- end
- end
-
- # Test json
- get permissions_path(:format => "json"), :headers => auth_header
- assert_response :success
- assert_equal "application/json", @response.media_type
-
- js = ActiveSupport::JSON.decode(@response.body)
- assert_not_nil js
- assert_equal Oauth.scopes.size, js["permissions"].count
- Oauth.scopes.each do |p|
- assert_includes js["permissions"], "allow_#{p.name}"
- end
- end
-
def test_permissions_oauth2
user = create(:user)
token = create(:oauth_access_token,
node = create(:node)
way = create(:way_with_nodes, :nodes_count => 2)
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# create an relation without members
xml = "<osm><relation changeset='#{private_changeset.id}'><tag k='test' v='yes' /></relation></osm>"
"relation upload did not return success status"
## Now try with the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create an relation without members
xml = "<osm><relation changeset='#{changeset.id}'><tag k='test' v='yes' /></relation></osm>"
relation = create(:relation)
create_list(:relation_tag, 4, :relation => relation)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
with_relation(relation.id) do |rel|
# alter one of the tags
relation = create(:relation)
create_list(:relation_tag, 4, :relation => relation)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
with_relation(relation.id) do |rel|
# alter one of the tags
relation = create(:relation)
other_relation = create(:relation)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
with_relation(relation.id) do |rel|
update_changeset(rel, changeset.id)
put api_relation_path(other_relation), :params => rel.to_s, :headers => auth_header
user = create(:user)
changeset = create(:changeset, :user => user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create a relation with non-existing node as member
xml = "<osm><relation changeset='#{changeset.id}'>" \
changeset = create(:changeset, :user => user)
node = create(:node)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create some xml that should return an error
xml = "<osm><relation changeset='#{changeset.id}'>" \
assert_response :unauthorized
## Then try with the private user, to make sure that you get a forbidden
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# this shouldn't work, as we should need the payload...
delete api_relation_path(relation), :headers => auth_header
assert_response :forbidden
## now set auth for the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# this shouldn't work, as we should need the payload...
delete api_relation_path(relation), :headers => auth_header
way1 = create(:way_with_nodes, :nodes_count => 2)
way2 = create(:way_with_nodes, :nodes_count => 2)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
doc_str = <<~OSM
<osm>
doc = XML::Parser.string(doc_str).parse
## First try with the private user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
put relation_create_path, :params => doc.to_s, :headers => auth_header
assert_response :forbidden
## Now try with the public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
put relation_create_path, :params => doc.to_s, :headers => auth_header
assert_response :success, "can't create a relation: #{@response.body}"
</osm>
OSM
doc = XML::Parser.string(doc_str).parse
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
put relation_create_path, :params => doc.to_s, :headers => auth_header
assert_response :success, "can't create a relation: #{@response.body}"
:num_changes => Settings.initial_changes_per_hour - 1)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a relation
xml = "<osm><relation changeset='#{changeset.id}'>" \
end
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a relation
xml = "<osm><relation changeset='#{changeset.id}'>" \
# that the changeset bounding box is +bbox+.
def check_changeset_modify(bbox)
## First test with the private user to check that you get a forbidden
- auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+ auth_header = bearer_authorization_header create(:user, :data_public => false)
# create a new changeset for this operation, so we are assured
# that the bounding box will be newly-generated.
end
## Now do the whole thing with the public user
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# create a new changeset for this operation, so we are assured
# that the bounding box will be newly-generated.
assert_response :unauthorized
# Now with some other user, which should work since the trace is public
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
get api_trace_path(public_trace_file), :headers => auth_header
assert_response :success
# And finally we should be able to do it with the owner of the trace
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
get api_trace_path(public_trace_file), :headers => auth_header
assert_response :success
assert_select "gpx_file[id='#{public_trace_file.id}'][uid='#{public_trace_file.user.id}']", 1
assert_response :unauthorized
# Now try with another user, which shouldn't work since the trace is anon
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
get api_trace_path(anon_trace_file), :headers => auth_header
assert_response :forbidden
# And finally we should be able to get the trace details with the trace owner
- auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header anon_trace_file.user
get api_trace_path(anon_trace_file), :headers => auth_header
assert_response :success
end
assert_response :unauthorized
# Login, and try again
- auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header deleted_trace_file.user
get api_trace_path(:id => 0), :headers => auth_header
assert_response :not_found
# Now try a trace which did exist but has been deleted
- auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header deleted_trace_file.user
get api_trace_path(deleted_trace_file), :headers => auth_header
assert_response :not_found
end
assert_response :unauthorized
# Now with some other user, which should work since the trace is public
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
get api_trace_data_path(public_trace_file), :headers => auth_header
follow_redirect!
follow_redirect!
check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9"
# And finally we should be able to do it with the owner of the trace
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
get api_trace_data_path(public_trace_file), :headers => auth_header
follow_redirect!
follow_redirect!
identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d")
# Authenticate as the owner of the trace we will be using
- auth_header = basic_authorization_header identifiable_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header identifiable_trace_file.user
# First get the data as is
get api_trace_data_path(identifiable_trace_file), :headers => auth_header
assert_response :unauthorized
# Now with some other user, which shouldn't work since the trace is anon
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
get api_trace_data_path(anon_trace_file), :headers => auth_header
assert_response :forbidden
# And finally we should be able to do it with the owner of the trace
- auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header anon_trace_file.user
get api_trace_data_path(anon_trace_file), :headers => auth_header
follow_redirect!
follow_redirect!
assert_response :unauthorized
# Login, and try again
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
get api_trace_data_path(:id => 0), :headers => auth_header
assert_response :not_found
# Now try a trace which did exist but has been deleted
- auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header deleted_trace_file.user
get api_trace_data_path(deleted_trace_file), :headers => auth_header
assert_response :not_found
end
# Now authenticated
create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable")
assert_not_equal "trackable", user.preferences.find_by(:k => "gps.trace.visibility").v
- auth_header = basic_authorization_header user.display_name, "test"
+ auth_header = bearer_authorization_header user
post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header
assert_response :success
trace = Trace.find(response.body.to_i)
# Now authenticated, with the legacy public flag
assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v
- auth_header = basic_authorization_header user.display_name, "test"
+ auth_header = bearer_authorization_header user
post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header
assert_response :success
trace = Trace.find(response.body.to_i)
# Now authenticated, with the legacy private flag
second_user = create(:user)
assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility")
- auth_header = basic_authorization_header second_user.display_name, "test"
+ auth_header = bearer_authorization_header second_user
post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header
assert_response :success
trace = Trace.find(response.body.to_i)
assert_response :unauthorized
# Now with some other user, which should fail
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
put api_trace_path(public_trace_file), :params => create_trace_xml(public_trace_file), :headers => auth_header
assert_response :forbidden
# Now with a trace which doesn't exist
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
put api_trace_path(:id => 0), :params => create_trace_xml(public_trace_file), :headers => auth_header
assert_response :not_found
# Now with a trace which did exist but has been deleted
- auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header deleted_trace_file.user
put api_trace_path(deleted_trace_file), :params => create_trace_xml(deleted_trace_file), :headers => auth_header
assert_response :not_found
# Now try an update with the wrong ID
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
put api_trace_path(public_trace_file), :params => create_trace_xml(anon_trace_file), :headers => auth_header
assert_response :bad_request,
"should not be able to update a trace with a different ID from the XML"
# And finally try an update that should work
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
t = public_trace_file
t.description = "Changed description"
t.visibility = "private"
def test_update_tags
tracetag = create(:tracetag)
trace = tracetag.trace
- auth_header = basic_authorization_header trace.user.display_name, "test"
+ auth_header = bearer_authorization_header trace.user
put api_trace_path(trace), :params => create_trace_xml(trace), :headers => auth_header
assert_response :success
assert_response :unauthorized
# Now with some other user, which should fail
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
delete api_trace_path(public_trace_file), :headers => auth_header
assert_response :forbidden
# Now with a trace which doesn't exist
- auth_header = basic_authorization_header create(:user).display_name, "test"
+ auth_header = bearer_authorization_header
delete api_trace_path(:id => 0), :headers => auth_header
assert_response :not_found
# And finally we should be able to do it with the owner of the trace
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
delete api_trace_path(public_trace_file), :headers => auth_header
assert_response :success
# Try it a second time, which should fail
- auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+ auth_header = bearer_authorization_header public_trace_file.user
delete api_trace_path(public_trace_file), :headers => auth_header
assert_response :not_found
end
assert_response :unauthorized, "should be authenticated"
# authenticate as a user with no preferences
- auth_header = basic_authorization_header create(:user).email, "test"
+ auth_header = bearer_authorization_header
# try the read again
get user_preferences_path, :headers => auth_header
user = create(:user)
user_preference = create(:user_preference, :user => user)
user_preference2 = create(:user_preference, :user => user)
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header(user)
# try the read again
get user_preferences_path, :headers => auth_header
assert_response :unauthorized, "should be authenticated"
# authenticate as a user with preferences
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header(user)
# try the read again
get user_preference_path(:preference_key => "key"), :headers => auth_header
end
# authenticate as a user with preferences
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header(user)
# try the put again
assert_no_difference "UserPreference.count" do
end
# authenticate as a user with preferences
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header(user)
# try adding a new preference
assert_difference "UserPreference.count", 1 do
assert_equal "value", UserPreference.find([user.id, "key"]).v
# authenticate as a user with preferences
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header(user)
# try the delete again
assert_difference "UserPreference.count", -1 do
assert_response :unauthorized
# check that we get a response when logged in
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
get user_details_path, :headers => auth_header
assert_response :success
assert_equal "application/xml", response.media_type
check_xml_details(user, true, false)
# check that data is returned properly in json
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
get user_details_path(:format => "json"), :headers => auth_header
assert_response :success
assert_equal "application/json", response.media_type
assert_response :unauthorized
# check that we get a response when logged in
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
get user_gpx_files_path, :headers => auth_header
assert_response :success
assert_equal "application/xml", response.media_type
changeset = create(:changeset, :user => user)
## First check that it fails when creating a way using a non-public user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# use the first user's open changeset
changeset_id = private_changeset.id
"way upload did not return forbidden status"
## Now use a public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# use the first user's open changeset
changeset_id = changeset.id
closed_changeset = create(:changeset, :closed, :user => user)
## First test with a private user to make sure that they are not authorized
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# use the first user's open changeset
# create a way with non-existing node
"way upload to closed changeset with a private user did not return 'forbidden'"
## Now test with a public user
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# use the first user's open changeset
# create a way with non-existing node
assert_response :unauthorized
# now set auth using the private user
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# this shouldn't work as with the 0.6 api we need pay load to delete
delete api_way_path(private_way), :headers => auth_header
### Now check with a public user
# now set auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# this shouldn't work as with the 0.6 api we need pay load to delete
delete api_way_path(way), :headers => auth_header
## Second test with the private user
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
## trying to break changesets
## Finally test with the public user
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
## trying to break changesets
## Try with the non-public user
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# add an identical tag to the way
tag_xml = XML::Node.new("tag")
## Now try with the public user
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# add an identical tag to the way
tag_xml = XML::Node.new("tag")
## Try with the non-public user
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# add an identical tag to the way
tag_xml = XML::Node.new("tag")
## Now try with the public user
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# add an identical tag to the way
tag_xml = XML::Node.new("tag")
## First test with the non-public user so should be rejected
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# create duplicate tag
tag_xml = XML::Node.new("tag")
## Now test with the public user
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# create duplicate tag
tag_xml = XML::Node.new("tag")
## First make sure that you can't with a non-public user
# setup auth
- auth_header = basic_authorization_header private_user.email, "test"
+ auth_header = bearer_authorization_header private_user
# add the tag into the existing xml
way_str = "<osm><way changeset='#{private_changeset.id}'>"
## Now do it with a public user
# setup auth
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# add the tag into the existing xml
way_str = "<osm><way changeset='#{changeset.id}'>"
:num_changes => Settings.initial_changes_per_hour - 1)
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a way
xml = "<osm><way changeset='#{changeset.id}'>" \
end
# create authentication header
- auth_header = basic_authorization_header user.email, "test"
+ auth_header = bearer_authorization_header user
# try creating a way
xml = "<osm><way changeset='#{changeset.id}'>" \
# upload it
post "/api/0.6/changeset/#{changeset.id}/upload",
:params => diff,
- :headers => {
- "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+ :headers => bearer_authorization_header(user).merge(
"HTTP_CONTENT_TYPE" => "application/xml"
- }
+ )
assert_response :success,
"can't upload an uncompressed diff to changeset: #{@response.body}"
# upload it
post "/api/0.6/changeset/#{changeset.id}/upload",
:params => gzip_content(diff),
- :headers => {
- "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+ :headers => bearer_authorization_header(user).merge(
"HTTP_CONTENT_ENCODING" => "gzip",
"HTTP_CONTENT_TYPE" => "application/xml"
- }
+ )
assert_response :success,
"can't upload a gzip compressed diff to changeset: #{@response.body}"
# upload it
post "/api/0.6/changeset/#{changeset.id}/upload",
:params => deflate_content(diff),
- :headers => {
- "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+ :headers => bearer_authorization_header(user).merge(
"HTTP_CONTENT_ENCODING" => "deflate",
"HTTP_CONTENT_TYPE" => "application/xml"
- }
+ )
assert_response :success,
"can't upload a deflate compressed diff to changeset: #{@response.body}"
# upload it
post "/api/0.6/changeset/#{changeset.id}/upload",
:params => "",
- :headers => {
- "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+ :headers => bearer_authorization_header(user).merge(
"HTTP_CONTENT_ENCODING" => "unknown",
"HTTP_CONTENT_TYPE" => "application/xml"
- }
+ )
assert_response :unsupported_media_type
end
get "/api/#{Settings.api_version}/user/details"
assert_response :unauthorized
- get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
assert_response :success
# now block the user
:ends_at => Time.now.utc + 5.minutes,
:deactivates_at => Time.now.utc + 5.minutes
)
- get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
assert_response :forbidden
end
:ends_at => Time.now.utc + 5.minutes,
:deactivates_at => Time.now.utc + 5.minutes
)
- get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
assert_response :forbidden
# revoke the ban
reset!
# access the API again. this time it should work
- get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
assert_response :success
end
end
def test_api_blocked
user = create(:user, :terms_seen => false, :terms_agreed => nil)
- get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)
assert_response :forbidden
# touch it so that the user has seen the terms
user.terms_seen = true
user.save
- get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+ get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)
assert_response :success
end
get "/traces/mine", :params => { :referer => "/diary/new" }
assert_redirected_to :controller => :users, :action => :terms, :referer => "/diary/new"
end
-
- private
-
- def auth_header(user, pass)
- { "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
- end
end
assert_equal a.tags, b.tags, "tags on node #{a.id}"
end
- ##
- # return request header for HTTP Basic Authorization
- def basic_authorization_header(user, pass)
- { "Authorization" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
- end
-
##
# return request header for HTTP Bearer Authorization
- def bearer_authorization_header(token)
+ def bearer_authorization_header(token_or_user = nil, scopes: Oauth::SCOPES)
+ token = case token_or_user
+ when nil then create(:oauth_access_token, :scopes => scopes).token
+ when User then create(:oauth_access_token, :resource_owner_id => token_or_user.id, :scopes => scopes).token
+ when Doorkeeper::AccessToken then token_or_user.token
+ when String then token_or_user
+ end
+
{ "Authorization" => "Bearer #{token}" }
end
##
# Not sure this is the best response we could give
def assert_inactive_user(msg = "an inactive user shouldn't be able to access the API")
- assert_response :unauthorized, msg
+ assert_response :forbidden, msg
# assert_equal @response.headers['Error'], ""
end
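Review bot: The `case token_or_user` in the new `bearer_authorization_header` has no `else` branch, so an argument of any other type (a Symbol, an Integer user id) leaves `token` nil and the helper emits `"Bearer "`, turning a test-authoring mistake into an anonymous request that can satisfy an `assert_response :unauthorized` for the wrong reason. Add `else raise ArgumentError, "unsupported token source: #{token_or_user.inspect}"` so the mistake fails at the call site instead. Relatedly, `when String` treats any string as a raw token, so a leftover `bearer_authorization_header(user.display_name)` from the old basic-auth shape would silently produce a bogus header; the `##` comment should spell out the accepted forms, e.g. `# token_or_user: nil (new token/owner), a User, a Doorkeeper::AccessToken, or a raw token String; scopes: granted scopes, all of Oauth::SCOPES by default`. Because every caller now defaults to `Oauth::SCOPES`, these tests exercise only all-scope tokens; scope enforcement for narrower tokens is presumably covered elsewhere and is worth confirming.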