From: Anton Khorev
Date: Fri, 24 Jan 2025 03:16:11 +0000 (+0300)
Subject: Simplify write_notes scope check in api notes controller
X-Git-Tag: live~233^2
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/47d55a2b0f6057cb96b2bd4c98748f87365d8d02

Simplify write_notes scope check in api notes controller
---

diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index 7e2e7fb79..eca0728b6 100644
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -384,11 +384,7 @@ module Api
     def add_comment(note, text, event, notify: true)
       attributes = { :visible => true, :event => event, :body => text }
-      if doorkeeper_token
-        author = current_user if scope_enabled?(:write_notes)
-      else
-        author = current_user
-      end
+      author = current_user if scope_enabled?(:write_notes)
       if author
         attributes[:author_id] = author.id
diff --git a/test/controllers/api/notes_controller_test.rb b/test/controllers/api/notes_controller_test.rb
index 5f69e6a2a..17ceb1b9e 100644
--- a/test/controllers/api/notes_controller_test.rb
+++ b/test/controllers/api/notes_controller_test.rb
@@ -230,6 +230,17 @@ module Api
       assert_equal note, subscription.note
     end
+    def test_create_no_scope_fail
+      user = create(:user)
+      auth_header = bearer_authorization_header user, :scopes => %w[read_prefs]
+
+      assert_no_difference "Note.count" do
+        post api_notes_path(:lat => -1.0, :lon => -1.0, :text => "This is a description", :format => "json"), :headers => auth_header
+
+        assert_response :forbidden
+      end
+    end
+
     def test_comment_success
       open_note_with_comment = create(:note_with_comments)
       user = create(:user)
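Review bot: The new `author = current_user if scope_enabled?(:write_notes)` drops the `doorkeeper_token` distinction, so an author is attributed only when `scope_enabled?` answers true on every authentication path, including non-OAuth sessions; whether `scope_enabled?` treats a missing token as enabled is not visible in this hunk, and that is what the "simplify" claim rests on. If it does not, a signed-in non-OAuth user would silently post an anonymous comment (a nil `author` falls through the `if author` branch) rather than being rejected, which is an attribution loss that no error would surface. A one-line comment above the assignment would make the contract explicit, e.g. `# scope_enabled? is expected to be true for non-OAuth sessions; without write_notes the comment is stored with no author`. add_comment's body continues below the hunk.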
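Review bot: `test_create_no_scope_fail` only covers note creation, while the controller change in this commit is in `add_comment`, which is shared with the comment path; a parallel case posting a comment to an existing note with a `read_prefs`-only token would pin the same check where the code actually changed. The test also does not exercise the other side of the simplification, that a non-OAuth (session or basic-auth) request still gets `current_user` as author, so unless that is already covered elsewhere in this file, a creation test under that auth asserting the stored author would catch a regression in how `scope_enabled?` handles a missing token. The enclosing test class starts and ends outside the hunk.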