From: Andy Allan Date: Sun, 24 Feb 2019 15:21:29 +0000 (+0100) Subject: Move the api trace methods into a separate controller under the api namespace X-Git-Tag: live~3252^2 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/5f59845575ed313688eca669fd73f4f6a5993c23?ds=inline;hp=--cc Move the api trace methods into a separate controller under the api namespace --- 5f59845575ed313688eca669fd73f4f6a5993c23 diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 73928271e..25a30bf40 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -13,6 +13,7 @@ Lint/AssignmentInCondition: - 'app/controllers/application_controller.rb' - 'app/controllers/geocoder_controller.rb' - 'app/controllers/notes_controller.rb' + - 'app/controllers/api/traces_controller.rb' - 'app/controllers/traces_controller.rb' - 'app/controllers/users_controller.rb' - 'app/controllers/api/user_preferences_controller.rb' diff --git a/app/controllers/api/traces_controller.rb b/app/controllers/api/traces_controller.rb new file mode 100644 index 000000000..8401e78ae --- /dev/null +++ b/app/controllers/api/traces_controller.rb @@ -0,0 +1,169 @@ +module Api + class TracesController < ApplicationController + layout "site", :except => :georss + + skip_before_action :verify_authenticity_token + before_action :authorize_web + before_action :set_locale + before_action :authorize + before_action :api_deny_access_handler + + authorize_resource + + before_action :check_database_readable, :except => [:api_read, :api_data] + before_action :check_database_writable, :only => [:api_create, :api_update, :api_delete] + before_action :check_api_readable, :only => [:api_read, :api_data] + before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete] + before_action :offline_redirect, :only => [:api_create, :api_delete, :api_data] + around_action :api_call_handle_error + + def api_read + trace = Trace.visible.find(params[:id]) + + if trace.public? || trace.user == current_user + render :xml => trace.to_xml.to_s + else + head :forbidden + end + end + + def api_update + trace = Trace.visible.find(params[:id]) + + if trace.user == current_user + trace.update_from_xml(request.raw_post) + trace.save! + + head :ok + else + head :forbidden + end + end + + def api_delete + trace = Trace.visible.find(params[:id]) + + if trace.user == current_user + trace.visible = false + trace.save! + + head :ok + else + head :forbidden + end + end + + def api_data + trace = Trace.visible.find(params[:id]) + + if trace.public? || trace.user == current_user + if request.format == Mime[:xml] + send_data(trace.xml_file.read, :filename => "#{trace.id}.xml", :type => request.format.to_s, :disposition => "attachment") + elsif request.format == Mime[:gpx] + send_data(trace.xml_file.read, :filename => "#{trace.id}.gpx", :type => request.format.to_s, :disposition => "attachment") + else + send_file(trace.trace_name, :filename => "#{trace.id}#{trace.extension_name}", :type => trace.mime_type, :disposition => "attachment") + end + else + head :forbidden + end + end + + def api_create + tags = params[:tags] || "" + description = params[:description] || "" + visibility = params[:visibility] + + if visibility.nil? + visibility = if params[:public]&.to_i&.nonzero? + "public" + else + "private" + end + end + + if params[:file].respond_to?(:read) + trace = do_create(params[:file], tags, description, visibility) + + if trace.id + render :plain => trace.id.to_s + elsif trace.valid? + head :internal_server_error + else + head :bad_request + end + else + head :bad_request + end + end + + private + + def do_create(file, tags, description, visibility) + # Sanitise the user's filename + name = file.original_filename.gsub(/[^a-zA-Z0-9.]/, "_") + + # Get a temporary filename... + filename = "/tmp/#{rand}" + + # ...and save the uploaded file to that location + File.open(filename, "wb") { |f| f.write(file.read) } + + # Create the trace object, falsely marked as already + # inserted to stop the import daemon trying to load it + trace = Trace.new( + :name => name, + :tagstring => tags, + :description => description, + :visibility => visibility, + :inserted => true, + :user => current_user, + :timestamp => Time.now.getutc + ) + + if trace.valid? + Trace.transaction do + begin + # Save the trace object + trace.save! + + # Rename the temporary file to the final name + FileUtils.mv(filename, trace.trace_name) + rescue StandardError + # Remove the file as we have failed to update the database + FileUtils.rm_f(filename) + + # Pass the exception on + raise + end + + begin + # Clear the inserted flag to make the import daemon load the trace + trace.inserted = false + trace.save! + rescue StandardError + # Remove the file as we have failed to update the database + FileUtils.rm_f(trace.trace_name) + + # Pass the exception on + raise + end + end + end + + # Finally save the user's preferred privacy level + if pref = current_user.preferences.where(:k => "gps.trace.visibility").first + pref.v = visibility + pref.save + else + current_user.preferences.create(:k => "gps.trace.visibility", :v => visibility) + end + + trace + end + + def offline_redirect + redirect_to :action => :offline if STATUS == :gpx_offline + end + end +end diff --git a/app/controllers/traces_controller.rb b/app/controllers/traces_controller.rb index 2e4997877..b488d717a 100644 --- a/app/controllers/traces_controller.rb +++ b/app/controllers/traces_controller.rb @@ -1,21 +1,15 @@ class TracesController < ApplicationController layout "site", :except => :georss - skip_before_action :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] before_action :authorize_web before_action :set_locale - before_action :authorize, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] - before_action :api_deny_access_handler, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] authorize_resource - before_action :check_database_readable, :except => [:api_read, :api_data] - before_action :check_database_writable, :only => [:new, :create, :edit, :delete, :api_create, :api_update, :api_delete] - before_action :check_api_readable, :only => [:api_read, :api_data] - before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete] + before_action :check_database_readable + before_action :check_database_writable, :only => [:new, :create, :edit, :delete] before_action :offline_warning, :only => [:mine, :show] - before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data, :api_create, :api_delete, :api_data] - around_action :api_call_handle_error, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] + before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data] # Counts and selects pages of GPX traces for various criteria (by user, tags, public etc.). # target_user - if set, specifies the user to fetch traces for. if not set will fetch all traces @@ -263,86 +257,6 @@ class TracesController < ApplicationController head :not_found end - def api_read - trace = Trace.visible.find(params[:id]) - - if trace.public? || trace.user == current_user - render :xml => trace.to_xml.to_s - else - head :forbidden - end - end - - def api_update - trace = Trace.visible.find(params[:id]) - - if trace.user == current_user - trace.update_from_xml(request.raw_post) - trace.save! - - head :ok - else - head :forbidden - end - end - - def api_delete - trace = Trace.visible.find(params[:id]) - - if trace.user == current_user - trace.visible = false - trace.save! - - head :ok - else - head :forbidden - end - end - - def api_data - trace = Trace.visible.find(params[:id]) - - if trace.public? || trace.user == current_user - if request.format == Mime[:xml] - send_data(trace.xml_file.read, :filename => "#{trace.id}.xml", :type => request.format.to_s, :disposition => "attachment") - elsif request.format == Mime[:gpx] - send_data(trace.xml_file.read, :filename => "#{trace.id}.gpx", :type => request.format.to_s, :disposition => "attachment") - else - send_file(trace.trace_name, :filename => "#{trace.id}#{trace.extension_name}", :type => trace.mime_type, :disposition => "attachment") - end - else - head :forbidden - end - end - - def api_create - tags = params[:tags] || "" - description = params[:description] || "" - visibility = params[:visibility] - - if visibility.nil? - visibility = if params[:public]&.to_i&.nonzero? - "public" - else - "private" - end - end - - if params[:file].respond_to?(:read) - trace = do_create(params[:file], tags, description, visibility) - - if trace.id - render :plain => trace.id.to_s - elsif trace.valid? - head :internal_server_error - else - head :bad_request - end - else - head :bad_request - end - end - private def do_create(file, tags, description, visibility) diff --git a/config/routes.rb b/config/routes.rb index 631f31459..32cd397aa 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -77,12 +77,12 @@ OpenStreetMap::Application.routes.draw do put "user/preferences/:preference_key" => "api/user_preferences#update_one" delete "user/preferences/:preference_key" => "api/user_preferences#delete_one" - post "gpx/create" => "traces#api_create" - get "gpx/:id" => "traces#api_read", :id => /\d+/ - put "gpx/:id" => "traces#api_update", :id => /\d+/ - delete "gpx/:id" => "traces#api_delete", :id => /\d+/ - get "gpx/:id/details" => "traces#api_read", :id => /\d+/ - get "gpx/:id/data" => "traces#api_data" + post "gpx/create" => "api/traces#api_create" + get "gpx/:id" => "api/traces#api_read", :id => /\d+/ + put "gpx/:id" => "api/traces#api_update", :id => /\d+/ + delete "gpx/:id" => "api/traces#api_delete", :id => /\d+/ + get "gpx/:id/details" => "api/traces#api_read", :id => /\d+/ + get "gpx/:id/data" => "api/traces#api_data" # AMF (ActionScript) API post "amf/read" => "api/amf#amf_read" diff --git a/test/controllers/api/traces_controller_test.rb b/test/controllers/api/traces_controller_test.rb new file mode 100644 index 000000000..4f2851477 --- /dev/null +++ b/test/controllers/api/traces_controller_test.rb @@ -0,0 +1,357 @@ +require "test_helper" +require "minitest/mock" + +module Api + class TracesControllerTest < ActionController::TestCase + def setup + @gpx_trace_dir = Object.send("remove_const", "GPX_TRACE_DIR") + Object.const_set("GPX_TRACE_DIR", Rails.root.join("test", "gpx", "traces")) + + @gpx_image_dir = Object.send("remove_const", "GPX_IMAGE_DIR") + Object.const_set("GPX_IMAGE_DIR", Rails.root.join("test", "gpx", "images")) + end + + def teardown + File.unlink(*Dir.glob(File.join(GPX_TRACE_DIR, "*.gpx"))) + File.unlink(*Dir.glob(File.join(GPX_IMAGE_DIR, "*.gif"))) + + Object.send("remove_const", "GPX_TRACE_DIR") + Object.const_set("GPX_TRACE_DIR", @gpx_trace_dir) + + Object.send("remove_const", "GPX_IMAGE_DIR") + Object.const_set("GPX_IMAGE_DIR", @gpx_image_dir) + end + + ## + # test all routes which lead to this controller + def test_routes + assert_routing( + { :path => "/api/0.6/gpx/create", :method => :post }, + { :controller => "api/traces", :action => "api_create" } + ) + assert_routing( + { :path => "/api/0.6/gpx/1", :method => :get }, + { :controller => "api/traces", :action => "api_read", :id => "1" } + ) + assert_routing( + { :path => "/api/0.6/gpx/1", :method => :put }, + { :controller => "api/traces", :action => "api_update", :id => "1" } + ) + assert_routing( + { :path => "/api/0.6/gpx/1", :method => :delete }, + { :controller => "api/traces", :action => "api_delete", :id => "1" } + ) + assert_recognizes( + { :controller => "api/traces", :action => "api_read", :id => "1" }, + { :path => "/api/0.6/gpx/1/details", :method => :get } + ) + assert_routing( + { :path => "/api/0.6/gpx/1/data", :method => :get }, + { :controller => "api/traces", :action => "api_data", :id => "1" } + ) + assert_routing( + { :path => "/api/0.6/gpx/1/data.xml", :method => :get }, + { :controller => "api/traces", :action => "api_data", :id => "1", :format => "xml" } + ) + end + + # Check getting a specific trace through the api + def test_api_read + public_trace_file = create(:trace, :visibility => "public") + + # First with no auth + get :api_read, :params => { :id => public_trace_file.id } + assert_response :unauthorized + + # Now with some other user, which should work since the trace is public + basic_authorization create(:user).display_name, "test" + get :api_read, :params => { :id => public_trace_file.id } + assert_response :success + + # And finally we should be able to do it with the owner of the trace + basic_authorization public_trace_file.user.display_name, "test" + get :api_read, :params => { :id => public_trace_file.id } + assert_response :success + end + + # Check an anoymous trace can't be specifically fetched by another user + def test_api_read_anon + anon_trace_file = create(:trace, :visibility => "private") + + # First with no auth + get :api_read, :params => { :id => anon_trace_file.id } + assert_response :unauthorized + + # Now try with another user, which shouldn't work since the trace is anon + basic_authorization create(:user).display_name, "test" + get :api_read, :params => { :id => anon_trace_file.id } + assert_response :forbidden + + # And finally we should be able to get the trace details with the trace owner + basic_authorization anon_trace_file.user.display_name, "test" + get :api_read, :params => { :id => anon_trace_file.id } + assert_response :success + end + + # Check the api details for a trace that doesn't exist + def test_api_read_not_found + deleted_trace_file = create(:trace, :deleted) + + # Try first with no auth, as it should require it + get :api_read, :params => { :id => 0 } + assert_response :unauthorized + + # Login, and try again + basic_authorization deleted_trace_file.user.display_name, "test" + get :api_read, :params => { :id => 0 } + assert_response :not_found + + # Now try a trace which did exist but has been deleted + basic_authorization deleted_trace_file.user.display_name, "test" + get :api_read, :params => { :id => deleted_trace_file.id } + assert_response :not_found + end + + # Test downloading a trace through the api + def test_api_data + public_trace_file = create(:trace, :visibility => "public", :fixture => "a") + + # First with no auth + get :api_data, :params => { :id => public_trace_file.id } + assert_response :unauthorized + + # Now with some other user, which should work since the trace is public + basic_authorization create(:user).display_name, "test" + get :api_data, :params => { :id => public_trace_file.id } + check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" + + # And finally we should be able to do it with the owner of the trace + basic_authorization public_trace_file.user.display_name, "test" + get :api_data, :params => { :id => public_trace_file.id } + check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" + end + + # Test downloading a compressed trace through the api + def test_api_data_compressed + identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d") + + # Authenticate as the owner of the trace we will be using + basic_authorization identifiable_trace_file.user.display_name, "test" + + # First get the data as is + get :api_data, :params => { :id => identifiable_trace_file.id } + check_trace_data identifiable_trace_file, "c6422a3d8750faae49ed70e7e8a51b93", "application/x-gzip", "gpx.gz" + + # Now ask explicitly for XML format + get :api_data, :params => { :id => identifiable_trace_file.id, :format => "xml" } + check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d", "application/xml", "xml" + + # Now ask explicitly for GPX format + get :api_data, :params => { :id => identifiable_trace_file.id, :format => "gpx" } + check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d" + end + + # Check an anonymous trace can't be downloaded by another user through the api + def test_api_data_anon + anon_trace_file = create(:trace, :visibility => "private", :fixture => "b") + + # First with no auth + get :api_data, :params => { :id => anon_trace_file.id } + assert_response :unauthorized + + # Now with some other user, which shouldn't work since the trace is anon + basic_authorization create(:user).display_name, "test" + get :api_data, :params => { :id => anon_trace_file.id } + assert_response :forbidden + + # And finally we should be able to do it with the owner of the trace + basic_authorization anon_trace_file.user.display_name, "test" + get :api_data, :params => { :id => anon_trace_file.id } + check_trace_data anon_trace_file, "66179ca44f1e93d8df62e2b88cbea732" + end + + # Test downloading a trace that doesn't exist through the api + def test_api_data_not_found + deleted_trace_file = create(:trace, :deleted) + + # Try first with no auth, as it should require it + get :api_data, :params => { :id => 0 } + assert_response :unauthorized + + # Login, and try again + basic_authorization create(:user).display_name, "test" + get :api_data, :params => { :id => 0 } + assert_response :not_found + + # Now try a trace which did exist but has been deleted + basic_authorization deleted_trace_file.user.display_name, "test" + get :api_data, :params => { :id => deleted_trace_file.id } + assert_response :not_found + end + + # Test creating a trace through the api + def test_api_create + # Get file to use + fixture = Rails.root.join("test", "gpx", "fixtures", "a.gpx") + file = Rack::Test::UploadedFile.new(fixture, "application/gpx+xml") + user = create(:user) + + # First with no auth + post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } + assert_response :unauthorized + + # Rewind the file + file.rewind + + # Now authenticated + create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable") + assert_not_equal "trackable", user.preferences.where(:k => "gps.trace.visibility").first.v + basic_authorization user.display_name, "test" + post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } + assert_response :success + trace = Trace.find(response.body.to_i) + assert_equal "a.gpx", trace.name + assert_equal "New Trace", trace.description + assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) + assert_equal "trackable", trace.visibility + assert_equal false, trace.inserted + assert_equal File.new(fixture).read, File.new(trace.trace_name).read + trace.destroy + assert_equal "trackable", user.preferences.where(:k => "gps.trace.visibility").first.v + + # Rewind the file + file.rewind + + # Now authenticated, with the legacy public flag + assert_not_equal "public", user.preferences.where(:k => "gps.trace.visibility").first.v + basic_authorization user.display_name, "test" + post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 } + assert_response :success + trace = Trace.find(response.body.to_i) + assert_equal "a.gpx", trace.name + assert_equal "New Trace", trace.description + assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) + assert_equal "public", trace.visibility + assert_equal false, trace.inserted + assert_equal File.new(fixture).read, File.new(trace.trace_name).read + trace.destroy + assert_equal "public", user.preferences.where(:k => "gps.trace.visibility").first.v + + # Rewind the file + file.rewind + + # Now authenticated, with the legacy private flag + second_user = create(:user) + assert_nil second_user.preferences.where(:k => "gps.trace.visibility").first + basic_authorization second_user.display_name, "test" + post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 } + assert_response :success + trace = Trace.find(response.body.to_i) + assert_equal "a.gpx", trace.name + assert_equal "New Trace", trace.description + assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) + assert_equal "private", trace.visibility + assert_equal false, trace.inserted + assert_equal File.new(fixture).read, File.new(trace.trace_name).read + trace.destroy + assert_equal "private", second_user.preferences.where(:k => "gps.trace.visibility").first.v + end + + # Check updating a trace through the api + def test_api_update + public_trace_file = create(:trace, :visibility => "public", :fixture => "a") + deleted_trace_file = create(:trace, :deleted) + anon_trace_file = create(:trace, :visibility => "private") + + # First with no auth + put :api_update, :params => { :id => public_trace_file.id }, :body => public_trace_file.to_xml.to_s + assert_response :unauthorized + + # Now with some other user, which should fail + basic_authorization create(:user).display_name, "test" + put :api_update, :params => { :id => public_trace_file.id }, :body => public_trace_file.to_xml.to_s + assert_response :forbidden + + # Now with a trace which doesn't exist + basic_authorization create(:user).display_name, "test" + put :api_update, :params => { :id => 0 }, :body => public_trace_file.to_xml.to_s + assert_response :not_found + + # Now with a trace which did exist but has been deleted + basic_authorization deleted_trace_file.user.display_name, "test" + put :api_update, :params => { :id => deleted_trace_file.id }, :body => deleted_trace_file.to_xml.to_s + assert_response :not_found + + # Now try an update with the wrong ID + basic_authorization public_trace_file.user.display_name, "test" + put :api_update, :params => { :id => public_trace_file.id }, :body => anon_trace_file.to_xml.to_s + assert_response :bad_request, + "should not be able to update a trace with a different ID from the XML" + + # And finally try an update that should work + basic_authorization public_trace_file.user.display_name, "test" + t = public_trace_file + t.description = "Changed description" + t.visibility = "private" + put :api_update, :params => { :id => t.id }, :body => t.to_xml.to_s + assert_response :success + nt = Trace.find(t.id) + assert_equal nt.description, t.description + assert_equal nt.visibility, t.visibility + end + + # Test that updating a trace doesn't duplicate the tags + def test_api_update_tags + tracetag = create(:tracetag) + trace = tracetag.trace + basic_authorization trace.user.display_name, "test" + + put :api_update, :params => { :id => trace.id }, :body => trace.to_xml.to_s + assert_response :success + + updated = Trace.find(trace.id) + # Ensure there's only one tag in the database after updating + assert_equal Tracetag.count, 1 + # The new tag object might have a different id, so check the string representation + assert_equal trace.tagstring, updated.tagstring + end + + # Check deleting a trace through the api + def test_api_delete + public_trace_file = create(:trace, :visibility => "public") + + # First with no auth + delete :api_delete, :params => { :id => public_trace_file.id } + assert_response :unauthorized + + # Now with some other user, which should fail + basic_authorization create(:user).display_name, "test" + delete :api_delete, :params => { :id => public_trace_file.id } + assert_response :forbidden + + # Now with a trace which doesn't exist + basic_authorization create(:user).display_name, "test" + delete :api_delete, :params => { :id => 0 } + assert_response :not_found + + # And finally we should be able to do it with the owner of the trace + basic_authorization public_trace_file.user.display_name, "test" + delete :api_delete, :params => { :id => public_trace_file.id } + assert_response :success + + # Try it a second time, which should fail + basic_authorization public_trace_file.user.display_name, "test" + delete :api_delete, :params => { :id => public_trace_file.id } + assert_response :not_found + end + + private + + def check_trace_data(trace, digest, content_type = "application/gpx+xml", extension = "gpx") + assert_response :success + assert_equal digest, Digest::MD5.hexdigest(response.body) + assert_equal content_type, response.content_type + assert_equal "attachment; filename=\"#{trace.id}.#{extension}\"", @response.header["Content-Disposition"] + end + end +end diff --git a/test/controllers/traces_controller_test.rb b/test/controllers/traces_controller_test.rb index 179070e00..84469437a 100644 --- a/test/controllers/traces_controller_test.rb +++ b/test/controllers/traces_controller_test.rb @@ -24,35 +24,6 @@ class TracesControllerTest < ActionController::TestCase ## # test all routes which lead to this controller def test_routes - assert_routing( - { :path => "/api/0.6/gpx/create", :method => :post }, - { :controller => "traces", :action => "api_create" } - ) - assert_routing( - { :path => "/api/0.6/gpx/1", :method => :get }, - { :controller => "traces", :action => "api_read", :id => "1" } - ) - assert_routing( - { :path => "/api/0.6/gpx/1", :method => :put }, - { :controller => "traces", :action => "api_update", :id => "1" } - ) - assert_routing( - { :path => "/api/0.6/gpx/1", :method => :delete }, - { :controller => "traces", :action => "api_delete", :id => "1" } - ) - assert_recognizes( - { :controller => "traces", :action => "api_read", :id => "1" }, - { :path => "/api/0.6/gpx/1/details", :method => :get } - ) - assert_routing( - { :path => "/api/0.6/gpx/1/data", :method => :get }, - { :controller => "traces", :action => "api_data", :id => "1" } - ) - assert_routing( - { :path => "/api/0.6/gpx/1/data.xml", :method => :get }, - { :controller => "traces", :action => "api_data", :id => "1", :format => "xml" } - ) - assert_routing( { :path => "/traces", :method => :get }, { :controller => "traces", :action => "index" } @@ -719,296 +690,6 @@ class TracesControllerTest < ActionController::TestCase assert_equal false, trace.visible end - # Check getting a specific trace through the api - def test_api_read - public_trace_file = create(:trace, :visibility => "public") - - # First with no auth - get :api_read, :params => { :id => public_trace_file.id } - assert_response :unauthorized - - # Now with some other user, which should work since the trace is public - basic_authorization create(:user).display_name, "test" - get :api_read, :params => { :id => public_trace_file.id } - assert_response :success - - # And finally we should be able to do it with the owner of the trace - basic_authorization public_trace_file.user.display_name, "test" - get :api_read, :params => { :id => public_trace_file.id } - assert_response :success - end - - # Check an anoymous trace can't be specifically fetched by another user - def test_api_read_anon - anon_trace_file = create(:trace, :visibility => "private") - - # First with no auth - get :api_read, :params => { :id => anon_trace_file.id } - assert_response :unauthorized - - # Now try with another user, which shouldn't work since the trace is anon - basic_authorization create(:user).display_name, "test" - get :api_read, :params => { :id => anon_trace_file.id } - assert_response :forbidden - - # And finally we should be able to get the trace details with the trace owner - basic_authorization anon_trace_file.user.display_name, "test" - get :api_read, :params => { :id => anon_trace_file.id } - assert_response :success - end - - # Check the api details for a trace that doesn't exist - def test_api_read_not_found - deleted_trace_file = create(:trace, :deleted) - - # Try first with no auth, as it should require it - get :api_read, :params => { :id => 0 } - assert_response :unauthorized - - # Login, and try again - basic_authorization deleted_trace_file.user.display_name, "test" - get :api_read, :params => { :id => 0 } - assert_response :not_found - - # Now try a trace which did exist but has been deleted - basic_authorization deleted_trace_file.user.display_name, "test" - get :api_read, :params => { :id => deleted_trace_file.id } - assert_response :not_found - end - - # Test downloading a trace through the api - def test_api_data - public_trace_file = create(:trace, :visibility => "public", :fixture => "a") - - # First with no auth - get :api_data, :params => { :id => public_trace_file.id } - assert_response :unauthorized - - # Now with some other user, which should work since the trace is public - basic_authorization create(:user).display_name, "test" - get :api_data, :params => { :id => public_trace_file.id } - check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" - - # And finally we should be able to do it with the owner of the trace - basic_authorization public_trace_file.user.display_name, "test" - get :api_data, :params => { :id => public_trace_file.id } - check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" - end - - # Test downloading a compressed trace through the api - def test_api_data_compressed - identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d") - - # Authenticate as the owner of the trace we will be using - basic_authorization identifiable_trace_file.user.display_name, "test" - - # First get the data as is - get :api_data, :params => { :id => identifiable_trace_file.id } - check_trace_data identifiable_trace_file, "c6422a3d8750faae49ed70e7e8a51b93", "application/x-gzip", "gpx.gz" - - # Now ask explicitly for XML format - get :api_data, :params => { :id => identifiable_trace_file.id, :format => "xml" } - check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d", "application/xml", "xml" - - # Now ask explicitly for GPX format - get :api_data, :params => { :id => identifiable_trace_file.id, :format => "gpx" } - check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d" - end - - # Check an anonymous trace can't be downloaded by another user through the api - def test_api_data_anon - anon_trace_file = create(:trace, :visibility => "private", :fixture => "b") - - # First with no auth - get :api_data, :params => { :id => anon_trace_file.id } - assert_response :unauthorized - - # Now with some other user, which shouldn't work since the trace is anon - basic_authorization create(:user).display_name, "test" - get :api_data, :params => { :id => anon_trace_file.id } - assert_response :forbidden - - # And finally we should be able to do it with the owner of the trace - basic_authorization anon_trace_file.user.display_name, "test" - get :api_data, :params => { :id => anon_trace_file.id } - check_trace_data anon_trace_file, "66179ca44f1e93d8df62e2b88cbea732" - end - - # Test downloading a trace that doesn't exist through the api - def test_api_data_not_found - deleted_trace_file = create(:trace, :deleted) - - # Try first with no auth, as it should require it - get :api_data, :params => { :id => 0 } - assert_response :unauthorized - - # Login, and try again - basic_authorization create(:user).display_name, "test" - get :api_data, :params => { :id => 0 } - assert_response :not_found - - # Now try a trace which did exist but has been deleted - basic_authorization deleted_trace_file.user.display_name, "test" - get :api_data, :params => { :id => deleted_trace_file.id } - assert_response :not_found - end - - # Test creating a trace through the api - def test_api_create - # Get file to use - fixture = Rails.root.join("test", "gpx", "fixtures", "a.gpx") - file = Rack::Test::UploadedFile.new(fixture, "application/gpx+xml") - user = create(:user) - - # First with no auth - post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } - assert_response :unauthorized - - # Rewind the file - file.rewind - - # Now authenticated - create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable") - assert_not_equal "trackable", user.preferences.where(:k => "gps.trace.visibility").first.v - basic_authorization user.display_name, "test" - post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } - assert_response :success - trace = Trace.find(response.body.to_i) - assert_equal "a.gpx", trace.name - assert_equal "New Trace", trace.description - assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) - assert_equal "trackable", trace.visibility - assert_equal false, trace.inserted - assert_equal File.new(fixture).read, File.new(trace.trace_name).read - trace.destroy - assert_equal "trackable", user.preferences.where(:k => "gps.trace.visibility").first.v - - # Rewind the file - file.rewind - - # Now authenticated, with the legacy public flag - assert_not_equal "public", user.preferences.where(:k => "gps.trace.visibility").first.v - basic_authorization user.display_name, "test" - post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 } - assert_response :success - trace = Trace.find(response.body.to_i) - assert_equal "a.gpx", trace.name - assert_equal "New Trace", trace.description - assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) - assert_equal "public", trace.visibility - assert_equal false, trace.inserted - assert_equal File.new(fixture).read, File.new(trace.trace_name).read - trace.destroy - assert_equal "public", user.preferences.where(:k => "gps.trace.visibility").first.v - - # Rewind the file - file.rewind - - # Now authenticated, with the legacy private flag - second_user = create(:user) - assert_nil second_user.preferences.where(:k => "gps.trace.visibility").first - basic_authorization second_user.display_name, "test" - post :api_create, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 } - assert_response :success - trace = Trace.find(response.body.to_i) - assert_equal "a.gpx", trace.name - assert_equal "New Trace", trace.description - assert_equal %w[new trace], trace.tags.order(:tag).collect(&:tag) - assert_equal "private", trace.visibility - assert_equal false, trace.inserted - assert_equal File.new(fixture).read, File.new(trace.trace_name).read - trace.destroy - assert_equal "private", second_user.preferences.where(:k => "gps.trace.visibility").first.v - end - - # Check updating a trace through the api - def test_api_update - public_trace_file = create(:trace, :visibility => "public", :fixture => "a") - deleted_trace_file = create(:trace, :deleted) - anon_trace_file = create(:trace, :visibility => "private") - - # First with no auth - put :api_update, :params => { :id => public_trace_file.id }, :body => public_trace_file.to_xml.to_s - assert_response :unauthorized - - # Now with some other user, which should fail - basic_authorization create(:user).display_name, "test" - put :api_update, :params => { :id => public_trace_file.id }, :body => public_trace_file.to_xml.to_s - assert_response :forbidden - - # Now with a trace which doesn't exist - basic_authorization create(:user).display_name, "test" - put :api_update, :params => { :id => 0 }, :body => public_trace_file.to_xml.to_s - assert_response :not_found - - # Now with a trace which did exist but has been deleted - basic_authorization deleted_trace_file.user.display_name, "test" - put :api_update, :params => { :id => deleted_trace_file.id }, :body => deleted_trace_file.to_xml.to_s - assert_response :not_found - - # Now try an update with the wrong ID - basic_authorization public_trace_file.user.display_name, "test" - put :api_update, :params => { :id => public_trace_file.id }, :body => anon_trace_file.to_xml.to_s - assert_response :bad_request, - "should not be able to update a trace with a different ID from the XML" - - # And finally try an update that should work - basic_authorization public_trace_file.user.display_name, "test" - t = public_trace_file - t.description = "Changed description" - t.visibility = "private" - put :api_update, :params => { :id => t.id }, :body => t.to_xml.to_s - assert_response :success - nt = Trace.find(t.id) - assert_equal nt.description, t.description - assert_equal nt.visibility, t.visibility - end - - # Test that updating a trace doesn't duplicate the tags - def test_api_update_tags - tracetag = create(:tracetag) - trace = tracetag.trace - basic_authorization trace.user.display_name, "test" - - put :api_update, :params => { :id => trace.id }, :body => trace.to_xml.to_s - assert_response :success - - updated = Trace.find(trace.id) - # Ensure there's only one tag in the database after updating - assert_equal Tracetag.count, 1 - # The new tag object might have a different id, so check the string representation - assert_equal trace.tagstring, updated.tagstring - end - - # Check deleting a trace through the api - def test_api_delete - public_trace_file = create(:trace, :visibility => "public") - - # First with no auth - delete :api_delete, :params => { :id => public_trace_file.id } - assert_response :unauthorized - - # Now with some other user, which should fail - basic_authorization create(:user).display_name, "test" - delete :api_delete, :params => { :id => public_trace_file.id } - assert_response :forbidden - - # Now with a trace which doesn't exist - basic_authorization create(:user).display_name, "test" - delete :api_delete, :params => { :id => 0 } - assert_response :not_found - - # And finally we should be able to do it with the owner of the trace - basic_authorization public_trace_file.user.display_name, "test" - delete :api_delete, :params => { :id => public_trace_file.id } - assert_response :success - - # Try it a second time, which should fail - basic_authorization public_trace_file.user.display_name, "test" - delete :api_delete, :params => { :id => public_trace_file.id } - assert_response :not_found - end - private def check_trace_feed(traces)