From: Anton Khorev Date: Sun, 8 Sep 2024 09:31:31 +0000 (+0300) Subject: Disable redactions with write_api scope X-Git-Tag: live~145^2 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/8b024f48c1debe5de4bc8819962c783af2e404f9 Disable redactions with write_api scope Requires write_redactions scope to redact. Previously it was possible to redact with either write_redactions or write_api. --- diff --git a/app/abilities/api_capability.rb b/app/abilities/api_capability.rb index 07345d254..d8be13643 100644 --- a/app/abilities/api_capability.rb +++ b/app/abilities/api_capability.rb @@ -27,7 +27,7 @@ class ApiCapability if user.moderator? can [:destroy, :restore], ChangesetComment if scope?(token, :write_api) can :destroy, Note if scope?(token, :write_notes) - can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && (scope?(token, :write_api) || scope?(token, :write_redactions)) + can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scope?(token, :write_redactions) end end end diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb index 64325fd28..8ce19f3ea 100644 --- a/test/controllers/api/old_nodes_controller_test.rb +++ b/test/controllers/api/old_nodes_controller_test.rb @@ -238,14 +238,8 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end - def test_redact_node_by_regular_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs]) - do_redact_redactable_node(auth_header) - assert_response :forbidden, "should need to be moderator to redact." - end - - def test_redact_node_by_regular_with_write_api_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[write_api]) + def test_redact_node_by_regular_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs write_api]) do_redact_redactable_node(auth_header) assert_response :forbidden, "should need to be moderator to redact." end @@ -256,19 +250,12 @@ module Api assert_response :forbidden, "should need to be moderator to redact." end - def test_redact_node_by_moderator_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs]) + def test_redact_node_by_moderator_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs write_api]) do_redact_redactable_node(auth_header) assert_response :forbidden, "should need to have write_redactions scope to redact." end - def test_redact_node_by_moderator_with_write_api_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_api]) - do_redact_redactable_node(auth_header) - assert_response :success, "should be OK to redact old version as moderator with write_api scope." - # assert_response :forbidden, "should need to have write_redactions scope to redact." - end - def test_redact_node_by_moderator_with_write_redactions_scope auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_redactions]) do_redact_redactable_node(auth_header) diff --git a/test/controllers/api/old_relations_controller_test.rb b/test/controllers/api/old_relations_controller_test.rb index 8d750542f..880c34011 100644 --- a/test/controllers/api/old_relations_controller_test.rb +++ b/test/controllers/api/old_relations_controller_test.rb @@ -77,14 +77,8 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end - def test_redact_relation_by_regular_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs]) - do_redact_redactable_relation(auth_header) - assert_response :forbidden, "should need to be moderator to redact." - end - - def test_redact_relation_by_regular_with_write_api_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[write_api]) + def test_redact_relation_by_regular_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs write_api]) do_redact_redactable_relation(auth_header) assert_response :forbidden, "should need to be moderator to redact." end @@ -95,19 +89,12 @@ module Api assert_response :forbidden, "should need to be moderator to redact." end - def test_redact_relation_by_moderator_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs]) + def test_redact_relation_by_moderator_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs write_api]) do_redact_redactable_relation(auth_header) assert_response :forbidden, "should need to have write_redactions scope to redact." end - def test_redact_relation_by_moderator_with_write_api_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_api]) - do_redact_redactable_relation(auth_header) - assert_response :success, "should be OK to redact old version as moderator with write_api scope." - # assert_response :forbidden, "should need to have write_redactions scope to redact." - end - def test_redact_relation_by_moderator_with_write_redactions_scope auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_redactions]) do_redact_redactable_relation(auth_header) diff --git a/test/controllers/api/old_ways_controller_test.rb b/test/controllers/api/old_ways_controller_test.rb index c6596ec34..cc9eaf312 100644 --- a/test/controllers/api/old_ways_controller_test.rb +++ b/test/controllers/api/old_ways_controller_test.rb @@ -118,14 +118,8 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end - def test_redact_way_by_regular_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs]) - do_redact_redactable_way(auth_header) - assert_response :forbidden, "should need to be moderator to redact." - end - - def test_redact_way_by_regular_with_write_api_scope - auth_header = bearer_authorization_header(create(:user), :scopes => %w[write_api]) + def test_redact_way_by_regular_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:user), :scopes => %w[read_prefs write_api]) do_redact_redactable_way(auth_header) assert_response :forbidden, "should need to be moderator to redact." end @@ -136,19 +130,12 @@ module Api assert_response :forbidden, "should need to be moderator to redact." end - def test_redact_way_by_moderator_with_read_prefs_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs]) + def test_redact_way_by_moderator_without_write_redactions_scope + auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[read_prefs write_api]) do_redact_redactable_way(auth_header) assert_response :forbidden, "should need to have write_redactions scope to redact." end - def test_redact_way_by_moderator_with_write_api_scope - auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_api]) - do_redact_redactable_way(auth_header) - assert_response :success, "should be OK to redact old version as moderator with write_api scope." - # assert_response :forbidden, "should need to have write_redactions scope to redact." - end - def test_redact_way_by_moderator_with_write_redactions_scope auth_header = bearer_authorization_header(create(:moderator_user), :scopes => %w[write_redactions]) do_redact_redactable_way(auth_header)