From: Anton Khorev Date: Sun, 3 Dec 2023 03:00:54 +0000 (+0300) Subject: Add oauth scope for redactions X-Git-Tag: live~987^2~1 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/daa254351106c4d2c1bef08a88aa946dec6f6411 Add oauth scope for redactions --- diff --git a/app/abilities/api_capability.rb b/app/abilities/api_capability.rb index 8c52327cf..95d7ab9ab 100644 --- a/app/abilities/api_capability.rb +++ b/app/abilities/api_capability.rb @@ -32,9 +32,9 @@ class ApiCapability can [:destroy, :restore], ChangesetComment if scope?(token, :write_api) can :destroy, Note if scope?(token, :write_notes) if user&.terms_agreed? - can :redact, OldNode if scope?(token, :write_api) - can :redact, OldWay if scope?(token, :write_api) - can :redact, OldRelation if scope?(token, :write_api) + can :redact, OldNode if scope?(token, :write_api) || scope?(token, :write_redactions) + can :redact, OldWay if scope?(token, :write_api) || scope?(token, :write_redactions) + can :redact, OldRelation if scope?(token, :write_api) || scope?(token, :write_redactions) end end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 7ff2bfd06..7ed296695 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -2609,6 +2609,7 @@ en: read_gpx: Read private GPS traces write_gpx: Upload GPS traces write_notes: Modify notes + write_redactions: Redact map data read_email: Read user email address skip_authorization: Auto approve application oauth_clients: diff --git a/lib/oauth.rb b/lib/oauth.rb index e5642163d..88db38eb4 100644 --- a/lib/oauth.rb +++ b/lib/oauth.rb @@ -1,8 +1,8 @@ module Oauth SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze - MODERATOR_SCOPES = %w[].freeze - OAUTH2_SCOPES = %w[openid].freeze + MODERATOR_SCOPES = %w[write_redactions].freeze + OAUTH2_SCOPES = %w[write_redactions openid].freeze class Scope attr_reader :name diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb index a87f30258..737f11c73 100644 --- a/test/controllers/api/old_nodes_controller_test.rb +++ b/test/controllers/api/old_nodes_controller_test.rb @@ -238,6 +238,43 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end + def test_redact_node_by_regular_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:user), %w[read_prefs]) + do_redact_redactable_node(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_node_by_regular_with_write_api_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_api]) + do_redact_redactable_node(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_node_by_regular_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_redactions]) + do_redact_redactable_node(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_node_by_moderator_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs]) + do_redact_redactable_node(auth_header) + assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_node_by_moderator_with_write_api_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api]) + do_redact_redactable_node(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_api scope." + # assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_node_by_moderator_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions]) + do_redact_redactable_node(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_redactions scope." + end + ## # test that redacted nodes aren't visible, regardless of # authorisation except as moderator... @@ -395,6 +432,19 @@ module Api private + def create_bearer_auth_header(user, scopes) + token = create(:oauth_access_token, + :resource_owner_id => user.id, + :scopes => scopes) + bearer_authorization_header(token.token) + end + + def do_redact_redactable_node(headers = {}) + node = create(:node, :with_history, :version => 4) + node_v3 = node.old_nodes.find_by(:version => 3) + do_redact_node(node_v3, create(:redaction), headers) + end + def do_redact_node(node, redaction, headers = {}) get node_version_path(:id => node.node_id, :version => node.version), :headers => headers assert_response :success, "should be able to get version #{node.version} of node #{node.node_id}." diff --git a/test/controllers/api/old_relations_controller_test.rb b/test/controllers/api/old_relations_controller_test.rb index d51665b03..ea26e5cb7 100644 --- a/test/controllers/api/old_relations_controller_test.rb +++ b/test/controllers/api/old_relations_controller_test.rb @@ -77,6 +77,43 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end + def test_redact_relation_by_regular_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:user), %w[read_prefs]) + do_redact_redactable_relation(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_relation_by_regular_with_write_api_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_api]) + do_redact_redactable_relation(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_relation_by_regular_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_redactions]) + do_redact_redactable_relation(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_relation_by_moderator_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs]) + do_redact_redactable_relation(auth_header) + assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_relation_by_moderator_with_write_api_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api]) + do_redact_redactable_relation(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_api scope." + # assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_relation_by_moderator_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions]) + do_redact_redactable_relation(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_redactions scope." + end + ## # test that redacted relations aren't visible, regardless of # authorisation except as moderator... @@ -278,6 +315,19 @@ module Api end end + def create_bearer_auth_header(user, scopes) + token = create(:oauth_access_token, + :resource_owner_id => user.id, + :scopes => scopes) + bearer_authorization_header(token.token) + end + + def do_redact_redactable_relation(headers = {}) + relation = create(:relation, :with_history, :version => 4) + relation_v3 = relation.old_relations.find_by(:version => 3) + do_redact_relation(relation_v3, create(:redaction), headers) + end + def do_redact_relation(relation, redaction, headers = {}) get relation_version_path(:id => relation.relation_id, :version => relation.version) assert_response :success, "should be able to get version #{relation.version} of relation #{relation.relation_id}." diff --git a/test/controllers/api/old_ways_controller_test.rb b/test/controllers/api/old_ways_controller_test.rb index 6c4eb16a1..4c225fb33 100644 --- a/test/controllers/api/old_ways_controller_test.rb +++ b/test/controllers/api/old_ways_controller_test.rb @@ -118,6 +118,43 @@ module Api assert_response :bad_request, "shouldn't be OK to redact current version as moderator." end + def test_redact_way_by_regular_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:user), %w[read_prefs]) + do_redact_redactable_way(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_way_by_regular_with_write_api_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_api]) + do_redact_redactable_way(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_way_by_regular_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:user), %w[write_redactions]) + do_redact_redactable_way(auth_header) + assert_response :forbidden, "should need to be moderator to redact." + end + + def test_redact_way_by_moderator_with_read_prefs_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs]) + do_redact_redactable_way(auth_header) + assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_way_by_moderator_with_write_api_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api]) + do_redact_redactable_way(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_api scope." + # assert_response :forbidden, "should need to have write_redactions scope to redact." + end + + def test_redact_way_by_moderator_with_write_redactions_scope + auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions]) + do_redact_redactable_way(auth_header) + assert_response :success, "should be OK to redact old version as moderator with write_redactions scope." + end + ## # test that redacted ways aren't visible, regardless of # authorisation except as moderator... @@ -318,6 +355,19 @@ module Api end end + def create_bearer_auth_header(user, scopes) + token = create(:oauth_access_token, + :resource_owner_id => user.id, + :scopes => scopes) + bearer_authorization_header(token.token) + end + + def do_redact_redactable_way(headers = {}) + way = create(:way, :with_history, :version => 4) + way_v3 = way.old_ways.find_by(:version => 3) + do_redact_way(way_v3, create(:redaction), headers) + end + def do_redact_way(way, redaction, headers = {}) get way_version_path(:id => way.way_id, :version => way.version) assert_response :success, "should be able to get version #{way.version} of way #{way.way_id}."