From: Tom Hughes Date: Thu, 23 Nov 2023 16:46:36 +0000 (+0000) Subject: Prevent unauthenticated users commenting on notes via the API X-Git-Tag: live~959 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/efd2b92a806882da1ded6e3be7c96ffeca54e235 Prevent unauthenticated users commenting on notes via the API
---
diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
index fe39f5eb5..4876380d0 100644
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@@ -12,7 +12,7 @@ class ApiAbility
 if Settings.status != "database_offline"
 can [:show, :download, :query], Changeset
- can [:index, :create, :comment, :feed, :show, :search], Note
+ can [:index, :create, :feed, :show, :search], Note
 can :index, Tracepoint
 can [:index, :show], User
 can [:index, :show], Node
@@ -31,7 +31,7 @@ class ApiAbility
 if Settings.status != "database_offline"
 can [:index, :new, :create, :show, :edit, :update, :destroy], ClientApplication
 can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
- can [:close, :reopen], Note
+ can [:comment, :close, :reopen], Note
 can [:new, :create], Report
 can [:create, :show, :update, :destroy, :data], Trace
 can [:details, :gpx_files], User
diff --git a/test/abilities/api_abilities_test.rb b/test/abilities/api_abilities_test.rb
index 7734ce996..8ddc54561 100644
--- a/test/abilities/api_abilities_test.rb
+++ b/test/abilities/api_abilities_test.rb
@@ -9,11 +9,11 @@ class GuestApiAbilityTest < ApiAbilityTest
 test "note permissions for a guest" do
 ability = ApiAbility.new nil
 
- [:index, :create, :comment, :feed, :show, :search].each do |action|
+ [:index, :create, :feed, :show, :search].each do |action|
 assert ability.can?(action, Note), "should be able to #{action} Notes"
 end
 
- [:close, :reopen, :destroy].each do |action|
+ [:comment, :close, :reopen, :destroy].each do |action|
 assert ability.cannot?(action, Note), "should not be able to #{action} Notes"
 end
 end
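Review bot: The relocated `:comment` entry in the second api_ability.rb hunk deserves a comment explaining why it lives in that list and not in the first hunk's list, because the branch condition it sits under starts outside the hunk and is only inferable as the signed-in-user branch. CanCan abilities are additive, so the protection this commit adds comes from removing `:comment` from the unconditional list in the first hunk, and a later edit that re-adds it there while extending the Note actions would silently reopen the gap without touching the second hunk. Since `:create` stays available without a user while `:comment`, `:close` and `:reopen` do not, stating the asymmetry next to the line would help: `# Anonymous users may open a note, but commenting on, closing or reopening one requires an account`. The surrounding conditionals begin and end outside both hunks.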
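Review bot: The guest test now pins that `:comment` is denied when `ApiAbility.new nil` is used, but the hunk adds no matching positive assertion for a signed-in user, so a regression that drops `:comment` from the authenticated list would still pass this test; if a logged-in test class covers it elsewhere in api_abilities_test.rb, that is outside this hunk. A counterpart such as `assert ability.can?(:comment, Note), "should be able to comment Notes"` in the corresponding user test, with `ability` built from a constructed user, would lock in both sides of the change. The `test` block is complete within the hunk, but the enclosing `GuestApiAbilityTest` class continues past it.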