From 304e0ef63843ddcb55aab62312ff18be8a5b4703 Mon Sep 17 00:00:00 2001 From: Anton Khorev Date: Wed, 12 Feb 2025 17:14:21 +0300 Subject: [PATCH] Pass user to ApiAbility --- app/abilities/api_ability.rb | 6 +-- app/controllers/api_controller.rb | 5 ++- test/abilities/api_abilities_test.rb | 12 +++--- test/abilities/api_capability_test.rb | 53 ++++++++++++++++----------- 4 files changed, 43 insertions(+), 33 deletions(-) diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb index e774f6820..3bc82eab2 100644 --- a/app/abilities/api_ability.rb +++ b/app/abilities/api_ability.rb @@ -3,14 +3,12 @@ class ApiAbility include CanCan::Ability - def initialize(token) + def initialize(user, token) can :read, [:version, :capability, :permission, :map] if Settings.status != "database_offline" - user = User.find(token.resource_owner_id) if token - can [:read, :feed, :search], Note - can :create, Note unless token + can :create, Note unless user can [:read, :download], Changeset can :read, Tracepoint diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index 5faa39165..27f262d00 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -65,9 +65,10 @@ class ApiController < ApplicationController def current_ability # Use capabilities from the oauth token if it exists and is a valid access token if doorkeeper_token&.accessible? - ApiAbility.new(doorkeeper_token) + user = User.find(doorkeeper_token.resource_owner_id) + ApiAbility.new(user, doorkeeper_token) else - ApiAbility.new(nil) + ApiAbility.new(nil, nil) end end diff --git a/test/abilities/api_abilities_test.rb b/test/abilities/api_abilities_test.rb index 0c97dc6a0..c32300c60 100644 --- a/test/abilities/api_abilities_test.rb +++ b/test/abilities/api_abilities_test.rb 
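Review bot: `initialize(user, token)` now takes the user and the token as independent arguments, but nothing in the method checks that they belong together, so `can :create, Note unless user` and any role-based rules further down (the body of `initialize` continues outside the hunk) are only correct if every caller passes the token's resource owner. The visible controller caller does, but a second caller or a test fixture could pass `(nil, token)` and hand the anonymous note-creation rule to a token holder, or `(other_user, token)` and apply one account's scopes to another account's role. A one-line invariant at the top of the method would make the contract explicit and fail loudly instead: `raise ArgumentError, "user must be the token's resource owner" if token && user&.id != token.resource_owner_id`. If the looser coupling is deliberate, a comment such as `# user must be token.resource_owner; callers are responsible for the pairing` would at least record it.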
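Review bot: `User.find(doorkeeper_token.resource_owner_id)` in `current_ability` raises `ActiveRecord::RecordNotFound` when the token's owner row is gone (or when `resource_owner_id` is nil, which Doorkeeper permits for tokens issued without a resource owner, if this app ever issues such tokens), so an authorization decision surfaces as a 404 rather than a 401/403. The same lookup previously lived inside `ApiAbility`, so this is not a regression introduced by the patch, but the controller is now the natural place to decide what a token without a live owner means. At minimum a comment would record the choice, e.g. `# A valid token whose owner no longer exists raises RecordNotFound here; it is deliberately not downgraded to the anonymous ability`; alternatively use `User.find_by(:id => doorkeeper_token.resource_owner_id)` and reject the request explicitly when it returns nil, rather than letting it fall through to `ApiAbility.new(nil, nil)`.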
@@ -7,7 +7,7 @@ end class GuestApiAbilityTest < ApiAbilityTest test "note permissions for a guest" do - ability = ApiAbility.new nil + ability = ApiAbility.new nil, nil [:index, :create, :feed, :show, :search].each do |action| assert ability.can?(action, Note), "should be able to #{action} Notes" @@ -21,8 +21,9 @@ end class UserApiAbilityTest < ApiAbilityTest test "Note permissions" do - token = create(:oauth_access_token, :scopes => %w[write_notes]) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes]) + ability = ApiAbility.new user, token [:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action| assert ability.can?(action, Note), "should be able to #{action} Notes" @@ -36,8 +37,9 @@ end class ModeratorApiAbilityTest < ApiAbilityTest test "Note permissions" do - token = create(:oauth_access_token, :scopes => %w[write_notes], :user => create(:moderator_user)) - ability = ApiAbility.new token + user = create(:moderator_user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes]) + ability = ApiAbility.new user, token [:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action| assert ability.can?(action, Note), "should be able to #{action} Notes" diff --git a/test/abilities/api_capability_test.rb b/test/abilities/api_capability_test.rb index ca679dd71..12bbc4965 100644 --- a/test/abilities/api_capability_test.rb +++ b/test/abilities/api_capability_test.rb @@ -4,8 +4,9 @@ require "test_helper" class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase test "as a normal user with permissionless token" do - token = create(:oauth_access_token) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user) + ability = ApiAbility.new user, token [:create, :destroy, :restore].each do |action| assert ability.cannot? action, ChangesetComment 
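Review bot: In the `UserApiAbilityTest` and `ModeratorApiAbilityTest` hunks the user passed to `ApiAbility.new user, token` is now chosen by the test itself, so these tests no longer check that the identity used for role rules actually comes from the token; that responsibility moved to `ApiController#current_ability`, and this patch adds no controller-level test for the new seam. A short integration test that issues a token for a moderator, calls an API action with it, and asserts a moderator-only operation succeeds (and is refused with a plain user's token) would cover it. I cannot see from the diff whether such a test already exists elsewhere in the suite.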
@@ -13,8 +14,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase end test "as a normal user with write_api token" do - token = create(:oauth_access_token, :scopes => %w[write_api]) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_api]) + ability = ApiAbility.new user, token [:destroy, :restore].each do |action| assert ability.cannot? action, ChangesetComment @@ -26,8 +28,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase end test "as a moderator with permissionless token" do - token = create(:oauth_access_token, :user => create(:moderator_user)) - ability = ApiAbility.new token + user = create(:moderator_user) + token = create(:oauth_access_token, :user => user) + ability = ApiAbility.new user, token [:create, :destroy, :restore].each do |action| assert ability.cannot? action, ChangesetComment @@ -35,8 +38,9 @@ class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase end test "as a moderator with write_api token" do - token = create(:oauth_access_token, :user => create(:moderator_user), :scopes => %w[write_api]) - ability = ApiAbility.new token + user = create(:moderator_user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_api]) + ability = ApiAbility.new user, token [:create, :destroy, :restore].each do |action| assert ability.can? action, ChangesetComment @@ -46,8 +50,9 @@ end class NoteApiCapabilityTest < ActiveSupport::TestCase test "as a normal user with permissionless token" do - token = create(:oauth_access_token) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user) + ability = ApiAbility.new user, token [:create, :comment, :close, :reopen, :destroy].each do |action| assert ability.cannot? action, Note 
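Review bot: Every test in this file now repeats the same three-line setup (`user = create(...)`, `token = create(:oauth_access_token, :user => user, :scopes => ...)`, `ability = ApiAbility.new user, token`), which this hunk grows from two lines to three in each test. A private helper on the test case, e.g. `def ability_for(user, *scopes) = ApiAbility.new(user, create(:oauth_access_token, :user => user, :scopes => scopes))` written as a regular `def` if endless methods are not used in this codebase, would keep each test to its assertions and make it structurally impossible for a future test to hand `ApiAbility` a token created for a different user than the one it passes as `user`. This is a style point only; the assertions themselves look correct.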
@@ -55,8 +60,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase end test "as a normal user with write_notes token" do - token = create(:oauth_access_token, :scopes => %w[write_notes]) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes]) + ability = ApiAbility.new user, token [:destroy].each do |action| assert ability.cannot? action, Note @@ -68,8 +74,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase end test "as a moderator with permissionless token" do - token = create(:oauth_access_token, :user => create(:moderator_user)) - ability = ApiAbility.new token + user = create(:moderator_user) + token = create(:oauth_access_token, :user => user) + ability = ApiAbility.new user, token [:destroy].each do |action| assert ability.cannot? action, Note @@ -77,8 +84,9 @@ class NoteApiCapabilityTest < ActiveSupport::TestCase end test "as a moderator with write_notes token" do - token = create(:oauth_access_token, :user => create(:moderator_user), :scopes => %w[write_notes]) - ability = ApiAbility.new token + user = create(:moderator_user) + token = create(:oauth_access_token, :user => user, :scopes => %w[write_notes]) + ability = ApiAbility.new user, token [:destroy].each do |action| assert ability.can? action, Note 
@@ -89,15 +97,16 @@ end class UserApiCapabilityTest < ActiveSupport::TestCase test "user preferences" do # A user with empty tokens - token = create(:oauth_access_token) - ability = ApiAbility.new token + user = create(:user) + token = create(:oauth_access_token, :user => user) + ability = ApiAbility.new user, token [:index, :show, :update_all, :update, :destroy].each do |act| assert ability.cannot? act, UserPreference end - token = create(:oauth_access_token, :scopes => %w[read_prefs]) - ability = ApiAbility.new token + token = create(:oauth_access_token, :user => user, :scopes => %w[read_prefs]) + ability = ApiAbility.new user, token [:update_all, :update, :destroy].each do |act| assert ability.cannot? act, UserPreference @@ -107,8 +116,8 @@ class UserApiCapabilityTest < ActiveSupport::TestCase assert ability.can? act, UserPreference end - token = create(:oauth_access_token, :scopes => %w[write_prefs]) - ability = ApiAbility.new token + token = create(:oauth_access_token, :user => user, :scopes => %w[write_prefs]) + ability = ApiAbility.new user, token [:index, :show].each do |act| assert ability.cannot? act, UserPreference -- 2.39.5