From 9cb7a7b36b8ee68502d5da94db6bc3dda29051b4 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Fri, 23 Dec 2022 16:25:03 +0000 Subject: [PATCH 1/1] Don't allow any abilities for inactive users --- .rubocop_todo.yml | 4 +-- app/abilities/ability.rb | 2 +- app/abilities/api_ability.rb | 2 +- app/abilities/api_capability.rb | 44 ++++++++++++++------------- test/abilities/api_capability_test.rb | 28 ++++++----------- 5 files changed, 37 insertions(+), 43 deletions(-) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index c03cf665c..bb0d7750a 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -65,7 +65,7 @@ Metrics/ClassLength: # Offense count: 58 # Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods. Metrics/CyclomaticComplexity: - Max: 25 + Max: 26 # Offense count: 751 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, AllowedMethods, AllowedPatterns, IgnoredMethods. @@ -80,7 +80,7 @@ Metrics/ParameterLists: # Offense count: 57 # Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods. Metrics/PerceivedComplexity: - Max: 26 + Max: 27 # Offense count: 2495 # This cop supports safe autocorrection (--autocorrect). diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb index e022f7993..bb9cd6300 100644 --- a/app/abilities/ability.rb +++ b/app/abilities/ability.rb @@ -33,7 +33,7 @@ class Ability can [:history, :version], OldRelation end - if user + if user&.active? can :welcome, :site can [:revoke, :authorize], :oauth can [:show], :deletion diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb index 62cd2b17e..9b274ec84 100644 --- a/app/abilities/api_ability.rb +++ b/app/abilities/api_ability.rb @@ -23,7 +23,7 @@ class ApiAbility can [:history, :version], OldRelation end - if user + if user&.active? can :welcome, :site can [:revoke, :authorize], :oauth diff --git a/app/abilities/api_capability.rb b/app/abilities/api_capability.rb index 04d7fe10a..8c52327cf 100644 --- a/app/abilities/api_capability.rb +++ b/app/abilities/api_capability.rb @@ -11,29 +11,31 @@ class ApiCapability token.user end - can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes) - can [:show, :data], Trace if scope?(token, :read_gpx) - can [:create, :update, :destroy], Trace if scope?(token, :write_gpx) - can [:details], User if scope?(token, :read_prefs) - can [:gpx_files], User if scope?(token, :read_gpx) - can [:index, :show], UserPreference if scope?(token, :read_prefs) - can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs) + if user&.active? + can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes) + can [:show, :data], Trace if scope?(token, :read_gpx) + can [:create, :update, :destroy], Trace if scope?(token, :write_gpx) + can [:details], User if scope?(token, :read_prefs) + can [:gpx_files], User if scope?(token, :read_gpx) + can [:index, :show], UserPreference if scope?(token, :read_prefs) + can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs) - if user&.terms_agreed? - can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api) - can :create, ChangesetComment if scope?(token, :write_api) - can [:create, :update, :delete], Node if scope?(token, :write_api) - can [:create, :update, :delete], Way if scope?(token, :write_api) - can [:create, :update, :delete], Relation if scope?(token, :write_api) - end + if user.terms_agreed? + can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api) + can :create, ChangesetComment if scope?(token, :write_api) + can [:create, :update, :delete], Node if scope?(token, :write_api) + can [:create, :update, :delete], Way if scope?(token, :write_api) + can [:create, :update, :delete], Relation if scope?(token, :write_api) + end - if user&.moderator? - can [:destroy, :restore], ChangesetComment if scope?(token, :write_api) - can :destroy, Note if scope?(token, :write_notes) - if user&.terms_agreed? - can :redact, OldNode if scope?(token, :write_api) - can :redact, OldWay if scope?(token, :write_api) - can :redact, OldRelation if scope?(token, :write_api) + if user.moderator? + can [:destroy, :restore], ChangesetComment if scope?(token, :write_api) + can :destroy, Note if scope?(token, :write_notes) + if user&.terms_agreed? + can :redact, OldNode if scope?(token, :write_api) + can :redact, OldWay if scope?(token, :write_api) + can :redact, OldRelation if scope?(token, :write_api) + end end end end diff --git a/test/abilities/api_capability_test.rb b/test/abilities/api_capability_test.rb index dccde5758..10419c0f8 100644 --- a/test/abilities/api_capability_test.rb +++ b/test/abilities/api_capability_test.rb @@ -2,19 +2,7 @@ require "test_helper" -class ApiCapabilityTest < ActiveSupport::TestCase - private - - def tokens(*toks) - AccessToken.new do |token| - toks.each do |t| - token.public_send("#{t}=", true) - end - end - end -end - -class ChangesetCommentApiCapabilityTest < ApiCapabilityTest +class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase test "as a normal user with permissionless token" do token = create(:access_token) capability = ApiCapability.new token @@ -56,7 +44,7 @@ class ChangesetCommentApiCapabilityTest < ApiCapabilityTest end end -class NoteApiCapabilityTest < ApiCapabilityTest +class NoteApiCapabilityTest < ActiveSupport::TestCase test "as a normal user with permissionless token" do token = create(:access_token) capability = ApiCapability.new token @@ -98,7 +86,7 @@ class NoteApiCapabilityTest < ApiCapabilityTest end end -class UserApiCapabilityTest < ApiCapabilityTest +class UserApiCapabilityTest < ActiveSupport::TestCase test "user preferences" do # a user with no tokens capability = ApiCapability.new nil @@ -107,13 +95,15 @@ class UserApiCapabilityTest < ApiCapabilityTest end # A user with empty tokens - capability = ApiCapability.new tokens + token = create(:access_token) + capability = ApiCapability.new token [:index, :show, :update_all, :update, :destroy].each do |act| assert capability.cannot? act, UserPreference end - capability = ApiCapability.new tokens(:allow_read_prefs) + token = create(:access_token, :allow_read_prefs => true) + capability = ApiCapability.new token [:update_all, :update, :destroy].each do |act| assert capability.cannot? act, UserPreference @@ -123,7 +113,9 @@ class UserApiCapabilityTest < ApiCapabilityTest assert capability.can? act, UserPreference end - capability = ApiCapability.new tokens(:allow_write_prefs) + token = create(:access_token, :allow_write_prefs => true) + capability = ApiCapability.new token + [:index, :show].each do |act| assert capability.cannot? act, UserPreference end -- 2.39.5