Filter auth feeds by authorized podcasts

PRX · Nov 8, 2023 · 0cd4cb0 · 0cd4cb0
1 parent 3c6c4cb
commit 0cd4cb0
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 14 deletions.
diff --git a/app/controllers/api/auth/feeds_controller.rb b/app/controllers/api/auth/feeds_controller.rb
@@ -1,4 +1,6 @@
 class Api::Auth::FeedsController < Api::BaseController
+  include ApiAuthenticated
+
   api_versions :v1
   represent_with Api::Auth::FeedRepresenter
   filter_resources_by :podcast_id
@@ -8,4 +10,8 @@ class Api::Auth::FeedsController < Api::BaseController
   def publish
     resource.podcast.publish! if resource&.podcast
   end
+
+  def resources_base
+    @feeds ||= super.merge(authorization.token_auth_feeds)
+  end
 end
diff --git a/app/models/authorization.rb b/app/models/authorization.rb
@@ -40,12 +40,20 @@ def token_auth_podcasts
     end
   end
 
+  def token_auth_feeds
+    if token.globally_authorized?("read-private")
+      Feed.with_deleted.all
+    else
+      Feed.where("podcast_id IN (SELECT id FROM podcasts WHERE prx_account_uri IN (?))", token_auth_account_uris)
+    end
+  end
+
   # avoid joining podcasts here, as it breaks a bunch of other queries
   def token_auth_episodes
     if token.globally_authorized?("read-private")
       Episode.with_deleted.all
     else
-      Episode.where(podcast_id: token_auth_podcasts.pluck(:id))
+      Episode.where("podcast_id IN (SELECT id FROM podcasts WHERE prx_account_uri IN (?))", token_auth_account_uris)
     end
   end
 end
diff --git a/test/controllers/api/auth/feeds_controller_test.rb b/test/controllers/api/auth/feeds_controller_test.rb
@@ -4,8 +4,8 @@
   let(:account_id) { 123 }
   let(:podcast) { create(:podcast, prx_account_uri: "/api/v1/accounts/#{account_id}") }
   let(:feed) { create(:feed, podcast: podcast, slug: "test-slug") }
-  let(:token) { StubToken.new(account_id, ["podcast_edit"]) }
-  let(:bad_token) { StubToken.new(account_id + 100, ["podcast_edit"]) }
+  let(:token) { StubToken.new(account_id, "feeder:read-private feeder:podcast-edit") }
+  let(:bad_token) { StubToken.new(account_id + 100, "feeder:read-private feeder:podcast-edit") }
 
   let(:feed_hash) do
     {
@@ -148,20 +148,26 @@ class << @controller; attr_accessor :prx_auth_token; end
 
       put(:update, body: update_hash.to_json, as: :json,
         params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id, id: feed.id})
-      assert_response 401
+      assert_response :not_found
     end
-  end
 
-  it "should show" do
-    get(:show, params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id, id: feed.id})
-    assert_response :success
+    it "rejects show for unauthorized token" do
+      @controller.prx_auth_token = bad_token
+
+      get(:show, params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id, id: feed.id})
+      assert_response :not_found
+    end
   end
 
-  it "should list" do
-    _(feed.id).wont_be_nil
-    get(:index, params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id})
-    assert_response :success
-    ids = JSON.parse(response.body)["_embedded"]["prx:items"].map { |p| p["id"] }
-    _(ids).must_include(feed.id)
+  describe "without a token" do
+    it "should not show" do
+      get(:show, params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id, id: feed.id})
+      assert_response :unauthorized
+    end
+
+    it "should not list" do
+      get(:index, params: {api_version: "v1", format: "json", podcast_id: feed.podcast_id})
+      assert_response :unauthorized
+    end
   end
 end