Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/pull/5429'
Browse files Browse the repository at this point in the history
  • Loading branch information
tomhughes committed Dec 20, 2024
2 parents e2904da + cdce867 commit 175bb0d
Show file tree
Hide file tree
Showing 5 changed files with 65 additions and 84 deletions.
45 changes: 33 additions & 12 deletions app/abilities/api_ability.rb
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,16 @@
class ApiAbility
include CanCan::Ability

def initialize(user)
def initialize(token)
can :read, [:version, :capability, :permission, :map]

if Settings.status != "database_offline"
user = User.find(token.resource_owner_id) if token

can [:read, :feed, :search], Note
can :create, Note unless token

can [:read, :download], Changeset
can [:read, :create, :feed, :search], Note
can :read, Tracepoint
can :read, User
can :read, Node
Expand All @@ -18,22 +22,33 @@ def initialize(user)
can :read, UserBlock

if user&.active?
can [:comment, :close, :reopen], Note
can [:read, :create, :update, :destroy], Trace
can [:details, :gpx_files], User
can [:read, :update, :update_all, :destroy], UserPreference
can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
can [:create, :destroy], NoteSubscription if scope?(token, :write_notes)

can :read, Trace if scope?(token, :read_gpx)
can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)

can :details, User if scope?(token, :read_prefs)
can :gpx_files, User if scope?(token, :read_gpx)

can :read, UserPreference if scope?(token, :read_prefs)
can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)

can [:inbox, :outbox, :read, :update, :destroy], Message if scope?(token, :consume_messages)
can :create, Message if scope?(token, :send_messages)

if user.terms_agreed?
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset
can :create, ChangesetComment
can [:create, :update, :delete], [Node, Way, Relation]
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
can :create, ChangesetComment if scope?(token, :write_api)
can [:create, :update, :delete], [Node, Way, Relation] if scope?(token, :write_api)
end

if user.moderator?
can [:destroy, :restore], ChangesetComment
can :destroy, Note
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)

can :destroy, Note if scope?(token, :write_notes)

can :redact, [OldNode, OldWay, OldRelation] if user.terms_agreed?
can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scope?(token, :write_redactions)
end
end
end
Expand Down Expand Up @@ -65,4 +80,10 @@ def initialize(user)
# See the wiki for details:
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end

private

def scope?(token, scope)
token&.includes_scope?(scope)
end
end
42 changes: 0 additions & 42 deletions app/abilities/api_capability.rb

This file was deleted.

4 changes: 2 additions & 2 deletions app/controllers/api_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -65,9 +65,9 @@ def authorize(errormessage = "Couldn't authenticate you")
def current_ability
# Use capabilities from the oauth token if it exists and is a valid access token
if doorkeeper_token&.accessible?
ApiAbility.new(nil).merge(ApiCapability.new(doorkeeper_token))
ApiAbility.new(doorkeeper_token)
else
ApiAbility.new(current_user)
ApiAbility.new(nil)
end
end

Expand Down
6 changes: 4 additions & 2 deletions test/abilities/api_abilities_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,8 @@ class GuestApiAbilityTest < ApiAbilityTest

class UserApiAbilityTest < ApiAbilityTest
test "Note permissions" do
ability = ApiAbility.new create(:user)
token = create(:oauth_access_token, :scopes => %w[write_notes])
ability = ApiAbility.new token

[:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action|
assert ability.can?(action, Note), "should be able to #{action} Notes"
Expand All @@ -35,7 +36,8 @@ class UserApiAbilityTest < ApiAbilityTest

class ModeratorApiAbilityTest < ApiAbilityTest
test "Note permissions" do
ability = ApiAbility.new create(:moderator_user)
token = create(:oauth_access_token, :scopes => %w[write_notes], :resource_owner_id => create(:moderator_user).id)
ability = ApiAbility.new token

[:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action|
assert ability.can?(action, Note), "should be able to #{action} Notes"
Expand Down
52 changes: 26 additions & 26 deletions test/abilities/api_capability_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -5,83 +5,83 @@
class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do
token = create(:oauth_access_token)
capability = ApiCapability.new token
ability = ApiAbility.new token

[:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
assert ability.cannot? action, ChangesetComment
end
end

test "as a normal user with write_api token" do
token = create(:oauth_access_token, :scopes => %w[write_api])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
assert ability.cannot? action, ChangesetComment
end

[:create].each do |action|
assert capability.can? action, ChangesetComment
assert ability.can? action, ChangesetComment
end
end

test "as a moderator with permissionless token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id)
capability = ApiCapability.new token
ability = ApiAbility.new token

[:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
assert ability.cannot? action, ChangesetComment
end
end

test "as a moderator with write_api token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_api])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:create, :destroy, :restore].each do |action|
assert capability.can? action, ChangesetComment
assert ability.can? action, ChangesetComment
end
end
end

class NoteApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do
token = create(:oauth_access_token)
capability = ApiCapability.new token
ability = ApiAbility.new token

[:create, :comment, :close, :reopen, :destroy].each do |action|
assert capability.cannot? action, Note
assert ability.cannot? action, Note
end
end

test "as a normal user with write_notes token" do
token = create(:oauth_access_token, :scopes => %w[write_notes])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:destroy].each do |action|
assert capability.cannot? action, Note
assert ability.cannot? action, Note
end

[:create, :comment, :close, :reopen].each do |action|
assert capability.can? action, Note
assert ability.can? action, Note
end
end

test "as a moderator with permissionless token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id)
capability = ApiCapability.new token
ability = ApiAbility.new token

[:destroy].each do |action|
assert capability.cannot? action, Note
assert ability.cannot? action, Note
end
end

test "as a moderator with write_notes token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_notes])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:destroy].each do |action|
assert capability.can? action, Note
assert ability.can? action, Note
end
end
end
Expand All @@ -90,32 +90,32 @@ class UserApiCapabilityTest < ActiveSupport::TestCase
test "user preferences" do
# A user with empty tokens
token = create(:oauth_access_token)
capability = ApiCapability.new token
ability = ApiAbility.new token

[:index, :show, :update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference
assert ability.cannot? act, UserPreference
end

token = create(:oauth_access_token, :scopes => %w[read_prefs])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference
assert ability.cannot? act, UserPreference
end

[:index, :show].each do |act|
assert capability.can? act, UserPreference
assert ability.can? act, UserPreference
end

token = create(:oauth_access_token, :scopes => %w[write_prefs])
capability = ApiCapability.new token
ability = ApiAbility.new token

[:index, :show].each do |act|
assert capability.cannot? act, UserPreference
assert ability.cannot? act, UserPreference
end

[:update_all, :update, :destroy].each do |act|
assert capability.can? act, UserPreference
assert ability.can? act, UserPreference
end
end
end

0 comments on commit 175bb0d

Please sign in to comment.