diff --git a/TODO.md b/TODO.md
index 3212f18c..dba48be6 100644
--- a/TODO.md
+++ b/TODO.md
@@ -14,6 +14,11 @@ Do we need dotenv rails? * Check with nick about removing pfsx * Update essence after_create :update_catalog_file efore_destroy :update_catalog_file +## API +We are using Doorkeeper to provide oauth tokens +These are for API access not to act on behalf of users +If we give tokens to more than paragest we need to rethink this + ## Need Nick * Rotate the recaptcha keys and switch to v3
diff --git a/app/controllers/api/v1/application_controller.rb b/app/controllers/api/v1/application_controller.rb
index eec6f463..1c67b040 100644
--- a/app/controllers/api/v1/application_controller.rb
+++ b/app/controllers/api/v1/application_controller.rb
@@ -11,6 +11,10 @@ def authenticated
     !!doorkeeper_token.id
   end
+  def admin_authenticated
+    !!doorkeeper_token.id && doorkeeper_token.scopes.include?('admin')
+  end
+
   def current_user
     @current_user ||= User.find_by(id: doorkeeper_token[:resource_owner_id])
   end
diff --git a/app/controllers/api/v1/graphql_controller.rb b/app/controllers/api/v1/graphql_controller.rb
index 34d1112e..e34499fb 100644
--- a/app/controllers/api/v1/graphql_controller.rb
+++ b/app/controllers/api/v1/graphql_controller.rb
@@ -13,14 +13,15 @@ def execute
     context = {
       # Query context goes here, for example:
       current_user:,
-      authenticated:
+      authenticated:,
+      admin_authenticated:
     }
     result = NabuSchema.execute(query, variables:, context:, operation_name:)
     render json: result
-  rescue StandardError => error
-    raise error unless Rails.env.development?
+  rescue StandardError => e
+    raise e unless Rails.env.development?
-    handle_error_in_development(error)
+    handle_error_in_development(e)
   end
   private
diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb
index 7710e8f4..2ec95d9b 100644
--- a/app/graphql/types/query_type.rb
+++ b/app/graphql/types/query_type.rb
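Review bot: `admin_authenticated` treats any token row that carries the `admin` scope as valid, so unless this controller already runs `doorkeeper_authorize!` before its actions (not visible in the hunk) an expired or revoked token still passes, and a request with no bearer token raises NoMethodError on `doorkeeper_token.id` instead of returning false — the same holds for the `admin_authenticated:` value built into the GraphQL context in app/controllers/api/v1/graphql_controller.rb. Consider `!!doorkeeper_token&.accessible? && doorkeeper_token.scopes.include?('admin')`, or let Doorkeeper enforce it with `doorkeeper_authorize! :admin`. The `admin` scope also has to be declared in the Doorkeeper initializer's scope configuration (`optional_scopes`) for a token to be issued with it; the doorkeeper.rb hunk in this commit does not touch that. The enclosing class starts and ends outside the hunk.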
@@ -31,7 +31,13 @@ def item(full_identifier:)
     argument :full_identifier, ID
   end
   def item_bwf_xml(full_identifier:)
-    raise(GraphQL::ExecutionError, 'Not authorised') unless context[:current_user]&.admin?
+    p 'MOO'
+    p 'MOO'
+    p 'MOO'
+    p 'MOO'
+    p 'MOO'
+    p context
+    raise(GraphQL::ExecutionError, 'Not authorised') unless context[:admin_authenticated]
     collection_identifier, item_identifier = full_identifier.split('-')
     collection = Collection.find_by(identifier: collection_identifier)
diff --git a/config/initializers/active_admin.rb b/config/initializers/active_admin.rb
index 1de90279..e7794ffa 100644
--- a/config/initializers/active_admin.rb
+++ b/config/initializers/active_admin.rb
@@ -4,12 +4,12 @@
   # Set the title that is displayed on the main layout
   # for each of the active admin pages.
   #
-  config.site_title = "Nabu"
+  config.site_title = 'Nabu'
   # Set the link url for the title. For example, to take
   # users to your main site. Defaults to no link.
   #
-  config.site_title_link = "/"
+  config.site_title_link = '/'
   # Set an optional image to be displayed for the header
   # instead of a string (overrides :site_title)
@@ -157,7 +157,7 @@
   # You can exclude possibly sensitive model attributes from being displayed,
   # added to forms, or exported by default by ActiveAdmin
   #
-  config.filter_attributes = [:encrypted_password, :password, :password_confirmation]
+  config.filter_attributes = %i[encrypted_password password password_confirmation]
   # == Localize Date/Time Format
   #
@@ -241,7 +241,8 @@
   # config.namespace :admin do |admin|
     admin.build_menu :default do |menu|
-      menu.add label: "Jobs", url: "/jobs"
+      menu.add label: 'Jobs', url: '/jobs'
+      menu.add label: 'OAUTH Tokens', url: '/oauth/applications'
     end
   end
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 74f74c74..36a3939c 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
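Review bot: The five `p 'MOO'` lines and `p context` in item_bwf_xml are leftover debugging output and should be deleted before merge; `p context` prints the entire GraphQL context, including the `current_user` record, to stdout on every call, which lands in server logs. After removing them the method should open with `raise(GraphQL::ExecutionError, 'Not authorised') unless context[:admin_authenticated]` alone. The switch from `context[:current_user]&.admin?` to the token scope means a token belonging to an admin user but lacking the `admin` scope is now refused; that matches the TODO note in this commit but deserves a comment on the method, e.g. `# Authorised by the token's 'admin' scope, not by the resource owner being an admin`. The method body continues outside the hunk.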
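Review bot: The new menu entry is labelled 'OAUTH Tokens', but `/oauth/applications` is Doorkeeper's OAuth application (client id and secret) management page rather than a token list, so `menu.add label: 'OAuth Applications', url: '/oauth/applications'` would describe the target accurately. Because this link leaves the ActiveAdmin namespace, access to it is governed by the `admin_authenticator` block in config/initializers/doorkeeper.rb and not by ActiveAdmin's own authentication; a one-line comment above the entry saying so would save the next reader a check. The earlier two hunks in this file are quote-style changes only.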
@@ -25,7 +25,7 @@
     if current_user
       head :forbidden unless current_user.admin?
     else
-      redirect_to sign_in_url
+      redirect_to new_user_session_url
     end
   end