ptch: Adds check for project's collaborators which user has no access to

CircuitVerse · Jun 25, 2020 · f48db35 · f48db35
1 parent fc0796a
commit f48db35
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 6 deletions.
diff --git a/app/controllers/api/v1/collaborators_controller.rb b/app/controllers/api/v1/collaborators_controller.rb
@@ -4,6 +4,7 @@ class Api::V1::CollaboratorsController < Api::V1::BaseController
   before_action :authenticate_user!
   before_action :set_project
   before_action :check_author_access, except: %i[index]
+  before_action :check_view_access, only: %i[index]
   before_action :set_collaborator, only: %i[destroy]
 
   # /api/v1/projects/:project_id/collaborators
@@ -48,6 +49,10 @@ def check_author_access
       authorize @project, :author_access?
     end
 
+    def check_view_access
+      authorize @project, :check_view_access?
+    end
+
     def set_collaborator
       @collaborator = @project.collaborators.find(params[:id])
     end

diff --git a/spec/requests/api/v1/collaborators_controller/index_spec.rb b/spec/requests/api/v1/collaborators_controller/index_spec.rb
@@ -5,11 +5,14 @@
 RSpec.describe Api::V1::CollaboratorsController, "#index", type: :request do
   describe "list all collaborators" do
     let!(:author) { FactoryBot.create(:user) }
-    let!(:project) { FactoryBot.create(:project, author: author) }
+    let!(:public_project) do
+      FactoryBot.create(:project, author: author, project_access_type: "Public")
+    end
+    let!(:private_project) { FactoryBot.create(:project, author: author) }
 
     context "when not authenticated" do
       before do
-        get "/api/v1/projects/#{project.id}/collaborators/", as: :json
+        get "/api/v1/projects/#{public_project.id}/collaborators/", as: :json
       end
 
       it "returns status unauthorized" do
@@ -31,14 +34,14 @@
       end
     end
 
-    context "when authorized to fetch project collaborators" do
+    context "when authorized to fetch project's collaborators which user has view access to" do
       before do
-        # create 3 collaborators for a project
+        # create 3 collaborators for a public project
         FactoryBot.create_list(:user, 3).each do |u|
-          FactoryBot.create(:collaboration, user: u, project: project)
+          FactoryBot.create(:collaboration, user: u, project: public_project)
         end
         token = get_auth_token(FactoryBot.create(:user))
-        get "/api/v1/projects/#{project.id}/collaborators/",
+        get "/api/v1/projects/#{public_project.id}/collaborators/",
             headers: { "Authorization": "Token #{token}" }, as: :json
       end
 
@@ -48,5 +51,22 @@
         expect(response.parsed_body["data"].length).to eq(3)
       end
     end
+
+    context "when fetching project's collaborators which user doesn't have view access to" do
+      before do
+        # create 3 collaborators for a private project
+        FactoryBot.create_list(:user, 3).each do |u|
+          FactoryBot.create(:collaboration, user: u, project: private_project)
+        end
+        token = get_auth_token(FactoryBot.create(:user))
+        get "/api/v1/projects/#{private_project.id}/collaborators/",
+            headers: { "Authorization": "Token #{token}" }, as: :json
+      end
+
+      it "returns status unauthorized" do
+        expect(response).to have_http_status(403)
+        expect(response.parsed_body).to have_jsonapi_errors
+      end
+    end
   end
 end