From 472bcbee9f86b9b8f4e10153f20850c623f84b82 Mon Sep 17 00:00:00 2001
From: sHtev
Date: Fri, 1 Apr 2022 10:53:16 +0000
Subject: [PATCH 1/7] Create draft PR for #50


From 4ba3c3a87a76b425fd5cba9360342e9e4939f56b Mon Sep 17 00:00:00 2001
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:25:53 +0100
Subject: [PATCH 2/7] ignore Mac metadata

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index f3acc7ce2..f7030f272 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@
 # or operating system, you probably want to add a global ignore instead:
 #   git config --global core.excludesfile '~/.gitignore_global'
 
+.DS_Store
+
 .env
 
 # Ignore bundler config.

From d597bd932732503ce9b2a22004e0a887e819dfdd Mon Sep 17 00:00:00 2001
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:27:14 +0100
Subject: [PATCH 3/7] tweak logic of base controller

---
 app/controllers/api_controller.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index fecf2da8c..13ab4543a 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -4,8 +4,8 @@ class ApiController < ActionController::API
   include OauthUser
 
   unless Rails.application.config.consider_all_requests_local
-    rescue_from ActiveRecord::RecordNotFound, with: -> { return404 }
-    rescue_from CanCan::AccessDenied, with: -> { return401 }
+    rescue_from ActiveRecord::RecordNotFound, with: -> { notfound }
+    rescue_from CanCan::AccessDenied, with: -> { denied }
   end
 
   private
@@ -19,11 +19,11 @@ def current_user
     oauth_user_id
   end
 
-  def return404
+  def notfound
     head :not_found
   end
 
-  def return401
-    head :unauthorized
+  def denied
+    head :forbidden
   end
 end

From d019e211304df71499c3810e88a646b37a80441b Mon Sep 17 00:00:00 2001
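Review bot: The zero-arity lambdas `-> { notfound }` and `-> { denied }` only forward to private methods; Rails' `rescue_from` accepts a method name directly, so `rescue_from ActiveRecord::RecordNotFound, with: :notfound` and `rescue_from CanCan::AccessDenied, with: :denied` express the same thing with one less level of indirection and make each handler discoverable by name. The surrounding `unless Rails.application.config.consider_all_requests_local` guard means these handlers are disabled in development, where an AccessDenied surfaces as an exception page rather than a 403; a one-line comment stating that intent, e.g. `# In production map lookup/authorization failures to bare status codes; locally let them raise for debugging.`, would stop the next reader from treating the guard as an oversight. The enclosing class continues outside the hunk.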
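Review bot: `denied` now answers CanCan::AccessDenied with 403, which is only correct if every request that reaches `authorize!` has already been authenticated; otherwise an anonymous caller would get 403 where 401 is expected, so this relies on the OauthUser concern (outside this hunk) rejecting missing or invalid credentials before the action runs, as the request specs in this series assume. That contract is worth recording on the handler, e.g. `# 403: the caller is authenticated (OauthUser has already answered anonymous requests with 401) but the Ability does not permit the action.`. Note also that answering 403 rather than 404 for an existing record confirms to any authenticated user that the identifier is valid; that is fine if identifiers are public, otherwise have `denied` call `notfound` instead.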
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:27:37 +0100
Subject: [PATCH 4/7] authorize on project update for image attach

---
 app/controllers/api/projects/images_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/api/projects/images_controller.rb b/app/controllers/api/projects/images_controller.rb
index 88b1b1ff8..e9c849caf 100644
--- a/app/controllers/api/projects/images_controller.rb
+++ b/app/controllers/api/projects/images_controller.rb
@@ -7,6 +7,7 @@ class ImagesController < ApiController
       def create
         @project = Project.find_by!(identifier: params[:project_id])
+        authorize! :update, @project
         @project.images.attach(params[:images])
         render '/api/projects/images', formats: [:json]
       end

From c2d065cff225d3614512acb57527850aa6d28e70 Mon Sep 17 00:00:00 2001
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:27:57 +0100
Subject: [PATCH 5/7] update tests and distinguish forbidden from unauthorized

---
 spec/request/projects/images_spec.rb | 16 ++++++++++++++--
 spec/request/projects/update_spec.rb |  4 ++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/spec/request/projects/images_spec.rb b/spec/request/projects/images_spec.rb
index c0d5fba69..8364be4a6 100644
--- a/spec/request/projects/images_spec.rb
+++ b/spec/request/projects/images_spec.rb
@@ -3,8 +3,8 @@
 require 'rails_helper'
 
 RSpec.describe 'Images requests', type: :request do
-  let!(:project) { create(:project) }
   let(:user_id) { 'e0675b6c-dc48-4cd6-8c04-0f7ac05af51a' }
+  let(:project) { create(:project, user_id: user_id) }
   let(:image_filename) { 'test_image_1.png' }
   let(:params) { { images: [fixture_file_upload(image_filename, 'image/png')] } }
   let(:expected_json) do
@@ -21,7 +21,7 @@
   describe 'create' do
     context 'when auth is correct' do
       before do
-        mock_oauth_user
+        mock_oauth_user(user_id)
       end
 
       it 'attaches file to project' do
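Review bot: `authorize! :update, @project` now guards the attach, but `@project.images.attach(params[:images])` still stores whatever the client sends: nothing visible in this hunk restricts the content type or size of the uploads, and ActiveStorage imposes no restriction by default, so a creator (or a caller with a stolen creator token) can park arbitrary files under a project and have them served back as "images"; a model-level validation may exist outside this hunk, but if it does not, filter before attaching, e.g. `uploads = Array(params[:images])` then `return head(:unprocessable_entity) unless uploads.all? { |f| f.respond_to?(:content_type) && f.content_type.to_s.start_with?('image/') }` and `@project.images.attach(uploads)`. The client-declared content type is spoofable, so treat that as a first filter and rely on ActiveStorage's own content-type identification for enforcement. `Array(...)` also keeps `attach` from raising when `images` is absent or a single value rather than an array. Finding the project before authorizing means a missing identifier yields 404 for everyone while an existing one yields 403 to non-creators, which confirms the identifier exists; acceptable if identifiers are public, otherwise respond 404 in both cases.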
@@ -47,6 +47,18 @@
       end
     end
 
+    context 'when authed user is not creator' do
+      
+      before do
+        mock_oauth_user
+      end
+      
+      it 'returns forbidden response' do
+        post "/api/projects/#{project.identifier}/images", params: params
+        expect(response.status).to eq(403)
+      end
+    end
+
     context 'when auth is invalid' do
       it 'returns unauthorized' do
         post "/api/projects/#{project.identifier}/images"
diff --git a/spec/request/projects/update_spec.rb b/spec/request/projects/update_spec.rb
index dcaaa422f..68ef58f39 100644
--- a/spec/request/projects/update_spec.rb
+++ b/spec/request/projects/update_spec.rb
@@ -68,9 +68,9 @@
         mock_oauth_user(user_id)
       end
 
-      it 'returns unauthorized response' do
+      it 'returns forbidden response' do
         put "/api/projects/#{project.identifier}", params: params
-        expect(response.status).to eq(401)
+        expect(response.status).to eq(403)
       end
     end
 

From 4ef2cb58ca00f9ce46a7a6935e793b6e1443891f Mon Sep 17 00:00:00 2001
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:30:31 +0100
Subject: [PATCH 6/7] rubocop

---
 spec/request/projects/images_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/request/projects/images_spec.rb b/spec/request/projects/images_spec.rb
index 8364be4a6..74941fb9b 100644
--- a/spec/request/projects/images_spec.rb
+++ b/spec/request/projects/images_spec.rb
@@ -48,11 +48,11 @@
     end
 
     context 'when authed user is not creator' do
-      
+
       before do
         mock_oauth_user
       end
-      
+
       it 'returns forbidden response' do
         post "/api/projects/#{project.identifier}/images", params: params
         expect(response.status).to eq(403)

From 6748c83f98714386775910807ec94765721ec98a Mon Sep 17 00:00:00 2001
From: Steve Gilroy
Date: Tue, 5 Apr 2022 11:32:10 +0100
Subject: [PATCH 7/7] rubocop

---
 spec/request/projects/images_spec.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spec/request/projects/images_spec.rb b/spec/request/projects/images_spec.rb
index 74941fb9b..132887ae3 100644
--- a/spec/request/projects/images_spec.rb
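Review bot: The new 'when authed user is not creator' example only asserts the 403 status, which does not prove the upload was prevented: the spec would still pass if `authorize!` ran after `attach`, or if the rescue handler fired after the side effect had already happened. Add `expect(project.reload.images).to be_empty` after the status assertion so the test pins the property the controller change exists to provide. The example also relies on `mock_oauth_user` with no argument picking an id that differs from `user_id`; passing an explicit distinct id, e.g. `mock_oauth_user(SecureRandom.uuid)`, makes that intent visible instead of depending on the helper's default.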
+++ b/spec/request/projects/images_spec.rb
@@ -48,7 +48,6 @@
     end
 
     context 'when authed user is not creator' do
-
       before do
         mock_oauth_user
       end