Force signin on API if the organization requires it (#5859)

* Force signin on API if the org requires it

* Add changelog

* Fix typo

* Fix class name

* Fix docs

* Add tests

* Lint code
mrcasals committed Mar 26, 2020
1 parent d463ce7 commit 544d3600aac64edc29942d7c9ee83383b2b6f544
@@ -36,6 +36,7 @@ After this, `Decidim::Proposals::ProposalEndorsement` and the corresponding coun
- **decidim-admin**: Fix: let components without step settings be added [\#5568](https://github.com/decidim/decidim/pull/5568)
- **decidim-proposals**: Fix proposals that have their state not published [\#5832](https://github.com/decidim/decidim/pull/5832)
- **decidim-core**: Fix missing tribute source map [\#5869](https://github.com/decidim/decidim/pull/5869)
- **decidim-api**: Force signin on API if the organization requires it [\#5859](https://github.com/decidim/decidim/pull/5859)
- **decidim-core**: Apply security patch for GHSA-65cv-r6x7-79hv [\#5896](https://github.com/decidim/decidim/pull/5896)

### Removed
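Review bot: the new `decidim-api` entry in this hunk describes the behaviour only in general terms; since the rest of this change redirects both the `/api` query endpoint and the `/graphiql` editor to the sign-in page when `force_users_to_authenticate_before_access_organization` is enabled, naming those two endpoints in the entry would tell integrators exactly what changes for them.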
@@ -8,6 +8,7 @@ class ApplicationController < ::DecidimController
include NeedsOrganization
include NeedsPermission
include ImpersonateUsers
include ForceAuthentication

register_permissions(::Decidim::Api::ApplicationController,
::Decidim::Permissions)
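Review bot: `include ForceAuthentication` here only covers controllers that inherit from `Decidim::Api::ApplicationController`; the `documentation#show` route touched in this same change is served by a controller that is not shown in the diff, so confirm it inherits from this class, otherwise `/api/docs` would remain reachable without signing in. Placing the include after `include NeedsOrganization` is the right order if the authentication check depends on `current_organization` having been resolved first; keep that ordering if these includes are ever rearranged.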
@@ -0,0 +1,16 @@
# frozen_string_literal: true

module Decidim
module Api
# Controller to serve the GraphiQL client. Used so that we can hook the
# `ForceAuthentication` module.
class GraphiQLController < ::GraphiQL::Rails::EditorsController
include NeedsOrganization
include ForceAuthentication

def self.controller_path
"graphiql/rails/editors"
end
end
end
end
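Review bot: the `self.controller_path` override is the non-obvious part of this file and deserves a comment saying why it is there: it keeps Rails resolving the editor's view templates under `graphiql/rails/editors` (the gem's own views) instead of looking for them under `decidim/api/graphiql`. A line such as `# Keep using the gem's views instead of looking under decidim/api/graphiql` above the method would spare the next reader the lookup. The include order (`NeedsOrganization` before `ForceAuthentication`) matches `ApplicationController`, which is what you want.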
@@ -1,7 +1,7 @@
# frozen_string_literal: true

Decidim::Api::Engine.routes.draw do
mount GraphiQL::Rails::Engine, at: "/graphiql", graphql_path: "/api", as: :graphiql
get "/graphiql", to: "graphiql#show", graphql_path: "/api", as: :graphiql
get "/docs", to: "documentation#show", as: :documentation
get "/", to: redirect("/api/docs")
post "/" => "queries#create", as: :root
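Review bot: `graphql_path: "/api"` moves from an option on the removed `mount` line to a route default on the new `get` line; both should reach the editor through its params, but since `Decidim::Api::GraphiQLController` now sits between the route and the gem's `EditorsController`, verify that the editor still posts its queries to `/api` (the "is able to execute the default query" example in the system spec is the place that would catch a wrong endpoint). Also confirm that `to: "graphiql#show"` resolves to `Decidim::Api::GraphiQLController` within the engine's namespace rather than to the gem's controller, or the `ForceAuthentication` include would be bypassed.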
@@ -7,8 +7,25 @@ module Api
describe QueriesController, type: :controller do
routes { Decidim::Api::Engine.routes }

let(:organization) { create :organization }

before do
request.env["decidim.current_organization"] = create(:organization)
request.env["decidim.current_organization"] = organization
end

context "when the organization has private access" do
let(:organization) do
create(
:organization,
force_users_to_authenticate_before_access_organization: true
)
end

it "doesn't accept queries" do
post :create, params: { query: "{ __schema { queryType { name } } }" }

expect(response).to redirect_to("/users/sign_in")
end
end

it "executes a query" do
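Review bot: the "doesn't accept queries" example asserts a redirect to `/users/sign_in`, which is what a browser expects but is surprising for API clients: a POST carrying a GraphQL query that is answered with a 302 to an HTML login page gives a script no machine-readable signal that authentication is required. Consider whether JSON requests should receive a 401 instead, and add an example for that format either way so the chosen behaviour is pinned down. Separately, the hard-coded `/users/sign_in` would be more robust as the sign-in route helper.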
@@ -14,6 +14,20 @@
visit decidim_api.graphiql_path
end

context "when the organization has private access" do
let(:organization) do
create(
:organization,
force_users_to_authenticate_before_access_organization: true
)
end

it "forces the user to login" do
expect(page).to have_current_path("/users/sign_in")
expect(page).to have_content("Please, login with your account before access")
end
end

it "is able to execute the default query" do
find(".execute-button").click
within ".result-window" do
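Review bot: `have_content("Please, login with your account before access")` in the "forces the user to login" example hard-codes a translated string, so the spec breaks on any copy change; matching the message through `I18n.t` with the key the flash uses would make it resilient. The `have_current_path("/users/sign_in")` assertion already proves the redirect on its own, so the content check is mainly documenting the flash message.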
