Merge pull request #2238 from bgeuken/anonymous_access

Anonymous access for orderkiwirepos API call
openSUSE · Oct 18, 2016 · b5dea42 · b5dea42
2 parents 18d112c + c9c4f0f
commit b5dea42
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 35 deletions.
diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb
@@ -19,10 +19,12 @@ class IllegalRequest < APIException
   validate_action update_project_meta: { request: :project, response: :status}
   validate_action update_package_meta: { request: :package, response: :status}
 
-  skip_before_action :extract_user, only: [:lastevents_public]
-  skip_before_action :require_login, only: [:lastevents_public]
+  skip_before_action :extract_user, only: [:lastevents_public, :global_command_orderkiwirepos]
+  skip_before_action :require_login, only: [:lastevents_public, :global_command_orderkiwirepos]
 
-  before_action :require_valid_project_name, except: [:index, :lastevents, :lastevents_public, :global_command]
+  before_action :require_valid_project_name, except: [ :index, :lastevents, :lastevents_public,
+                                                       :global_command_orderkiwirepos, :global_command_branch,
+                                                       :global_command_createmaintenanceincident ]
 
   class NoPermissionForDeleted < APIException
     setup 403, 'only admins can see deleted projects'
@@ -46,14 +48,6 @@ def index
     end
   end
 
-  # POST /source
-  def global_command
-    unless %w(createmaintenanceincident branch orderkiwirepos).include? params[:cmd]
-      raise UnknownCommandError.new "Unknown command '#{params[:cmd]}' for path #{request.path}"
-    end
-    dispatch_command(:global_command, params[:cmd])
-  end
-
   def projectlist
     # list all projects (visible to user)
     output = Rails.cache.fetch(['projectlist', Project.maximum(:updated_at), Relationship.forbidden_project_ids]) do
@@ -846,16 +840,6 @@ def lastevents
     volley_backend_path(path) unless forward_from_backend(path)
   end
 
-  private
-
-  class AttributeNotFound < APIException
-    setup 'not_found', 404
-  end
-
-  class ModifyProjectNoPermission < APIException
-    setup 403
-  end
-
   # POST /source?cmd=createmaintenanceincident
   def global_command_createmaintenanceincident
     # set defaults
@@ -870,6 +854,26 @@ def global_command_createmaintenanceincident
     actually_create_incident(prj)
   end
 
+  # POST /source?cmd=branch (aka osc mbranch)
+  def global_command_branch
+    private_branch_command
+  end
+
+  # POST /source?cmd=orderkiwirepos
+  def global_command_orderkiwirepos
+    pass_to_backend
+  end
+
+  private
+
+  class AttributeNotFound < APIException
+    setup 'not_found', 404
+  end
+
+  class ModifyProjectNoPermission < APIException
+    setup 403
+  end
+
   def actually_create_incident(project)
     unless User.current.can_modify_project?(project)
       raise ModifyProjectNoPermission, "no permission to modify project '#{project.name}'"
@@ -888,16 +892,6 @@ def actually_create_incident(project)
   class RepoDependency < APIException
   end
 
-  # POST /source?cmd=branch (aka osc mbranch)
-  def global_command_branch
-    private_branch_command
-  end
-
-  # POST /source?cmd=orderkiwirepos
-  def global_command_orderkiwirepos
-    pass_to_backend
-  end
-
   # create a id collection of all projects doing a project link to this one
   # POST /source/<project>?cmd=showlinked
   def project_command_showlinked

diff --git a/src/api/config/routes.rb b/src/api/config/routes.rb
@@ -637,7 +637,9 @@ def self.matches?(request)
 
   controller :source do
     get 'source' => :index
-    post 'source' => :global_command
+    post 'source' => :global_command_createmaintenanceincident, constraints: -> (req) { req.params[:cmd] == "createmaintenanceincident" }
+    post 'source' => :global_command_branch,                    constraints: -> (req) { req.params[:cmd] == "branch" }
+    post 'source' => :global_command_orderkiwirepos,            constraints: -> (req) { req.params[:cmd] == "orderkiwirepos" }
 
     # project level
     get 'source/:project' => :show_project, constraints: cons

diff --git a/src/api/test/functional/source_controller_test.rb b/src/api/test/functional/source_controller_test.rb
@@ -61,16 +61,25 @@ def test_get_packagelist
   end
 
   def test_post_orderkiwirepos
-    post '/source?cmd=orderkiwirepos'
-    assert_response 401
-
     login_tom
     post '/source?cmd=orderkiwirepos'
     assert_response 400
     assert_xml_tag tag: 'status', attributes: { code: "400", origin: "backend" }
     # api handed it over to backend, enough tested here
   end
 
+  def test_anonymous_access_for_global_commands
+    post '/source?cmd=orderkiwirepos'
+    # anonymous access allowed here, just forwarding the request to backend fails
+    assert_response 400
+
+    post '/source?cmd=createmaintenanceincident'
+    assert_response 401
+
+    post '/source/kde4?cmd=branch'
+    assert_response 401
+  end
+
   def test_get_packagelist_with_hidden_project
     login_tom
     get '/source/HiddenProject'