From f00ba04fb91b3eced37317e11670bf8ff4ba52cd Mon Sep 17 00:00:00 2001
From: Paul Chavard
Date: Fri, 13 Sep 2024 14:27:59 +0200
Subject: [PATCH] graphql(playground): fix acl
---
 app/controllers/api/v2/base_controller.rb | 2 +-
 .../api/v2/base_controller_spec.rb | 101 ++++++++++++------
 2 files changed, 70 insertions(+), 33 deletions(-)
diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index d30c92b39..abc0e6722 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -12,7 +12,7 @@ class API::V2::BaseController < ApplicationController
 before_action :authenticate_from_token
 before_action :ensure_authorized_network, if: -> { @api_token.present? }
 before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
- before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
+ before_action :allow_only_persisted_queries, if: -> { @api_token.blank? && current_administrateur.blank? }
 before_action do
 Current.browser = 'api'
diff --git a/spec/controllers/api/v2/base_controller_spec.rb b/spec/controllers/api/v2/base_controller_spec.rb
index 3fb34d4d8..4a98d4948 100644
--- a/spec/controllers/api/v2/base_controller_spec.rb
+++ b/spec/controllers/api/v2/base_controller_spec.rb
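Review bot: The new condition `@api_token.blank? && current_administrateur.blank?` lets an administrateur's browser session bypass `allow_only_persisted_queries`, so arbitrary non-persisted queries are now accepted on a cookie-authenticated path; whether this controller keeps Rails forgery protection is not visible in the hunk, and if it is skipped for bearer-token clients (as token APIs often do) the session-authenticated branch needs CSRF protection restored or the playground served from a controller that has it. The other filters (`ensure_authorized_network`, `ensure_token_is_not_expired`) stay keyed on `@api_token.present?`, so none of the token-based limits apply on the session path, which is presumably intended but deserves a comment. The lambda is now long enough for a named predicate carrying that rationale: `before_action :allow_only_persisted_queries, unless: :token_or_administrateur?` with a private `def token_or_administrateur? = @api_token.present? || current_administrateur.present?`. The before_action list continues outside the hunk.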
@@ -10,52 +10,89 @@ describe API::V2::BaseController, type: :controller do controller(API::V2::BaseController) { def fake_action = render(plain: 'Hello, World!') } - before do - routes.draw { get 'fake_action' => 'api/v2/base#fake_action' } - valid_headers = { 'Authorization' => "Bearer token=#{bearer}" } - request.headers.merge!(valid_headers) - request.remote_ip = remote_ip - end - - describe 'GET #index' do - subject { get :fake_action } - - context 'when no authorized networks are defined and the token is not expired' do - it { is_expected.to have_http_status(:ok) } + describe 'with token' do + before do + routes.draw { get 'fake_action' => 'api/v2/base#fake_action' } + valid_headers = { 'Authorization' => "Bearer token=#{bearer}" } + request.headers.merge!(valid_headers) + request.remote_ip = remote_ip end - context 'when the token is expired' do - before do - token.update!(expires_at: 1.day.ago) + describe 'GET #index' do + subject { get :fake_action } + + context 'when no authorized networks are defined and the token is not expired' do + it { is_expected.to have_http_status(:ok) } end - it { is_expected.to have_http_status(:unauthorized) } - end + context 'when the token is expired' do + before do + token.update!(expires_at: 1.day.ago) + end - context 'when this is precisely the day the token expires' do - before do - token.update!(expires_at: Time.zone.today) + it { is_expected.to have_http_status(:unauthorized) } end - it { is_expected.to have_http_status(:ok) } - end - - context 'when a single authorized network is defined' do - before do - token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')]) - end - - context 'and the request comes from it' do - let(:remote_ip) { '192.168.1.23' } + context 'when this is precisely the day the token expires' do + before do + token.update!(expires_at: Time.zone.today) + end it { is_expected.to have_http_status(:ok) } end - context 'and the request does not come from it' do - let(:remote_ip) { '192.168.2.2' } + 
context 'when a single authorized network is defined' do + before do + token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')]) + end + context 'and the request comes from it' do + let(:remote_ip) { '192.168.1.23' } + + it { is_expected.to have_http_status(:ok) } + end + + context 'and the request does not come from it' do + let(:remote_ip) { '192.168.2.2' } + + it { is_expected.to have_http_status(:forbidden) } + end + end + end + end + + describe 'with admin' do + before do + routes.draw { get 'fake_action' => 'api/v2/base#fake_action' } + sign_in(admin.user) + end + + describe 'GET #index' do + subject { get :fake_action } + + context 'when admin is logged in' do + it { is_expected.to have_http_status(:ok) } + end + end + end + + describe 'without token or admin' do + before do + routes.draw { get 'fake_action' => 'api/v2/base#fake_action' } + end + + describe 'GET #index' do + let(:params) { {} } + subject { get :fake_action, params: } + + context 'without token and not logged in' do it { is_expected.to have_http_status(:forbidden) } end + + context 'with queryId' do + let(:params) { { queryId: '123' } } + it { is_expected.to have_http_status(:ok) } + end end end end
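Review bot: The new 'with admin' group covers only a signed-in administrateur, but the controller change keys the ACL on `current_administrateur.blank?`, so a signed-in user who is not an administrateur — the case the condition is meant to keep restricted — has no example; add a context under 'GET #index' that signs in such a user without a bearer token and asserts `have_http_status(:forbidden)`. The 'with queryId' example expects :ok for `queryId: '123'` with neither token nor session, which pins that `allow_only_persisted_queries` gates on the parameter's presence rather than on the id resolving to a persisted query; if that is intended, a one-line comment on the example saying so stops a reader from taking it for a regression, and if not, the example should use an id that is actually persisted (the filter body is outside this diff). The `routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }` line is now repeated in three `before` blocks; one top-level `before` keeps the three groups aligned.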