Merge pull request #10796 from tchak/fix-graphql-playground
graphql(playground): fix acl
This commit is contained in:
Paul Chavard
GitHub
commit
240640226a
2 changed files with 70 additions and 33 deletions
|
|
@ -12,7 +12,7 @@ class API::V2::BaseController < ApplicationController
|
||||||
before_action :authenticate_from_token
|
before_action :authenticate_from_token
|
||||||
before_action :ensure_authorized_network, if: -> { @api_token.present? }
|
before_action :ensure_authorized_network, if: -> { @api_token.present? }
|
||||||
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
|
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
|
||||||
before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
|
before_action :allow_only_persisted_queries, if: -> { @api_token.blank? && current_administrateur.blank? }
|
||||||
|
|
||||||
before_action do
|
before_action do
|
||||||
Current.browser = 'api'
|
Current.browser = 'api'
|
||||||
|
|
|
||||||
|
|
@ -10,52 +10,89 @@ describe API::V2::BaseController, type: :controller do
|
||||||
|
|
||||||
controller(API::V2::BaseController) { def fake_action = render(plain: 'Hello, World!') }
|
controller(API::V2::BaseController) { def fake_action = render(plain: 'Hello, World!') }
|
||||||
|
|
||||||
before do
|
describe 'with token' do
|
||||||
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
|
before do
|
||||||
valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
|
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
|
||||||
request.headers.merge!(valid_headers)
|
valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
|
||||||
request.remote_ip = remote_ip
|
request.headers.merge!(valid_headers)
|
||||||
end
|
request.remote_ip = remote_ip
|
||||||
|
|
||||||
describe 'GET #index' do
|
|
||||||
subject { get :fake_action }
|
|
||||||
|
|
||||||
context 'when no authorized networks are defined and the token is not expired' do
|
|
||||||
it { is_expected.to have_http_status(:ok) }
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the token is expired' do
|
describe 'GET #index' do
|
||||||
before do
|
subject { get :fake_action }
|
||||||
token.update!(expires_at: 1.day.ago)
|
|
||||||
|
context 'when no authorized networks are defined and the token is not expired' do
|
||||||
|
it { is_expected.to have_http_status(:ok) }
|
||||||
end
|
end
|
||||||
|
|
||||||
it { is_expected.to have_http_status(:unauthorized) }
|
context 'when the token is expired' do
|
||||||
end
|
before do
|
||||||
|
token.update!(expires_at: 1.day.ago)
|
||||||
|
end
|
||||||
|
|
||||||
context 'when this is precisely the day the token expires' do
|
it { is_expected.to have_http_status(:unauthorized) }
|
||||||
before do
|
|
||||||
token.update!(expires_at: Time.zone.today)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it { is_expected.to have_http_status(:ok) }
|
context 'when this is precisely the day the token expires' do
|
||||||
end
|
before do
|
||||||
|
token.update!(expires_at: Time.zone.today)
|
||||||
context 'when a single authorized network is defined' do
|
end
|
||||||
before do
|
|
||||||
token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'and the request comes from it' do
|
|
||||||
let(:remote_ip) { '192.168.1.23' }
|
|
||||||
|
|
||||||
it { is_expected.to have_http_status(:ok) }
|
it { is_expected.to have_http_status(:ok) }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'and the request does not come from it' do
|
context 'when a single authorized network is defined' do
|
||||||
let(:remote_ip) { '192.168.2.2' }
|
before do
|
||||||
|
token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'and the request comes from it' do
|
||||||
|
let(:remote_ip) { '192.168.1.23' }
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(:ok) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'and the request does not come from it' do
|
||||||
|
let(:remote_ip) { '192.168.2.2' }
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(:forbidden) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'with admin' do
|
||||||
|
before do
|
||||||
|
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
|
||||||
|
sign_in(admin.user)
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET #index' do
|
||||||
|
subject { get :fake_action }
|
||||||
|
|
||||||
|
context 'when admin is logged in' do
|
||||||
|
it { is_expected.to have_http_status(:ok) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'without token or admin' do
|
||||||
|
before do
|
||||||
|
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET #index' do
|
||||||
|
let(:params) { {} }
|
||||||
|
subject { get :fake_action, params: }
|
||||||
|
|
||||||
|
context 'without token and not logged in' do
|
||||||
it { is_expected.to have_http_status(:forbidden) }
|
it { is_expected.to have_http_status(:forbidden) }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with queryId' do
|
||||||
|
let(:params) { { queryId: '123' } }
|
||||||
|
it { is_expected.to have_http_status(:ok) }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue