Merge pull request #10796 from tchak/fix-graphql-playground

graphql(playground): fix acl
2024-09-13 13:33:50 +00:00 · 2024-09-13 13:33:50 +00:00 · 240640226a
commit 240640226a
parent 52610010b7 f00ba04fb9
2 changed files with 70 additions and 33 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -12,7 +12,7 @@ class API::V2::BaseController < ApplicationController
  before_action :authenticate_from_token
  before_action :ensure_authorized_network, if: -> { @api_token.present? }
  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
-  before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
+  before_action :allow_only_persisted_queries, if: -> { @api_token.blank? && current_administrateur.blank? }

  before_action do
    Current.browser = 'api'
--- a/spec/controllers/api/v2/base_controller_spec.rb
+++ b/spec/controllers/api/v2/base_controller_spec.rb
@ -10,6 +10,7 @@ describe API::V2::BaseController, type: :controller do

    controller(API::V2::BaseController) { def fake_action = render(plain: 'Hello, World!') }

+    describe 'with token' do
      before do
        routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
        valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
@ -59,4 +60,40 @@ describe API::V2::BaseController, type: :controller do
        end
      end
    end
+
+    describe 'with admin' do
+      before do
+        routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
+        sign_in(admin.user)
+      end
+
+      describe 'GET #index' do
+        subject { get :fake_action }
+
+        context 'when admin is logged in' do
+          it { is_expected.to have_http_status(:ok) }
+        end
+      end
+    end
+
+    describe 'without token or admin' do
+      before do
+        routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
+      end
+
+      describe 'GET #index' do
+        let(:params) { {} }
+        subject { get :fake_action, params: }
+
+        context 'without token and not logged in' do
+          it { is_expected.to have_http_status(:forbidden) }
+        end
+
+        context 'with queryId' do
+          let(:params) { { queryId: '123' } }
+          it { is_expected.to have_http_status(:ok) }
+        end
+      end
+    end
+  end
 end