DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

graphql(playground): fix acl

Browse source
This commit is contained in:
Paul Chavard 2024-09-13 14:27:59 +02:00
parent 52610010b7
commit f00ba04fb9
No known key found for this signature in database
2 changed files with 70 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/api/v2/base_controller.rb
View file

@ -12,7 +12,7 @@ class API::V2::BaseController < ApplicationController
before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? }
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
before_action :allow_only_persisted_queries, if: -> { @api_token.blank? && current_administrateur.blank? }
before_action do
Current.browser = 'api'

101
spec/controllers/api/v2/base_controller_spec.rb
View file

@ -10,52 +10,89 @@ describe API::V2::BaseController, type: :controller do
controller(API::V2::BaseController) { def fake_action = render(plain: 'Hello, World!') }
before do
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
request.headers.merge!(valid_headers)
request.remote_ip = remote_ip
end
describe 'GET #index' do
subject { get :fake_action }
context 'when no authorized networks are defined and the token is not expired' do
it { is_expected.to have_http_status(:ok) }
describe 'with token' do
before do
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
valid_headers = { 'Authorization' => "Bearer token=#{bearer}" }
request.headers.merge!(valid_headers)
request.remote_ip = remote_ip
end
context 'when the token is expired' do
before do
token.update!(expires_at: 1.day.ago)
describe 'GET #index' do
subject { get :fake_action }
context 'when no authorized networks are defined and the token is not expired' do
it { is_expected.to have_http_status(:ok) }
end
it { is_expected.to have_http_status(:unauthorized) }
end
context 'when the token is expired' do
before do
token.update!(expires_at: 1.day.ago)
end
context 'when this is precisely the day the token expires' do
before do
token.update!(expires_at: Time.zone.today)
it { is_expected.to have_http_status(:unauthorized) }
end
it { is_expected.to have_http_status(:ok) }
end
context 'when a single authorized network is defined' do
before do
token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])
end
context 'and the request comes from it' do
let(:remote_ip) { '192.168.1.23' }
context 'when this is precisely the day the token expires' do
before do
token.update!(expires_at: Time.zone.today)
end
it { is_expected.to have_http_status(:ok) }
end
context 'and the request does not come from it' do
let(:remote_ip) { '192.168.2.2' }
context 'when a single authorized network is defined' do
before do
token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])
end
context 'and the request comes from it' do
let(:remote_ip) { '192.168.1.23' }
it { is_expected.to have_http_status(:ok) }
end
context 'and the request does not come from it' do
let(:remote_ip) { '192.168.2.2' }
it { is_expected.to have_http_status(:forbidden) }
end
end
end
end
describe 'with admin' do
before do
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
sign_in(admin.user)
end
describe 'GET #index' do
subject { get :fake_action }
context 'when admin is logged in' do
it { is_expected.to have_http_status(:ok) }
end
end
end
describe 'without token or admin' do
before do
routes.draw { get 'fake_action' => 'api/v2/base#fake_action' }
end
describe 'GET #index' do
let(:params) { {} }
subject { get :fake_action, params: }
context 'without token and not logged in' do
it { is_expected.to have_http_status(:forbidden) }
end
context 'with queryId' do
let(:params) { { queryId: '123' } }
it { is_expected.to have_http_status(:ok) }
end
end
end
end