cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Don't allow any abilities for inactive users

Browse source
This commit is contained in:
Tom Hughes 2022-12-23 16:25:03 +00:00
parent 445e8162e9
commit 9cb7a7b36b
5 changed files with 37 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.rubocop_todo.yml
View file

@ -65,7 +65,7 @@ Metrics/ClassLength:
# Offense count: 58
# Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods.
Metrics/CyclomaticComplexity:
Max: 25
Max: 26
# Offense count: 751
# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, AllowedMethods, AllowedPatterns, IgnoredMethods.
@ -80,7 +80,7 @@ Metrics/ParameterLists:
# Offense count: 57
# Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods.
Metrics/PerceivedComplexity:
Max: 26
Max: 27
# Offense count: 2495
# This cop supports safe autocorrection (--autocorrect).

2
app/abilities/ability.rb
View file

@ -33,7 +33,7 @@ class Ability
can [:history, :version], OldRelation
end
if user
if user&.active?
can :welcome, :site
can [:revoke, :authorize], :oauth
can [:show], :deletion

2
app/abilities/api_ability.rb
View file

@ -23,7 +23,7 @@ class ApiAbility
can [:history, :version], OldRelation
end
if user
if user&.active?
can :welcome, :site
can [:revoke, :authorize], :oauth

44
app/abilities/api_capability.rb
View file

@ -11,29 +11,31 @@ class ApiCapability
token.user
end
can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
can [:show, :data], Trace if scope?(token, :read_gpx)
can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
can [:details], User if scope?(token, :read_prefs)
can [:gpx_files], User if scope?(token, :read_gpx)
can [:index, :show], UserPreference if scope?(token, :read_prefs)
can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
if user&.active?
can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
can [:show, :data], Trace if scope?(token, :read_gpx)
can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
can [:details], User if scope?(token, :read_prefs)
can [:gpx_files], User if scope?(token, :read_gpx)
can [:index, :show], UserPreference if scope?(token, :read_prefs)
can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
if user&.terms_agreed?
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
can :create, ChangesetComment if scope?(token, :write_api)
can [:create, :update, :delete], Node if scope?(token, :write_api)
can [:create, :update, :delete], Way if scope?(token, :write_api)
can [:create, :update, :delete], Relation if scope?(token, :write_api)
end
if user.terms_agreed?
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
can :create, ChangesetComment if scope?(token, :write_api)
can [:create, :update, :delete], Node if scope?(token, :write_api)
can [:create, :update, :delete], Way if scope?(token, :write_api)
can [:create, :update, :delete], Relation if scope?(token, :write_api)
end
if user&.moderator?
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note if scope?(token, :write_notes)
if user&.terms_agreed?
can :redact, OldNode if scope?(token, :write_api)
can :redact, OldWay if scope?(token, :write_api)
can :redact, OldRelation if scope?(token, :write_api)
if user.moderator?
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note if scope?(token, :write_notes)
if user&.terms_agreed?
can :redact, OldNode if scope?(token, :write_api)
can :redact, OldWay if scope?(token, :write_api)
can :redact, OldRelation if scope?(token, :write_api)
end
end
end
end

28
test/abilities/api_capability_test.rb
View file

@ -2,19 +2,7 @@
require "test_helper"
class ApiCapabilityTest < ActiveSupport::TestCase
private
def tokens(*toks)
AccessToken.new do |token|
toks.each do |t|
token.public_send("#{t}=", true)
end
end
end
end
class ChangesetCommentApiCapabilityTest < ApiCapabilityTest
class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do
token = create(:access_token)
capability = ApiCapability.new token
@ -56,7 +44,7 @@ class ChangesetCommentApiCapabilityTest < ApiCapabilityTest
end
end
class NoteApiCapabilityTest < ApiCapabilityTest
class NoteApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do
token = create(:access_token)
capability = ApiCapability.new token
@ -98,7 +86,7 @@ class NoteApiCapabilityTest < ApiCapabilityTest
end
end
class UserApiCapabilityTest < ApiCapabilityTest
class UserApiCapabilityTest < ActiveSupport::TestCase
test "user preferences" do
# a user with no tokens
capability = ApiCapability.new nil
@ -107,13 +95,15 @@ class UserApiCapabilityTest < ApiCapabilityTest
end
# A user with empty tokens
capability = ApiCapability.new tokens
token = create(:access_token)
capability = ApiCapability.new token
[:index, :show, :update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference
end
capability = ApiCapability.new tokens(:allow_read_prefs)
token = create(:access_token, :allow_read_prefs => true)
capability = ApiCapability.new token
[:update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference
@ -123,7 +113,9 @@ class UserApiCapabilityTest < ApiCapabilityTest
assert capability.can? act, UserPreference
end
capability = ApiCapability.new tokens(:allow_write_prefs)
token = create(:access_token, :allow_write_prefs => true)
capability = ApiCapability.new token
[:index, :show].each do |act|
assert capability.cannot? act, UserPreference
end