Skip blocks check when getting active blocks list

2025-01-01 05:31:05 +03:00 · 2025-01-01 05:31:05 +03:00 · 9ec7e8c888
commit 9ec7e8c888
parent 6d558003aa
3 changed files with 39 additions and 11 deletions
--- a/app/controllers/api/user_blocks/active_lists_controller.rb
+++ b/app/controllers/api/user_blocks/active_lists_controller.rb
@ -1,7 +1,7 @@
 module Api
  module UserBlocks
    class ActiveListsController < ApiController
-      before_action :authorize
+      before_action -> { authorize(:skip_blocks => true) }

      authorize_resource :class => :active_user_blocks_list

--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -49,9 +49,9 @@ class ApiController < ApplicationController
    end
  end

-  def authorize(errormessage: "Couldn't authenticate you", skip_terms: false)
+  def authorize(errormessage: "Couldn't authenticate you", skip_blocks: false, skip_terms: false)
    # make the current_user object from any auth sources we have
-    setup_user_auth(:skip_terms => skip_terms)
+    setup_user_auth(:skip_blocks => skip_blocks, :skip_terms => skip_terms)

    # handle authenticate pass/fail
    unless current_user
@ -99,7 +99,7 @@ class ApiController < ApplicationController
  # sets up the current_user for use by other methods. this is mostly called
  # from the authorize method, but can be called elsewhere if authorisation
  # is optional.
-  def setup_user_auth(skip_terms: false)
+  def setup_user_auth(skip_blocks: false, skip_terms: false)
    logger.info " setup_user_auth"
    # try and setup using OAuth
    self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?
@ -107,6 +107,7 @@ class ApiController < ApplicationController
    # have we identified the user?
    if current_user
      # check if the user has been banned
+      unless skip_blocks
        user_block = current_user.blocks.active.take
        unless user_block.nil?
          set_locale
@ -116,6 +117,7 @@ class ApiController < ApplicationController
            report_error t("application.setup_user_auth.blocked"), :forbidden
          end
        end
+      end

      # if the user hasn't seen the contributor terms then don't
      # allow editing - they have to go to the web site and see
--- a/test/controllers/api/user_blocks/active_lists_controller_test.rb
+++ b/test/controllers/api/user_blocks/active_lists_controller_test.rb
@ -38,6 +38,32 @@ module Api
        assert_response :success
        assert_dom "user_block", :count => 0
      end
+
+      def test_show
+        user = create(:moderator_user)
+        user_auth_header = bearer_authorization_header(user, :scopes => %w[read_prefs])
+        create(:user_block, :expired, :user => user)
+        block0 = create(:user_block, :user => user)
+        block1 = create(:user_block, :user => user)
+        create(:user_block)
+        create(:user_block, :creator => user)
+
+        get api_user_blocks_active_list_path, :headers => user_auth_header
+        assert_response :success
+      end
+
+      def test_show_json
+        user = create(:moderator_user)
+        user_auth_header = bearer_authorization_header(user, :scopes => %w[read_prefs])
+        create(:user_block, :expired, :user => user)
+        block0 = create(:user_block, :user => user)
+        block1 = create(:user_block, :user => user)
+        create(:user_block)
+        create(:user_block, :creator => user)
+
+        get api_user_blocks_active_list_path(:format => "json"), :headers => user_auth_header
+        assert_response :success
+      end
    end
  end
 end