cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge ApiCapability class into ApiAbility

Browse source
This commit is contained in:
Anton Khorev 2024-12-20 17:46:45 +03:00
parent e2904daf77
commit cdce867183
5 changed files with 65 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

45
app/abilities/api_ability.rb
View file

@ -3,12 +3,16 @@
class ApiAbility class ApiAbility
include CanCan::Ability include CanCan::Ability
def initialize(user) def initialize(token)
can :read, [:version, :capability, :permission, :map] can :read, [:version, :capability, :permission, :map]
if Settings.status != "database_offline" if Settings.status != "database_offline"
user = User.find(token.resource_owner_id) if token
can [:read, :feed, :search], Note
can :create, Note unless token
can [:read, :download], Changeset can [:read, :download], Changeset
can [:read, :create, :feed, :search], Note
can :read, Tracepoint can :read, Tracepoint
can :read, User can :read, User
can :read, Node can :read, Node
@ -18,22 +22,33 @@ class ApiAbility
can :read, UserBlock can :read, UserBlock
if user&.active? if user&.active?
can [:comment, :close, :reopen], Note can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
can [:read, :create, :update, :destroy], Trace can [:create, :destroy], NoteSubscription if scope?(token, :write_notes)
can [:details, :gpx_files], User
can [:read, :update, :update_all, :destroy], UserPreference can :read, Trace if scope?(token, :read_gpx)
can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
can :details, User if scope?(token, :read_prefs)
can :gpx_files, User if scope?(token, :read_gpx)
can :read, UserPreference if scope?(token, :read_prefs)
can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
can [:inbox, :outbox, :read, :update, :destroy], Message if scope?(token, :consume_messages)
can :create, Message if scope?(token, :send_messages)
if user.terms_agreed? if user.terms_agreed?
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
can :create, ChangesetComment can :create, ChangesetComment if scope?(token, :write_api)
can [:create, :update, :delete], [Node, Way, Relation] can [:create, :update, :delete], [Node, Way, Relation] if scope?(token, :write_api)
end end
if user.moderator? if user.moderator?
can [:destroy, :restore], ChangesetComment can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note
can :redact, [OldNode, OldWay, OldRelation] if user.terms_agreed? can :destroy, Note if scope?(token, :write_notes)
can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scope?(token, :write_redactions)
end end
end end
end end
@ -65,4 +80,10 @@ class ApiAbility
# See the wiki for details: # See the wiki for details:
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end end
private
def scope?(token, scope)
token&.includes_scope?(scope)
end
end end

42
app/abilities/api_capability.rb
View file

@ -1,42 +0,0 @@
# frozen_string_literal: true
class ApiCapability
include CanCan::Ability
def initialize(token)
if Settings.status != "database_offline"
user = User.find(token.resource_owner_id)
if user&.active?
can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
can [:create, :destroy], NoteSubscription if scope?(token, :write_notes)
can [:read, :data], Trace if scope?(token, :read_gpx)
can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
can [:details], User if scope?(token, :read_prefs)
can [:gpx_files], User if scope?(token, :read_gpx)
can :read, UserPreference if scope?(token, :read_prefs)
can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
can [:inbox, :outbox, :read, :update, :destroy], Message if scope?(token, :consume_messages)
can [:create], Message if scope?(token, :send_messages)
if user.terms_agreed?
can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
can :create, ChangesetComment if scope?(token, :write_api)
can [:create, :update, :delete], [Node, Way, Relation] if scope?(token, :write_api)
end
if user.moderator?
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note if scope?(token, :write_notes)
can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scope?(token, :write_redactions)
end
end
end
end
private
def scope?(token, scope)
token&.includes_scope?(scope)
end
end

4
app/controllers/api_controller.rb
View file

@ -65,9 +65,9 @@ class ApiController < ApplicationController
def current_ability def current_ability
# Use capabilities from the oauth token if it exists and is a valid access token # Use capabilities from the oauth token if it exists and is a valid access token
if doorkeeper_token&.accessible? if doorkeeper_token&.accessible?
ApiAbility.new(nil).merge(ApiCapability.new(doorkeeper_token)) ApiAbility.new(doorkeeper_token)
else else
ApiAbility.new(current_user) ApiAbility.new(nil)
end end
end end

6
test/abilities/api_abilities_test.rb
View file

@ -21,7 +21,8 @@ end
class UserApiAbilityTest < ApiAbilityTest class UserApiAbilityTest < ApiAbilityTest
test "Note permissions" do test "Note permissions" do
ability = ApiAbility.new create(:user) token = create(:oauth_access_token, :scopes => %w[write_notes])
ability = ApiAbility.new token
[:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action| [:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action|
assert ability.can?(action, Note), "should be able to #{action} Notes" assert ability.can?(action, Note), "should be able to #{action} Notes"
@ -35,7 +36,8 @@ end
class ModeratorApiAbilityTest < ApiAbilityTest class ModeratorApiAbilityTest < ApiAbilityTest
test "Note permissions" do test "Note permissions" do
ability = ApiAbility.new create(:moderator_user) token = create(:oauth_access_token, :scopes => %w[write_notes], :resource_owner_id => create(:moderator_user).id)
ability = ApiAbility.new token
[:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action| [:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action|
assert ability.can?(action, Note), "should be able to #{action} Notes" assert ability.can?(action, Note), "should be able to #{action} Notes"

52
test/abilities/api_capability_test.rb
View file

@ -5,41 +5,41 @@ require "test_helper"
class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase class ChangesetCommentApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do test "as a normal user with permissionless token" do
token = create(:oauth_access_token) token = create(:oauth_access_token)
capability = ApiCapability.new token ability = ApiAbility.new token
[:create, :destroy, :restore].each do |action| [:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment assert ability.cannot? action, ChangesetComment
end end
end end
test "as a normal user with write_api token" do test "as a normal user with write_api token" do
token = create(:oauth_access_token, :scopes => %w[write_api]) token = create(:oauth_access_token, :scopes => %w[write_api])
capability = ApiCapability.new token ability = ApiAbility.new token
[:destroy, :restore].each do |action| [:destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment assert ability.cannot? action, ChangesetComment
end end
[:create].each do |action| [:create].each do |action|
assert capability.can? action, ChangesetComment assert ability.can? action, ChangesetComment
end end
end end
test "as a moderator with permissionless token" do test "as a moderator with permissionless token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id) token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id)
capability = ApiCapability.new token ability = ApiAbility.new token
[:create, :destroy, :restore].each do |action| [:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment assert ability.cannot? action, ChangesetComment
end end
end end
test "as a moderator with write_api token" do test "as a moderator with write_api token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_api]) token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_api])
capability = ApiCapability.new token ability = ApiAbility.new token
[:create, :destroy, :restore].each do |action| [:create, :destroy, :restore].each do |action|
assert capability.can? action, ChangesetComment assert ability.can? action, ChangesetComment
end end
end end
end end
@ -47,41 +47,41 @@ end
class NoteApiCapabilityTest < ActiveSupport::TestCase class NoteApiCapabilityTest < ActiveSupport::TestCase
test "as a normal user with permissionless token" do test "as a normal user with permissionless token" do
token = create(:oauth_access_token) token = create(:oauth_access_token)
capability = ApiCapability.new token ability = ApiAbility.new token
[:create, :comment, :close, :reopen, :destroy].each do |action| [:create, :comment, :close, :reopen, :destroy].each do |action|
assert capability.cannot? action, Note assert ability.cannot? action, Note
end end
end end
test "as a normal user with write_notes token" do test "as a normal user with write_notes token" do
token = create(:oauth_access_token, :scopes => %w[write_notes]) token = create(:oauth_access_token, :scopes => %w[write_notes])
capability = ApiCapability.new token ability = ApiAbility.new token
[:destroy].each do |action| [:destroy].each do |action|
assert capability.cannot? action, Note assert ability.cannot? action, Note
end end
[:create, :comment, :close, :reopen].each do |action| [:create, :comment, :close, :reopen].each do |action|
assert capability.can? action, Note assert ability.can? action, Note
end end
end end
test "as a moderator with permissionless token" do test "as a moderator with permissionless token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id) token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id)
capability = ApiCapability.new token ability = ApiAbility.new token
[:destroy].each do |action| [:destroy].each do |action|
assert capability.cannot? action, Note assert ability.cannot? action, Note
end end
end end
test "as a moderator with write_notes token" do test "as a moderator with write_notes token" do
token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_notes]) token = create(:oauth_access_token, :resource_owner_id => create(:moderator_user).id, :scopes => %w[write_notes])
capability = ApiCapability.new token ability = ApiAbility.new token
[:destroy].each do |action| [:destroy].each do |action|
assert capability.can? action, Note assert ability.can? action, Note
end end
end end
end end
@ -90,32 +90,32 @@ class UserApiCapabilityTest < ActiveSupport::TestCase
test "user preferences" do test "user preferences" do
# A user with empty tokens # A user with empty tokens
token = create(:oauth_access_token) token = create(:oauth_access_token)
capability = ApiCapability.new token ability = ApiAbility.new token
[:index, :show, :update_all, :update, :destroy].each do |act| [:index, :show, :update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference assert ability.cannot? act, UserPreference
end end
token = create(:oauth_access_token, :scopes => %w[read_prefs]) token = create(:oauth_access_token, :scopes => %w[read_prefs])
capability = ApiCapability.new token ability = ApiAbility.new token
[:update_all, :update, :destroy].each do |act| [:update_all, :update, :destroy].each do |act|
assert capability.cannot? act, UserPreference assert ability.cannot? act, UserPreference
end end
[:index, :show].each do |act| [:index, :show].each do |act|
assert capability.can? act, UserPreference assert ability.can? act, UserPreference
end end
token = create(:oauth_access_token, :scopes => %w[write_prefs]) token = create(:oauth_access_token, :scopes => %w[write_prefs])
capability = ApiCapability.new token ability = ApiAbility.new token
[:index, :show].each do |act| [:index, :show].each do |act|
assert capability.cannot? act, UserPreference assert ability.cannot? act, UserPreference
end end
[:update_all, :update, :destroy].each do |act| [:update_all, :update, :destroy].each do |act|
assert capability.can? act, UserPreference assert ability.can? act, UserPreference
end end
end end
end end