Prevent unauthenticated users commenting on notes via the API

2023-11-23 16:46:36 +00:00 · 2023-11-23 16:46:36 +00:00 · efd2b92a80
commit efd2b92a80
parent 5d916975db
2 changed files with 4 additions and 4 deletions
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@ -12,7 +12,7 @@ class ApiAbility

    if Settings.status != "database_offline"
      can [:show, :download, :query], Changeset
-      can [:index, :create, :comment, :feed, :show, :search], Note
+      can [:index, :create, :feed, :show, :search], Note
      can :index, Tracepoint
      can [:index, :show], User
      can [:index, :show], Node
@ -31,7 +31,7 @@ class ApiAbility
      if Settings.status != "database_offline"
        can [:index, :new, :create, :show, :edit, :update, :destroy], ClientApplication
        can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
-        can [:close, :reopen], Note
+        can [:comment, :close, :reopen], Note
        can [:new, :create], Report
        can [:create, :show, :update, :destroy, :data], Trace
        can [:details, :gpx_files], User
--- a/test/abilities/api_abilities_test.rb
+++ b/test/abilities/api_abilities_test.rb
@ -9,11 +9,11 @@ class GuestApiAbilityTest < ApiAbilityTest
  test "note permissions for a guest" do
    ability = ApiAbility.new nil

-    [:index, :create, :comment, :feed, :show, :search].each do |action|
+    [:index, :create, :feed, :show, :search].each do |action|
      assert ability.can?(action, Note), "should be able to #{action} Notes"
    end

-    [:close, :reopen, :destroy].each do |action|
+    [:comment, :close, :reopen, :destroy].each do |action|
      assert ability.cannot?(action, Note), "should not be able to #{action} Notes"
    end
  end