Commit 6c0f66e47712fb719747e37dcfc2ec9c702749d3
Committed by
Rodrigo Souto
Rodrigo Souto
1 parent
c46ace11
Exists in
api_tasks
and in
4 other branches
api: prevent users to access forbidden articles
Showing
3 changed files
with
107 additions
and
13 deletions
Show diff stats
lib/api/helpers.rb
| @@ -47,6 +47,11 @@ module API | @@ -47,6 +47,11 @@ module API | ||
| 47 | end | 47 | end |
| 48 | end | 48 | end |
| 49 | 49 | ||
| 50 | + def find_article(articles, id) | ||
| 51 | + article = articles.find(id) | ||
| 52 | + article.display_to?(current_user.person) ? article : forbidden! | ||
| 53 | + end | ||
| 54 | + | ||
| 50 | def make_conditions_with_parameter(params = {}) | 55 | def make_conditions_with_parameter(params = {}) |
| 51 | conditions = {} | 56 | conditions = {} |
| 52 | from_date = DateTime.parse(params[:from]) if params[:from] | 57 | from_date = DateTime.parse(params[:from]) if params[:from] |
| @@ -64,9 +69,9 @@ module API | @@ -64,9 +69,9 @@ module API | ||
| 64 | conditions = make_conditions_with_parameter(params) | 69 | conditions = make_conditions_with_parameter(params) |
| 65 | 70 | ||
| 66 | if params[:reference_id] | 71 | if params[:reference_id] |
| 67 | - objects = object.send(method).send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).find(:all, :conditions => conditions, :limit => limit, :order => "created_at DESC") | 72 | + objects = object.send(method).send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).where(conditions).limit(limit).order("created_at DESC") |
| 68 | else | 73 | else |
| 69 | - objects = object.send(method).find(:all, :conditions => conditions, :limit => limit, :order => "created_at DESC") | 74 | + objects = object.send(method).where(conditions).limit(limit).order("created_at DESC") |
| 70 | end | 75 | end |
| 71 | objects | 76 | objects |
| 72 | end | 77 | end |
lib/api/v1/articles.rb
| @@ -19,30 +19,28 @@ module API | @@ -19,30 +19,28 @@ module API | ||
| 19 | # } | 19 | # } |
| 20 | get do | 20 | get do |
| 21 | articles = select_filtered_collection_of(environment, 'articles', params) | 21 | articles = select_filtered_collection_of(environment, 'articles', params) |
| 22 | + articles = articles.where(Article.display_filter(current_user.person, nil)[:conditions]) | ||
| 22 | present articles, :with => Entities::Article | 23 | present articles, :with => Entities::Article |
| 23 | end | 24 | end |
| 24 | 25 | ||
| 25 | desc "Return the article id" | 26 | desc "Return the article id" |
| 26 | get ':id' do | 27 | get ':id' do |
| 27 | - present environment.articles.find(params[:id]), :with => Entities::Article | 28 | + article = find_article(environment.articles, params[:id]) |
| 29 | + present article, :with => Entities::Article | ||
| 28 | end | 30 | end |
| 29 | 31 | ||
| 30 | get ':id/children' do | 32 | get ':id/children' do |
| 31 | - | ||
| 32 | - conditions = make_conditions_with_parameter(params) | ||
| 33 | - if params[:reference_id] | ||
| 34 | - articles = environment.articles.find(params[:id]).children.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).find(:all, :conditions => conditions, :limit => limit, :order => "created_at DESC") | ||
| 35 | - else | ||
| 36 | - articles = environment.articles.find(params[:id]).children.find(:all, :conditions => conditions, :limit => limit, :order => "created_at DESC") | ||
| 37 | - end | 33 | + article = find_article(environment.articles, params[:id]) |
| 34 | + articles = select_filtered_collection_of(article, 'children', params) | ||
| 35 | + articles = articles.where(Article.display_filter(current_user.person, nil)[:conditions]) | ||
| 38 | present articles, :with => Entities::Article | 36 | present articles, :with => Entities::Article |
| 39 | end | 37 | end |
| 40 | 38 | ||
| 41 | get ':id/children/:child_id' do | 39 | get ':id/children/:child_id' do |
| 42 | - present environment.articles.find(params[:id]).children.find(params[:child_id]), :with => Entities::Article | 40 | + article = find_article(environment.articles, params[:id]) |
| 41 | + present find_article(article.children, params[:child_id]), :with => Entities::Article | ||
| 43 | end | 42 | end |
| 44 | 43 | ||
| 45 | - | ||
| 46 | end | 44 | end |
| 47 | 45 | ||
| 48 | resource :communities do | 46 | resource :communities do |
| @@ -51,12 +49,14 @@ module API | @@ -51,12 +49,14 @@ module API | ||
| 51 | get do | 49 | get do |
| 52 | community = environment.communities.find(params[:community_id]) | 50 | community = environment.communities.find(params[:community_id]) |
| 53 | articles = select_filtered_collection_of(community, 'articles', params) | 51 | articles = select_filtered_collection_of(community, 'articles', params) |
| 52 | + articles = articles.where(Article.display_filter(current_user.person, community)[:conditions]) | ||
| 54 | present articles, :with => Entities::Article | 53 | present articles, :with => Entities::Article |
| 55 | end | 54 | end |
| 56 | 55 | ||
| 57 | get '/:id' do | 56 | get '/:id' do |
| 58 | community = environment.communities.find(params[:community_id]) | 57 | community = environment.communities.find(params[:community_id]) |
| 59 | - present community.articles.find(params[:id]), :with => Entities::Article | 58 | + article = find_article(community.articles, params[:id]) |
| 59 | + present article, :with => Entities::Article | ||
| 60 | end | 60 | end |
| 61 | 61 | ||
| 62 | # Example Request: | 62 | # Example Request: |
test/unit/api_test.rb
| @@ -59,6 +59,16 @@ class APITest < ActiveSupport::TestCase | @@ -59,6 +59,16 @@ class APITest < ActiveSupport::TestCase | ||
| 59 | assert_includes json["articles"].map { |a| a["id"] }, article.id | 59 | assert_includes json["articles"].map { |a| a["id"] }, article.id |
| 60 | end | 60 | end |
| 61 | 61 | ||
| 62 | + should 'not list forbidden article when listing articles' do | ||
| 63 | + person = fast_create(Person) | ||
| 64 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 65 | + assert !article.published? | ||
| 66 | + | ||
| 67 | + get "/api/v1/articles?#{params.to_query}" | ||
| 68 | + json = JSON.parse(last_response.body) | ||
| 69 | + assert_not_includes json['articles'].map {|a| a['id']}, article.id | ||
| 70 | + end | ||
| 71 | + | ||
| 62 | should 'return article by id' do | 72 | should 'return article by id' do |
| 63 | article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") | 73 | article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") |
| 64 | get "/api/v1/articles/#{article.id}?#{params.to_query}" | 74 | get "/api/v1/articles/#{article.id}?#{params.to_query}" |
| @@ -66,6 +76,15 @@ class APITest < ActiveSupport::TestCase | @@ -66,6 +76,15 @@ class APITest < ActiveSupport::TestCase | ||
| 66 | assert_equal article.id, json["article"]["id"] | 76 | assert_equal article.id, json["article"]["id"] |
| 67 | end | 77 | end |
| 68 | 78 | ||
| 79 | + should 'not return article if user has no permission to view it' do | ||
| 80 | + person = fast_create(Person) | ||
| 81 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 82 | + assert !article.published? | ||
| 83 | + | ||
| 84 | + get "/api/v1/articles/#{article.id}?#{params.to_query}" | ||
| 85 | + assert_equal 403, last_response.status | ||
| 86 | + end | ||
| 87 | + | ||
| 69 | should 'return comments of an article' do | 88 | should 'return comments of an article' do |
| 70 | article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") | 89 | article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") |
| 71 | article.comments.create!(:body => "some comment", :author => user.person) | 90 | article.comments.create!(:body => "some comment", :author => user.person) |
| @@ -104,4 +123,74 @@ class APITest < ActiveSupport::TestCase | @@ -104,4 +123,74 @@ class APITest < ActiveSupport::TestCase | ||
| 104 | assert_equal category.name, json["category"]["name"] | 123 | assert_equal category.name, json["category"]["name"] |
| 105 | end | 124 | end |
| 106 | 125 | ||
| 126 | + should 'return article by community' do | ||
| 127 | + community = fast_create(Community) | ||
| 128 | + article = fast_create(Article, :profile_id => community.id, :name => "Some thing") | ||
| 129 | + get "/api/v1/communities/#{community.id}/articles/#{article.id}?#{params.to_query}" | ||
| 130 | + json = JSON.parse(last_response.body) | ||
| 131 | + assert_equal article.id, json["article"]["id"] | ||
| 132 | + end | ||
| 133 | + | ||
| 134 | + should 'not return article by community if user has no permission to view it' do | ||
| 135 | + community = fast_create(Community) | ||
| 136 | + article = fast_create(Article, :profile_id => community.id, :name => "Some thing", :published => false) | ||
| 137 | + assert !article.published? | ||
| 138 | + | ||
| 139 | + get "/api/v1/communities/#{community.id}/articles/#{article.id}?#{params.to_query}" | ||
| 140 | + assert_equal 403, last_response.status | ||
| 141 | + end | ||
| 142 | + | ||
| 143 | + should 'not list forbidden article when listing articles by community' do | ||
| 144 | + community = fast_create(Community) | ||
| 145 | + article = fast_create(Article, :profile_id => community.id, :name => "Some thing", :published => false) | ||
| 146 | + assert !article.published? | ||
| 147 | + | ||
| 148 | + get "/api/v1/communities/#{community.id}/articles?#{params.to_query}" | ||
| 149 | + json = JSON.parse(last_response.body) | ||
| 150 | + assert_not_includes json['articles'].map {|a| a['id']}, article.id | ||
| 151 | + end | ||
| 152 | + | ||
| 153 | + should 'list article children' do | ||
| 154 | + article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") | ||
| 155 | + child1 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing") | ||
| 156 | + child2 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing") | ||
| 157 | + get "/api/v1/articles/#{article.id}/children?#{params.to_query}" | ||
| 158 | + json = JSON.parse(last_response.body) | ||
| 159 | + assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] } | ||
| 160 | + end | ||
| 161 | + | ||
| 162 | + should 'not list children of forbidden article' do | ||
| 163 | + person = fast_create(Person) | ||
| 164 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 165 | + child1 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing") | ||
| 166 | + child2 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing") | ||
| 167 | + get "/api/v1/articles/#{article.id}/children?#{params.to_query}" | ||
| 168 | + assert_equal 403, last_response.status | ||
| 169 | + end | ||
| 170 | + | ||
| 171 | + should 'not return child of forbidden article' do | ||
| 172 | + person = fast_create(Person) | ||
| 173 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 174 | + child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing") | ||
| 175 | + get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}" | ||
| 176 | + assert_equal 403, last_response.status | ||
| 177 | + end | ||
| 178 | + | ||
| 179 | + should 'not return private child' do | ||
| 180 | + person = fast_create(Person) | ||
| 181 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing") | ||
| 182 | + child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 183 | + get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}" | ||
| 184 | + assert_equal 403, last_response.status | ||
| 185 | + end | ||
| 186 | + | ||
| 187 | + should 'not list private child' do | ||
| 188 | + person = fast_create(Person) | ||
| 189 | + article = fast_create(Article, :profile_id => person.id, :name => "Some thing") | ||
| 190 | + child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false) | ||
| 191 | + get "/api/v1/articles/#{article.id}/children?#{params.to_query}" | ||
| 192 | + json = JSON.parse(last_response.body) | ||
| 193 | + assert_not_includes json['articles'].map {|a| a['id']}, child.id | ||
| 194 | + end | ||
| 195 | + | ||
| 107 | end | 196 | end |