DEV: Add support for allowed parameters in user api key scopes

Initially, this feature is only intended for use in core/plugins, so there is no API for requesting a parameter-scoped key. That may change in future.
David Taylor
2020-10-08 17:38:54 +01:00
parent 1cec333f48
commit 23e5c605f6
5 changed files with 53 additions and 7 deletions


@ -99,4 +99,33 @@ describe 'user api keys' do
expect(response.status).to eq(302)
end
it "can restrict scopes by parameters" do
admin = Fabricate(:admin)
calendar_key = Fabricate(:bookmarks_calendar_user_api_key, user: admin)
get "/u/#{user.username}/bookmarks.json", headers: {
HTTP_USER_API_KEY: calendar_key.key,
}
expect(response.status).to eq(403) # Does not allow json
get "/u/#{user.username}/bookmarks.ics", headers: {
HTTP_USER_API_KEY: calendar_key.key,
}
expect(response.status).to eq(200) # Allows ICS
# Now restrict the key
calendar_key.scopes.first.update(allowed_parameters: { username: admin.username })
get "/u/#{user.username}/bookmarks.ics", headers: {
HTTP_USER_API_KEY: calendar_key.key,
}
expect(response.status).to eq(403) # Cannot access another users calendar
get "/u/#{admin.username}/bookmarks.ics", headers: {
HTTP_USER_API_KEY: calendar_key.key,
}
expect(response.status).to eq(200) # Can access own calendar
end
end
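Review bot: The restricted-key assertions at the end of "can restrict scopes by parameters" try only an exact-match username and a clearly different one, so the test does not pin how `allowed_parameters` values are compared; the matching code is not visible in this hunk. If usernames in the URL are resolved case-insensitively (to be confirmed), add a request such as `get "/u/#{admin.username.upcase}/bookmarks.ics", headers: { HTTP_USER_API_KEY: calendar_key.key }` and assert whichever status is intended. The reason the key belongs to an admin should also be stated next to `Fabricate(:admin)`, e.g. `# admin can read any user's bookmarks, so the 403 after the update comes from the scope restriction`, if that is indeed the reason. The enclosing `describe` block starts outside the hunk.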