FIX: add support for missing verbs in user api key

Previously "write" scope was missing put and delete verbs which should be allowed. Also closes: #6982
2025-05-22 06:41:25 +08:00 · 2019-02-13 15:49:25 +11:00
parent 1328a127ee
commit 641b079c78
2 changed files with 13 additions and 3 deletions
--- a/spec/models/user_api_key_spec.rb
+++ b/spec/models/user_api_key_spec.rb
@ -16,9 +16,20 @@ describe UserApiKey do

    end

+    it "can allow all correct scopes to write" do
+
+      key = UserApiKey.new(scopes: ["write"])
+
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PATCH")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "DELETE")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "POST")).to eq(true)
+    end
+
    it "can allow blanket read" do

-      key = UserApiKey.new(scopes: ['read'])
+      key = UserApiKey.new(scopes: ["read"])

      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(false)