FEATURE: user API now contains scopes so permission is granular

previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer.
2025-05-21 18:12:32 +08:00 · 2016-10-14 16:05:27 +11:00
parent becff2de4d
commit f4f5524190
16 changed files with 164 additions and 75 deletions
--- a/spec/models/user_api_key_spec.rb
+++ b/spec/models/user_api_key_spec.rb
@ -0,0 +1,28 @@
+require 'rails_helper'
+
+describe UserApiKey do
+  context "#allow?" do
+    it "can look up permissions correctly" do
+      key = UserApiKey.new(scopes: ['message_bus', 'notifications'])
+
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(false)
+      expect(key.allow?("PATH_INFO" => "/message-bus/1234/poll", "REQUEST_METHOD" => "POST")).to eq(true)
+
+      expect(key.allow?("action_dispatch.request.path_parameters" => {:controller => "notifications", :action => "mark_read"},
+                        "PATH_INFO" => "/xyz", "REQUEST_METHOD" => "PUT")).to eq(true)
+
+
+      expect(key.allow?("action_dispatch.request.path_parameters" => {:controller => "user_api_keys", :action => "revoke"},
+                        "PATH_INFO" => "/xyz", "REQUEST_METHOD" => "POST")).to eq(true)
+
+    end
+
+    it "can allow blanket read" do
+
+      key = UserApiKey.new(scopes: ['read'])
+
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(false)
+    end
+  end
+end