MetuFSS
/
metu.life
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove API authentication for public statuses (after review) (#1919)

Browse Source
master
happycoloredbanana 7 years ago committed by Eugen
parent 3ed219f907
commit 0a7588282a
2 changed files with 236 additions and 121 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 7
      app/controllers/api/v1/statuses_controller.rb
  2. 110
      spec/controllers/api/v1/statuses_controller_spec.rb

7
app/controllers/api/v1/statuses_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::StatusesController < ApiController class Api::V1::StatusesController < ApiController
before_action -> { doorkeeper_authorize! :read }, except: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite] before_action :authorize_if_got_token, except: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite]
before_action -> { doorkeeper_authorize! :write }, only: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite] before_action -> { doorkeeper_authorize! :write }, only: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite]
before_action :require_user!, except: [:show, :context, :card, :reblogged_by, :favourited_by] before_action :require_user!, except: [:show, :context, :card, :reblogged_by, :favourited_by]
before_action :set_status, only: [:show, :context, :card, :reblogged_by, :favourited_by] before_action :set_status, only: [:show, :context, :card, :reblogged_by, :favourited_by]
@ -114,4 +114,9 @@ class Api::V1::StatusesController < ApiController
def pagination_params(core_params) def pagination_params(core_params)
params.permit(:limit).merge(core_params) params.permit(:limit).merge(core_params)
end end
def authorize_if_got_token
request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods)
doorkeeper_authorize! :read if request_token
end
end end

110
spec/controllers/api/v1/statuses_controller_spec.rb
Unescape View File

@ -7,6 +7,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do
let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
let(:token) { double acceptable?: true, resource_owner_id: user.id, application: app } let(:token) { double acceptable?: true, resource_owner_id: user.id, application: app }
context 'with an oauth token' do
before do before do
allow(controller).to receive(:doorkeeper_token) { token } allow(controller).to receive(:doorkeeper_token) { token }
end end
@ -182,4 +183,113 @@ RSpec.describe Api::V1::StatusesController, type: :controller do
expect(user.account.favourited?(status)).to be false expect(user.account.favourited?(status)).to be false
end end
end end
end
context 'without an oauth token' do
before do
allow(controller).to receive(:doorkeeper_token) { nil }
end
context 'with a private status' do
let(:status) { Fabricate(:status, account: user.account, visibility: :private) }
describe 'GET #show' do
it 'returns http unautharized' do
get :show, params: { id: status.id }
expect(response).to have_http_status(:missing)
end
end
describe 'GET #context' do
before do
Fabricate(:status, account: user.account, thread: status)
end
it 'returns http unautharized' do
get :context, params: { id: status.id }
expect(response).to have_http_status(:missing)
end
end
describe 'GET #card' do
it 'returns http unautharized' do
get :card, params: { id: status.id }
expect(response).to have_http_status(:missing)
end
end
describe 'GET #reblogged_by' do
before do
post :reblog, params: { id: status.id }
end
it 'returns http unautharized' do
get :reblogged_by, params: { id: status.id }
expect(response).to have_http_status(:missing)
end
end
describe 'GET #favourited_by' do
before do
post :favourite, params: { id: status.id }
end
it 'returns http unautharized' do
get :favourited_by, params: { id: status.id }
expect(response).to have_http_status(:missing)
end
end
end
context 'with a public status' do
let(:status) { Fabricate(:status, account: user.account, visibility: :public) }
describe 'GET #show' do
it 'returns http success' do
get :show, params: { id: status.id }
expect(response).to have_http_status(:success)
end
end
describe 'GET #context' do
before do
Fabricate(:status, account: user.account, thread: status)
end
it 'returns http success' do
get :context, params: { id: status.id }
expect(response).to have_http_status(:success)
end
end
describe 'GET #card' do
it 'returns http success' do
get :card, params: { id: status.id }
expect(response).to have_http_status(:success)
end
end
describe 'GET #reblogged_by' do
before do
post :reblog, params: { id: status.id }
end
it 'returns http success' do
get :reblogged_by, params: { id: status.id }
expect(response).to have_http_status(:success)
end
end
describe 'GET #favourited_by' do
before do
post :favourite, params: { id: status.id }
end
it 'returns http success' do
get :favourited_by, params: { id: status.id }
expect(response).to have_http_status(:success)
end
end
end
end
end end

Write Preview
Loading…
Cancel
Save