FIX: add support for missing verbs in user api key

Previously "write" scope was missing put and delete verbs which should be allowed. Also closes: #6982
2025-03-20 04:07:56 +08:00 · 2019-02-13 15:49:25 +11:00 · 2019-02-13 15:49:25 +11:00 · 641b079c78
commit 641b079c78
parent 1328a127ee
2 changed files with 13 additions and 3 deletions
--- a/app/models/user_api_key.rb
+++ b/app/models/user_api_key.rb
@ -2,7 +2,7 @@ class UserApiKey < ActiveRecord::Base

  SCOPES = {
    read: [:get],
-    write: [:get, :post, :patch],
+    write: [:get, :post, :patch, :put, :delete],
    message_bus: [[:post, 'message_bus']],
    push: nil,
    notifications: [[:post, 'message_bus'], [:get, 'notifications#index'], [:put, 'notifications#mark_read']],
@ -29,7 +29,6 @@ class UserApiKey < ActiveRecord::Base
    verb, action = permission
    actual_verb = env["REQUEST_METHOD"] || ""

-    # safe in Ruby 2.3 which is only one supported
    return false unless actual_verb.downcase == verb.to_s
    return true unless action

--- a/spec/models/user_api_key_spec.rb
+++ b/spec/models/user_api_key_spec.rb
@ -16,9 +16,20 @@ describe UserApiKey do

    end

+    it "can allow all correct scopes to write" do
+
+      key = UserApiKey.new(scopes: ["write"])
+
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PATCH")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "DELETE")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "POST")).to eq(true)
+    end
+
    it "can allow blanket read" do

-      key = UserApiKey.new(scopes: ['read'])
+      key = UserApiKey.new(scopes: ["read"])

      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(false)