mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 19:15:32 +08:00
f4f5524190
previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer.
29 lines
1.1 KiB
Ruby
29 lines
1.1 KiB
Ruby
require 'rails_helper'
|
|
|
|
describe UserApiKey do
|
|
context "#allow?" do
|
|
it "can look up permissions correctly" do
|
|
key = UserApiKey.new(scopes: ['message_bus', 'notifications'])
|
|
|
|
expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(false)
|
|
expect(key.allow?("PATH_INFO" => "/message-bus/1234/poll", "REQUEST_METHOD" => "POST")).to eq(true)
|
|
|
|
expect(key.allow?("action_dispatch.request.path_parameters" => {:controller => "notifications", :action => "mark_read"},
|
|
"PATH_INFO" => "/xyz", "REQUEST_METHOD" => "PUT")).to eq(true)
|
|
|
|
|
|
expect(key.allow?("action_dispatch.request.path_parameters" => {:controller => "user_api_keys", :action => "revoke"},
|
|
"PATH_INFO" => "/xyz", "REQUEST_METHOD" => "POST")).to eq(true)
|
|
|
|
end
|
|
|
|
it "can allow blanket read" do
|
|
|
|
key = UserApiKey.new(scopes: ['read'])
|
|
|
|
expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
|
|
expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(false)
|
|
end
|
|
end
|
|
end
|