From 5fb163c09a39c961b3074c1c37433d3812e199ee Mon Sep 17 00:00:00 2001 From: Oleksii Kriuchykhin Date: Tue, 21 Sep 2021 16:15:41 +0200 Subject: [PATCH] Update/implement permission checks in the _my_modules_tags_ controller [SCI-6062] --- app/controllers/my_module_tags_controller.rb | 13 ++-- .../my_module_tags_controller_spec.rb | 68 +++++++++++++++++++ 2 files changed, 74 insertions(+), 7 deletions(-) create mode 100644 spec/permissions/controllers/my_module_tags_controller_spec.rb diff --git a/app/controllers/my_module_tags_controller.rb b/app/controllers/my_module_tags_controller.rb index edf403020..2c28c3be3 100644 --- a/app/controllers/my_module_tags_controller.rb +++ b/app/controllers/my_module_tags_controller.rb @@ -2,7 +2,7 @@ class MyModuleTagsController < ApplicationController include InputSanitizeHelper before_action :load_vars, except: :canvas_index - before_action :check_view_permissions, only: %i(index index_edit) + before_action :check_view_permissions, except: %i(canvas_index create destroy destroy_by_tag_id) before_action :check_manage_permissions, only: %i(create destroy destroy_by_tag_id) def index_edit @@ -38,7 +38,8 @@ class MyModuleTagsController < ApplicationController def canvas_index experiment = Experiment.find(params[:id]) - render_403 unless can_read_experiment?(experiment) + return render_403 unless can_read_experiment?(experiment) + res = [] experiment.my_modules.active.each do |my_module| res << { @@ -157,17 +158,15 @@ class MyModuleTagsController < ApplicationController def load_vars @my_module = MyModule.find_by_id(params[:my_module_id]) - unless @my_module - render_404 - end + render_404 if @my_module.blank? end def check_view_permissions - render_403 unless can_read_experiment?(@my_module.experiment) + render_403 unless can_read_my_module?(@my_module) end def check_manage_permissions - render_403 unless can_manage_my_module?(@my_module) + render_403 unless can_manage_my_module_tags?(@my_module) end def mt_params diff --git a/spec/permissions/controllers/my_module_tags_controller_spec.rb b/spec/permissions/controllers/my_module_tags_controller_spec.rb new file mode 100644 index 000000000..84985bea1 --- /dev/null +++ b/spec/permissions/controllers/my_module_tags_controller_spec.rb @@ -0,0 +1,68 @@ +# frozen_string_literal: true + +require 'rails_helper' + +describe MyModuleTagsController, type: :controller do + include PermissionExtends + + it_behaves_like "a controller with authentication", { + index_edit: { my_module_id: 1 }, + index: { my_module_id: 1 }, + canvas_index: { id: 1 }, + create: { my_module_id: 1 }, + destroy: { my_module_id: 1, id: 1 }, + search_tags: { my_module_id: 1 }, + destroy_by_tag_id: { my_module_id: 1, id: 1 } + }, [] + + login_user + + describe 'permissions checking' do + include_context 'reference_project_structure', { + team_role: :normal_user, + tag: true + } + + it_behaves_like "a controller action with permissions checking", :get, :index_edit do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::READ] } + let(:action_params) { { my_module_id: my_module.id } } + end + + it_behaves_like "a controller action with permissions checking", :get, :index do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::READ] } + let(:action_params) { { my_module_id: my_module.id } } + end + + it_behaves_like "a controller action with permissions checking", :get, :canvas_index do + let(:testable) { experiment } + let(:permissions) { [ExperimentPermissions::READ] } + let(:action_params) { { id: experiment.id } } + end + + it_behaves_like "a controller action with permissions checking", :post, :create do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::TAGS_MANAGE] } + let(:action_params) { { my_module_id: my_module.id } } + end + + it_behaves_like "a controller action with permissions checking", :post, :destroy do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::TAGS_MANAGE] } + let(:action_params) { { my_module_id: my_module.id, id: tag.id } } + end + + it_behaves_like "a controller action with permissions checking", :get, :search_tags do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::READ] } + let(:action_params) { { my_module_id: my_module.id } } + end + + it_behaves_like "a controller action with permissions checking", :post, :destroy_by_tag_id do + let(:testable) { my_module } + let(:permissions) { [MyModulePermissions::TAGS_MANAGE] } + let(:action_params) { { my_module_id: my_module.id, id: tag.id } } + end + end +end