[40228] added permission check for file links

pull/10133/head
Eric Schubert 3 years ago
parent 3495ae9c85
commit b5ce5bf737
No known key found for this signature in database
GPG Key ID: 1D346C019BD4BAA2
  1. 1
      modules/storages/app/models/queries/storages/file_links/file_link_query.rb
  2. 7
      modules/storages/app/models/storages/file_link.rb
  3. 36
      modules/storages/lib/api/v3/file_links/file_link_collection_representer.rb
  4. 11
      modules/storages/lib/api/v3/file_links/file_links_api.rb
  5. 14
      modules/storages/spec/requests/api/v3/file_links/file_links_spec.rb

@ -0,0 +1 @@
class Queries::Storages::FileLinks::FileLinkQuery < Queries::BaseQuery; end

@ -30,4 +30,11 @@ class Storages::FileLink < ApplicationRecord
belongs_to :storage
belongs_to :creator, foreign_key: 'creator_id', class_name: 'User'
belongs_to :container, foreign_key: 'container_id', class_name: 'WorkPackage' # This needs to become more flexible in the future
scope :visible, ->(user = User.current) {
includes(:container)
.includes(container: :project)
.references(:projects)
.merge(Project.allowed_to(user, :view_file_links))
}
end
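Review bot: The `visible` scope decides access solely by `Project.allowed_to(user, :view_file_links)` on the container's project, so a user who holds that permission but cannot see the work package itself still receives its file links unless `:view_file_links` is declared elsewhere as depending on `:view_work_packages`. If that dependency is not guaranteed, narrowing the scope with the container's own visibility would close the gap, e.g. `.merge(WorkPackage.visible(user))` next to the project check — `WorkPackage.visible` is not shown here, so confirm its name and that it targets the joined `work_packages` table before relying on it. Separately, the leading `includes(:container)` is subsumed by `includes(container: :project)` and can be dropped. A short comment above the scope, `# Visibility is granted per project (:view_file_links) via the container's project, not per work package`, would make that contract explicit. `Storages::FileLink` starts before this hunk.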

@ -0,0 +1,36 @@
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2022 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++
module API
module V3
module FileLinks
class FileLinkCollectionRepresenter < ::API::Decorators::OffsetPaginatedCollection
end
end
end
end

@ -30,7 +30,16 @@ module API
module V3
module FileLinks
class FileLinksAPI < ::API::OpenProjectAPI
helpers do
def visible_file_links_scope
::Storages::FileLink.visible(current_user)
end
end
resources :file_links do
# get &::API::V3::Utilities::Endpoints::Index
# .new(model: ::Storages::FileLink, scope: -> { visible_file_links_scope })
# .mount
get do
raise ::API::Errors::NotImplemented
end
@ -41,7 +50,7 @@ module API
route_param :file_link_id, type: Integer, desc: 'File link id' do
after_validation do
@file_link = ::Storages::FileLink.find(params[:file_link_id])
@file_link = visible_file_links_scope.find(params[:file_link_id])
end
get &::API::V3::Utilities::Endpoints::Show.new(model: ::Storages::FileLink).mount
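Review bot: The new lookup `visible_file_links_scope.find(params[:file_link_id])` is not tied to the work package in the route, so `/work_packages/A/file_links/X` presumably resolves X even when X's container is a different work package B, as long as the user may view file links in B's project (the spec's `api_v3_paths.file_link(work_package.id, ...)` shows the route is nested under a work package). If the enclosing work-package route sets an instance variable for it, the lookup should be constrained to it, e.g. `@file_link = visible_file_links_scope.where(container: @work_package).find(params[:file_link_id])` — the parent route is outside this hunk, so the variable name needs checking. Mapping the permission failure to `ActiveRecord::RecordNotFound` (404) is the right choice here since it does not disclose whether the id exists. The commented-out `Index` mount above `get do` should either carry a `# TODO` explaining why it is disabled or be removed, and a one-line comment on the helper, `# Only file links whose container's project grants :view_file_links to the current user`, would document the new invariant.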

@ -31,7 +31,7 @@ require 'spec_helper'
describe 'API v3 file links resource', type: :request do
include API::V3::Utilities::PathHelper
let(:permissions) { %i(view_work_packages) }
let(:permissions) { %i(view_work_packages view_file_links) }
let(:project) { create(:project) }
let(:current_user) do
@ -91,6 +91,18 @@ describe 'API v3 file links resource', type: :request do
it 'is successful' do
expect(subject.status).to be 200
end
context 'if user has not sufficient permissions' do
let(:permissions) { %i(view_work_packages) }
it_behaves_like 'not found'
end
context 'if no storage with that id exists' do
let(:path) { api_v3_paths.file_link(work_package.id, 1337) }
it_behaves_like 'not found'
end
end
describe 'DELETE /api/v3/work_packages/:work_package_id/file_links/:file_link_id' do
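Review bot: The added permission context only covers the GET of an existing link in the user's own project; there is no case for a link that is visible to the user but belongs to a different work package than the one in the path, which is exactly the situation the nested route invites, e.g. `let(:path) { api_v3_paths.file_link(other_work_package.id, file_link.id) }` with `it_behaves_like 'not found'` (assuming the lookup is scoped to the route's work package). The `DELETE` describe starting here runs past the hunk, so whether it gained a matching insufficient-permissions case cannot be seen from this page; if not, it should. As a point of style, the context name `'if user has not sufficient permissions'` reads better as `'if user has insufficient permissions'`.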
