# Offense count: 59
# Configuration parameters: AllowedMethods, AllowedPatterns.
Metrics/CyclomaticComplexity:
- Max: 26
+ Max: 29
# Offense count: 753
# Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
# Offense count: 56
# Configuration parameters: AllowedMethods, AllowedPatterns.
Metrics/PerceivedComplexity:
- Max: 29
+ Max: 30
# Offense count: 2394
# This cop supports safe autocorrection (--autocorrect).
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note if scope?(token, :write_notes)
if user&.terms_agreed?
- can :redact, OldNode if scope?(token, :write_api)
- can :redact, OldWay if scope?(token, :write_api)
- can :redact, OldRelation if scope?(token, :write_api)
+ can :redact, OldNode if scope?(token, :write_api) || scope?(token, :write_redactions)
+ can :redact, OldWay if scope?(token, :write_api) || scope?(token, :write_redactions)
+ can :redact, OldRelation if scope?(token, :write_api) || scope?(token, :write_redactions)
end
end
end
--- /dev/null
+module AuthorizationHelper
+ include ActionView::Helpers::TranslationHelper
+
+ def authorization_scope(scope)
+ html = []
+ html << t("oauth.scopes.#{scope}")
+ if Oauth::MODERATOR_SCOPES.include? scope
+ html << " "
+ html << image_tag("roles/moderator.png", :srcset => image_path("roles/moderator.svg", :class => "align-text-bottom"), :size => "20x20")
+ end
+ safe_join(html)
+ end
+end
<td class="align-middle">
<ul class="list-unstyled mb-0">
<% application.scopes.each do |scope| -%>
- <li><%= t "oauth.scopes.#{scope}" %> <code class="text-muted">(<%= scope %>)</code></li>
+ <li><%= authorization_scope(scope) %> <code class="text-muted">(<%= scope %>)</code></li>
<% end -%>
</ul>
</td>
<ul>
<% @pre_auth.scopes.each do |scope| -%>
- <li><%= t "oauth.scopes.#{scope}" %></li>
+ <li><%= authorization_scope(scope) %></li>
<% end -%>
</ul>
<td class="align-middle">
<ul class="list-unstyled mb-0">
<% application.authorized_scopes_for(current_user).each do |scope| -%>
- <li><%= t "oauth.scopes.#{scope}" %></li>
+ <li><%= authorization_scope(scope) %></li>
<% end -%>
</ul>
</td>
read_gpx: Read private GPS traces
write_gpx: Upload GPS traces
write_notes: Modify notes
+ write_redactions: Redact map data
read_email: Read user email address
skip_authorization: Auto approve application
oauth_clients:
module Oauth
SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
- OAUTH2_SCOPES = %w[openid].freeze
+ MODERATOR_SCOPES = %w[write_redactions].freeze
+ OAUTH2_SCOPES = %w[write_redactions openid].freeze
class Scope
attr_reader :name
assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
end
+ def test_redact_node_by_regular_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+ do_redact_redactable_node(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_node_by_regular_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+ do_redact_redactable_node(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_node_by_regular_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+ do_redact_redactable_node(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_node_by_moderator_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+ do_redact_redactable_node(auth_header)
+ assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_node_by_moderator_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+ do_redact_redactable_node(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+ # assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_node_by_moderator_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+ do_redact_redactable_node(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+ end
+
##
# test that redacted nodes aren't visible, regardless of
# authorisation except as moderator...
private
+ def create_bearer_auth_header(user, scopes)
+ token = create(:oauth_access_token,
+ :resource_owner_id => user.id,
+ :scopes => scopes)
+ bearer_authorization_header(token.token)
+ end
+
+ def do_redact_redactable_node(headers = {})
+ node = create(:node, :with_history, :version => 4)
+ node_v3 = node.old_nodes.find_by(:version => 3)
+ do_redact_node(node_v3, create(:redaction), headers)
+ end
+
def do_redact_node(node, redaction, headers = {})
get node_version_path(:id => node.node_id, :version => node.version), :headers => headers
assert_response :success, "should be able to get version #{node.version} of node #{node.node_id}."
assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
end
+ def test_redact_relation_by_regular_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+ do_redact_redactable_relation(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_relation_by_regular_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+ do_redact_redactable_relation(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_relation_by_regular_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+ do_redact_redactable_relation(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_relation_by_moderator_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+ do_redact_redactable_relation(auth_header)
+ assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_relation_by_moderator_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+ do_redact_redactable_relation(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+ # assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_relation_by_moderator_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+ do_redact_redactable_relation(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+ end
+
##
# test that redacted relations aren't visible, regardless of
# authorisation except as moderator...
end
end
+ def create_bearer_auth_header(user, scopes)
+ token = create(:oauth_access_token,
+ :resource_owner_id => user.id,
+ :scopes => scopes)
+ bearer_authorization_header(token.token)
+ end
+
+ def do_redact_redactable_relation(headers = {})
+ relation = create(:relation, :with_history, :version => 4)
+ relation_v3 = relation.old_relations.find_by(:version => 3)
+ do_redact_relation(relation_v3, create(:redaction), headers)
+ end
+
def do_redact_relation(relation, redaction, headers = {})
get relation_version_path(:id => relation.relation_id, :version => relation.version)
assert_response :success, "should be able to get version #{relation.version} of relation #{relation.relation_id}."
assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
end
+ def test_redact_way_by_regular_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+ do_redact_redactable_way(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_way_by_regular_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+ do_redact_redactable_way(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_way_by_regular_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+ do_redact_redactable_way(auth_header)
+ assert_response :forbidden, "should need to be moderator to redact."
+ end
+
+ def test_redact_way_by_moderator_with_read_prefs_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+ do_redact_redactable_way(auth_header)
+ assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_way_by_moderator_with_write_api_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+ do_redact_redactable_way(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+ # assert_response :forbidden, "should need to have write_redactions scope to redact."
+ end
+
+ def test_redact_way_by_moderator_with_write_redactions_scope
+ auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+ do_redact_redactable_way(auth_header)
+ assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+ end
+
##
# test that redacted ways aren't visible, regardless of
# authorisation except as moderator...
end
end
+ def create_bearer_auth_header(user, scopes)
+ token = create(:oauth_access_token,
+ :resource_owner_id => user.id,
+ :scopes => scopes)
+ bearer_authorization_header(token.token)
+ end
+
+ def do_redact_redactable_way(headers = {})
+ way = create(:way, :with_history, :version => 4)
+ way_v3 = way.old_ways.find_by(:version => 3)
+ do_redact_way(way_v3, create(:redaction), headers)
+ end
+
def do_redact_way(way, redaction, headers = {})
get way_version_path(:id => way.way_id, :version => way.version)
assert_response :success, "should be able to get version #{way.version} of way #{way.way_id}."