Merge remote-tracking branch 'upstream/pull/4387'

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index e6772b8a4fc6d764a35eca646cd41609e406abb1..deaea8e2da3cbf11308aafa86c66b7d65f5f5d1a 100644 (file)
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -66,7 +66,7 @@ Metrics/ClassLength:
 # Offense count: 59
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
-  Max: 26
+  Max: 29
 
 # Offense count: 753
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
@@ -81,7 +81,7 @@ Metrics/ParameterLists:
 # Offense count: 56
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
-  Max: 29
+  Max: 30
 
 # Offense count: 2394
 # This cop supports safe autocorrection (--autocorrect).

diff --git a/app/abilities/api_capability.rb b/app/abilities/api_capability.rb
index 8c52327cfe488cc0d4e0710d85c48625dd7a166d..95d7ab9ab92d2145b90f11373a69416aacc9f959 100644 (file)
--- a/app/abilities/api_capability.rb
+++ b/app/abilities/api_capability.rb
@@ -32,9 +32,9 @@ class ApiCapability
           can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
           can :destroy, Note if scope?(token, :write_notes)
           if user&.terms_agreed?
-            can :redact, OldNode if scope?(token, :write_api)
-            can :redact, OldWay if scope?(token, :write_api)
-            can :redact, OldRelation if scope?(token, :write_api)
+            can :redact, OldNode if scope?(token, :write_api) || scope?(token, :write_redactions)
+            can :redact, OldWay if scope?(token, :write_api) || scope?(token, :write_redactions)
+            can :redact, OldRelation if scope?(token, :write_api) || scope?(token, :write_redactions)
           end
         end
       end

diff --git a/app/helpers/authorization_helper.rb b/app/helpers/authorization_helper.rb
new file mode 100644 (file)
index 0000000..11c8c29
--- /dev/null
+++ b/app/helpers/authorization_helper.rb
@@ -0,0 +1,13 @@
+module AuthorizationHelper
+  include ActionView::Helpers::TranslationHelper
+
+  def authorization_scope(scope)
+    html = []
+    html << t("oauth.scopes.#{scope}")
+    if Oauth::MODERATOR_SCOPES.include? scope
+      html << " "
+      html << image_tag("roles/moderator.png", :srcset => image_path("roles/moderator.svg", :class => "align-text-bottom"), :size => "20x20")
+    end
+    safe_join(html)
+  end
+end

diff --git a/app/views/oauth2_applications/_application.html.erb b/app/views/oauth2_applications/_application.html.erb
index 564fa81ebf33ad83ce07f55b2d8af173de932466..57e852182941301acd09cb75543270dc149a406b 100644 (file)
--- a/app/views/oauth2_applications/_application.html.erb
+++ b/app/views/oauth2_applications/_application.html.erb
@@ -10,7 +10,7 @@
   <td class="align-middle">
     <ul class="list-unstyled mb-0">
       <% application.scopes.each do |scope| -%>
-        <li><%= t "oauth.scopes.#{scope}" %> <code class="text-muted">(<%= scope %>)</code></li>
+        <li><%= authorization_scope(scope) %> <code class="text-muted">(<%= scope %>)</code></li>
       <% end -%>
     </ul>
   </td>

diff --git a/app/views/oauth2_authorizations/new.html.erb b/app/views/oauth2_authorizations/new.html.erb
index ac9c7c6c598404131f12fc790444d43b6b21fa36..8720bf05a6461bee51d96a9ec83ccc154e5dde24 100644 (file)
--- a/app/views/oauth2_authorizations/new.html.erb
+++ b/app/views/oauth2_authorizations/new.html.erb
@@ -6,7 +6,7 @@
 
 <ul>
   <% @pre_auth.scopes.each do |scope| -%>
-    <li><%= t "oauth.scopes.#{scope}" %></li>
+    <li><%= authorization_scope(scope) %></li>
   <% end -%>
 </ul>
 

diff --git a/app/views/oauth2_authorized_applications/_application.html.erb b/app/views/oauth2_authorized_applications/_application.html.erb
index 8abbb26ed8bb46e83e7830d7d2c97f3f979a96b8..28d048c4a098a727d7f289aec84c61ebce69cd6e 100644 (file)
--- a/app/views/oauth2_authorized_applications/_application.html.erb
+++ b/app/views/oauth2_authorized_applications/_application.html.erb
@@ -5,7 +5,7 @@
   <td class="align-middle">
     <ul class="list-unstyled mb-0">
       <% application.authorized_scopes_for(current_user).each do |scope| -%>
-        <li><%= t "oauth.scopes.#{scope}" %></li>
+        <li><%= authorization_scope(scope) %></li>
       <% end -%>
     </ul>
   </td>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index b157e8cbc61d466d762e106e04436737c8d6854c..fa10f018f8de2283a1e212cc09123a936eda738b 100644 (file)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2598,6 +2598,7 @@ en:
       read_gpx: Read private GPS traces
       write_gpx: Upload GPS traces
       write_notes: Modify notes
+      write_redactions: Redact map data
       read_email: Read user email address
       skip_authorization: Auto approve application
   oauth_clients:

diff --git a/lib/oauth.rb b/lib/oauth.rb
index 0456c08732a927eb1c944f74b5ccc969f9971ce4..88db38eb4bf914b8331655e134cbdf70b243c4ee 100644 (file)
--- a/lib/oauth.rb
+++ b/lib/oauth.rb
@@ -1,7 +1,8 @@
 module Oauth
   SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
   PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
-  OAUTH2_SCOPES = %w[openid].freeze
+  MODERATOR_SCOPES = %w[write_redactions].freeze
+  OAUTH2_SCOPES = %w[write_redactions openid].freeze
 
   class Scope
     attr_reader :name

diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb
index a87f3025860729ecd1f035b1f6a16d58287bc9d0..737f11c7317b697406e954500e32339a89bd5067 100644 (file)
--- a/test/controllers/api/old_nodes_controller_test.rb
+++ b/test/controllers/api/old_nodes_controller_test.rb
@@ -238,6 +238,43 @@ module Api
       assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
     end
 
+    def test_redact_node_by_regular_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+      do_redact_redactable_node(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_node_by_regular_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+      do_redact_redactable_node(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_node_by_regular_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+      do_redact_redactable_node(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_node_by_moderator_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+      do_redact_redactable_node(auth_header)
+      assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_node_by_moderator_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+      do_redact_redactable_node(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+      # assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_node_by_moderator_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+      do_redact_redactable_node(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+    end
+
     ##
     # test that redacted nodes aren't visible, regardless of
     # authorisation except as moderator...
@@ -395,6 +432,19 @@ module Api
 
     private
 
+    def create_bearer_auth_header(user, scopes)
+      token = create(:oauth_access_token,
+                     :resource_owner_id => user.id,
+                     :scopes => scopes)
+      bearer_authorization_header(token.token)
+    end
+
+    def do_redact_redactable_node(headers = {})
+      node = create(:node, :with_history, :version => 4)
+      node_v3 = node.old_nodes.find_by(:version => 3)
+      do_redact_node(node_v3, create(:redaction), headers)
+    end
+
     def do_redact_node(node, redaction, headers = {})
       get node_version_path(:id => node.node_id, :version => node.version), :headers => headers
       assert_response :success, "should be able to get version #{node.version} of node #{node.node_id}."

diff --git a/test/controllers/api/old_relations_controller_test.rb b/test/controllers/api/old_relations_controller_test.rb
index d51665b03c70b59d6c11a8676675471699f94fb0..ea26e5cb795c60bfa523f411fb458b4c2dfc0037 100644 (file)
--- a/test/controllers/api/old_relations_controller_test.rb
+++ b/test/controllers/api/old_relations_controller_test.rb
@@ -77,6 +77,43 @@ module Api
       assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
     end
 
+    def test_redact_relation_by_regular_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+      do_redact_redactable_relation(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_relation_by_regular_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+      do_redact_redactable_relation(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_relation_by_regular_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+      do_redact_redactable_relation(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_relation_by_moderator_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+      do_redact_redactable_relation(auth_header)
+      assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_relation_by_moderator_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+      do_redact_redactable_relation(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+      # assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_relation_by_moderator_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+      do_redact_redactable_relation(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+    end
+
     ##
     # test that redacted relations aren't visible, regardless of
     # authorisation except as moderator...
@@ -278,6 +315,19 @@ module Api
       end
     end
 
+    def create_bearer_auth_header(user, scopes)
+      token = create(:oauth_access_token,
+                     :resource_owner_id => user.id,
+                     :scopes => scopes)
+      bearer_authorization_header(token.token)
+    end
+
+    def do_redact_redactable_relation(headers = {})
+      relation = create(:relation, :with_history, :version => 4)
+      relation_v3 = relation.old_relations.find_by(:version => 3)
+      do_redact_relation(relation_v3, create(:redaction), headers)
+    end
+
     def do_redact_relation(relation, redaction, headers = {})
       get relation_version_path(:id => relation.relation_id, :version => relation.version)
       assert_response :success, "should be able to get version #{relation.version} of relation #{relation.relation_id}."

diff --git a/test/controllers/api/old_ways_controller_test.rb b/test/controllers/api/old_ways_controller_test.rb
index 6c4eb16a12dc772a9a3f7cf13ed899475fb61263..4c225fb3347febcaecb710b8913a0686d3065f86 100644 (file)
--- a/test/controllers/api/old_ways_controller_test.rb
+++ b/test/controllers/api/old_ways_controller_test.rb
@@ -118,6 +118,43 @@ module Api
       assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
     end
 
+    def test_redact_way_by_regular_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[read_prefs])
+      do_redact_redactable_way(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_way_by_regular_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_api])
+      do_redact_redactable_way(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_way_by_regular_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:user), %w[write_redactions])
+      do_redact_redactable_way(auth_header)
+      assert_response :forbidden, "should need to be moderator to redact."
+    end
+
+    def test_redact_way_by_moderator_with_read_prefs_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[read_prefs])
+      do_redact_redactable_way(auth_header)
+      assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_way_by_moderator_with_write_api_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_api])
+      do_redact_redactable_way(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_api scope."
+      # assert_response :forbidden, "should need to have write_redactions scope to redact."
+    end
+
+    def test_redact_way_by_moderator_with_write_redactions_scope
+      auth_header = create_bearer_auth_header(create(:moderator_user), %w[write_redactions])
+      do_redact_redactable_way(auth_header)
+      assert_response :success, "should be OK to redact old version as moderator with write_redactions scope."
+    end
+
     ##
     # test that redacted ways aren't visible, regardless of
     # authorisation except as moderator...
@@ -318,6 +355,19 @@ module Api
       end
     end
 
+    def create_bearer_auth_header(user, scopes)
+      token = create(:oauth_access_token,
+                     :resource_owner_id => user.id,
+                     :scopes => scopes)
+      bearer_authorization_header(token.token)
+    end
+
+    def do_redact_redactable_way(headers = {})
+      way = create(:way, :with_history, :version => 4)
+      way_v3 = way.old_ways.find_by(:version => 3)
+      do_redact_way(way_v3, create(:redaction), headers)
+    end
+
     def do_redact_way(way, redaction, headers = {})
       get way_version_path(:id => way.way_id, :version => way.version)
       assert_response :success, "should be able to get version #{way.version} of way #{way.way_id}."