Revision 548f822d
Added by Tom Caspy about 8 years ago
| app/controllers/api/v1/bookmarks_controller.rb | ||
|---|---|---|
|
module Api
|
||
|
module V1
|
||
|
class BookmarksController < V1::BaseController
|
||
|
include Foreman::Controller::BookmarkCommon
|
||
|
|
||
|
before_filter :find_resource, :only => [:show, :update, :destroy]
|
||
|
|
||
|
api :GET, "/bookmarks/", "List all bookmarks."
|
||
| ... | ... | |
|
param :per_page, String, :desc => "number of entries per request"
|
||
|
|
||
|
def index
|
||
|
@bookmarks = Bookmark.paginate(paginate_options)
|
||
|
@bookmarks = Bookmark.my_bookmarks.paginate(paginate_options)
|
||
|
end
|
||
|
|
||
|
api :GET, "/bookmarks/:id/", "Show a bookmark."
|
||
| app/controllers/api/v2/bookmarks_controller.rb | ||
|---|---|---|
|
module Api
|
||
|
module V2
|
||
|
class BookmarksController < V2::BaseController
|
||
|
include Foreman::Controller::BookmarkCommon
|
||
|
|
||
|
before_filter :find_resource, :only => [:show, :update, :destroy]
|
||
|
|
||
|
api :GET, "/bookmarks/", N_("List all bookmarks")
|
||
| app/controllers/bookmarks_controller.rb | ||
|---|---|---|
|
class BookmarksController < ApplicationController
|
||
|
include Foreman::Controller::BookmarkCommon
|
||
|
|
||
|
before_filter :find_resource, :only => [:edit, :update, :destroy]
|
||
|
|
||
|
def index
|
||
| app/controllers/concerns/foreman/controller/bookmark_common.rb | ||
|---|---|---|
|
module Foreman::Controller::BookmarkCommon
|
||
|
def resource_base
|
||
|
super.my_bookmarks
|
||
|
end
|
||
|
|
||
|
def resource_scope(*args)
|
||
|
super.my_bookmarks
|
||
|
end
|
||
|
end
|
||
| test/functional/api/v1/bookmarks_controller_test.rb | ||
|---|---|---|
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "should only show public and user's bookmarks" do
|
||
|
get :index, {}, set_session_user
|
||
|
assert_response :success
|
||
|
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
|
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
|
end
|
||
|
|
||
|
test "should not allow actions on non public/non user bookmarks" do
|
||
|
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
|
assert_response 404
|
||
|
end
|
||
|
end
|
||
| test/functional/api/v2/bookmarks_controller_test.rb | ||
|---|---|---|
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "should only show public and user's bookmarks" do
|
||
|
get :index, {}, set_session_user
|
||
|
assert_response :success
|
||
|
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
|
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
|
end
|
||
|
|
||
|
test "should not allow actions on non public/non user bookmarks" do
|
||
|
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
|
assert_response 404
|
||
|
end
|
||
|
end
|
||
| test/functional/bookmarks_controller_test.rb | ||
|---|---|---|
|
end
|
||
|
assert_redirected_to bookmarks_path
|
||
|
end
|
||
|
|
||
|
test "should only show public and user's bookmarks" do
|
||
|
get :index, {}, set_session_user
|
||
|
assert_response :success
|
||
|
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
|
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
|
end
|
||
|
|
||
|
test "should not allow actions on non public/non user bookmarks" do
|
||
|
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
|
assert_response 404
|
||
|
|
||
|
get :edit, {:id => bookmarks(:two).to_param}, set_session_user
|
||
|
assert_response 404
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
fixes #13828 - CVE-2016-2100 - only showing relevant bookmarks
(cherry picked from commit a61344da14f73920b4bdc7ad8220e7a0ed998031)