Revision 548f822d
Added by Tom Caspy about 8 years ago
app/controllers/api/v1/bookmarks_controller.rb | ||
module Api
|
||
module V1
|
||
class BookmarksController < V1::BaseController
|
||
include Foreman::Controller::BookmarkCommon
|
||
|
||
before_filter :find_resource, :only => [:show, :update, :destroy]
|
||
|
||
api :GET, "/bookmarks/", "List all bookmarks."
|
||
... | ... | |
param :per_page, String, :desc => "number of entries per request"
|
||
|
||
def index
|
||
@bookmarks = Bookmark.paginate(paginate_options)
|
||
@bookmarks = Bookmark.my_bookmarks.paginate(paginate_options)
|
||
end
|
||
|
||
api :GET, "/bookmarks/:id/", "Show a bookmark."
|
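Review bot: `index` re-applies the visibility scope by hand with `@bookmarks = Bookmark.my_bookmarks.paginate(paginate_options)` while the `Foreman::Controller::BookmarkCommon` mixin included in the same change already narrows `resource_base`/`resource_scope` with `my_bookmarks`, so there are now two places that must agree for the fix to hold. If `V1::BaseController` exposes `resource_scope` (not visible on this page), `@bookmarks = resource_scope.paginate(paginate_options)` would keep a single source of truth; the same applies to the V2 controller's `index`, which lies outside its hunk. The apipie description `api :GET, "/bookmarks/", "List all bookmarks."` no longer matches what the action returns; I would word it as `"List all bookmarks visible to the current user (public ones and your own)."`, which is what the accompanying tests assert.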
app/controllers/api/v2/bookmarks_controller.rb | ||
module Api
|
||
module V2
|
||
class BookmarksController < V2::BaseController
|
||
include Foreman::Controller::BookmarkCommon
|
||
|
||
before_filter :find_resource, :only => [:show, :update, :destroy]
|
||
|
||
api :GET, "/bookmarks/", N_("List all bookmarks")
|
app/controllers/bookmarks_controller.rb | ||
class BookmarksController < ApplicationController
|
||
include Foreman::Controller::BookmarkCommon
|
||
|
||
before_filter :find_resource, :only => [:edit, :update, :destroy]
|
||
|
||
def index
|
app/controllers/concerns/foreman/controller/bookmark_common.rb | ||
module Foreman::Controller::BookmarkCommon
|
||
def resource_base
|
||
super.my_bookmarks
|
||
end
|
||
|
||
def resource_scope(*args)
|
||
super.my_bookmarks
|
||
end
|
||
end
|
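Review bot: `Foreman::Controller::BookmarkCommon` carries no comment explaining that it is the authorization boundary this fix relies on: both `resource_base` and `resource_scope` narrow the superclass scope with `my_bookmarks`, so `find_resource` (wired by `before_filter` in the three including controllers) presumably fails with not-found for any bookmark the current user may not see, which is what the 404 assertions in the tests check. I would add a header comment such as `# Restricts every bookmark lookup (listing and find_resource) to bookmarks visible to the current user; must stay in sync with the Bookmark.my_bookmarks scope.` and a one-line `# @return [ActiveRecord::Relation] superclass scope narrowed to visible bookmarks` on each method. Both methods call `super` unconditionally, so each including controller's ancestry must already define `resource_base`/`resource_scope` (presumably `ApplicationController` and the API base controllers, not shown here); a `NoMethodError` there is preferable to silently skipping the scope, so I would not guard it with `defined?(super)`.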
test/functional/api/v1/bookmarks_controller_test.rb | ||
end
|
||
assert_response :success
|
||
end
|
||
|
||
test "should only show public and user's bookmarks" do
|
||
get :index, {}, set_session_user
|
||
assert_response :success
|
||
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
end
|
||
|
||
test "should not allow actions on non public/non user bookmarks" do
|
||
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
assert_response 404
|
||
end
|
||
end
|
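Review bot: The new test `should not allow actions on non public/non user bookmarks` only exercises `update`, although `before_filter :find_resource, :only => [:show, :update, :destroy]` in the v1 controller also guards `show` and `destroy`, so a regression that drops the scope on one of those paths would still pass this suite. I would extend the test to hit all three actions with `bookmarks(:two)` and expect 404 from each, as below; the same gap exists in the v2 test (no `show`/`destroy`) and in the UI controller test (no `destroy`). The assertions also depend on fixture `two` being neither public nor owned by the session user, which is defined outside this page, so the precondition is worth a one-line comment in the test.
```ruby
  test "should not allow actions on non public/non user bookmarks" do
    # fixture :two is neither public nor owned by the session user — TODO confirm in fixtures
    get :show, {:id => bookmarks(:two).to_param}, set_session_user
    assert_response 404

    put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
    assert_response 404

    delete :destroy, {:id => bookmarks(:two).to_param}, set_session_user
    assert_response 404
  end
```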
test/functional/api/v2/bookmarks_controller_test.rb | ||
end
|
||
assert_response :success
|
||
end
|
||
|
||
test "should only show public and user's bookmarks" do
|
||
get :index, {}, set_session_user
|
||
assert_response :success
|
||
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
end
|
||
|
||
test "should not allow actions on non public/non user bookmarks" do
|
||
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
assert_response 404
|
||
end
|
||
end
|
test/functional/bookmarks_controller_test.rb | ||
end
|
||
assert_redirected_to bookmarks_path
|
||
end
|
||
|
||
test "should only show public and user's bookmarks" do
|
||
get :index, {}, set_session_user
|
||
assert_response :success
|
||
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
end
|
||
|
||
test "should not allow actions on non public/non user bookmarks" do
|
||
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
assert_response 404
|
||
|
||
get :edit, {:id => bookmarks(:two).to_param}, set_session_user
|
||
assert_response 404
|
||
end
|
||
end
|
fixes #13828 - CVE-2016-2100 - only showing relevant bookmarks
(cherry picked from commit a61344da14f73920b4bdc7ad8220e7a0ed998031)