
Revision 5f65c486

Added by Dominic Cleal about 10 years ago

fixes #5612 - use correct permissions for authz in parameters API

(cherry picked from commit 7cb05aa94e942bd3917c6cde33957288ea84a735)


app/controllers/api/base_controller.rb
resource_identifying_attributes.each do |key|
find_method = "find_by_#{key}"
model = md[1].classify.constantize
controller = "#{md[1].pluralize}_#{controller_name}"
controller = md[1].pluralize
authorized_scope = model.authorized("#{action_permission}_#{controller}")
@nested_obj ||= authorized_scope.send(find_method, params[param])
end
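Review bot: The permission checked on the `authorized_scope = model.authorized("#{action_permission}_#{controller}")` line is derived from the current action, so looking up a parent such as a domain during a non-index request (create/update/destroy of a parameter) appears to require the matching `create_domains`/`edit_domains`/`destroy_domains` permission on the parent rather than a view permission; how `action_permission` maps actions is outside the hunk, so please confirm that is the intended authorization model. The same line also assumes every nested model's permission is named `<action>_<md[1].pluralize>`, which deserves a comment, e.g. `# permission name follows the <action>_<plural nested resource> convention (e.g. view_domains)`. `md[1].classify.constantize` builds a class from the matched parameter name; the new test suggests the match is restricted to the controller's `allowed_nested_id` list, which is worth recording next to that line since `constantize` on anything request-controlled would be a problem. The enclosing `find_required_nested_object` begins outside the hunk.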
app/controllers/api/v1/common_parameters_controller.rb
def index
@common_parameters = CommonParameter.
authorized(:view_globals).
authorized(:view_globals, CommonParameter).
search_for(*search_options).
paginate(paginate_options)
end
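Review bot: `authorized(:view_globals, CommonParameter)` now passes the resource class explicitly but nothing records why, so the next reader may well "simplify" it back to the single-argument form this commit is fixing. A one-line comment would prevent that, e.g. `# :view_globals does not follow the <action>_<resource> naming, so the resource class cannot be inferred from the permission — pass it explicitly`. Whether that is the actual reason depends on how `authorized` resolves its resource when the second argument is omitted, which is outside this diff, so adjust the wording if the cause differs.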
app/controllers/api/v2/common_parameters_controller.rb
def index
@common_parameters = CommonParameter.
authorized(:view_globals).
authorized(:view_globals, CommonParameter).
search_for(*search_options).
paginate(paginate_options)
end
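Review bot: This `index` body is byte-for-byte identical to the v1 controller's, including the `authorized(:view_globals, CommonParameter)` scope, so the authorization fix had to be applied twice and any future change to the scope will have to be kept in sync by hand. A shared module or base method for the common-parameter scope would leave one place to audit; if that is out of scope here, at least the same explanatory comment should appear in both versions, e.g. `# :view_globals is not named <action>_<resource>, so the resource class is passed explicitly`. Whether other v1/v2 controllers already share code this way is not visible in the diff.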
test/functional/api/base_controller_subclass_test.rb
assert_response :success
end
end
context 'nested objects' do
it "should use auth scope of nested object" do
ctrl = Api::TestableController.new
ctrl.expects(:params).at_least_once.returns(HashWithIndifferentAccess.new(:domain_id => 1, :action => 'index'))
ctrl.expects(:allowed_nested_id).at_least_once.returns(['domain_id'])
ctrl.expects(:resource_identifying_attributes).at_least_once.returns(['id'])
scope = mock('scope')
obj = mock('domain')
scope.expects(:find_by_id).with(1).returns(obj)
Domain.expects(:authorized).with('view_domains').returns(scope)
assert_equal obj, ctrl.send(:find_required_nested_object)
end
end
end
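Review bot: The new test only pins the happy path for `:action => 'index'`, so the `"#{action_permission}_#{controller}"` mapping in base_controller.rb is exercised for a single action and nothing asserts what `find_required_nested_object` does when `find_by_id` returns nil on the authorized scope, i.e. a domain the user is not permitted to see. Consider a companion case with `scope.expects(:find_by_id).with(1).returns(nil)` asserting the not-found outcome, and one with a mutating action to lock in which permission it requires. The expected behaviour for the nil case lives in `find_required_nested_object` outside this diff, so the assertion (`assert_nil` versus `assert_raises`) depends on what the caller does there.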
