Locked down all endpoints (#4071)

3edb3868 · Ahmad Farhat · GitHub · 77527327 · 3edb3868 · 3edb3868
Unverified Commit 3edb3868 authored Nov 4, 2022 by Ahmad Farhat Committed by GitHub Nov 4, 2022
--- a/app/controllers/api/v1/recordings_controller.rb
+++ b/app/controllers/api/v1/recordings_controller.rb
@@ -7,7 +7,7 @@ module Api
      before_action only: %i[update destroy update_visibility] do
        ensure_authorized('ManageRecordings', record_id: params[:id])
      end
-      before_action do
+      before_action only: %i[index recordings_count] do
        ensure_authorized('CreateRoom')
      end


--- a/app/controllers/api/v1/room_settings_controller.rb
+++ b/app/controllers/api/v1/room_settings_controller.rb
@@ -5,6 +5,10 @@ module Api
    class RoomSettingsController < ApiController
      before_action :find_room, only: %i[show update]

+      before_action only: %i[show update] do
+        ensure_authorized('ManageRooms', friendly_id: params[:friendly_id])
+      end
+
      # GET /api/v1/room_settings/:friendly_id
      def show
        options = RoomSettingsGetter.new(room_id: @room.id, provider: current_provider, current_user:, show_codes: true,

--- a/app/controllers/api/v1/rooms_configurations_controller.rb
+++ b/app/controllers/api/v1/rooms_configurations_controller.rb
@@ -3,6 +3,10 @@
 module Api
  module V1
    class RoomsConfigurationsController < ApiController
+      before_action only: %i[index] do
+        ensure_authorized(%w[CreateRoom ManageSiteSettings ManageRoles], friendly_id: params[:friendly_id])
+      end
+
      # GET /api/v1/rooms_configurations.json
      # Expects: {}
      # Returns: { data: Array[serializable objects] , errors: Array[String] }

--- a/app/controllers/api/v1/rooms_controller.rb
+++ b/app/controllers/api/v1/rooms_controller.rb
@@ -6,7 +6,8 @@ module Api
      skip_before_action :ensure_authenticated, only: %i[public_show]

      before_action :find_room, only: %i[show update destroy recordings recordings_processing purge_presentation public_show]
-      before_action except: %i[public_show] do
+
+      before_action only: %i[create index] do
        ensure_authorized('CreateRoom')
      end
      before_action only: %i[create] do
@@ -15,7 +16,7 @@ module Api
      before_action only: %i[show] do
        ensure_authorized(%w[ManageRooms SharedRoom], friendly_id: params[:friendly_id])
      end
-      before_action only: %i[destroy] do
+      before_action only: %i[update destroy recordings recordings_processing purge_presentation] do
        ensure_authorized('ManageRooms', friendly_id: params[:friendly_id])
      end


--- a/app/controllers/api/v1/shared_accesses_controller.rb
+++ b/app/controllers/api/v1/shared_accesses_controller.rb
@@ -5,6 +5,10 @@ module Api
    class SharedAccessesController < ApiController
      before_action :find_room

+      before_action only: %i[show create destroy shareable_users] do
+        ensure_authorized('ManageRooms', friendly_id: params[:friendly_id])
+      end
+
      # POST /api/v1/shared_accesses.json
      def create
        shared_users_ids = Array(params[:shared_users])

--- a/app/controllers/api/v1/site_settings_controller.rb
+++ b/app/controllers/api/v1/site_settings_controller.rb
@@ -7,7 +7,7 @@ module Api

      # GET /api/v1/site_settings/:name
      def show
-        render_data data: SettingGetter.new(setting_name: params[:name], provider: current_provider).call, status: :ok # TODO: - ahmad: fix provider
+        render_data data: SettingGetter.new(setting_name: params[:name], provider: current_provider).call, status: :ok
      end
    end
  end

--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -7,7 +7,7 @@ module Api

      skip_before_action :ensure_authenticated, only: %i[create]

-      before_action only: %i[update destroy purge_avatar] do
+      before_action only: %i[show update destroy purge_avatar] do
        ensure_authorized('ManageUsers', user_id: params[:id])
      end


--- a/spec/controllers/recordings_controller_spec.rb
+++ b/spec/controllers/recordings_controller_spec.rb
@@ -5,7 +5,6 @@ require 'rails_helper'
 RSpec.describe Api::V1::RecordingsController, type: :controller do
  before do
    request.headers['ACCEPT'] = 'application/json'
-    create_default_permissions
    sign_in_user(user)
  end


--- a/spec/controllers/rooms_controller_spec.rb
+++ b/spec/controllers/rooms_controller_spec.rb
@@ -5,7 +5,6 @@ require 'rails_helper'
 RSpec.describe Api::V1::RoomsController, type: :controller do
  before do
    request.headers['ACCEPT'] = 'application/json'
-    create_default_permissions
    sign_in_user(user)
  end

@@ -242,7 +241,7 @@ RSpec.describe Api::V1::RoomsController, type: :controller do

  describe '#purge_presentation' do
    it 'deletes the presentation' do
-      room = create(:room, presentation: fixture_file_upload(file_fixture('default-avatar.png'), 'image/png'))
+      room = create(:room, user:, presentation: fixture_file_upload(file_fixture('default-avatar.png'), 'image/png'))
      expect(room.reload.presentation).to be_attached
      delete :purge_presentation, params: { friendly_id: room.friendly_id }
      expect(room.reload.presentation).not_to be_attached

--- a/spec/controllers/shared_accesses_controller_spec.rb
+++ b/spec/controllers/shared_accesses_controller_spec.rb
@@ -3,36 +3,33 @@
 require 'rails_helper'

 RSpec.describe Api::V1::SharedAccessesController, type: :controller do
+  let(:user) { create(:user) }
+  let(:room) { create(:room, user:) }
+
  before do
    request.headers['ACCEPT'] = 'application/json'
-    create_default_permissions
    sign_in_user(user)
  end

-  let(:user) { create(:user) }
-
  describe '#create' do
    it 'shares a room with a user' do
-      room = create(:room)
-      user = create(:user)
-      post :create, params: { friendly_id: room.friendly_id, shared_users: [user.id] }
-      expect(user.shared_rooms).to include(room)
+      new_user = create(:user)
+      post :create, params: { friendly_id: room.friendly_id, shared_users: [new_user.id] }
+      expect(new_user.shared_rooms).to include(room)
    end
  end

  describe '#destroy' do
    it 'unshares a room with a user' do
-      room = create(:room)
-      user = create(:user)
-      create(:shared_access, user_id: user.id, room_id: room.id)
-      delete :destroy, params: { friendly_id: room.friendly_id, user_id: user.id }
-      expect(user.shared_rooms).not_to include(room)
+      new_user = create(:user)
+      create(:shared_access, user_id: new_user.id, room_id: room.id)
+      delete :destroy, params: { friendly_id: room.friendly_id, user_id: new_user.id }
+      expect(new_user.shared_rooms).not_to include(room)
    end
  end

  describe '#show' do
    it 'returns all the users that the room has been shared to' do
-      room = create(:room)
      shared_users = create_list(:user, 5)
      unshared_users = create_list(:user, 5)
      room.shared_users = shared_users
@@ -44,7 +41,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do
    end

    it 'returns the shared users according to the query' do
-      room = create(:room)
      room.shared_users = create_list(:user, 5)
      searched_users = create_list(:user, 5, name: 'John Doe')
      room.shared_users << searched_users
@@ -57,7 +53,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do

  describe '#shareable_users' do
    it 'does not return any users if the search params is empty' do
-      room = create(:room)
      shareable_users = create_list(:user, 5, name: 'John Doe')
      shareable_users << user

@@ -66,7 +61,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do
    end

    it 'does not return any users if the search params has less than 3 characters' do
-      room = create(:room)
      shareable_users = create_list(:user, 5, name: 'John Doe')
      shareable_users << user

@@ -75,7 +69,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do
    end

    it 'returns the users that the room can be shared to' do
-      room = create(:room)
      room.shared_users = create_list(:user, 5)
      shareable_users = create_list(:user, 5, name: 'John Doe')

@@ -85,7 +78,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do
    end

    it 'returns the shareable users according to the query' do
-      room = create(:room)
      room.shared_users = create_list(:user, 5)
      shareable_users = create_list(:user, 5, name: 'Jane Doe')

@@ -96,7 +88,6 @@ RSpec.describe Api::V1::SharedAccessesController, type: :controller do

    context 'user without SharedList permission' do
      it 'does not return the users without SharedList permission' do
-        room = create(:room)
        room.shared_users = create_list(:user, 5)
        create(:user, :without_shared_list_permission, name: 'John Doe')


--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -197,17 +197,10 @@ RSpec.describe Api::V1::UsersController, type: :controller do
    end

    it 'returns a user if id is valid' do
-      user = create(:user)
      get :show, params: { id: user.id }
      expect(response).to have_http_status(:ok)
      expect(JSON.parse(response.body)['data']['id']).to eq(user.id)
    end
-
-    it 'returns :not_found if the user doesnt exist' do
-      get :show, params: { id: 'invalid__id' }
-      expect(response).to have_http_status(:not_found)
-      expect(JSON.parse(response.body)['data']).to be_nil
-    end
  end

  describe '#update' do

--- a/spec/factories/role_factory.rb
+++ b/spec/factories/role_factory.rb
@@ -4,5 +4,14 @@ FactoryBot.define do
  factory :role do
    name { Faker::Job.unique.title }
    provider { 'greenlight' }
+
+    after(:create) do |role|
+      perm = Permission.find_or_create_by(name: 'CreateRoom')
+      perm2 = Permission.find_or_create_by(name: 'RoomLimit')
+      perm3 = Permission.find_or_create_by(name: 'SharedList')
+      RolePermission.find_or_create_by(permission: perm, role:, value: 'true')
+      RolePermission.find_or_create_by(permission: perm2, role:, value: '100')
+      RolePermission.find_or_create_by(permission: perm3, role:, value: 'true')
+    end
  end
 end
--- a/spec/factories/user_factory.rb
+++ b/spec/factories/user_factory.rb
@@ -56,7 +56,7 @@ FactoryBot.define do

    trait :without_can_record_permission do
      after(:create) do |user|
-        RolePermission.find_by(role: user.role, permission: Permission.find_by(name: 'CanRecord')).update(value: 'false')
+        RolePermission.find_or_create_by(role: user.role, permission: Permission.find_or_create_by(name: 'CanRecord')).update(value: 'false')
      end
    end
  end

--- a/spec/helpers.rb
+++ b/spec/helpers.rb
@@ -4,12 +4,4 @@ module Helpers
  def sign_in_user(user)
    session[:session_token] = user.session_token
  end
-
-  # Populate the permissions that are enabled by default on the 'User' role and custom Roles
-  def create_default_permissions
-    create(:permission, name: 'CreateRoom')
-    create(:permission, name: 'CanRecord')
-    create(:permission, name: 'SharedList')
-    create(:permission, name: 'RoomLimit')
-  end
 end
--- a/spec/services/room_settings_getter_spec.rb
+++ b/spec/services/room_settings_getter_spec.rb
@@ -3,10 +3,6 @@
 require 'rails_helper'

 describe RoomSettingsGetter, type: :service do
-  before do
-    create_default_permissions
-  end
-
  let(:user) { create(:user) }

  describe '#call' do
@@ -230,6 +226,8 @@ describe RoomSettingsGetter, type: :service do
          end

          it 'room_setting record value remains true if room_configuration record value is optional and CanRecord permission is set to true' do
+            RolePermission.find_or_create_by(role: user.role, permission: Permission.find_or_create_by(name: 'CanRecord')).update(value: 'true')
+
            room = create(:room)
            setting1 = create(:meeting_option, name: 'record')