Remove API authentication for public statuses (after review) (#1919)

2017-04-18 22:58:57 +03:00 · 2017-04-18 22:58:57 +03:00 · 0a7588282a
parent 3ed219f907
commit 0a7588282a
2 changed files with 268 additions and 153 deletions
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::StatusesController < ApiController
-  before_action -> { doorkeeper_authorize! :read }, except: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite]
+  before_action :authorize_if_got_token, except:            [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite]
  before_action -> { doorkeeper_authorize! :write }, only:  [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite]
  before_action :require_user!, except: [:show, :context, :card, :reblogged_by, :favourited_by]
  before_action :set_status, only:      [:show, :context, :card, :reblogged_by, :favourited_by]
@ -114,4 +114,9 @@ class Api::V1::StatusesController < ApiController
  def pagination_params(core_params)
    params.permit(:limit).merge(core_params)
  end
+
+  def authorize_if_got_token
+    request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods)
+    doorkeeper_authorize! :read if request_token
+  end
 end
--- a/spec/controllers/api/v1/statuses_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses_controller_spec.rb
@ -7,6 +7,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do
  let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
  let(:token) { double acceptable?: true, resource_owner_id: user.id, application: app }

+  context 'with an oauth token' do
    before do
      allow(controller).to receive(:doorkeeper_token) { token }
    end
@ -183,3 +184,112 @@ RSpec.describe Api::V1::StatusesController, type: :controller do
      end
    end
  end
+
+  context 'without an oauth token' do
+    before do
+      allow(controller).to receive(:doorkeeper_token) { nil }
+    end
+
+    context 'with a private status' do
+      let(:status) { Fabricate(:status, account: user.account, visibility: :private) }
+
+      describe 'GET #show' do
+        it 'returns http unautharized' do
+          get :show, params: { id: status.id }
+          expect(response).to have_http_status(:missing)
+        end
+      end
+
+      describe 'GET #context' do
+        before do
+          Fabricate(:status, account: user.account, thread: status)
+        end
+
+        it 'returns http unautharized' do
+          get :context, params: { id: status.id }
+          expect(response).to have_http_status(:missing)
+        end
+      end
+
+      describe 'GET #card' do
+        it 'returns http unautharized' do
+          get :card, params: { id: status.id }
+          expect(response).to have_http_status(:missing)
+        end
+      end
+
+      describe 'GET #reblogged_by' do
+        before do
+          post :reblog, params: { id: status.id }
+        end
+
+        it 'returns http unautharized' do
+          get :reblogged_by, params: { id: status.id }
+          expect(response).to have_http_status(:missing)
+        end
+      end
+
+      describe 'GET #favourited_by' do
+        before do
+          post :favourite, params: { id: status.id }
+        end
+
+        it 'returns http unautharized' do
+          get :favourited_by, params: { id: status.id }
+          expect(response).to have_http_status(:missing)
+        end
+      end
+    end
+
+    context 'with a public status' do
+      let(:status) { Fabricate(:status, account: user.account, visibility: :public) }
+
+      describe 'GET #show' do
+        it 'returns http success' do
+          get :show, params: { id: status.id }
+          expect(response).to have_http_status(:success)
+        end
+      end
+
+      describe 'GET #context' do
+        before do
+          Fabricate(:status, account: user.account, thread: status)
+        end
+
+        it 'returns http success' do
+          get :context, params: { id: status.id }
+          expect(response).to have_http_status(:success)
+        end
+      end
+
+      describe 'GET #card' do
+        it 'returns http success' do
+          get :card, params: { id: status.id }
+          expect(response).to have_http_status(:success)
+        end
+      end
+
+      describe 'GET #reblogged_by' do
+        before do
+          post :reblog, params: { id: status.id }
+        end
+
+        it 'returns http success' do
+          get :reblogged_by, params: { id: status.id }
+          expect(response).to have_http_status(:success)
+        end
+      end
+
+      describe 'GET #favourited_by' do
+        before do
+          post :favourite, params: { id: status.id }
+        end
+
+        it 'returns http success' do
+          get :favourited_by, params: { id: status.id }
+          expect(response).to have_http_status(:success)
+        end
+      end
+    end
+  end
+end