From dc88b378d50c0af78ef5bec32d2555f145a70385 Mon Sep 17 00:00:00 2001
From: Tim Cowlishaw
Date: Wed, 31 Jan 2024 15:50:34 +0100
Subject: [PATCH] dont show hardware_info to unauthorized users
---
 app/controllers/v0/devices_controller.rb | 23 ++---------------------
 app/models/device.rb | 8 ++++----
 app/views/v0/devices/_device.jbuilder | 7 +++++--
 spec/requests/v0/devices_spec.rb | 23 ++++++++++++++++++++++-
 4 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/app/controllers/v0/devices_controller.rb b/app/controllers/v0/devices_controller.rb
index 9ae77afa..514b350b 100644
--- a/app/controllers/v0/devices_controller.rb
+++ b/app/controllers/v0/devices_controller.rb
@@ -76,26 +76,7 @@ def destroy
 # debug method, must be refactored
 def fresh_world_map
- @devices = Device.where.not(latitude: nil).where.not(data: nil).includes(:owner,:tags).map do |device|
- {
- id: device.id,
- name: device.name,
- description: (device.description.present? ? device.description : nil),
- owner_id: device.owner_id,
- owner_username: device.owner_id ? device.owner_username : nil,
- latitude: device.latitude,
- longitude: device.longitude,
- city: device.city,
- country_code: device.country_code,
- is_private: device.is_private,
- state: device.state,
- system_tags: device.system_tags,
- user_tags: device.user_tags,
- updated_at: device.updated_at,
- last_reading_at: (device.last_reading_at.present? ? device.last_reading_at : nil)
- }
- end
- render json: @devices
+ render json: Device.for_world_map(current_user&.is_admin?)
 end
 def world_map
@@ -103,7 +84,7 @@ def world_map
 expires_in 30.seconds, public: true # CRON cURL every 60 seconds to cache
 end
- render json: Device.for_world_map
+ render json: Device.for_world_map(current_user&.is_admin?)
 end
 private
diff --git a/app/models/device.rb b/app/models/device.rb
index b10106bf..e27fe54c 100644
--- a/app/models/device.rb
+++ b/app/models/device.rb
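Review bot: `fresh_world_map` no longer bypasses caching: the replacement line renders `Device.for_world_map(current_user&.is_admin?)`, and per the device.rb hunk that method is wrapped in `Rails.cache.fetch("world_map", expires_in: 10.seconds)`, so the action is now a cached duplicate of `world_map` rather than the uncached debug view its name and the `# debug method` comment describe. Either remove the action or correct the comment, e.g. `# debug method: now served from the 10s "world_map" cache, no longer a fresh query`. The enclosing controller class continues outside the hunk.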
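Review bot: The `world_map` body now varies with `current_user&.is_admin?`, but the context line `expires_in 30.seconds, public: true` still marks the response publicly cacheable, so a shared cache or CDN in front of the app can hand an admin-rendered payload containing `hardware_info` to anonymous clients for the rest of the 30 seconds (or a filtered one to admins). Public caching should only apply to the unprivileged variant, e.g. `expires_in 30.seconds, public: !current_user&.is_admin?`, or the admin path should skip the `expires_in` branch entirely. The `if` that guards `expires_in` starts before the hunk, so its condition is not visible here.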
@@ -225,7 +225,7 @@ def self.geocode_all_without_location
 end
 end
- def self.for_world_map
+ def self.for_world_map(authorized=false)
 Rails.cache.fetch("world_map", expires_in: 10.seconds) do
 where
 .not(latitude: nil)
@@ -242,7 +242,7 @@ def self.for_world_map
 latitude: device.latitude,
 longitude: device.longitude,
 city: device.city,
- hardware: device.hardware,
+ hardware: device.hardware(authorized),
 country_code: device.country_code,
 state: device.state,
 system_tags: device.system_tags,
@@ -264,14 +264,14 @@ def update_component_timestamps(timestamp, sensor_ids)
 end
 end
- def hardware
+ def hardware(authorized=false)
 {
 name: hardware_name,
 type: hardware_type,
 description: hardware_description,
 version: hardware_version,
 slug: hardware_slug,
- info: hardware_info,
+ info: authorized ? hardware_info : "[FILTERED]",
 }
 end
diff --git a/app/views/v0/devices/_device.jbuilder b/app/views/v0/devices/_device.jbuilder
index dd18b389..8b00ae18 100644
--- a/app/views/v0/devices/_device.jbuilder
+++ b/app/views/v0/devices/_device.jbuilder
@@ -15,12 +15,13 @@ json.(
 :notify_low_battery,
 :notify_stopped_publishing,
 :last_reading_at,
- :hardware,
 :created_at,
 :updated_at
 )
-if current_user and (current_user.is_admin? or (device.owner_id and current_user.id == device.owner_id))
+authorized = current_user && (current_user.is_admin? || (device.owner_id && current_user.id == device.owner_id))
+
+if authorized
 json.merge! mac_address: device.mac_address
 json.merge! device_token: device.device_token
 else
@@ -28,6 +29,8 @@ else
 json.merge! device_token: '[FILTERED]'
 end
+json.merge!(hardware: device.hardware(authorized))
+
 if with_owner && device.owner
 json.owner do
 json.id device.owner.id
diff --git a/spec/requests/v0/devices_spec.rb b/spec/requests/v0/devices_spec.rb
index 88db0cf3..17fa50ad 100644
--- a/spec/requests/v0/devices_spec.rb
+++ b/spec/requests/v0/devices_spec.rb
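Review bot: `Rails.cache.fetch("world_map", expires_in: 10.seconds)` keys the entry without the new `authorized` parameter, so whichever request populates the cache decides the content for every caller during the next 10 seconds: an admin request stores the payload with `hardware_info`, and anonymous requests then read it back unfiltered (the reverse hides the field from admins). The second hunk, `hardware: device.hardware(authorized)`, runs inside that cached block, so the filtering this commit adds is not reliable on the world-map path. Key the entry by audience, e.g. `Rails.cache.fetch(["world_map", authorized ? "admin" : "public"], expires_in: 10.seconds) do`. The body of `for_world_map` continues outside the hunk.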
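Review bot: `def hardware(authorized=false)` introduces a bare boolean positional, which at call sites reads as `device.hardware(true)` with no hint of meaning; a keyword parameter, `def hardware(authorized: false)` called as `device.hardware(authorized: authorized)` from `for_world_map` and `_device.jbuilder`, is clearer and harder to misuse. The sentinel `"[FILTERED]"` is now spelled independently here and in `_device.jbuilder` (`'[FILTERED]'`), so a single frozen constant on `Device` would keep the two from drifting. The parameter also deserves a one-line contract since it is the only gate on `hardware_info`: `# @param authorized [Boolean] include hardware_info; the caller decides who qualifies`.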
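Review bot: The `authorized` flag passed to `device.hardware(authorized)` here is true for an admin or the device owner (the `owner_id` match in the first hunk), while `devices_controller.rb` passes only `current_user&.is_admin?` to `Device.for_world_map`, so `hardware_info` is owner-visible in the device representation but admin-only on the world map. If that difference is deliberate, record it next to the new line, e.g. `# hardware_info follows the mac_address/device_token rule (admin or owner); the world map is admin-only`; if not, compute the visibility predicate once on the model and use it from both call sites.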
@@ -24,7 +24,7 @@
 expect(json.length).to eq(2)
 # expect(json[0]['name']).to eq(first.name)
 # expect(json[1]['name']).to eq(second.name)
- expect(json[0].keys).to eq(%w(id uuid name description state postprocessing system_tags user_tags is_private notify_low_battery notify_stopped_publishing last_reading_at hardware created_at updated_at mac_address device_token owner data))
+ expect(json[0].keys).to eq(%w(id uuid name description state postprocessing system_tags user_tags is_private notify_low_battery notify_stopped_publishing last_reading_at created_at updated_at mac_address device_token hardware owner data))
 end
 describe "when not logged in" do
@@ -39,6 +39,13 @@
 expect(j.count).to eq(1)
 expect(j[0]['id']).to eq(device.id)
 end
+
+ it "does not show hardware_info" do
+ first = create(:device)
+ second = create(:device)
+ json = api_get 'devices'
+ expect(json[0]['hardware']['info']).to eq("[FILTERED]")
+ end
 end
 describe "when logged in as a normal user" do
@@ -53,6 +60,13 @@
 expect(j.count).to eq(2)
 expect(j[0]['id']).to be_in([device1.id, device2.id])
 end
+
+ it "does not show hardware_info" do
+ first = create(:device)
+ second = create(:device)
+ json = api_get 'devices', { access_token: token.token }
+ expect(json[0]['hardware']['info']).to eq("[FILTERED]")
+ end
 end
 describe "when logged in as an admin" do
@@ -67,6 +81,13 @@
 expect(j.count).to eq(3)
 expect(j[0]['id']).to be_in([device1.id, device2.id, device3.id])
 end
+
+ it "shows hardware_info" do
+ first = create(:device)
+ second = create(:device)
+ json = api_get 'devices', { access_token: admin_token.token}
+ expect(json[0]['hardware']['info']).not_to eq('[FILTERED]')
+ end
 end
 describe "world map" do
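Review bot: The admin example's `expect(json[0]['hardware']['info']).not_to eq('[FILTERED]')` also passes when the factory leaves `hardware_info` nil, so it does not show that the field is actually exposed; assert the real value for the device behind `json[0]['id']` instead of a negative. The `first` and `second` locals in all three new examples (hunks at -39, -53 and -67) are never referenced, so either assert against them or drop them. None of the new examples exercises the world-map endpoint, which is where this commit threads the `authorized` flag through a shared cache, so a mixed admin-then-anonymous request pair there would be the most valuable addition.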