From 03f6809b7a235997de426c26fff6fceae8b5b612 Mon Sep 17 00:00:00 2001
From: Syphax Bouazzouni
Date: Tue, 28 Nov 2023 05:50:07 +0100
Subject: [PATCH] update slices controller to enforce admin security
---
bin/ontoportal | 7 ++++--
controllers/slices_controller.rb | 5 ++++-
test/controllers/test_slices_controller.rb | 26 ++++++++++++++--------
3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/bin/ontoportal b/bin/ontoportal
index 573b49c7..4168a726 100755
--- a/bin/ontoportal
+++ b/bin/ontoportal
@@ -52,8 +52,7 @@ create_config_files() {
# Function to handle the "dev" option dev() { echo "Starting Ontoportal API development server..."
-
- create_config_files
+
local reset_cache=false local api_url=""
@@ -145,6 +144,10 @@ run() {
docker compose run --rm -it api bash -c "$*" }
+
+
+create_config_files
+
# Main script logic case "$1" in "run")
diff --git a/controllers/slices_controller.rb b/controllers/slices_controller.rb
index a31f799e..9033222c 100644
--- a/controllers/slices_controller.rb
+++ b/controllers/slices_controller.rb
@@ -41,17 +41,20 @@ class SlicesController < ApplicationController
## # Create a new slice post do
+ error 403, "Access denied" unless current_user && current_user.admin?
create_slice end # Delete a slice delete '/:slice' do
+ error 403, "Access denied" unless current_user && current_user.admin?
LinkedData::Models::Slice.find(params[:slice]).first.delete halt 204 end # Update an existing slice patch '/:slice' do
+ error 403, "Access denied" unless current_user && current_user.admin?
slice = LinkedData::Models::Slice.find(params[:slice]).include(LinkedData::Models::Slice.attributes(:all)).first populate_from_params(slice, params) if slice.valid?
@@ -61,7 +64,7 @@ class SlicesController < ApplicationController
end halt 204 end
-
+
private def create_slice
diff --git a/test/controllers/test_slices_controller.rb b/test/controllers/test_slices_controller.rb
index 9eb9c404..601b15a7 100644
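Review bot: `create_config_files` now runs unconditionally before the `case "$1" in` dispatch, so every subcommand — including `run`, and an empty or unrecognized `$1` — creates config files on the host, where previously only `dev` did. If every subcommand really depends on those files, record that above the call with `# generated config files are required by every subcommand below`; otherwise keep the call inside the branches that need it. The `case` body continues past the hunk and what `create_config_files` writes is not visible here, so this is a question rather than a confirmed defect.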
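Review bot: The guard `error 403, "Access denied" unless current_user && current_user.admin?` is pasted verbatim into the `post`, `delete` and `patch` handlers; a single `before` filter scoped to the mutating routes, or a private helper such as `check_admin!` (or whatever ApplicationController already provides, if anything), keeps the three in sync so a future write route cannot silently miss it, and `current_user&.admin?` reads the same. The guard is correctly placed ahead of the `Slice.find` lookup, so non-admins learn nothing about which acronyms exist. Whether `current_user` is nil or a default user when `LinkedData.settings.enable_security` is off (the test suite saves that setting, so it is evidently toggled) is not visible here — confirm the write routes behave as intended in that mode. Separately, `LinkedData::Models::Slice.find(params[:slice]).first.delete` in the `delete` handler still dereferences a nil `first` for an unknown acronym and surfaces as a 500 rather than a 404; a `halt 404` on a missing slice would be a small follow-up.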
--- a/test/controllers/test_slices_controller.rb
+++ b/test/controllers/test_slices_controller.rb
@@ -3,11 +3,19 @@ class TestSlicesController < TestCase
def self.before_suite
- onts = LinkedData::SampleData::Ontology.create_ontologies_and_submissions(ont_count: 1, submission_count: 0)[2]
+ ont_count, ont_acronyms, @@onts = LinkedData::SampleData::Ontology.create_ontologies_and_submissions(ont_count: 1, submission_count: 0)
@@slice_acronyms = ["tst-a", "tst-b"].sort
- _create_slice(@@slice_acronyms[0], "Test Slice A", onts)
- _create_slice(@@slice_acronyms[1], "Test Slice B", onts)
+ _create_slice(@@slice_acronyms[0], "Test Slice A", @@onts)
+ _create_slice(@@slice_acronyms[1], "Test Slice B", @@onts)
+
+ @@user = User.new({ username: "test-slice", email: "test-slice@example.org", password: "12345" }).save
+ @@new_slice_data = { acronym: 'tst-c', name: "Test Slice C", ontologies: ont_acronyms}
+ @@old_security_setting = LinkedData.settings.enable_security
end def self.after_suite
@@ -26,7 +34,7 @@ def test_all_slices
get "/slices" assert last_response.ok? slices = MultiJson.load(last_response.body)
- assert_equal @@slice_acronyms, slices.map {|s| s["acronym"]}.sort
+ assert_equal @@slice_acronyms, slices.map { |s| s["acronym"] }.sort
end def test_create_slices
@@ -61,11 +69,11 @@ def test_delete_slices
def self._create_slice(acronym, name, ontologies) slice = LinkedData::Models::Slice.new({
- acronym: acronym,
- name: "Test #{name}",
- ontologies: ontologies
- })
+ acronym: acronym,
+ name: "Test #{name}",
+ ontologies: ontologies
+ })
slice.save end
-end
+end
\ No newline at end of file
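Review bot: `ont_count` in `ont_count, ont_acronyms, @@onts = LinkedData::SampleData::Ontology.create_ontologies_and_submissions(...)` is never used in the hunk; write it as `_ont_count` so the discarded element of the destructuring is explicit. `@@old_security_setting = LinkedData.settings.enable_security` is captured here, which implies some test flips `enable_security`; that value must be restored in `after_suite` (its body is outside the hunk) or the changed setting leaks into every suite that runs later in the same process. `@@user` is saved with no admin flag visible in this hunk, so it presumably stands in for the non-admin caller the new 403 checks reject — a comment such as `# plain (non-admin) user: the slice write endpoints must refuse it` would make that role clear to the next reader, if that is indeed its purpose.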