Discource-C
/
discourse-data-explorer
mirror of https://github.com/discourse/discourse-data-explorer.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse-data-explorer/spec/integration/custom_api_key_scopes_spec.rb

103 lines
3.1 KiB
Ruby
Raw Normal View History

FEATURE: Add an API scope for running queries (#154)
2022-01-20 23:15:04 -05:00
# frozen_string_literal: true
require 'rails_helper'
describe 'API keys scoped to query#run' do
before do
SiteSetting.data_explorer_enabled = true
end
fab!(:query1) { DataExplorer::Query.create!(name: "Query 1", sql: "SELECT 1 AS query1_res") }
fab!(:query2) { DataExplorer::Query.create!(name: "Query 2", sql: "SELECT 1 AS query2_res") }
fab!(:admin) { Fabricate(:admin) }
let(:all_queries_api_key) do
key = ApiKey.create!
ApiKeyScope.create!(
resource: "data_explorer",
action: "run_queries",
api_key_id: key.id
)
key
end
let(:single_query_api_key) do
key = ApiKey.create!
ApiKeyScope.create!(
resource: "data_explorer",
action: "run_queries",
api_key_id: key.id,
allowed_parameters: { "id" => [query1.id.to_s] }
)
key
end
it 'cannot hit any other endpoints' do
get "/latest.json", headers: {
"Api-Key" => all_queries_api_key.key,
"Api-Username" => admin.username
}
expect(response.status).to eq(403)
get "/latest.json", headers: {
"Api-Key" => single_query_api_key.key,
"Api-Username" => admin.username
}
expect(response.status).to eq(403)
get "/u/#{admin.username}.json", headers: {
"Api-Key" => all_queries_api_key.key,
"Api-Username" => admin.username
}
expect(response.status).to eq(403)
get "/u/#{admin.username}.json", headers: {
"Api-Key" => single_query_api_key.key,
"Api-Username" => admin.username
}
expect(response.status).to eq(403)
end
it "can only run the queries they're allowed to run" do
expect {
post "/admin/plugins/explorer/queries/#{query1.id}/run.json", headers: {
"Api-Key" => single_query_api_key.key,
"Api-Username" => admin.username
}
}.to change { query1.reload.last_run_at }
expect(response.status).to eq(200)
expect(response.parsed_body["success"]).to eq(true)
expect(response.parsed_body["columns"]).to eq(["query1_res"])
expect {
post "/admin/plugins/explorer/queries/#{query2.id}/run.json", headers: {
"Api-Key" => single_query_api_key.key,
"Api-Username" => admin.username
}
}.not_to change { query2.reload.last_run_at }
expect(response.status).to eq(403)
end
it "can run all queries if they're not restricted to any queries" do
expect {
post "/admin/plugins/explorer/queries/#{query1.id}/run.json", headers: {
"Api-Key" => all_queries_api_key.key,
"Api-Username" => admin.username
}
}.to change { query1.reload.last_run_at }
expect(response.status).to eq(200)
expect(response.parsed_body["success"]).to eq(true)
expect(response.parsed_body["columns"]).to eq(["query1_res"])
expect {
post "/admin/plugins/explorer/queries/#{query2.id}/run.json", headers: {
"Api-Key" => all_queries_api_key.key,
"Api-Username" => admin.username
}
}.to change { query2.reload.last_run_at }
expect(response.status).to eq(200)
expect(response.parsed_body["success"]).to eq(true)
expect(response.parsed_body["columns"]).to eq(["query2_res"])
end
end