115 lines
3.3 KiB
Ruby
115 lines
3.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "rails_helper"
|
|
|
|
describe "API keys scoped to query#run" do
|
|
before { SiteSetting.data_explorer_enabled = true }
|
|
|
|
fab!(:query1) do
|
|
DiscourseDataExplorer::Query.create!(name: "Query 1", sql: "SELECT 1 AS query1_res")
|
|
end
|
|
fab!(:query2) do
|
|
DiscourseDataExplorer::Query.create!(name: "Query 2", sql: "SELECT 1 AS query2_res")
|
|
end
|
|
fab!(:admin)
|
|
|
|
let(:all_queries_api_key) do
|
|
key = ApiKey.create!
|
|
ApiKeyScope.create!(
|
|
resource: "discourse_data_explorer",
|
|
action: "run_queries",
|
|
api_key_id: key.id,
|
|
)
|
|
key
|
|
end
|
|
|
|
let(:single_query_api_key) do
|
|
key = ApiKey.create!
|
|
ApiKeyScope.create!(
|
|
resource: "discourse_data_explorer",
|
|
action: "run_queries",
|
|
api_key_id: key.id,
|
|
allowed_parameters: {
|
|
"id" => [query1.id.to_s],
|
|
},
|
|
)
|
|
key
|
|
end
|
|
|
|
it "cannot hit any other endpoints" do
|
|
get "/latest.json",
|
|
headers: {
|
|
"Api-Key" => all_queries_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
expect(response.status).to eq(403)
|
|
|
|
get "/latest.json",
|
|
headers: {
|
|
"Api-Key" => single_query_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
expect(response.status).to eq(403)
|
|
|
|
get "/u/#{admin.username}.json",
|
|
headers: {
|
|
"Api-Key" => all_queries_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
expect(response.status).to eq(403)
|
|
|
|
get "/u/#{admin.username}.json",
|
|
headers: {
|
|
"Api-Key" => single_query_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
expect(response.status).to eq(403)
|
|
end
|
|
|
|
it "can only run the queries they're allowed to run" do
|
|
expect {
|
|
post "/admin/plugins/explorer/queries/#{query1.id}/run.json",
|
|
headers: {
|
|
"Api-Key" => single_query_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
}.to change { query1.reload.last_run_at }
|
|
expect(response.status).to eq(200)
|
|
expect(response.parsed_body["success"]).to eq(true)
|
|
expect(response.parsed_body["columns"]).to eq(["query1_res"])
|
|
|
|
expect {
|
|
post "/admin/plugins/explorer/queries/#{query2.id}/run.json",
|
|
headers: {
|
|
"Api-Key" => single_query_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
}.not_to change { query2.reload.last_run_at }
|
|
expect(response.status).to eq(403)
|
|
end
|
|
|
|
it "can run all queries if they're not restricted to any queries" do
|
|
expect {
|
|
post "/admin/plugins/explorer/queries/#{query1.id}/run.json",
|
|
headers: {
|
|
"Api-Key" => all_queries_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
}.to change { query1.reload.last_run_at }
|
|
expect(response.status).to eq(200)
|
|
expect(response.parsed_body["success"]).to eq(true)
|
|
expect(response.parsed_body["columns"]).to eq(["query1_res"])
|
|
|
|
expect {
|
|
post "/admin/plugins/explorer/queries/#{query2.id}/run.json",
|
|
headers: {
|
|
"Api-Key" => all_queries_api_key.key,
|
|
"Api-Username" => admin.username,
|
|
}
|
|
}.to change { query2.reload.last_run_at }
|
|
expect(response.status).to eq(200)
|
|
expect(response.parsed_body["success"]).to eq(true)
|
|
expect(response.parsed_body["columns"]).to eq(["query2_res"])
|
|
end
|
|
end
|