discourse/app/models/api_key_scope.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

179 lines
6.0 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
class ApiKeyScope < ActiveRecord::Base
validates_presence_of :resource
validates_presence_of :action
class << self
def list_actions
actions = %w[list#category_feed]
%i[latest unread new top].each { |f| actions.concat(["list#category_#{f}", "list##{f}"]) }
actions
end
def default_mappings
2020-08-24 11:15:08 -04:00
return @default_mappings unless @default_mappings.nil?
2020-08-24 11:15:08 -04:00
mappings = {
global: {
read: { methods: %i[get] }
},
topics: {
2020-08-24 11:15:08 -04:00
write: { actions: %w[posts#create], params: %i[topic_id] },
update: { actions: %w[topics#update], params: %i[topic_id] },
read: {
2020-08-24 11:15:08 -04:00
actions: %w[topics#show topics#feed topics#posts],
params: %i[topic_id], aliases: { topic_id: :id }
},
read_lists: {
actions: list_actions, params: %i[category_id],
2020-08-24 11:15:08 -04:00
aliases: { category_id: :category_slug_path_with_id }
}
2020-08-24 11:15:08 -04:00
},
posts: {
edit: { actions: %w[posts#update], params: %i[id] }
},
categories: {
list: { actions: %w[categories#index] },
show: { actions: %w[categories#show], params: %i[id] }
},
uploads: {
create: {
actions: %w[
uploads#create
uploads#generate_presigned_put
uploads#complete_external_upload
uploads#create_multipart
uploads#batch_presign_multipart_parts
uploads#abort_multipart
uploads#complete_multipart
]
}
},
2020-08-24 11:15:08 -04:00
users: {
bookmarks: { actions: %w[users#bookmarks], params: %i[username] },
sync_sso: { actions: %w[admin/users#sync_sso], params: %i[sso sig] },
show: { actions: %w[users#show], params: %i[username external_id external_provider] },
check_emails: { actions: %w[users#check_emails], params: %i[username] },
update: { actions: %w[users#update], params: %i[username] },
log_out: { actions: %w[admin/users#log_out] },
anonymize: { actions: %w[admin/users#anonymize] },
delete: { actions: %w[admin/users#destroy] },
list: { actions: %w[admin/users#index] },
},
email: {
receive_emails: { actions: %w[admin/email#handle_mail admin/email#smtp_should_reject] }
},
badges: {
create: { actions: %w[admin/badges#create] },
show: { actions: %w[badges#show] },
update: { actions: %w[admin/badges#update] },
delete: { actions: %w[admin/badges#destroy] },
list_user_badges: { actions: %w[user_badges#username], params: %i[username] },
assign_badge_to_user: { actions: %w[user_badges#create], params: %i[username] },
revoke_badge_from_user: { actions: %w[user_badges#destroy] },
},
wordpress: {
publishing: { actions: %w[site#site posts#create topics#update topics#status topics#show] },
commenting: { actions: %w[topics#wordpress] },
discourse_connect: { actions: %w[admin/users#sync_sso admin/users#log_out admin/users#index users#show] },
utilities: { actions: %w[users#create groups#index] }
}
}
2020-08-24 11:15:08 -04:00
parse_resources!(mappings)
2020-08-24 11:15:08 -04:00
@default_mappings = mappings
end
def scope_mappings
plugin_mappings = DiscoursePluginRegistry.api_key_scope_mappings
return default_mappings if plugin_mappings.empty?
default_mappings.deep_dup.tap do |mappings|
plugin_mappings.each do |plugin_mapping|
parse_resources!(plugin_mapping)
mappings.deep_merge!(plugin_mapping)
end
end
end
def parse_resources!(mappings)
mappings.each_value do |resource_actions|
resource_actions.each_value do |action_data|
action_data[:urls] = find_urls(actions: action_data[:actions], methods: action_data[:methods])
end
end
end
def find_urls(actions:, methods:)
urls = Set.new
if actions.present?
route_sets = [Rails.application.routes]
Rails::Engine.descendants.each do |engine|
next if engine == Rails::Application # abstract engine, can't call routes on it
next if engine == Discourse::Application # equiv. to Rails.application
route_sets << engine.routes
end
route_sets.each do |set|
engine_mount_path = set.find_script_name({}).presence
engine_mount_path = nil if engine_mount_path == "/"
set.routes.each do |route|
defaults = route.defaults
action = "#{defaults[:controller].to_s}##{defaults[:action]}"
path = route.path.spec.to_s.gsub(/\(\.:format\)/, '')
api_supported_path = (
path.end_with?('.rss') ||
!route.path.requirements[:format] ||
route.path.requirements[:format].match?('json')
)
excluded_paths = %w[/new-topic /new-message /exception]
if actions.include?(action) && api_supported_path && !excluded_paths.include?(path)
urls << "#{engine_mount_path}#{path} (#{route.verb})"
end
end
end
end
if methods.present?
methods.each do |method|
urls << "* (#{method})"
end
end
urls.to_a
end
end
def permits?(env)
RouteMatcher.new(**mapping.except(:urls), allowed_param_values: allowed_parameters).match?(env: env)
end
private
def mapping
@mapping ||= self.class.scope_mappings.dig(resource.to_sym, action.to_sym)
end
end
# == Schema Information
#
# Table name: api_key_scopes
#
# id :bigint not null, primary key
# api_key_id :integer not null
# resource :string not null
# action :string not null
# allowed_parameters :json
# created_at :datetime not null
# updated_at :datetime not null
#
# Indexes
#
# index_api_key_scopes_on_api_key_id (api_key_id)
#