Skip to content

Modify abilities to prevent link sharing #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Dec 5, 2022
Merged

Modify abilities to prevent link sharing #90

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
c818509
Create draft PR for #89
loiswells97 Nov 25, 2022
08a3888
Update ability to prevent link sharing unless starter or example project
loiswells97 Nov 25, 2022
e9f94fc
Merge branch 'main' into issues/89-Modify_abilities_to_prevent_link_s…
loiswells97 Nov 28, 2022
356c737
some fixes
loiswells97 Dec 1, 2022
201efff
adding project show tests for new abilities
loiswells97 Dec 1, 2022
7606480
removing files added by mistake
loiswells97 Dec 1, 2022
7c25431
Adding ability spec and fixing rubocop
loiswells97 Dec 1, 2022
d349a28
Merge branch 'main' into issues/89-Modify_abilities_to_prevent_link_s…
patch0 Dec 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ GEM
public_suffix (>= 2.0.2, < 6.0)
ast (2.4.2)
aws-eventstream (1.2.0)
aws-partitions (1.664.0)
aws-partitions (1.666.0)
aws-sdk-core (3.168.1)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.651.0)
Expand All @@ -85,7 +85,7 @@ GEM
aws-sigv4 (~> 1.4)
aws-sigv4 (1.5.2)
aws-eventstream (~> 1, >= 1.0.2)
bootsnap (1.14.0)
bootsnap (1.15.0)
msgpack (~> 1.2)
builder (3.2.4)
byebug (11.1.3)
Expand Down Expand Up @@ -124,7 +124,7 @@ GEM
jbuilder (2.11.5)
actionview (>= 5.0.0)
activesupport (>= 5.0.0)
jmespath (1.6.1)
jmespath (1.6.2)
json (2.6.2)
loofah (2.19.0)
crass (~> 1.0.2)
Expand All @@ -150,7 +150,7 @@ GEM
nokogiri (1.13.9-x86_64-linux)
racc (~> 1.4)
parallel (1.22.1)
parser (3.1.2.1)
parser (3.1.3.0)
ast (~> 2.4.1)
pg (1.4.5)
pry (0.14.1)
Expand Down Expand Up @@ -261,7 +261,7 @@ GEM
actionpack (>= 5.2)
activesupport (>= 5.2)
sprockets (>= 3.0.0)
stimulus-rails (1.1.1)
stimulus-rails (1.2.0)
railties (>= 6.0.0)
thor (1.2.1)
timeout (0.3.0)
Expand Down Expand Up @@ -315,7 +315,7 @@ DEPENDENCIES
webmock

RUBY VERSION
ruby 3.1.2p20
ruby 3.1.3p185

BUNDLED WITH
2.3.7
2.3.26
4 changes: 2 additions & 2 deletions app/models/ability.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,10 @@ class Ability
include CanCan::Ability

def initialize(user)
can :show, Project
can :show, Project, user_id: nil

return if user.blank?

can %i[create index destroy update], Project, user_id: user
can %i[create show index destroy update], Project, user_id: user
end
end
3 changes: 1 addition & 2 deletions lib/concepts/project/operations/create.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ class Create
class << self
def call(project_hash:)
response = OperationResponse.new

response[:project] = build_project(project_hash)
response[:project].save!
response
Expand All @@ -22,7 +21,7 @@ def build_project(project_hash)
new_project = Project.new(project_hash.except(:components, :image_list).merge(identifier:))
new_project.components.build(project_hash[:components])

project_hash[:image_list].each do |image|
(project_hash[:image_list] || []).each do |image|
new_project.images.attach(image.blob)
end

Expand Down
60 changes: 60 additions & 0 deletions spec/models/ability_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# frozen_string_literal: true

require 'cancan/matchers'
require 'rails_helper'

RSpec.describe Ability do
subject { described_class.new(user) }

let(:project) { build(:project) }
let(:another_project) { build(:project) }
let(:starter_project) { build(:project, user_id: nil) }

context 'when no user' do
let(:user) { nil }

context 'with a starter project' do
it { is_expected.not_to be_able_to(:index, starter_project) }
it { is_expected.to be_able_to(:show, starter_project) }
it { is_expected.not_to be_able_to(:create, starter_project) }
it { is_expected.not_to be_able_to(:update, starter_project) }
it { is_expected.not_to be_able_to(:destroy, starter_project) }
end

context 'with an owned project' do
it { is_expected.not_to be_able_to(:index, project) }
it { is_expected.not_to be_able_to(:show, project) }
it { is_expected.not_to be_able_to(:create, project) }
it { is_expected.not_to be_able_to(:update, project) }
it { is_expected.not_to be_able_to(:destroy, project) }
end
end

context 'when user present' do
let(:user) { project.user_id }

context 'with a starter project' do
it { is_expected.not_to be_able_to(:index, starter_project) }
it { is_expected.to be_able_to(:show, starter_project) }
it { is_expected.not_to be_able_to(:create, starter_project) }
it { is_expected.not_to be_able_to(:update, starter_project) }
it { is_expected.not_to be_able_to(:destroy, starter_project) }
end

context 'with own project' do
it { is_expected.to be_able_to(:index, project) }
it { is_expected.to be_able_to(:show, project) }
it { is_expected.to be_able_to(:create, project) }
it { is_expected.to be_able_to(:update, project) }
it { is_expected.to be_able_to(:destroy, project) }
end

context 'with another user\'s project' do
it { is_expected.not_to be_able_to(:index, another_project) }
it { is_expected.not_to be_able_to(:show, another_project) }
it { is_expected.not_to be_able_to(:create, another_project) }
it { is_expected.not_to be_able_to(:update, another_project) }
it { is_expected.not_to be_able_to(:destroy, another_project) }
end
end
end
107 changes: 92 additions & 15 deletions spec/request/projects/show_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

RSpec.describe 'Project show requests', type: :request do
let!(:project) { create(:project) }
let(:expected_json) do
let(:project_json) do
{
identifier: project.identifier,
project_type: 'python',
Expand All @@ -15,25 +15,102 @@
}.to_json
end

it 'returns success response' do
get "/api/projects/#{project.identifier}"
context 'when user is logged in' do
before do
mock_oauth_user(project.user_id)
end

expect(response).to have_http_status(:ok)
end
context 'when loading own project' do
it 'returns success response' do
get "/api/projects/#{project.identifier}"

it 'returns json' do
get "/api/projects/#{project.identifier}"
expect(response.content_type).to eq('application/json; charset=utf-8')
end
expect(response).to have_http_status(:ok)
end

it 'returns json' do
get "/api/projects/#{project.identifier}"
expect(response.content_type).to eq('application/json; charset=utf-8')
end

it 'returns the project json' do
get "/api/projects/#{project.identifier}"
expect(response.body).to eq(project_json)
end
end

context 'when loading another user\'s project' do
let!(:another_project) { create(:project) }
let(:another_project_json) do
{
identifier: another_project.identifier,
project_type: 'python',
name: another_project.name,
user_id: another_project.user_id,
components: [],
image_list: []
}.to_json
end

it 'returns forbidden response' do
get "/api/projects/#{another_project.identifier}"

expect(response).to have_http_status(:forbidden)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'd rather this was :not_found (no immediate information leakage about whether a project exists)

Timing attacks would still give it away though, as less work is (probably) being done if no project is found.

Happy for this to be pushed into a new issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interestingly, we now have separate design for these two cases, so maybe this is part of a wider discussion...

end

it 'returns the project json' do
get "/api/projects/#{project.identifier}"
expect(response.body).to eq(expected_json)
it 'does not return the project json' do
get "/api/projects/#{another_project.identifier}"
expect(response.body).not_to include(another_project_json)
end
end
end

it 'returns 404 response if invalid project' do
get '/api/projects/no-such-project'
context 'when user is not logged in' do
context 'when loading a starter project' do
let!(:starter_project) { create(:project, user_id: nil) }
let(:starter_project_json) do
{
identifier: starter_project.identifier,
project_type: 'python',
name: starter_project.name,
user_id: starter_project.user_id,
components: [],
image_list: []
}.to_json
end

it 'returns success response' do
get "/api/projects/#{starter_project.identifier}"

expect(response).to have_http_status(:ok)
end

it 'returns json' do
get "/api/projects/#{starter_project.identifier}"
expect(response.content_type).to eq('application/json; charset=utf-8')
end

it 'returns the project json' do
get "/api/projects/#{starter_project.identifier}"
expect(response.body).to eq(starter_project_json)
end

it 'returns 404 response if invalid project' do
get '/api/projects/no-such-project'
expect(response).to have_http_status(:not_found)
end
end

context 'when loading an owned project' do
it 'returns forbidden response' do
get "/api/projects/#{project.identifier}"

expect(response).to have_http_status(:forbidden)
end

expect(response).to have_http_status(:not_found)
it 'does not return the project json' do
get "/api/projects/#{project.identifier}"
expect(response.body).not_to include(project_json)
end
end
end
end
Empty file removed tmp/pids/.keep
View file
Open in desktop
Empty file.
Empty file removed tmp/storage/.keep
View file
Open in desktop
Empty file.