From ce2cfcfb0b060d2983d23ee1957503aa069a1069 Mon Sep 17 00:00:00 2001
From: Rick Carlino
Date: Tue, 6 Dec 2016 09:42:02 -0600
Subject: [PATCH] Authorization
---
Gemfile | 2 +-
Gemfile.lock | 4 +++-
app/controllers/api/tools_controller.rb | 6 +++---
app/mutations/tools/base.rb | 19 +++++++++++++++++++
app/mutations/tools/create.rb | 11 +++-------
app/mutations/tools/update.rb | 11 ++++++++---
6 files changed, 37 insertions(+), 16 deletions(-)
create mode 100644 app/mutations/tools/base.rb
diff --git a/Gemfile b/Gemfile
index 2e8e48ded..cf1065fa8 100755
--- a/Gemfile
+++ b/Gemfile
@@ -18,7 +18,7 @@ group :development, :test do
gem "pry"
gem "factory_girl_rails"
gem "faker"
- gem "smarf_doc", github: "RickCarlino/smarf_doc"
+ gem "smarf_doc", git: "https://github.com/RickCarlino/smarf_doc.git"
gem "rails-erd"
gem "rspec"
gem "rspec-rails"
diff --git a/Gemfile.lock b/Gemfile.lock
index 37110b383..028776084 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,5 +1,5 @@
GIT
- remote: git://github.com/RickCarlino/smarf_doc.git
+ remote: https://github.com/RickCarlino/smarf_doc.git
revision: 40dc733363431c6153ccebbeb80df942a77f0b02
specs:
smarf_doc (1.0.0)
@@ -90,6 +90,7 @@ GEM
mutations (0.8.0)
activesupport
mysql (2.9.1)
+ mysql2 (0.4.5)
nio4r (1.2.1)
nokogiri (1.6.8.1)
mini_portile2 (~> 2.1.0)
@@ -202,6 +203,7 @@ DEPENDENCIES
jwt
mutations
mysql
+ mysql2
pg
pry
rack-cors
diff --git a/app/controllers/api/tools_controller.rb b/app/controllers/api/tools_controller.rb
index 8e0e6739f..5c05605a8 100644
--- a/app/controllers/api/tools_controller.rb
+++ b/app/controllers/api/tools_controller.rb
@@ -25,8 +25,8 @@ private
def update_params
output = {tool: tool}
- output[:name] = params[:name] if params[:name]
- output[:tool_slot] = tool_slot if params[:tool_slot_id]
+ output[:name] = params[:name] if params[:name]
+ output[:tool_slot] = params[:tool_slot_id] if params[:tool_slot_id]
output
end
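Review bot: The `+` line in the Gemfile hunk still leaves the dependency unpinned at the Gemfile level: `git:` with no `ref:`/`tag:` resolves to the default branch on every `bundle update`, and only the lockfile's `revision:` (in the next file section) holds the commit, so a change or force-push to that branch lands on the next update without any Gemfile diff to review. Dropping the `github:` shorthand is the right move, since the lockfile's old `remote: git://…` line shows the gem was previously fetched over unauthenticated, unencrypted git://. I would pin explicitly: `gem "smarf_doc", git: "https://github.com/RickCarlino/smarf_doc.git", ref: "40dc733363431c6153ccebbeb80df942a77f0b02"`.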
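Review bot: The added `output[:tool_slot] = params[:tool_slot_id] if params[:tool_slot_id]` hands a raw id to the mutation under the key `:tool_slot`, but `Tools::Update` in this same patch now declares the input as `integer :tool_slot_id` and keys its ownership check on `tool_slot_id`. If this hash feeds `Tools::Update.run` (the caller is outside the hunk), the mismatched key is, as far as I recall of Mutations' input filtering, silently dropped rather than rejected, so slot changes are ignored — and were the key ever honoured downstream it would bypass `it_is_your_tool_slot` entirely. The line should be `output[:tool_slot_id] = params[:tool_slot_id] if params[:tool_slot_id]`. The `output[:name]` `-`/`+` pair appears to differ only in whitespace and could be left out of the change.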
@@ -34,9 +34,9 @@ private
if @create_params
@create_params
else
- tsid = params[:tool_slot_id]
@create_params = { name: params[:name], device: current_device }
+ tsid = params[:tool_slot_id]
@create_params[:tool_slot_id] = tsid if tsid
@create_params
end
diff --git a/app/mutations/tools/base.rb b/app/mutations/tools/base.rb
new file mode 100644
index 000000000..3b97deb69
--- /dev/null
+++ b/app/mutations/tools/base.rb
@@ -0,0 +1,19 @@
+module Tools
+ class Base < Mutations::Command
+ def it_is_your_tool_slot
+ (tool_slot.tool_bay.device_id == device.id)
+ end
+
+ def tool_slot
+ @tool_slot ||= ToolSlot.find_by(id: tool_slot_id)
+ end
+
+ def forbidden!
+ raise Errors::Forbidden
+ end
+
+ def bad_tool_slot_id!
+ add_error :tool_slot, :bad, "Bad tool slot ID"
+ end
+ end
+end
\ No newline at end of file
diff --git a/app/mutations/tools/create.rb b/app/mutations/tools/create.rb
index 4e3cc7ad4..52d0cefb0 100644
--- a/app/mutations/tools/create.rb
+++ b/app/mutations/tools/create.rb
@@ -1,5 +1,5 @@
module Tools
- class Create < Mutations::Command
+ class Create < Tools::Base
required do
string :name
model :device, class: Device
@@ -10,17 +10,12 @@ module Tools
end
def validate
- puts "TODO: Validate user authorizations"
+ bad_tool_slot_id! unless tool_slot
+ forbidden! if tool_slot_id && !it_is_your_tool_slot
end
def execute
Tool.create!(inputs)
end
-
- private
-
- def query
- @query ||= ToolBay::DeviceQuery.new(device)
- end
end
end
diff --git a/app/mutations/tools/update.rb b/app/mutations/tools/update.rb
index bc041c873..b6063ba7a 100644
--- a/app/mutations/tools/update.rb
+++ b/app/mutations/tools/update.rb
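Review bot: `it_is_your_tool_slot` calls `tool_slot.tool_bay.device_id` with no nil guard, and both callers in this patch reach it with `tool_slot` nil when the id is unknown (`bad_tool_slot_id!` adds an error but does not return), so an unknown or bay-less slot id raises NoMethodError out of `validate` and surfaces as a 500 instead of the 403/422 these helpers exist to produce. It also reads `device`, which `Tools::Update` does not declare as an input, so the Update path as written cannot perform the ownership check at all. Because `ToolSlot.find_by(id:)` is unscoped, a caller can distinguish another device's slot (forbidden) from a nonexistent one (bad id), a small enumeration oracle; scoping the lookup to the caller's device's tool bays would close it and make the separate ownership comparison redundant. At minimum I would make the predicate nil-safe: `def it_is_your_tool_slot; !tool_slot.nil? && !tool_slot.tool_bay.nil? && tool_slot.tool_bay.device_id == device.id; end` (or `tool_slot&.tool_bay&.device_id == device.id` if the app is on Ruby 2.3+).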
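Review bot: `bad_tool_slot_id! unless tool_slot` fails validation whenever no slot id was supplied, because `tool_slot` is then `ToolSlot.find_by(id: nil)` and returns nil; if `tool_slot_id` is optional here, as the controller's `create_params` (set only `if tsid`) and the parallel guard in `Tools::Update` suggest, every slot-less tool create is now rejected with "Bad tool slot ID". The line should match Update: `bad_tool_slot_id! if tool_slot_id && !tool_slot`. Even then, an id that is given but unknown still reaches `it_is_your_tool_slot` on the next line with a nil slot and raises NoMethodError rather than returning the 422, so return after recording the error, e.g. `return bad_tool_slot_id! if tool_slot_id && !tool_slot`. The `optional` block that would settle whether the id is optional sits in the gap between the two hunks.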
@@ -1,12 +1,17 @@
module Tools
- class Update < Mutations::Command
+ class Update < Tools::Base
required do
- model :tool, class: Tool
+ model :tool, class: Tool
end
optional do
string :name
- model :tool_slot, class: ToolSlot
+ integer :tool_slot_id
+ end
+
+ def validate
+ bad_tool_slot_id! if tool_slot_id && !tool_slot
+ forbidden! if tool_slot_id && !it_is_your_tool_slot
end
def execute