From f41f16d450d29f16070dddad63547666817c4cbb Mon Sep 17 00:00:00 2001 From: Anton Khorev Date: Tue, 10 Dec 2024 12:31:35 +0300 Subject: [PATCH 1/3] Use resourceful routes for api trace show, update, destroy --- config/routes.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index f65042dd7d..cf5a380666 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -88,14 +88,13 @@ post "/user/messages/:id" => "messages#update", :as => :api_message_update post "gpx/create" => "traces#create" - get "gpx/:id" => "traces#show", :as => :api_trace, :id => /\d+/ - put "gpx/:id" => "traces#update", :id => /\d+/ - delete "gpx/:id" => "traces#destroy", :id => /\d+/ - get "gpx/:id/details" => "traces#show", :id => /\d+/ get "gpx/:id/data" => "traces#data", :as => :api_trace_data end namespace :api, :path => "api/0.6" do + resources :traces, :path => "gpx", :only => [:show, :update, :destroy], :id => /\d+/ + get "gpx/:id/details" => "traces#show", :id => /\d+/, :as => :trace_details + # Map notes API resources :notes, :except => [:new, :edit, :update], :id => /\d+/, :controller => "notes" do collection do From db3debdd9e5dd09717a7ed144b34158619c85e08 Mon Sep 17 00:00:00 2001 From: Anton Khorev Date: Sun, 8 Dec 2024 16:02:51 +0300 Subject: [PATCH 2/3] Use resourceful routes for api trace create --- config/routes.rb | 4 ++-- test/controllers/api/traces_controller_test.rb | 14 +++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index cf5a380666..3fe62dcb33 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -87,12 +87,12 @@ post "/user/messages/:id" => "messages#update", :as => :api_message_update - post "gpx/create" => "traces#create" get "gpx/:id/data" => "traces#data", :as => :api_trace_data end namespace :api, :path => "api/0.6" do - resources :traces, :path => "gpx", :only => [:show, :update, :destroy], :id => /\d+/ + resources :traces, :path => "gpx", :only => [:create, :show, :update, :destroy], :id => /\d+/ + post "gpx/create" => "traces#create", :id => /\d+/, :as => :trace_create get "gpx/:id/details" => "traces#show", :id => /\d+/, :as => :trace_details # Map notes API diff --git a/test/controllers/api/traces_controller_test.rb b/test/controllers/api/traces_controller_test.rb index 6ce35bc7cb..0bc5a8d36c 100644 --- a/test/controllers/api/traces_controller_test.rb +++ b/test/controllers/api/traces_controller_test.rb @@ -6,9 +6,13 @@ class TracesControllerTest < ActionDispatch::IntegrationTest # test all routes which lead to this controller def test_routes assert_routing( - { :path => "/api/0.6/gpx/create", :method => :post }, + { :path => "/api/0.6/gpx", :method => :post }, { :controller => "api/traces", :action => "create" } ) + assert_recognizes( + { :controller => "api/traces", :action => "create" }, + { :path => "/api/0.6/gpx/create", :method => :post } + ) assert_routing( { :path => "/api/0.6/gpx/1", :method => :get }, { :controller => "api/traces", :action => "show", :id => "1" } @@ -186,7 +190,7 @@ def test_create user = create(:user) # First with no auth - post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } + post api_traces_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" } assert_response :unauthorized # Rewind the file @@ -200,7 +204,7 @@ def test_create # Create trace and import tracepoints in background job perform_enqueued_jobs do - post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header + post api_traces_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header end assert_response :success @@ -232,7 +236,7 @@ def test_create # Now authenticated, with the legacy public flag assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v auth_header = bearer_authorization_header user - post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header + post api_traces_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header assert_response :success trace = Trace.find(response.body.to_i) assert_equal "a.gpx", trace.name @@ -251,7 +255,7 @@ def test_create second_user = create(:user) assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility") auth_header = bearer_authorization_header second_user - post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header + post api_traces_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header assert_response :success trace = Trace.find(response.body.to_i) assert_equal "a.gpx", trace.name From 3adb697385824cb7b7208825d9ba3535d8f4d67f Mon Sep 17 00:00:00 2001 From: Anton Khorev Date: Tue, 10 Dec 2024 14:06:26 +0300 Subject: [PATCH 3/3] Use resourceful routes for api trace data --- app/abilities/api_ability.rb | 2 +- app/controllers/api/traces/data_controller.rb | 36 ++++++ app/controllers/api/traces_controller.rb | 20 +-- config/routes.rb | 8 +- .../api/traces/data_controller_test.rb | 114 ++++++++++++++++++ .../controllers/api/traces_controller_test.rb | 100 --------------- 6 files changed, 157 insertions(+), 123 deletions(-) create mode 100644 app/controllers/api/traces/data_controller.rb create mode 100644 test/controllers/api/traces/data_controller_test.rb diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb index 96ed9b080f..c790da66ab 100644 --- a/app/abilities/api_ability.rb +++ b/app/abilities/api_ability.rb @@ -22,7 +22,7 @@ def initialize(user) if user&.active? can [:comment, :close, :reopen], Note - can [:create, :show, :update, :destroy, :data], Trace + can [:create, :show, :update, :destroy], Trace can [:details, :gpx_files], User can [:index, :show, :update, :update_all, :destroy], UserPreference diff --git a/app/controllers/api/traces/data_controller.rb b/app/controllers/api/traces/data_controller.rb new file mode 100644 index 0000000000..e04931cfbb --- /dev/null +++ b/app/controllers/api/traces/data_controller.rb @@ -0,0 +1,36 @@ +module Api + module Traces + class DataController < ApiController + before_action :set_locale + before_action :authorize + + authorize_resource :trace + + before_action :offline_error + + def show + trace = Trace.visible.find(params[:trace_id]) + + if trace.public? || trace.user == current_user + if request.format == Mime[:xml] + send_data(trace.xml_file.read, :filename => "#{trace.id}.xml", :type => request.format.to_s, :disposition => "attachment") + elsif request.format == Mime[:gpx] + send_data(trace.xml_file.read, :filename => "#{trace.id}.gpx", :type => request.format.to_s, :disposition => "attachment") + elsif trace.file.attached? + redirect_to rails_blob_path(trace.file, :disposition => "attachment") + else + send_file(trace.trace_name, :filename => "#{trace.id}#{trace.extension_name}", :type => trace.mime_type, :disposition => "attachment") + end + else + head :forbidden + end + end + + private + + def offline_error + report_error "GPX files offline for maintenance", :service_unavailable if Settings.status == "gpx_offline" + end + end + end +end diff --git a/app/controllers/api/traces_controller.rb b/app/controllers/api/traces_controller.rb index 76dfb3a2dc..e91261058e 100644 --- a/app/controllers/api/traces_controller.rb +++ b/app/controllers/api/traces_controller.rb @@ -6,7 +6,7 @@ class TracesController < ApiController authorize_resource - before_action :offline_error, :only => [:create, :destroy, :data] + before_action :offline_error, :only => [:create, :destroy] skip_around_action :api_call_timeout, :only => :create def show @@ -71,24 +71,6 @@ def destroy end end - def data - trace = Trace.visible.find(params[:id]) - - if trace.public? || trace.user == current_user - if request.format == Mime[:xml] - send_data(trace.xml_file.read, :filename => "#{trace.id}.xml", :type => request.format.to_s, :disposition => "attachment") - elsif request.format == Mime[:gpx] - send_data(trace.xml_file.read, :filename => "#{trace.id}.gpx", :type => request.format.to_s, :disposition => "attachment") - elsif trace.file.attached? - redirect_to rails_blob_path(trace.file, :disposition => "attachment") - else - send_file(trace.trace_name, :filename => "#{trace.id}#{trace.extension_name}", :type => trace.mime_type, :disposition => "attachment") - end - else - head :forbidden - end - end - private def do_create(file, tags, description, visibility) diff --git a/config/routes.rb b/config/routes.rb index 3fe62dcb33..871fef1bf2 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -86,12 +86,14 @@ end post "/user/messages/:id" => "messages#update", :as => :api_message_update - - get "gpx/:id/data" => "traces#data", :as => :api_trace_data end namespace :api, :path => "api/0.6" do - resources :traces, :path => "gpx", :only => [:create, :show, :update, :destroy], :id => /\d+/ + resources :traces, :path => "gpx", :only => [:create, :show, :update, :destroy], :id => /\d+/ do + scope :module => :traces do + resource :data, :only => :show + end + end post "gpx/create" => "traces#create", :id => /\d+/, :as => :trace_create get "gpx/:id/details" => "traces#show", :id => /\d+/, :as => :trace_details diff --git a/test/controllers/api/traces/data_controller_test.rb b/test/controllers/api/traces/data_controller_test.rb new file mode 100644 index 0000000000..b4aa399bef --- /dev/null +++ b/test/controllers/api/traces/data_controller_test.rb @@ -0,0 +1,114 @@ +require "test_helper" + +module Api + module Traces + class DataControllerTest < ActionDispatch::IntegrationTest + ## + # test all routes which lead to this controller + def test_routes + assert_routing( + { :path => "/api/0.6/gpx/1/data", :method => :get }, + { :controller => "api/traces/data", :action => "show", :trace_id => "1" } + ) + assert_routing( + { :path => "/api/0.6/gpx/1/data.xml", :method => :get }, + { :controller => "api/traces/data", :action => "show", :trace_id => "1", :format => "xml" } + ) + end + + # Test downloading a trace through the api + def test_show + public_trace_file = create(:trace, :visibility => "public", :fixture => "a") + + # First with no auth + get api_trace_data_path(public_trace_file) + assert_response :unauthorized + + # Now with some other user, which should work since the trace is public + auth_header = bearer_authorization_header + get api_trace_data_path(public_trace_file), :headers => auth_header + follow_redirect! + follow_redirect! + check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" + + # And finally we should be able to do it with the owner of the trace + auth_header = bearer_authorization_header public_trace_file.user + get api_trace_data_path(public_trace_file), :headers => auth_header + follow_redirect! + follow_redirect! + check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" + end + + # Test downloading a compressed trace through the api + def test_data_compressed + identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d") + + # Authenticate as the owner of the trace we will be using + auth_header = bearer_authorization_header identifiable_trace_file.user + + # First get the data as is + get api_trace_data_path(identifiable_trace_file), :headers => auth_header + follow_redirect! + follow_redirect! + check_trace_data identifiable_trace_file, "c6422a3d8750faae49ed70e7e8a51b93", "application/gzip", "gpx.gz" + + # Now ask explicitly for XML format + get api_trace_data_path(identifiable_trace_file, :format => "xml"), :headers => auth_header + check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d", "application/xml", "xml" + + # Now ask explicitly for GPX format + get api_trace_data_path(identifiable_trace_file, :format => "gpx"), :headers => auth_header + check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d" + end + + # Check an anonymous trace can't be downloaded by another user through the api + def test_data_anon + anon_trace_file = create(:trace, :visibility => "private", :fixture => "b") + + # First with no auth + get api_trace_data_path(anon_trace_file) + assert_response :unauthorized + + # Now with some other user, which shouldn't work since the trace is anon + auth_header = bearer_authorization_header + get api_trace_data_path(anon_trace_file), :headers => auth_header + assert_response :forbidden + + # And finally we should be able to do it with the owner of the trace + auth_header = bearer_authorization_header anon_trace_file.user + get api_trace_data_path(anon_trace_file), :headers => auth_header + follow_redirect! + follow_redirect! + check_trace_data anon_trace_file, "db4cb5ed2d7d2b627b3b504296c4f701" + end + + # Test downloading a trace that doesn't exist through the api + def test_data_not_found + deleted_trace_file = create(:trace, :deleted) + + # Try first with no auth, as it should require it + get api_trace_data_path(0) + assert_response :unauthorized + + # Login, and try again + auth_header = bearer_authorization_header + get api_trace_data_path(0), :headers => auth_header + assert_response :not_found + + # Now try a trace which did exist but has been deleted + auth_header = bearer_authorization_header deleted_trace_file.user + get api_trace_data_path(deleted_trace_file), :headers => auth_header + assert_response :not_found + end + + private + + def check_trace_data(trace, digest, content_type = "application/gpx+xml", extension = "gpx") + assert_response :success + assert_equal digest, Digest::MD5.hexdigest(response.body) + assert_equal content_type, response.media_type + assert_equal "attachment; filename=\"#{trace.id}.#{extension}\"; filename*=UTF-8''#{trace.id}.#{extension}", @response.header["Content-Disposition"] + end + end + end +end diff --git a/test/controllers/api/traces_controller_test.rb b/test/controllers/api/traces_controller_test.rb index 0bc5a8d36c..367bb6d21e 100644 --- a/test/controllers/api/traces_controller_test.rb +++ b/test/controllers/api/traces_controller_test.rb @@ -29,14 +29,6 @@ def test_routes { :controller => "api/traces", :action => "show", :id => "1" }, { :path => "/api/0.6/gpx/1/details", :method => :get } ) - assert_routing( - { :path => "/api/0.6/gpx/1/data", :method => :get }, - { :controller => "api/traces", :action => "data", :id => "1" } - ) - assert_routing( - { :path => "/api/0.6/gpx/1/data.xml", :method => :get }, - { :controller => "api/traces", :action => "data", :id => "1", :format => "xml" } - ) end # Check getting a specific trace through the api @@ -97,91 +89,6 @@ def test_show_not_found assert_response :not_found end - # Test downloading a trace through the api - def test_data - public_trace_file = create(:trace, :visibility => "public", :fixture => "a") - - # First with no auth - get api_trace_data_path(public_trace_file) - assert_response :unauthorized - - # Now with some other user, which should work since the trace is public - auth_header = bearer_authorization_header - get api_trace_data_path(public_trace_file), :headers => auth_header - follow_redirect! - follow_redirect! - check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" - - # And finally we should be able to do it with the owner of the trace - auth_header = bearer_authorization_header public_trace_file.user - get api_trace_data_path(public_trace_file), :headers => auth_header - follow_redirect! - follow_redirect! - check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" - end - - # Test downloading a compressed trace through the api - def test_data_compressed - identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d") - - # Authenticate as the owner of the trace we will be using - auth_header = bearer_authorization_header identifiable_trace_file.user - - # First get the data as is - get api_trace_data_path(identifiable_trace_file), :headers => auth_header - follow_redirect! - follow_redirect! - check_trace_data identifiable_trace_file, "c6422a3d8750faae49ed70e7e8a51b93", "application/gzip", "gpx.gz" - - # Now ask explicitly for XML format - get api_trace_data_path(identifiable_trace_file, :format => "xml"), :headers => auth_header - check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d", "application/xml", "xml" - - # Now ask explicitly for GPX format - get api_trace_data_path(identifiable_trace_file, :format => "gpx"), :headers => auth_header - check_trace_data identifiable_trace_file, "abd6675fdf3024a84fc0a1deac147c0d" - end - - # Check an anonymous trace can't be downloaded by another user through the api - def test_data_anon - anon_trace_file = create(:trace, :visibility => "private", :fixture => "b") - - # First with no auth - get api_trace_data_path(anon_trace_file) - assert_response :unauthorized - - # Now with some other user, which shouldn't work since the trace is anon - auth_header = bearer_authorization_header - get api_trace_data_path(anon_trace_file), :headers => auth_header - assert_response :forbidden - - # And finally we should be able to do it with the owner of the trace - auth_header = bearer_authorization_header anon_trace_file.user - get api_trace_data_path(anon_trace_file), :headers => auth_header - follow_redirect! - follow_redirect! - check_trace_data anon_trace_file, "db4cb5ed2d7d2b627b3b504296c4f701" - end - - # Test downloading a trace that doesn't exist through the api - def test_data_not_found - deleted_trace_file = create(:trace, :deleted) - - # Try first with no auth, as it should require it - get api_trace_data_path(:id => 0) - assert_response :unauthorized - - # Login, and try again - auth_header = bearer_authorization_header - get api_trace_data_path(:id => 0), :headers => auth_header - assert_response :not_found - - # Now try a trace which did exist but has been deleted - auth_header = bearer_authorization_header deleted_trace_file.user - get api_trace_data_path(deleted_trace_file), :headers => auth_header - assert_response :not_found - end - # Test creating a trace through the api def test_create # Get file to use @@ -358,13 +265,6 @@ def test_destroy private - def check_trace_data(trace, digest, content_type = "application/gpx+xml", extension = "gpx") - assert_response :success - assert_equal digest, Digest::MD5.hexdigest(response.body) - assert_equal content_type, response.media_type - assert_equal "attachment; filename=\"#{trace.id}.#{extension}\"; filename*=UTF-8''#{trace.id}.#{extension}", @response.header["Content-Disposition"] - end - ## # build XML for traces # this builds a minimum viable XML for the tests in this suite