removes blacklist prototype and adds auth check for app

artsy · Nov 17, 2017 · d665a5b · d665a5b
1 parent aafd13d
commit d665a5b
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 56 deletions.
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
@@ -25,10 +25,6 @@ def set_submission
       @submission = Submission.find(submission_id)
     end
 
-    def set_current_user_roles
-      current_user_roles
-    end
-
     def require_authentication
       raise ApplicationController::NotAuthorized unless current_app && current_user
     end
@@ -57,7 +53,7 @@ def current_user
     end
 
     def current_user_roles
-      @current_user_roles ||= jwt_payload&.fetch('roles', [])&.split(',')
+      @current_user_roles ||= jwt_payload&.fetch('roles', '')&.split(',')
     end
   end
 end
diff --git a/app/controllers/api/graphql_controller.rb b/app/controllers/api/graphql_controller.rb
@@ -8,8 +8,7 @@ def execute
           current_application: current_app,
           current_user: current_user,
           current_user_roles: current_user_roles
-        },
-        except: Util::PermissionBlacklist
+        }
       )
       render json: result, status: 200
     end

diff --git a/app/graph/mutations.rb b/app/graph/mutations.rb
@@ -17,9 +17,9 @@ module Mutations
       argument :submission, Inputs::SubmissionInput::Update
       permit ['user']
 
-      resolve ->(_obj, args, _context) {
-        submission = Submission.find_by(id: args[:submission][:id]) ||
-                     raise(GraphQL::ExecutionError, 'Submission Not Found')
+      resolve ->(_obj, args, context) {
+        submission = Submission.find_by(id: args[:submission][:id])
+        raise(GraphQL::ExecutionError, 'Submission Not Found') unless submission && submission.user_id == context[:current_user]
         SubmissionService.update_submission(submission, args[:submission].to_h.except(:id))
         submission.reload
       }

diff --git a/app/graph/types/query_type.rb b/app/graph/types/query_type.rb
@@ -3,7 +3,7 @@ module Types
     name 'Query'
     description 'Query root for this schema'
     field :submission, types[Types::SubmissionType] do
-      description 'Find Submissions'
+      description 'Find a Submission'
       argument :ids, types[types.ID]
       argument :id, types.ID
       permit ['admin']

diff --git a/app/graph/util/authorization_instrumentation.rb b/app/graph/util/authorization_instrumentation.rb
@@ -27,7 +27,7 @@ def requires_authorization?(field)
 
     def can_access?(field, ctx)
       if field.metadata[:permit]
-        return false unless ctx[:current_user_roles]
+        return false unless ctx[:current_user_roles] && ctx[:current_application]
         !(ctx[:current_user_roles] & field.metadata[:permit]).empty?
       else
         field

diff --git a/app/graph/util/permission_blacklist.rb b/app/graph/util/permission_blacklist.rb
diff --git a/spec/requests/api/graphql/create_spec.rb b/spec/requests/api/graphql/create_spec.rb
@@ -37,6 +37,17 @@
       expect(body['errors'][0]['message']).to eq "Can't access createSubmission"
     end
 
+    it 'rejects requests without an app token' do
+      user_token = JWT.encode({ sub: 'userid', roles: 'user' }, Convection.config.jwt_secret)
+      post '/api/graphql', params: {
+        query: create_mutation
+      }, headers: { 'Authorization' => "Bearer #{user_token}" }
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['createSubmission']).to eq nil
+      expect(body['errors'][0]['message']).to eq "Can't access createSubmission"
+    end
+
     it 'rejects when missing artist_id' do
       post '/api/graphql', params: { query: create_mutation_no_artist_id }, headers: headers
       expect(response.status).to eq 200

diff --git a/spec/requests/api/graphql/query_spec.rb b/spec/requests/api/graphql/query_spec.rb
@@ -21,42 +21,6 @@
   end
 
   describe 'POST /graphql' do
-    it 'does not return the user_id if there is no user' do
-      introspection_query = <<-graphql
-        query {
-          __type(name: "Submission") {
-            name
-            fields {
-              name
-            }
-          }
-        }
-      graphql
-      post '/api/graphql', params: {
-        query: introspection_query
-      }
-      expect(JSON.parse(response.body)['data']['__type']['fields'].map { |f| f['name'] }).to_not include('user_id')
-      expect(response.status).to eq 200
-    end
-
-    it 'includes the user_id param if there is a user present' do
-      introspection_query = <<-graphql
-        query {
-          __type(name: "Submission") {
-            name
-            fields {
-              name
-            }
-          }
-        }
-      graphql
-      post '/api/graphql', params: {
-        query: introspection_query
-      }, headers: headers
-      expect(JSON.parse(response.body)['data']['__type']['fields'].map { |f| f['name'] }).to include('user_id')
-      expect(response.status).to eq 200
-    end
-
     it 'finds two existing submissions' do
       post '/api/graphql', params: {
         query: query_submissions

diff --git a/spec/requests/api/graphql/update_spec.rb b/spec/requests/api/graphql/update_spec.rb
@@ -3,7 +3,7 @@
 describe 'Update Submission With Graphql' do
   let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid', roles: 'user' }, Convection.config.jwt_secret) }
   let(:headers) { { 'Authorization' => "Bearer #{jwt_token}" } }
-  let(:submission) { Fabricate(:submission, artist_id: 'abbas-kiarostami', title: 'rain') }
+  let(:submission) { Fabricate(:submission, artist_id: 'abbas-kiarostami', title: 'rain', user_id: 'userid') }
 
   let(:update_mutation) do
     <<-graphql
@@ -39,6 +39,28 @@
       expect(body['errors'][0]['message']).to eq "Can't access updateSubmission"
     end
 
+    it 'rejects requests without and app token' do
+      user_token = JWT.encode({ sub: 'userid', roles: 'user' }, Convection.config.jwt_secret)
+      post '/api/graphql', params: {
+        query: update_mutation
+      }, headers: { 'Authorization' => "Bearer #{user_token}" }
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['updateSubmission']).to eq nil
+      expect(body['errors'][0]['message']).to eq "Can't access updateSubmission"
+    end
+
+    it 'rejects requests to update a submission that you do not own' do
+      another_token = JWT.encode({ aud: 'app', sub: 'userid2', roles: 'user' }, Convection.config.jwt_secret)
+      post '/api/graphql', params: {
+        query: update_mutation
+      }, headers: { 'Authorization' => "Bearer #{another_token}" }
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['updateSubmission']).to eq nil
+      expect(body['errors'][0]['message']).to eq 'Submission Not Found'
+    end
+
     it 'errors for unkown submission id' do
       post '/api/graphql', params: { query: update_mutation_random_id }, headers: headers
       expect(response.status).to eq 200