-
+
<%= t('.auth_type') %>
-
+
<%= t('.organization_perm') %>
+
+
+
+
+
+
<%= t('.user_perm') %>
+
+
+
+
-
+
<%= t('.rails_perm') %>
-
+
+
+ <%= form.submit t(".update_permissions"), class: "button button__sm md:button__lg button__primary" %>
+
+<% end %>
<% end %>
\ No newline at end of file
diff --git a/config/locales/decidim_rest_full.en.yml b/config/locales/decidim_rest_full.en.yml
index 8ab1392..c58123c 100644
--- a/config/locales/decidim_rest_full.en.yml
+++ b/config/locales/decidim_rest_full.en.yml
@@ -12,6 +12,22 @@ en:
scope_meetings: "Meeting: manage meeting components"
scope_debates: "Debate: manage debate components"
scope_pages: "Page: manage page components"
+ permission:
+ oauth:
+ impersonate: "impersonate: Login as another user"
+ login: "login: login with username/password"
+ system:
+ organizations:
+ read: "read: List and detail of organizations"
+ update: "update: Update an organization"
+ destroy: "destroy: Remove definitly an organization"
+ users:
+ read: "read: List and detail of users"
+ update: "update: Update a user"
+ destroy: "destroy: Remove definitly a user"
+ server:
+ restart: "restart: Soft restart the server"
+ exec: "exec: Execute jobs"
admin:
menu:
api_clients: "API Clients"
@@ -38,7 +54,9 @@ en:
client_secret: "Client Secret"
auth_type: "Auth Type"
organization_perm: "Organization"
+ user_perm: "User"
rails_perm: "Ruby on Rails"
+ update_permissions: "Update permissions"
show:
go_back: "Back to the list"
create:
diff --git a/config/routes.rb b/config/routes.rb
index 805ca51..86fca3a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,6 +6,7 @@
authenticate(:admin) do
namespace "system" do
resources :api_clients, controller: "/decidim/rest_full/system/api_clients"
+ resources :api_permissions, only: [:create], controller: "/decidim/rest_full/system/permissions"
end
end
diff --git a/db/migrate/20241125061513_create_api_client_permissions.rb b/db/migrate/20241125061513_create_api_client_permissions.rb
new file mode 100644
index 0000000..e123a30
--- /dev/null
+++ b/db/migrate/20241125061513_create_api_client_permissions.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateApiClientPermissions < ActiveRecord::Migration[6.1]
+ def change
+ create_table :decidim_rest_full_api_client_permissions do |t|
+ t.references :api_client, null: false, foreign_key: { to_table: "oauth_applications" }
+ t.string :permission, null: false
+ t.timestamps
+ end
+ add_index :decidim_rest_full_api_client_permissions, [:api_client_id, :permission], unique: true, name: "index_decidim_restfull_permissions"
+ end
+end
diff --git a/decidim-rest_full.gemspec b/decidim-rest_full.gemspec
index e0b0a17..9787d6c 100644
--- a/decidim-rest_full.gemspec
+++ b/decidim-rest_full.gemspec
@@ -25,13 +25,13 @@ Gem::Specification.new do |s|
s.require_paths = ["lib"]
s.add_dependency "api-pagination", "~> 6.0"
+ s.add_dependency "cancancan"
s.add_dependency "decidim-admin", Decidim::RestFull.decidim_version
s.add_dependency "decidim-comments", Decidim::RestFull.decidim_version
s.add_dependency "decidim-core", Decidim::RestFull.decidim_version
s.add_dependency "doorkeeper"
s.add_dependency "jsonapi-serializer"
s.add_dependency "rswag-api"
- s.add_dependency "rswag-ui"
s.metadata["rubygems_mfa_required"] = "true"
end
diff --git a/lib/decidim/rest_full.rb b/lib/decidim/rest_full.rb
index 0f57c1b..07347f7 100644
--- a/lib/decidim/rest_full.rb
+++ b/lib/decidim/rest_full.rb
@@ -2,7 +2,7 @@
require "rails"
require "active_support/all"
-
+require "cancan"
require "rswag/api"
require "jsonapi/serializer"
require "api-pagination"
diff --git a/lib/decidim/rest_full/api_exception.rb b/lib/decidim/rest_full/api_exception.rb
index 8bd9922..bb5d3dd 100644
--- a/lib/decidim/rest_full/api_exception.rb
+++ b/lib/decidim/rest_full/api_exception.rb
@@ -20,7 +20,7 @@ module ApiException
# Parsing Errors
"ActionDispatch::Http::Parameters::ParseError" => { status: 400, message: "Malformed JSON request" },
-
+ "CanCan::AccessDenied" => { status: 401, message: "Unauthorized access" },
# Generic Application-Level Errors
"BadRequest" => { status: 400, message: "Bad request" },
"Unauthorized" => { status: 401, message: "Unauthorized access" },
diff --git a/lib/decidim/rest_full/engine.rb b/lib/decidim/rest_full/engine.rb
index d149032..7257193 100644
--- a/lib/decidim/rest_full/engine.rb
+++ b/lib/decidim/rest_full/engine.rb
@@ -32,13 +32,14 @@ class Engine < ::Rails::Engine
api_client = Decidim::RestFull::ApiClient.find_by(
uid: client_id,
-
organization: current_organization
)
raise ::Doorkeeper::Errors::DoorkeeperError, "Invalid Api Client, check credentials" unless api_client
+ ability = Decidim::RestFull::Ability.new(api_client)
case auth_type
when "impersonate"
+ ability.authorize! :impersonate, Decidim::RestFull::ApiClient
username = params.require("username")
user = Decidim::User.find_by(
nickname: username,
@@ -110,6 +111,7 @@ class Engine < ::Rails::Engine
end
user
when "login"
+ ability.authorize! :login, Decidim::RestFull::ApiClient
user = Decidim::User.find_by(
nickname: params.require("username"),
organization: current_organization
diff --git a/spec/decidim/rest_full/oauth/token_client_credential_spec.rb b/spec/decidim/rest_full/oauth/token_client_credential_spec.rb
index edf9333..2946d74 100644
--- a/spec/decidim/rest_full/oauth/token_client_credential_spec.rb
+++ b/spec/decidim/rest_full/oauth/token_client_credential_spec.rb
@@ -6,6 +6,13 @@
let!(:organization) { create(:organization) }
let!(:user) { create(:user, organization: organization, password: "decidim123456789!", password_confirmation: "decidim123456789!") }
let!(:api_client) { create(:api_client, organization: organization) }
+ let!(:permissions) do
+ api_client.permissions = [
+ api_client.permissions.build(permission: "oauth.impersonate"),
+ api_client.permissions.build(permission: "oauth.login")
+ ]
+ api_client.save!
+ end
before do
host! api_client.organization.host
diff --git a/spec/decidim/rest_full/oauth/token_ropc_spec.rb b/spec/decidim/rest_full/oauth/token_ropc_spec.rb
index 9d09949..8a67cb2 100644
--- a/spec/decidim/rest_full/oauth/token_ropc_spec.rb
+++ b/spec/decidim/rest_full/oauth/token_ropc_spec.rb
@@ -14,7 +14,15 @@ def uniq_nickname
RSpec.describe "Decidim::Api::RestFull::System::ApplicationController", type: :request do
let!(:organization) { create(:organization) }
let!(:user) { create(:user, organization: organization, password: "decidim123456789!", password_confirmation: "decidim123456789!") }
- let!(:api_client) { create(:api_client, organization: organization) }
+ let!(:api_client) do
+ api_client = create(:api_client, organization: organization)
+ api_client.permissions = [
+ api_client.permissions.build(permission: "oauth.impersonate"),
+ api_client.permissions.build(permission: "oauth.login")
+ ]
+ api_client.save!
+ api_client.reload
+ end
before do
host! organization.host
@@ -177,7 +185,14 @@ def uniq_nickname
end
context "with auth_type=login" do
- let(:proposal_api_client) { create(:api_client, organization: organization, scopes: "proposals public") }
+ let(:proposal_api_client) do
+ api_client = create(:api_client, organization: organization, scopes: "proposals public")
+ api_client.permissions = [
+ api_client.permissions.build(permission: "oauth.login")
+ ]
+ api_client.save!
+ api_client
+ end
let(:body) do
{
diff --git a/spec/decidim/rest_full/public/spaces_index_spec.rb b/spec/decidim/rest_full/public/spaces_index_spec.rb
index ee5ac76..59202ed 100644
--- a/spec/decidim/rest_full/public/spaces_index_spec.rb
+++ b/spec/decidim/rest_full/public/spaces_index_spec.rb
@@ -23,6 +23,7 @@
let!(:organization) { create(:organization) }
let!(:api_client) { create(:api_client, organization: organization) }
let!(:impersonation_token) { create(:oauth_access_token, scopes: "public", resource_owner_id: nil, application: api_client) }
+
let(:Authorization) { "Bearer #{impersonation_token.token}" }
let!(:assembly) { create(:assembly, id: 6, organization: organization, title: { en: "My assembly for testing purpose", fr: "c'est une assemblée" }) }
diff --git a/spec/decidim/rest_full/system/organization_index_spec.rb b/spec/decidim/rest_full/system/organization_index_spec.rb
index 697f8f2..72418e2 100644
--- a/spec/decidim/rest_full/system/organization_index_spec.rb
+++ b/spec/decidim/rest_full/system/organization_index_spec.rb
@@ -7,20 +7,36 @@
tags "System"
produces "application/json"
security [{ credentialFlowBearer: ["system"] }]
- parameter name: "populate[]", in: :query, style: :form, explode: true, schema: Api::Definitions::POPULATE_PARAM.call(Decidim::Api::RestFull::OrganizationSerializer), required: false
+
parameter name: "locales[]", in: :query, style: :form, explode: true, schema: Api::Definitions::LOCALES_PARAM, required: false
parameter name: :page, in: :query, type: :integer, description: "Page number for pagination", required: false
parameter name: :per_page, in: :query, type: :integer, description: "Number of items per page", required: false
+ let(:organization) { create(:organization) }
+ let(:api_client) do
+ api_client = create(:api_client, organization: organization, scopes: "system")
+ api_client.permissions = [
+ api_client.permissions.build(permission: "oauth.impersonate"),
+ api_client.permissions.build(permission: "oauth.login"),
+ api_client.permissions.build(permission: "system.organizations.read")
+ ]
+ api_client.save!
+ api_client
+ end
+ let!(:user) { create(:user) }
+ let!(:impersonation_token) { create(:oauth_access_token, scopes: "system", resource_owner_id: user.id, application: api_client) }
- let(:Authorization) { "Bearer #{create(:oauth_access_token, scopes: "system").token}" }
+ let(:Authorization) { "Bearer #{impersonation_token.token}" }
+
+ before do
+ create(:rest_full_permission, api_client: api_client, permission: "system.organization.read")
+ end
response "200", "Organizations listed" do
consumes "application/json"
produces "application/json"
schema "$ref" => "#/components/schemas/organizations_response"
- context "with populate[] and locale[] filter displayed fields and translated results" do
- let(:"populate[]") { Decidim::Api::RestFull::OrganizationSerializer.db_fields }
+ context "with locale[] filter translated results" do
let(:"locales[]") { %w(en fr) }
let(:page) { 1 }
let(:per_page) { 10 }
@@ -49,14 +65,6 @@
consumes "application/json"
produces "application/json"
schema "$ref" => "#/components/schemas/api_error"
- context "with invalid populate[] fields" do
- let(:"populate[]") { ["invalid_field"] }
-
- run_test!(example_name: :bad_format) do |example|
- message = JSON.parse(example.body)["detail"]
- expect(message).to start_with("Not allowed populate param: invalid_field")
- end
- end
context "with invalid locales[] fields" do
let(:"locales[]") { ["invalid_locale"] }
diff --git a/spec/decidim/rest_full/system/users_spec.rb b/spec/decidim/rest_full/system/users_spec.rb
index eb03517..641c152 100644
--- a/spec/decidim/rest_full/system/users_spec.rb
+++ b/spec/decidim/rest_full/system/users_spec.rb
@@ -16,7 +16,16 @@
let!(:organization) { create(:organization) }
let(:Authorization) { "Bearer #{impersonation_token.token}" }
- let!(:api_client) { create(:api_client, organization: organization) }
+ let(:api_client) do
+ api_client = create(:api_client, organization: organization, scopes: "system")
+ api_client.permissions = [
+ api_client.permissions.build(permission: "oauth.impersonate"),
+ api_client.permissions.build(permission: "oauth.login"),
+ api_client.permissions.build(permission: "system.users.read")
+ ]
+ api_client.save!
+ api_client
+ end
let!(:impersonation_token) { create(:oauth_access_token, scopes: "system", resource_owner_id: nil, application: api_client) }
before do
diff --git a/spec/decidim/rest_full/test/factories/api_client.rb b/spec/decidim/rest_full/test/factories/api_client.rb
index 00c4983..72f8ace 100644
--- a/spec/decidim/rest_full/test/factories/api_client.rb
+++ b/spec/decidim/rest_full/test/factories/api_client.rb
@@ -2,10 +2,16 @@
# spec/factories/oauth_applications.rb
FactoryBot.define do
+ factory :rest_full_permission, class: "Decidim::RestFull::Permission" do
+ api_client { create(:api_client) }
+ permission { "dummy" }
+ end
+
factory :api_client, class: "Decidim::RestFull::ApiClient" do
name { Faker::App.name } # Generate a random app name
redirect_uri { Faker::Internet.url } # Generate a random URL
scopes { "public" }
- organization { create(:organization) }
+ association :organization, factory: :organization
+ permissions { [] }
end
end