[ARVADOS] created: 7ba3707abe8370a7ba7dd373be1fd7e2dbebedd7

git at public.curoverse.com git at public.curoverse.com
Thu Nov 6 11:59:03 EST 2014


        at  7ba3707abe8370a7ba7dd373be1fd7e2dbebedd7 (commit)


commit 7ba3707abe8370a7ba7dd373be1fd7e2dbebedd7
Author: Brett Smith <brett at curoverse.com>
Date:   Thu Nov 6 11:59:00 2014 -0500

    4408: Workbench Collection sharing allows file downloads again.
    
    Earlier we refactored our API token loading code to load User.current
    to check that it was valid.  This approach doesn't work when we're
    presenting shared Collections, because the token usually won't be
    scoped to get user information.  Skip the check for this specific
    case.

diff --git a/apps/workbench/app/controllers/application_controller.rb b/apps/workbench/app/controllers/application_controller.rb
index 27e388b..0737c31 100644
--- a/apps/workbench/app/controllers/application_controller.rb
+++ b/apps/workbench/app/controllers/application_controller.rb
@@ -399,12 +399,17 @@ class ApplicationController < ActionController::Base
     false  # For convenience to return from callbacks
   end
 
-  def using_specific_api_token(api_token)
+  def using_specific_api_token(api_token, opts={})
     start_values = {}
     [:arvados_api_token, :user].each do |key|
       start_values[key] = Thread.current[key]
     end
-    load_api_token(api_token)
+    if opts.fetch(:load_user, true)
+      load_api_token(api_token)
+    else
+      Thread.current[:arvados_api_token] = api_token
+      Thread.current[:user] = nil
+    end
     begin
       yield
     ensure
diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index e869824..5ddf93c 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -1,3 +1,5 @@
+require "arvados/keep"
+
 class CollectionsController < ApplicationController
   include ActionController::Live
 
@@ -298,7 +300,9 @@ class CollectionsController < ApplicationController
     most_specific_error = [401]
     token_list.each do |api_token|
       begin
-        using_specific_api_token(api_token) do
+        # We can't load the corresponding user, because the token may not
+        # be scoped for that.
+        using_specific_api_token(api_token, load_user: false) do
           yield
           return api_token
         end
diff --git a/apps/workbench/test/functional/collections_controller_test.rb b/apps/workbench/test/functional/collections_controller_test.rb
index e621010..6c64ac9 100644
--- a/apps/workbench/test/functional/collections_controller_test.rb
+++ b/apps/workbench/test/functional/collections_controller_test.rb
@@ -86,14 +86,26 @@ class CollectionsControllerTest < ActionController::TestCase
 
   test "viewing collection files with a reader token" do
     params = collection_params(:foo_file)
-    params[:reader_token] =
-      api_fixture('api_client_authorizations')['active']['api_token']
+    params[:reader_token] = api_fixture("api_client_authorizations",
+                                        "active_all_collections", "api_token")
     get(:show_file_links, params)
     assert_response :success
     assert_equal([['.', 'foo', 3]], assigns(:object).files)
     assert_no_session
   end
 
+  test "fetching collection file with reader token" do
+    expected = stub_file_content
+    params = collection_params(:foo_file, "foo")
+    params[:reader_token] = api_fixture("api_client_authorizations",
+                                        "active_all_collections", "api_token")
+    get(:show_file, params)
+    assert_response :success
+    assert_equal(expected, @response.body,
+                 "failed to fetch a Collection file with a reader token")
+    assert_no_session
+  end
+
   test "reader token Collection links end with trailing slash" do
     # Testing the fix for #2937.
     session = session_for(:active_trustedclient)
diff --git a/apps/workbench/test/integration/collections_test.rb b/apps/workbench/test/integration/collections_test.rb
index 3abbf6f..e2c5d84 100644
--- a/apps/workbench/test/integration/collections_test.rb
+++ b/apps/workbench/test/integration/collections_test.rb
@@ -35,6 +35,8 @@ class CollectionsTest < ActionDispatch::IntegrationTest
   end
 
   test "can download an entire collection with a reader token" do
+    CollectionsController.any_instance.
+      stubs(:file_enumerator).returns(["foo\n", "file\n"])
     uuid = api_fixture('collections')['foo_file']['uuid']
     token = api_fixture('api_client_authorizations')['active_all_collections']['api_token']
     url_head = "/collections/download/#{uuid}/#{token}/"
@@ -43,9 +45,8 @@ class CollectionsTest < ActionDispatch::IntegrationTest
     # a very blunt approach.
     assert_no_match(/<\s*meta[^>]+\bnofollow\b/i, page.html,
                     "wget prohibited from recursing the collection page")
-    # TODO: When we can test against a Keep server, actually follow links
-    # and check their contents, rather than testing the href directly
-    # (this is too closely tied to implementation details).
+    # Look at all the links that wget would recurse through using our
+    # recommended options, and check that it's exactly the file list.
     hrefs = page.all('a').map do |anchor|
       link = anchor[:href] || ''
       if link.start_with? url_head
@@ -58,6 +59,10 @@ class CollectionsTest < ActionDispatch::IntegrationTest
     end
     assert_equal(['foo'], hrefs.compact.sort,
                  "download page did provide strictly file links")
+    within "#collection_files" do
+      click_link "foo"
+      assert_equal("foo\nfile\n", page.html)
+    end
   end
 
   test "can view empty collection" do

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list