[ARVADOS] created: 80abb8a0e679f4dd1a7ac00cd629f854af160de5

git at public.curoverse.com git at public.curoverse.com
Mon Aug 3 17:32:11 EDT 2015


        at  80abb8a0e679f4dd1a7ac00cd629f854af160de5 (commit)


commit 80abb8a0e679f4dd1a7ac00cd629f854af160de5
Merge: b3a2502 15c86f8
Author: radhika <radhika at curoverse.com>
Date:   Mon Aug 3 17:31:53 2015 -0400

    Merge branch 'master' into 6476-actions-show-not-need-token


commit b3a25028eaf04bf77e1f0665968527a9084a84dc
Author: radhika <radhika at curoverse.com>
Date:   Mon Aug 3 17:31:17 2015 -0400

    6476: skip require_thread_api_token filter when anonymous browsing is enabled and one of the supported types is being accessed.

diff --git a/apps/workbench/app/controllers/actions_controller.rb b/apps/workbench/app/controllers/actions_controller.rb
index cbe7e37..926cdef 100644
--- a/apps/workbench/app/controllers/actions_controller.rb
+++ b/apps/workbench/app/controllers/actions_controller.rb
@@ -2,6 +2,16 @@ require "arvados/collection"
 
 class ActionsController < ApplicationController
 
+  skip_around_filter :require_thread_api_token, if: proc { |ctrl|
+    Rails.configuration.anonymous_user_token and
+    'show' == ctrl.action_name and
+    params['uuid'] and
+    (model_class == Collection or
+     model_class == Group or
+     model_class == Job or
+     model_class == PipelineInstance or
+     model_class == PipelineTemplate)
+  }
   skip_filter :require_thread_api_token, only: [:report_issue_popup, :report_issue]
   skip_filter :check_user_agreements, only: [:report_issue_popup, :report_issue]
 
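Review bot: The first clause of the `if:` proc, `Rails.configuration.anonymous_user_token and`, is true for any value other than nil or false, including an empty string, so a blank setting would still skip `require_thread_api_token` for `show`; `Rails.configuration.anonymous_user_token.present? and` would tie the skip to a usable token. The condition looks only at the action, the presence of `params['uuid']` and the class derived from it, not at whether the object is public, so refusal for non-public objects presumably comes from the later lookup made with the anonymous token. A comment above the filter such as `# Only relaxes the login requirement; non-public objects must still be refused by the lookup done with the anonymous token` would make that dependency explicit. `params` and `model_class` are called bare while `action_name` goes through `ctrl`; using `ctrl.` for all three would read more consistently.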
@@ -21,6 +31,8 @@ class ActionsController < ApplicationController
         @object.link_class == 'name' and
         ArvadosBase::resource_class_for_uuid(@object.head_uuid) == Collection
       redirect_to collection_path(id: @object.uuid)
+    elsif @object.is_a?(Group) and @object.group_class == 'project'
+      redirect_to project_path(id: @object.uuid)
     elsif @object
       redirect_to @object
     else
diff --git a/apps/workbench/test/controllers/actions_controller_test.rb b/apps/workbench/test/controllers/actions_controller_test.rb
index 26ef67b..9f561aa 100644
--- a/apps/workbench/test/controllers/actions_controller_test.rb
+++ b/apps/workbench/test/controllers/actions_controller_test.rb
@@ -160,4 +160,43 @@ class ActionsControllerTest < ActionController::TestCase
     assert_includes(manifest_text, 'foo')
     assert_includes(manifest_text, 'foo(1)')
   end
+
+  [
+    ['collections', 'user_agreement_in_anonymously_accessible_project'],
+    ['groups', 'anonymously_accessible_project'],
+    ['jobs', 'running_job_in_publicly_accessible_project'],
+    ['pipeline_instances', 'pipeline_in_publicly_accessible_project'],
+    ['pipeline_templates', 'pipeline_template_in_publicly_accessible_project'],
+  ].each do |dm, fixture|
+    test "access show method for public #{dm} and expect to see page" do
+      Rails.configuration.anonymous_user_token = api_fixture('api_client_authorizations')['anonymous']['api_token']
+      get(:show, {uuid: api_fixture(dm)[fixture]['uuid']})
+      assert_response :redirect
+      if dm == 'groups'
+        assert_includes @response.redirect_url, "projects/#{fixture['uuid']}"
+      else
+        assert_includes @response.redirect_url, "#{dm}/#{fixture['uuid']}"
+      end
+    end
+  end
+
+  [
+    ['collections', 'foo_collection_in_aproject', 404],
+    ['groups', 'subproject_in_asubproject_with_same_name_as_one_in_active_user_home', 404],
+    ['jobs', 'job_with_latest_version', 404],
+    ['pipeline_instances', 'pipeline_owned_by_active_in_home', 404],
+    ['pipeline_templates', 'template_in_asubproject_with_same_name_as_one_in_active_user_home', 404],
+    ['traits', 'owned_by_aproject_with_no_name', :redirect],
+  ].each do |dm, fixture, expected|
+    test "access show method for non-public #{dm} and expect #{expected}" do
+      Rails.configuration.anonymous_user_token = api_fixture('api_client_authorizations')['anonymous']['api_token']
+      get(:show, {uuid: api_fixture(dm)[fixture]['uuid']})
+      assert_response expected
+      if expected == 404
+        assert_includes @response.inspect, 'Log in'
+      else
+        assert_match /\/users\/welcome/, @response.redirect_url
+      end
+    end
+  end
 end
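Review bot: In the first test loop, `fixture` is the fixture name (a String), so `fixture['uuid']` is a substring lookup that returns nil, and the assertions only check that the redirect URL contains `projects/` or `#{dm}/` rather than the UUID of the requested object. Capture the value once with `uuid = api_fixture(dm)[fixture]['uuid']`, pass it to `get(:show, {uuid: uuid})`, and assert on `"projects/#{uuid}"` and `"#{dm}/#{uuid}"`. Both loops also assign `Rails.configuration.anonymous_user_token` without restoring it; unless a teardown outside this hunk resets it, the setting may leak into later tests. The enclosing `ActionsControllerTest` class starts outside the hunk.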

-----------------------------------------------------------------------


hooks/post-receive
-- 



