[ARVADOS] created: 1.1.0-164-gb305489

Git user git at public.curoverse.com
Wed Nov 22 17:54:25 EST 2017


        at  b30548921f19177256890ad58b90dbf66d8407ef (commit)


commit b30548921f19177256890ad58b90dbf66d8407ef
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Wed Nov 22 17:49:08 2017 -0500

    12627: Ensure current_user relates to the token that permits scope.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 9826cf2..ba0efa7 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty?
+    if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
       if require_login != false
         send_error("Forbidden", status: 403)
       end
diff --git a/services/api/test/integration/api_client_authorizations_scopes_test.rb b/services/api/test/integration/api_client_authorizations_scopes_test.rb
index dba8019..dfb5749 100644
--- a/services/api/test/integration/api_client_authorizations_scopes_test.rb
+++ b/services/api/test/integration/api_client_authorizations_scopes_test.rb
@@ -27,6 +27,20 @@ class ApiTokensScopeTest < ActionDispatch::IntegrationTest
     assert_response 403
   end
 
+  test "narrow + wide scoped tokens for different users" do
+    get_args = [{
+                  reader_tokens: [api_client_authorizations(:anonymous).api_token]
+                }, auth(:active_userlist)]
+    get(v1_url('users'), *get_args)
+    assert_response :success
+    get(v1_url('users', ''), *get_args)  # Add trailing slash.
+    assert_response :success
+    get(v1_url('users', 'current'), *get_args)
+    assert_response 403
+    get(v1_url('virtual_machines'), *get_args)
+    assert_response 403
+   end
+
   test "specimens token can see exactly owned specimens" do
     get_args = [{}, auth(:active_specimens)]
     get(v1_url('specimens'), *get_args)
diff --git a/services/api/test/integration/reader_tokens_test.rb b/services/api/test/integration/reader_tokens_test.rb
index dd59f74..60b06a9 100644
--- a/services/api/test/integration/reader_tokens_test.rb
+++ b/services/api/test/integration/reader_tokens_test.rb
@@ -50,22 +50,15 @@ class ReaderTokensTest < ActionDispatch::IntegrationTest
 
   [nil, :active_noscope].each do |main_auth|
     [:spectator, :spectator_specimens].each do |read_auth|
-      test "#{main_auth} auth with reader token #{read_auth} can read" do
-        assert_includes(get_specimen_uuids(main_auth, read_auth),
-                        spectator_specimen, "did not find spectator specimen")
-      end
-
-      test "#{main_auth} auth with JSON read token #{read_auth} can read" do
-        assert_includes(get_specimen_uuids(main_auth, read_auth, :to_json),
-                        spectator_specimen, "did not find spectator specimen")
-      end
-
-      test "#{main_auth} auth with reader token #{read_auth} can't write" do
-        assert_post_denied(main_auth, read_auth)
-      end
+      [:to_a, :to_json].each do |formatter|
+        test "#{main_auth.inspect} auth with #{formatter} reader token #{read_auth} can't read" do
+          get_specimens(main_auth, read_auth)
+          assert_response(if main_auth then 403 else 302 end)
+        end
 
-      test "#{main_auth} auth with JSON read token #{read_auth} can't write" do
-        assert_post_denied(main_auth, read_auth, :to_json)
+        test "#{main_auth.inspect} auth with #{formatter} reader token #{read_auth} can't write" do
+          assert_post_denied(main_auth, read_auth, formatter)
+        end
       end
     end
   end

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list