Merge commit from fork

* Fix domain blocks/rationales being visible to unapproved/unconfirmed users

* Fix domain blocks/rationales being visible to suspended users

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Allow moved users to view domain blocks

* Add authorization specs for `/api/v1/instance/domain_blocks`

* Fix tests

* Fix incorrect test setup

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Jeremy Kescher 2025-02-27 15:49:57 +01:00 committed by GitHub
commit 6b519cfefa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 94 additions and 9 deletions


@ -31,7 +31,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
end end
def show_domain_blocks_to_user? def show_domain_blocks_to_user?
Setting.show_domain_blocks == 'users' && user_signed_in? Setting.show_domain_blocks == 'users' && user_signed_in? && current_user.functional_or_moved?
end end
def set_domain_blocks def set_domain_blocks
@ -47,6 +47,6 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
end end
def show_rationale_for_user? def show_rationale_for_user?
Setting.show_domain_blocks_rationale == 'users' && user_signed_in? Setting.show_domain_blocks_rationale == 'users' && user_signed_in? && current_user.functional_or_moved?
end end
end end
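Review bot: The guard `user_signed_in? && current_user.functional_or_moved?` is now written twice, once in `show_domain_blocks_to_user?` and again in `show_rationale_for_user?`, so the two visibility checks can drift apart the next time the eligibility rule changes; extracting it into one private predicate, `def eligible_user_signed_in?` / `user_signed_in? && current_user.functional_or_moved?` / `end`, and calling it from both keeps the list and its rationales gated by the same rule. A one-line comment on that helper saying that moved accounts are deliberately included (the commit message "Allow moved users to view domain blocks" makes this a design choice) would stop a later reader from "tightening" it to `functional?`. Which account states `functional_or_moved?` excludes is not visible in this hunk, so the spec's expectations are the only evidence that it matches the intended set. The enclosing class starts outside the hunk.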


@ -4,9 +4,10 @@ require 'rails_helper'
RSpec.describe 'Domain Blocks' do RSpec.describe 'Domain Blocks' do
describe 'GET /api/v1/instance/domain_blocks' do describe 'GET /api/v1/instance/domain_blocks' do
before do let(:user) { Fabricate(:user) }
Fabricate(:domain_block) let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id).token }
end
before { Fabricate(:domain_block) }
context 'with domain blocks set to all' do context 'with domain blocks set to all' do
before { Setting.show_domain_blocks = 'all' } before { Setting.show_domain_blocks = 'all' }
@ -30,11 +31,95 @@ RSpec.describe 'Domain Blocks' do
context 'with domain blocks set to users' do context 'with domain blocks set to users' do
before { Setting.show_domain_blocks = 'users' } before { Setting.show_domain_blocks = 'users' }
it 'returns http not found' do context 'without authentication token' do
get api_v1_instance_domain_blocks_path it 'returns http not found' do
get api_v1_instance_domain_blocks_path
expect(response) expect(response)
.to have_http_status(404) .to have_http_status(404)
end
end
context 'with authentication token' do
context 'with unapproved user' do
before { user.update(approved: false) }
it 'returns http not found' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(404)
end
end
context 'with unconfirmed user' do
before { user.update(confirmed_at: nil) }
it 'returns http not found' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(404)
end
end
context 'with disabled user' do
before { user.update(disabled: true) }
it 'returns http not found' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(404)
end
end
context 'with suspended user' do
before { user.account.update(suspended_at: Time.zone.now) }
it 'returns http not found' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(403)
end
end
context 'with moved user' do
before { user.account.update(moved_to_account_id: Fabricate(:account).id) }
it 'returns http success' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(200)
expect(response.content_type)
.to start_with('application/json')
expect(response.parsed_body)
.to be_present
.and(be_an(Array))
.and(have_attributes(size: 1))
end
end
context 'with normal user' do
it 'returns http success' do
get api_v1_instance_domain_blocks_path, headers: { 'Authorization' => "Bearer #{token}" }
expect(response)
.to have_http_status(200)
expect(response.content_type)
.to start_with('application/json')
expect(response.parsed_body)
.to be_present
.and(be_an(Array))
.and(have_attributes(size: 1))
end
end
end end
end end
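Review bot: The 'with suspended user' context asserts 403 while every other ineligible-user context asserts 404, and nothing in the spec says why; if `functional_or_moved?` is false for suspended accounts too, the 403 presumably comes from an earlier authentication layer rejecting the token before the visibility check runs, and a comment above that example such as `# suspended accounts are rejected before the visibility check, hence 403 rather than 404` would record that for the next reader. The `headers: { 'Authorization' => "Bearer #{token}" }` literal is repeated in six examples; a `let(:headers) { { 'Authorization' => "Bearer #{token}" } }` next to `let(:token)` and `get api_v1_instance_domain_blocks_path, headers: headers` keeps them in sync. The controller change also guards `show_rationale_for_user?`, but no example in this hunk sets `Setting.show_domain_blocks_rationale = 'users'` for an ineligible user; if that case is not covered elsewhere in the file, it deserves a context of its own. The describe block starts outside the hunk.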