Added permissions and an internal API layer

- It introduces the `permissions` object to the namespace entity. - Some fields will now be returned only to the web application, but not to external clients. Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
SUSE · Sep 21, 2017 · 185f18e · 185f18e
1 parent cb88ebb
commit 185f18e
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 32 deletions.
diff --git a/app/helpers/namespaces_helper.rb b/app/helpers/namespaces_helper.rb
@@ -13,10 +13,6 @@ def can_change_visibility?(namespace)
                             APP_CONFIG.enabled?("user_permission.change_visibility"))
   end
 
-  def can_view_webhooks?(namespace)
-    current_user.admin? || namespace.team.users.include?(current_user)
-  end
-
   def owner?(namespace)
     namespace.team.owners.exists?(current_user.id)
   end

diff --git a/app/models/namespace.rb b/app/models/namespace.rb
@@ -27,8 +27,8 @@ class Namespace < ActiveRecord::Base
     attributes :name, :description
   end
 
-  scope :special_for, -> (user) {
-    where("global = ? OR namespaces.name = ?", true, user.username)
+  scope :special_for, lambda { |user|
+    where("global = ? OR namespaces.id = ?", true, user.namespace_id)
   }
 
   # This regexp is extracted from the reference package of Docker Distribution

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
@@ -95,15 +95,11 @@ class Namespaces < Grape::Entity
       expose :repositories_count, documentation: {
         type: Integer,
         desc: "The number of repositories that belong to this namespace"
-      } { |n| n.repositories.count }
+      }, if: { type: :internal } { |n| n.repositories.count }
       expose :webhooks_count, documentation: {
         type: Integer,
         desc: "The number of webooks that belong to this namespace"
-      } { |n| n.webhooks.count }
-      expose :registry_id, documentation: {
-        type: Integer,
-        desc: "The ID of the registry containing this namespace"
-      }
+      }, if: { type: :internal } { |n| n.webhooks.count }
       expose :visibility, documentation: {
         type: String,
         desc: "The visibility of namespaces by other people"
@@ -114,6 +110,19 @@ class Namespaces < Grape::Entity
         type: "Boolean",
         desc: "Whether this is the global namespace or not"
       }
+      expose :permissions, documentation: {
+        desc: "Different permissions for the current user"
+      }, if: { type: :internal } do |namespace, options|
+        user = options[:current_user]
+        # TODO: taken from NamespacesHelper. Avoid duplication! (e.g. owner?)
+        {
+          webhooks:   user.admin? ||
+            namespace.team.users.include?(user),
+          visibility: user.admin? ||
+            (namespace.team.owners.exists?(user.id) &&
+              APP_CONFIG.enabled?("user_permission.change_visibility"))
+        }
+      end
     end
   end
 end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
@@ -15,29 +15,57 @@ module Helpers
     # The `force_admin` option should be used when the endpoints affected by
     # this should only apply to Portus administrators (e.g. user management).
     def authorization!(force_admin: true)
-      return if current_user
       return if request.request_method == "OPTIONS"
-      @user = authenticate_user_from_authentication_token!
+
+      current_user
+
       error!("Authentication fails.", 401) unless @user
       raise Pundit::NotAuthorizedError if force_admin && !@user.admin
     end
 
-    # Helper method to make Pundit happy. It will return the `@user` instance
-    # variable set by the `authorization!` method or the current user as stored
-    # by Devise.
-    def current_user
-      return @user if @user
-
+    # Authenticate from the warden session if possible.
+    def authenticate_from_warden
       warden = env["warden"]
       return unless warden
 
-      @user = env["warden"].authenticate(scope: "user")
+      env["warden"].authenticate(scope: "user")
+    end
+
+    # Helper method to make Pundit happy. It will set a `@user` instance
+    # variable with either the current user as stored by Devise or the one taken
+    # from the authentication token.
+    def current_user
+      @user = authenticate_from_warden
+      if @user
+        @type = :internal
+      else
+        @type = :official
+        @user = authenticate_user_from_authentication_token!
+      end
       @user
     end
 
     # TODO: really ?
     def user_session
       current_user && warden.session(:user)
     end
+
+    # Returns the current type of API presentation. The two options available
+    # are: :official and :internal. The :internal type is the same as the
+    # official one, but with some extensions that come in handy for the client
+    # side.
+    def current_type
+      @type
+    end
+
+    # Helpers for namespaces
+    module Namespaces
+      # Returns an aggregate of the accessible namespaces for the current user.
+      def accessible_namespaces
+        special = Namespace.special_for(current_user).order(created_at: :asc)
+        normal  = policy_scope(Namespace).order(created_at: :asc)
+        special + normal
+      end
+    end
   end
 end
diff --git a/lib/api/v1/namespaces.rb b/lib/api/v1/namespaces.rb
@@ -8,13 +8,7 @@ class Namespaces < Grape::API
           authorization!(force_admin: false)
         end
 
-        helpers do
-          def accessible_namespaces
-            special = Namespace.special_for(current_user).order(created_at: :asc)
-            normal  = policy_scope(Namespace).order(created_at: :asc)
-            special + normal
-          end
-        end
+        helpers ::API::Helpers::Namespaces
 
         desc "Returns a list of namespaces.",
           tags:     ["namespaces"],
@@ -27,7 +21,10 @@ def accessible_namespaces
           ]
 
         get do
-          present accessible_namespaces, with: API::Entities::Namespaces
+          present accessible_namespaces,
+                  with:         API::Entities::Namespaces,
+                  current_user: current_user,
+                  type:         current_type
         end
 
         route_param :id, type: String, requirements: { id: /.*/ } do
@@ -45,7 +42,9 @@ def accessible_namespaces
             get do
               namespace = Namespace.find params[:id]
               authorize namespace, :show?
-              present namespace.repositories, with: API::Entities::Repositories
+              present namespace.repositories,
+                      with: API::Entities::Repositories,
+                      type: current_type
             end
           end
 
@@ -64,7 +63,10 @@ def accessible_namespaces
           get do
             namespace = Namespace.find(params[:id])
             authorize namespace, :show?
-            present namespace, with: API::Entities::Namespaces
+            present namespace,
+                    with:         API::Entities::Namespaces,
+                    current_user: current_user,
+                    type:         current_type
           end
         end
       end

diff --git a/lib/api/v1/teams.rb b/lib/api/v1/teams.rb
@@ -37,7 +37,7 @@ class Teams < Grape::API
             get do
               team = Team.find params[:id]
               authorize team, :show?
-              present team.namespaces, with: API::Entities::Namespaces
+              present team.namespaces, with: API::Entities::Namespaces, type: current_type
             end
           end