Commit 29c4126

DRY up 'read' scope auth in v2 API controllers
Move the "read" scope authorization check to a shared `before_action` in `BaseApiController`
- Removes redundant checks from individual actions in `PlansController` and `TemplatesController`
- Allows for the safe removal of `@scopes` from `base_response_content`
1 parent 22b9401 commit 29c4126

3 files changed

Lines changed: 5 additions & 7 deletions

app/controllers/api/v2/base_api_controller.rb

Lines changed: 5 additions & 1 deletion
@@ -13,6 +13,7 @@ class BaseApiController < ApplicationController # rubocop:todo Style/Documentati
1313

1414
before_action :log_access
1515

16+
before_action :require_read_scope, except: %i[heartbeat me]
1617
# controller can respond to json format requests
1718
respond_to :json
1819

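Review bot: the new `before_action :require_read_scope` is declared directly after `log_access`, and the filter that resolves `doorkeeper_token` (e.g. `doorkeeper_authorize!`) is not in this hunk; confirm it is declared earlier in `BaseApiController`, because Rails runs `before_action` callbacks in declaration order and `require_read_scope` dereferences `doorkeeper_token` unguarded. The `except: %i[heartbeat me]` denylist is the safe default for actions added later, but it also means `me` skips the read-scope check; confirm that is intended and mention it in the commit message.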
@@ -43,7 +44,6 @@ def base_response_content
4344
@application = ApplicationService.application_name
4445
@client = doorkeeper_token&.application
4546
@caller = @client&.name || request.remote_ip
46-
@scopes = doorkeeper_token.scopes.to_a if doorkeeper_token
4747
return unless doorkeeper_token&.resource_owner_id
4848

4949
@resource_owner = User.find(doorkeeper_token.resource_owner_id)
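Review bot: dropping `@scopes` here is only safe if nothing else reads it; this commit touches two controllers and no views, so please grep `app/views` (the JSON templates rendered by these actions) and the remaining `Api::V2` controllers for `@scopes` before merging, since a leftover reference would now raise `NoMethodError` on `nil` at request time instead of failing visibly in review.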
@@ -95,6 +95,10 @@ def paginate_response(results:)
9595
@total_items = results.total_count
9696
results
9797
end
98+
99+
def require_read_scope
100+
raise Pundit::NotAuthorizedError unless doorkeeper_token.scopes.include?('read')
101+
end
98102
end
99103
end
100104
end
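Review bot: `require_read_scope` calls `doorkeeper_token.scopes` with no nil guard, while `base_response_content` above uses `doorkeeper_token&.` consistently, so a request without a valid token that reaches this filter raises `NoMethodError` (500) rather than `Pundit::NotAuthorizedError`. Either guard it, `raise Pundit::NotAuthorizedError unless doorkeeper_token&.scopes&.include?('read')`, or use Doorkeeper's own `doorkeeper_authorize! :read`, which enforces the scope and renders the standard unauthorized/forbidden response. Also confirm the method sits under `private` (any `private` keyword is outside this hunk) so it cannot be reached as an action.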

app/controllers/api/v2/plans_controller.rb

Lines changed: 0 additions & 4 deletions
@@ -8,8 +8,6 @@ class PlansController < BaseApiController # rubocop:todo Style/Documentation
88

99
# GET /api/v2/plans/:id
1010
def show
11-
raise Pundit::NotAuthorizedError unless @scopes.include?('read')
12-
1311
@plan = Plan.includes(roles: :user).find_by(id: params[:id])
1412

1513
raise Pundit::NotAuthorizedError unless @plan.present?
@@ -23,8 +21,6 @@ def show
2321

2422
# GET /api/v2/plans
2523
def index
26-
raise Pundit::NotAuthorizedError unless @scopes.include?('read')
27-
2824
@plans = PlansPolicy::Scope.new(@resource_owner).resolve
2925
@plans = @plans.includes(answers: { question: :section }) if @complete
3026
@items = paginate_response(results: @plans)

app/controllers/api/v2/templates_controller.rb

Lines changed: 0 additions & 2 deletions
@@ -8,8 +8,6 @@ class TemplatesController < BaseApiController
88

99
# GET /api/v2/templates
1010
def index
11-
raise Pundit::NotAuthorizedError unless @scopes.include?('read')
12-
1311
templates = Api::V2::TemplatesPolicy::Scope.new(@resource_owner).resolve
1412
@items = paginate_response(results: templates)
1513
render '/api/v2/templates/index', status: :ok