Add ability to revoke recorder tokens
parent
fd03554e2e
commit
e05fbd574f
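--- /dev/null
+++ b/[path not shown on page; defines ApiTokenPolicy]
@@ -0,0 +1,9 @@
+class ApiTokenPolicy < ApplicationPolicy
+
+  def destroy?
+    return false unless user
+
+    user.admin? || record.user == user
+  end
+
+end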
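Review bot: `destroy?` grants revocation to the owner or an admin but says nothing about a token that is already revoked; if the controller's destroy action stamps `revoked_at` (the column this commit adds), a repeat request on a revoked token would overwrite the original timestamp and lose the audit trail. Consider `return false if record.revoked_at` ahead of the ownership check, or have the model refuse to re-stamp. The controller is not on this page, so this is inferred from the migration and the feature spec.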
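--- /dev/null
+++ b/[path not shown on page; defines UserEditPagePresenter]
@@ -0,0 +1,27 @@
+class UserEditPagePresenter
+
+  attr_reader :user
+
+  def initialize(user)
+    @user = user
+  end
+
+  def active_tokens
+    sort(user.active_api_tokens)
+  end
+
+  def revoked_tokens
+    sort(user.revoked_api_tokens)
+  end
+
+  def show_tokens?
+    !active_tokens.empty? || !revoked_tokens.empty?
+  end
+
+  private
+
+  def sort(tokens)
+    tokens.sort_by { |token| token.created_at }.reverse
+  end
+
+end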
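Review bot: `show_tokens?` calls `active_tokens` and `revoked_tokens`, and the view that renders the lists presumably calls them again, so each association is loaded and sorted at least twice per render; memoizing them, e.g. `@active_tokens ||= sort(user.active_api_tokens)` and likewise for `revoked_tokens`, keeps it to one load each. The private helper is named `sort`, which reads like the core `sort` when called without a receiver; `newest_first` says what it does, and its body can be `tokens.sort_by(&:created_at).reverse`. `show_tokens?` can also read `active_tokens.any? || revoked_tokens.any?`.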
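--- /dev/null
+++ b/[path not shown on page; defines AddRevokedAtToApiTokens]
@@ -0,0 +1,5 @@
+class AddRevokedAtToApiTokens < ActiveRecord::Migration
+  def change
+    add_column :api_tokens, :revoked_at, :datetime
+  end
+end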
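Review bot: The column is added, but nothing on this page shows the ApiToken model or the path that authenticates the recorder being changed to reject a token whose `revoked_at` is set; revocation is only effective if the lookup used for uploads excludes revoked tokens (for instance a `where(revoked_at: nil)` scope), and the `active_api_tokens`/`revoked_api_tokens` associations the presenter relies on presumably live in that model. Those files may simply be outside this rendered page, but the feature spec only exercises the settings page, so a model or request spec asserting that a revoked token no longer authenticates would close the gap.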
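--- /dev/null
+++ b/[path not shown on page; feature spec Recorder tokens management]
@@ -0,0 +1,38 @@
+require 'rails_helper'
+
+feature "Recorder tokens management" do
+
+  let!(:user) { create(:user) }
+
+  scenario 'Listing tokens when user has none' do
+    login_as user
+    visit edit_user_path
+
+    expect(page).to have_content('asciinema auth')
+  end
+
+  scenario 'Listing tokens when user has some' do
+    api_token = create(:api_token, user: user)
+
+    login_as user
+    visit edit_user_path
+
+    expect(page).to have_content(api_token.token)
+    expect(page).to have_link('Revoke')
+    expect(page).to have_no_content('asciinema auth')
+  end
+
+  scenario 'Revoking a token' do
+    api_token = create(:api_token, user: user)
+
+    login_as user
+    visit edit_user_path
+
+    click_on "Revoke"
+
+    expect(page).to have_content(api_token.token)
+    expect(page).to have_no_link('Revoke')
+  end
+
+end
+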
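Review bot: The 'Revoking a token' scenario only checks the page after `click_on "Revoke"` and never asserts that the record changed, so a view that merely hides the link would pass. Add `expect(api_token.reload.revoked_at).to be_present` after the click, and ideally a scenario or request spec showing the revoked token is rejected when presented for authentication. The first scenario's `have_content('asciinema auth')` couples the test to the wording of help text; an element id on the empty-state block would be a more stable anchor.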
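--- /dev/null
+++ b/[path not shown on page; spec for ApiTokenPolicy]
@@ -0,0 +1,27 @@
+require 'rails_helper'
+
+describe ApiTokenPolicy do
+
+  subject { described_class }
+
+  permissions :destroy? do
+    it "denies access if user is nil" do
+      expect(subject).not_to permit(nil, ApiToken.new)
+    end
+
+    it "grants access if user is admin" do
+      user = stub_model(User, admin?: true)
+      expect(subject).to permit(user, ApiToken.new)
+    end
+
+    it "grants access if user is the owner of the token" do
+      user = stub_model(User, admin?: false)
+      expect(subject).to permit(user, ApiToken.new(user: user))
+    end
+
+    it "denies access if user isn't the owner of the token" do
+      expect(subject).not_to permit(User.new, ApiToken.new(user: User.new))
+    end
+  end
+
+end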
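Review bot: The "denies access if user isn't the owner" example relies on two unsaved `User.new` instances comparing unequal; ActiveRecord's `==` falls back to object identity for records without an id, so it holds today, but the example would quietly stop testing the intended case if the policy ever compared ids instead of records. Two distinct persisted users pin the intent, e.g. `expect(subject).not_to permit(create(:user), ApiToken.new(user: create(:user)))`. The "grants access if user is admin" example also never confirms the admin is not the owner, so it cannot distinguish the two branches of `destroy?`; giving the token a different user there would.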