require an active pseudonym (in the applicable account) for API requests

test plan: * issue an access_token * delete the user's pseudonym(s) * the access token should no longer work Change-Id: Ib4ecee6b3713827dd997e06481ddae1175042a9b Reviewed-on: https://gerrit.instructure.com/7637 Reviewed-by: Brian Palmer <brianp@instructure.com> Tested-by: Cody Cutrer <cody@instructure.com>
2011-12-21 11:59:05 -07:00 · 2011-12-21 11:59:05 -07:00 · 0b15b31cff
parent 95235f3e2c
commit 0b15b31cff
6 changed files with 21 additions and 4 deletions
--- a/lib/authentication_methods.rb
+++ b/lib/authentication_methods.rb
@ -58,8 +58,8 @@ module AuthenticationMethods
        return false
      end
      @current_user = @access_token.user
-      @current_pseudonym = @current_user.pseudonym
-      unless @current_user
+      @current_pseudonym = @current_user.find_pseudonym_for_account(@domain_root_account)
+      unless @current_user && @current_pseudonym
        render :json => {:errors => "Invalid access token"}, :status => :bad_request
        return false
      end
--- a/spec/apis/api_spec_helper.rb
+++ b/spec/apis/api_spec_helper.rb
@ -70,6 +70,7 @@ def raw_api_call(method, path, params, body_params = {}, headers = {}, opts = {}
      token = @user.access_tokens.first
      token ||= @user.access_tokens.create!(:purpose => 'test')
      params[:access_token] = token.token
+      @user.pseudonyms.create!(:unique_id => "#{@user.id}@example.com", :account => opts[:domain_root_account]) unless @user.pseudonym(true)
    end

    LoadAccount.stubs(:default_domain_root_account).returns(opts[:domain_root_account]) if opts.has_key?(:domain_root_account)
--- a/spec/apis/v1/account_authorization_configs_api_spec.rb
+++ b/spec/apis/v1/account_authorization_configs_api_spec.rb
@ -20,8 +20,8 @@ require File.expand_path(File.dirname(__FILE__) + '/../api_spec_helper')

 describe "AccountAuthorizationConfigs API", :type => :integration do
  before do
-    user_with_pseudonym(:active_all => true)
    @account = account_model(:name => 'root')
+    user_with_pseudonym(:active_all => true, :account => @account)
    @account.add_user(@user)
  end

--- a/spec/apis/v1/accounts_api_spec.rb
+++ b/spec/apis/v1/accounts_api_spec.rb
@ -20,6 +20,7 @@ require File.expand_path(File.dirname(__FILE__) + '/../api_spec_helper')

 describe "Accounts API", :type => :integration do
  before do
+    Pseudonym.any_instance.stubs(:works_for_account?).returns(true)
    user_with_pseudonym(:active_all => true)
    @a1 = account_model(:name => 'root')
    @a1.add_user(@user)
--- a/spec/apis/v1/general_auth_spec.rb
+++ b/spec/apis/v1/general_auth_spec.rb
@ -27,6 +27,7 @@ describe CoursesController, :type => :integration do
  end
  
  it "should accept access_token" do
+    @user.pseudonyms.create!(:unique_id => 'test@example.com')
    @token = @user.access_tokens.create!(:purpose => "test")

    @token.last_used_at.should be_nil
@ -42,6 +43,7 @@ describe CoursesController, :type => :integration do
  end
  
  it "should not accept an invalid access_token" do
+    @user.pseudonyms.create!(:unique_id => 'test@example.com')
    @token = @user.access_tokens.create!(:purpose => "test")

    raw_api_call(:get, "/api/v1/courses/#{@course2.id}/students.json?access_token=1234",
@ -52,6 +54,7 @@ describe CoursesController, :type => :integration do
  end
  
  it "should not accept an expired access_token" do
+    @user.pseudonyms.create!(:unique_id => 'test@example.com')
    @token = @user.access_tokens.create!(:purpose => "test", :expires_at => 2.weeks.ago)

    raw_api_call(:get, "/api/v1/courses/#{@course2.id}/students.json?access_token=#{@token.token}",
@ -61,6 +64,18 @@ describe CoursesController, :type => :integration do
    json['errors'].should == "Invalid access token"
  end

+  it "should require an active pseudonym" do
+    @token = @user.access_tokens.create!(:purpose => "test")
+
+    @token.last_used_at.should be_nil
+
+    raw_api_call(:get, "/api/v1/courses/#{@course2.id}/students.json?access_token=#{@token.token}",
+            { :access_token => @token.token, :controller => 'courses', :action => 'students', :course_id => @course2.id.to_s, :format => 'json' })
+    response.status.to_i.should == 400
+    json = JSON.parse(response.body)
+    json['errors'].should == "Invalid access token"
+  end
+
  it "should allow as_user_id" do
    account_admin_user(:account => Account.site_admin)
    user_with_pseudonym(:user => @user)
--- a/spec/apis/v1/sis_imports_api_spec.rb
+++ b/spec/apis/v1/sis_imports_api_spec.rb
@ -20,7 +20,7 @@ require File.expand_path(File.dirname(__FILE__) + '/../api_spec_helper')

 describe SisImportsApiController, :type => :integration do
  before do
-    @user = user :active_all => true
+    @user = user_with_pseudonym :active_all => true
    user_session @user
    @account = Account.default
    @account.allow_sis_import = true