From e1a2ee2381fdcc9b6353d5b5ffcc4f9e3a8ffda2 Mon Sep 17 00:00:00 2001
From: Eneko Lakasta
Date: Thu, 8 Feb 2018 13:07:25 +0100
Subject: [PATCH] control API access grants

---
 lib/cartodb/api/auth_api.js | 9 +++++++++
 test/acceptance/auth/authorization.js | 29 ++++++++++++++++++++++++++-
 test/support/prepare_db.sh | 11 ++++++++++
 test/support/test_helper.js | 3 ++-
 4 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/lib/cartodb/api/auth_api.js b/lib/cartodb/api/auth_api.js
index 3f92c6d9..ca4c2724 100644
--- a/lib/cartodb/api/auth_api.js
+++ b/lib/cartodb/api/auth_api.js
@@ -81,6 +81,15 @@ AuthApi.prototype.authorizedByAPIKey = function(user, req, callback) {
 return callback(error);
 }
+ if (!apikey.grantsMaps) {
+ const error = new Error('Forbidden');
+ error.type = 'auth';
+ error.subtype = 'api-key-does-not-grant-access';
+ error.http_status = 403;
+
+ return callback(error);
+ }
+
 return callback(null, true);
 });
 };
diff --git a/test/acceptance/auth/authorization.js b/test/acceptance/auth/authorization.js
index e5f493b4..7904d424 100644
--- a/test/acceptance/auth/authorization.js
+++ b/test/acceptance/auth/authorization.js
@@ -44,7 +44,7 @@ describe('authorization', function() {
 };
 const testClient = new TestClient(mapConfig); //no apikey provided, using default
- testClient.getLayergroup({response: {status:403}}, function (err, layergroupResult) {
+ testClient.getLayergroup({ response: { status: 403 } }, function (err, layergroupResult) {
 //TODO 401
 assert.ifError(err);
 assert.ok(layergroupResult.hasOwnProperty('errors'));
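Review bot: The new check `if (!apikey.grantsMaps)` fails closed when the flag is absent or undefined, which is the right default for an authorization gate, but nothing in the code records that this is intentional; a comment such as `// fail closed: a key without an explicit Maps grant must not authorize Maps API requests` would keep a later "fix" from treating a missing flag as permission. The branch also assumes `apikey` is a non-null object by the time it runs; whether the preceding lookup guarantees that is not visible in this hunk, so a null key would surface as a thrown TypeError rather than a 403 — worth confirming against the lookup code. The error object built here repeats the same type/subtype/http_status shape as the error returned just above it, so a small helper that constructs auth errors would keep the two branches consistent. The body of authorizedByAPIKey begins outside the hunk.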
@@ -54,4 +54,31 @@ describe('authorization', function() {
 testClient.drain(done);
 });
 });
+
+ it('should forbide access to API if API key does not grant access', function (done) {
+ const apikeyToken = 'regular2';
+ const mapConfig = {
+ version: '1.7.0',
+ layers: [
+ {
+ options: {
+ sql: 'select * FROM test_table_localhost_regular1',
+ cartocss: TestClient.CARTOCSS.POINTS,
+ cartocss_version: '2.3.0'
+ }
+ }
+ ]
+ };
+ const testClient = new TestClient(mapConfig, apikeyToken);
+
+ testClient.getLayergroup({ response: { status: 403 } }, function (err, layergroupResult) {
+ assert.ifError(err);
+
+ assert.ok(layergroupResult.hasOwnProperty('errors'));
+ assert.equal(layergroupResult.errors.length, 1);
+ assert.ok(layergroupResult.errors[0].match(/Forbidden/), layergroupResult.errors[0]);
+
+ testClient.drain(done);
+ });
+ });
 });
diff --git a/test/support/prepare_db.sh b/test/support/prepare_db.sh
index b2ac8688..f4e3388f 100755
--- a/test/support/prepare_db.sh
+++ b/test/support/prepare_db.sh
@@ -171,6 +171,17 @@ cat <
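Review bot: The new test cannot distinguish the grants-based 403 from the "no apikey provided" 403 exercised by the test just above it, because it only matches `/Forbidden/` on the error text; if the error subtype is surfaced in the response, asserting on `api-key-does-not-grant-access` (the subtype set in auth_api.js in this same commit) would pin the new branch specifically, and if it is not surfaced that is worth noting in the test. The title has a typo: `it('should forbid access to API if API key does not grant access', function (done) {`. The test depends on an API key fixture 'regular2' that exists but lacks the Maps grant; the diffstat suggests test/support/prepare_db.sh provides it, but that hunk is cut off here, so a one-line comment naming the fixture's expected state, e.g. `// 'regular2' is provisioned in prepare_db.sh without the Maps grant`, would make the coupling explicit.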