OauthApps restricted by default and add tests

3 years ago · 51257f5dd1
parent 52fd2eee0b
commit 51257f5dd1
2 changed files with 48 additions and 0 deletions
--- a/app/models/carto/oauth_app.rb
+++ b/app/models/carto/oauth_app.rb
@ -24,6 +24,7 @@ module Carto

    before_validation :ensure_keys_generated

+    before_create :restrict_app_to_organization_users, if: ->(app) { app.user.organization_user? }
    after_create :create_central, if: :sync_with_central?
    after_update :update_central, if: :sync_with_central?
    after_destroy :delete_central, if: :sync_with_central?
@ -88,6 +89,14 @@ module Carto
      errors.add(:redirect_uris, "must be valid")
    end

+    def restrict_app_to_organization_users
+      self.restricted = true
+      self.oauth_app_organizations.new(
+        organization: user.organization,
+        seats: user.organization.seats
+      )
+    end
+
    def create_central
      cartodb_central_client.create_oauth_app(user.username, sync_attributes)
    end
--- a/spec/models/carto/oauth_app_spec.rb
+++ b/spec/models/carto/oauth_app_spec.rb
@ -31,6 +31,45 @@ module Carto
        expect(app.errors[:icon_url]).to(include("must be a valid URL"))
      end

+      describe 'restriction' do
+        before(:all) do
+          @organization_owner = create(:carto_user)
+          @organization = create(:organization, :with_owner, owner: @organization_owner)
+          @organization_owner.reload
+        end
+
+        it 'restrict the access to the user\'s organization if it exists' do
+          app = OauthApp.new(user: @organization_owner,
+                             name: 'name',
+                             redirect_uris: ['https://re.dir'],
+                             website_url: 'http://localhost')
+          expect(app).to(be_valid)
+
+          app.save!
+
+          expect(app.restricted).to(be_true)
+          expect(app.oauth_app_organizations).not_to(be_empty)
+
+          oauth_app_organization = app.oauth_app_organizations.take
+
+          expect(oauth_app_organization.organization_id).to eq(@organization_owner.organization_id)
+          expect(oauth_app_organization.seats).to eq(@organization_owner.organization.seats)
+        end
+
+        it 'doesn\'t add restrictions if the user has no organization' do
+          app = OauthApp.new(user: @user,
+                             name: 'name',
+                             redirect_uris: ['https://re.dir'],
+                             website_url: 'http://localhost')
+          expect(app).to(be_valid)
+
+          app.save!
+
+          expect(app.restricted).to(be_false)
+          expect(app.oauth_app_organizations).to(be_empty)
+        end
+      end
+
      describe 'redirection uri' do
        it 'rejects if empty' do
          app = OauthApp.new