dont show hardware_info to unauthorized users

fablabbcn · Jan 31, 2024 · dc88b37 · dc88b37
1 parent 8196c95
commit dc88b37
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 28 deletions.
diff --git a/app/controllers/v0/devices_controller.rb b/app/controllers/v0/devices_controller.rb
@@ -76,34 +76,15 @@ def destroy
 
     # debug method, must be refactored
     def fresh_world_map
-      @devices = Device.where.not(latitude: nil).where.not(data: nil).includes(:owner,:tags).map do |device|
-        {
-          id: device.id,
-          name: device.name,
-          description: (device.description.present? ? device.description : nil),
-          owner_id: device.owner_id,
-          owner_username: device.owner_id ? device.owner_username : nil,
-          latitude: device.latitude,
-          longitude: device.longitude,
-          city: device.city,
-          country_code: device.country_code,
-          is_private: device.is_private,
-          state: device.state,
-          system_tags: device.system_tags,
-          user_tags: device.user_tags,
-          updated_at: device.updated_at,
-          last_reading_at: (device.last_reading_at.present? ? device.last_reading_at : nil)
-        }
-      end
-      render json: @devices
+      render json: Device.for_world_map(current_user&.is_admin?)
     end
 
     def world_map
       unless params[:cachebuster]
         expires_in 30.seconds, public: true # CRON cURL every 60 seconds to cache
       end
 
-      render json: Device.for_world_map
+      render json: Device.for_world_map(current_user&.is_admin?)
     end
 
 private

diff --git a/app/models/device.rb b/app/models/device.rb
@@ -225,7 +225,7 @@ def self.geocode_all_without_location
     end
   end
 
-  def self.for_world_map
+  def self.for_world_map(authorized=false)
     Rails.cache.fetch("world_map", expires_in: 10.seconds) do
       where
         .not(latitude: nil)
@@ -242,7 +242,7 @@ def self.for_world_map
           latitude: device.latitude,
           longitude: device.longitude,
           city: device.city,
-          hardware: device.hardware,
+          hardware: device.hardware(authorized),
           country_code: device.country_code,
           state: device.state,
           system_tags: device.system_tags,
@@ -264,14 +264,14 @@ def update_component_timestamps(timestamp, sensor_ids)
     end
   end
 
-  def hardware
+  def hardware(authorized=false)
     {
       name: hardware_name,
       type: hardware_type,
       description: hardware_description,
       version: hardware_version,
       slug: hardware_slug,
-      info: hardware_info,
+      info: authorized ? hardware_info : "[FILTERED]",
     }
   end
 

diff --git a/app/views/v0/devices/_device.jbuilder b/app/views/v0/devices/_device.jbuilder
@@ -15,19 +15,22 @@ json.(
   :notify_low_battery,
   :notify_stopped_publishing,
   :last_reading_at,
-  :hardware,
   :created_at,
   :updated_at
 )
 
-if current_user and (current_user.is_admin? or (device.owner_id and current_user.id == device.owner_id))
+authorized = current_user && (current_user.is_admin? || (device.owner_id && current_user.id == device.owner_id))
+
+if authorized
   json.merge! mac_address: device.mac_address
   json.merge! device_token: device.device_token
 else
   json.merge! mac_address: '[FILTERED]'
   json.merge! device_token: '[FILTERED]'
 end
 
+json.merge!(hardware: device.hardware(authorized))
+
 if with_owner && device.owner
   json.owner do
     json.id device.owner.id

diff --git a/spec/requests/v0/devices_spec.rb b/spec/requests/v0/devices_spec.rb
@@ -24,7 +24,7 @@
       expect(json.length).to eq(2)
       # expect(json[0]['name']).to eq(first.name)
       # expect(json[1]['name']).to eq(second.name)
-      expect(json[0].keys).to eq(%w(id uuid name description state postprocessing system_tags user_tags is_private notify_low_battery notify_stopped_publishing last_reading_at hardware created_at updated_at mac_address device_token owner data))
+      expect(json[0].keys).to eq(%w(id uuid name description state postprocessing system_tags user_tags is_private notify_low_battery notify_stopped_publishing last_reading_at created_at updated_at mac_address device_token hardware owner data))
     end
 
     describe "when not logged in" do
@@ -39,6 +39,13 @@
         expect(j.count).to eq(1)
         expect(j[0]['id']).to eq(device.id)
       end
+
+      it "does not show hardware_info" do
+        first = create(:device)
+        second = create(:device)
+        json = api_get 'devices'
+        expect(json[0]['hardware']['info']).to eq("[FILTERED]")
+      end
     end
 
     describe "when logged in as a normal user" do
@@ -53,6 +60,13 @@
         expect(j.count).to eq(2)
         expect(j[0]['id']).to be_in([device1.id, device2.id])
       end
+
+      it "does not show hardware_info" do
+        first = create(:device)
+        second = create(:device)
+        json = api_get 'devices', { access_token: token.token }
+        expect(json[0]['hardware']['info']).to eq("[FILTERED]")
+      end
     end
 
     describe "when logged in as an admin" do
@@ -67,6 +81,13 @@
         expect(j.count).to eq(3)
         expect(j[0]['id']).to be_in([device1.id, device2.id, device3.id])
       end
+
+      it "shows hardware_info" do
+        first = create(:device)
+        second = create(:device)
+        json = api_get 'devices', { access_token: admin_token.token}
+        expect(json[0]['hardware']['info']).not_to eq('[FILTERED]')
+      end
     end
 
     describe "world map" do