Allow anonymous access to Users API but exclude details

Summary: - Restore allowed_methods to post and layers API - Use CRUD privs not REST methods for for allowed* response - Allow read access to all users, but strip most details in formatter Test Plan: - bin/behat - Check API responses in browser console - allow_privileges should now get returned for posts - Should see read/create/update/delete, instead of REST verbs - Access users api with client creds should see only username and realname Reviewers: vladimir, aMoniker Reviewed By: aMoniker Differential Revision: https://phabricator.ushahidi.com/D666
ushahidi · Feb 19, 2015 · 14682cc · 14682cc
1 parent 5c8be4b
commit 14682cc
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 8 deletions.
diff --git a/application/classes/Ushahidi/Core.php b/application/classes/Ushahidi/Core.php
@@ -187,8 +187,10 @@ public static function init()
 			'form',
 			'form_attribute',
 			'form_group',
+			'layer',
 			'media',
 			'message',
+			'post',
 			'tag',
 			'user',
 			'set',

diff --git a/application/classes/Ushahidi/Formatter/Layer.php b/application/classes/Ushahidi/Formatter/Layer.php
@@ -9,8 +9,12 @@
  * @license    https://www.gnu.org/licenses/agpl-3.0.html GNU Affero General Public License Version 3 (AGPL3)
  */
 
+use Ushahidi\Core\Traits\FormatterAuthorizerMetadata;
+
 class Ushahidi_Formatter_Layer extends Ushahidi_Formatter_API
 {
+	use FormatterAuthorizerMetadata;
+
 	protected function get_field_name($field)
 	{
 		$remap = [

diff --git a/application/classes/Ushahidi/Formatter/Media.php b/application/classes/Ushahidi/Formatter/Media.php
@@ -34,7 +34,7 @@ protected function add_metadata(Array $data, Entity $media)
 			'thumbnail_height'   => $thumbnail_height,
 
 			// Add the allowed HTTP methods
-			'allowed_methods' => $this->getAllowedMethods($media),
+			'allowed_methods' => $this->getAllowedPrivs($media),
 		];
 	}
 

diff --git a/application/classes/Ushahidi/Formatter/Post.php b/application/classes/Ushahidi/Formatter/Post.php
@@ -10,9 +10,12 @@
  */
 
 use Ushahidi\Core\Tool\Formatter;
+use Ushahidi\Core\Traits\FormatterAuthorizerMetadata;
 
 class Ushahidi_Formatter_Post extends Ushahidi_Formatter_API
 {
+	use FormatterAuthorizerMetadata;
+
 	protected function get_field_name($field)
 	{
 		$remap = [

diff --git a/application/classes/Ushahidi/Formatter/User.php b/application/classes/Ushahidi/Formatter/User.php
@@ -17,7 +17,7 @@ class Ushahidi_Formatter_User extends Ushahidi_Formatter_API
 {
 	use FormatterAuthorizerMetadata;
 
-	public function __invoke($user) 
+	public function __invoke($user)
 	{ // prefer doing it here untill we implement parent method for filtering results - mixing and matching with metadata is just plain ugly
 		$data = parent::__invoke($user);
 
@@ -26,6 +26,12 @@ public function __invoke($user)
 			unset($data['password']);
 		}
 
+		if (!in_array('read_full', $data['allowed_privileges']))
+		{
+			// Remove sensitive fields
+			$data = array_intersect_key($data, array_fill_keys(['id', 'url', 'username', 'realname', 'allowed_privileges'], TRUE));
+		}
+
 		return $data;
 	}
 }
diff --git a/application/tests/features/api.users.feature b/application/tests/features/api.users.feature
@@ -109,6 +109,48 @@ Feature: Testing the Users API
 		Then the response is JSON
 		And the response has a "id" property
 		And the type of the "id" property is "numeric"
+		And the "username" property equals "robbie"
+		Then the guzzle status code should be 200
+
+	Scenario: Finding a User as admin gives full details
+		Given that I want to find a "User"
+		And that its "id" is "3"
+		And that the request "Authorization" header is "Bearer defaulttoken"
+		When I request "/users"
+		Then the response is JSON
+		And the response has a "id" property
+		And the type of the "id" property is "numeric"
+		And the "username" property equals "test"
+		And the "email" property equals "[email protected]"
+		Then the guzzle status code should be 200
+
+	Scenario: Loading own user gives full details
+		Given that I want to find a "User"
+		And that its "id" is "me"
+		And that the request "Authorization" header is "Bearer testbasicuser"
+		When I request "/users"
+		Then the response is JSON
+		And the response has a "id" property
+		And the type of the "id" property is "numeric"
+		And the "username" property equals "robbie"
+		And the "email" property equals "[email protected]"
+		Then the guzzle status code should be 200
+
+	Scenario: Finding a User as anonymous user gives partial details
+		Given that I want to find a "User"
+		And that its "id" is "1"
+		And that the request "Authorization" header is "Bearer testanon"
+		When I request "/users"
+		Then the response is JSON
+		And the response has a "id" property
+		And the type of the "id" property is "numeric"
+		And the response has a "realname" property
+		And the response has a "username" property
+		And the response does not have a "email" property
+		And the response does not have a "logins" property
+		And the response does not have a "failed_attempts" property
+		And the response does not have a "last_login" property
+		And the response does not have a "last_attempt" property
 		Then the guzzle status code should be 200
 
 	Scenario: Finding a non-existent user

diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -30,6 +30,16 @@ class UserAuthorizer implements Authorizer
 	// It uses `PrivAccess` to provide the `getAllowedPrivs` method.
 	use PrivAccess;
 
+	/**
+	 * Get a list of all possible privilges.
+	 * By default, returns standard HTTP REST methods.
+	 * @return Array
+	 */
+	protected function getAllPrivs()
+	{
+		return ['read', 'create', 'update', 'delete', 'read_full'];
+	}
+
 	/* Authorizer */
 	public function isAllowed(Entity $entity, $privilege)
 	{
@@ -51,8 +61,13 @@ public function isAllowed(Entity $entity, $privilege)
 			return false;
 		}
 
-		// Regular user should be able to update and read only self
-		if ($this->isUserSelf($entity) && in_array($privilege, ['read', 'update'])) {
+		// Regular user should be able to update and read_full only self
+		if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full'])) {
+			return true;
+		}
+
+		// Regular user can always read
+		if ($privilege === 'read') {
 			return true;
 		}
 

diff --git a/src/Core/Traits/FormatterAuthorizerMetadata.php b/src/Core/Traits/FormatterAuthorizerMetadata.php
@@ -3,7 +3,7 @@
 /**
  * Ushahidi Formatter + Authorizer Trait
  *
- * Injects "allowed_methods" into formatted data using an Authorizer.
+ * Injects "allowed_privileges" into formatted data using an Authorizer.
  *
  * @author     Ushahidi Team <[email protected]>
  * @package    Ushahidi\Platform
@@ -26,7 +26,7 @@ public function setAuth(Authorizer $auth)
 		return $this;
 	}
 
-	protected function getAllowedMethods(Entity $entity)
+	protected function getAllowedPrivs(Entity $entity)
 	{
 		if (!$this->auth) {
 			throw new \LogicException('Authorizer must be defined by calling setAuth');
@@ -39,7 +39,7 @@ protected function getAllowedMethods(Entity $entity)
 	protected function add_metadata(Array $data, Entity $entity)
 	{
 		return $data + [
-			'allowed_methods' => $this->getAllowedMethods($entity),
+			'allowed_privileges' => $this->getAllowedPrivs($entity),
 		];
 	}
 }
diff --git a/src/Core/Traits/PrivAccess.php b/src/Core/Traits/PrivAccess.php
@@ -24,7 +24,7 @@ trait PrivAccess
 	 */
 	protected function getAllPrivs()
 	{
-		return ['get', 'post', 'put', 'delete'];
+		return ['read', 'create', 'update', 'delete'];
 	}
 
 	// Authorizer