added nil authorization and 404 json return for a bunch of endpoints …

…in generic files controller and intellectual objects controller
APTrust · Sep 19, 2019 · 016d68a · 016d68a
1 parent e957237
commit 016d68a
Show file tree

Hide file tree

Showing 2 changed files with 172 additions and 125 deletions.
diff --git a/app/controllers/generic_files_controller.rb b/app/controllers/generic_files_controller.rb
@@ -51,7 +51,7 @@ def show
     else
       authorize current_user, :nil_file?
       respond_to do |format|
-        format.json { render json: { status: 'error', message: 'This file could not be found. Please check to make sure the identifier was properly escaped.' }, status: :not_found }
+        format.json { render json: { status: 'error', message: 'This file could not be found. Please check to make sure the identifier was properly escaped.', url: request.original_url }, status: 404 }
         format.html { redirect_to root_url, alert: "A Generic File with identifier: #{params[:generic_file_identifier]} was not found. Please check to make sure the identifier was properly escaped." }
       end
     end
@@ -106,40 +106,56 @@ def update
     # nested params cause new events to be created,
     # and it would require too much logic to determine which
     # events should not be duplicated.
-    authorize @generic_file
-    @generic_file.state = 'A'
-    if resource.update(single_generic_file_params)
-      render json: object_as_json, status: :ok
+    if @generic_file
+      authorize @generic_file
+      @generic_file.state = 'A'
+      if resource.update(single_generic_file_params)
+        render json: object_as_json, status: :ok
+      else
+        log_model_error(resource)
+        render json: resource.errors, status: :unprocessable_entity
+      end
     else
-      log_model_error(resource)
-      render json: resource.errors, status: :unprocessable_entity
+      authorize current_user, :nil_file?
+      respond_to do |format|
+        format.json { render json: { status: 'error', message: 'This file could not be found. Please check to make sure the identifier was properly escaped.', url: request.original_url }, status: 404 }
+        format.html { redirect_to root_url, alert: "A Generic File with identifier: #{params[:generic_file_identifier]} was not found. Please check to make sure the identifier was properly escaped." }
+      end
     end
   end
 
   def destroy
-    authorize @generic_file, :soft_delete?
-    # Don't allow a delete request if an ingest or restore is in process
-    # for this object. OK to delete if another delete request is in process.
-    result = WorkItem.can_delete_file?(@generic_file.intellectual_object.identifier, @generic_file.identifier)
-    if @generic_file.state == 'D'
-      redirect_to @generic_file
-      flash[:alert] = 'This file has already been deleted.'
-    elsif result == 'true'
-      log = Email.log_deletion_request(@generic_file)
-      ConfirmationToken.where(generic_file_id: @generic_file.id).delete_all #delete any old tokens. Only the new one should be valid
-      token = ConfirmationToken.create(generic_file: @generic_file, token: SecureRandom.hex)
-      token.save!
-      NotificationMailer.deletion_request(@generic_file, current_user, log, token).deliver!
-      respond_to do |format|
-        format.json { head :no_content }
-        format.html {
-          redirect_to @generic_file
-          flash[:notice] = 'An email has been sent to the administrators of this institution to confirm deletion of this file.'
-        }
+    if @generic_file
+      authorize @generic_file, :soft_delete?
+      # Don't allow a delete request if an ingest or restore is in process
+      # for this object. OK to delete if another delete request is in process.
+      result = WorkItem.can_delete_file?(@generic_file.intellectual_object.identifier, @generic_file.identifier)
+      if @generic_file.state == 'D'
+        redirect_to @generic_file
+        flash[:alert] = 'This file has already been deleted.'
+      elsif result == 'true'
+        log = Email.log_deletion_request(@generic_file)
+        ConfirmationToken.where(generic_file_id: @generic_file.id).delete_all #delete any old tokens. Only the new one should be valid
+        token = ConfirmationToken.create(generic_file: @generic_file, token: SecureRandom.hex)
+        token.save!
+        NotificationMailer.deletion_request(@generic_file, current_user, log, token).deliver!
+        respond_to do |format|
+          format.json { head :no_content }
+          format.html {
+            redirect_to @generic_file
+            flash[:notice] = 'An email has been sent to the administrators of this institution to confirm deletion of this file.'
+          }
+        end
+      else
+        redirect_to @generic_file
+        flash[:alert] = "Your file cannot be deleted at this time due to a pending #{result} request."
       end
     else
-      redirect_to @generic_file
-      flash[:alert] = "Your file cannot be deleted at this time due to a pending #{result} request."
+      authorize current_user, :nil_file?
+      respond_to do |format|
+        format.json { render json: { status: 'error', message: 'This file could not be found. Please check to make sure the identifier was properly escaped.', url: request.original_url }, status: 404 }
+        format.html { redirect_to root_url, alert: "A Generic File with identifier: #{params[:generic_file_identifier]} was not found. Please check to make sure the identifier was properly escaped." }
+      end
     end
   end
 
@@ -194,37 +210,44 @@ def finished_destroy
     end
   end
 
-
   def restore
-    authorize @generic_file, :restore?
-    message = ""
-    api_status_code = :ok
-    restore_item = nil
-    pending = WorkItem.pending_action_for_file(@generic_file.identifier)
-    if @generic_file.state == 'D'
-      api_status_code = :conflict
-      message = 'This file has been deleted and cannot be queued for restoration.'
-    elsif pending.nil?
-      restore_item = WorkItem.create_restore_request_for_file(@generic_file, current_user.email)
-      message = 'Your file has been queued for restoration.'
+    if @generic_file
+      authorize @generic_file, :restore?
+      message = ""
+      api_status_code = :ok
+      restore_item = nil
+      pending = WorkItem.pending_action_for_file(@generic_file.identifier)
+      if @generic_file.state == 'D'
+        api_status_code = :conflict
+        message = 'This file has been deleted and cannot be queued for restoration.'
+      elsif pending.nil?
+        restore_item = WorkItem.create_restore_request_for_file(@generic_file, current_user.email)
+        message = 'Your file has been queued for restoration.'
+      else
+        api_status_code = :conflict
+        message = "Your file cannot be queued for restoration at this time due to a pending #{pending.action} request."
+      end
+      respond_to do |format|
+        status = restore_item.nil? ? 'error' : 'ok'
+        item_id = restore_item.nil? ? 0 : restore_item.id
+        format.json {
+          render :json => { status: status, message: message, work_item_id: item_id }, :status => api_status_code
+        }
+        format.html {
+          if restore_item.nil?
+            flash[:alert] = message
+          else
+            flash[:notice] = message
+          end
+          redirect_to @generic_file
+        }
+      end
     else
-      api_status_code = :conflict
-      message = "Your file cannot be queued for restoration at this time due to a pending #{pending.action} request."
-    end
-    respond_to do |format|
-      status = restore_item.nil? ? 'error' : 'ok'
-      item_id = restore_item.nil? ? 0 : restore_item.id
-      format.json {
-        render :json => { status: status, message: message, work_item_id: item_id }, :status => api_status_code
-      }
-      format.html {
-        if restore_item.nil?
-          flash[:alert] = message
-        else
-          flash[:notice] = message
-        end
-        redirect_to @generic_file
-      }
+      authorize current_user, :nil_file?
+      respond_to do |format|
+        format.json { render json: { status: 'error', message: 'This file could not be found. Please check to make sure the identifier was properly escaped.', url: request.original_url }, status: 404 }
+        format.html { redirect_to root_url, alert: "A Generic File with identifier: #{params[:generic_file_identifier]} was not found. Please check to make sure the identifier was properly escaped." }
+      end
     end
   end
 

diff --git a/app/controllers/intellectual_objects_controller.rb b/app/controllers/intellectual_objects_controller.rb
@@ -54,7 +54,7 @@ def show
     else
       authorize current_user, :nil_object?
       respond_to do |format|
-        format.json { render json: { status: 'error', message: 'This object could not be found.' }, :status => 404 }
+        format.json { render json: { status: 'error', message: 'This object could not be found.', url: request.original_url }, :status => 404 }
         format.html { redirect_to root_url, alert: "An intellectual object with identifer: #{params[:intellectual_object_identifier]} could not be found." }
       end
     end
@@ -66,49 +66,65 @@ def edit
   end
 
   def update
-    authorize @intellectual_object
-    @intellectual_object.update!(update_params)
-    respond_to do |format|
-      format.json { render json: object_as_json }
-      format.html { redirect_to intellectual_object_path(@intellectual_object) }
+    if @intellectual_object
+      authorize @intellectual_object
+      @intellectual_object.update!(update_params)
+      respond_to do |format|
+        format.json { render json: object_as_json }
+        format.html { redirect_to intellectual_object_path(@intellectual_object) }
+      end
+    else
+      authorize current_user, :nil_object?
+      respond_to do |format|
+        format.json { render json: { status: 'error', message: 'This object could not be found.', url: request.original_url }, :status => 404 }
+        format.html { redirect_to root_url, alert: "An intellectual object with identifer: #{params[:intellectual_object_identifier]} could not be found." }
+      end
     end
   end
 
   def destroy
-    authorize @intellectual_object, :soft_delete?
-    pending = WorkItem.pending_action(@intellectual_object.identifier)
-    if @intellectual_object.state == 'D'
-      respond_to do |format|
-        format.json { head :conflict }
-        format.html {
-          redirect_to @intellectual_object
-          flash[:alert] = 'This item has already been deleted.'
-        }
-      end
-    elsif pending.nil?
-      log = Email.log_deletion_request(@intellectual_object)
-      ConfirmationToken.where(intellectual_object_id: @intellectual_object.id).delete_all #delete any old tokens. Only the new one should be valid
-      token = ConfirmationToken.create(intellectual_object: @intellectual_object, token: SecureRandom.hex)
-      token.save!
-      NotificationMailer.deletion_request(@intellectual_object, current_user, log, token).deliver!
-      respond_to do |format|
-        format.json { head :no_content }
-        format.html {
-          redirect_to @intellectual_object
-          flash[:notice] = 'An email has been sent to the administrators of this institution to confirm deletion of this object.'
-        }
+    if @intellectual_object
+      authorize @intellectual_object, :soft_delete?
+      pending = WorkItem.pending_action(@intellectual_object.identifier)
+      if @intellectual_object.state == 'D'
+        respond_to do |format|
+          format.json { head :conflict }
+          format.html {
+            redirect_to @intellectual_object
+            flash[:alert] = 'This item has already been deleted.'
+          }
+        end
+      elsif pending.nil?
+        log = Email.log_deletion_request(@intellectual_object)
+        ConfirmationToken.where(intellectual_object_id: @intellectual_object.id).delete_all #delete any old tokens. Only the new one should be valid
+        token = ConfirmationToken.create(intellectual_object: @intellectual_object, token: SecureRandom.hex)
+        token.save!
+        NotificationMailer.deletion_request(@intellectual_object, current_user, log, token).deliver!
+        respond_to do |format|
+          format.json { head :no_content }
+          format.html {
+            redirect_to @intellectual_object
+            flash[:notice] = 'An email has been sent to the administrators of this institution to confirm deletion of this object.'
+          }
+        end
+      else
+        respond_to do |format|
+          message = "Your object cannot be deleted at this time due to a pending #{pending.action} request. " +
+              "You may delete this object after the #{pending.action} request has completed."
+          format.json {
+            render :json => { status: 'error', message: message }, :status => :conflict
+          }
+          format.html {
+            redirect_to @intellectual_object
+            flash[:alert] = message
+          }
+        end
       end
     else
+      authorize current_user, :nil_object?
       respond_to do |format|
-        message = "Your object cannot be deleted at this time due to a pending #{pending.action} request. " +
-            "You may delete this object after the #{pending.action} request has completed."
-        format.json {
-          render :json => { status: 'error', message: message }, :status => :conflict
-        }
-        format.html {
-          redirect_to @intellectual_object
-          flash[:alert] = message
-        }
+        format.json { render json: { status: 'error', message: 'This object could not be found.', url: request.original_url }, :status => 404 }
+        format.html { redirect_to root_url, alert: "An intellectual object with identifer: #{params[:intellectual_object_identifier]} could not be found." }
       end
     end
   end
@@ -227,40 +243,48 @@ def send_to_dpn
   end
 
   def restore
-    authorize @intellectual_object, :restore?
-    message = ""
-    api_status_code = :ok
-    restore_item = nil
-    pending = WorkItem.pending_action(@intellectual_object.identifier)
-    if @intellectual_object.state == 'D'
-      api_status_code = :conflict
-      message = 'This item has been deleted and cannot be queued for restoration.'
-    elsif pending.nil?
-      if @intellectual_object.storage_option == 'Standard'
-        restore_item = WorkItem.create_restore_request(@intellectual_object.identifier, current_user.email)
+    if @intellectual_object
+      authorize @intellectual_object, :restore?
+      message = ""
+      api_status_code = :ok
+      restore_item = nil
+      pending = WorkItem.pending_action(@intellectual_object.identifier)
+      if @intellectual_object.state == 'D'
+        api_status_code = :conflict
+        message = 'This item has been deleted and cannot be queued for restoration.'
+      elsif pending.nil?
+        if @intellectual_object.storage_option == 'Standard'
+          restore_item = WorkItem.create_restore_request(@intellectual_object.identifier, current_user.email)
+        else
+          restore_item = WorkItem.create_glacier_restore_request(@intellectual_object.identifier, current_user.email)
+        end
+
+        message = 'Your item has been queued for restoration.'
       else
-        restore_item = WorkItem.create_glacier_restore_request(@intellectual_object.identifier, current_user.email)
+        api_status_code = :conflict
+        message = "Your object cannot be queued for restoration at this time due to a pending #{pending.action} request."
+      end
+      respond_to do |format|
+        status = restore_item.nil? ? 'error' : 'ok'
+        item_id = restore_item.nil? ? 0 : restore_item.id
+        format.json {
+          render :json => { status: status, message: message, work_item_id: item_id }, :status => api_status_code
+        }
+        format.html {
+          if restore_item.nil?
+            flash[:alert] = message
+          else
+            flash[:notice] = message
+          end
+          redirect_to @intellectual_object
+        }
       end
-
-      message = 'Your item has been queued for restoration.'
     else
-      api_status_code = :conflict
-      message = "Your object cannot be queued for restoration at this time due to a pending #{pending.action} request."
-    end
-    respond_to do |format|
-      status = restore_item.nil? ? 'error' : 'ok'
-      item_id = restore_item.nil? ? 0 : restore_item.id
-      format.json {
-        render :json => { status: status, message: message, work_item_id: item_id }, :status => api_status_code
-      }
-      format.html {
-        if restore_item.nil?
-          flash[:alert] = message
-        else
-          flash[:notice] = message
-        end
-        redirect_to @intellectual_object
-      }
+      authorize current_user, :nil_object?
+      respond_to do |format|
+        format.json { render json: { status: 'error', message: 'This object could not be found.', url: request.original_url }, :status => 404 }
+        format.html { redirect_to root_url, alert: "An intellectual object with identifer: #{params[:intellectual_object_identifier]} could not be found." }
+      end
     end
   end