Make users bannable.

- Short-circuit non-get requests for banned users - Close zooniverse#247
edpaget · Dec 1, 2014 · bf55784 · bf55784
1 parent 3bb1dd1
commit bf55784
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 7 deletions.
diff --git a/app/controllers/api/api_controller.rb b/app/controllers/api/api_controller.rb
@@ -26,11 +26,12 @@ class ApiController < ApplicationController
     before_action ContentTypeFilter.new(*API_ACCEPTED_CONTENT_TYPES,
                                         API_ALLOWED_METHOD_OVERRIDES)
 
-    before_filter :require_login, only: [:create, :update, :destroy]
+    before_action :require_login, only: [:create, :update, :destroy]
+    before_action :ban_user, only: [:create, :update, :destroy]
     skip_before_action :verify_authenticity_token
 
     access_control_for :update, :destroy, :create,
-      [:update_links, :update], [:destroy_links, :update]
+                       [:update_links, :update], [:destroy_links, :update]
 
     def current_resource_owner
       if doorkeeper_token
@@ -57,7 +58,7 @@ def user_accept_languages
 
     def parse_http_accept_languages
       language_extractor = AcceptLanguageExtractor
-        .new(request.env['HTTP_ACCEPT_LANGUAGE'])
+                           .new(request.env['HTTP_ACCEPT_LANGUAGE'])
 
       language_extractor.parse_languages
     end
@@ -78,5 +79,18 @@ def request_ip
     def require_login
       raise Api::NotLoggedIn unless api_user.logged_in?
     end
+
+    def ban_user
+      if api_user.banned
+        case action_name
+        when "update"
+          head :ok
+        when "create"
+          head :created
+        when "destroy"
+          head :no_content
+        end
+      end
+    end
   end
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
@@ -27,6 +27,14 @@ def id
     user.try(:id)
   end
 
+  def banned
+    if user
+      user.banned
+    else
+      false
+    end
+  end
+
   def languages
     user.try(:languages)
   end

diff --git a/db/migrate/20141201164157_add_banned_flag_to_user.rb b/db/migrate/20141201164157_add_banned_flag_to_user.rb
@@ -0,0 +1,5 @@
+class AddBannedFlagToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :banned, :boolean, default: false, null: false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20141119150447) do
+ActiveRecord::Schema.define(version: 20141201164157) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -302,6 +302,7 @@
     t.boolean  "global_email_communication"
     t.boolean  "project_email_communication"
     t.boolean  "admin",                       default: false,    null: false
+    t.boolean  "banned",                      default: false,    null: false
   end
 
   add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree

diff --git a/spec/controllers/api/api_controller_spec.rb b/spec/controllers/api/api_controller_spec.rb
@@ -68,9 +68,11 @@ def index
     describe "when a user has an incorrect scope" do
 
       it "should return 403 with a logged in user" do
-        allow(controller).to receive(:doorkeeper_token) { double( accessible?: true,
-                                                                 acceptable?: false,
-                                                                 includes_scope?: false ) }
+        allow(controller).to receive(:doorkeeper_token) {
+          double( accessible?: true,
+                  acceptable?: false,
+                  includes_scope?: false,
+                  resource_owner_id: user.id ) }
         get :index
         expect(response.status).to eq(403)
       end
@@ -207,4 +209,56 @@ def resource_class
       end
     end
   end
+
+  describe "when a banned user attempts to take an action" do
+    let(:user) { create(:user, banned: true) }
+
+    controller do
+      def update
+        render nothing: true
+      end
+
+      def create
+        render nothing: true
+      end
+
+      def destroy
+        render nothing: true
+      end
+    end
+
+    let(:api_user) { ApiUser.new(user) }
+
+    before(:each) do
+      routes.draw do 
+        put "update" => "api/api#update"
+        post "create" => "api/api#create"
+        delete "destroy" => "api/api#destroy"
+      end
+
+      allow(controller).to receive(:api_user).and_return(api_user)
+      @request.env["CONTENT_TYPE"] = "application/json"
+    end
+
+    context "create action" do
+      it 'should return an empty created response' do
+        post :create
+        expect(response.status).to eq(201)
+      end
+    end
+
+    context "update action" do
+      it 'should return an empty okay response' do
+        put :update
+        expect(response.status).to eq(200)
+      end
+    end
+
+    context "destroy action" do
+      it 'should return an empty no content response' do
+        delete :destroy
+        expect(response.status).to eq(204)
+      end
+    end
+  end
 end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
@@ -11,6 +11,7 @@
     global_email_communication true
     project_email_communication true
     admin false
+    banned false
 
     after(:build) do |user|
       unless user.owner_name