Refactoring and test clean up

494c6dde · Darby Frey · a2eba097 · 494c6dde · 494c6dde · 494c6dde
Commit 494c6dde authored Mar 11, 2022 by Darby Frey
4 changed files
--- a/app/controllers/projects/ci/secure_files_controller.rb
+++ b/app/controllers/projects/ci/secure_files_controller.rb
 # frozen_string_literal: true

 class Projects::Ci::SecureFilesController < Projects::ApplicationController
-  before_action :check_can_collaborate!
+  before_action :authorize_read_secure_files!

  feature_category :pipeline_authoring

  def show
  end
-
-  private
-
-  def check_can_collaborate!
-    render_404 unless can?(current_user, :read_secure_files, project)
-  end
 end
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -463,7 +463,6 @@ class ProjectPolicy < BasePolicy
    enable :register_project_runners
    enable :update_runners_registration_token
    enable :admin_project_google_cloud
-    enable :read_secure_files
    enable :admin_secure_files
  end


--- a/lib/api/ci/secure_files.rb
+++ b/lib/api/ci/secure_files.rb
@@ -52,17 +52,18 @@ module API
          body secure_file.file.read
        end

+        # Additional authorization check for admin endpoints
+        # All APIs defined below this block will require admin level permissions
+        before do
+          authorize! :admin_secure_files, user_project
+        end
+
        desc 'Upload a Secure File'
        params do
          requires :name, type: String, desc: 'The name of the file'
          requires :file, types: [Rack::Multipart::UploadedFile, ::API::Validations::Types::WorkhorseFile], desc: 'The secure file to be uploaded'
          optional :permissions, type: String, desc: 'The file permissions', default: 'read_only', values: %w[read_only read_write execute]
        end
-
-        before do
-          authorize! :admin_secure_files, user_project
-        end
-
        route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true
        post ':id/secure_files' do
          secure_file = user_project.secure_files.new(
@@ -82,11 +83,6 @@ module API
        end

        desc 'Delete an individual Secure File'
-
-        before do
-          authorize! :admin_secure_files, user_project
-        end
-
        route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true
        delete ':id/secure_files/:secure_file_id' do
          secure_file = user_project.secure_files.find(params[:secure_file_id])

--- a/spec/requests/api/ci/secure_files_spec.rb
+++ b/spec/requests/api/ci/secure_files_spec.rb