[openstreetmap/openstreetmap-website] Add user block api call (PR #4301)

Tom Hughes notifications at github.com
Sat Oct 21 10:24:59 UTC 2023 

@tomhughes requested changes on this pull request.



> @@ -14,5 +16,30 @@ def show
     rescue ActiveRecord::RecordNotFound
       raise OSM::APINotFoundError
     end
+
+    def create
+      raise OSM::APIBadUserInput, "No user was given" unless params[:user]
+
+      user = User.visible.find_by(:id => params[:user])
+      raise OSM::APINotFoundError unless user
+      raise OSM::APIBadUserInput, "No reason was given" unless params[:reason]
+      raise OSM::APIBadUserInput, "No period was given" unless params[:period]
+
+      period = Integer(params[:period], :exception => false)
+      raise OSM::APIBadUserInput, "Period one is in a wrong format" unless period

I'm not sure what `one` is referring to in this message? It should also be `the wrong format` but overall I'd probably replace the whole thing with something like `Period should be a number of hours`.

> +      post api_user_blocks_path(:user => blocked_user.id, :reason => "because", :period => 1), :headers => auth_header
+      assert_response :not_found
+      assert_equal "text/plain", @response.media_type
+
+      assert_empty blocked_user.blocks
+    end
+
+    [
+      ["missing reason", "No reason was given", { :period => "10" }],
+      ["missing period", "No period was given", { :reason => "because" }],
+      ["non-numeric period", "Period one is in a wrong format", { :reason => "because", :period => "one" }],
+      ["negative period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "-1" }],
+      ["excessive period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "10000000" }],
+      ["unknown needs_view", "Needs_view must be true if provided", { :reason => "because", :period => "1", :needs_view => "maybe" }]
+    ].each do |name, message, params|
+      test "create invalid because #{name}" do

I'm not sure I like this - yes it's valid ruby but it strikes me as a bit too clever for it's own good.

What I would probably have done is put the body of the text in a private method and then write each test method just to invoke the private method with the right arguments. It's not quite as concise as this but I think it's probably easier to read and understand.

> +      assert_predicate block, :active?
+      assert_equal "because", block.reason
+      assert_equal creator_user, block.creator
+
+      assert_equal "application/xml", @response.media_type
+      assert_select "osm>user_block", 1
+      assert_select "osm>user_block>@id", block.id.to_s
+      assert_select "osm>user_block>@needs_view", "false"
+      assert_select "osm>user_block>user", 1
+      assert_select "osm>user_block>user>@uid", blocked_user.id.to_s
+      assert_select "osm>user_block>creator", 1
+      assert_select "osm>user_block>creator>@uid", creator_user.id.to_s
+      assert_select "osm>user_block>revoker", 0
+      assert_select "osm>user_block>reason", 1
+      assert_select "osm>user_block>reason", "because"
+    end

You can nest these rather than keep repeating the same path prefix, so do something like:

```ruby
assert_select "osm>user_block", 1 do
   assert_select "@id", block.id.to_s
   ...
end
```

>  
       get api_user_block_path(:id => block)
       assert_response :success
-      assert_select "user_block[id='#{block.id}']", 1
+      assert_select "osm>user_block", 1
+      assert_select "osm>user_block>@id", block.id.to_s
+      assert_select "osm>user_block>user", 1
+      assert_select "osm>user_block>user>@uid", blocked_user.id.to_s
+      assert_select "osm>user_block>creator", 1
+      assert_select "osm>user_block>creator>@uid", creator_user.id.to_s
+      assert_select "osm>user_block>revoker", 0
+      assert_select "osm>user_block>reason", 1
+      assert_select "osm>user_block>reason", "because running tests"

See previous comment about nesting selects.

> @@ -1,7 +1,7 @@
 module Oauth
   SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
   PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
-  OAUTH2_SCOPES = %w[openid].freeze
+  OAUTH2_SCOPES = %w[write_blocks openid].freeze

I'm not bothered about this - you still need to be a moderator to actually apply blocks so there's no real security issue. If DWG think it's important for the reasons @mmd-osm mentions then fine.

If we do want to restrict it then we'll need to add a new concept of scopes that moderators can use as the current privileged scopes are restricted to administrators only.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/4301#pullrequestreview-1691229213
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/pull/4301/review/1691229213 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20231021/7c42de78/attachment.htm>

More information about the rails-dev mailing list