FIX: add support for missing verbs in user api key

FIX: add support for missing verbs in user api key

Previously, the “write” scope was missing the put and delete verbs, which should be allowed.

Also closes: #6982

diff --git a/app/models/user_api_key.rb b/app/models/user_api_key.rb
index cf9bc31..7a3747f 100644
--- a/app/models/user_api_key.rb
+++ b/app/models/user_api_key.rb
@@ -2,7 +2,7 @@ class UserApiKey < ActiveRecord::Base
 
   SCOPES = {
     read: [:get],
-    write: [:get, :post, :patch],
+    write: [:get, :post, :patch, :put, :delete],
     message_bus: [[:post, 'message_bus']],
     push: nil,
     notifications: [[:post, 'message_bus'], [:get, 'notifications#index'], [:put, 'notifications#mark_read']],
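Review bot: The `write` entry now carries bare `:put` and `:delete` with no `controller#action` restriction, and nothing next to SCOPES documents what a bare verb means. Judging by the `return true unless action` line in the next hunk, a bare verb appears to match every route, so `write` becomes blanket access for all mutating verbs. Keys already issued with the `write` scope would pick up PUT and DELETE on deploy without the user approving the wider grant again, which deserves a line in the commit message or release notes. I would add a comment above the hash such as `# A bare verb grants that verb on every route; [verb, 'controller#action'] limits it to one action.` The SCOPES hash continues past the end of this hunk.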
@@ -29,7 +29,6 @@ class UserApiKey < ActiveRecord::Base
     verb, action = permission
     actual_verb = env["REQUEST_METHOD"] || ""
 
-    # safe in Ruby 2.3 which is only one supported
     return false unless actual_verb.downcase == verb.to_s
     return true unless action
 
diff --git a/spec/models/user_api_key_spec.rb b/spec/models/user_api_key_spec.rb
index 90293fc..9543f01 100644
--- a/spec/models/user_api_key_spec.rb
+++ b/spec/models/user_api_key_spec.rb
@@ -16,9 +16,20 @@ describe UserApiKey do
 
     end
 
+    it "can allow all correct scopes to write" do
+
+      key = UserApiKey.new(scopes: ["write"])
+
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PATCH")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "DELETE")).to eq(true)
+      expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "POST")).to eq(true)
+    end
+
     it "can allow blanket read" do
 
-      key = UserApiKey.new(scopes: ['read'])
+      key = UserApiKey.new(scopes: ["read"])
 
       expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "GET")).to eq(true)
       expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "PUT")).to eq(false)
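Review bot: The new "can allow all correct scopes to write" example asserts only allowed verbs, so it would still pass if `allow?` began returning true for every request method. Add one negative case, for instance `expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "OPTIONS")).to eq(false)`, assuming unlisted verbs are rejected as the verb comparison in `user_api_key.rb` suggests. Since DELETE is newly grantable, the "can allow blanket read" example should also check that `read` refuses it: `expect(key.allow?("PATH_INFO" => "/random", "REQUEST_METHOD" => "DELETE")).to eq(false)`. That example's body runs past the end of this hunk, so it may already assert more than the PUT case shown here.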

GitHub sha: 641b079c
