AO3-6754 Restrict access to API tokens (#4871)

* AO3-6754 Added authorization and policy on controller to ensure only superadmin can access /api paths * AO3-6754 Only show Manage API Tokens in header for super admins * AO3-6754 Remove Manage from API Tokens heading * AO3-6754 Rename browser titles for api tokens * AO3-6754 Add authorization for POST api token endpoints * AO3-6754 Add newline to end of file * AO3-6754 Normalize I18n en files * AO3-6754 override page_subtitle instead of page_title * AO3-6754 authorize ApiKey in one line * AO3-6754 use index policy to show/hide API Tokens link * AO3-6754 use better naming for note key in form * AO3-6754 normalize i18n file
otwcode · Aug 14, 2024 · fff3a6d · fff3a6d
1 parent f7c1111
commit fff3a6d
Show file tree

Hide file tree

Showing 6 changed files with 412 additions and 153 deletions.
diff --git a/app/controllers/admin/api_controller.rb b/app/controllers/admin/api_controller.rb
@@ -2,23 +2,27 @@ class Admin::ApiController < Admin::BaseController
   before_action :check_for_cancel, only: [:create, :update]
 
   def index
+    @page_subtitle = t(".page_title")
     @api_keys = if params[:query]
                   sql_query = "%" + params[:query] + "%"
                   ApiKey.where("name LIKE ?", sql_query).order("name").paginate(page: params[:page])
                 else
                   ApiKey.order("name").paginate(page: params[:page])
                 end
+    authorize @api_keys
   end
 
   def show
     redirect_to action: "index"
   end
 
   def new
-    @api_key = ApiKey.new
+    @page_subtitle = t(".page_title")
+    @api_key = authorize ApiKey.new
   end
 
   def create
+    authorize ApiKey
     # Use provided api key params if available otherwise fallback to empty
     # ApiKey object
     @api_key = params[:api_key].nil? ? ApiKey.new : ApiKey.new(api_key_params)
@@ -31,11 +35,12 @@ def create
   end
 
   def edit
-    @api_key = ApiKey.find(params[:id])
+    @page_subtitle = t(".page_title")
+    @api_key = authorize ApiKey.find(params[:id])
   end
 
   def update
-    @api_key = ApiKey.find(params[:id])
+    @api_key = authorize ApiKey.find(params[:id])
     if @api_key.update(api_key_params)
       flash[:notice] = ts("Access token was successfully updated")
       redirect_to action: "index"
@@ -45,7 +50,7 @@ def update
   end
 
   def destroy
-    @api_key = ApiKey.find(params[:id])
+    @api_key = authorize ApiKey.find(params[:id])
     @api_key.destroy
     redirect_to(admin_api_path)
   end

diff --git a/app/policies/api_key_policy.rb b/app/policies/api_key_policy.rb
@@ -0,0 +1,14 @@
+class ApiKeyPolicy < ApplicationPolicy
+  PERMITTED_ROLES = %w[superadmin].freeze
+
+  def index?
+    user_has_roles?(PERMITTED_ROLES)
+  end
+
+  alias show? index?
+  alias new? index?
+  alias edit? index?
+  alias create? index?
+  alias update? index?
+  alias destroy? index?
+end
diff --git a/app/views/admin/_header.html.erb b/app/views/admin/_header.html.erb
@@ -68,6 +68,8 @@
       <li><%= link_to t(".nav.activities"), admin_activities_path %></li>
     <% end %>
 
-    <li><%= link_to t(".nav.api_tokens"), admin_api_index_path %></li>
+    <% if policy(ApiKey).index? %>
+      <li><%= link_to t(".nav.api_tokens"), admin_api_index_path %></li>
+    <% end %>
   </ul>
 </nav>
diff --git a/app/views/admin/api/index.html.erb b/app/views/admin/api/index.html.erb
@@ -1,5 +1,5 @@
 <div class="admin">
-  <h2 class="heading"><%= ts("API Tokens") %></h2>
+  <h2 class="heading"><%= t(".page_heading") %></h2>
 
   <!--subnav-->
   <%= render "navigation" %>
@@ -9,25 +9,25 @@
 
   <!--main content-->
   <%= form_tag url_for(controller: "admin/api", action: "index"), method: :get, class: "search", role: "search" do %>
-    <p class="note"><%= ts("Search for an API token by name") %></p>
+    <p class="note"><%= t(".search_by_name") %></p>
     <dl>
-      <dt><%= label_tag "query", ts("Name") %></dt>
+      <dt><%= label_tag "query", t(".search_box.label") %></dt>
       <dd><%= text_field_tag "query", params[:query] %>
         </dd>
     </dl>
-    <p class="submit actions"><%= submit_tag ts("Find") %></p>
+    <p class="submit actions"><%= submit_tag t(".actions.find") %></p>
   <% end %>
 
-  <table summary="<%= ts("Existing API tokens along with the dates they were created and updated and options for editing them.") %>">
-    <caption><%= ts("API Tokens") %></caption>
+  <table summary="<%= t(".table.summary") %>">
+    <caption><%= t(".table.caption") %></caption>
     <thead>
     <tr>
-      <th scope="col"><%= ts("Name") %></th>
-      <th scope="col"><%= ts("Token") %></th>
-      <th scope="col"><%= ts("Banned?") %></th>
-      <th scope="col"><%= ts("Created") %></th>
-      <th scope="col"><%= ts("Updated") %></th>
-      <th scope="col"><%= ts("Actions") %></th>
+      <th scope="col"><%= t(".table.headings.name") %></th>
+      <th scope="col"><%= t(".table.headings.token") %></th>
+      <th scope="col"><%= t(".table.headings.banned") %></th>
+      <th scope="col"><%= t(".table.headings.created") %></th>
+      <th scope="col"><%= t(".table.headings.updated") %></th>
+      <th scope="col"><%= t(".table.headings.actions") %></th>
     </tr>
     </thead>
     <tbody>
@@ -40,7 +40,7 @@
         <td><%= api_key.updated_at %></td>
         <td>
           <ul class="actions">
-            <li><%= link_to ts("Edit"), edit_admin_api_path(api_key) %></li>
+            <li><%= link_to t(".table.actions.edit"), edit_admin_api_path(api_key) %></li>
           </ul>
         </td>
       </tr>

diff --git a/config/locales/views/en.yml b/config/locales/views/en.yml
@@ -178,6 +178,31 @@ en:
               required: Required when adding or removing a warning or suspension to an account.
             submit: Update
           heading: Record Warnings, Suspensions, or Notes
+    api:
+      edit:
+        page_title: Edit API Token
+      index:
+        actions:
+          find: Find
+        page_heading: API Tokens
+        page_title: API Tokens
+        search_box:
+          label: Name
+        search_by_name: Search for an API token by name
+        table:
+          actions:
+            edit: Edit
+          caption: API Tokens
+          headings:
+            actions: Actions
+            banned: Banned?
+            created: Created
+            name: Name
+            token: Token
+            updated: Updated
+          summary: Existing API tokens along with the dates they were created and updated and options for editing them.
+      new:
+        page_title: New API Token
     banners:
       index:
         actions:
@@ -218,7 +243,7 @@ en:
     header:
       nav:
         activities: Activities
-        api_tokens: Manage API Tokens
+        api_tokens: API Tokens
         banned_emails: Banned Emails
         banners: Banners
         invitations: