Merge pull request #68 from jedmund/unauth-teams

Allow editing of unauth teams

app/blueprints/api/v1/party_blueprint.rb

@@ -68,9 +68,10 @@ module Api
         include_view :characters
         include_view :job_skills
 
+        fields :local_id, :description, :charge_attack, :button_count, :turn_count, :chain_count
+
         association :accessory,
                     blueprint: JobAccessoryBlueprint
-        fields :description, :charge_attack, :button_count, :turn_count, :chain_count
 
         association :source_party,
                     blueprint: PartyBlueprint,
@@ -86,6 +87,11 @@ module Api
         include_view :preview
       end
 
+      view :created do
+        include_view :full
+        fields :edit_key
+      end
+
       view :destroyed do
         fields :name, :description, :created_at, :updated_at
       end

app/controllers/api/v1/api_controller.rb

@@ -50,6 +50,12 @@ module Api
         @current_user
       end
 
+      def edit_key
+        @edit_key ||= request.headers['X-Edit-Key'] if request.headers['X-Edit-Key']
+        
+        @edit_key
+      end
+
       # Set the response content-type
       def content_type(content_type)
         response.headers['Content-Type'] = content_type

app/controllers/api/v1/grid_characters_controller.rb

@@ -7,7 +7,7 @@ module Api
 
       before_action :find_party, only: :create
       before_action :set, only: %i[update destroy]
-      before_action :check_authorization, only: %i[update destroy]
+      before_action :authorize, only: %i[create update destroy]
       before_action :find_incoming_character, only: :create
       before_action :find_current_characters, only: :create
 
@@ -135,8 +135,12 @@ module Api
         render_unauthorized_response if current_user && (party.user != current_user)
       end
 
-      def check_authorization
+      def authorize
-        render_unauthorized_response if @character.party.user != current_user
+        # Create
+        unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
+        unauthorized_update = @character && @character.party && (@character.party.user != current_user || @character.party.edit_key != edit_key)
+
+        render_unauthorized_response if unauthorized_create || unauthorized_update
       end
 
       # Specify whitelisted properties that can be modified.

app/controllers/api/v1/grid_summons_controller.rb

@@ -3,12 +3,12 @@
 module Api
   module V1
     class GridSummonsController < Api::V1::ApiController
-      before_action :set, only: %w[update destroy]
-
       attr_reader :party, :incoming_summon
-
+      
+      before_action :set, only: %w[update destroy]
       before_action :find_party, only: :create
       before_action :find_incoming_summon, only: :create
+      before_action :authorize, only: %i[create update destroy]
 
       def create
         # Create the GridSummon with the desired parameters
@@ -94,6 +94,14 @@ module Api
                                    meta: { replaced: conflict_position })
       end
 
+      def authorize
+        # Create
+        unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
+        unauthorized_update = @summon && @summon.party && (@summon.party.user != current_user || @summon.party.edit_key != edit_key)
+
+        render_unauthorized_response if unauthorized_create || unauthorized_update
+      end
+
       def set
         @summon = GridSummon.where('id = ?', params[:id]).first
       end

app/controllers/api/v1/grid_weapons_controller.rb

@@ -3,12 +3,12 @@
 module Api
   module V1
     class GridWeaponsController < Api::V1::ApiController
-      before_action :set, except: %w[create update_uncap_level]
-
       attr_reader :party, :incoming_weapon
 
+      before_action :set, except: %w[create update_uncap_level]
       before_action :find_party, only: :create
       before_action :find_incoming_weapon, only: :create
+      before_action :authorize, only: %i[create update destroy]
 
       def create
         # Create the GridWeapon with the desired parameters
@@ -121,15 +121,15 @@ module Api
       # Render the conflict view as a string
       def render_conflict_view(conflict_weapon, incoming_weapon, incoming_position)
         ConflictBlueprint.render(nil, view: :weapons,
-                                      conflict_weapon: conflict_weapon,
+                                 conflict_weapon: conflict_weapon,
-                                      incoming_weapon: incoming_weapon,
+                                 incoming_weapon: incoming_weapon,
-                                      incoming_position: incoming_position)
+                                 incoming_position: incoming_position)
       end
 
       def render_grid_weapon_view(grid_weapon, conflict_position)
         GridWeaponBlueprint.render(grid_weapon, view: :full,
-                                                root: :grid_weapon,
+                                   root: :grid_weapon,
-                                                meta: { replaced: conflict_position })
+                                   meta: { replaced: conflict_position })
       end
 
       def save_weapon(weapon)
@@ -183,6 +183,15 @@ module Api
         @weapon = GridWeapon.where('id = ?', params[:id]).first
       end
 
+      def authorize
+        # Create
+        ap @party
+        unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
+        unauthorized_update = @weapon && @weapon.party && (@weapon.party.user != current_user || @weapon.party.edit_key != edit_key)
+
+        render_unauthorized_response if unauthorized_create || unauthorized_update
+      end
+
       # Specify whitelisted properties that can be modified.
       def weapon_params
         params.require(:weapon).permit(

app/controllers/api/v1/jobs_controller.rb

@@ -4,6 +4,7 @@ module Api
   module V1
     class JobsController < Api::V1::ApiController
       before_action :set, only: %w[update_job update_job_skills]
+      before_action :authorize, only: %w[update_job update_job_skills]
 
       def all
         render json: JobBlueprint.render(Job.all)
@@ -165,6 +166,10 @@ module Api
         end
       end
 
+      def authorize
+        render_unauthorized_response if @party.user != current_user || @party.edit_key != edit_key
+      end
+
       def set
         @party = Party.where('id = ?', params[:id]).first
       end

app/controllers/api/v1/parties_controller.rb

@@ -6,6 +6,7 @@ module Api
       before_action :set_from_slug,
                     except: %w[create destroy update index favorites]
       before_action :set, only: %w[update destroy]
+      before_action :authorize, only: %w[update destroy]
 
       def create
         party = Party.new
@@ -26,7 +27,7 @@ module Api
         # end
 
         if party.save!
-          return render json: PartyBlueprint.render(party, view: :full, root: :party),
+          return render json: PartyBlueprint.render(party, view: :created, root: :party),
                         status: :created
         end
 
@@ -40,8 +41,6 @@ module Api
       end
 
       def update
-        render_unauthorized_response if @party.user != current_user
-
         @party.attributes = party_params.except(:skill1_id, :skill2_id, :skill3_id)
 
         # TODO: Validate accessory with job
@@ -52,7 +51,6 @@ module Api
       end
 
       def destroy
-        render_unauthorized_response if @party.user != current_user
         return render json: PartyBlueprint.render(@party, view: :destroyed, root: :checkin) if @party.destroy
       end
 
@@ -123,6 +121,10 @@ module Api
 
       private
 
+      def authorize
+        render_unauthorized_response if @character.party.user != current_user || @party.edit_key != edit_key
+      end
+
       def build_conditions(params)
         unless params['recency'].blank?
           start_time = (DateTime.current - params['recency'].to_i.seconds)
@@ -173,6 +175,8 @@ module Api
 
         params.require(:party).permit(
           :user_id,
+          :local_id,
+          :edit_key,
           :extra,
           :name,
           :description,

app/models/party.rb

@@ -62,6 +62,7 @@ class Party < ApplicationRecord
   has_many :favorites
 
   before_create :set_shortcode
+  before_create :set_edit_key
 
   ##### Amoeba configuration
   amoeba do
@@ -100,6 +101,12 @@ class Party < ApplicationRecord
     self.shortcode = random_string
   end
 
+  def set_edit_key
+    if !self.user
+      self.edit_key = Digest::SHA1.hexdigest([Time.now, rand].join)
+    end
+  end
+
   def random_string
     num_chars = 6
     o = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten

db/migrate/20230131082521_add_edit_key_to_parties.rb

@@ -0,0 +1,5 @@
+class AddEditKeyToParties < ActiveRecord::Migration[7.0]
+  def change
+    add_column :parties, :edit_key, :string, unique: true, null: true
+  end
+end

db/migrate/20230131084343_add_local_id_to_parties.rb

@@ -0,0 +1,5 @@
+class AddLocalIdToParties < ActiveRecord::Migration[7.0]
+  def change
+    add_column :parties, :local_id, :uuid, null: true, unique: true
+  end
+end

db/schema.rb

@@ -10,13 +10,12 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_01_30_114432) do
+ActiveRecord::Schema[7.0].define(version: 2023_01_31_084343) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "btree_gin"
   enable_extension "pg_trgm"
   enable_extension "pgcrypto"
   enable_extension "plpgsql"
-  enable_extension "timescaledb"
 
   create_table "app_updates", primary_key: "updated_at", id: :datetime, force: :cascade do |t|
     t.string "update_type", null: false
@@ -226,6 +225,8 @@ ActiveRecord::Schema[7.0].define(version: 2023_01_30_114432) do
     t.uuid "accessory_id"
     t.integer "characters_count"
     t.integer "summons_count"
+    t.string "edit_key"
+    t.uuid "local_id"
     t.index ["accessory_id"], name: "index_parties_on_accessory_id"
     t.index ["job_id"], name: "index_parties_on_job_id"
     t.index ["skill0_id"], name: "index_parties_on_skill0_id"