IIIF #30 - Enabling /public/resources route with required "project_id…

…" parameter
performant-software · Apr 25, 2023 · a23a9dc · a23a9dc
1 parent 803ebff
commit a23a9dc
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/app/controllers/api/resources_controller.rb b/app/controllers/api/resources_controller.rb
@@ -13,6 +13,7 @@ class Api::ResourcesController < Api::BaseController
   before_action :set_defineable_params, only: :index
   before_action :validate_new_resource, unless: -> { current_user.admin? }, only: :create
   before_action :validate_resource, unless: -> { current_user.admin? }, only: [:update, :destroy]
+  before_action :validate_resources, unless: -> { current_user.admin? }, only: :index
 
   protected
 
@@ -48,4 +49,9 @@ def validate_resource
     resource = Resource.find(params[:id])
     check_authorization resource.project.organization_id
   end
+
+  def validate_resources
+    project = Project.find(params[:project_id])
+    check_authorization project.organization_id
+  end
 end
diff --git a/app/controllers/public/resources_controller.rb b/app/controllers/public/resources_controller.rb
@@ -1,6 +1,7 @@
 class Public::ResourcesController < Api::ResourcesController
   # Actions
   prepend_before_action :set_project, only: [:create, :update]
+  prepend_before_action :set_project_id, only: :index
   prepend_before_action :set_resource, only: [:show, :destroy, :update, :manifest]
 
   def manifest
@@ -29,11 +30,22 @@ def render_unauthorized(errors)
 
   def set_project
     project = Project.find_by_uuid(params[:resource][:project_id])
+    render_unauthorized I18n.t('errors.unauthorized') and return if project.nil?
+
     params[:resource][:project_id] = project.id
   end
 
+  def set_project_id
+    project = Project.find_by_uuid(params[:project_id])
+    render_unauthorized I18n.t('errors.unauthorized') and return if project.nil?
+
+    params[:project_id] = project.id
+  end
+
   def set_resource
     resource = Resource.find_by_uuid(params[:id])
+    render_unauthorized I18n.t('errors.unauthorized') and return if resource.nil?
+
     params[:id] = resource.id
   end
 end
diff --git a/config/routes.rb b/config/routes.rb
@@ -14,7 +14,7 @@
   end
 
   namespace :public do
-    resources :resources, only: [:create, :show, :destroy, :update] do
+    resources :resources, only: [:index, :create, :show, :destroy, :update] do
       member do
         get :manifest
       end