decidim-api 0.30.8 → 0.31.0.rc1

data/lib/decidim/api/graphql_permissions.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    # Adds methods to Authorize the API objects.
+    module GraphqlPermissions
+      extend ActiveSupport::Concern
+
+      include Decidim::Api::RequiredScopes
+
+      class_methods do
+        def authorized?(object, context)
+          return false unless scope_authorized?(context)
+
+          chain = []
+
+          subject = determine_subject_name(object)
+          context[subject] = object
+
+          chain.unshift(allowed_to?(:read, :participatory_space, object, context)) if object.respond_to?(:participatory_space)
+          chain.unshift(allowed_to?(:read, :component, object, context)) if object.respond_to?(:component) && object.component.present?
+
+          super && chain.all?
+        end
+
+        def determine_subject_name(object)
+          object.class.name.split("::").last.underscore.to_sym
+        end
+
+        # This is a simplified adaptation of allowed_to? from NeedsPermission concern
+        # @param action [Symbol] The action performed. Most cases the action is :read
+        # @param subject [Object] The name of the subject. Ex: :participatory_space, :component, or object
+        # @param object [ActiveModel::Base] The object that is being represented.
+        # @param context [GraphQL::Query::Context] The GraphQL context
+        #
+        # @return Boolean
+        def allowed_to?(action, subject, object, context, scope: :public)
+          unless subject.is_a?(::Symbol)
+            subject = determine_subject_name(object)
+            context[subject] = object
+          end
+
+          permission_action = Decidim::PermissionAction.new(scope:, action:, subject:)
+
+          permission_chain(object).inject(permission_action) do |current_permission_action, permission_class|
+            permission_context =
+              if scope == :admin
+                local_admin_context(object, context)
+              else
+                local_context(object, context)
+              end
+
+            permission_class.new(
+              context[:current_user],
+              current_permission_action,
+              permission_context
+            ).permissions
+          end.allowed?
+        end
+
+        # Injects into context object current_participatory_space and current_component keys as they are needed
+        #
+        # @param object [ActiveModel::Base] The object that is being represented.
+        # @param context [GraphQL::Query::Context] The GraphQL context
+        #
+        # @return Hash
+        def local_context(object, context)
+          context[:current_participatory_space] = object.participatory_space if object.respond_to?(:participatory_space)
+          context[:current_component] =
+            if object.is_a?(Decidim::Component)
+              object
+            elsif object.respond_to?(:component)
+              object.component
+            end
+
+          context.to_h
+        end
+
+        def local_admin_context(object, context)
+          context = local_context(object, context)
+
+          component = context[:current_component]
+          return context unless component
+          return context unless component.respond_to?(:current_settings)
+          return context unless component.respond_to?(:settings)
+          return context unless component.respond_to?(:organization)
+
+          context[:current_settings] = component.current_settings
+          context[:component_settings] = component.settings
+          context[:current_organization] = component.organization
+
+          context
+        end
+
+        # Creates the permission chain arrau that contains all the permission classes required to authorize a certain resource
+        # We are using unshift as we need the Admin and base permissions to be last in the chain
+        # @param object [ActiveModel::Base] The object that is being represented.
+        #
+        # @return [Decidim::DefaultPermissions]
+        def permission_chain(object)
+          permissions = [
+            Decidim::Admin::Permissions,
+            Decidim::Permissions
+          ]
+
+          if object.is_a?(Decidim::Component)
+            permissions.unshift(object.participatory_space.manifest.permissions_class)
+            permissions.unshift(object.manifest.permissions_class)
+          else
+            permissions.unshift(object.participatory_space.manifest.permissions_class) if object.respond_to?(:participatory_space)
+            permissions.unshift(object.component.manifest.permissions_class) if object.respond_to?(:component) && object.component.present?
+          end
+
+          permissions
+        end
+      end
+
+      private
+
+      delegate :allowed_to?, to: :class
+
+      attr_reader :action
+    end
+  end
+end

data/lib/decidim/api/mutation_type.rb

@@ -5,6 +5,16 @@ module Decidim
     # This type represents the root mutation type of the whole API
     class MutationType < Decidim::Api::Types::BaseObject
       description "The root mutation of this schema"
+
+      required_scopes "api:write"
+
+      field :component, Decidim::Api::ComponentMutationType, "The component of this schema", null: false do
+        argument :id, GraphQL::Types::ID, "The Comment's unique ID", required: true
+      end
+
+      def component(id:)
+        context[:current_organization]&.published_components&.find(id)
+      end
     end
   end
 end

data/lib/decidim/api/required_scopes.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    # Adds methods to the API objects for validating the API scopes.
+    module RequiredScopes
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def required_scopes(*scopes)
+          @required_scopes = scopes
+        end
+
+        def determine_required_scopes
+          return @required_scopes if @required_scopes.present?
+          return unless superclass.respond_to?(:determine_required_scopes)
+
+          superclass.determine_required_scopes
+        end
+
+        def scope_authorized?(context)
+          req_scopes = determine_required_scopes
+          return true unless req_scopes.is_a?(Array)
+
+          scopes = context[:scopes] # ::Doorkeeper::OAuth::Scopes
+          scopes.scopes?(req_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/schema.rb

@@ -7,16 +7,10 @@ module Decidim
       mutation(MutationType)
       query(QueryType)
 
-      introspection(DecidimIntrospection)
-      query_analyzer RecursionAnalyzer
-      query_analyzer AliasAnalyzer
-
       default_max_page_size Decidim::Api.schema_max_per_page
       max_depth Decidim::Api.schema_max_depth
       max_complexity Decidim::Api.schema_max_complexity
 
-      query_analyzer AliasAnalyzer
-
       orphan_types(Api.orphan_types)
     end
   end

data/lib/decidim/api/test/component_context.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
-require "decidim/api/test/type_context"
-
 shared_context "with a graphql decidim component" do
   include_context "with a graphql class type"
-  include_examples "when the introspection is disabled"
 
   let(:schema) { Decidim::Api::Schema }
 
@@ -25,6 +22,7 @@ shared_context "with a graphql decidim component" do
           name {
             translation(locale: "#{locale}")
           }
+          url
           weight
           __typename
           ...fooComponent
@@ -107,9 +105,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL visible resource"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL visible resource"
       end
 
@@ -159,9 +157,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden component"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL visible resource"
       end
 
@@ -229,9 +227,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL visible resource"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:assembly_user_role, assembly: participatory_process, user: current_user, role: "valuator") }
+        let!(:role) { create(:assembly_user_role, assembly: participatory_process, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL visible resource"
       end
 
@@ -275,9 +273,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden component"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:assembly_user_role, assembly: participatory_process, user: current_user, role: "valuator") }
+        let!(:role) { create(:assembly_user_role, assembly: participatory_process, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL visible resource"
       end
 
@@ -326,9 +324,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden space"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL hidden space"
       end
 
@@ -369,9 +367,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden space"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL hidden space"
       end
       it_behaves_like "graphQL space hidden to visitor"
@@ -414,9 +412,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden space"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL hidden space"
       end
 
@@ -457,9 +455,9 @@ shared_examples "with resource visibility" do
         it_behaves_like "graphQL hidden space"
       end
 
-      context "when the user is space valuator" do
+      context "when the user is space evaluator" do
         let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
-        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "valuator") }
+        let!(:role) { create(:participatory_process_user_role, participatory_process:, user: current_user, role: "evaluator") }
         it_behaves_like "graphQL hidden space"
       end
       it_behaves_like "graphQL space hidden to visitor"

data/lib/decidim/api/test/factories.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  sequence :api_key do |n|
+    "api_user_#{n}"
+  end
+
+  factory :api_user, class: "Decidim::Api::ApiUser" do
+    transient do
+      api_secret { "decidim123456789" }
+    end
+
+    name { generate(:name) }
+    api_key { generate(:api_key) }
+    nickname { generate(:nickname) }
+    organization
+    locale { organization.default_locale }
+    tos_agreement { "1" }
+    confirmation_sent_at { Time.current }
+    accepted_tos_version { organization.tos_version }
+    admin { true }
+    admin_terms_accepted_at { Time.current }
+    notifications_sending_frequency { "none" }
+    email_on_moderations { false }
+    password_updated_at { Time.current }
+    previous_passwords { [] }
+    extended_data { {} }
+
+    after(:build) do |user, evaluator|
+      user.api_secret = evaluator.api_secret
+    end
+  end
+end

data/lib/decidim/api/test/mutation_context.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "decidim/api/test/type_context"
+shared_context "with a graphql class mutation" do
+  include_context "with a graphql class type"
+
+  let!(:current_user) do
+    case user_type
+    when :admin
+      create(:user, :admin, :confirmed, organization: current_organization)
+    when :api_user
+      create(:api_user, organization: current_organization)
+    else
+      create(:user, :confirmed, organization: current_organization)
+    end
+  end
+  let(:user_type) { :user }
+  let(:api_scopes) do
+    if user_type == :api_user
+      Doorkeeper::OAuth::Scopes.from_array(["api:read", "api:write"])
+    else
+      Doorkeeper::OAuth::Scopes.from_array(Doorkeeper.config.scopes.all)
+    end
+  end
+
+  let(:schema) do
+    klass = type_class
+    field_name = klass.graphql_name.underscore.to_sym
+    root = root_klass
+    Class.new(Decidim::Api::Schema) do
+      mutation(Class.new(root) do
+        graphql_name klass.graphql_name
+
+        field field_name, mutation: klass
+      end)
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/amendable_interface_examples.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "amendable interface" do
+  describe "amendments" do
+    let(:query) { "{ amendments { id } }" }
+
+    it "includes the amendments id" do
+      amendments_ids = response["amendments"].map { |amendment| amendment["id"].to_i }
+      expect(amendments_ids).to include(*model.amendments.map(&:id))
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/amendable_proposals_interface_examples.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "amendable proposals interface" do
+  describe "amendments" do
+    let(:query) do
+      '{ amendments {
+      state
+      amendable { ...on Proposal { title { translation(locale: "en") } } }
+      amendableType
+      emendation { ...on Proposal { title { translation(locale: "en") } } }
+      emendationType
+      amender { name }
+    } }'
+    end
+
+    it "includes the amendments states" do
+      amendments_states = response["amendments"].map { |amendment| amendment["state"] }
+      expect(amendments_states).to include(*model.amendments.map(&:state))
+    end
+
+    it "amendable types matches Proposals Type" do
+      response["amendments"].each do |amendment|
+        expect(amendment["amendableType"]).to eq("Decidim::Proposals::Proposal")
+      end
+    end
+
+    it "emendation types matches Proposals Type" do
+      response["amendments"].each do |amendment|
+        expect(amendment["emendationType"]).to eq("Decidim::Proposals::Proposal")
+      end
+    end
+
+    it "returns amendable as parent proposal" do
+      amendment_amendables = response["amendments"].map { |amendment| amendment["amendable"] }.map { |title| title["title"]["translation"] }
+      expect(amendment_amendables).to include(*model.amendments.map(&:amendable).map { |p| p.title["en"] })
+    end
+
+    it "returns emendations received" do
+      amendment_emendations = response["amendments"].map { |amendment| amendment["emendation"] }.map { |title| title["title"]["translation"] }
+      expect(amendment_emendations).to include(*model.amendments.map(&:emendation).map { |p| p.title["en"] })
+    end
+
+    it "returns amender as emendation author" do
+      amendment_amenders = response["amendments"].map { |amendment| amendment["amender"] }
+      expect(amendment_amenders).to include(*model.amendments.map(&:amender).map { |p| { "name" => p.name } })
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/attachable_interface_examples.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "attachable interface" do
+  let!(:attached_to) { model }
+  let!(:attachments) { create_list(:attachment, 3, attached_to:) }
+
+  describe "attachments" do
+    let(:query) { "{ attachments { url } }" }
+
+    it "includes the attachment urls" do
+      attachment_urls = response["attachments"].map { |attachment| attachment["url"] }
+      expect(attachment_urls).to include_blob_urls(*attachments.map(&:file).map(&:blob))
+    end
+  end
+end
+
+shared_examples_for "attachable collection interface with attachment" do
+  context "when the model has an attachment collection" do
+    let!(:attachment_collection) { create(:attachment_collection, collection_for: model) }
+
+    describe "attachment_collections" do
+      let(:query) { '{ attachmentCollections { name { translation(locale:"en") } } }' }
+
+      it "includes the name of collection" do
+        expect(response["attachmentCollections"][0]["name"]["translation"]).to include(translated(attachment_collection.name))
+      end
+    end
+
+    describe "attachments" do
+      let(:attached_to) { attachment_collection }
+      let(:query) { "{ attachmentCollections { attachments { url } } }" }
+
+      include_examples "attachable interface" do
+        let!(:attached_to) { attachment_collection }
+      end
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/authorable_interface_examples.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "authorable interface" do
+  describe "author" do
+    describe "when author is not present" do
+      let(:author) { nil }
+      let(:query) { "{ author { name } }" }
+
+      before do
+        model.update(author:)
+      end
+
+      it "does not include the author" do
+        expect(response["author"]).to be_nil
+      end
+    end
+
+    describe "with a regular user" do
+      let(:author) { create(:user, :confirmed, organization: model.participatory_space.organization) }
+      let(:query) { "{ author { name } }" }
+
+      before do
+        model.update(author:)
+      end
+
+      it "includes the user's name" do
+        expect(response["author"]["name"]).to eq(author.name)
+      end
+    end
+
+    describe "with an organization" do
+      let(:organization) { model.participatory_space.organization }
+      let(:query) { "{ author { name } }" }
+
+      before do
+        model.update(author: organization)
+      end
+
+      it "does not return a main author" do
+        expect(response["author"]).to eq(nil)
+      end
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/categories_container_examples.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "categories container interface" do
+  describe "categories" do
+    let!(:categories) { create_list(:category, 3, participatory_space: model) }
+    let!(:subcategories) do
+      categories.map { |cat| create_list(:subcategory, 3, parent: cat) }.flatten
+    end
+    let(:other_space) { create(:participatory_process, organization: model.organization) }
+    let!(:other_categories) { create_list(:category, 3, participatory_space: other_space) }
+    let(:category_ids) { [categories.map(&:id), subcategories.map(&:id)].flatten }
+    let(:query) { "{ categories { id } }" }
+
+    it "returns its categories" do
+      ids = response["categories"].map { |cat| cat["id"].to_i }
+      expect(ids).to match_array(category_ids)
+      expect(ids).not_to include(*other_categories.map(&:id))
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/categorizable_interface_examples.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "categorizable interface" do
+  let!(:category) { create(:category, participatory_space: model.participatory_space) }
+
+  describe "category" do
+    let(:query) { "{ category { id } }" }
+
+    context "when model has category" do
+      before do
+        model.update(category:)
+      end
+
+      it "has a category" do
+        expect(response).to include("category" => { "id" => category.id.to_s })
+      end
+    end
+
+    context "when model has no category" do
+      it "returns null" do
+        expect(response).to include("category" => nil)
+      end
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/coauthorable_interface_examples.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "coauthorable interface" do
+  describe "author" do
+    let(:author) { model.creator_author }
+
+    describe "with a regular user" do
+      let(:query) { "{ author { name } }" }
+
+      it "returns the user's name as the author name" do
+        expect(response["author"]["name"]).to eq(author.name)
+      end
+    end
+
+    describe "with a several coauthors" do
+      let(:query) { "{ author { name } authors { name } authorsCount }" }
+      let(:coauthor) { create(:user, :confirmed, organization: model.participatory_space.organization) }
+
+      before do
+        model.add_coauthor coauthor
+        model.save!
+      end
+
+      context "when both are users" do
+        it "returns 2 total co-authors" do
+          expect(response["authorsCount"]).to eq(2)
+        end
+
+        it "returns an array of authors" do
+          expect(response["authors"].count).to eq(2)
+          expect(response["authors"]).to include("name" => author.name)
+          expect(response["authors"]).to include("name" => coauthor.name)
+        end
+
+        it "returns a main author" do
+          expect(response["author"]["name"]).to eq(author.name)
+        end
+      end
+
+      context "when author is the organization" do
+        let(:model) { create(:proposal, :official, component:) }
+
+        it "returns 2 total co-authors" do
+          expect(response["authorsCount"]).to eq(2)
+        end
+
+        it "returns 1 author in authors array" do
+          expect(response["authors"].count).to eq(1)
+          expect(response["authors"]).to include("name" => coauthor.name)
+        end
+
+        it "does not return a main author" do
+          expect(response["author"]).to eq(nil)
+        end
+      end
+
+      context "when author is a meeting" do
+        let(:model) { create(:proposal, :official_meeting, component:) }
+
+        it "returns 2 total co-authors" do
+          expect(response["authorsCount"]).to eq(2)
+        end
+
+        it "returns 1 author in authors array" do
+          expect(response["authors"].count).to eq(1)
+          expect(response["authors"]).to include("name" => coauthor.name)
+        end
+
+        it "does not return a main author" do
+          expect(response["author"]).to eq(nil)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/test/shared_examples/commentable_interface_examples.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+shared_examples_for "commentable interface" do
+  describe "total_comments_count" do
+    let(:query) { "{ totalCommentsCount }" }
+
+    it "includes the field" do
+      expect(response["totalCommentsCount"]).to eq(model.comments_count)
+    end
+  end
+end