14196: Don't crash if element of params[:reader_tokens] is not a String
diff --git
a/services/api/app/controllers/application_controller.rb
b/services/api/app/controllers/application_controller.rb
index c4f64f6039b3683127d2b5735ae11064446d10cb..a0555d13d762a495d9e30a57347ed3336f0e0984 100644
--- a/
services/api/app/controllers/application_controller.rb
+++ b/
services/api/app/controllers/application_controller.rb
@@
-3,6
+3,7
@@
# SPDX-License-Identifier: AGPL-3.0
require 'safe_json'
# SPDX-License-Identifier: AGPL-3.0
require 'safe_json'
+require 'request_error'
module ApiTemplateOverride
def allowed_to_render?(fieldset, field, model, options)
module ApiTemplateOverride
def allowed_to_render?(fieldset, field, model, options)
@@
-77,14
+78,21
@@
class ApplicationController < ActionController::Base
@distinct = nil
@response_resource_name = nil
@attrs = nil
@distinct = nil
@response_resource_name = nil
@attrs = nil
+ @extra_included = nil
end
def default_url_options
end
def default_url_options
+ options = {}
if Rails.configuration.host
if Rails.configuration.host
- {:host => Rails.configuration.host}
- else
- {}
+ options[:host] = Rails.configuration.host
+ end
+ if Rails.configuration.port
+ options[:port] = Rails.configuration.port
+ end
+ if Rails.configuration.protocol
+ options[:protocol] = Rails.configuration.protocol
end
end
+ options
end
def index
end
def index
@@
-137,7
+145,7
@@
class ApplicationController < ActionController::Base
def render_error(e)
logger.error e.inspect
def render_error(e)
logger.error e.inspect
- if
e.respond_to? :backtrace and e.backtrace
+ if
!e.is_a? RequestError and (e.respond_to? :backtrace and e.backtrace)
logger.error e.backtrace.collect { |x| x + "\n" }.join('')
end
if (@object.respond_to? :errors and
logger.error e.backtrace.collect { |x| x + "\n" }.join('')
end
if (@object.respond_to? :errors and
@@
-336,13
+344,20
@@
class ApplicationController < ActionController::Base
# If there are too many reader tokens, assume the request is malicious
# and ignore it.
if request.get? and params[:reader_tokens] and
# If there are too many reader tokens, assume the request is malicious
# and ignore it.
if request.get? and params[:reader_tokens] and
- params[:reader_tokens].size < 100
+ params[:reader_tokens].size < 100
+ secrets = params[:reader_tokens].map { |t|
+ if t.is_a? String and t.starts_with? "v2/"
+ t.split("/")[2]
+ else
+ t
+ end
+ }
@read_auths += ApiClientAuthorization
.includes(:user)
.where('api_token IN (?) AND
(expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)',
@read_auths += ApiClientAuthorization
.includes(:user)
.where('api_token IN (?) AND
(expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)',
-
params[:reader_tokens]
)
- .
all
+
secrets
)
+ .
to_a
end
@read_auths.select! { |auth| auth.scopes_allow_request? request }
@read_users = @read_auths.map(&:user).uniq
end
@read_auths.select! { |auth| auth.scopes_allow_request? request }
@read_users = @read_auths.map(&:user).uniq
@@
-381,7
+396,9
@@
class ApplicationController < ActionController::Base
req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19]
end
response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id
req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19]
end
response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id
- yield
+ Rails.logger.tagged(req_id) do
+ yield
+ end
Thread.current[:request_id] = nil
end
Thread.current[:request_id] = nil
end
@@
-491,6
+508,9
@@
class ApplicationController < ActionController::Base
:limit => @limit,
:items => @objects.as_api_response(nil, {select: @select})
}
:limit => @limit,
:items => @objects.as_api_response(nil, {select: @select})
}
+ if @extra_included
+ list[:included] = @extra_included.as_api_response(nil, {select: @select})
+ end
case params[:count]
when nil, '', 'exact'
if @objects.respond_to? :except
case params[:count]
when nil, '', 'exact'
if @objects.respond_to? :except
@@
-550,7
+570,13
@@
class ApplicationController < ActionController::Base
location: "query",
required: false,
default: false
location: "query",
required: false,
default: false
- }
+ },
+ cluster_id: {
+ type: 'string',
+ description: "Create object on a remote federated cluster instead of the current one.",
+ location: "query",
+ required: false,
+ },
}
end
}
end
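Review bot: The new `secrets` mapping in the reader_tokens hunk still assumes `params[:reader_tokens]` is an Array and only guards its elements: a query string such as `reader_tokens=abc` arrives as a String, whose `.size < 100` passes but whose `.map` raises NoMethodError, and a nested `reader_tokens[x]=y` arrives as a Hash whose key/value pairs would then reach the `IN (?)` binding — unless something upstream of this method already coerces the parameter, which is not visible here. Non-String elements (Integers, nil) are forwarded into the SQL bind rather than dropped, so they still reach the database even though they can never equal a stored `api_token`; filtering them out is the safer default for attacker-controlled input. I would tighten the guard to `params[:reader_tokens].is_a?(Array) and params[:reader_tokens].size < 100` and build the list as `secrets = params[:reader_tokens].grep(String).map { |t| t.starts_with?("v2/") ? t.split("/")[2] : t }.compact`, where the `compact` also covers a malformed `v2/uuid` token with no secret segment, which `split("/")[2]` turns into nil. The enclosing method starts outside the hunk.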