Added always_200 param to /api/user to make it not return 403 errors (#…

…1239) * Added always_200 param to /api/user to make it not return 403 errors * Added description for the new param
openstax · Feb 7, 2024 · ebad9a1 · ebad9a1
1 parent aeae093
commit ebad9a1
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
@@ -108,11 +108,18 @@ def index
   api :GET, '/user', 'Gets the current user\'s data.'
   description <<-EOS
     Returns the current user's data.
+    For users that are not logged in, a 403 forbidden response is normally returned.
+    However, if always_200 is set to true, then a 200 OK with a blank object is returned instead.
 
     #{json_schema(Api::V1::UserRepresenter, include: :readable)}
   EOS
   def show
-    OSU::AccessPolicy.require_action_allowed!(:read, current_api_user, current_human_user)
+    begin
+      OSU::AccessPolicy.require_action_allowed!(:read, current_api_user, current_human_user)
+    rescue SecurityTransgression => error
+      return render(plain: {}) if params[:always_200] == 'true'
+      raise error
+    end
 
     SetGdprData.call(user: current_human_user,
                      headers: request.headers,

diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
@@ -116,19 +116,34 @@
     it "should let a User get his info" do
       api_get :show, user_1_token
       expect(response.code).to eq('200')
+      expected_response = user_matcher(user_1, include_private_data: true)
+      expect(response.body_as_hash).to match(expected_response)
+    end
+
+    it "should let a User get his info when if always_200 is set" do
+      api_get :show, user_1_token, params: { always_200: true }
+      expect(response.code).to eq('200')
+      expected_response = user_matcher(user_1, include_private_data: true)
+      expect(response.body_as_hash).to match(expected_response)
     end
 
     it "should not let id be specified" do
-      api_get :show, user_1_token, params: {id: admin_user.id}
+      api_get :show, user_1_token, params: { id: admin_user.id }
       expected_response = user_matcher(user_1, include_private_data: true)
       expect(response.body_as_hash).to match(expected_response)
     end
 
     it "should not let an application get a User without a token" do
-      api_get :show, trusted_application_token, params: {id: admin_user.id}
+      api_get :show, trusted_application_token, params: { id: admin_user.id }
       expect(response).to have_http_status :forbidden
     end
 
+    it "should return an empty object if always_200 is set" do
+      api_get :show, trusted_application_token, params: { always_200: true }
+      expect(response).to have_http_status :ok
+      expect(response.body_as_hash).to match({})
+    end
+
     it "should return a properly formatted JSON response for low-info user" do
       api_get :show, user_1_token
       expected_response = user_matcher(user_1, include_private_data: true)