openstreetmap · gravitystorm · Jan 15, 2025 · Dec 20, 2024 · Dec 20, 2024 · Dec 27, 2024
diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
@@ -29,8 +29,6 @@ def initialize(token)
         can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
 
         can :details, User if scope?(token, :read_prefs)
-        can :gpx_files, User if scope?(token, :read_gpx)
-
         can :read, UserPreference if scope?(token, :read_prefs)
         can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
 

diff --git a/app/controllers/api/users/traces_controller.rb b/app/controllers/api/users/traces_controller.rb
@@ -0,0 +1,14 @@
+module Api
+  module Users
+    class TracesController < ApiController
+      before_action :authorize
+
+      authorize_resource :trace
+
+      def index
+        @traces = current_user.traces.reload
+        render :content_type => "application/xml"
+      end
+    end
+  end
+end
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
@@ -2,13 +2,13 @@ module Api
   class UsersController < ApiController
     before_action :disable_terms_redirect, :only => [:details]
     before_action :setup_user_auth, :only => [:show, :index]
-    before_action :authorize, :only => [:details, :gpx_files]
+    before_action :authorize, :only => [:details]
 
     authorize_resource
 
     load_resource :only => :show
 
-    before_action :set_request_formats, :except => [:gpx_files]
+    before_action :set_request_formats
 
     def index
       raise OSM::APIBadUserInput, "The parameter users is required, and must be of the form users=id[,id[,id...]]" unless params["users"]
@@ -47,11 +47,6 @@ def details
       end
     end
 
-    def gpx_files
-      @traces = current_user.traces.reload
-      render :content_type => "application/xml"
-    end
-
     private
 
     def disable_terms_redirect

diff --git a/app/views/api/users/gpx_files.builder → app/views/api/users/traces/index.builder b/app/views/api/users/gpx_files.builder → app/views/api/users/traces/index.builder
diff --git a/config/routes.rb b/config/routes.rb
@@ -66,14 +66,14 @@
     get "map" => "map#index"
 
     get "trackpoints" => "tracepoints#index"
-
-    get "user/:id" => "users#show", :id => /\d+/, :as => :api_user
-    get "user/details" => "users#details"
-    get "user/gpx_files" => "users#gpx_files"
-    get "users" => "users#index", :as => :api_users
   end
 
   namespace :api, :path => "api/0.6" do
+    resources :users, :only => :index
+    resources :users, :path => "user", :id => /\d+/, :only => :show
+    resources :user_traces, :path => "user/gpx_files", :module => :users, :controller => :traces, :only => :index
+    get "user/details" => "users#details"
+
     resources :user_preferences, :except => [:new, :create, :edit], :param => :preference_key, :path => "user/preferences" do
       collection do
         put "" => "user_preferences#update_all", :as => ""

diff --git a/test/controllers/api/users/traces_controller_test.rb b/test/controllers/api/users/traces_controller_test.rb
@@ -0,0 +1,53 @@
+require "test_helper"
+
+module Api
+  module Users
+    class TracesControllerTest < ActionDispatch::IntegrationTest
+      ##
+      # test all routes which lead to this controller
+      def test_routes
+        assert_routing(
+          { :path => "/api/0.6/user/gpx_files", :method => :get },
+          { :controller => "api/users/traces", :action => "index" }
+        )
+      end
+
+      def test_index
+        user = create(:user)
+        trace1 = create(:trace, :user => user) do |trace|
+          create(:tracetag, :trace => trace, :tag => "London")
+        end
+        trace2 = create(:trace, :user => user) do |trace|
+          create(:tracetag, :trace => trace, :tag => "Birmingham")
+        end
+
+        # check that we get a response when logged in
+        auth_header = bearer_authorization_header user, :scopes => %w[read_gpx]
+        get api_user_traces_path, :headers => auth_header
+        assert_response :success
+        assert_equal "application/xml", response.media_type
+
+        # check the data that is returned
+        assert_select "gpx_file[id='#{trace1.id}']", 1 do
+          assert_select "tag", "London"
+        end
+        assert_select "gpx_file[id='#{trace2.id}']", 1 do
+          assert_select "tag", "Birmingham"
+        end
+      end
+
+      def test_index_anonymous
+        get api_user_traces_path
+        assert_response :unauthorized
+      end
+
+      def test_index_no_scope
+        user = create(:user)
+        bad_auth = bearer_authorization_header user, :scopes => %w[]
+
+        get api_user_traces_path, :headers => bad_auth
+        assert_response :forbidden
+      end
+    end
+  end
+end
diff --git a/test/controllers/api/users_controller_test.rb b/test/controllers/api/users_controller_test.rb
@@ -21,10 +21,6 @@ def test_routes
         { :path => "/api/0.6/user/details.json", :method => :get },
         { :controller => "api/users", :action => "details", :format => "json" }
       )
-      assert_routing(
-        { :path => "/api/0.6/user/gpx_files", :method => :get },
-        { :controller => "api/users", :action => "gpx_files" }
-      )
       assert_routing(
         { :path => "/api/0.6/users", :method => :get },
         { :controller => "api/users", :action => "index" }
@@ -156,12 +152,12 @@ def test_details
       create(:message, :sender => user)
 
       # check that nothing is returned when not logged in
-      get user_details_path
+      get api_user_details_path
       assert_response :unauthorized
 
       # check that we get a response when logged in
       auth_header = bearer_authorization_header user
-      get user_details_path, :headers => auth_header
+      get api_user_details_path, :headers => auth_header
       assert_response :success
       assert_equal "application/xml", response.media_type
 
@@ -170,7 +166,7 @@ def test_details
 
       # check that data is returned properly in json
       auth_header = bearer_authorization_header user
-      get user_details_path(:format => "json"), :headers => auth_header
+      get api_user_details_path(:format => "json"), :headers => auth_header
       assert_response :success
       assert_equal "application/json", response.media_type
 
@@ -191,31 +187,31 @@ def test_details_oauth2
       email_auth = bearer_authorization_header(user, :scopes => %w[read_prefs read_email])
 
       # check that we can't fetch details as XML without read_prefs
-      get user_details_path, :headers => bad_auth
+      get api_user_details_path, :headers => bad_auth
       assert_response :forbidden
 
       # check that we can fetch details as XML without read_email
-      get user_details_path, :headers => good_auth
+      get api_user_details_path, :headers => good_auth
       assert_response :success
       assert_equal "application/xml", response.media_type
 
       # check the data that is returned
       check_xml_details(user, true, false)
 
       # check that we can fetch details as XML with read_email
-      get user_details_path, :headers => email_auth
+      get api_user_details_path, :headers => email_auth
       assert_response :success
       assert_equal "application/xml", response.media_type
 
       # check the data that is returned
       check_xml_details(user, true, true)
 
       # check that we can't fetch details as JSON without read_prefs
-      get user_details_path(:format => "json"), :headers => bad_auth
+      get api_user_details_path(:format => "json"), :headers => bad_auth
       assert_response :forbidden
 
       # check that we can fetch details as JSON without read_email
-      get user_details_path(:format => "json"), :headers => good_auth
+      get api_user_details_path(:format => "json"), :headers => good_auth
       assert_response :success
       assert_equal "application/json", response.media_type
 
@@ -227,7 +223,7 @@ def test_details_oauth2
       check_json_details(js, user, true, false)
 
       # check that we can fetch details as JSON with read_email
-      get user_details_path(:format => "json"), :headers => email_auth
+      get api_user_details_path(:format => "json"), :headers => email_auth
       assert_response :success
       assert_equal "application/json", response.media_type
 
@@ -405,33 +401,6 @@ def test_index_oauth2
       assert_select "user", :count => 0
     end
 
-    def test_gpx_files
-      user = create(:user)
-      trace1 = create(:trace, :user => user) do |trace|
-        create(:tracetag, :trace => trace, :tag => "London")
-      end
-      trace2 = create(:trace, :user => user) do |trace|
-        create(:tracetag, :trace => trace, :tag => "Birmingham")
-      end
-      # check that nothing is returned when not logged in
-      get user_gpx_files_path
-      assert_response :unauthorized
-
-      # check that we get a response when logged in
-      auth_header = bearer_authorization_header user
-      get user_gpx_files_path, :headers => auth_header
-      assert_response :success
-      assert_equal "application/xml", response.media_type
-
-      # check the data that is returned
-      assert_select "gpx_file[id='#{trace1.id}']", 1 do
-        assert_select "tag", "London"
-      end
-      assert_select "gpx_file[id='#{trace2.id}']", 1 do
-        assert_select "tag", "Birmingham"
-      end
-    end
-
     private
 
     def check_xml_details(user, include_private, include_email)