Disable auth for rss feed and json representations of works (#424)

* Disable auth for rss feed and json representations of works * Protect json representation of works that are not yet approved Co-authored-by: Robert-Anthony Lee-Faison <leefaisonr@users.noreply.github.com>
pulibrary · Sep 22, 2022 · 431e625 · 431e625
1 parent cf673eb
commit 431e625
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/app/controllers/works_controller.rb b/app/controllers/works_controller.rb
@@ -10,6 +10,20 @@
 class WorksController < ApplicationController
   around_action :rescue_aasm_error, only: [:approve, :withdraw, :resubmit, :validate, :create]
 
+  skip_before_action :authenticate_user!
+  before_action :authenticate_user!, unless: :public_request?
+
+  ##
+  # Public requests are requests that do not require authentication.
+  # This is to enable PDC Discovery to index approved content via the RSS feed and
+  # .json calls to individual works without needing to log in as a user.
+  # Note that only approved works can be fetched for indexing.
+  def public_request?
+    return true if action_name == "index" && request.format.symbol == :rss
+    return true if action_name == "show" && request.format.symbol == :json && Work.find(params[:id]).state == "approved"
+    false
+  end
+
   def index
     @works = Work.all
     respond_to do |format|
@@ -51,9 +65,11 @@ def new_submission
   # When requested as .json, return the internal json resource
   def show
     @work = Work.find(params[:id])
-    @can_curate = current_user.can_admin?(@work.collection)
     respond_to do |format|
-      format.html { @work.mark_new_notifications_as_read(current_user.id) }
+      format.html do
+        @can_curate = current_user.can_admin?(@work.collection)
+        @work.mark_new_notifications_as_read(current_user.id)
+      end
       format.json { render json: @work.resource }
     end
   end

diff --git a/spec/system/rss_spec.rb b/spec/system/rss_spec.rb
@@ -6,7 +6,6 @@
   let(:work2) { FactoryBot.create(:draft_work) }
   let(:work3) { FactoryBot.create(:draft_work) }
   let(:admin) { FactoryBot.create(:super_admin_user) }
-  let(:user) { FactoryBot.create(:princeton_submitter) }
 
   before do
     stub_datacite(host: "api.datacite.org", body: datacite_register_body(prefix: "10.34770"))
@@ -25,13 +24,23 @@
     work3
   end
 
+  ##
+  # Note that we do not require sign in for getting a list of approved works
+  # or the JSON representation of a work
   it "provides a list of approved works, with links to their datacite records" do
-    sign_in user
     visit "/works.rss"
     doc = Nokogiri::XML(page.body)
     expect(doc.xpath("//item").size).to eq 2
     urls = doc.xpath("//item/url/text()").map(&:to_s)
     expect(urls.include?(work_url(work1, format: "json"))).to eq true
     expect(urls.include?(work_url(work2, format: "json"))).to eq true
+
+    # Fetching the JSON for an approved work doesn't require authentication
+    visit "/works/#{work1.id}.json"
+    expect(JSON.parse(page.body)["titles"][0]["title"]).to eq work1.title
+
+    # Fetching the JSON for a work that is not yet approved doesn't work
+    visit "/works/#{work3.id}.json"
+    expect(page).to have_content "You need to sign in"
   end
 end