From 504deb8f6a6caef5ce2248bb673695da551c5f13 Mon Sep 17 00:00:00 2001 From: Cody Ross Date: Tue, 9 May 2023 12:07:12 -0400 Subject: [PATCH] Restrict anonymous role_id user to findable DOIs at /dois endpoint --- app/controllers/datacite_dois_controller.rb | 4 +- spec/requests/datacite_dois_spec.rb | 64 ++++++++++++++++++++- 2 files changed, 64 insertions(+), 4 deletions(-) diff --git a/app/controllers/datacite_dois_controller.rb b/app/controllers/datacite_dois_controller.rb index a2981cf37..57a55db5a 100644 --- a/app/controllers/datacite_dois_controller.rb +++ b/app/controllers/datacite_dois_controller.rb @@ -67,8 +67,8 @@ def index "types.resourceTypeGeneral" end - # only show findable DOIs to anonymous users and role user - if current_user.nil? || current_user.role_id == "user" + # only show findable DOIs to no user, role user, and role anonymous + if current_user.nil? || current_user.role_id == "user" || current_user.role_id == "anonymous" params[:state] = "findable" end diff --git a/spec/requests/datacite_dois_spec.rb b/spec/requests/datacite_dois_spec.rb index 4e71d4bed..4cb9ae5f6 100755 --- a/spec/requests/datacite_dois_spec.rb +++ b/spec/requests/datacite_dois_spec.rb 
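Review bot: The widened condition in `index` is still a deny-list keyed on literal strings, so any `role_id` that is neither "user" nor "anonymous" — a nil role, a mistyped one in a token, or a role added later — falls through to full visibility of draft and registered DOIs; the visible change makes the list one entry longer but keeps the fail-open shape. Which roles are actually privileged is not visible in this hunk, so the safe in-hunk change is to name the public roles once and test membership rather than growing the `||` chain: `PUBLIC_ROLES = %w[user anonymous].freeze` beside the controller's other constants, and `if current_user.nil? || PUBLIC_ROLES.include?(current_user.role_id)`. If the controller already has a list of roles allowed to see non-findable states, inverting the check to that allow-list would make unknown roles fail closed instead, and the comment should then say so (`# only privileged roles may see non-findable DOIs; everyone else is pinned to state=findable`). Note that this only narrows the `state` filter on `/dois`; whether other parameters or endpoints can surface non-findable DOIs to the same callers is not something this hunk shows. `index` starts before this hunk.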
@@ -1,14 +1,15 @@ # frozen_string_literal: true require "rails_helper" +include Passwordable describe DataciteDoisController, type: :request, vcr: true do let(:admin) { create(:provider, symbol: "ADMIN") } let(:admin_bearer) { Client.generate_token(role_id: "staff_admin", uid: admin.symbol, password: admin.password) } let(:admin_headers) { { "HTTP_ACCEPT" => "application/vnd.api+json", "HTTP_AUTHORIZATION" => "Bearer " + admin_bearer } } - let(:provider) { create(:provider, symbol: "DATACITE") } - let(:client) { create(:client, provider: provider, symbol: ENV["MDS_USERNAME"], password: ENV["MDS_PASSWORD"], re3data_id: "10.17616/r3xs37") } + let(:provider) { create(:provider, symbol: "DATACITE", password: encrypt_password_sha256(ENV["MDS_PASSWORD"])) } + let(:client) { create(:client, provider: provider, symbol: ENV["MDS_USERNAME"], password: encrypt_password_sha256(ENV["MDS_PASSWORD"]), re3data_id: "10.17616/r3xs37") } let!(:prefix) { create(:prefix, uid: "10.14454") } let!(:client_prefix) { create(:client_prefix, client: client, prefix: prefix) } 
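Review bot: The `include Passwordable` added at the top of the spec file is a top-level `include`, which mixes the module into `Object` for the whole test process rather than into this example group, so `encrypt_password_sha256` (presumably what it provides) leaks into every other spec and can mask a missing include elsewhere. Scoping it is a one-line change: move `include Passwordable` inside the `describe DataciteDoisController` block, or register it once with `RSpec.configure { |c| c.include Passwordable, type: :request }` in `rails_helper`. The new `let(:provider)` and `let(:client)` lines also hash `ENV["MDS_PASSWORD"]`; if that variable is unset the helper is called with `nil`, and whether it raises or silently hashes an empty value is not visible here — `ENV.fetch("MDS_PASSWORD")` would make the missing configuration fail loudly at the point of use.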
@@ -437,6 +438,65 @@ end end + describe "GET /dois with authorization headers", elasticsearch: true do + let!(:dois) { create_list(:doi, 10, client: client, aasm_state: "findable") } + let!(:doi_draft) { create(:doi, client: client, aasm_state: "draft") } + let!(:doi_registered) { create(:doi, client: client, aasm_state: "registered") } + let(:anonymous_basic_auth_headers) { { "HTTP_ACCEPT" => "application/vnd.api+json", "HTTP_AUTHORIZATION" => ActionController::HttpAuthentication::Basic.encode_credentials(client.symbol, "") } } + let(:client_basic_auth_headers) { { "HTTP_ACCEPT" => "application/vnd.api+json", "HTTP_AUTHORIZATION" => ActionController::HttpAuthentication::Basic.encode_credentials(client.symbol, ENV["MDS_PASSWORD"]) } } + let(:provider_basic_auth_headers) { { "HTTP_ACCEPT" => "application/vnd.api+json", "HTTP_AUTHORIZATION" => ActionController::HttpAuthentication::Basic.encode_credentials(provider.symbol, ENV["MDS_PASSWORD"]) } } + + before do + DataciteDoi.import + sleep 2 + end + + it "return only findable dois with no authorization" do + get "/dois" + + expect(json.dig("meta", "total")).to eq(10) + expect(json.dig("meta", "states", 0, "count")).to eq(10) + expect(json.dig("meta", "states", 1)).to eq(nil) + expect(json.dig("meta", "states", 2)).to eq(nil) + end + + it "return only findable dois with anonymous user" do + get "/dois", nil, anonymous_basic_auth_headers + + expect(json.dig("meta", "total")).to eq(10) + expect(json.dig("meta", "states", 0, "count")).to eq(10) + expect(json.dig("meta", "states", 1)).to eq(nil) + expect(json.dig("meta", "states", 2)).to eq(nil) + end + + it "return dois in all states with authenticated client user" do + get "/dois", nil, client_basic_auth_headers + + expect(json.dig("meta", "total")).to eq(12) + expect(json.dig("meta", "states", 0, "count")).to eq(10) + expect(json.dig("meta", "states", 1, "count")).to eq(1) + expect(json.dig("meta", "states", 2, "count")).to eq(1) + end + + it "return dois in all states 
with authenticated provider user" do + get "/dois", nil, provider_basic_auth_headers + + expect(json.dig("meta", "total")).to eq(12) + expect(json.dig("meta", "states", 0, "count")).to eq(10) + expect(json.dig("meta", "states", 1, "count")).to eq(1) + expect(json.dig("meta", "states", 2, "count")).to eq(1) + end + + it "return dois in all states with authenticated admin user" do + get "/dois", nil, admin_headers + + expect(json.dig("meta", "total")).to eq(12) + expect(json.dig("meta", "states", 0, "count")).to eq(10) + expect(json.dig("meta", "states", 1, "count")).to eq(1) + expect(json.dig("meta", "states", 2, "count")).to eq(1) + end + end + describe "GET /dois/:id", elasticsearch: true do let!(:doi) { create(:doi, client: client) }