Merge branch 'connorshea/gitlab-ce-revoke-authorized-application' into 'master'

Fix revoking of authorized OAuth applications Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized. Added a spec and also found that the `gon` variables were not being set for this view. Closes #14370 See merge request !3690

Merge branch 'connorshea/gitlab-ce-revoke-authorized-application' into 'master'
Fix revoking of authorized OAuth applications Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized. Added a spec and also found that the `gon` variables were not being set for this view. Closes #14370 See merge request !3690
dd9ced0a · Rémy Coutable · 4a514b27 · e450892f · dd9ced0a · dd9ced0a
Commit dd9ced0a authored Apr 14, 2016 by Rémy Coutable
10 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.

 v 8.7.0 (unreleased)
  - The Projects::HousekeepingService class has extra instrumentation (Yorick Peterse)
+  - Fix revoking of authorized OAuth applications (Connor Shea)
  - All service classes (those residing in app/services) are now instrumented (Yorick Peterse)
  - Developers can now add custom tags to transactions (Yorick Peterse)
  - Loading of an issue's referenced merge requests and related branches is now done asynchronously (Yorick Peterse)

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,6 +3,7 @@ require 'fogbugz'

 class ApplicationController < ActionController::Base
  include Gitlab::CurrentSettings
+  include Gitlab::GonHelper
  include GitlabRoutingHelper
  include PageLayoutHelper

@@ -158,20 +159,6 @@ class ApplicationController < ActionController::Base
    end
  end

-  def add_gon_variables
-    gon.api_version            = API::API.version
-    gon.default_avatar_url     = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
-    gon.default_issues_tracker = Project.new.default_issue_tracker.to_param
-    gon.max_file_size          = current_application_settings.max_attachment_size
-    gon.relative_url_root      = Gitlab.config.gitlab.relative_url_root
-    gon.user_color_scheme      = Gitlab::ColorSchemes.for_user(current_user).css_class
-
-    if current_user
-      gon.current_user_id = current_user.id
-      gon.api_token = current_user.private_token
-    end
-  end
-
  def validate_user_service_ticket!
    return unless signed_in? && session[:service_tickets]


--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
 class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
  include Gitlab::CurrentSettings
+  include Gitlab::GonHelper
  include PageLayoutHelper

  before_action :verify_user_oauth_applications_enabled
  before_action :authenticate_user!
+  before_action :add_gon_variables

  layout 'profile'


--- a/app/models/oauth_access_token.rb
+++ b/app/models/oauth_access_token.rb
+# == Schema Information
+#
+# Table name: oauth_access_tokens
+#
+#  id                :integer          not null, primary key
+#  resource_owner_id :integer
+#  application_id    :integer
+#  token             :string           not null
+#  refresh_token     :string
+#  expires_in        :integer
+#  revoked_at        :datetime
+#  created_at        :datetime         not null
+#  scopes            :string
+#
+
+class OauthAccessToken < ActiveRecord::Base
+  belongs_to :resource_owner, class_name: 'User'
+  belongs_to :application, class_name: 'Doorkeeper::Application'
+end
--- a/app/views/doorkeeper/applications/index.html.haml
+++ b/app/views/doorkeeper/applications/index.html.haml
@@ -68,7 +68,7 @@
                  %td= app.name
                  %td= token.created_at
                  %td= token.scopes
-                  %td= render 'delete_form', application: app
+                  %td= render 'doorkeeper/authorized_applications/delete_form', application: app
              - @authorized_anonymous_tokens.each do |token|
                %tr
                  %td

--- a/lib/gitlab/gon_helper.rb
+++ b/lib/gitlab/gon_helper.rb
+module Gitlab
+  module GonHelper
+    def add_gon_variables
+      gon.api_version            = API::API.version
+      gon.default_avatar_url     = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
+      gon.default_issues_tracker = Project.new.default_issue_tracker.to_param
+      gon.max_file_size          = current_application_settings.max_attachment_size
+      gon.relative_url_root      = Gitlab.config.gitlab.relative_url_root
+      gon.user_color_scheme      = Gitlab::ColorSchemes.for_user(current_user).css_class
+
+      if current_user
+        gon.current_user_id = current_user.id
+        gon.api_token = current_user.private_token
+      end
+    end
+  end
+end
--- a/spec/factories/oauth_access_tokens.rb
+++ b/spec/factories/oauth_access_tokens.rb
+# == Schema Information
+#
+# Table name: oauth_access_tokens
+#
+#  id                :integer          not null, primary key
+#  resource_owner_id :integer
+#  application_id    :integer
+#  token             :string           not null
+#  refresh_token     :string
+#  expires_in        :integer
+#  revoked_at        :datetime
+#  created_at        :datetime         not null
+#  scopes            :string
+#
+
+FactoryGirl.define do
+  factory :oauth_access_token do
+    resource_owner
+    application
+    token '123456'
+  end
+end
--- a/spec/factories/oauth_applications.rb
+++ b/spec/factories/oauth_applications.rb
+FactoryGirl.define do
+  factory :oauth_application, class: 'Doorkeeper::Application', aliases: [:application] do
+    name { FFaker::Name.name }
+    uid { FFaker::Name.name }
+    redirect_uri { FFaker::Internet.uri('http') }
+    owner
+    owner_type 'User'
+  end
+end
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
 FactoryGirl.define do
  sequence(:name) { FFaker::Name.name }

-  factory :user, aliases: [:author, :assignee, :recipient, :owner, :creator] do
+  factory :user, aliases: [:author, :assignee, :recipient, :owner, :creator, :resource_owner] do
    email { FFaker::Internet.email }
    name
    sequence(:username) { |n| "#{FFaker::Internet.user_name}#{n}" }

--- a/spec/features/profiles/oauth_applications_spec.rb
+++ b/spec/features/profiles/oauth_applications_spec.rb
+require 'spec_helper'
+
+describe 'Profile > Applications', feature: true do
+  let(:user) { create(:user) }
+
+  before do
+    login_as(user)
+  end
+
+  describe 'User manages applications', js: true do
+    it 'deletes an application' do
+      create(:oauth_application, owner: user)
+      visit oauth_applications_path
+
+      page.within('.oauth-applications') do
+        expect(page).to have_content('Your applications (1)')
+        click_button 'Destroy'
+      end
+
+      expect(page).to have_content('The application was deleted successfully')
+      expect(page).to have_content('Your applications (0)')
+      expect(page).to have_content('Authorized applications (0)')
+    end
+
+    it 'deletes an authorized application' do
+      create(:oauth_access_token, resource_owner: user)
+      visit oauth_applications_path
+
+      page.within('.oauth-authorized-applications') do
+        expect(page).to have_content('Authorized applications (1)')
+        click_button 'Revoke'
+      end
+
+      expect(page).to have_content('The application was revoked access.')
+      expect(page).to have_content('Your applications (0)')
+      expect(page).to have_content('Authorized applications (0)')
+    end
+  end
+end