[B] Ensure that project creators can read ingestion messages

scryptmouse · scryptmouse · commit f85e2845f483 · 2025-11-25T11:51:14.000-08:00
diff --git a/api/app/controllers/api/v1/ingestions/relationships/ingestion_messages_controller.rb b/api/app/controllers/api/v1/ingestions/relationships/ingestion_messages_controller.rb
@@ -5,25 +5,20 @@ module V1
     module Ingestions
       module Relationships
         class IngestionMessagesController < ApplicationController
-          before_action :set_project
-
-          resourceful! Ingestion do
-            @project.nil? ? Ingestion : @project.ingestions
-          end
+          resourceful! Ingestion, authorize_options: { except: %i[index] }
 
           def index
             @ingestion = load_ingestion
+
+            authorize_action_for @ingestion
+
             permitted = params.permit(:starting_at)
-            time = permitted[:starting_at] ? DateTime.parse(permitted[:starting_at]) : DateTime.new
-            render_multiple_resources @ingestion.ingestion_messages.where(
-              created_at: time..DateTime.now
-            )
-          end
 
-          private
+            time = permitted[:starting_at].present? ? Time.zone.parse(permitted[:starting_at]) : nil
 
-          def set_project
-            @project = Project.friendly.find(params[:project_id]) if params[:project_id]
+            render_multiple_resources @ingestion.ingestion_messages.where(
+              created_at: time..Time.current
+            )
           end
         end
       end
diff --git a/api/spec/requests/ingestions/relationships/ingestion_messages_spec.rb b/api/spec/requests/ingestions/relationships/ingestion_messages_spec.rb
@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+RSpec.describe API::V1::Ingestions::Relationships::IngestionMessagesController, type: :request do
+  let_it_be(:project, refind: true) { FactoryBot.create(:project, creator: project_creator) }
+  let_it_be(:ingestion, refind: true) { FactoryBot.create(:ingestion, project:) }
+  let_it_be(:other_ingestion, refind: true) { FactoryBot.create(:ingestion) }
+
+  let_it_be(:ingestion_messages, refind: true) do
+    [
+      FactoryBot.create(:ingestion_message, :start_message, ingestion:, created_at: 2.hours.ago),
+      FactoryBot.create(:ingestion_message, :info, ingestion:, created_at: 90.minutes.ago),
+      FactoryBot.create(:ingestion_message, :warn, ingestion:, created_at: 70.minutes.ago),
+      FactoryBot.create(:ingestion_message, :unknown, ingestion:, created_at: 50.minutes.ago),
+      FactoryBot.create(:ingestion_message, :end_message, ingestion:),
+    ]
+  end
+
+  let(:starting_at) { nil }
+  let(:params) { { starting_at: } }
+
+  shared_examples_for "visible ingestion messages" do
+    it "returns ingestion messages" do
+      expect do
+        get path, headers:
+      end.to execute_safely
+
+      expect(response).to have_http_status(:ok)
+      expect(response.parsed_body["data"]).to have(5).items
+    end
+
+    context "when filtering by starting_at" do
+      let(:starting_at) { 40.minutes.ago.iso8601 }
+
+      it "returns ingestion messages created after the starting_at time" do
+        expect do
+          get path, headers:
+        end.to execute_safely
+
+        expect(response).to have_http_status(:ok)
+
+        expect(response.parsed_body["data"]).to have(1).item
+      end
+    end
+  end
+
+  context "GET /api/v1/ingestions/:ingestion_id/relationships/ingestion_messages" do
+    let(:path) { api_v1_ingestion_relationships_ingestion_messages_path(ingestion, params:) }
+    let(:other_path) { api_v1_ingestion_relationships_ingestion_messages_path(other_ingestion, params:) }
+
+    context "as an admin" do
+      let(:headers) { admin_headers }
+
+      it_behaves_like "visible ingestion messages"
+
+      context "when trying to read messages for an unaffiliated ingestion" do
+        let(:path) { other_path }
+
+        it "allows access" do
+          expect do
+            get path, headers:
+          end.to execute_safely
+
+          expect(response).to have_http_status(:ok)
+        end
+      end
+    end
+
+    context "as the project creator" do
+      let(:headers) { project_creator_headers }
+
+      it_behaves_like "visible ingestion messages"
+
+      context "when trying to read messages for an unaffiliated ingestion" do
+        let(:path) { other_path }
+
+        it "forbids access" do
+          expect do
+            get path, headers:
+          end.to execute_safely
+
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+    end
+
+    context "as a marketeer" do
+      let(:headers) { marketeer_headers }
+
+      it_behaves_like "visible ingestion messages"
+    end
+
+    context "as a reader" do
+      let(:headers) { reader_headers }
+
+      it "forbids access" do
+        expect do
+          get path, headers:
+        end.to execute_safely
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+  end
+end
diff --git a/api/spec/requests/projects_spec.rb b/api/spec/requests/projects_spec.rb
@@ -81,6 +81,25 @@
       end
     end
 
+    context "when the user is a project creator" do
+      let(:headers) { project_creator_headers }
+
+      it "creates the project and assigns the creator as an editor on the newly created project" do
+        params = build_json_payload(attributes: { title: "foo" })
+
+        expect do
+          post(path, headers:, params:)
+        end.to change(Project, :count).by(1)
+
+        expect(response).to have_http_status(:created)
+
+        project_id = response.parsed_body.dig("data", "id")
+        created_project = Project.find(project_id)
+
+        expect(project_creator).to have_role(:project_editor, created_project)
+      end
+    end
+
     context "when the user is not logged in" do
       it "has a 401 status code" do
         params = build_json_payload(attributes: { title: "foo" })
