Support displaying TOS and policy

2015-10-10 14:41:16 +02:00 · 2015-10-10 14:41:16 +02:00 · 7b2be0d3c6
commit 7b2be0d3c6
parent 6fcb9a9d3a
9 changed files with 66 additions and 9 deletions
--- a/app/assets/stylesheets/user_applications.scss
+++ b/app/assets/stylesheets/user_applications.scss
@ -25,5 +25,10 @@
  float: right;
 }

+.application-tos-policy > b {
+  &:first-child { margin-right: 5px; }
+  &:nth-child(2) { margin-left: 5px; }
+}
+
 .user-consent { margin-top: 20px; }
 .approval-button { display: inline; }
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@ -189,7 +189,7 @@ module Api
            redirect_prompt_error_display(error, error_description)
          else
            render json: {error:       "bad_request",
-                          description: "No client with client_id " + params[:client_id] + " found"}
+                          description: "No client with client_id #{params[:client_id]} found"}
          end
        else
          render json: {error: "bad_request", description: "Missing client id or redirect URI"}
--- a/app/helpers/user_applications_helper.rb
+++ b/app/helpers/user_applications_helper.rb
@ -1,7 +1,7 @@
 module UserApplicationsHelper
  def user_application_name(app)
    if app.name?
-      "#{app.name} (#{link_to(app.url, app.url)})"
+      "#{html_escape app.name} (#{link_to(app.url, app.url)})"
    else
      link_to(app.url, app.url)
    end
--- a/app/presenters/user_application_presenter.rb
+++ b/app/presenters/user_application_presenter.rb
@ -14,19 +14,31 @@ class UserApplicationPresenter
  end

  def name
-    CGI::escape @app.client_name
+    @app.client_name
  end

  def image
    @app.image_uri
  end

+  def terms_of_services
+    @app.tos_uri
+  end
+
+  def policy
+    @app.policy_uri
+  end
+
  def name?
-    if @app.client_name
-      true
-    else
-      false
-    end
+    @app.client_name.present?
+  end
+
+  def terms_of_services?
+    @app.tos_uri.present?
+  end
+
+  def policy?
+    @app.policy_uri.present?
  end

  def url
--- a/app/views/api/openid_connect/authorizations/_grants_list.haml
+++ b/app/views/api/openid_connect/authorizations/_grants_list.haml
@ -15,3 +15,17 @@
  - else
    .well
      = t("api.openid_connect.authorizations.new.no_requirement", name: user_application_name(app)).html_safe
+
+  .small-horizontal-spacer
+  .application-tos-policy
+    - if app.terms_of_services?
+      %b= link_to t("api.openid_connect.user_applications.tos"), app.terms_of_services
+
+    - if app.policy? && app.terms_of_services?
+      |
+
+    - if app.policy?
+      %b= link_to t("api.openid_connect.user_applications.policy"), app.policy
+
+    - if app.policy? || app.terms_of_services?
+      .small-horizontal-spacer
--- a/app/views/api/openid_connect/user_applications/_grants_list.haml
+++ b/app/views/api/openid_connect/user_applications/_grants_list.haml
@ -14,3 +14,17 @@
  - else
    .well
      = t("api.openid_connect.user_applications.index.no_requirement", name: user_application_name(app)).html_safe
+
+  .small-horizontal-spacer
+  .application-tos-policy
+    - if app.terms_of_services?
+      %b= link_to t("api.openid_connect.user_applications.tos"), app.terms_of_services
+
+    - if app.policy? && app.terms_of_services?
+      |
+
+    - if app.policy?
+      %b= link_to t("api.openid_connect.user_applications.policy"), app.policy
+
+    - if app.policy? || app.terms_of_services?
+      .small-horizontal-spacer
--- a/config/locales/diaspora/en.yml
+++ b/config/locales/diaspora/en.yml
@ -900,6 +900,8 @@ en:
          no_requirement: "%{name} requires no permissions"
        no_applications: "You have no authorized applications"
        revoke_autorization: "Revoke"
+        tos: "See the application's ToS"
+        policy: "See the application's privacy policy"
      scopes:
        openid:
          name: "basic profile"
--- a/db/schema.rb
+++ b/db/schema.rb
@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20150828132451) do
+ActiveRecord::Schema.define(version: 20151003142048) do

  create_table "account_deletions", force: :cascade do |t|
    t.string   "diaspora_handle", limit: 255
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@ -2,6 +2,7 @@ require "spec_helper"

 describe Api::OpenidConnect::AuthorizationsController, type: :controller do
  let!(:client) { FactoryGirl.create(:o_auth_application) }
+  let!(:client_with_xss) { FactoryGirl.create(:o_auth_application_with_xss) }
  let!(:client_with_multiple_redirects) { FactoryGirl.create(:o_auth_application_with_multiple_redirects) }
  let!(:auth_with_read) { FactoryGirl.create(:auth_with_read) }

@ -129,7 +130,16 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
          expect(json_body["error"]).to match("bad_request")
        end
      end
+
+      context "when XSS script is passed as name" do
+        it "should escape html" do
+          post :new, client_id: client_with_xss.client_id, redirect_uri: "http://localhost:3000/",
+               response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
+          expect(response.body).to_not include("<script>alert(0);</script>")
+        end
+      end
    end
+
    context "when already authorized" do
      let!(:auth) {
        Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,