fix: user permission is now checked for api key authorizer

src/Core/Tool/Authorizer/ApiKeyAuthorizer.php

@@ -12,11 +12,13 @@
 namespace Ushahidi\Core\Tool\Authorizer;
 
 use Ushahidi\Core\Entity;
+use Ushahidi\Core\Entity\Permission;
 use Ushahidi\Core\Tool\Authorizer;
 use Ushahidi\Core\Traits\AdminAccess;
 use Ushahidi\Core\Traits\UserContext;
 use Ushahidi\Core\Traits\PrivAccess;
 use Ushahidi\Core\Traits\PrivateDeployment;
+use Ushahidi\Core\Tool\Permissions\AclTrait;
 
 class ApiKeyAuthorizer implements Authorizer
 {
@@ -32,6 +34,9 @@ class ApiKeyAuthorizer implements Authorizer
     // It uses `PrivateDeployment` to check whether a deployment is private
     use PrivateDeployment;
 
+    // Check that the user has the necessary permissions
+    use AclTrait;
+
     /* Authorizer */
     public function isAllowed(Entity $entity, $privilege)
     {
@@ -44,6 +49,11 @@ public function isAllowed(Entity $entity, $privilege)
             return false;
         }
 
+        // Role with the Manage Settings permission can have access
+        if ($this->acl->hasPermission($user, Permission::MANAGE_SETTINGS)) {
+            return true;
+        }
+
         // Admin is allowed access to everything
         if ($this->isUserAdmin($user)) {
             return true;

tests/datasets/ushahidi/Base.yml

@@ -27,6 +27,10 @@ roles:
     name: "noedit"
     display_name: "User cant edit posts"
     protected: 0
+  -
+    name: "settingsmanager"
+    display_name: "Settings Manager"
+    protected: 0
 users:
   -
     id: 1
@@ -82,6 +86,12 @@ users:
     realname: Sets
     email: "sets@ushahidi.com"
     role: "sets"
+  -
+    id: 10
+    password: "$2y$15$iWANGZn.DomLWU.YtjUcX.HEq1hoMGauzXFRubKgar/BRaAj9zQ9q"
+    realname: Settings Manager
+    email: "settingsmanager@ushahidi.com"
+    role: "settingsmanager"
 user_settings:
  -
    id: 1
@@ -1674,6 +1684,12 @@ oauth_access_tokens:
     user_id: 9
     scopes: '["*"]'
     expires_at: "2031-01-01"
+  -
+    id: testsettingsmanager
+    client_id: demoapp
+    user_id: 10
+    scopes: '["*"]'
+    expires_at: "2031-01-01"
 
 oauth_refresh_tokens:
 oauth_personal_access_clients:
@@ -2244,6 +2260,9 @@ roles_permissions:
   -
     role: manager
     permission: Manage Settings
+  -
+    role: settingsmanager
+    permission: Manage Settings
   -
     role: sets
     permission: Manage Collections and Saved Searches

tests/integration/api.apikeys.feature

@@ -55,3 +55,14 @@ Feature: Testing the ApiKey API
         And the type of the "count" property is "numeric"
         And the "count" property equals "1"
         Then the guzzle status code should be 200
+
+    @rolesEnabled
+    Scenario: User with only Manage Settings permission can list Apikeys
+        Given that I want to get all "Apikeys"
+        And that the oauth token is "testsettingsmanager"
+        When I request "/apikeys"
+        Then the response is JSON
+        And the response has a "count" property
+        And the type of the "count" property is "numeric"
+        And the "count" property equals "1"
+        Then the guzzle status code should be 200

tests/integration/bootstrap/RestContext.php

@@ -740,6 +740,7 @@ public function thatIWantToCountAll($objectType)
         'missingtoken' => 99,
         'testnoedit' => 8,
         'testsets' => 9,
+        'testsettingsmanager' => 10,
     ];
 
     /**

tests/integration/users.feature

@@ -108,7 +108,7 @@ Feature: Testing the Users API
 		Then the response is JSON
 		And the response has a "count" property
 		And the type of the "count" property is "numeric"
-		And the "count" property equals "9"
+		And the "count" property equals "10"
 		Then the guzzle status code should be 200
 
 	@resetFixture