Files
sure/test/architecture/api_current_usage_test.rb
Orange🍊 30780a5961 refactor(api): scope controllers through current_resource_owner (#2414)
Follow-up to #2405. Replace remaining API controller reads of
Current.user, Current.family, and Current.session with
current_resource_owner. Add an architecture guard test to prevent
regression.

Scope is limited to the Current sweep only:
- Revert balance_sheet user-scoping (moves to account-auth PR B).
- Revert provider_connections DebugLogEntry logging (separate PR).
- Remove UsersController#destroy attempt to destroy unsaved API session.
2026-06-28 21:59:44 +02:00

50 lines
1.8 KiB
Ruby

# frozen_string_literal: true
require "test_helper"
class ApiCurrentUsageTest < ActiveSupport::TestCase
API_CONTROLLER_GLOB = Rails.root.join("app/controllers/api/**/*.rb").to_s
BASE_CONTROLLER = Rails.root.join("app/controllers/api/v1/base_controller.rb").to_s
DISALLOWED_CURRENT_REFERENCES = [
"Current.user",
"Current.family",
"Current.session"
].freeze
# Api::V1::BaseController may set an unsaved session as a compatibility bridge
# for code paths that still derive Current.user from Current.session.user.
# Add new entries only when they are part of that bridge and document why.
ALLOWED_BASE_CONTROLLER_REFERENCES = [
"Current.session = @current_user.sessions.build(",
"Current.session.active_impersonator_session = nil"
].freeze
test "api controllers scope through current_resource_owner instead of Current" do
violations = []
Dir.glob(API_CONTROLLER_GLOB).sort.each do |path|
File.readlines(path).each.with_index(1) do |line, line_number|
next unless DISALLOWED_CURRENT_REFERENCES.any? { |reference| line.include?(reference) }
next if allowed_base_controller_reference?(path, line)
relative_path = Pathname.new(path).relative_path_from(Rails.root)
violations << "#{relative_path}:#{line_number}: #{line.strip}"
end
end
assert_empty violations, <<~MESSAGE
API controllers should not read Current.user, Current.family, or Current.session.
Use current_resource_owner/current_resource_owner.family for API auth scoping.
The only allowed Current.session usage is the compatibility bridge in Api::V1::BaseController.
#{violations.join("\n")}
MESSAGE
end
private
def allowed_base_controller_reference?(path, line)
path == BASE_CONTROLLER && ALLOWED_BASE_CONTROLLER_REFERENCES.any? { |reference| line.include?(reference) }
end
end