api: make IP addresses in the API.

Make the following fields visible in API responses: * ip_bans.ip_addr * ip_geolocations.ip_addr * ip_geolocations.network * users.last_ip_addr (mod only) * user_sessions.ip_addr * api_keys.last_ip_address * api_keys.permitted_ip_addresses Before IP addresses were globally hidden in API responses because IPs were present in a lot of tables and we didn't want to accidentally leak them. Now that we've gotten rid of IPs from most tables, it's safe to unhide them.
2022-09-24 00:09:36 -05:00
parent 7bf824f0dd
commit adba70a0de
9 changed files with 34 additions and 32 deletions
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -127,21 +127,28 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
      end

      should "show hidden attributes to the owner" do
-        get_auth user_path(@user), @user, params: {format: :json}
-        json = JSON.parse(response.body)
+        get_auth user_path(@user), @user, as: :json

        assert_response :success
-        assert_not_nil(json["last_logged_in_at"])
+        assert_not_nil(response.parsed_body["last_logged_in_at"])
+      end
+
+      should "show the last_ip_addr to mods" do
+        user = create(:user, last_ip_addr: "1.2.3.4")
+        get_auth user_path(user), create(:mod_user), as: :json
+
+        assert_response :success
+        assert_equal("1.2.3.4", response.parsed_body["last_ip_addr"])
      end

      should "not show hidden attributes to others" do
        @another = create(:user)

-        get_auth user_path(@another), @user, params: {format: :json}
-        json = JSON.parse(response.body)
+        get_auth user_path(@another), @user, as: :json

        assert_response :success
-        assert_nil(json["last_logged_in_at"])
+        assert_nil(response.parsed_body["last_logged_in_at"])
+        assert_nil(response.parsed_body["last_ip_addr"])
      end

      should "strip '?' from attributes" do