Restrict background jobs to self-hosted mode

2026-01-10 17:21:38 -05:00 · 2025-02-15 11:40:51 +01:00 · 2025-02-15 11:40:51 +01:00 · 74cfc9020e
commit 74cfc9020e
parent 86fd2311f9
2 changed files with 169 additions and 63 deletions
--- a/app/controllers/settings/background_jobs_controller.rb
+++ b/app/controllers/settings/background_jobs_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class Settings::BackgroundJobsController < ApplicationController
+  before_action :authenticate_self_hosted!
  before_action :authenticate_user!
  before_action :authenticate_admin!, unless: lambda {
    %w[start_immich_import start_photoprism_import].include?(params[:job_name])
--- a/spec/requests/settings/background_jobs_spec.rb
+++ b/spec/requests/settings/background_jobs_spec.rb
@ -8,97 +8,202 @@ RSpec.describe '/settings/background_jobs', type: :request do
      .to_return(status: 200, body: '[{"name": "1.0.0"}]', headers: {})
  end

-  context 'when user is not authenticated' do
-    it 'redirects to sign in page' do
-      get settings_background_jobs_url
-
-      expect(response).to redirect_to(new_user_session_url)
+  context 'when Dawarich is in self-hosted mode' do
+    before do
+      allow(DawarichSettings).to receive(:self_hosted?).and_return(true)
    end
-  end

-  context 'when user is authenticated' do
-    let(:user) { create(:user, admin: false) }
-
-    before { sign_in user }
-
-    context 'when user is not an admin' do
-      it 'redirects to root page' do
+    context 'when user is not authenticated' do
+      it 'redirects to sign in page' do
        get settings_background_jobs_url

-        expect(response).to redirect_to(root_url)
-        expect(flash[:notice]).to eq('You are not authorized to perform this action.')
-      end
-
-      context 'when job name is start_immich_import' do
-        it 'redirects to imports page' do
-          post settings_background_jobs_url, params: { job_name: 'start_immich_import' }
-
-          expect(response).to redirect_to(imports_url)
-        end
-
-        it 'enqueues a new job' do
-          expect do
-            post settings_background_jobs_url, params: { job_name: 'start_immich_import' }
-          end.to have_enqueued_job(EnqueueBackgroundJob)
-        end
-      end
-
-      context 'when job name is start_photoprism_import' do
-        it 'redirects to imports page' do
-          get settings_background_jobs_url, params: { job_name: 'start_photoprism_import' }
-        end
-
-        it 'enqueues a new job' do
-          expect do
-            post settings_background_jobs_url, params: { job_name: 'start_photoprism_import' }
-          end.to have_enqueued_job(EnqueueBackgroundJob)
-        end
+        expect(response).to redirect_to(new_user_session_url)
      end
    end

-    context 'when user is an admin' do
-      before { sign_in create(:user, :admin) }
+    context 'when user is authenticated' do
+      let(:user) { create(:user, admin: false) }

-      describe 'GET /index' do
-        it 'renders a successful response' do
+      before { sign_in user }
+
+      context 'when user is not an admin' do
+        it 'redirects to root page' do
          get settings_background_jobs_url

-          expect(response).to be_successful
+          expect(response).to redirect_to(root_url)
+          expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+        end
+
+        context 'when job name is start_immich_import' do
+          it 'redirects to imports page' do
+            post settings_background_jobs_url, params: { job_name: 'start_immich_import' }
+
+            expect(response).to redirect_to(imports_url)
+          end
+
+          it 'enqueues a new job' do
+            expect do
+              post settings_background_jobs_url, params: { job_name: 'start_immich_import' }
+            end.to have_enqueued_job(EnqueueBackgroundJob)
+          end
+        end
+
+        context 'when job name is start_photoprism_import' do
+          it 'redirects to imports page' do
+            get settings_background_jobs_url, params: { job_name: 'start_photoprism_import' }
+          end
+
+          it 'enqueues a new job' do
+            expect do
+              post settings_background_jobs_url, params: { job_name: 'start_photoprism_import' }
+            end.to have_enqueued_job(EnqueueBackgroundJob)
+          end
        end
      end

-      describe 'POST /create' do
-        let(:params) { { job_name: 'start_reverse_geocoding' } }
+      context 'when user is an admin' do
+        before { sign_in create(:user, :admin) }

-        context 'with valid parameters' do
-          it 'enqueues a new job' do
-            expect do
-              post settings_background_jobs_url, params:
-            end.to have_enqueued_job(EnqueueBackgroundJob)
+        describe 'GET /index' do
+          it 'renders a successful response' do
+            get settings_background_jobs_url
+
+            expect(response).to be_successful
+          end
+        end
+
+        describe 'POST /create' do
+          let(:params) { { job_name: 'start_reverse_geocoding' } }
+
+          context 'with valid parameters' do
+            it 'enqueues a new job' do
+              expect do
+                post settings_background_jobs_url, params:
+              end.to have_enqueued_job(EnqueueBackgroundJob)
+            end
+
+            it 'redirects to the created settings_background_job' do
+              post(settings_background_jobs_url, params:)
+
+              expect(response).to redirect_to(settings_background_jobs_url)
+            end
+          end
+        end
+
+        describe 'DELETE /destroy' do
+          it 'clears the Sidekiq queue' do
+            queue = instance_double(Sidekiq::Queue)
+            allow(Sidekiq::Queue).to receive(:new).and_return(queue)
+
+            expect(queue).to receive(:clear)
+
+            delete settings_background_job_url('queue_name')
          end

-          it 'redirects to the created settings_background_job' do
-            post(settings_background_jobs_url, params:)
+          it 'redirects to the settings_background_jobs list' do
+            delete settings_background_job_url('queue_name')

            expect(response).to redirect_to(settings_background_jobs_url)
          end
        end
      end
+    end
+  end

-      describe 'DELETE /destroy' do
-        it 'clears the Sidekiq queue' do
-          queue = instance_double(Sidekiq::Queue)
-          allow(Sidekiq::Queue).to receive(:new).and_return(queue)
+  context 'when Dawarich is not in self-hosted mode' do
+    before do
+      allow(DawarichSettings).to receive(:self_hosted?).and_return(false)
+    end

-          expect(queue).to receive(:clear)
+    context 'when user is not authenticated' do
+      it 'redirects to sign in page' do
+        get settings_background_jobs_url

-          delete settings_background_job_url('queue_name')
+        expect(response).to redirect_to(root_url)
+        expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+      end
+    end
+
+    context 'when user is authenticated' do
+      let(:user) { create(:user) }
+
+      before { sign_in user }
+
+      describe 'GET /index' do
+        it 'redirects to root page' do
+          get settings_background_jobs_url
+
+          expect(response).to redirect_to(root_url)
+          expect(flash[:notice]).to eq('You are not authorized to perform this action.')
        end

-        it 'redirects to the settings_background_jobs list' do
+        context 'when user is an admin' do
+          before { sign_in create(:user, :admin) }
+
+          it 'redirects to root page' do
+            get settings_background_jobs_url
+
+            expect(response).to redirect_to(root_url)
+            expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+          end
+        end
+      end
+
+      describe 'POST /create' do
+        it 'redirects to root page' do
+          post settings_background_jobs_url, params: { job_name: 'start_reverse_geocoding' }
+
+          expect(response).to redirect_to(root_url)
+          expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+        end
+
+        context 'when job name is start_immich_import' do
+          it 'redirects to imports page' do
+            post settings_background_jobs_url, params: { job_name: 'start_immich_import' }
+
+            expect(response).to redirect_to(root_url)
+            expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+          end
+        end
+
+        context 'when job name is start_photoprism_import' do
+          it 'redirects to imports page' do
+            post settings_background_jobs_url, params: { job_name: 'start_photoprism_import' }
+
+            expect(response).to redirect_to(root_url)
+            expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+          end
+        end
+
+        context 'when user is an admin' do
+          before { sign_in create(:user, :admin) }
+
+          it 'redirects to root page' do
+            get settings_background_jobs_url
+
+            expect(response).to redirect_to(root_url)
+            expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+          end
+        end
+      end
+
+      describe 'DELETE /destroy' do
+        it 'redirects to root page' do
          delete settings_background_job_url('queue_name')

-          expect(response).to redirect_to(settings_background_jobs_url)
+          expect(response).to redirect_to(root_url)
+          expect(flash[:notice]).to eq('You are not authorized to perform this action.')
+        end
+      end
+
+      context 'when user is an admin' do
+        before { sign_in create(:user, :admin) }
+
+        it 'redirects to root page' do
+          get settings_background_jobs_url
+
+          expect(response).to redirect_to(root_url)
+          expect(flash[:notice]).to eq('You are not authorized to perform this action.')
        end
      end
    end