Commit 8a9e86e2b0c8f935780ee2e0874246843cda2995
1 parent
add73ad6
Exists in
api_visitor
Added tests to filter anonymous access and removed some api restrictions
Showing
7 changed files
with
126 additions
and
9 deletions
Show diff stats
lib/noosfero/api/v1/enterprises.rb
lib/noosfero/api/v1/users.rb
| @@ -2,7 +2,6 @@ module Noosfero | @@ -2,7 +2,6 @@ module Noosfero | ||
| 2 | module API | 2 | module API |
| 3 | module V1 | 3 | module V1 |
| 4 | class Users < Grape::API | 4 | class Users < Grape::API |
| 5 | - before { authenticate! } | ||
| 6 | 5 | ||
| 7 | resource :users do | 6 | resource :users do |
| 8 | 7 | ||
| @@ -13,6 +12,7 @@ module Noosfero | @@ -13,6 +12,7 @@ module Noosfero | ||
| 13 | end | 12 | end |
| 14 | 13 | ||
| 15 | get "/me" do | 14 | get "/me" do |
| 15 | + authenticate! | ||
| 16 | present current_user, :with => Entities::User, :current_person => current_person | 16 | present current_user, :with => Entities::User, :current_person => current_person |
| 17 | end | 17 | end |
| 18 | 18 | ||
| @@ -25,6 +25,7 @@ module Noosfero | @@ -25,6 +25,7 @@ module Noosfero | ||
| 25 | end | 25 | end |
| 26 | 26 | ||
| 27 | get ":id/permissions" do | 27 | get ":id/permissions" do |
| 28 | + authenticate! | ||
| 28 | user = environment.users.find(params[:id]) | 29 | user = environment.users.find(params[:id]) |
| 29 | output = {} | 30 | output = {} |
| 30 | user.person.role_assignments.map do |role_assigment| | 31 | user.person.role_assignments.map do |role_assigment| |
test/api/communities_test.rb
| @@ -283,4 +283,30 @@ class CommunitiesTest < ActiveSupport::TestCase | @@ -283,4 +283,30 @@ class CommunitiesTest < ActiveSupport::TestCase | ||
| 283 | assert_not_includes json["communities"].map { |a| a["id"] }, community2.id | 283 | assert_not_includes json["communities"].map { |a| a["id"] }, community2.id |
| 284 | end | 284 | end |
| 285 | 285 | ||
| 286 | + should 'display public custom fields to anonymous' do | ||
| 287 | + anonymous_setup | ||
| 288 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default) | ||
| 289 | + some_community = fast_create(Community) | ||
| 290 | + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} } | ||
| 291 | + some_community.save! | ||
| 292 | + | ||
| 293 | + get "/api/v1/communities/#{some_community.id}?#{params.to_query}" | ||
| 294 | + json = JSON.parse(last_response.body) | ||
| 295 | + assert json['community']['additional_data'].has_key?('Rating') | ||
| 296 | + assert_equal "Five stars", json['community']['additional_data']['Rating'] | ||
| 297 | + end | ||
| 298 | + | ||
| 299 | + should 'not display private custom fields to anonymous' do | ||
| 300 | + anonymous_setup | ||
| 301 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default) | ||
| 302 | + some_community = fast_create(Community) | ||
| 303 | + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} } | ||
| 304 | + some_community.save! | ||
| 305 | + | ||
| 306 | + get "/api/v1/communities/#{some_community.id}?#{params.to_query}" | ||
| 307 | + json = JSON.parse(last_response.body) | ||
| 308 | + refute json['community']['additional_data'].has_key?('Rating') | ||
| 309 | + end | ||
| 310 | + | ||
| 311 | + | ||
| 286 | end | 312 | end |
test/api/enterprises_test.rb
| @@ -107,4 +107,29 @@ class EnterprisesTest < ActiveSupport::TestCase | @@ -107,4 +107,29 @@ class EnterprisesTest < ActiveSupport::TestCase | ||
| 107 | assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']} | 107 | assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']} |
| 108 | end | 108 | end |
| 109 | 109 | ||
| 110 | + should 'display public custom fields to anonymous' do | ||
| 111 | + anonymous_setup | ||
| 112 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default) | ||
| 113 | + some_enterprise = fast_create(Enterprise) | ||
| 114 | + some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} } | ||
| 115 | + some_enterprise.save! | ||
| 116 | + | ||
| 117 | + get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}" | ||
| 118 | + json = JSON.parse(last_response.body) | ||
| 119 | + assert json['enterprise']['additional_data'].has_key?('Rating') | ||
| 120 | + assert_equal "Five stars", json['enterprise']['additional_data']['Rating'] | ||
| 121 | + end | ||
| 122 | + | ||
| 123 | + should 'not display public custom fields to anonymous' do | ||
| 124 | + anonymous_setup | ||
| 125 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default) | ||
| 126 | + some_enterprise = fast_create(Enterprise) | ||
| 127 | + some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} } | ||
| 128 | + some_enterprise.save! | ||
| 129 | + | ||
| 130 | + get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}" | ||
| 131 | + json = JSON.parse(last_response.body) | ||
| 132 | + refute json['enterprise']['additional_data'].has_key?('Rating') | ||
| 133 | + end | ||
| 134 | + | ||
| 110 | end | 135 | end |
test/api/people_test.rb
| @@ -348,6 +348,17 @@ class PeopleTest < ActiveSupport::TestCase | @@ -348,6 +348,17 @@ class PeopleTest < ActiveSupport::TestCase | ||
| 348 | assert_equal json['person']['additional_data'], {} | 348 | assert_equal json['person']['additional_data'], {} |
| 349 | end | 349 | end |
| 350 | 350 | ||
| 351 | + should 'hide private fields to anonymous' do | ||
| 352 | + anonymous_setup | ||
| 353 | + target_person = create_user('some-user').person | ||
| 354 | + target_person.save! | ||
| 355 | + | ||
| 356 | + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" | ||
| 357 | + json = JSON.parse(last_response.body) | ||
| 358 | + refute json["user"].has_key?("permissions") | ||
| 359 | + refute json["user"].has_key?("activated") | ||
| 360 | + end | ||
| 361 | + | ||
| 351 | should 'display non-public custom fields to friend' do | 362 | should 'display non-public custom fields to friend' do |
| 352 | login_api | 363 | login_api |
| 353 | CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) | 364 | CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) |
test/api/profiles_test.rb
| @@ -55,4 +55,30 @@ class ProfilesTest < ActiveSupport::TestCase | @@ -55,4 +55,30 @@ class ProfilesTest < ActiveSupport::TestCase | ||
| 55 | assert_equal community.id, json['id'] | 55 | assert_equal community.id, json['id'] |
| 56 | end | 56 | end |
| 57 | 57 | ||
| 58 | + should 'display public custom fields to anonymous' do | ||
| 59 | + anonymous_setup | ||
| 60 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default) | ||
| 61 | + some_profile = fast_create(Profile) | ||
| 62 | + some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} } | ||
| 63 | + some_profile.save! | ||
| 64 | + | ||
| 65 | + get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}" | ||
| 66 | + json = JSON.parse(last_response.body) | ||
| 67 | + assert json['additional_data'].has_key?('Rating') | ||
| 68 | + assert_equal "Five stars", json['additional_data']['Rating'] | ||
| 69 | + end | ||
| 70 | + | ||
| 71 | + should 'not display private custom fields to anonymous' do | ||
| 72 | + anonymous_setup | ||
| 73 | + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default) | ||
| 74 | + some_profile = fast_create(Profile) | ||
| 75 | + some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} } | ||
| 76 | + some_profile.save! | ||
| 77 | + | ||
| 78 | + get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}" | ||
| 79 | + json = JSON.parse(last_response.body) | ||
| 80 | + refute json.has_key?('Rating') | ||
| 81 | + end | ||
| 82 | + | ||
| 83 | + | ||
| 58 | end | 84 | end |
test/api/users_test.rb
| @@ -3,23 +3,22 @@ require_relative 'test_helper' | @@ -3,23 +3,22 @@ require_relative 'test_helper' | ||
| 3 | 3 | ||
| 4 | class UsersTest < ActiveSupport::TestCase | 4 | class UsersTest < ActiveSupport::TestCase |
| 5 | 5 | ||
| 6 | - def setup | 6 | + should 'logger user list users' do |
| 7 | login_api | 7 | login_api |
| 8 | - end | ||
| 9 | - | ||
| 10 | - should 'list users' do | ||
| 11 | get "/api/v1/users/?#{params.to_query}" | 8 | get "/api/v1/users/?#{params.to_query}" |
| 12 | json = JSON.parse(last_response.body) | 9 | json = JSON.parse(last_response.body) |
| 13 | assert_includes json["users"].map { |a| a["login"] }, user.login | 10 | assert_includes json["users"].map { |a| a["login"] }, user.login |
| 14 | end | 11 | end |
| 15 | 12 | ||
| 16 | - should 'get user' do | 13 | + should 'logger user get user info' do |
| 14 | + login_api | ||
| 17 | get "/api/v1/users/#{user.id}?#{params.to_query}" | 15 | get "/api/v1/users/#{user.id}?#{params.to_query}" |
| 18 | json = JSON.parse(last_response.body) | 16 | json = JSON.parse(last_response.body) |
| 19 | assert_equal user.id, json['user']['id'] | 17 | assert_equal user.id, json['user']['id'] |
| 20 | end | 18 | end |
| 21 | 19 | ||
| 22 | - should 'list user permissions' do | 20 | + should 'logger user list user permissions' do |
| 21 | + login_api | ||
| 23 | community = fast_create(Community) | 22 | community = fast_create(Community) |
| 24 | community.add_admin(person) | 23 | community.add_admin(person) |
| 25 | get "/api/v1/users/#{user.id}/?#{params.to_query}" | 24 | get "/api/v1/users/#{user.id}/?#{params.to_query}" |
| @@ -28,25 +27,29 @@ class UsersTest < ActiveSupport::TestCase | @@ -28,25 +27,29 @@ class UsersTest < ActiveSupport::TestCase | ||
| 28 | end | 27 | end |
| 29 | 28 | ||
| 30 | should 'get logged user' do | 29 | should 'get logged user' do |
| 30 | + login_api | ||
| 31 | get "/api/v1/users/me?#{params.to_query}" | 31 | get "/api/v1/users/me?#{params.to_query}" |
| 32 | json = JSON.parse(last_response.body) | 32 | json = JSON.parse(last_response.body) |
| 33 | assert_equal user.id, json['user']['id'] | 33 | assert_equal user.id, json['user']['id'] |
| 34 | end | 34 | end |
| 35 | 35 | ||
| 36 | should 'not show permissions to logged user' do | 36 | should 'not show permissions to logged user' do |
| 37 | + login_api | ||
| 37 | target_person = create_user('some-user').person | 38 | target_person = create_user('some-user').person |
| 38 | get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" | 39 | get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" |
| 39 | json = JSON.parse(last_response.body) | 40 | json = JSON.parse(last_response.body) |
| 40 | refute json["user"].has_key?("permissions") | 41 | refute json["user"].has_key?("permissions") |
| 41 | end | 42 | end |
| 42 | 43 | ||
| 43 | - should 'show permissions to self' do | 44 | + should 'logger user show permissions to self' do |
| 45 | + login_api | ||
| 44 | get "/api/v1/users/#{user.id}/?#{params.to_query}" | 46 | get "/api/v1/users/#{user.id}/?#{params.to_query}" |
| 45 | json = JSON.parse(last_response.body) | 47 | json = JSON.parse(last_response.body) |
| 46 | assert json["user"].has_key?("permissions") | 48 | assert json["user"].has_key?("permissions") |
| 47 | end | 49 | end |
| 48 | 50 | ||
| 49 | should 'not show permissions to friend' do | 51 | should 'not show permissions to friend' do |
| 52 | + login_api | ||
| 50 | target_person = create_user('some-user').person | 53 | target_person = create_user('some-user').person |
| 51 | 54 | ||
| 52 | f = Friendship.new | 55 | f = Friendship.new |
| @@ -60,6 +63,7 @@ class UsersTest < ActiveSupport::TestCase | @@ -60,6 +63,7 @@ class UsersTest < ActiveSupport::TestCase | ||
| 60 | end | 63 | end |
| 61 | 64 | ||
| 62 | should 'not show private attribute to logged user' do | 65 | should 'not show private attribute to logged user' do |
| 66 | + login_api | ||
| 63 | target_person = create_user('some-user').person | 67 | target_person = create_user('some-user').person |
| 64 | get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" | 68 | get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" |
| 65 | json = JSON.parse(last_response.body) | 69 | json = JSON.parse(last_response.body) |
| @@ -67,6 +71,7 @@ class UsersTest < ActiveSupport::TestCase | @@ -67,6 +71,7 @@ class UsersTest < ActiveSupport::TestCase | ||
| 67 | end | 71 | end |
| 68 | 72 | ||
| 69 | should 'show private attr to friend' do | 73 | should 'show private attr to friend' do |
| 74 | + login_api | ||
| 70 | target_person = create_user('some-user').person | 75 | target_person = create_user('some-user').person |
| 71 | f = Friendship.new | 76 | f = Friendship.new |
| 72 | f.friend = target_person | 77 | f.friend = target_person |
| @@ -79,6 +84,7 @@ class UsersTest < ActiveSupport::TestCase | @@ -79,6 +84,7 @@ class UsersTest < ActiveSupport::TestCase | ||
| 79 | end | 84 | end |
| 80 | 85 | ||
| 81 | should 'show public attribute to logged user' do | 86 | should 'show public attribute to logged user' do |
| 87 | + login_api | ||
| 82 | target_person = create_user('some-user').person | 88 | target_person = create_user('some-user').person |
| 83 | target_person.fields_privacy={:email=> 'public'} | 89 | target_person.fields_privacy={:email=> 'public'} |
| 84 | target_person.save! | 90 | target_person.save! |
| @@ -89,6 +95,7 @@ class UsersTest < ActiveSupport::TestCase | @@ -89,6 +95,7 @@ class UsersTest < ActiveSupport::TestCase | ||
| 89 | end | 95 | end |
| 90 | 96 | ||
| 91 | should 'show public and private field to admin' do | 97 | should 'show public and private field to admin' do |
| 98 | + login_api | ||
| 92 | Environment.default.add_admin(person) | 99 | Environment.default.add_admin(person) |
| 93 | 100 | ||
| 94 | target_person = create_user('some-user').person | 101 | target_person = create_user('some-user').person |
| @@ -102,4 +109,26 @@ class UsersTest < ActiveSupport::TestCase | @@ -102,4 +109,26 @@ class UsersTest < ActiveSupport::TestCase | ||
| 102 | assert json["user"].has_key?("activated") | 109 | assert json["user"].has_key?("activated") |
| 103 | end | 110 | end |
| 104 | 111 | ||
| 112 | + should 'show public fields to anonymous' do | ||
| 113 | + anonymous_setup | ||
| 114 | + target_person = create_user('some-user').person | ||
| 115 | + target_person.fields_privacy={:email=> 'public'} | ||
| 116 | + target_person.save! | ||
| 117 | + | ||
| 118 | + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" | ||
| 119 | + json = JSON.parse(last_response.body) | ||
| 120 | + assert json["user"].has_key?("email") | ||
| 121 | + end | ||
| 122 | + | ||
| 123 | + should 'hide private fields to anonymous' do | ||
| 124 | + anonymous_setup | ||
| 125 | + target_person = create_user('some-user').person | ||
| 126 | + target_person.save! | ||
| 127 | + | ||
| 128 | + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" | ||
| 129 | + json = JSON.parse(last_response.body) | ||
| 130 | + refute json["user"].has_key?("permissions") | ||
| 131 | + refute json["user"].has_key?("activated") | ||
| 132 | + end | ||
| 133 | + | ||
| 105 | end | 134 | end |