Merge branch 'api' into stable

Conflicts: config.ru lib/noosfero/plugin.rb

Merge branch 'api' into stable
Conflicts: config.ru lib/noosfero/plugin.rb
Victor Costa
2 parents 96cb988c 3ffde53a
Showing 35 changed files with 2079 additions and 21 deletions Show diff stats
Gemfile
Rakefile
app/controllers/my_profile/cms_controller.rb
app/models/article.rb
app/models/organization.rb
app/models/person.rb
app/models/profile.rb
app/models/user.rb
config.ru
config/application.rb
db/migrate/20150223180807_add_private_token_info_to_users.rb
db/schema.rb
lib/noosfero/api/api.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/session.rb
lib/noosfero/api/v1/articles.rb
lib/noosfero/api/v1/categories.rb
lib/noosfero/api/v1/comments.rb
lib/noosfero/api/v1/communities.rb
@@ -20,6 +20,16 @@ gem &#39;gettext&#39;,                  &#39;~&gt; 2.2.1&#39;, :require =&gt; false
 gem 'locale',                   '~> 2.0.5'
 gem 'whenever', :require => false
 gem 'eita-jrails', '>= 0.9.5', :require => 'jrails'
+gem 'grape',                    '~> 0.8.0'
+gem 'grape-entity'
+gem 'grape-swagger'
+gem 'rack-cors'
+gem 'rack-contrib'
+
+#gem 'grape-swagger-rails'
+
+# FIXME list here all actual dependencies (i.e. the ones in debian/control),
+# with their GEM names (not the Debian package names)
  
 group :assets do
   gem 'uglifier', '>= 1.0.3'
@@ -15,4 +15,21 @@ Noosfero::Application.load_tasks
   Dir.glob(pattern).sort
 end.flatten.each do |taskfile|
   load taskfile
+end 
+
+# plugins' tasks
+plugins_tasks = Dir.glob("config/plugins/*/{tasks,lib/tasks,rails/tasks}/**/*.rake").sort +
+  Dir.glob("config/plugins/*/vendor/plugins/*/{tasks,lib/tasks,rails/tasks}/**/*.rake").sort
+plugins_tasks.each{ |ext| load ext }
+
+
+desc "Print out grape routes"
+task :grape_routes => :environment do
+  #require 'api/api.rb'
+  Noosfero::API::API.routes.each do |route|
+    puts route
+    method = route.route_method
+    path = route.route_path
+    puts "     #{method} #{path}"
+  end
 end
@@ -27,20 +27,13 @@ class CmsController &lt; MyProfileController
  
   helper_method :file_types
  
-  protect_if :only => :upload_files do |c, user, profile|
-    article_id = c.params[:parent_id]
-    (!article_id.blank? && profile.articles.find(article_id).allow_create?(user)) ||
-    (user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile)))
-  end
-
-  protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :publish_on_portal_community, :publish_on_communities, :search_communities_to_publish, :upload_files, :new] do |c, user, profile|
+  protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :upload_files, :new] do |c, user, profile|
     user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile))
   end
  
-  protect_if :only => :new do |c, user, profile|
-    article = profile.articles.find_by_id(c.params[:parent_id])
-    (!article.nil? && (article.allow_create?(user) || article.parent.allow_create?(user))) ||
-    (user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile)))
+  protect_if :only => [:new, :upload_files] do |c, user, profile|
+    parent = profile.articles.find_by_id(c.params[:parent_id])
+    user && user.can_post_content?(profile, parent)
   end
  
   protect_if :only => :destroy do |c, user, profile|
@@ -702,6 +702,11 @@ class Article &lt; ActiveRecord::Base
     person ? person.id : nil
   end
  
+  #FIXME make this test
+  def author_custom_image(size = :icon)
+    author ? author.profile_custom_image(size) : nil
+  end
+
   def version_license(version_number = nil)
     return license if version_number.nil?
     profile.environment.licenses.find_by_id(get_version(version_number).license_id)
@@ -8,6 +8,13 @@ class Organization &lt; Profile
     :display => %w[compact]
   }
  
+  scope :visible_for_person, lambda { |person|
+    joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
+    .where(
+      ['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR 
+          (profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id,  true, true]
+    ).uniq
+  }
  
   settings_items :closed, :type => :boolean, :default => false
   def closed?
@@ -39,6 +39,14 @@ roles] }
     { :select => 'DISTINCT profiles.*', :conditions => ['"profiles"."id" NOT IN (SELECT DISTINCT profiles.id FROM "profiles" INNER JOIN "friendships" ON "friendships"."person_id" = "profiles"."id" WHERE "friendships"."friend_id" IN (%s))' % resources.map(&:id)] }
   }
  
+  scope :visible_for_person, lambda { |person|
+    joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
+    .where(
+      ['( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?)', person.id,  true, true]
+    ).uniq
+  }
+
+
   def has_permission_with_admin?(permission, resource)
     return true if resource.blank? || resource.admins.include?(self)
     return true if resource.kind_of?(Profile) && resource.environment.admins.include?(self)
@@ -123,6 +131,11 @@ roles] }
     self.tracked_notifications.exists?(activity)
   end
  
+  def can_post_content?(profile, parent=nil)
+    (!parent.nil? && (parent.allow_create?(self))) ||
+      (self.has_permission?('post_content', profile) || self.has_permission?('publish_content', profile))
+  end
+
   # Sets the identifier for this person. Raises an exception when called on a
   # existing person (since peoples' identifiers cannot be changed)
   def identifier=(value)
@@ -124,6 +124,16 @@ class Profile &lt; ActiveRecord::Base
   }
   scope :no_templates, {:conditions => {:is_template => false}}
  
+  #FIXME make this test
+  scope :newer_than, lambda { |reference_id|
+    {:conditions => ["profiles.id > #{reference_id}"]}
+  }
+
+  #FIXME make this test
+  scope :older_than, lambda { |reference_id|
+    {:conditions => ["profiles.id < #{reference_id}"]}
+  }
+
   def members
     scopes = plugins.dispatch_scopes(:organization_members, self)
     scopes << Person.members_of(self)
@@ -947,6 +957,13 @@ private :generate_url, :url_options
     image.public_filename(:icon) if image.present?
   end
  
+  #FIXME make this test
+  def profile_custom_image(size = :icon)
+    image_path = profile_custom_icon if size == :icon
+    image_path ||= image.public_filename(size) if image.present?
+    image_path
+  end
+
   def jid(options = {})
     domain = options[:domain] || environment.default_hostname
     "#{identifier}@#{domain}"
 require 'digest/sha1'
 require 'user_activation_job'
+require 'securerandom'
  
 # User models the system users, and is generated by the acts_as_authenticated
 # Rails generator.
@@ -119,6 +120,18 @@ class User &lt; ActiveRecord::Base
     self.update_attribute :last_login_at, Time.now
   end
  
+  #FIXME make this test
+  def generate_private_token!
+    self.private_token = SecureRandom.hex
+    self.private_token_generated_at = DateTime.now
+    save(:validate => false)
+  end
+
+  #FIXME make this test
+  def private_token_expired?
+    self.generate_private_token! if self.private_token.nil? || (self.private_token_generated_at + 2.weeks < DateTime.now)
+  end
+
   # Activates the user in the database.
   def activate
     return false unless self.person
@@ -2,11 +2,15 @@
  
 require ::File.expand_path('../config/environment',  __FILE__)
  
+#use Rails::Rack::LogTailer
+#use Rails::Rack::Static
+#run ActionController::Dispatcher.news
+
 rails_app = Rack::Builder.new do
   run Noosfero::Application
 end
  
 run Rack::Cascade.new([
-  API::API,
+  Noosfero::API::API,
   rails_app
 ])
@@ -135,5 +135,12 @@ module Noosfero
  
     Noosfero::Plugin.setup(config)
  
+    config.middleware.use Rack::Cors do
+      allow do
+        origins '*'
+        resource 'api/*', :headers => :any, :methods => [:get, :post]
+      end
+    end
+
   end
 end
@@ -0,0 +1,11 @@
+class AddPrivateTokenInfoToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :private_token, :string
+    add_column :users, :private_token_generated_at, :datetime
+  end
+
+  def self.down
+    remove_column :users, :private_token
+    remove_column :users, :private_token_generated_at
+  end
+end
@@ -720,21 +720,21 @@ ActiveRecord::Schema.define(:version =&gt; 20150408231524) do
   create_table "users", :force => true do |t|
     t.string   "login"
     t.string   "email"
-    t.string   "crypted_password",          :limit => 40
-    t.string   "salt",                      :limit => 40
+    t.string   "crypted_password",           :limit => 40
+    t.string   "salt",                       :limit => 40
     t.datetime "created_at"
     t.datetime "updated_at"
     t.string   "remember_token"
     t.datetime "remember_token_expires_at"
     t.text     "terms_of_use"
-    t.string   "terms_accepted",            :limit => 1
+    t.string   "terms_accepted",             :limit => 1
     t.integer  "environment_id"
     t.string   "password_type"
-    t.boolean  "enable_email",                            :default => false
-    t.string   "last_chat_status",                        :default => ""
-    t.string   "chat_status",                             :default => ""
+    t.boolean  "enable_email",                             :default => false
+    t.string   "last_chat_status",                         :default => ""
+    t.string   "chat_status",                              :default => ""
     t.datetime "chat_status_at"
-    t.string   "activation_code",           :limit => 40
+    t.string   "activation_code",            :limit => 40
     t.datetime "activated_at"
     t.string   "return_to"
     t.datetime "last_login_at"
@@ -0,0 +1,42 @@
+require 'grape'
+#require 'rack/contrib'
+Dir["#{Rails.root}/lib/noosfero/api/*.rb"].each {|file| require file}
+module Noosfero
+  module API
+    class API < Grape::API
+      use Rack::JSONP
+
+      before { start_log }
+      before { setup_multitenancy }
+      before { detect_stuff_by_domain }
+      after { end_log }
+  
+      version 'v1'
+      prefix "api"
+      format :json
+      content_type :txt, "text/plain"
+  
+      helpers APIHelpers
+  
+      mount V1::Articles
+      mount V1::Comments
+      mount V1::Users
+      mount V1::Communities
+      mount V1::People
+      mount V1::Enterprises
+      mount V1::Categories
+      mount Session
+  
+      # hook point which allow plugins to add Grape::API extensions to API::API
+      #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
+      @plugins = Noosfero::Plugin.all.map { |p| p.constantize }
+      @plugins.each do |klass|
+        if klass.public_methods.include? 'api_mount_points'
+          klass.api_mount_points.each do |mount_class|
+              mount mount_class if mount_class && ( mount_class < Grape::API )
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,94 @@
+module Noosfero
+  module API
+    module Entities
+  
+      Grape::Entity.format_with :timestamp do |date|
+        date.strftime('%Y/%m/%d %H:%M:%S') if date
+      end
+  
+      class Image < Grape::Entity
+        root 'images', 'image'
+  
+        expose  :icon_url do |image, options|
+          image.public_filename(:icon)
+        end
+  
+        expose  :minor_url do |image, options|
+          image.public_filename(:minor)
+        end
+  
+        expose  :portrait_url do |image, options|
+          image.public_filename(:portrait)
+        end
+  
+        expose  :thumb_url do |image, options|
+          image.public_filename(:thumb)
+        end
+      end
+  
+      class Profile < Grape::Entity
+        expose :identifier, :name, :id
+        expose :created_at, :format_with => :timestamp
+        expose :image, :using => Image
+      end
+  
+      class Person < Profile
+        root 'people', 'person'
+      end
+      class Enterprise < Profile
+        root 'enterprises', 'enterprise'
+      end
+      class Community < Profile
+        root 'communities', 'community'
+        expose :description
+      end
+  
+      class Category < Grape::Entity
+        root 'categories', 'category'
+        expose :name, :id, :slug
+        expose :image, :using => Image
+      end
+  
+  
+      class Article < Grape::Entity
+        root 'articles', 'article'
+        expose :id, :body
+        expose :created_at, :format_with => :timestamp
+        expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
+        expose :created_by, :as => :author, :using => Profile
+        expose :profile, :using => Profile
+        expose :categories, :using => Category
+        expose :parent, :using => Article
+      end
+  
+      class Comment < Grape::Entity
+        root 'comments', 'comment'
+        expose :body, :title, :id
+        expose :created_at, :format_with => :timestamp
+        expose :author, :using => Profile
+      end
+  
+  
+      class User < Grape::Entity
+        root 'users', 'user'
+        expose :id
+        expose :login
+        expose :person, :using => Profile
+        expose :permissions do |user, options|
+          output = {}
+          user.person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier)
+              output[role_assigment.resource.identifier] = role_assigment.role.permissions 
+            end
+          end
+          output
+        end
+      end
+  
+      class UserLogin < User
+        expose :private_token
+      end
+  
+    end
+  end
+end
@@ -0,0 +1,196 @@
+module Noosfero
+  module API
+    module APIHelpers
+      PRIVATE_TOKEN_PARAM = :private_token
+      ALLOWED_PARAMETERS = ['parent_id', 'from', 'until', 'content_type'] 
+  
+      def logger
+        @logger ||= Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV']}_api.log"))
+      end
+  
+      def current_user
+        private_token = params[PRIVATE_TOKEN_PARAM].to_s if params
+        @current_user ||= User.find_by_private_token(private_token)
+        @current_user = nil if !@current_user.nil? && @current_user.private_token_expired?
+        @current_user
+      end
+  
+      def current_person
+        current_user.person unless current_user.nil?
+      end
+  
+      def logout
+        @current_user = nil
+      end
+  
+      def environment
+        @environment
+      end
+  
+      def limit
+        limit = params[:limit].to_i
+        limit = default_limit if limit <= 0
+        limit
+      end
+  
+      def period(from_date, until_date)
+        return nil if from_date.nil? && until_date.nil?
+  
+        begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+        end_period = until_date.nil? ? DateTime.now : until_date
+  
+        begin_period..end_period
+      end
+  
+      def parse_content_type(content_type)
+        return nil if content_type.blank?
+        content_type.split(',').map do |content_type|
+          content_type.camelcase
+        end
+      end
+  
+      def find_article(articles, id)
+        article = articles.find(id)
+        article.display_to?(current_user.person) ? article : forbidden!
+      end
+
+      def make_conditions_with_parameter(params = {})
+        parsed_params = parser_params(params)
+        conditions = {}
+        from_date = DateTime.parse(parsed_params.delete('from')) if parsed_params['from']
+        until_date = DateTime.parse(parsed_params.delete('until')) if parsed_params['until']
+  
+        conditions[:type] = parse_content_type(parsed_params.delete('content_type')) unless parsed_params['content_type'].nil?
+  
+        conditions[:created_at] = period(from_date, until_date) if from_date || until_date
+        conditions.merge!(parsed_params)
+  
+        conditions
+      end
+  
+  
+      def select_filtered_collection_of(object, method, params)
+        conditions = make_conditions_with_parameter(params)
+                 
+        if params[:reference_id]
+          objects = object.send(method).send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).where(conditions).limit(limit).order("created_at DESC")
+        else
+          objects = object.send(method).where(conditions).limit(limit).order("created_at DESC")
+        end
+        objects
+      end
+  
+      def authenticate!
+        unauthorized! unless current_user
+      end
+  
+      # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
+      # or a Bad Request error is invoked.
+      #
+      # Parameters:
+      #   keys (unique) - A hash consisting of keys that must be unique
+      def unique_attributes!(obj, keys)
+        keys.each do |key|
+          cant_be_saved_request!(key) if obj.send("find_by_#{key.to_s}", params[key])
+        end
+      end
+  
+      def attributes_for_keys(keys)
+        attrs = {}
+        keys.each do |key|
+          attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+        end
+        attrs
+      end
+      
+      ##########################################
+      #              error helpers             #
+      ##########################################
+  
+      def forbidden!
+        render_api_error!('403 Forbidden', 403)
+      end
+  
+      def cant_be_saved_request!(attribute)
+        message = _("(Invalid request) #{attribute} can't be saved")
+        render_api_error!(message, 400)
+      end
+  
+      def bad_request!(attribute)
+        message = _("(Bad request) #{attribute} not given")
+        render_api_error!(message, 400)
+      end
+  
+      def something_wrong!
+        message = _("Something wrong happened")
+        render_api_error!(message, 400)
+      end
+  
+      def unauthorized!
+        render_api_error!(_('Unauthorized'), 401)
+      end
+  
+      def not_allowed!
+        render_api_error!(_('Method Not Allowed'), 405)
+      end
+  
+      def render_api_error!(message, status)
+        error!({'message' => message, :code => status}, status)
+      end
+  
+      def render_api_errors!(messages)
+        render_api_error!(messages.join(','), 400)
+      end
+      protected
+  
+      def start_log
+        logger.info "Started #{request.path} #{request.params.except('password')}"
+      end
+      def end_log
+        logger.info "Completed #{request.path}"
+      end
+  
+      def setup_multitenancy
+        Noosfero::MultiTenancy.setup!(request.host)
+      end
+  
+      def detect_stuff_by_domain
+        @domain = Domain.find_by_name(request.host)
+        if @domain.nil?
+          @environment = Environment.default
+          if @environment.nil? && Rails.env.development?
+            # This should only happen in development ...
+            @environment = Environment.create!(:name => "Noosfero", :is_default => true)
+          end
+        else
+          @environment = @domain.environment
+        end
+      end
+  
+      private
+
+      def parser_params(params) 
+        params.select{|k,v| ALLOWED_PARAMETERS.include?(k)}
+      end
+  
+      def default_limit
+        20
+      end
+  
+      def parse_content_type(content_type)
+        return nil if content_type.blank?
+        content_type.split(',').map do |content_type|
+          content_type.camelcase
+        end
+      end
+  
+      def period(from_date, until_date)
+        begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+        end_period = until_date.nil? ? DateTime.now : until_date
+  
+        begin_period..end_period
+      end
+  
+    end
+  end
+end
@@ -0,0 +1,50 @@
+module Noosfero
+  module API
+  
+    class Session < Grape::API
+  
+      # Login to get token
+      #
+      # Parameters:
+      #   login (*required) - user login or email
+      #   password (required) - user password
+      #
+      # Example Request:
+      #  POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
+      post "/login" do
+        user ||= User.authenticate(params[:login], params[:password], environment)
+  
+        return unauthorized! unless user
+        user.generate_private_token!
+        present user, :with => Entities::UserLogin
+      end
+  
+      # Create user.
+      #
+      # Parameters:
+      #   email (required)                  - Email
+      #   password (required)               - Password
+      #   login                             - login
+      # Example Request:
+      #   POST /register?email=some@mail.com&password=pas&login=some
+      params do
+        requires :email, type: String, desc: _("Email")
+        requires :login, type: String, desc: _("Login")
+        requires :password, type: String, desc: _("Password")
+      end
+      post "/register" do
+        unique_attributes! User, [:email, :login]
+        attrs = attributes_for_keys [:email, :login, :password]
+        attrs[:password_confirmation] = attrs[:password]
+        user = User.new(attrs)
+        if user.save
+          user.activate
+          present user, :with => Entities::User
+        else
+          something_wrong!
+        end
+      end
+  
+    end
+  end
+end
@@ -0,0 +1,169 @@
+module Noosfero
+  module API
+    module V1
+      class Articles < Grape::API
+        before { authenticate! }
+  
+        ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+  
+        resource :articles do
+  
+          # Collect articles
+          #
+          # Parameters:
+          #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+          #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+          #   limit            - amount of articles returned. The default value is 20
+          #
+          # Example Request:
+          #  GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+          get do
+            articles = select_filtered_collection_of(environment, 'articles', params)
+            articles = articles.display_filter(current_person, nil)
+            present articles, :with => Entities::Article
+          end
+  
+          desc "Return the article id"
+          get ':id' do
+            article = find_article(environment.articles, params[:id])
+            present article, :with => Entities::Article
+          end
+  
+          get ':id/children' do
+            article = find_article(environment.articles, params[:id])
+            articles = select_filtered_collection_of(article, 'children', params)
+            articles = articles.display_filter(current_person, nil)
+            present articles, :with => Entities::Article
+          end
+  
+          get ':id/children/:child_id' do
+            article = find_article(environment.articles, params[:id])
+            present find_article(article.children, params[:child_id]), :with => Entities::Article
+          end
+  
+        end
+  
+        resource :communities do
+          segment '/:community_id' do
+            resource :articles do
+              get do
+                community = environment.communities.find(params[:community_id])
+                articles = select_filtered_collection_of(community, 'articles', params)
+                articles = articles.display_filter(current_person, community)
+                present articles, :with => Entities::Article
+              end
+  
+              get ':id' do
+                community = environment.communities.find(params[:community_id])
+                article = find_article(community.articles, params[:id])
+                present article, :with => Entities::Article
+              end
+  
+              # Example Request:
+              #  POST api/v1/communites/:community_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
+              post do
+                community = environment.communities.find(params[:community_id])
+                return forbidden! unless current_person.can_post_content?(community)
+  
+                klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
+                return forbidden! unless ARTICLE_TYPES.include?(klass_type)
+  
+                article = klass_type.constantize.new(params[:article])
+                article.last_changed_by = current_person
+                article.created_by= current_person
+                article.profile = community
+  
+                if !article.save
+                  render_api_errors!(article.errors.full_messages)
+                end
+                present article, :with => Entities::Article
+              end
+  
+            end
+          end
+  
+        end
+  
+        resource :people do
+          segment '/:person_id' do
+            resource :articles do
+              get do
+                person = environment.people.find(params[:person_id])
+                articles = select_filtered_collection_of(person, 'articles', params)
+                articles = articles.display_filter(current_person, person)
+                present articles, :with => Entities::Article
+              end
+  
+              get ':id' do
+                person = environment.people.find(params[:person_id])
+                article = find_article(person.articles, params[:id])
+                present article, :with => Entities::Article
+              end
+  
+              post do
+                person = environment.people.find(params[:person_id])
+                return forbidden! unless current_person.can_post_content?(person)
+  
+                klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
+                return forbidden! unless ARTICLE_TYPES.include?(klass_type)
+  
+                article = klass_type.constantize.new(params[:article])
+                article.last_changed_by = current_person
+                article.created_by= current_person
+                article.profile = person
+  
+                if !article.save
+                  render_api_errors!(article.errors.full_messages)
+                end
+                present article, :with => Entities::Article
+              end
+  
+            end
+          end
+  
+        end
+  
+        resource :enterprises do
+          segment '/:enterprise_id' do
+            resource :articles do
+              get do
+                enterprise = environment.enterprises.find(params[:enterprise_id])
+                articles = select_filtered_collection_of(enterprise, 'articles', params)
+                articles = articles.display_filter(current_person, enterprise)
+                present articles, :with => Entities::Article
+              end
+  
+              get ':id' do
+                enterprise = environment.enterprises.find(params[:enterprise_id])
+                article = find_article(enterprise.articles, params[:id])
+                present article, :with => Entities::Article
+              end
+  
+              post do
+                enterprise = environment.enterprises.find(params[:enterprise_id])
+                return forbidden! unless current_person.can_post_content?(enterprise)
+  
+                klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
+                return forbidden! unless ARTICLE_TYPES.include?(klass_type)
+  
+                article = klass_type.constantize.new(params[:article])
+                article.last_changed_by = current_person
+                article.created_by= current_person
+                article.profile = enterprise
+  
+                if !article.save
+                  render_api_errors!(article.errors.full_messages)
+                end
+                present article, :with => Entities::Article
+              end
+  
+            end
+          end
+  
+        end
+  
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,25 @@
+module Noosfero
+  module API
+    module V1
+      class Categories < Grape::API
+        before { authenticate! }
+     
+        resource :categories do
+  
+          get do
+            type = params[:category_type]
+            categories = type.nil? ?  environment.categories : environment.categories.find(:all, :conditions => {:type => type})
+            present categories, :with => Entities::Category
+          end
+    
+          desc "Return the category by id" 
+          get ':id' do
+            present environment.categories.find(params[:id]), :with => Entities::Category
+          end
+  
+        end
+     
+      end
+    end
+  end
+end
@@ -0,0 +1,47 @@
+module Noosfero
+  module API
+    module V1
+      class Comments < Grape::API
+        before { authenticate! }
+  
+        resource :articles do
+          # Collect comments from articles
+          #
+          # Parameters:
+          #   reference_id     - comment id used as reference to collect comment
+          #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+          #   limit            - amount of comments returned. The default value is 20
+          #
+          # Example Request:
+          #  GET /articles/12/comments?oldest&limit=10&reference_id=23
+          get ":id/comments" do
+  
+            conditions = make_conditions_with_parameter(params)
+            article = find_article(environment.articles, params[:id])
+  
+            if params[:reference_id]
+              comments = article.comments.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
+            else
+              comments = article.comments.reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
+            end
+            present comments, :with => Entities::Comment
+  
+          end
+  
+          get ":id/comments/:comment_id" do
+            article = find_article(environment.articles, params[:id])
+            present article.comments.find(params[:comment_id]), :with => Entities::Comment
+          end
+  
+          # Example Request:
+          #  POST api/v1/articles/12/comments?private_toke=234298743290432&body=new comment
+          post ":id/comments" do
+            article = find_article(environment.articles, params[:id])
+            present article.comments.create(:author => current_person, :body => params[:body]), :with => Entities::Comment
+          end
+        end
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,72 @@
+module Noosfero
+  module API
+    module V1
+      class Communities < Grape::API
+        before { authenticate! }
+     
+        resource :communities do
+  
+          # Collect comments from articles
+          #
+          # Parameters:
+          #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+          #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+          #   limit            - amount of comments returned. The default value is 20
+          #
+          # Example Request:
+          #  GET /communities?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+          #  GET /communities?reference_id=10&limit=10&oldest
+          get do
+            communities = select_filtered_collection_of(environment, 'communities', params)
+            communities = communities.visible_for_person(current_person)
+            present communities, :with => Entities::Community
+          end
+  
+  
+          # Example Request:
+          #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
+          post do
+            params[:community] ||= {}
+            begin
+              community = Community.create_after_moderation(current_person, params[:community].merge({:environment => environment}))
+            rescue
+              community = Community.new(params[:community])
+            end
+  
+            if !community.save
+              render_api_errors!(community.errors.full_messages)
+            end
+  
+            present community, :with => Entities::Community
+          end
+  
+          get ':id' do
+            community = environment.communities.visible.find_by_id(params[:id])
+            present community, :with => Entities::Community
+          end
+  
+        end
+  
+        resource :people do
+  
+          segment '/:person_id' do
+  
+            resource :communities do
+  
+              get do
+                person = environment.people.find(params[:person_id])
+                communities = select_filtered_collection_of(person, 'communities', params)
+                communities = communities.visible
+                present communities, :with => Entities::Community
+              end
+  
+            end
+  
+          end
+  
+        end
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,56 @@
+module Noosfero
+  module API
+    module V1
+      class Enterprises < Grape::API
+        before { authenticate! }
+  
+        resource :enterprises do
+  
+          # Collect comments from articles
+          #
+          # Parameters:
+          #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+          #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+          #   limit            - amount of comments returned. The default value is 20
+          #
+          # Example Request:
+          #  GET /enterprises?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+          #  GET /enterprises?reference_id=10&limit=10&oldest
+          get do
+            enterprises = select_filtered_collection_of(environment, 'enterprises', params)
+            enterprises = enterprises.visible_for_person(current_person)
+            present enterprises, :with => Entities::Enterprise
+          end
+  
+          desc "Return one enterprise by id"
+          get ':id' do
+            enterprise = environment.enterprises.visible.find_by_id(params[:id])
+            present enterprise, :with => Entities::Enterprise
+          end
+  
+        end
+  
+        resource :people do
+  
+          segment '/:person_id' do
+  
+            resource :enterprises do
+  
+              get do
+                person = environment.people.find(params[:person_id])
+                enterprises = select_filtered_collection_of(person, 'enterprises', params)
+                enterprises = enterprises.visible
+                present enterprises, :with => Entities::Enterprise
+              end
+  
+            end
+  
+          end
+  
+        end
+  
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,42 @@
+module Noosfero
+  module API
+    module V1
+      class People < Grape::API
+        before { authenticate! }
+  
+        resource :people do
+  
+          # Collect comments from articles
+          #
+          # Parameters:
+          #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+          #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+          #   limit            - amount of comments returned. The default value is 20
+          #
+          # Example Request:
+          #  GET /people?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+          #  GET /people?reference_id=10&limit=10&oldest
+          get do
+            people = select_filtered_collection_of(environment, 'people', params)
+            people = people.visible_for_person(current_person)
+            present people, :with => Entities::Person
+          end
+  
+          desc "Return the person information"
+          get ':id' do
+            person = environment.people.visible.find_by_id(params[:id])
+            present person, :with => Entities::Person
+          end
+  
+          desc "Return the person friends"
+          get ':id/friends' do
+            friends = current_person.friends.visible
+            present friends, :with => Entities::Person
+          end
+  
+        end
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,48 @@
+module Noosfero
+  module API
+    module V1
+      class Users < Grape::API
+        before { authenticate! }
+  
+        resource :users do
+  
+          #FIXME make the pagination
+          #FIXME put it on environment context
+          get do
+            present environment.users, :with => Entities::User
+          end
+  
+          # Example Request:
+          #  POST api/v1/users?user[login]=some_login&user[password]=some
+          post do
+            user = User.new(params[:user])
+            user.terms_of_use = environment.terms_of_use
+            user.environment = environment
+            if !user.save
+              render_api_errors!(user.errors.full_messages)
+            end
+           
+            present user, :with => Entities::User
+          end
+  
+          get ":id" do
+            present environment.users.find_by_id(params[:id]), :with => Entities::User
+          end
+  
+          get ":id/permissions" do
+            user = environment.users.find(params[:id])
+            output = {}
+            user.person.role_assignments.map do |role_assigment|
+              if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
+                output[:permissions] = role_assigment.role.permissions 
+              end
+            end
+            present output
+          end
+    
+        end
+  
+      end
+    end
+  end
+end
@@ -141,7 +141,7 @@ class Noosfero::Plugin
     def available_plugin_names
       available_plugins.map { |f| File.basename(f).camelize }
     end
- 
+
     def all
       @all ||= available_plugins.map{ |dir| (File.basename(dir) + "_plugin").camelize }
     end
@@ -711,7 +711,6 @@ class Noosfero::Plugin
     %w[edit delete spread locale suggest home new upload undo]
   end
  
-
 end
  
 require 'noosfero/plugin/hot_spot'
@@ -0,0 +1,446 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class ArticlesTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list articles' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    get "/api/v1/articles/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["articles"].map { |a| a["id"] }, article.id
+  end
+
+  should 'not list forbidden article when listing articles' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['articles'].map {|a| a['id']}, article.id
+  end
+
+  should 'return article by id' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["id"]
+  end
+
+  should 'not return article if user has no permission to view it' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'list article children' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    child1 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    child2 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}/children?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] }
+  end
+
+  should 'not list children of forbidden article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    child1 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
+    child2 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}/children?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not return child of forbidden article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not return private child' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
+    child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false)
+    get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not list private child' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
+    child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false)
+    get "/api/v1/articles/#{article.id}/children?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['articles'].map {|a| a['id']}, child.id
+  end
+
+  #############################
+  #     Community Articles    #
+  #############################
+
+  should 'return article by community' do
+    community = fast_create(Community)
+    article = fast_create(Article, :profile_id => community.id, :name => "Some thing")
+    get "/api/v1/communities/#{community.id}/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["id"]
+  end
+
+  should 'not return article by community if user has no permission to view it' do
+    community = fast_create(Community)
+    article = fast_create(Article, :profile_id => community.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/communities/#{community.id}/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not list forbidden article when listing articles by community' do
+    community = fast_create(Community)
+    article = fast_create(Article, :profile_id => community.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['articles'].map {|a| a['id']}, article.id
+  end
+
+  should 'create article in a community' do
+    community = fast_create(Community)
+    give_permission(user.person, 'post_content', community)
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal "Title", json["article"]["title"]
+  end
+
+  should 'do not create article if user has no permission to post content' do
+    community = fast_create(Community)
+    give_permission(user.person, 'invite_members', community)
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'create article with parent' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+    article = fast_create(Article)
+
+    params[:article] = {:name => "Title", :parent_id => article.id}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["parent"]["id"]
+  end
+
+  should 'create article with content type passed as parameter' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    Article.delete_all
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'TextArticle'
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TextArticle, Article.last
+  end
+  
+  should 'create article of TinyMceArticle type if no content type is passed as parameter' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TinyMceArticle, Article.last
+  end
+
+  should 'not create article with invalid article content type' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'Person'
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal 403, last_response.status
+  end
+
+  should 'create article defining the correct profile' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal community, Article.last.profile
+  end
+
+  should 'create article defining the created_by' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.created_by
+  end
+
+  should 'create article defining the last_changed_by' do
+    community = fast_create(Community)
+    community.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.last_changed_by
+  end
+
+  #############################
+  #       Person Articles     #
+  #############################
+
+  should 'return article by person' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
+    get "/api/v1/people/#{person.id}/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["id"]
+  end
+
+  should 'not return article by person if user has no permission to view it' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/people/#{person.id}/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not list forbidden article when listing articles by person' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+    get "/api/v1/people/#{person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['articles'].map {|a| a['id']}, article.id
+  end
+
+  should 'create article in a person' do
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal "Title", json["article"]["title"]
+  end
+
+  should 'person do not create article if user has no permission to post content' do
+    person = fast_create(Person)
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{person.id}/articles?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'person create article with parent' do
+    article = fast_create(Article)
+
+    params[:article] = {:name => "Title", :parent_id => article.id}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["parent"]["id"]
+  end
+
+  should 'person create article with content type passed as parameter' do
+    Article.delete_all
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'TextArticle'
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TextArticle, Article.last
+  end
+  
+  should 'person create article of TinyMceArticle type if no content type is passed as parameter' do
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TinyMceArticle, Article.last
+  end
+
+  should 'person not create article with invalid article content type' do
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'Person'
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal 403, last_response.status
+  end
+
+  should 'person create article defining the correct profile' do
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.profile
+  end
+
+  should 'person create article defining the created_by' do
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.created_by
+  end
+
+  should 'person create article defining the last_changed_by' do
+    params[:article] = {:name => "Title"}
+    post "/api/v1/people/#{user.person.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.last_changed_by
+  end
+
+  #############################
+  #     Enterprise Articles    #
+  #############################
+
+  should 'return article by enterprise' do
+    enterprise = fast_create(Enterprise)
+    article = fast_create(Article, :profile_id => enterprise.id, :name => "Some thing")
+    get "/api/v1/enterprises/#{enterprise.id}/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["id"]
+  end
+
+  should 'not return article by enterprise if user has no permission to view it' do
+    enterprise = fast_create(Enterprise)
+    article = fast_create(Article, :profile_id => enterprise.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/enterprises/#{enterprise.id}/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not list forbidden article when listing articles by enterprise' do
+    enterprise = fast_create(Enterprise)
+    article = fast_create(Article, :profile_id => enterprise.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['articles'].map {|a| a['id']}, article.id
+  end
+
+  should 'create article in a enterprise' do
+    enterprise = fast_create(Enterprise)
+    give_permission(user.person, 'post_content', enterprise)
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal "Title", json["article"]["title"]
+  end
+
+  should 'enterprise: do not create article if user has no permission to post content' do
+    enterprise = fast_create(Enterprise)
+    give_permission(user.person, 'invite_members', enterprise)
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'enterprise: create article with parent' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+    article = fast_create(Article)
+
+    params[:article] = {:name => "Title", :parent_id => article.id}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json["article"]["parent"]["id"]
+  end
+
+  should 'enterprise: create article with content type passed as parameter' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    Article.delete_all
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'TextArticle'
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TextArticle, Article.last
+  end
+  
+  should 'enterprise: create article of TinyMceArticle type if no content type is passed as parameter' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_kind_of TinyMceArticle, Article.last
+  end
+
+  should 'enterprise: not create article with invalid article content type' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    params[:content_type] = 'Person'
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal 403, last_response.status
+  end
+
+  should 'enterprise: create article defining the correct profile' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal enterprise, Article.last.profile
+  end
+
+  should 'enterprise: create article defining the created_by' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.created_by
+  end
+
+  should 'enterprise: create article defining the last_changed_by' do
+    enterprise = fast_create(Enterprise)
+    enterprise.add_member(user.person)
+
+    params[:article] = {:name => "Title"}
+    post "/api/v1/enterprises/#{enterprise.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_equal user.person, Article.last.last_changed_by
+  end
+
+
+end
@@ -0,0 +1,23 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class CategoriesTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list categories' do
+    category = fast_create(Category)
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["categories"].map { |c| c["name"] }, category.name
+  end
+
+  should 'get category by id' do
+    category = fast_create(Category)
+    get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal category.name, json["category"]["name"]
+  end
+
+end
@@ -0,0 +1,47 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class CommentsTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'not list comments if user has no permission to view the source article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not return comment if user has no permission to view the source article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => user.person)
+    assert !article.published?
+
+    get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not comment a article if user has no permission to view it' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'return comments of an article' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => user.person)
+    article.comments.create!(:body => "another comment", :author => user.person)
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 2, json["comments"].length
+  end
+
+end
@@ -0,0 +1,114 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class CommunitiesTest < ActiveSupport::TestCase
+
+  def setup
+    Community.delete_all
+    login_api
+  end
+
+  should 'list all communities' do
+    community1 = fast_create(Community, :public_profile => true)
+    community2 = fast_create(Community)
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not list invisible communities' do
+    community1 = fast_create(Community)
+    fast_create(Community, :visible => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not list private communities without permission' do
+    community1 = fast_create(Community)
+    fast_create(Community, :public_profile => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'list private community for members' do
+    c1 = fast_create(Community)
+    c2 = fast_create(Community, :public_profile => false)
+    c2.add_member(person)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'create a community' do
+    params[:community] = {:name => 'some'}
+    post "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 'some', json['community']['name']
+  end
+
+  should 'return 400 status for invalid community creation' do
+    post "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 400, last_response.status
+  end
+
+  should 'get community' do
+    community = fast_create(Community)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'not get invisible community' do
+    community = fast_create(Community, :visible => false)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['community'].blank?
+  end
+
+  should 'not get private communities without permission' do
+    community = fast_create(Community)
+    fast_create(Community, :public_profile => false)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'get private community for members' do
+    community = fast_create(Community, :public_profile => false)
+    community.add_member(person)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'list person communities' do
+    community = fast_create(Community)
+    fast_create(Community)
+    community.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not list person communities invisible' do
+    c1 = fast_create(Community)
+    c2 = fast_create(Community, :visible => false)
+    c1.add_member(person)
+    c2.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
+  end
+
+end
@@ -0,0 +1,101 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class EnterprisesTest < ActiveSupport::TestCase
+
+  def setup
+    Enterprise.delete_all
+    login_api
+  end
+
+  should 'list all enterprises' do
+    enterprise1 = fast_create(Enterprise, :public_profile => true)
+    enterprise2 = fast_create(Enterprise)
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'not list invisible enterprises' do
+    enterprise1 = fast_create(Enterprise)
+    fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'not list private enterprises without permission' do
+    enterprise1 = fast_create(Enterprise)
+    fast_create(Enterprise, :public_profile => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'list private enterprise for members' do
+    c1 = fast_create(Enterprise)
+    c2 = fast_create(Enterprise, :public_profile => false)
+    c2.add_member(person)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [c1.id, c2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'get enterprise' do
+    enterprise = fast_create(Enterprise)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'not get invisible enterprise' do
+    enterprise = fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['enterprise'].blank?
+  end
+
+  should 'not get private enterprises without permission' do
+    enterprise = fast_create(Enterprise)
+    fast_create(Enterprise, :public_profile => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'get private enterprise for members' do
+    enterprise = fast_create(Enterprise, :public_profile => false)
+    enterprise.add_member(person)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'list person enterprises' do
+    enterprise = fast_create(Enterprise)
+    fast_create(Enterprise)
+    enterprise.add_member(person)
+
+    get "/api/v1/people/#{person.id}/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'not list person enterprises invisible' do
+    c1 = fast_create(Enterprise)
+    c2 = fast_create(Enterprise, :visible => false)
+    c1.add_member(person)
+    c2.add_member(person)
+
+    get "/api/v1/people/#{person.id}/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
+  end
+
+end
@@ -0,0 +1,157 @@
+require File.dirname(__FILE__) + '/test_helper'
+require File.expand_path(File.dirname(__FILE__) + "/../../../lib/noosfero/api/helpers")
+
+class APITest < ActiveSupport::TestCase
+
+  include Noosfero::API::APIHelpers
+
+  should 'get the current user with valid token' do
+    user = create_user('someuser')
+    user.generate_private_token!
+    self.params = {:private_token => user.private_token}
+    assert_equal user, current_user
+  end
+
+  should 'not get the current user with expired token' do
+    user = create_user('someuser')
+    user.generate_private_token!
+    user.private_token_generated_at = DateTime.now.prev_year
+    user.save
+    self.params = {:private_token => user.private_token}
+    assert_nil current_user
+  end
+
+  should 'get the person of current user' do
+    user = create_user('someuser')
+    user.generate_private_token!
+    self.params = {:private_token => user.private_token}
+    assert_equal user.person, current_person
+  end
+
+#  #FIXME see how to make this test. Get the current_user variable
+#  should 'set current_user to nil after logout' do
+#    user = create_user('someuser')
+#    user.stubs(:private_token_expired?).returns(false)
+#    User.stubs(:find_by_private_token).returns(user)
+#    assert_not_nil current_user
+#    assert false
+#    logout
+#  end
+
+  should 'limit be defined as the params limit value' do
+    local_limit = 30
+    self.params= {:limit => local_limit}
+    assert_equal local_limit, limit 
+  end
+
+  should 'return default limit if the limit parameter is minor than zero' do
+    self.params= {:limit => -1}
+    assert_equal 20, limit 
+  end
+
+  should 'the default limit be 20' do
+    assert_equal 20, limit 
+  end
+
+  should 'the beginning of the period be the first existent date if no from date is passsed as parameter' do
+    assert_equal Time.at(0).to_datetime, period(nil, nil).to_a[0]
+  end 
+
+  should 'the beginning of the period be from date passsed as parameter' do
+    from = DateTime.now
+    assert_equal from, period(from, nil).min
+  end 
+
+  should 'the end of the period be now if no until date is passsed as parameter' do
+    assert_in_delta DateTime.now, period(nil, nil).max
+  end 
+
+  should 'the end of the period be until date passsed as parameter' do
+    until_date = DateTime.now
+    assert_equal until_date, period(nil, until_date).max
+  end 
+
+  should 'parse_content_type return nil if its blank' do
+    assert_nil parse_content_type("")
+  end
+
+  should 'parse_content_type be an array' do
+    assert_kind_of Array, parse_content_type("text_article")
+  end
+
+  should 'parse_content_type return all content types as an array' do
+    assert_equivalent ['TextArticle','TinyMceArticle'], parse_content_type("TextArticle,TinyMceArticle")
+  end
+
+  should 'find_article return article by id in list passed for user with permission' do 
+    user = create_user('someuser')
+    a = fast_create(Article, :profile_id => user.person.id)
+    fast_create(Article, :profile_id => user.person.id)
+    fast_create(Article, :profile_id => user.person.id)
+ 
+    user.generate_private_token!
+    User.expects(:find_by_private_token).returns(user)
+    assert_equal a, find_article(user.person.articles, a.id)
+  end
+
+  should 'find_article return forbidden when a user try to access an article without permission' do 
+    user = create_user('someuser')
+    p = fast_create(Profile)
+    a = fast_create(Article, :published => false, :profile_id => p.id)
+    fast_create(Article, :profile_id => p.id)
+ 
+    user.generate_private_token!
+    User.expects(:find_by_private_token).returns(user)
+    assert_equal 403, find_article(p.articles, a.id).last
+  end
+
+  should 'make_conditions_with_parameter return no created at parameter if it was not defined from or until parameters' do
+    assert_nil make_conditions_with_parameter[:created_at]
+  end
+
+  should 'make_conditions_with_parameter return created_at parameter if from period is defined' do
+    assert_not_nil make_conditions_with_parameter(:from => '2010-10-10')[:created_at]
+  end
+
+  should 'make_conditions_with_parameter return created_at parameter if until period is defined' do
+    assert_not_nil make_conditions_with_parameter(:until => '2010-10-10')[:created_at]
+  end
+
+#  should 'the beginning of the period be the first existent date if no from date is passsed as parameter' do
+  should 'make_conditions_with_parameter return created_at as the first existent date as parameter if only until is defined' do
+    assert_equal Time.at(0).to_datetime, make_conditions_with_parameter(:until => '2010-10-10')[:created_at].min
+  end
+
+  should 'make_conditions_with_parameter: the minimal created_at date be the from date passed as parameter' do
+    date = '2010-10-10'
+    assert_equal DateTime.parse(date), make_conditions_with_parameter(:from => date)[:created_at].min
+  end
+
+  should 'make_conditions_with_parameter: the maximum created_at date be the until date passed as parameter' do
+    date = '2010-10-10'
+    assert_equal DateTime.parse(date), make_conditions_with_parameter(:until => date)[:created_at].max
+  end
+
+  should 'make_conditions_with_parameter return the until date passed as parameter' do
+    date = '2010-10-10'
+    assert_equal DateTime.parse(date), make_conditions_with_parameter(:from => '2010-10-10')[:created_at].min
+  end
+
+  should 'make_conditions_with_parameter return no type parameter if it was not defined any content type' do
+    assert_nil make_conditions_with_parameter[:type]
+  end
+
+  protected
+
+  def error!(info, status)
+    [info, status]
+  end
+
+  def params
+    @params ||= {}
+  end
+
+  def params= value
+    @params = value
+  end
+end
@@ -0,0 +1,102 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class PeopleTest < ActiveSupport::TestCase
+
+  def setup
+    Person.delete_all
+    login_api
+  end
+
+  should 'list all people' do
+    person1 = fast_create(Person, :public_profile => true)
+    person2 = fast_create(Person)
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'not list invisible people' do
+    person1 = fast_create(Person)
+    fast_create(Person, :visible => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'not list private people without permission' do
+    person1 = fast_create(Person)
+    fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'list private person for friends' do
+    p1 = fast_create(Person)
+    p2 = fast_create(Person, :public_profile => false)
+    person.add_friend(p2)
+    p2.add_friend(person)
+
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [p1.id, p2.id, person.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'get person' do
+    person = fast_create(Person)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal person.id, json['person']['id']
+  end
+
+  should 'not get invisible person' do
+    person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person'].blank?
+  end
+
+  should 'not get private people without permission' do
+    person = fast_create(Person)
+    fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal person.id, json['person']['id']
+  end
+
+  should 'get private person for friends' do
+    person = fast_create(Person, :public_profile => false)
+    person.add_friend(person)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal person.id, json['person']['id']
+  end
+
+  should 'list person friends' do
+    p = fast_create(Person)
+    fast_create(Person)
+    person.add_friend(p)
+
+    get "/api/v1/people/#{person.id}/friends?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [p.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'not list person friends invisible' do
+    p1 = fast_create(Person)
+    p2 = fast_create(Person, :visible => false)
+    person.add_friend(p1)
+    person.add_friend(p2)
+
+    get "/api/v1/people/#{person.id}/friends?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [p1.id], json['people'].map {|c| c['id']}
+  end
+
+end
@@ -0,0 +1,42 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class APITest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'generate private token when login' do
+    params = {:login => "testapi", :password => "testapi"}
+    post "/api/v1/login?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert !json["private_token"].blank?
+  end
+
+  should 'return 401 when login fails' do
+    user.destroy
+    params = {:login => "testapi", :password => "testapi"}
+    post "/api/v1/login?#{params.to_query}"
+    assert_equal 401, last_response.status
+  end
+
+  should 'register a user' do
+    params = {:login => "newuserapi", :password => "newuserapi", :email => "newuserapi@email.com" }
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 201, last_response.status
+  end
+
+  should 'do not register a user without email' do
+    params = {:login => "newuserapi", :password => "newuserapi", :email => nil }
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 400, last_response.status
+  end
+
+  should 'do not register a duplicated user' do
+    params = {:login => "newuserapi", :password => "newuserapi", :email => "newuserapi@email.com" }
+    post "/api/v1/register?#{params.to_query}"
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 400, last_response.status
+  end
+
+end
@@ -0,0 +1,23 @@
+require File.dirname(__FILE__) + '/../../test_helper'
+
+class ActiveSupport::TestCase
+
+  include Rack::Test::Methods
+
+  def app
+    Noosfero::API::API
+  end
+
+  def login_api
+    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => Environment.default)
+    @user.activate
+    @person = @user.person
+
+    post "/api/v1/login?login=testapi&password=testapi"
+    json = JSON.parse(last_response.body)
+    @private_token = json["private_token"]
+    @params = {:private_token => @private_token}
+  end
+  attr_accessor :private_token, :user, :person, :params
+
+end
@@ -0,0 +1,43 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class UsersTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list users' do
+    get "/api/v1/users/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["users"].map { |a| a["login"] }, user.login
+  end
+
+  should 'create a user' do
+    params[:user] = {:login => 'some', :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 'some', json['user']['login']
+  end
+
+  should 'return 400 status for invalid user creation' do
+    params[:user] = {:login => 'some'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 400, last_response.status
+  end
+
+  should 'get user' do
+    get "/api/v1/users/#{user.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal user.id, json['user']['id']
+  end
+
+  should 'list user permissions' do
+    community = fast_create(Community)
+    community.add_admin(person)
+    get "/api/v1/users/#{user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["user"]["permissions"], community.identifier
+  end
+
+end
@@ -1638,4 +1638,27 @@ class PersonTest &lt; ActiveSupport::TestCase
     assert_equal false, person.follows?(nil)
   end
  
+  should 'allow posting content when has post_content permission' do
+    person = create_user('person').person
+    profile = mock
+    person.expects(:has_permission?).with('post_content', profile).returns(true)
+    assert person.can_post_content?(profile)
+  end
+
+  should 'allow posting content when has publish_content permission' do
+    person = create_user('person').person
+    profile = mock
+    person.expects(:has_permission?).with('post_content', profile).returns(false)
+    person.expects(:has_permission?).with('publish_content', profile).returns(true)
+    assert person.can_post_content?(profile)
+  end
+
+  should 'allow posting content when has permission in the parent' do
+    person = create_user('person').person
+    profile = mock
+    parent = mock
+    parent.expects(:allow_create?).with(person).returns(true)
+    assert person.can_post_content?(profile, parent)
+  end
+
 end
...	...	@@ -20,6 +20,16 @@ gem 'gettext', '~> 2.2.1', :require => false
20	20	gem 'locale', '~> 2.0.5'
21	21	gem 'whenever', :require => false
22	22	gem 'eita-jrails', '>= 0.9.5', :require => 'jrails'
	23	+gem 'grape', '~> 0.8.0'
	24	+gem 'grape-entity'
	25	+gem 'grape-swagger'
	26	+gem 'rack-cors'
	27	+gem 'rack-contrib'
	28	+
	29	+#gem 'grape-swagger-rails'
	30	+
	31	+# FIXME list here all actual dependencies (i.e. the ones in debian/control),
	32	+# with their GEM names (not the Debian package names)
23	33
24	34	group :assets do
25	35	gem 'uglifier', '>= 1.0.3'
...	...
...	...	@@ -15,4 +15,21 @@ Noosfero::Application.load_tasks
15	15	Dir.glob(pattern).sort
16	16	end.flatten.each do \|taskfile\|
17	17	load taskfile
	18	+end
	19	+
	20	+# plugins' tasks
	21	+plugins_tasks = Dir.glob("config/plugins//{tasks,lib/tasks,rails/tasks}//.rake").sort +
	22	+ Dir.glob("config/plugins//vendor/plugins//{tasks,lib/tasks,rails/tasks}/*/.rake").sort
	23	+plugins_tasks.each{ \|ext\| load ext }
	24	+
	25	+
	26	+desc "Print out grape routes"
	27	+task :grape_routes => :environment do
	28	+ #require 'api/api.rb'
	29	+ Noosfero::API::API.routes.each do \|route\|
	30	+ puts route
	31	+ method = route.route_method
	32	+ path = route.route_path
	33	+ puts " #{method} #{path}"
	34	+ end
18	35	end
...	...
...	...	@@ -27,20 +27,13 @@ class CmsController < MyProfileController
27	27
28	28	helper_method :file_types
29	29
30		- protect_if :only => :upload_files do \|c, user, profile\|
31		- article_id = c.params[:parent_id]
32		- (!article_id.blank? && profile.articles.find(article_id).allow_create?(user)) \|\|
33		- (user && (user.has_permission?('post_content', profile) \|\| user.has_permission?('publish_content', profile)))
34		- end
35		-
36		- protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :publish_on_portal_community, :publish_on_communities, :search_communities_to_publish, :upload_files, :new] do \|c, user, profile\|
	30	+ protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :upload_files, :new] do \|c, user, profile\|
37	31	user && (user.has_permission?('post_content', profile) \|\| user.has_permission?('publish_content', profile))
38	32	end
39	33
40		- protect_if :only => :new do \|c, user, profile\|
41		- article = profile.articles.find_by_id(c.params[:parent_id])
42		- (!article.nil? && (article.allow_create?(user) \|\| article.parent.allow_create?(user))) \|\|
43		- (user && (user.has_permission?('post_content', profile) \|\| user.has_permission?('publish_content', profile)))
	34	+ protect_if :only => [:new, :upload_files] do \|c, user, profile\|
	35	+ parent = profile.articles.find_by_id(c.params[:parent_id])
	36	+ user && user.can_post_content?(profile, parent)
44	37	end
45	38
46	39	protect_if :only => :destroy do \|c, user, profile\|
...	...
...	...	@@ -702,6 +702,11 @@ class Article < ActiveRecord::Base
702	702	person ? person.id : nil
703	703	end
704	704
	705	+ #FIXME make this test
	706	+ def author_custom_image(size = :icon)
	707	+ author ? author.profile_custom_image(size) : nil
	708	+ end
	709	+
705	710	def version_license(version_number = nil)
706	711	return license if version_number.nil?
707	712	profile.environment.licenses.find_by_id(get_version(version_number).license_id)
...	...
...	...	@@ -8,6 +8,13 @@ class Organization < Profile
8	8	:display => %w[compact]
9	9	}
10	10
	11	+ scope :visible_for_person, lambda { \|person\|
	12	+ joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
	13	+ .where(
	14	+ ['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
	15	+ (profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id, true, true]
	16	+ ).uniq
	17	+ }
11	18
12	19	settings_items :closed, :type => :boolean, :default => false
13	20	def closed?
...	...
...	...	@@ -39,6 +39,14 @@ roles] }
39	39	{ :select => 'DISTINCT profiles.*', :conditions => ['"profiles"."id" NOT IN (SELECT DISTINCT profiles.id FROM "profiles" INNER JOIN "friendships" ON "friendships"."person_id" = "profiles"."id" WHERE "friendships"."friend_id" IN (%s))' % resources.map(&:id)] }
40	40	}
41	41
	42	+ scope :visible_for_person, lambda { \|person\|
	43	+ joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
	44	+ .where(
	45	+ ['( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?)', person.id, true, true]
	46	+ ).uniq
	47	+ }
	48	+
	49	+
42	50	def has_permission_with_admin?(permission, resource)
43	51	return true if resource.blank? \|\| resource.admins.include?(self)
44	52	return true if resource.kind_of?(Profile) && resource.environment.admins.include?(self)
...	...	@@ -123,6 +131,11 @@ roles] }
123	131	self.tracked_notifications.exists?(activity)
124	132	end
125	133
	134	+ def can_post_content?(profile, parent=nil)
	135	+ (!parent.nil? && (parent.allow_create?(self))) \|\|
	136	+ (self.has_permission?('post_content', profile) \|\| self.has_permission?('publish_content', profile))
	137	+ end
	138	+
126	139	# Sets the identifier for this person. Raises an exception when called on a
127	140	# existing person (since peoples' identifiers cannot be changed)
128	141	def identifier=(value)
...	...
...	...	@@ -124,6 +124,16 @@ class Profile < ActiveRecord::Base
124	124	}
125	125	scope :no_templates, {:conditions => {:is_template => false}}
126	126
	127	+ #FIXME make this test
	128	+ scope :newer_than, lambda { \|reference_id\|
	129	+ {:conditions => ["profiles.id > #{reference_id}"]}
	130	+ }
	131	+
	132	+ #FIXME make this test
	133	+ scope :older_than, lambda { \|reference_id\|
	134	+ {:conditions => ["profiles.id < #{reference_id}"]}
	135	+ }
	136	+
127	137	def members
128	138	scopes = plugins.dispatch_scopes(:organization_members, self)
129	139	scopes << Person.members_of(self)
...	...	@@ -947,6 +957,13 @@ private :generate_url, :url_options
947	957	image.public_filename(:icon) if image.present?
948	958	end
949	959
	960	+ #FIXME make this test
	961	+ def profile_custom_image(size = :icon)
	962	+ image_path = profile_custom_icon if size == :icon
	963	+ image_path \|\|= image.public_filename(size) if image.present?
	964	+ image_path
	965	+ end
	966	+
950	967	def jid(options = {})
951	968	domain = options[:domain] \|\| environment.default_hostname
952	969	"#{identifier}@#{domain}"
...	...
1	1	require 'digest/sha1'
2	2	require 'user_activation_job'
	3	+require 'securerandom'
3	4
4	5	# User models the system users, and is generated by the acts_as_authenticated
5	6	# Rails generator.
...	...	@@ -119,6 +120,18 @@ class User < ActiveRecord::Base
119	120	self.update_attribute :last_login_at, Time.now
120	121	end
121	122
	123	+ #FIXME make this test
	124	+ def generate_private_token!
	125	+ self.private_token = SecureRandom.hex
	126	+ self.private_token_generated_at = DateTime.now
	127	+ save(:validate => false)
	128	+ end
	129	+
	130	+ #FIXME make this test
	131	+ def private_token_expired?
	132	+ self.generate_private_token! if self.private_token.nil? \|\| (self.private_token_generated_at + 2.weeks < DateTime.now)
	133	+ end
	134	+
122	135	# Activates the user in the database.
123	136	def activate
124	137	return false unless self.person
...	...
...	...	@@ -2,11 +2,15 @@
2	2
3	3	require ::File.expand_path('../config/environment', __FILE__)
4	4
	5	+#use Rails::Rack::LogTailer
	6	+#use Rails::Rack::Static
	7	+#run ActionController::Dispatcher.news
	8	+
5	9	rails_app = Rack::Builder.new do
6	10	run Noosfero::Application
7	11	end
8	12
9	13	run Rack::Cascade.new([
10		- API::API,
	14	+ Noosfero::API::API,
11	15	rails_app
12	16	])
...	...
...	...	@@ -135,5 +135,12 @@ module Noosfero
135	135
136	136	Noosfero::Plugin.setup(config)
137	137
	138	+ config.middleware.use Rack::Cors do
	139	+ allow do
	140	+ origins '*'
	141	+ resource 'api/*', :headers => :any, :methods => [:get, :post]
	142	+ end
	143	+ end
	144	+
138	145	end
139	146	end
...	...