merge with master

Leandro Santos
2 parents 1cf85a75 c10cc29c
Showing 24 changed files with 842 additions and 153 deletions Show diff stats
app/models/organization.rb
app/models/person.rb
app/views/profile_search/_results_list.html.erb
app/views/search/_search_content.html.erb
lib/noosfero/api/entities.rb
lib/noosfero/api/v1/categories.rb
lib/noosfero/api/v1/comments.rb
lib/noosfero/api/v1/communities.rb
lib/noosfero/api/v1/enterprises.rb
lib/noosfero/api/v1/people.rb
lib/noosfero/api/v1/profiles.rb
lib/noosfero/api/v1/users.rb
test/api/articles_test.rb
test/api/categories_test.rb
test/api/comments_test.rb
test/api/communities_test.rb
test/api/enterprises_test.rb
test/api/helpers_test.rb
test/api/people_test.rb
test/api/profiles_test.rb
@@ -17,6 +17,8 @@ class Organization &lt; Profile
 #   4) The user is not a member of the organization but the organization is
 #   visible, public and enabled.
   def self.visible_for_person(person)
+    # Visitor if person.nil?
+    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
           AND "role_assignments"."resource_type" = \'Profile\') OR (
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -28,8 +30,8 @@ class Organization &lt; Profile
         ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
             ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
           ( profiles.visible = ? ) )',
-      'profile_admin', 'environment_administrator', Profile.name, person.id,
-      Profile.name, person.id,  true, true, true]
+      'profile_admin', 'environment_administrator', Profile.name, person_id,
+      Profile.name, person_id,  true, true, true]
     ).uniq
   end
  
@@ -42,6 +42,8 @@ class Person &lt; Profile
   }
  
   scope :visible_for_person, lambda { |person|
+    # Visitor if person.nil?
+    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
           "role_assignments"."resource_type" = \'Environment\'')
@@ -49,9 +51,10 @@ class Person &lt; Profile
     .joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
     .where(
       ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
-        ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )', 'environment_administrator', Profile.name, person.id, person.id,  true, true]
+        ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
+         'environment_administrator', Profile.name, person_id, person_id,  true, true]
     ).uniq
-    }
+  }
  
   def has_permission_with_admin?(permission, resource)
     return true if resource.blank? || resource.admins.include?(self)
 <div id='search-content'>
   <% if @results %>
     <div class='results-found-message'>
-      <%= _("%s results found") % @results.total_entries %>
+      <%= n_("%s result found", "%s results found", @results.total_entries) % @results.total_entries %>
     </div>
  
     <ul class='results-list'>
 <div id='search-content'>
   <div class='total'>
-    <%= _('Total of %s results ') % @searches[@asset][:results].total_entries.inspect %>
+    <%= n_('Total of 1 result', 'Total of %s results', @searches[@asset][:results].total_entries) % @searches[@asset][:results].total_entries.inspect %>
   </div>
  
 <%= display_results(@searches, @asset) %>
@@ -197,7 +197,7 @@ module Noosfero
       class Article < ArticleBase
         root 'articles', 'article'
         expose :parent, :using => ArticleBase
-        expose :children, using: ArticleBase do |article, options|
+        expose :children, :using => ArticleBase do |article, options|
           article.children.limit(Noosfero::API::V1::Articles::MAX_PER_PAGE)
         end
       end
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Categories < Grape::API
-        before { authenticate! }
  
         resource :categories do
  
@@ -4,7 +4,6 @@ module Noosfero
       class Comments < Grape::API
         MAX_PER_PAGE = 20
  
-        before { authenticate! }
  
         resource :articles do
           paginate max_per_page: MAX_PER_PAGE
@@ -34,6 +33,7 @@ module Noosfero
           # Example Request:
           #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
           post ":id/comments" do
+            authenticate!
             article = find_article(environment.articles, params[:id])
             options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
             begin
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Communities < Grape::API
-        before { authenticate! }
  
         resource :communities do
  
@@ -18,7 +17,7 @@ module Noosfero
           #  GET /communities?reference_id=10&limit=10&oldest
           get do
             communities = select_filtered_collection_of(environment, 'communities', params)
-            communities = communities.visible_for_person(current_person)
+            communities = communities.visible
             communities = communities.by_location(params) # Must be the last. May return Exception obj.
             present communities, :with => Entities::Community, :current_person => current_person
           end
@@ -28,6 +27,7 @@ module Noosfero
           #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
           #  for each custom field for community, add &community[field_name]=field_value to the request
           post do
+            authenticate!
             params[:community] ||= {}
  
             params[:community][:custom_values]={}
@@ -49,7 +49,7 @@ module Noosfero
           end
  
           get ':id' do
-            community = environment.communities.visible_for_person(current_person).find_by id: params[:id]
+            community = environment.communities.visible.find_by(id: params[:id])
             present community, :with => Entities::Community, :current_person => current_person
           end
  
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Enterprises < Grape::API
-        before { authenticate! }
  
         resource :enterprises do
  
@@ -19,14 +18,14 @@ module Noosfero
           #  GET /enterprises?reference_id=10&limit=10&oldest
           get do
             enterprises = select_filtered_collection_of(environment, 'enterprises', params)
-            enterprises = enterprises.visible_for_person(current_person)
+            enterprises = enterprises.visible
             enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
             present enterprises, :with => Entities::Enterprise, :current_person => current_person
           end
  
           desc "Return one enterprise by id"
           get ':id' do
-            enterprise = environment.enterprises.visible_for_person(current_person).find_by id: params[:id]
+            enterprise = environment.enterprises.visible.find_by(id: params[:id])
             present enterprise, :with => Entities::Enterprise, :current_person => current_person
           end
  
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class People < Grape::API
-        before { authenticate! }
  
         MAX_PER_PAGE = 50
  
@@ -35,24 +34,26 @@ module Noosfero
           desc "Find environment's people"
           get do
             people = select_filtered_collection_of(environment, 'people', params)
-            people = people.visible_for_person(current_person)
+            people = people.visible
             present_partial people, :with => Entities::Person, :current_person => current_person
           end
  
           desc "Return the logged user information"
           get "/me" do
+            authenticate!
             present_partial current_person, :with => Entities::Person, :current_person => current_person
           end
  
           desc "Return the person information"
           get ':id' do
-            person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+            person = environment.people.visible.find_by(id: params[:id])
             return not_found! if person.blank?
             present person, :with => Entities::Person, :current_person => current_person
           end
  
           desc "Update person information"
           post ':id' do
+            authenticate!
             return forbidden! if current_person.id.to_s != params[:id]
             current_person.update_attributes!(params[:person])
             present current_person, :with => Entities::Person, :current_person => current_person
@@ -63,6 +64,7 @@ module Noosfero
           #  for each custom field for person, add &person[field_name]=field_value to the request
           desc "Create person"
           post do
+            authenticate!
             user_data = {}
             user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
             user_data[:email] = params[:person].delete(:email)
@@ -87,7 +89,7 @@ module Noosfero
  
           desc "Return the person friends"
           get ':id/friends' do
-            person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+            person = environment.people.visible.find_by(id: params[:id])
             return not_found! if person.blank?
             friends = person.friends.visible
             present friends, :with => Entities::Person, :current_person => current_person
@@ -95,6 +97,7 @@ module Noosfero
  
           desc "Return the person permissions on other profiles"
           get ":id/permissions" do
+            authenticate!
             person = environment.people.find(params[:id])
             return not_found! if person.blank?
             return forbidden! unless current_person == person || environment.admins.include?(current_person)
@@ -2,25 +2,25 @@ module Noosfero
   module API
     module V1
       class Profiles < Grape::API
-        before { authenticate! }
  
         resource :profiles do
  
           get do
             profiles = select_filtered_collection_of(environment, 'profiles', params)
-            profiles = profiles.visible_for_person(current_person)
+            profiles = profiles.visible
             profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
             present profiles, :with => Entities::Profile, :current_person => current_person
           end
  
           get ':id' do
             profiles = environment.profiles
-            profiles = profiles.visible_for_person(current_person)
+            profiles = profiles.visible
             profile = profiles.find_by id: params[:id]
             present profile, :with => Entities::Profile, :current_person => current_person
           end
  
           delete ':id' do
+            authenticate!
             profiles = environment.profiles
             profile = profiles.find_by id: params[:id]
  
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Users < Grape::API
-        before { authenticate! }
  
         resource :users do
  
@@ -13,6 +12,7 @@ module Noosfero
           end
  
           get "/me" do
+            authenticate!
             present current_user, :with => Entities::User, :current_person => current_person
           end
  
@@ -25,6 +25,7 @@ module Noosfero
           end
  
           get ":id/permissions" do
+            authenticate!
             user = environment.users.find(params[:id])
             output = {}
             user.person.role_assignments.map do |role_assigment|
@@ -177,7 +177,6 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_equal 400, last_response.status
   end
  
-
   should 'perform a vote in a article identified by id' do
     article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
     @params[:value] = 1
@@ -192,10 +191,8 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   should 'not perform a vote in a archived article' do
     article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true)
     @params[:value] = 1
-
     post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-
+    puts JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
  
@@ -210,6 +207,24 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
   end
  
+  should 'not update hit attribute of a specific child if a article is archived' do
+    folder = fast_create(Folder, :profile_id => user.person.id, :archived => true)
+    article = fast_create(Article, :parent_id => folder.id, :profile_id => user.person.id)
+    get "/api/v1/articles/#{folder.id}/children/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 0, json['article']['hits']
+  end
+
+  should 'find archived articles' do
+    article1 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article2 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
+    params[:archived] = true
+    get "/api/v1/articles/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json["articles"].map { |a| a["id"] }, article1.id
+    assert_includes json["articles"].map { |a| a["id"] }, article2.id
+  end
+
   should "update body of article created by me" do
     new_value = "Another body"
     params[:article] = {:body => new_value}
@@ -676,16 +691,6 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_equal json['articles'].count, 2
   end
  
-  should 'find archived articles' do
-    article1 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    article2 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
-    params[:archived] = true
-    get "/api/v1/articles/?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_not_includes json["articles"].map { |a| a["id"] }, article1.id
-    assert_includes json["articles"].map { |a| a["id"] }, article2.id
-  end
-
   ARTICLE_ATTRIBUTES = %w(followers_count votes_count comments_count)
  
   ARTICLE_ATTRIBUTES.map do |attribute|
@@ -2,25 +2,25 @@ require_relative &#39;test_helper&#39;
  
 class CategoriesTest < ActiveSupport::TestCase
  
-  def setup
-    login_api
-  end
  
-  should 'list categories' do
+  should 'logged user list categories' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
  
-  should 'get category by id' do
+  should 'logged user get category by id' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal category.name, json["category"]["name"]
   end
  
-  should 'list parent and children when get category by id' do
+  should 'logged user list parent and children when get category by id' do
+    login_api
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -37,7 +37,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
   end
  
-  should 'include parent in categories list if params is true' do
+  should 'logged user include parent in categories list if params is true' do
+    login_api
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -59,7 +60,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
       json["categories"].map { |c| c['parent'] && c['parent']['id'] }
   end
  
-  should 'include children in categories list if params is true' do
+  should 'logged user include children in categories list if params is true' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -86,7 +88,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   expose_attributes = %w(id name full_name image display_color)
  
   expose_attributes.each do |attr|
-    should "expose category #{attr} attribute by default" do
+    should "logged user expose category #{attr} attribute by default" do
+      login_api
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
       json = JSON.parse(last_response.body)
@@ -94,4 +97,98 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
  
+  should 'anonymous list categories' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["categories"].map { |c| c["name"] }, category.name
+  end
+
+  should 'anonymous get category by id' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal category.name, json["category"]["name"]
+  end
+
+  should 'anonymous list parent and children when get category by id' do
+    anonymous_setup
+    parent = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+
+    category = fast_create(Category, :environment_id => environment.id)
+    category.parent = parent
+    category.children << child_1
+    category.children << child_2
+    category.save
+
+    get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
+    assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
+  end
+
+  should 'anonymous include parent in categories list if params is true' do
+    anonymous_setup
+    parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+
+    parent_2 = fast_create(Category, :environment_id => environment.id)
+    parent_2.parent = parent_1
+    parent_2.children << child_1
+    parent_2.children << child_2
+    parent_2.save
+
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [nil], json['categories'].map { |c| c['parent'] }.uniq
+
+    params[:include_parent] = true
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
+      json["categories"].map { |c| c['parent'] && c['parent']['id'] }
+  end
+
+  should 'anonymous include children in categories list if params is true' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+    child_3 = fast_create(Category, :environment_id => environment.id)
+
+    category.children << child_1
+    category.children << child_2
+    category.save
+
+    child_1.children << child_3
+    child_1.save
+
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [nil], json['categories'].map { |c| c['children'] }.uniq
+
+    params[:include_children] = true
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
+      json["categories"].map{ |c| c['children'].map{ |child| child['id'] }.sort  }
+  end
+
+  expose_attributes.each do |attr|
+    should "anonymous expose category #{attr} attribute by default" do
+      anonymous_setup
+      category = fast_create(Category, :environment_id => environment.id)
+      get "/api/v1/categories/?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+     assert json["categories"].last.has_key?(attr)
+    end
+  end
+
+
+
 end
@@ -3,41 +3,44 @@ require_relative &#39;test_helper&#39;
 class CommentsTest < ActiveSupport::TestCase
  
   def setup
-    login_api
+    @local_person = fast_create(Person)
+    anonymous_setup
   end
+  attr_reader :local_person
  
-  should 'not list comments if user has no permission to view the source article' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+  should 'logged user not list comments if user has no permission to view the source article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
  
-  should 'not return comment if user has no permission to view the source article' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
-    comment = article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user not return comment if user has no permission to view the source article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
     assert !article.published?
  
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     assert_equal 403, last_response.status
   end
  
-  should 'not comment an article if user has no permission to view it' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+  should 'logged user not comment an article if user has no permission to view it' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
  
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
  
-  should 'return comments of an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => user.person)
-    article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user return comments of an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => local_person)
+    article.comments.create!(:body => "another comment", :author => local_person)
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -45,9 +48,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 2, json["comments"].length
   end
  
-  should 'return comment of an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user return comment of an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
  
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -55,8 +59,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal comment.id, json['comment']['id']
   end
  
-  should 'comment an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+  should 'logged user comment an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
  
@@ -66,7 +71,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal body, json['comment']['body']
   end
  
-  should 'not comment an archived article' do
+  should 'logged user not comment an archived article' do
+    login_api
     article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
     body = 'My comment'
     params.merge!({:body => body})
@@ -75,9 +81,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 400, last_response.status
   end
  
-  should 'comment creation define the source' do
+  should 'logged user comment creation define the source' do
+    login_api
     amount = Comment.count
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
  
@@ -87,29 +94,6 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_not_nil comment.source
   end
  
-  should 'paginate comments' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    5.times { article.comments.create!(:body => "some comment", :author => user.person) }
-    params[:per_page] = 3
-
-    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal 200, last_response.status
-    assert_equal 3, json["comments"].length
-  end
-
-  should 'return only root comments' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    comment1 = article.comments.create!(:body => "some comment", :author => user.person)
-    comment2 = article.comments.create!(:body => "another comment", :author => user.person, :reply_of_id => comment1.id)
-    params[:without_reply] = true
-
-    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal 200, last_response.status
-    assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
-  end
-
   should 'call plugin hotspot to filter unavailable comments' do
     class Plugin1 < Noosfero::Plugin
       def unavailable_comments(scope)
@@ -119,7 +103,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
     Environment.default.enable_plugin(Plugin1)
  
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
  
@@ -128,13 +112,78 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
  
-  should 'do not return comments marked as spam' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+  should 'anonymous do not return comments marked as spam' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
-
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
+
+  should 'not, anonymous list comments if has no permission to view the source article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+  
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+  
+  should 'anonymous return comments of an article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => local_person)
+    article.comments.create!(:body => "another comment", :author => local_person)
+  
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal 2, json["comments"].length
+  end
+  
+  should 'anonymous return comment of an article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
+  
+    get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal comment.id, json['comment']['id']
+  end
+
+  should 'not, anonymous comment an article (at least so far...)' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    body = 'My comment'
+    name = "John Doe"
+    email = "JohnDoe@gmail.com"
+    params.merge!({:body => body, name: name, email: email})
+    post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
+  should 'logged user paginate comments' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    5.times { article.comments.create!(:body => "some comment", :author => local_person) }
+    params[:per_page] = 3
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal 3, json["comments"].length
+  end
+
+  should 'logged user return only root comments' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment1 = article.comments.create!(:body => "some comment", :author => local_person)
+    comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
+    params[:without_reply] = true
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
+  end
+
 end
@@ -4,10 +4,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
  
   def setup
     Community.delete_all
-    login_api
   end
  
-  should 'list only communities' do
+  should 'logged user list only communities' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
     get "/api/v1/communities?#{params.to_query}"
@@ -16,7 +16,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_includes json['communities'].map {|c| c['id']}, community.id
   end
  
-  should 'list all communities' do
+  should 'logged user list all communities' do
+    login_api
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities?#{params.to_query}"
@@ -24,7 +25,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not list invisible communities' do
+  should 'not, logged user list invisible communities' do
+    login_api
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
  
@@ -33,16 +35,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not list private communities without permission' do
-    community1 = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'logged user list private communities' do
+      login_api
+      community1 = fast_create(Community, :environment_id => environment.id)
+      community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
-    get "/api/v1/communities?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+      get "/api/v1/communities?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+      assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'list private community for members' do
+  should 'logged user list private community for members' do
+    login_api
     c1 = fast_create(Community, :environment_id => environment.id)
     c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
@@ -52,20 +56,23 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'create a community' do
+  should 'logged user create a community' do
+    login_api
     params[:community] = {:name => 'some'}
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 'some', json['community']['name']
   end
  
-  should 'return 400 status for invalid community creation' do
+  should 'logged user return 400 status for invalid community creation' do
+    login_api
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
  
-  should 'get community' do
+  should 'logged user get community' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
@@ -73,7 +80,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
  
-  should 'not get invisible community' do
+  should 'not, logged user get invisible community' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
@@ -81,7 +89,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert json['community'].blank?
   end
  
-  should 'not get private communities without permission' do
+  should 'not, logged user get private communities without permission' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
@@ -90,17 +99,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
  
-  should 'get private community for members' do
+  should 'logged user get private community for members' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
     community.add_member(person)
  
-
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
   end
  
-  should 'list person communities' do
+  should 'logged user list person communities' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id)
     community.add_member(person)
@@ -110,7 +120,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not list person communities invisible' do
+  should 'not, logged user list person communities invisible' do
+    login_api
     c1 = fast_create(Community, :environment_id => environment.id)
     c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
@@ -121,7 +132,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'list communities with pagination' do
+  should 'logged user list communities with pagination' do
+    login_api
     community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
     community2 = fast_create(Community, :created_at => 2.days.ago)
  
@@ -143,7 +155,118 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
  
-  should 'list communities with timestamp' do
+  should 'logged user list communities with timestamp' do
+    login_api
+    community1 = fast_create(Community, :public_profile => true)
+    community2 = fast_create(Community)
+
+    community1.updated_at = Time.now + 3.hours
+    community1.save!
+
+    params[:timestamp] = Time.now + 1.hours
+    get "/api/v1/communities/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_includes json["communities"].map { |a| a["id"] }, community1.id
+    assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
+  end
+
+  should 'anonymous list only communities' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
+    assert_includes json['communities'].map {|c| c['id']}, community.id
+  end
+
+  should 'anonymous list all communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
+    community2 = fast_create(Community, :environment_id => environment.id)
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not, anonymous list invisible communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :visible => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'anonymous list private communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not, anonymous create a community' do
+    anonymous_setup
+    params[:community] = {:name => 'some'}
+    post "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
+  should 'anonymous get community' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'not, anonymous get invisible community' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id, :visible => false)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert json['community'].blank?
+  end
+
+  should 'not, anonymous get private communities' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'anonymous list communities with pagination' do
+    anonymous_setup
+    community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
+    community2 = fast_create(Community, :created_at => 2.days.ago)
+
+    params[:page] = 2
+    params[:per_page] = 1
+    get "/api/v1/communities?#{params.to_query}"
+    json_page_two = JSON.parse(last_response.body)
+
+    params[:page] = 1
+    params[:per_page] = 1
+    get "/api/v1/communities?#{params.to_query}"
+    json_page_one = JSON.parse(last_response.body)
+
+    assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
+    assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
+
+    assert_includes json_page_two["communities"].map { |a| a["id"] }, community2.id
+    assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
+  end
+
+  should 'anonymous list communities with timestamp' do
+    anonymous_setup
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
  
@@ -157,4 +280,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_includes json["communities"].map { |a| a["id"] }, community1.id
     assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
   end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+    some_community = fast_create(Community)
+    some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_community.save!
+
+    get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['community']['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['community']['additional_data']['Rating']
+  end
+
+  should 'not display private custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+    some_community = fast_create(Community)
+    some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_community.save!
+
+    get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json['community']['additional_data'].has_key?('Rating')
+  end
+
+
 end
@@ -4,10 +4,20 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
  
   def setup
     Enterprise.delete_all
+  end
+
+  should 'logger user list only enterprises' do
     login_api
+    community = fast_create(Community, :environment_id => environment.id) # should not list this community
+    enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json['enterprises'].map {|c| c['id']}, enterprise.id
+    assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
   end
  
-  should 'list only enterprises' do
+  should 'anonymous list only enterprises' do
+    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id) # should not list this community
     enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -16,7 +26,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
   end
  
-  should 'list all enterprises' do
+  should 'anonymous list all enterprises' do
+    anonymous_setup
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logger user list all enterprises' do
+    login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -25,6 +45,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list invisible enterprises' do
+    login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
  
@@ -33,16 +54,48 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
  
-  should 'not list private enterprises without permission' do
+  should 'not, anonymous list invisible enterprises' do
+    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
-    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+    fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'not, logger user list invisible enterprises' do
+    login_api
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :visible => false)
  
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
  
-  should 'list private enterprise for members' do
+  should 'anonymous list private enterprises' do
+    anonymous_setup
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logged user list private enterprises' do
+    login_api
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logged user list private enterprise for members' do
+    login_api
     c1 = fast_create(Enterprise, :environment_id => environment.id)
     c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
@@ -52,7 +105,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id, c2.id], json['enterprises'].map {|c| c['id']}
   end
  
-  should 'get enterprise' do
+  should 'anonymous get enterprise' do
+    anonymous_setup
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'logged user get enterprise' do
+    login_api
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -60,7 +123,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal enterprise.id, json['enterprise']['id']
   end
  
-  should 'not get invisible enterprise' do
+  should 'not, logger user get invisible enterprise' do
+    login_api
+    enterprise = fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['enterprise'].blank?
+  end
+
+  should 'not, anonymous get invisible enterprise' do
+    anonymous_setup
     enterprise = fast_create(Enterprise, :visible => false)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -69,6 +142,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not get private enterprises without permission' do
+    login_api
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'not, anonymous get private enterprises' do
+    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  
@@ -78,6 +162,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'get private enterprise for members' do
+    login_api
     enterprise = fast_create(Enterprise, :public_profile => false)
     enterprise.add_member(person)
  
@@ -87,6 +172,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list person enterprises' do
+    login_api
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id)
     enterprise.add_member(person)
@@ -97,6 +183,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list person enterprises invisible' do
+    login_api
     c1 = fast_create(Enterprise, :environment_id => environment.id)
     c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
@@ -107,4 +194,29 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
   end
  
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+    some_enterprise = fast_create(Enterprise)
+    some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_enterprise.save!
+
+    get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['enterprise']['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
+  end
+
+  should 'not display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+    some_enterprise = fast_create(Enterprise)
+    some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_enterprise.save!
+
+    get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json['enterprise']['additional_data'].has_key?('Rating')
+  end
+
 end
@@ -167,6 +167,10 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
     assert_nil make_conditions_with_parameter[:type]
   end
  
+  should 'make_conditions_with_parameter return archived parameter if archived was defined' do
+    assert_not_nil make_conditions_with_parameter('archived' => true)[:archived]
+  end
+
   #test_should_make_order_with_parameters_return_order_if attribute_is_found_at_object_association
   should 'make_order_with_parameters return order if attribute is found at object association' do
     environment = Environment.new
@@ -4,10 +4,10 @@ class PeopleTest &lt; ActiveSupport::TestCase
  
   def setup
     Person.delete_all
-    login_api
   end
  
-  should 'list all people' do
+  should 'logged user list all people' do
+    login_api
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
     get "/api/v1/people?#{params.to_query}"
@@ -15,7 +15,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
   end
  
-  should 'list all members of a community' do
+  should 'anonymous list all people' do
+    anonymous_setup
+    person1 = fast_create(Person, :public_profile => true)
+    person2 = fast_create(Person)
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'logged user list all members of a community' do
+    login_api
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+    community = fast_create(Community)
+    community.add_member(person1)
+    community.add_member(person2)
+
+    get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 2, json["people"].count
+    assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
+  end
+
+  should 'anonymous list all members of a community' do
+    anonymous_setup
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -28,21 +52,40 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
   end
  
-  should 'not list invisible people' do
+  should 'logged user not list invisible people' do
+    login_api
+    invisible_person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_not_includes json_response_ids(:people), invisible_person.id
+  end
+
+  should 'annoymous not list invisible people' do
+    anonymous_setup
     invisible_person = fast_create(Person, :visible => false)
  
     get "/api/v1/people?#{params.to_query}"
     assert_not_includes json_response_ids(:people), invisible_person.id
   end
  
-  should 'not list private people without permission' do
+  should 'logged user list private people' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
  
     get "/api/v1/people?#{params.to_query}"
-    assert_not_includes json_response_ids(:people), private_person.id
+    assert_includes json_response_ids(:people), private_person.id
   end
  
-  should 'list private person for friends' do
+  should 'anonymous list private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_includes json_response_ids(:people), private_person.id
+  end
+
+  should 'logged user list private person for friends' do
+    login_api
     p1 = fast_create(Person)
     p2 = fast_create(Person, :public_profile => false)
     person.add_friend(p2)
@@ -52,7 +95,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_includes json_response_ids(:people), p2.id
   end
  
-  should 'get person' do
+  should 'logged user get person' do
+    login_api
     some_person = fast_create(Person)
  
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
@@ -60,14 +104,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['person']['id']
   end
  
-  should 'people endpoint filter by fields parameter' do
+  should 'anonymous get person' do
+    anonymous_setup
+    some_person = fast_create(Person)
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['person']['id']
+  end
+
+
+  should 'people endpoint filter by fields parameter for logged user' do
+    login_api
     get "/api/v1/people?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
     expected = {'people' => [{'name' => person.name}]}
     assert_equal expected, json
   end
  
-  should 'people endpoint filter by fields parameter with hierarchy' do
+  should 'people endpoint filter by fields parameter with hierarchy for logged user' do
+    login_api
     fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
     get "/api/v1/people?#{params.to_query}&fields=#{fields}"
     json = JSON.parse(last_response.body)
@@ -76,19 +132,22 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'get logged person' do
+    login_api
     get "/api/v1/people/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal person.id, json['person']['id']
   end
  
-  should 'me endpoint filter by fields parameter' do
+  should 'access me endpoint filter by fields parameter' do
+    login_api
     get "/api/v1/people/me?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
     expected = {'person' => {'name' => person.name}}
     assert_equal expected, json
   end
  
-  should 'not get invisible person' do
+  should 'logged user not get invisible person' do
+    login_api
     person = fast_create(Person, :visible => false)
  
     get "/api/v1/people/#{person.id}?#{params.to_query}"
@@ -96,15 +155,35 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert json['person'].blank?
   end
  
-  should 'not get private people without permission' do
+  should 'anonymous not get invisible person' do
+    anonymous_setup
+    person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person'].blank?
+  end
+
+  should 'get private people' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
  
     get "/api/v1/people/#{private_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert json['person'].blank?
+    assert_equal json['person']['id'], private_person.id
+  end
+
+  should 'anonymous get private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people/#{private_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['id'], private_person.id
   end
  
   should 'get private person for friends' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
     person.add_friend(private_person)
     private_person.add_friend(person)
@@ -115,15 +194,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'list person friends' do
+    login_api
     friend = fast_create(Person)
     person.add_friend(friend)
     friend.add_friend(person)
+    get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
+    assert_includes json_response_ids(:people), person.id
+  end
  
+  should 'anonymous list person friends' do
+    anonymous_setup
+    person = fast_create(Person)
+    friend = fast_create(Person)
+    person.add_friend(friend)
+    friend.add_friend(person)
     get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
     assert_includes json_response_ids(:people), person.id
   end
  
   should 'not list person invisible friends' do
+    login_api
     friend = fast_create(Person)
     invisible_friend = fast_create(Person, :visible => false)
     person.add_friend(friend)
@@ -138,6 +228,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'create a person' do
+    login_api
     login = 'some'
     params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
     post "/api/v1/people?#{params.to_query}"
@@ -146,6 +237,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'return 400 status for invalid person creation' do
+    login_api
     params[:person] = {:login => 'some'}
     post "/api/v1/people?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -153,6 +245,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'display permissions' do
+    login_api
     community = fast_create(Community)
     community.add_member(fast_create(Person))
     community.add_member(person)
@@ -164,11 +257,13 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'display permissions if self' do
+    login_api
     get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
     assert_equal 200, last_response.status
   end
  
   should 'display permissions if admin' do
+    login_api
     environment = person.environment
     environment.add_admin(person)
     some_person = fast_create(Person)
@@ -178,6 +273,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'not display permissions if not admin or self' do
+    login_api
     some_person = create_user('some-person').person
  
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
@@ -185,12 +281,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'not update another person' do
+    login_api
     person = fast_create(Person, :environment_id => environment.id)
     post "/api/v1/people/#{person.id}?#{params.to_query}"
     assert_equal 403, last_response.status
   end
  
   should 'update yourself' do
+    login_api
     another_name = 'Another Name'
     params[:person] = {}
     params[:person][:name] = another_name
@@ -200,7 +298,33 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal another_name, person.name
   end
  
-  should 'display public custom fields' do
+  should 'logged user display public custom fields' do
+    login_api
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person']['additional_data'].has_key?('Custom Blog')
+    assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
+  end
+
+  should 'logged user not display non-public custom fields' do
+    login_api
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['additional_data'], {}
+  end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
@@ -212,7 +336,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
  
-  should 'not display non-public custom fields' do
+  should 'not display non-public custom fields to anonymous' do
+    anonymous_setup
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
@@ -223,7 +348,19 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal json['person']['additional_data'], {}
   end
  
+  should 'hide private fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json["user"].has_key?("permissions")
+    refute json["user"].has_key?("activated")
+  end
+
   should 'display non-public custom fields to friend' do
+    login_api
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
@@ -245,12 +382,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
   PERSON_ATTRIBUTES.map do |attribute|
  
     define_method "test_should_not_expose_#{attribute}_attribute_in_person_enpoint_if_field_parameter_does_not_contain_the_attribute" do
+      login_api
       get "/api/v1/people/me?#{params.to_query}&fields=name"
       json = JSON.parse(last_response.body)
       assert_nil json['person'][attribute]
     end
  
     define_method "test_should_expose_#{attribute}_attribute_in_person_enpoints_if_field_parameter_is_passed" do
+      login_api
       get "/api/v1/people/me?#{params.to_query}&fields=#{attribute}"
       json = JSON.parse(last_response.body)
       assert_not_nil json['person'][attribute]
@@ -4,10 +4,10 @@ class ProfilesTest &lt; ActiveSupport::TestCase
  
   def setup
     Profile.delete_all
-    login_api
   end
  
-  should 'list all profiles' do
+  should 'logged user list all profiles' do
+    login_api
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -16,14 +16,16 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
   end
  
-  should 'get person from profile id' do
+  should 'logged user get person from profile id' do
+    login_api
     some_person = fast_create(Person)
     get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal some_person.id, json['id']
   end
  
-  should 'get community from profile id' do
+  should 'logged user get community from profile id' do
+    login_api
     community = fast_create(Community)
     get "/api/v1/profiles/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -33,6 +35,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   group_kinds = %w(community enterprise)
   group_kinds.each do |kind|
     should "delete #{kind} from profile id with permission" do
+      login_api
       profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       give_permission(@person, 'destroy_profile', profile)
       assert_not_nil Profile.find_by_id profile.id
@@ -44,6 +47,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     end
  
     should "not delete #{kind} from profile id without permission" do
+      login_api
       profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       assert_not_nil Profile.find_by_id profile.id
  
@@ -55,12 +59,14 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
  
   should 'person delete itself' do
+    login_api
     delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
     assert_equal 200, last_response.status
     assert_nil Profile.find_by_id @person.id
   end
  
   should 'only admin delete other people' do
+    login_api
     profile = fast_create(Person, :environment_id => environment.id)
     assert_not_nil Profile.find_by_id profile.id
  
@@ -77,4 +83,62 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_nil Profile.find_by_id profile.id
  
   end
+
+  should 'anonymous user access delete action' do
+    anonymous_setup
+    profile = fast_create(Person, :environment_id => environment.id)
+
+    delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+    assert_equal 401, last_response.status
+    assert_not_nil Profile.find_by_id profile.id
+  end
+
+  should 'anonymous list all profiles' do
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+    community = fast_create(Community)
+    get "/api/v1/profiles"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+  end
+
+  should 'anonymous get person from profile id' do
+    some_person = fast_create(Person)
+    get "/api/v1/profiles/#{some_person.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['id']
+  end
+
+  should 'anonymous get community from profile id' do
+    community = fast_create(Community)
+    get "/api/v1/profiles/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['id']
+  end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+    some_profile = fast_create(Profile)
+    some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_profile.save!
+
+    get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['additional_data']['Rating']
+  end
+
+  should 'not display private custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+    some_profile = fast_create(Profile)
+    some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_profile.save!
+
+    get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json.has_key?('Rating')
+  end
+
 end
@@ -62,6 +62,12 @@ class ActiveSupport::TestCase
  
     @params = {:private_token => @private_token}
   end
+
+  def anonymous_setup
+    @environment = Environment.default
+    @params = {}
+  end
+
   attr_accessor :private_token, :user, :person, :params, :environment
  
   private
@@ -3,23 +3,22 @@ require_relative &#39;test_helper&#39;
  
 class UsersTest < ActiveSupport::TestCase
  
-  def setup
+  should 'logger user list users' do
     login_api
-  end
-
-  should 'list users' do
     get "/api/v1/users/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["users"].map { |a| a["login"] }, user.login
   end
  
-  should 'get user' do
+  should 'logger user get user info' do
+    login_api
     get "/api/v1/users/#{user.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal user.id, json['user']['id']
   end
  
-  should 'list user permissions' do
+  should 'logger user list user permissions' do
+    login_api
     community = fast_create(Community)
     community.add_admin(person)
     get "/api/v1/users/#{user.id}/?#{params.to_query}"
@@ -28,25 +27,29 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'get logged user' do
+    login_api
     get "/api/v1/users/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal user.id, json['user']['id']
   end
  
   should 'not show permissions to logged user' do
+    login_api
     target_person = create_user('some-user').person
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
   end
  
-  should 'show permissions to self' do
+  should 'logger user show permissions to self' do
+    login_api
     get "/api/v1/users/#{user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("permissions")
   end
  
   should 'not show permissions to friend' do
+    login_api
     target_person = create_user('some-user').person
  
     f = Friendship.new
@@ -60,6 +63,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'not show private attribute to logged user' do
+    login_api
     target_person = create_user('some-user').person
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -67,6 +71,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'show private attr to friend' do
+    login_api
     target_person = create_user('some-user').person
     f = Friendship.new
     f.friend = target_person
@@ -79,6 +84,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'show public attribute to logged user' do
+    login_api
     target_person = create_user('some-user').person
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
@@ -89,6 +95,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'show public and private field to admin' do
+    login_api
     Environment.default.add_admin(person)
  
     target_person = create_user('some-user').person
@@ -102,4 +109,26 @@ class UsersTest &lt; ActiveSupport::TestCase
     assert json["user"].has_key?("activated")
   end
  
+  should 'show public fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.fields_privacy={:email=> 'public'}
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json["user"].has_key?("email")
+  end
+
+  should 'hide private fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json["user"].has_key?("permissions")
+    refute json["user"].has_key?("activated")
+  end
+
 end
@@ -437,7 +437,7 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')
     admin = create_user('adminuser').person
     c.add_admin(admin)
-   
+
     assert c.is_admin?(admin)
   end
  
@@ -513,4 +513,18 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     assert_includes     env_admin_orgs, o7
   end
  
+  should 'fetch organizations there are visible for a visitor' do
+    visitor = nil
+    Organization.destroy_all
+    o1 = fast_create(Organization, :public_profile => true , :visible => true )
+    o2 = fast_create(Organization, :public_profile => false, :visible => true )
+    o3 = fast_create(Organization, :public_profile => true , :visible => false)
+    o4 = fast_create(Organization, :public_profile => false, :visible => false)
+    person_orgs    = Organization.visible_for_person(visitor)
+    assert_includes       person_orgs,    o1
+    assert_not_includes   person_orgs,    o2
+    assert_not_includes   person_orgs,    o3
+    assert_not_includes   person_orgs,    o4
+  end
+
 end
@@ -1951,4 +1951,17 @@ class PersonTest &lt; ActiveSupport::TestCase
     person.save!
   end
  
+  should 'fetch people there are visible for a visitor' do
+    person = nil
+    p1 = fast_create(Person, :public_profile => true , :visible => true)
+    p2 = fast_create(Person, :public_profile => false, :visible => true)
+    p3 = fast_create(Person, :public_profile => true , :visible => false)
+    p4 = fast_create(Person, :public_profile => false, :visible => false)
+    people_visible_by_visitor = Person.visible_for_person(person)
+    assert_includes     people_visible_by_visitor, p1
+    assert_not_includes people_visible_by_visitor, p2
+    assert_not_includes people_visible_by_visitor, p3
+    assert_not_includes people_visible_by_visitor, p4
+  end
+
 end
...	...	@@ -17,6 +17,8 @@ class Organization < Profile
17	17	# 4) The user is not a member of the organization but the organization is
18	18	# visible, public and enabled.
19	19	def self.visible_for_person(person)
	20	+ # Visitor if person.nil?
	21	+ person_id = person.nil? ? nil : person.id
20	22	joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
21	23	AND "role_assignments"."resource_type" = \'Profile\') OR (
22	24	"role_assignments"."resource_id" = "profiles"."environment_id" AND
...	...	@@ -28,8 +30,8 @@ class Organization < Profile
28	30	( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
29	31	( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
30	32	( profiles.visible = ? ) )',
31		- 'profile_admin', 'environment_administrator', Profile.name, person.id,
32		- Profile.name, person.id, true, true, true]
	33	+ 'profile_admin', 'environment_administrator', Profile.name, person_id,
	34	+ Profile.name, person_id, true, true, true]
33	35	).uniq
34	36	end
35	37
...	...
...	...	@@ -42,6 +42,8 @@ class Person < Profile
42	42	}
43	43
44	44	scope :visible_for_person, lambda { \|person\|
	45	+ # Visitor if person.nil?
	46	+ person_id = person.nil? ? nil : person.id
45	47	joins('LEFT JOIN "role_assignments" ON
46	48	"role_assignments"."resource_id" = "profiles"."environment_id" AND
47	49	"role_assignments"."resource_type" = \'Environment\'')
...	...	@@ -49,9 +51,10 @@ class Person < Profile
49	51	.joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
50	52	.where(
51	53	['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
52		- ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )', 'environment_administrator', Profile.name, person.id, person.id, true, true]
	54	+ ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
	55	+ 'environment_administrator', Profile.name, person_id, person_id, true, true]
53	56	).uniq
54		- }
	57	+ }
55	58
56	59	def has_permission_with_admin?(permission, resource)
57	60	return true if resource.blank? \|\| resource.admins.include?(self)
...	...
1	1	<div id='search-content'>
2	2	<% if @results %>
3	3	<div class='results-found-message'>
4		- <%= _("%s results found") % @results.total_entries %>
	4	+ <%= n_("%s result found", "%s results found", @results.total_entries) % @results.total_entries %>
5	5	</div>
6	6
7	7	<ul class='results-list'>
...	...
1	1	<div id='search-content'>
2	2	<div class='total'>
3		- <%= _('Total of %s results ') % @searches[@asset][:results].total_entries.inspect %>
	3	+ <%= n_('Total of 1 result', 'Total of %s results', @searches[@asset][:results].total_entries) % @searches[@asset][:results].total_entries.inspect %>
4	4	</div>
5	5
6	6	<%= display_results(@searches, @asset) %>
...	...
...	...	@@ -197,7 +197,7 @@ module Noosfero
197	197	class Article < ArticleBase
198	198	root 'articles', 'article'
199	199	expose :parent, :using => ArticleBase
200		- expose :children, using: ArticleBase do \|article, options\|
	200	+ expose :children, :using => ArticleBase do \|article, options\|
201	201	article.children.limit(Noosfero::API::V1::Articles::MAX_PER_PAGE)
202	202	end
203	203	end
...	...
...	...	@@ -2,7 +2,6 @@ module Noosfero
2	2	module API
3	3	module V1
4	4	class Categories < Grape::API
5		- before { authenticate! }
6	5
7	6	resource :categories do
8	7
...	...
...	...	@@ -4,7 +4,6 @@ module Noosfero
4	4	class Comments < Grape::API
5	5	MAX_PER_PAGE = 20
6	6
7		- before { authenticate! }
8	7
9	8	resource :articles do
10	9	paginate max_per_page: MAX_PER_PAGE
...	...	@@ -34,6 +33,7 @@ module Noosfero
34	33	# Example Request:
35	34	# POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
36	35	post ":id/comments" do
	36	+ authenticate!
37	37	article = find_article(environment.articles, params[:id])
38	38	options = params.select { \|key,v\| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
39	39	begin
...	...
...	...	@@ -2,25 +2,25 @@ module Noosfero
2	2	module API
3	3	module V1
4	4	class Profiles < Grape::API
5		- before { authenticate! }
6	5
7	6	resource :profiles do
8	7
9	8	get do
10	9	profiles = select_filtered_collection_of(environment, 'profiles', params)
11		- profiles = profiles.visible_for_person(current_person)
	10	+ profiles = profiles.visible
12	11	profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
13	12	present profiles, :with => Entities::Profile, :current_person => current_person
14	13	end
15	14
16	15	get ':id' do
17	16	profiles = environment.profiles
18		- profiles = profiles.visible_for_person(current_person)
	17	+ profiles = profiles.visible
19	18	profile = profiles.find_by id: params[:id]
20	19	present profile, :with => Entities::Profile, :current_person => current_person
21	20	end
22	21
23	22	delete ':id' do
	23	+ authenticate!
24	24	profiles = environment.profiles
25	25	profile = profiles.find_by id: params[:id]
26	26
...	...
...	...	@@ -177,7 +177,6 @@ class ArticlesTest < ActiveSupport::TestCase
177	177	assert_equal 400, last_response.status
178	178	end
179	179
180		-
181	180	should 'perform a vote in a article identified by id' do
182	181	article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
183	182	@params[:value] = 1
...	...	@@ -192,10 +191,8 @@ class ArticlesTest < ActiveSupport::TestCase
192	191	should 'not perform a vote in a archived article' do
193	192	article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true)
194	193	@params[:value] = 1
195		-
196	194	post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
197		- json = JSON.parse(last_response.body)
198		-
	195	+ puts JSON.parse(last_response.body)
199	196	assert_equal 400, last_response.status
200	197	end
201	198
...	...	@@ -210,6 +207,24 @@ class ArticlesTest < ActiveSupport::TestCase
210	207	end
211	208	end
212	209
	210	+ should 'not update hit attribute of a specific child if a article is archived' do
	211	+ folder = fast_create(Folder, :profile_id => user.person.id, :archived => true)
	212	+ article = fast_create(Article, :parent_id => folder.id, :profile_id => user.person.id)
	213	+ get "/api/v1/articles/#{folder.id}/children/#{article.id}?#{params.to_query}"
	214	+ json = JSON.parse(last_response.body)
	215	+ assert_equal 0, json['article']['hits']
	216	+ end
	217	+
	218	+ should 'find archived articles' do
	219	+ article1 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
	220	+ article2 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
	221	+ params[:archived] = true
	222	+ get "/api/v1/articles/?#{params.to_query}"
	223	+ json = JSON.parse(last_response.body)
	224	+ assert_not_includes json["articles"].map { \|a\| a["id"] }, article1.id
	225	+ assert_includes json["articles"].map { \|a\| a["id"] }, article2.id
	226	+ end
	227	+
213	228	should "update body of article created by me" do
214	229	new_value = "Another body"
215	230	params[:article] = {:body => new_value}
...	...	@@ -676,16 +691,6 @@ class ArticlesTest < ActiveSupport::TestCase
676	691	assert_equal json['articles'].count, 2
677	692	end
678	693
679		- should 'find archived articles' do
680		- article1 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
681		- article2 = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
682		- params[:archived] = true
683		- get "/api/v1/articles/?#{params.to_query}"
684		- json = JSON.parse(last_response.body)
685		- assert_not_includes json["articles"].map { \|a\| a["id"] }, article1.id
686		- assert_includes json["articles"].map { \|a\| a["id"] }, article2.id
687		- end
688		-
689	694	ARTICLE_ATTRIBUTES = %w(followers_count votes_count comments_count)
690	695
691	696	ARTICLE_ATTRIBUTES.map do \|attribute\|
...	...
...	...	@@ -2,25 +2,25 @@ require_relative 'test_helper'
2	2
3	3	class CategoriesTest < ActiveSupport::TestCase
4	4
5		- def setup
6		- login_api
7		- end
8	5
9		- should 'list categories' do
	6	+ should 'logged user list categories' do
	7	+ login_api
10	8	category = fast_create(Category, :environment_id => environment.id)
11	9	get "/api/v1/categories/?#{params.to_query}"
12	10	json = JSON.parse(last_response.body)
13	11	assert_includes json["categories"].map { \|c\| c["name"] }, category.name
14	12	end
15	13
16		- should 'get category by id' do
	14	+ should 'logged user get category by id' do
	15	+ login_api
17	16	category = fast_create(Category, :environment_id => environment.id)
18	17	get "/api/v1/categories/#{category.id}/?#{params.to_query}"
19	18	json = JSON.parse(last_response.body)
20	19	assert_equal category.name, json["category"]["name"]
21	20	end
22	21
23		- should 'list parent and children when get category by id' do
	22	+ should 'logged user list parent and children when get category by id' do
	23	+ login_api
24	24	parent = fast_create(Category, :environment_id => environment.id)
25	25	child_1 = fast_create(Category, :environment_id => environment.id)
26	26	child_2 = fast_create(Category, :environment_id => environment.id)
...	...	@@ -37,7 +37,8 @@ class CategoriesTest < ActiveSupport::TestCase
37	37	assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { \|c\| c['id'] }
38	38	end
39	39
40		- should 'include parent in categories list if params is true' do
	40	+ should 'logged user include parent in categories list if params is true' do
	41	+ login_api
41	42	parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
42	43	child_1 = fast_create(Category, :environment_id => environment.id)
43	44	child_2 = fast_create(Category, :environment_id => environment.id)
...	...	@@ -59,7 +60,8 @@ class CategoriesTest < ActiveSupport::TestCase
59	60	json["categories"].map { \|c\| c['parent'] && c['parent']['id'] }
60	61	end
61	62
62		- should 'include children in categories list if params is true' do
	63	+ should 'logged user include children in categories list if params is true' do
	64	+ login_api
63	65	category = fast_create(Category, :environment_id => environment.id)
64	66	child_1 = fast_create(Category, :environment_id => environment.id)
65	67	child_2 = fast_create(Category, :environment_id => environment.id)
...	...	@@ -86,7 +88,8 @@ class CategoriesTest < ActiveSupport::TestCase
86	88	expose_attributes = %w(id name full_name image display_color)
87	89
88	90	expose_attributes.each do \|attr\|
89		- should "expose category #{attr} attribute by default" do
	91	+ should "logged user expose category #{attr} attribute by default" do
	92	+ login_api
90	93	category = fast_create(Category, :environment_id => environment.id)
91	94	get "/api/v1/categories/?#{params.to_query}"
92	95	json = JSON.parse(last_response.body)
...	...	@@ -94,4 +97,98 @@ class CategoriesTest < ActiveSupport::TestCase
94	97	end
95	98	end
96	99
	100	+ should 'anonymous list categories' do
	101	+ anonymous_setup
	102	+ category = fast_create(Category, :environment_id => environment.id)
	103	+ get "/api/v1/categories/?#{params.to_query}"
	104	+ json = JSON.parse(last_response.body)
	105	+ assert_includes json["categories"].map { \|c\| c["name"] }, category.name
	106	+ end
	107	+
	108	+ should 'anonymous get category by id' do
	109	+ anonymous_setup
	110	+ category = fast_create(Category, :environment_id => environment.id)
	111	+ get "/api/v1/categories/#{category.id}/?#{params.to_query}"
	112	+ json = JSON.parse(last_response.body)
	113	+ assert_equal category.name, json["category"]["name"]
	114	+ end
	115	+
	116	+ should 'anonymous list parent and children when get category by id' do
	117	+ anonymous_setup
	118	+ parent = fast_create(Category, :environment_id => environment.id)
	119	+ child_1 = fast_create(Category, :environment_id => environment.id)
	120	+ child_2 = fast_create(Category, :environment_id => environment.id)
	121	+
	122	+ category = fast_create(Category, :environment_id => environment.id)
	123	+ category.parent = parent
	124	+ category.children << child_1
	125	+ category.children << child_2
	126	+ category.save
	127	+
	128	+ get "/api/v1/categories/#{category.id}/?#{params.to_query}"
	129	+ json = JSON.parse(last_response.body)
	130	+ assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
	131	+ assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { \|c\| c['id'] }
	132	+ end
	133	+
	134	+ should 'anonymous include parent in categories list if params is true' do
	135	+ anonymous_setup
	136	+ parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
	137	+ child_1 = fast_create(Category, :environment_id => environment.id)
	138	+ child_2 = fast_create(Category, :environment_id => environment.id)
	139	+
	140	+ parent_2 = fast_create(Category, :environment_id => environment.id)
	141	+ parent_2.parent = parent_1
	142	+ parent_2.children << child_1
	143	+ parent_2.children << child_2
	144	+ parent_2.save
	145	+
	146	+ get "/api/v1/categories/?#{params.to_query}"
	147	+ json = JSON.parse(last_response.body)
	148	+ assert_equal [nil], json['categories'].map { \|c\| c['parent'] }.uniq
	149	+
	150	+ params[:include_parent] = true
	151	+ get "/api/v1/categories/?#{params.to_query}"
	152	+ json = JSON.parse(last_response.body)
	153	+ assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
	154	+ json["categories"].map { \|c\| c['parent'] && c['parent']['id'] }
	155	+ end
	156	+
	157	+ should 'anonymous include children in categories list if params is true' do
	158	+ anonymous_setup
	159	+ category = fast_create(Category, :environment_id => environment.id)
	160	+ child_1 = fast_create(Category, :environment_id => environment.id)
	161	+ child_2 = fast_create(Category, :environment_id => environment.id)
	162	+ child_3 = fast_create(Category, :environment_id => environment.id)
	163	+
	164	+ category.children << child_1
	165	+ category.children << child_2
	166	+ category.save
	167	+
	168	+ child_1.children << child_3
	169	+ child_1.save
	170	+
	171	+ get "/api/v1/categories/?#{params.to_query}"
	172	+ json = JSON.parse(last_response.body)
	173	+ assert_equal [nil], json['categories'].map { \|c\| c['children'] }.uniq
	174	+
	175	+ params[:include_children] = true
	176	+ get "/api/v1/categories/?#{params.to_query}"
	177	+ json = JSON.parse(last_response.body)
	178	+ assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
	179	+ json["categories"].map{ \|c\| c['children'].map{ \|child\| child['id'] }.sort }
	180	+ end
	181	+
	182	+ expose_attributes.each do \|attr\|
	183	+ should "anonymous expose category #{attr} attribute by default" do
	184	+ anonymous_setup
	185	+ category = fast_create(Category, :environment_id => environment.id)
	186	+ get "/api/v1/categories/?#{params.to_query}"
	187	+ json = JSON.parse(last_response.body)
	188	+ assert json["categories"].last.has_key?(attr)
	189	+ end
	190	+ end
	191	+
	192	+
	193	+
97	194	end
...	...