Commit 1af52164cce8b6179e6c4fc309c76e8ee0b7f02e
Exists in
staging
and in
4 other branches
Merge branch 'comments_permissions' into 'master'
Exposing permission to delete comment Exposing permission to delete comments in the API See merge request !991
Showing
4 changed files
with
43 additions
and
0 deletions
Show diff stats
app/api/entities.rb
| ... | ... | @@ -174,6 +174,10 @@ module Api |
| 174 | 174 | expose :created_at, :format_with => :timestamp |
| 175 | 175 | expose :author, :using => Profile |
| 176 | 176 | expose :reply_of, :using => CommentBase |
| 177 | + expose :permissions do |comment, options| | |
| 178 | + Entities.permissions_for_entity(comment, options[:current_person], | |
| 179 | + :allow_destroy?) | |
| 180 | + end | |
| 177 | 181 | end |
| 178 | 182 | |
| 179 | 183 | class Comment < CommentBase | ... | ... |
app/models/comment.rb
| ... | ... | @@ -212,6 +212,9 @@ class Comment < ApplicationRecord |
| 212 | 212 | user == author || user == profile || user.has_permission?(:moderate_comments, profile) |
| 213 | 213 | end |
| 214 | 214 | |
| 215 | + # method used by the API | |
| 216 | + alias_method :allow_destroy?, :can_be_destroyed_by? | |
| 217 | + | |
| 215 | 218 | def can_be_marked_as_spam_by?(user) |
| 216 | 219 | return if user.nil? |
| 217 | 220 | user == profile || user.has_permission?(:moderate_comments, profile) | ... | ... |
test/api/comments_test.rb
| ... | ... | @@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase |
| 245 | 245 | assert_equal 500, last_response.status |
| 246 | 246 | assert_includes article.comments, comment |
| 247 | 247 | end |
| 248 | + | |
| 249 | + should 'list allow_destroy permission when get your own comment' do | |
| 250 | + login_api | |
| 251 | + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing") | |
| 252 | + article.comments.create!(:body => "some comment", :author => @person) | |
| 253 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | |
| 254 | + json = JSON.parse(last_response.body) | |
| 255 | + assert_equal 200, last_response.status | |
| 256 | + assert_includes json["comments"][0]["permissions"], 'allow_destroy' | |
| 257 | + end | |
| 258 | + | |
| 259 | + should 'anonymous not allowed to destroy comments' do | |
| 260 | + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing") | |
| 261 | + article.comments.create!(:body => "some comment", :author => @person) | |
| 262 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | |
| 263 | + json = JSON.parse(last_response.body) | |
| 264 | + assert_equal 200, last_response.status | |
| 265 | + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy' | |
| 266 | + end | |
| 267 | + | |
| 268 | + should 'unprivileged user not be allowed to destroy other people comments' do | |
| 269 | + article = fast_create(Article, profile_id: @local_person.id, name: "Some thing") | |
| 270 | + comment = article.comments.create!(body: "some comment", author: @local_person) | |
| 271 | + login_api | |
| 272 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | |
| 273 | + json = JSON.parse(last_response.body) | |
| 274 | + assert_equal 200, last_response.status | |
| 275 | + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy' | |
| 276 | + end | |
| 277 | + | |
| 248 | 278 | end | ... | ... |
test/unit/comment_test.rb
| ... | ... | @@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase |
| 597 | 597 | refute comment.can_be_destroyed_by?(nil) |
| 598 | 598 | end |
| 599 | 599 | |
| 600 | + should 'anonymous has no allow_destroy? permission' do | |
| 601 | + comment = Comment.new | |
| 602 | + | |
| 603 | + refute comment.allow_destroy?(nil) | |
| 604 | + end | |
| 605 | + | |
| 600 | 606 | should 'not be able to destroy comment' do |
| 601 | 607 | user = Person.new |
| 602 | 608 | profile = Profile.new | ... | ... |