Merge branch 'comments_permissions' into 'master'

Exposing permission to delete comment Exposing permission to delete comments in the API See merge request !991

Merge branch 'comments_permissions' into 'master'
Exposing permission to delete comment Exposing permission to delete comments in the API See merge request !991
Leandro Santos
2 parents 7836ee6e c58dacfa
Showing 4 changed files with 43 additions and 0 deletions Show diff stats
app/api/entities.rb
app/models/comment.rb
test/api/comments_test.rb
test/unit/comment_test.rb
@@ -174,6 +174,10 @@ module Api
       expose :created_at, :format_with => :timestamp
       expose :author, :using => Profile
       expose :reply_of, :using => CommentBase
+      expose :permissions do |comment, options|
+        Entities.permissions_for_entity(comment, options[:current_person],
+        :allow_destroy?)
+      end
     end
     class Comment < CommentBase
@@ -212,6 +212,9 @@ class Comment &lt; ApplicationRecord
     user == author || user == profile || user.has_permission?(:moderate_comments, profile)
   end
+  # method used by the API
+  alias_method :allow_destroy?, :can_be_destroyed_by?
+
   def can_be_marked_as_spam_by?(user)
     return if user.nil?
     user == profile || user.has_permission?(:moderate_comments, profile)
@@ -245,4 +245,34 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 500, last_response.status
     assert_includes article.comments, comment
   end
+
+  should 'list allow_destroy permission when get your own comment' do
+    login_api
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'anonymous not allowed to destroy comments' do
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'unprivileged user not be allowed to destroy other people comments' do
+    article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
+    comment = article.comments.create!(body: "some comment", author: @local_person)
+    login_api
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
 end
@@ -597,6 +597,12 @@ class CommentTest &lt; ActiveSupport::TestCase
     refute comment.can_be_destroyed_by?(nil)
   end
+  should 'anonymous has no allow_destroy? permission' do
+    comment = Comment.new
+
+    refute comment.allow_destroy?(nil)
+  end
+
   should 'not be able to destroy comment' do
     user = Person.new
     profile = Profile.new
	@@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase		@@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase
245	assert_equal 500, last_response.status	245	assert_equal 500, last_response.status
246	assert_includes article.comments, comment	246	assert_includes article.comments, comment
247	end	247	end
		248	+
		249	+ should 'list allow_destroy permission when get your own comment' do
		250	+ login_api
		251	+ article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
		252	+ article.comments.create!(:body => "some comment", :author => @person)
		253	+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
		254	+ json = JSON.parse(last_response.body)
		255	+ assert_equal 200, last_response.status
		256	+ assert_includes json["comments"][0]["permissions"], 'allow_destroy'
		257	+ end
		258	+
		259	+ should 'anonymous not allowed to destroy comments' do
		260	+ article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
		261	+ article.comments.create!(:body => "some comment", :author => @person)
		262	+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
		263	+ json = JSON.parse(last_response.body)
		264	+ assert_equal 200, last_response.status
		265	+ assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
		266	+ end
		267	+
		268	+ should 'unprivileged user not be allowed to destroy other people comments' do
		269	+ article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
		270	+ comment = article.comments.create!(body: "some comment", author: @local_person)
		271	+ login_api
		272	+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
		273	+ json = JSON.parse(last_response.body)
		274	+ assert_equal 200, last_response.status
		275	+ assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
		276	+ end
		277	+
248	end	278	end
	@@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase		@@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase
597	refute comment.can_be_destroyed_by?(nil)	597	refute comment.can_be_destroyed_by?(nil)
598	end	598	end
599		599
		600	+ should 'anonymous has no allow_destroy? permission' do
		601	+ comment = Comment.new
		602	+
		603	+ refute comment.allow_destroy?(nil)
		604	+ end
		605	+
600	should 'not be able to destroy comment' do	606	should 'not be able to destroy comment' do
601	user = Person.new	607	user = Person.new
602	profile = Profile.new	608	profile = Profile.new