Commit 233fde062217f9e527c8f796ce01ba854c7fe156
Exists in
staging
and in
1 other branch
Merge branch 'master' into staging
Showing
5 changed files
with
114 additions
and
1 deletions
Show diff stats
app/api/entities.rb
| ... | ... | @@ -88,6 +88,9 @@ module Api |
| 88 | 88 | expose :id, :type, :settings, :position, :enabled |
| 89 | 89 | expose :mirror, :mirror_block_id, :title |
| 90 | 90 | expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? } |
| 91 | + expose :permissions do |block, options| | |
| 92 | + Entities.permissions_for_entity(block, options[:current_person], :allow_edit?) | |
| 93 | + end | |
| 91 | 94 | end |
| 92 | 95 | |
| 93 | 96 | class Box < Entity | ... | ... |
app/api/v1/blocks.rb
| ... | ... | @@ -6,7 +6,14 @@ module Api |
| 6 | 6 | get ':id' do |
| 7 | 7 | block = Block.find(params["id"]) |
| 8 | 8 | return forbidden! unless block.visible_to_user?(current_person) |
| 9 | - present block, :with => Entities::Block, display_api_content: true | |
| 9 | + present block, :with => Entities::Block, display_api_content: true, current_person: current_person | |
| 10 | + end | |
| 11 | + | |
| 12 | + post ':id' do | |
| 13 | + block = Block.find(params["id"]) | |
| 14 | + return forbidden! unless block.allow_edit?(current_person) | |
| 15 | + block.update_attributes!(params[:block]) | |
| 16 | + present block, :with => Entities::Block, display_api_content: true, current_person: current_person | |
| 10 | 17 | end |
| 11 | 18 | end |
| 12 | 19 | end | ... | ... |
app/models/block.rb
| ... | ... | @@ -309,6 +309,16 @@ class Block < ApplicationRecord |
| 309 | 309 | false |
| 310 | 310 | end |
| 311 | 311 | |
| 312 | + def allow_edit?(person) | |
| 313 | + return false if person.nil? || (!person.is_admin? && !editable?(person)) | |
| 314 | + if self.owner.kind_of?(Profile) | |
| 315 | + return person.has_permission?(:edit_profile_design, owner) | |
| 316 | + elsif self.owner.kind_of?(Environment) | |
| 317 | + return person.has_permission?(:edit_environment_design, owner) | |
| 318 | + end | |
| 319 | + false | |
| 320 | + end | |
| 321 | + | |
| 312 | 322 | private |
| 313 | 323 | |
| 314 | 324 | def home_page_path | ... | ... |
test/api/blocks_test.rb
| ... | ... | @@ -94,4 +94,41 @@ class BlocksTest < ActiveSupport::TestCase |
| 94 | 94 | assert_equal "<div>test</div>", json["block"]["api_content"]["html"] |
| 95 | 95 | end |
| 96 | 96 | |
| 97 | + should 'not allow block edition when user has not the permission for profile' do | |
| 98 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | |
| 99 | + block = fast_create(Block, box_id: box.id) | |
| 100 | + post "/api/v1/blocks/#{block.id}?#{params.to_query}" | |
| 101 | + assert_equal 403, last_response.status | |
| 102 | + end | |
| 103 | + | |
| 104 | + should 'allow block edition when user has permission to edit profile design' do | |
| 105 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | |
| 106 | + block = fast_create(Block, box_id: box.id) | |
| 107 | + give_permission(person, 'edit_profile_design', profile) | |
| 108 | + params[:block] = {title: 'block title'} | |
| 109 | + post "/api/v1/blocks/#{block.id}?#{params.to_query}" | |
| 110 | + json = JSON.parse(last_response.body) | |
| 111 | + assert_equal 201, last_response.status | |
| 112 | + assert_equal 'block title', json['block']['title'] | |
| 113 | + end | |
| 114 | + | |
| 115 | + should 'save custom block parameters' do | |
| 116 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | |
| 117 | + block = fast_create(RawHTMLBlock, box_id: box.id) | |
| 118 | + Environment.default.add_admin(person) | |
| 119 | + params[:block] = {title: 'block title', html: "block content"} | |
| 120 | + post "/api/v1/blocks/#{block.id}?#{params.to_query}" | |
| 121 | + json = JSON.parse(last_response.body) | |
| 122 | + assert_equal 201, last_response.status | |
| 123 | + assert_equal 'block content', json['block']['api_content']['html'] | |
| 124 | + end | |
| 125 | + | |
| 126 | + should 'list block permissions when get a block' do | |
| 127 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | |
| 128 | + block = fast_create(Block, box_id: box.id) | |
| 129 | + give_permission(person, 'edit_profile_design', profile) | |
| 130 | + get "/api/v1/blocks/#{block.id}?#{params.to_query}" | |
| 131 | + json = JSON.parse(last_response.body) | |
| 132 | + assert_includes json["block"]["permissions"], 'allow_edit' | |
| 133 | + end | |
| 97 | 134 | end | ... | ... |
test/unit/block_test.rb
| ... | ... | @@ -454,4 +454,60 @@ class BlockTest < ActiveSupport::TestCase |
| 454 | 454 | block.expects(:display_to_user?).returns(false) |
| 455 | 455 | assert !block.visible_to_user?(nil) |
| 456 | 456 | end |
| 457 | + | |
| 458 | + should 'not allow block edition when user has not the permission for profile design' do | |
| 459 | + block = Block.new | |
| 460 | + profile = fast_create(Profile) | |
| 461 | + block.stubs(:owner).returns(profile) | |
| 462 | + person = create_user('person_one').person | |
| 463 | + assert !block.allow_edit?(person) | |
| 464 | + end | |
| 465 | + | |
| 466 | + should 'allow block edition when user has permission to edit profile design' do | |
| 467 | + block = Block.new | |
| 468 | + profile = fast_create(Profile) | |
| 469 | + block.stubs(:owner).returns(profile) | |
| 470 | + person = create_user('person_one').person | |
| 471 | + give_permission(person, 'edit_profile_design', profile) | |
| 472 | + assert block.allow_edit?(person) | |
| 473 | + end | |
| 474 | + | |
| 475 | + should 'not allow block edition when user is nil' do | |
| 476 | + block = Block.new | |
| 477 | + assert !block.allow_edit?(nil) | |
| 478 | + end | |
| 479 | + | |
| 480 | + should 'not allow block edition when block is not editable' do | |
| 481 | + block = Block.new | |
| 482 | + person = create_user('person_one').person | |
| 483 | + block.expects(:editable?).returns(false) | |
| 484 | + assert !block.allow_edit?(person) | |
| 485 | + end | |
| 486 | + | |
| 487 | + should 'allow block edition when block is not editable but user is admin' do | |
| 488 | + block = Block.new | |
| 489 | + profile = fast_create(Profile) | |
| 490 | + block.stubs(:owner).returns(profile) | |
| 491 | + person = create_user('person_one').person | |
| 492 | + Environment.default.add_admin(person) | |
| 493 | + block.stubs(:editable?).returns(false) | |
| 494 | + assert block.allow_edit?(person) | |
| 495 | + end | |
| 496 | + | |
| 497 | + should 'not allow block edition when user has not the permission for environment design' do | |
| 498 | + block = Block.new | |
| 499 | + environment = Environment.default | |
| 500 | + block.stubs(:owner).returns(environment) | |
| 501 | + person = create_user('person_one').person | |
| 502 | + assert !block.allow_edit?(person) | |
| 503 | + end | |
| 504 | + | |
| 505 | + should 'allow block edition when user has the permission for environment design' do | |
| 506 | + block = Block.new | |
| 507 | + environment = Environment.default | |
| 508 | + block.stubs(:owner).returns(environment) | |
| 509 | + person = create_user('person_one').person | |
| 510 | + give_permission(person, 'edit_environment_design', environment) | |
| 511 | + assert block.allow_edit?(person) | |
| 512 | + end | |
| 457 | 513 | end | ... | ... |