Download as
Browse Code »

Commit 2af0cb9b45316a28662d90032c5101ad7518e44f

Authored by Victor Costa
1 parent 733814ea
Exists in staging and in 21 other branches all_pending_tasks_api, api_roles, comments_permissions, elasticsearch, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, environment-exposes-api, external_followers, federation_oauth_provider, follower_permition, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, profile_api_improvements, user_mention

api: endpoint to edit blocks

Showing 4 changed files with 101 additions and 0 deletions   Show diff stats
app/api/v1/blocks.rb
  Diff comments   View file @2af0cb9
... ... @@ -8,6 +8,13 @@ module Api
8 8 return forbidden! unless block.visible_to_user?(current_person)
9 9 present block, :with => Entities::Block, display_api_content: true
10 10 end
  11 +
  12 + post ':id' do
  13 + block = Block.find(params["id"])
  14 + return forbidden! unless block.allow_edit?(current_person)
  15 + block.update_attributes!(params[:block])
  16 + present block, :with => Entities::Block, display_api_content: true
  17 + end
11 18 end
12 19 end
13 20  
... ...
app/models/block.rb
  Diff comments   View file @2af0cb9
... ... @@ -309,6 +309,16 @@ class Block < ApplicationRecord
309 309 false
310 310 end
311 311  
  312 + def allow_edit?(person)
  313 + return false if person.nil? || (!person.is_admin? && !editable?(person))
  314 + if self.owner.kind_of?(Profile)
  315 + return person.has_permission?(:edit_profile_design, owner)
  316 + elsif self.owner.kind_of?(Environment)
  317 + return person.has_permission?(:edit_environment_design, owner)
  318 + end
  319 + false
  320 + end
  321 +
312 322 private
313 323  
314 324 def home_page_path
... ...
test/api/blocks_test.rb
  Diff comments   View file @2af0cb9
... ... @@ -94,4 +94,32 @@ class BlocksTest < ActiveSupport::TestCase
94 94 assert_equal "<div>test</div>", json["block"]["api_content"]["html"]
95 95 end
96 96  
  97 + should 'not allow block edition when user has not the permission for profile' do
  98 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  99 + block = fast_create(Block, box_id: box.id)
  100 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  101 + assert_equal 403, last_response.status
  102 + end
  103 +
  104 + should 'allow block edition when user has permission to edit profile design' do
  105 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  106 + block = fast_create(Block, box_id: box.id)
  107 + give_permission(person, 'edit_profile_design', profile)
  108 + params[:block] = {title: 'block title'}
  109 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  110 + json = JSON.parse(last_response.body)
  111 + assert_equal 201, last_response.status
  112 + assert_equal 'block title', json['block']['title']
  113 + end
  114 +
  115 + should 'save custom block parameters' do
  116 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  117 + block = fast_create(RawHTMLBlock, box_id: box.id)
  118 + Environment.default.add_admin(person)
  119 + params[:block] = {title: 'block title', html: "block content"}
  120 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  121 + json = JSON.parse(last_response.body)
  122 + assert_equal 201, last_response.status
  123 + assert_equal 'block content', json['block']['api_content']['html']
  124 + end
97 125 end
... ...
test/unit/block_test.rb
  Diff comments   View file @2af0cb9
... ... @@ -421,4 +421,60 @@ class BlockTest &lt; ActiveSupport::TestCase
421 421 block.expects(:display_to_user?).returns(false)
422 422 assert !block.visible_to_user?(nil)
423 423 end
  424 +
  425 + should 'not allow block edition when user has not the permission for profile design' do
  426 + block = Block.new
  427 + profile = fast_create(Profile)
  428 + block.stubs(:owner).returns(profile)
  429 + person = create_user('person_one').person
  430 + assert !block.allow_edit?(person)
  431 + end
  432 +
  433 + should 'allow block edition when user has permission to edit profile design' do
  434 + block = Block.new
  435 + profile = fast_create(Profile)
  436 + block.stubs(:owner).returns(profile)
  437 + person = create_user('person_one').person
  438 + give_permission(person, 'edit_profile_design', profile)
  439 + assert block.allow_edit?(person)
  440 + end
  441 +
  442 + should 'not allow block edition when user is nil' do
  443 + block = Block.new
  444 + assert !block.allow_edit?(nil)
  445 + end
  446 +
  447 + should 'not allow block edition when block is not editable' do
  448 + block = Block.new
  449 + person = create_user('person_one').person
  450 + block.expects(:editable?).returns(false)
  451 + assert !block.allow_edit?(person)
  452 + end
  453 +
  454 + should 'allow block edition when block is not editable but user is admin' do
  455 + block = Block.new
  456 + profile = fast_create(Profile)
  457 + block.stubs(:owner).returns(profile)
  458 + person = create_user('person_one').person
  459 + Environment.default.add_admin(person)
  460 + block.stubs(:editable?).returns(false)
  461 + assert block.allow_edit?(person)
  462 + end
  463 +
  464 + should 'not allow block edition when user has not the permission for environment design' do
  465 + block = Block.new
  466 + environment = Environment.default
  467 + block.stubs(:owner).returns(environment)
  468 + person = create_user('person_one').person
  469 + assert !block.allow_edit?(person)
  470 + end
  471 +
  472 + should 'allow block edition when user has the permission for environment design' do
  473 + block = Block.new
  474 + environment = Environment.default
  475 + block.stubs(:owner).returns(environment)
  476 + person = create_user('person_one').person
  477 + give_permission(person, 'edit_environment_design', environment)
  478 + assert block.allow_edit?(person)
  479 + end
424 480 end
... ...