Commit 3aab4dac27a96bff644f7dae7ac5cf860e808618
1 parent
733814ea
Exists in
staging
and in
22 other branches
api: return permissions for user in profile entity
Showing
6 changed files
with
47 additions
and
3 deletions
Show diff stats
app/api/entities.rb
| @@ -121,6 +121,10 @@ module Api | @@ -121,6 +121,10 @@ module Api | ||
| 121 | expose :type | 121 | expose :type |
| 122 | expose :custom_header | 122 | expose :custom_header |
| 123 | expose :custom_footer | 123 | expose :custom_footer |
| 124 | + expose :permissions do |profile, options| | ||
| 125 | + Entities.permissions_for_entity(profile, options[:current_person], | ||
| 126 | + :allow_post_content?, :allow_edit?, :allow_destroy?) | ||
| 127 | + end | ||
| 124 | end | 128 | end |
| 125 | 129 | ||
| 126 | class UserBasic < Entity | 130 | class UserBasic < Entity |
app/api/v1/profiles.rb
| @@ -27,7 +27,7 @@ module Api | @@ -27,7 +27,7 @@ module Api | ||
| 27 | post ':id' do | 27 | post ':id' do |
| 28 | authenticate! | 28 | authenticate! |
| 29 | profile = environment.profiles.find_by(id: params[:id]) | 29 | profile = environment.profiles.find_by(id: params[:id]) |
| 30 | - return forbidden! unless current_person.has_permission?(:edit_profile, profile) | 30 | + return forbidden! unless profile.allow_edit?(current_person) |
| 31 | profile.update_attributes!(params[:profile]) | 31 | profile.update_attributes!(params[:profile]) |
| 32 | present profile, :with => Entities::Profile, :current_person => current_person | 32 | present profile, :with => Entities::Profile, :current_person => current_person |
| 33 | end | 33 | end |
| @@ -39,7 +39,7 @@ module Api | @@ -39,7 +39,7 @@ module Api | ||
| 39 | 39 | ||
| 40 | not_found! if profile.blank? | 40 | not_found! if profile.blank? |
| 41 | 41 | ||
| 42 | - if current_person.has_permission?(:destroy_profile, profile) | 42 | + if profile.allow_destroy?(current_person) |
| 43 | profile.destroy | 43 | profile.destroy |
| 44 | else | 44 | else |
| 45 | forbidden! | 45 | forbidden! |
app/models/article.rb
| @@ -567,7 +567,7 @@ class Article < ApplicationRecord | @@ -567,7 +567,7 @@ class Article < ApplicationRecord | ||
| 567 | 567 | ||
| 568 | def allow_post_content?(user = nil) | 568 | def allow_post_content?(user = nil) |
| 569 | return true if allow_edit_topic?(user) | 569 | return true if allow_edit_topic?(user) |
| 570 | - user && (user.has_permission?('post_content', profile) || allow_publish_content?(user) && (user == author)) | 570 | + user && (profile.allow_post_content?(user) || allow_publish_content?(user) && (user == author)) |
| 571 | end | 571 | end |
| 572 | 572 | ||
| 573 | def allow_publish_content?(user = nil) | 573 | def allow_publish_content?(user = nil) |
app/models/profile.rb
| @@ -1137,4 +1137,15 @@ private :generate_url, :url_options | @@ -1137,4 +1137,15 @@ private :generate_url, :url_options | ||
| 1137 | false | 1137 | false |
| 1138 | end | 1138 | end |
| 1139 | 1139 | ||
| 1140 | + def allow_post_content?(person = nil) | ||
| 1141 | + person.kind_of?(Profile) && person.has_permission?('post_content', self) | ||
| 1142 | + end | ||
| 1143 | + | ||
| 1144 | + def allow_edit?(person = nil) | ||
| 1145 | + person.kind_of?(Profile) && person.has_permission?('edit_profile', self) | ||
| 1146 | + end | ||
| 1147 | + | ||
| 1148 | + def allow_destroy?(person = nil) | ||
| 1149 | + person.kind_of?(Profile) && person.has_permission?('destroy_profile', self) | ||
| 1150 | + end | ||
| 1140 | end | 1151 | end |
test/api/profiles_test.rb
| @@ -191,4 +191,13 @@ class ProfilesTest < ActiveSupport::TestCase | @@ -191,4 +191,13 @@ class ProfilesTest < ActiveSupport::TestCase | ||
| 191 | post "/api/v1/profiles/#{profile.id}?#{params.to_query}" | 191 | post "/api/v1/profiles/#{profile.id}?#{params.to_query}" |
| 192 | assert_equal 403, last_response.status | 192 | assert_equal 403, last_response.status |
| 193 | end | 193 | end |
| 194 | + | ||
| 195 | + should 'list profile permissions when get an article' do | ||
| 196 | + login_api | ||
| 197 | + profile = fast_create(Profile) | ||
| 198 | + give_permission(person, 'post_content', profile) | ||
| 199 | + get "/api/v1/profiles/#{profile.id}?#{params.to_query}" | ||
| 200 | + json = JSON.parse(last_response.body) | ||
| 201 | + assert_includes json["permissions"], 'allow_post_content' | ||
| 202 | + end | ||
| 194 | end | 203 | end |
test/unit/profile_test.rb
| @@ -2204,4 +2204,24 @@ class ProfileTest < ActiveSupport::TestCase | @@ -2204,4 +2204,24 @@ class ProfileTest < ActiveSupport::TestCase | ||
| 2204 | assert_not_includes profiles, p3 | 2204 | assert_not_includes profiles, p3 |
| 2205 | assert_not_includes profiles, p4 | 2205 | assert_not_includes profiles, p4 |
| 2206 | end | 2206 | end |
| 2207 | + | ||
| 2208 | + ['post_content', 'edit_profile', 'destroy_profile'].each do |permission| | ||
| 2209 | + should "return true in #{permission} when user has this permission" do | ||
| 2210 | + profile = fast_create(Profile) | ||
| 2211 | + person = fast_create(Person) | ||
| 2212 | + give_permission(person, permission, profile) | ||
| 2213 | + assert profile.send("allow_#{permission.gsub(/_profile/,'')}?", person) | ||
| 2214 | + end | ||
| 2215 | + | ||
| 2216 | + should "return false in #{permission} when user doesn't have this permission" do | ||
| 2217 | + profile = fast_create(Profile) | ||
| 2218 | + person = fast_create(Person) | ||
| 2219 | + assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", person) | ||
| 2220 | + end | ||
| 2221 | + | ||
| 2222 | + should "return false in #{permission} when user is nil" do | ||
| 2223 | + profile = fast_create(Profile) | ||
| 2224 | + assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", nil) | ||
| 2225 | + end | ||
| 2226 | + end | ||
| 2207 | end | 2227 | end |