Commit 441955c7a0d94eee1ddec2bab60117695fd6a774

Authored by Victor Costa
2 parents 56cc28dc 4ab09e4f

Merge branch 'task_management_permission' into 'master'

Task endpoints should be accessible only to logged-in users



See merge request !980
Showing 2 changed files with 79 additions and 3 deletions
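--- a/app/api/v1/tasks.rb
+++ b/app/api/v1/tasks.rb
@@ -1,9 +1,7 @@
 module Api
 module V1
 class Tasks < Grape::API
-# before { authenticate! }
-
-# ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+before { authenticate! }
 
 resource :tasks do
 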
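Review bot: The re-enabled `before { authenticate! }` gates every route declared in `Tasks`, including the nested resource blocks that follow, but nothing in the hunk records that intent or what an unauthenticated caller receives; a one-line comment above it would spare the next reader a trip to the helper, e.g. `# every task endpoint requires a logged-in user; unauthenticated requests are rejected (the API tests expect 401)`. Because `authenticate!` is defined outside this file, whether it halts with 401 or raises is inferred here only from the accompanying tests. The class body continues past the hunk.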
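--- a/test/api/task_test.rb
+++ b/test/api/task_test.rb
@@ -19,6 +19,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_includes json["tasks"].map { |a| a["id"] }, task.id
 end
 
+should 'not list tasks of environment for unlogged users' do
+logout_api
+environment.add_admin(person)
+task = create(Task, :requestor => person, :target => environment)
+get "/api/v1/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'return environment task by id' do
 environment.add_admin(person)
 task = create(Task, :requestor => person, :target => environment)
@@ -27,6 +36,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return environment task by id for unlogged users' do
+logout_api
+environment.add_admin(person)
+task = create(Task, :requestor => person, :target => environment)
+get "/api/v1/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return environmet task if user has no permission to view it' do
 person = fast_create(Person)
 task = create(Task, :requestor => person, :target => environment)
@@ -51,6 +69,19 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by community for unlogged users' do
+logout_api
+community = fast_create(Community)
+community.add_admin(person)
+
+task = create(Task, :requestor => person, :target => community)
+assert person.is_member_of?(community)
+
+get "/api/v1/communities/#{community.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by community if user has no permission to view it' do
 community = fast_create(Community)
 task = create(Task, :requestor => person, :target => community)
@@ -68,6 +99,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in a community for unlogged users' do
+logout_api
+community = fast_create(Community)
+give_permission(person, 'perform_task', community)
+post "/api/v1/communities/#{community.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task defining the requestor as current profile logged in' do
 community = fast_create(Community)
 community.add_member(person)
@@ -99,6 +139,14 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by person for unlogged users' do
+logout_api
+task = create(Task, :requestor => person, :target => person)
+get "/api/v1/people/#{person.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by person if user has no permission to view it' do
 some_person = fast_create(Person)
 task = create(Task, :requestor => person, :target => some_person)
@@ -113,6 +161,13 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in person for unlogged users' do
+logout_api
+post "/api/v1/people/#{person.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task for another person' do
 some_person = fast_create(Person)
 post "/api/v1/people/#{some_person.id}/tasks?#{params.to_query}"
@@ -144,6 +199,19 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by enterprise for unlogged users' do
+logout_api
+enterprise = fast_create(Enterprise)
+enterprise.add_admin(person)
+
+task = create(Task, :requestor => person, :target => enterprise)
+assert person.is_member_of?(enterprise)
+
+get "/api/v1/enterprises/#{enterprise.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by enterprise if user has no permission to view it' do
 enterprise = fast_create(Enterprise)
 task = create(Task, :requestor => person, :target => enterprise)
@@ -161,6 +229,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in a enterprise for unlogged users' do
+logout_api
+enterprise = fast_create(Enterprise)
+give_permission(person, 'perform_task', enterprise)
+post "/api/v1/enterprises/#{enterprise.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task defining the target as the enterprise' do
 enterprise = fast_create(Enterprise)
 enterprise.add_member(person)
@@ -170,4 +247,5 @@ class TasksTest < ActiveSupport::TestCase
 
 assert_equal enterprise, Task.last.target
 end
+
 end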
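Review bot: Every one of the nine new unlogged-user tests (from 'not list tasks of environment for unlogged users' through 'not create task in a enterprise for unlogged users') assigns `json = JSON.parse(last_response.body)` and never reads it, so the line is dead code and, if a 401 body is ever not valid JSON, it raises JSON::ParserError before the status assertion runs and the test fails for the wrong reason. Either drop that line from each test or turn it into an assertion on the error payload the API actually returns, so the test pins the rejection rather than just tolerating it. The test name 'not create task in a enterprise for unlogged users' should read 'in an enterprise', matching its 'in a community' sibling. The enclosing TasksTest class starts before the first hunk.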