Commit 441955c7a0d94eee1ddec2bab60117695fd6a774
Merge branch 'task_management_permission' into 'master'
Task endpoints should be accessible only to logged-in users. See merge request !980
Showing
2 changed files
with
79 additions
and
3 deletions
app/api/v1/tasks.rb
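--- a/test/api/task_test.rb
+++ b/test/api/task_test.rb
@@ -19,6 +19,15 @@ class TasksTest < ActiveSupport::TestCase
     assert_includes json["tasks"].map { |a| a["id"] }, task.id
   end
 
+  should 'not list tasks of environment for unlogged users' do
+    logout_api
+    environment.add_admin(person)
+    task = create(Task, :requestor => person, :target => environment)
+    get "/api/v1/tasks?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'return environment task by id' do
     environment.add_admin(person)
     task = create(Task, :requestor => person, :target => environment)
@@ -27,6 +36,15 @@ class TasksTest < ActiveSupport::TestCase
     assert_equal task.id, json["task"]["id"]
   end
 
+  should 'not return environment task by id for unlogged users' do
+    logout_api
+    environment.add_admin(person)
+    task = create(Task, :requestor => person, :target => environment)
+    get "/api/v1/tasks/#{task.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'not return environmet task if user has no permission to view it' do
     person = fast_create(Person)
     task = create(Task, :requestor => person, :target => environment)
@@ -51,6 +69,19 @@ class TasksTest < ActiveSupport::TestCase
     assert_equal task.id, json["task"]["id"]
   end
 
+  should 'not return task by community for unlogged users' do
+    logout_api
+    community = fast_create(Community)
+    community.add_admin(person)
+
+    task = create(Task, :requestor => person, :target => community)
+    assert person.is_member_of?(community)
+
+    get "/api/v1/communities/#{community.id}/tasks/#{task.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'not return task by community if user has no permission to view it' do
     community = fast_create(Community)
     task = create(Task, :requestor => person, :target => community)
@@ -68,6 +99,15 @@ class TasksTest < ActiveSupport::TestCase
     assert_not_nil json["task"]["id"]
   end
 
+  should 'not create task in a community for unlogged users' do
+    logout_api
+    community = fast_create(Community)
+    give_permission(person, 'perform_task', community)
+    post "/api/v1/communities/#{community.id}/tasks?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'create task defining the requestor as current profile logged in' do
     community = fast_create(Community)
     community.add_member(person)
@@ -99,6 +139,14 @@ class TasksTest < ActiveSupport::TestCase
     assert_equal task.id, json["task"]["id"]
   end
 
+  should 'not return task by person for unlogged users' do
+    logout_api
+    task = create(Task, :requestor => person, :target => person)
+    get "/api/v1/people/#{person.id}/tasks/#{task.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'not return task by person if user has no permission to view it' do
     some_person = fast_create(Person)
     task = create(Task, :requestor => person, :target => some_person)
@@ -113,6 +161,13 @@ class TasksTest < ActiveSupport::TestCase
     assert_not_nil json["task"]["id"]
   end
 
+  should 'not create task in person for unlogged users' do
+    logout_api
+    post "/api/v1/people/#{person.id}/tasks?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'create task for another person' do
     some_person = fast_create(Person)
     post "/api/v1/people/#{some_person.id}/tasks?#{params.to_query}"
@@ -144,6 +199,19 @@ class TasksTest < ActiveSupport::TestCase
     assert_equal task.id, json["task"]["id"]
   end
 
+  should 'not return task by enterprise for unlogged users' do
+    logout_api
+    enterprise = fast_create(Enterprise)
+    enterprise.add_admin(person)
+
+    task = create(Task, :requestor => person, :target => enterprise)
+    assert person.is_member_of?(enterprise)
+
+    get "/api/v1/enterprises/#{enterprise.id}/tasks/#{task.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'not return task by enterprise if user has no permission to view it' do
     enterprise = fast_create(Enterprise)
     task = create(Task, :requestor => person, :target => enterprise)
@@ -161,6 +229,15 @@ class TasksTest < ActiveSupport::TestCase
     assert_not_nil json["task"]["id"]
   end
 
+  should 'not create task in a enterprise for unlogged users' do
+    logout_api
+    enterprise = fast_create(Enterprise)
+    give_permission(person, 'perform_task', enterprise)
+    post "/api/v1/enterprises/#{enterprise.id}/tasks?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
   should 'create task defining the target as the enterprise' do
     enterprise = fast_create(Enterprise)
     enterprise.add_member(person)
@@ -170,4 +247,5 @@ class TasksTest < ActiveSupport::TestCase
 
     assert_equal enterprise, Task.last.target
   end
+
 end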
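Review bot: Every new `... for unlogged users` test assigns `json = JSON.parse(last_response.body)` and never reads it, so the only effective check is the 401 status while the parse adds an unrelated failure mode — if the 401 response body is empty or not JSON, the test errors before the assertion runs. Either drop that line or make it earn its place as a leakage check, e.g. `assert_equal 401, last_response.status` followed by `assert_nil JSON.parse(last_response.body)["task"]`, but only if the API is known to return a JSON body on 401, which I cannot confirm from this page. These tests also depend on `logout_api` clearing the credential out of `params` before `params.to_query` is interpolated into the URL; if it does not, the requests stay authenticated and the 401 assertions would be testing nothing, so it is worth confirming what `logout_api` resets. The `params`, `person` and `environment` helpers and the test setup live outside the hunks shown here.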