Commit 52a0efb067dcd141039ea7b199aca15f484b3032

Authored by Evandro Junior
Committed by Leandro Santos
1 parent 669be165

Added tests to filter anonymous access and removed some api restrictions

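--- a/lib/noosfero/api/v1/enterprises.rb
+++ b/lib/noosfero/api/v1/enterprises.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Enterprises < Grape::API
-before { authenticate! }
 
 resource :enterprises do
 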
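Review bot: Dropping `before { authenticate! }` at old line 5 opens every route under `resource :enterprises` to anonymous callers, and unlike the users.rb change in this commit no per-route `authenticate!` is re-added here; the resource body continues outside the hunk, so whether it only serves public reads cannot be seen from this diff. Any route that mutates state or returns non-public data now needs its own `authenticate!` (plus an authorization check where the data belongs to a specific user), as was done for `/me` and `:id/permissions` in users.rb. The new enterprises_test cases only exercise anonymous reads of public custom fields, so an anonymous request against a restricted enterprise route would currently be untested. A comment above the resource, `# no class-level authenticate!: routes serving non-public data must call it themselves`, would make the new contract explicit for the next endpoint added.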
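--- a/lib/noosfero/api/v1/users.rb
+++ b/lib/noosfero/api/v1/users.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Users < Grape::API
-before { authenticate! }
 
 resource :users do
 
@@ -13,6 +12,7 @@ module Noosfero
 end
 
 get "/me" do
+authenticate!
 present current_user, :with => Entities::User, :current_person => current_person
 end
 
@@ -25,6 +25,7 @@ module Noosfero
 end
 
 get ":id/permissions" do
+authenticate!
 user = environment.users.find(params[:id])
 output = {}
 user.person.role_assignments.map do |role_assigment|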
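Review bot: `authenticate!` at new line 28 only establishes that a session exists; the route then loads `environment.users.find(params[:id])` for whatever id was supplied and walks its role assignments, so any logged-in user can read another user's permissions unless a check further down restricts it (the route body continues outside the hunk, so that cannot be confirmed here). If the intent matches the users_test cases that hide `permissions` from non-self viewers on `users/:id`, this route should reject the request when `user.person != current_person` (or the caller is not an admin) right after the lookup, using the API's existing forbidden response. The first hunk also makes the users index route anonymous, but the tests added in this commit only exercise `users/:id` anonymously; an anonymous `GET /api/v1/users/` test would pin what the listing exposes.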
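--- a/test/api/communities_test.rb
+++ b/test/api/communities_test.rb
@@ -283,4 +283,30 @@ class CommunitiesTest < ActiveSupport::TestCase
 assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
 end
 
+should 'display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+some_community = fast_create(Community)
+some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+some_community.save!
+
+get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['community']['additional_data'].has_key?('Rating')
+assert_equal "Five stars", json['community']['additional_data']['Rating']
+end
+
+should 'not display private custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+some_community = fast_create(Community)
+some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+some_community.save!
+
+get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json['community']['additional_data'].has_key?('Rating')
+end
+
+
 end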
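Review bot: The two new tests (new lines 286-309) repeat the same five setup lines and differ only in the `"public"` flag, and the same copy appears again in the enterprises_test and profiles_test sections of this commit. A small helper that creates the custom field and the community with a given flag would keep the public/private distinction visible on one line per test and make the three files easier to keep in sync. The two blank lines before the closing `end` (new lines 310-311) should also be collapsed to one.
```ruby
# … unchanged: earlier tests …
def create_rated_community(public_flag)
  CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
  fast_create(Community).tap do |community|
    community.custom_values = { "Rating" => { "value" => "Five stars", "public" => public_flag } }
    community.save!
  end
end

should 'display public custom fields to anonymous' do
  anonymous_setup
  some_community = create_rated_community("true")
  # … unchanged: request, parse and assertions …
end
```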
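--- a/test/api/enterprises_test.rb
+++ b/test/api/enterprises_test.rb
@@ -107,4 +107,29 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
 end
 
+should 'display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+some_enterprise = fast_create(Enterprise)
+some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+some_enterprise.save!
+
+get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['enterprise']['additional_data'].has_key?('Rating')
+assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
+end
+
+should 'not display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+some_enterprise = fast_create(Enterprise)
+some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+some_enterprise.save!
+
+get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json['enterprise']['additional_data'].has_key?('Rating')
+end
+
 end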
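Review bot: The test name at new line 123, `'not display public custom fields to anonymous'`, says the opposite of what the body checks: the field is created with `"public" => "false"` and the assertion is a `refute`. Rename it to `should 'not display private custom fields to anonymous' do`, which is the name the equivalent communities and profiles tests in this commit use, so a failure report points at the right behaviour.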
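--- a/test/api/people_test.rb
+++ b/test/api/people_test.rb
@@ -348,6 +348,17 @@ class PeopleTest < ActiveSupport::TestCase
 assert_equal json['person']['additional_data'], {}
 end
 
+should 'hide private fields to anonymous' do
+anonymous_setup
+target_person = create_user('some-user').person
+target_person.save!
+
+get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json["user"].has_key?("permissions")
+refute json["user"].has_key?("activated")
+end
+
 should 'display non-public custom fields to friend' do
 login_api
 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)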
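Review bot: The test added at new lines 351-360 requests `/api/v1/users/:id` and asserts on `json["user"]`, so it exercises the users endpoint rather than the people endpoint this file covers, and the same test is added word for word to test/api/users_test.rb in this commit. Keep the copy in users_test.rb and drop this one, or, if a people-level check is wanted, point it at `/api/v1/people/:id` and assert on the person entity. The `target_person.save!` right after `create_user(...)` changes nothing and can go as well.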
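--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -103,4 +103,30 @@ class ProfilesTest < ActiveSupport::TestCase
 assert_equal community.id, json['id']
 end
 
+should 'display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+some_profile = fast_create(Profile)
+some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+some_profile.save!
+
+get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['additional_data'].has_key?('Rating')
+assert_equal "Five stars", json['additional_data']['Rating']
+end
+
+should 'not display private custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+some_profile = fast_create(Profile)
+some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+some_profile.save!
+
+get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json.has_key?('Rating')
+end
+
+
 end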
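Review bot: `refute json.has_key?('Rating')` at new line 128 looks for the key at the top level of the response, while the positive test just above reads the value from `json['additional_data']['Rating']`; the top-level hash never carries a `Rating` key, so this assertion passes whether or not the private value leaks, and the test does not actually guard anything. Change it to `refute json['additional_data'].has_key?('Rating')`, matching the communities and enterprises tests in this commit. The two blank lines before the closing `end` (new lines 130-131) should also be reduced to one.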
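--- a/test/api/users_test.rb
+++ b/test/api/users_test.rb
@@ -3,23 +3,22 @@ require_relative 'test_helper'
 
 class UsersTest < ActiveSupport::TestCase
 
-def setup
+should 'logger user list users' do
 login_api
-end
-
-should 'list users' do
 get "/api/v1/users/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_includes json["users"].map { |a| a["login"] }, user.login
 end
 
-should 'get user' do
+should 'logger user get user info' do
+login_api
 get "/api/v1/users/#{user.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
 
-should 'list user permissions' do
+should 'logger user list user permissions' do
+login_api
 community = fast_create(Community)
 community.add_admin(person)
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
@@ -28,25 +27,29 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'get logged user' do
+login_api
 get "/api/v1/users/me?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
 
 should 'not show permissions to logged user' do
+login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 refute json["user"].has_key?("permissions")
 end
 
-should 'show permissions to self' do
+should 'logger user show permissions to self' do
+login_api
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert json["user"].has_key?("permissions")
 end
 
 should 'not show permissions to friend' do
+login_api
 target_person = create_user('some-user').person
 
 f = Friendship.new
@@ -60,6 +63,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'not show private attribute to logged user' do
+login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -67,6 +71,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show private attr to friend' do
+login_api
 target_person = create_user('some-user').person
 f = Friendship.new
 f.friend = target_person
@@ -79,6 +84,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show public attribute to logged user' do
+login_api
 target_person = create_user('some-user').person
 target_person.fields_privacy={:email=> 'public'}
 target_person.save!
@@ -89,6 +95,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show public and private field to admin' do
+login_api
 Environment.default.add_admin(person)
 
 target_person = create_user('some-user').person
@@ -102,4 +109,26 @@ class UsersTest < ActiveSupport::TestCase
 assert json["user"].has_key?("activated")
 end
 
+should 'show public fields to anonymous' do
+anonymous_setup
+target_person = create_user('some-user').person
+target_person.fields_privacy={:email=> 'public'}
+target_person.save!
+
+get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json["user"].has_key?("email")
+end
+
+should 'hide private fields to anonymous' do
+anonymous_setup
+target_person = create_user('some-user').person
+target_person.save!
+
+get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json["user"].has_key?("permissions")
+refute json["user"].has_key?("activated")
+end
+
 end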
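Review bot: The renamed tests in the first hunk (new lines 6, 13 and 20) and the second hunk (new line 44) read `'logger user ...'` where `'logged user ...'` is meant, as the untouched `'get logged user'` at new line 29 already spells it; e.g. `should 'logged user list users' do`. Now that the `setup` block no longer logs in, the explicit `login_api` in each test is the only thing distinguishing the logged-in cases from the new anonymous ones, so the names are worth getting right. In the last hunk, `target_person.save!` at new line 126 follows `create_user(...)` with no intervening change and can be dropped.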