Download as
Browse Code »

Commit 55c72be93e86011d7b78bc70dec6c0c75bbe83b6

Authored by Leandro Santos
2 parents 1ebe6924 f306fc96
Exists in staging and in 31 other branches all_pending_tasks_api, api-articles-period, api_roles, comments_permissions, elasticsearch, elasticsearch_api, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, elasticsearch_view, environment-exposes-api, export-comment-api, export_data, external_followers, federation-webfinger, federation_followers, federation_followers_backend, federation_oauth_provider, federation_webfinger, fix_notification_email, follower_permition, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, profile_api_improvements, user_mention

Merge branch 'api_visitor' into 'master' 

Some API methods unlocked for visitor

Enable visitor to browser some of the API methods


See merge request !863
Showing 19 changed files with 816 additions and 136 deletions   Show diff stats
app/models/organization.rb
  Diff comments   View file @55c72be
... ... @@ -17,6 +17,8 @@ class Organization < Profile
17 17 # 4) The user is not a member of the organization but the organization is
18 18 # visible, public and enabled.
19 19 def self.visible_for_person(person)
  20 + # Visitor if person.nil?
  21 + person_id = person.nil? ? nil : person.id
20 22 joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
21 23 AND "role_assignments"."resource_type" = \'Profile\') OR (
22 24 "role_assignments"."resource_id" = "profiles"."environment_id" AND
... ... @@ -28,8 +30,8 @@ class Organization < Profile
28 30 ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
29 31 ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
30 32 ( profiles.visible = ? ) )',
31   - 'profile_admin', 'environment_administrator', Profile.name, person.id,
32   - Profile.name, person.id, true, true, true]
  33 + 'profile_admin', 'environment_administrator', Profile.name, person_id,
  34 + Profile.name, person_id, true, true, true]
33 35 ).uniq
34 36 end
35 37  
... ...
app/models/person.rb
  Diff comments   View file @55c72be
... ... @@ -42,6 +42,8 @@ class Person < Profile
42 42 }
43 43  
44 44 scope :visible_for_person, lambda { |person|
  45 + # Visitor if person.nil?
  46 + person_id = person.nil? ? nil : person.id
45 47 joins('LEFT JOIN "role_assignments" ON
46 48 "role_assignments"."resource_id" = "profiles"."environment_id" AND
47 49 "role_assignments"."resource_type" = \'Environment\'')
... ... @@ -49,9 +51,10 @@ class Person < Profile
49 51 .joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
50 52 .where(
51 53 ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
52   - ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )', 'environment_administrator', Profile.name, person.id, person.id, true, true]
  54 + ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
  55 + 'environment_administrator', Profile.name, person_id, person_id, true, true]
53 56 ).uniq
54   - }
  57 + }
55 58  
56 59 def has_permission_with_admin?(permission, resource)
57 60 return true if resource.blank? || resource.admins.include?(self)
... ...
lib/noosfero/api/v1/categories.rb
  Diff comments   View file @55c72be
... ... @@ -2,7 +2,6 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class Categories < Grape::API
5   - before { authenticate! }
6 5  
7 6 resource :categories do
8 7  
... ...
lib/noosfero/api/v1/comments.rb
  Diff comments   View file @55c72be
... ... @@ -4,7 +4,6 @@ module Noosfero
4 4 class Comments < Grape::API
5 5 MAX_PER_PAGE = 20
6 6  
7   - before { authenticate! }
8 7  
9 8 resource :articles do
10 9 paginate max_per_page: MAX_PER_PAGE
... ... @@ -34,6 +33,7 @@ module Noosfero
34 33 # Example Request:
35 34 # POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
36 35 post ":id/comments" do
  36 + authenticate!
37 37 article = find_article(environment.articles, params[:id])
38 38 options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
39 39 begin
... ...
lib/noosfero/api/v1/communities.rb
  Diff comments   View file @55c72be
... ... @@ -2,7 +2,6 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class Communities < Grape::API
5   - before { authenticate! }
6 5  
7 6 resource :communities do
8 7  
... ... @@ -18,7 +17,7 @@ module Noosfero
18 17 # GET /communities?reference_id=10&limit=10&oldest
19 18 get do
20 19 communities = select_filtered_collection_of(environment, 'communities', params)
21   - communities = communities.visible_for_person(current_person)
  20 + communities = communities.visible
22 21 communities = communities.by_location(params) # Must be the last. May return Exception obj.
23 22 present communities, :with => Entities::Community, :current_person => current_person
24 23 end
... ... @@ -28,6 +27,7 @@ module Noosfero
28 27 # POST api/v1/communties?private_token=234298743290432&community[name]=some_name
29 28 # for each custom field for community, add &community[field_name]=field_value to the request
30 29 post do
  30 + authenticate!
31 31 params[:community] ||= {}
32 32  
33 33 params[:community][:custom_values]={}
... ... @@ -49,7 +49,7 @@ module Noosfero
49 49 end
50 50  
51 51 get ':id' do
52   - community = environment.communities.visible_for_person(current_person).find_by id: params[:id]
  52 + community = environment.communities.visible.find_by(id: params[:id])
53 53 present community, :with => Entities::Community, :current_person => current_person
54 54 end
55 55  
... ...
lib/noosfero/api/v1/enterprises.rb
  Diff comments   View file @55c72be
... ... @@ -2,7 +2,6 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class Enterprises < Grape::API
5   - before { authenticate! }
6 5  
7 6 resource :enterprises do
8 7  
... ... @@ -19,14 +18,14 @@ module Noosfero
19 18 # GET /enterprises?reference_id=10&limit=10&oldest
20 19 get do
21 20 enterprises = select_filtered_collection_of(environment, 'enterprises', params)
22   - enterprises = enterprises.visible_for_person(current_person)
  21 + enterprises = enterprises.visible
23 22 enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
24 23 present enterprises, :with => Entities::Enterprise, :current_person => current_person
25 24 end
26 25  
27 26 desc "Return one enterprise by id"
28 27 get ':id' do
29   - enterprise = environment.enterprises.visible_for_person(current_person).find_by id: params[:id]
  28 + enterprise = environment.enterprises.visible.find_by(id: params[:id])
30 29 present enterprise, :with => Entities::Enterprise, :current_person => current_person
31 30 end
32 31  
... ...
lib/noosfero/api/v1/people.rb
  Diff comments   View file @55c72be
... ... @@ -2,7 +2,6 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class People < Grape::API
5   - before { authenticate! }
6 5  
7 6 MAX_PER_PAGE = 50
8 7  
... ... @@ -35,24 +34,26 @@ module Noosfero
35 34 desc "Find environment's people"
36 35 get do
37 36 people = select_filtered_collection_of(environment, 'people', params)
38   - people = people.visible_for_person(current_person)
  37 + people = people.visible
39 38 present_partial people, :with => Entities::Person, :current_person => current_person
40 39 end
41 40  
42 41 desc "Return the logged user information"
43 42 get "/me" do
  43 + authenticate!
44 44 present_partial current_person, :with => Entities::Person, :current_person => current_person
45 45 end
46 46  
47 47 desc "Return the person information"
48 48 get ':id' do
49   - person = environment.people.visible_for_person(current_person).find_by id: params[:id]
  49 + person = environment.people.visible.find_by(id: params[:id])
50 50 return not_found! if person.blank?
51 51 present person, :with => Entities::Person, :current_person => current_person
52 52 end
53 53  
54 54 desc "Update person information"
55 55 post ':id' do
  56 + authenticate!
56 57 return forbidden! if current_person.id.to_s != params[:id]
57 58 current_person.update_attributes!(params[:person])
58 59 present current_person, :with => Entities::Person, :current_person => current_person
... ... @@ -63,6 +64,7 @@ module Noosfero
63 64 # for each custom field for person, add &person[field_name]=field_value to the request
64 65 desc "Create person"
65 66 post do
  67 + authenticate!
66 68 user_data = {}
67 69 user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
68 70 user_data[:email] = params[:person].delete(:email)
... ... @@ -87,7 +89,7 @@ module Noosfero
87 89  
88 90 desc "Return the person friends"
89 91 get ':id/friends' do
90   - person = environment.people.visible_for_person(current_person).find_by id: params[:id]
  92 + person = environment.people.visible.find_by(id: params[:id])
91 93 return not_found! if person.blank?
92 94 friends = person.friends.visible
93 95 present friends, :with => Entities::Person, :current_person => current_person
... ... @@ -95,6 +97,7 @@ module Noosfero
95 97  
96 98 desc "Return the person permissions on other profiles"
97 99 get ":id/permissions" do
  100 + authenticate!
98 101 person = environment.people.find(params[:id])
99 102 return not_found! if person.blank?
100 103 return forbidden! unless current_person == person || environment.admins.include?(current_person)
... ...
lib/noosfero/api/v1/profiles.rb
  Diff comments   View file @55c72be
... ... @@ -2,25 +2,25 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class Profiles < Grape::API
5   - before { authenticate! }
6 5  
7 6 resource :profiles do
8 7  
9 8 get do
10 9 profiles = select_filtered_collection_of(environment, 'profiles', params)
11   - profiles = profiles.visible_for_person(current_person)
  10 + profiles = profiles.visible
12 11 profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
13 12 present profiles, :with => Entities::Profile, :current_person => current_person
14 13 end
15 14  
16 15 get ':id' do
17 16 profiles = environment.profiles
18   - profiles = profiles.visible_for_person(current_person)
  17 + profiles = profiles.visible
19 18 profile = profiles.find_by id: params[:id]
20 19 present profile, :with => Entities::Profile, :current_person => current_person
21 20 end
22 21  
23 22 delete ':id' do
  23 + authenticate!
24 24 profiles = environment.profiles
25 25 profile = profiles.find_by id: params[:id]
26 26  
... ...
lib/noosfero/api/v1/users.rb
  Diff comments   View file @55c72be
... ... @@ -2,7 +2,6 @@ module Noosfero
2 2 module API
3 3 module V1
4 4 class Users < Grape::API
5   - before { authenticate! }
6 5  
7 6 resource :users do
8 7  
... ... @@ -13,6 +12,7 @@ module Noosfero
13 12 end
14 13  
15 14 get "/me" do
  15 + authenticate!
16 16 present current_user, :with => Entities::User, :current_person => current_person
17 17 end
18 18  
... ... @@ -25,6 +25,7 @@ module Noosfero
25 25 end
26 26  
27 27 get ":id/permissions" do
  28 + authenticate!
28 29 user = environment.users.find(params[:id])
29 30 output = {}
30 31 user.person.role_assignments.map do |role_assigment|
... ...
test/api/categories_test.rb
  Diff comments   View file @55c72be
... ... @@ -2,25 +2,25 @@ require_relative &#39;test_helper&#39;
2 2  
3 3 class CategoriesTest < ActiveSupport::TestCase
4 4  
5   - def setup
6   - login_api
7   - end
8 5  
9   - should 'list categories' do
  6 + should 'logged user list categories' do
  7 + login_api
10 8 category = fast_create(Category, :environment_id => environment.id)
11 9 get "/api/v1/categories/?#{params.to_query}"
12 10 json = JSON.parse(last_response.body)
13 11 assert_includes json["categories"].map { |c| c["name"] }, category.name
14 12 end
15 13  
16   - should 'get category by id' do
  14 + should 'logged user get category by id' do
  15 + login_api
17 16 category = fast_create(Category, :environment_id => environment.id)
18 17 get "/api/v1/categories/#{category.id}/?#{params.to_query}"
19 18 json = JSON.parse(last_response.body)
20 19 assert_equal category.name, json["category"]["name"]
21 20 end
22 21  
23   - should 'list parent and children when get category by id' do
  22 + should 'logged user list parent and children when get category by id' do
  23 + login_api
24 24 parent = fast_create(Category, :environment_id => environment.id)
25 25 child_1 = fast_create(Category, :environment_id => environment.id)
26 26 child_2 = fast_create(Category, :environment_id => environment.id)
... ... @@ -37,7 +37,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
37 37 assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
38 38 end
39 39  
40   - should 'include parent in categories list if params is true' do
  40 + should 'logged user include parent in categories list if params is true' do
  41 + login_api
41 42 parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
42 43 child_1 = fast_create(Category, :environment_id => environment.id)
43 44 child_2 = fast_create(Category, :environment_id => environment.id)
... ... @@ -59,7 +60,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
59 60 json["categories"].map { |c| c['parent'] && c['parent']['id'] }
60 61 end
61 62  
62   - should 'include children in categories list if params is true' do
  63 + should 'logged user include children in categories list if params is true' do
  64 + login_api
63 65 category = fast_create(Category, :environment_id => environment.id)
64 66 child_1 = fast_create(Category, :environment_id => environment.id)
65 67 child_2 = fast_create(Category, :environment_id => environment.id)
... ... @@ -86,7 +88,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
86 88 expose_attributes = %w(id name full_name image display_color)
87 89  
88 90 expose_attributes.each do |attr|
89   - should "expose category #{attr} attribute by default" do
  91 + should "logged user expose category #{attr} attribute by default" do
  92 + login_api
90 93 category = fast_create(Category, :environment_id => environment.id)
91 94 get "/api/v1/categories/?#{params.to_query}"
92 95 json = JSON.parse(last_response.body)
... ... @@ -94,4 +97,98 @@ class CategoriesTest &lt; ActiveSupport::TestCase
94 97 end
95 98 end
96 99  
  100 + should 'anonymous list categories' do
  101 + anonymous_setup
  102 + category = fast_create(Category, :environment_id => environment.id)
  103 + get "/api/v1/categories/?#{params.to_query}"
  104 + json = JSON.parse(last_response.body)
  105 + assert_includes json["categories"].map { |c| c["name"] }, category.name
  106 + end
  107 +
  108 + should 'anonymous get category by id' do
  109 + anonymous_setup
  110 + category = fast_create(Category, :environment_id => environment.id)
  111 + get "/api/v1/categories/#{category.id}/?#{params.to_query}"
  112 + json = JSON.parse(last_response.body)
  113 + assert_equal category.name, json["category"]["name"]
  114 + end
  115 +
  116 + should 'anonymous list parent and children when get category by id' do
  117 + anonymous_setup
  118 + parent = fast_create(Category, :environment_id => environment.id)
  119 + child_1 = fast_create(Category, :environment_id => environment.id)
  120 + child_2 = fast_create(Category, :environment_id => environment.id)
  121 +
  122 + category = fast_create(Category, :environment_id => environment.id)
  123 + category.parent = parent
  124 + category.children << child_1
  125 + category.children << child_2
  126 + category.save
  127 +
  128 + get "/api/v1/categories/#{category.id}/?#{params.to_query}"
  129 + json = JSON.parse(last_response.body)
  130 + assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
  131 + assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
  132 + end
  133 +
  134 + should 'anonymous include parent in categories list if params is true' do
  135 + anonymous_setup
  136 + parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
  137 + child_1 = fast_create(Category, :environment_id => environment.id)
  138 + child_2 = fast_create(Category, :environment_id => environment.id)
  139 +
  140 + parent_2 = fast_create(Category, :environment_id => environment.id)
  141 + parent_2.parent = parent_1
  142 + parent_2.children << child_1
  143 + parent_2.children << child_2
  144 + parent_2.save
  145 +
  146 + get "/api/v1/categories/?#{params.to_query}"
  147 + json = JSON.parse(last_response.body)
  148 + assert_equal [nil], json['categories'].map { |c| c['parent'] }.uniq
  149 +
  150 + params[:include_parent] = true
  151 + get "/api/v1/categories/?#{params.to_query}"
  152 + json = JSON.parse(last_response.body)
  153 + assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
  154 + json["categories"].map { |c| c['parent'] && c['parent']['id'] }
  155 + end
  156 +
  157 + should 'anonymous include children in categories list if params is true' do
  158 + anonymous_setup
  159 + category = fast_create(Category, :environment_id => environment.id)
  160 + child_1 = fast_create(Category, :environment_id => environment.id)
  161 + child_2 = fast_create(Category, :environment_id => environment.id)
  162 + child_3 = fast_create(Category, :environment_id => environment.id)
  163 +
  164 + category.children << child_1
  165 + category.children << child_2
  166 + category.save
  167 +
  168 + child_1.children << child_3
  169 + child_1.save
  170 +
  171 + get "/api/v1/categories/?#{params.to_query}"
  172 + json = JSON.parse(last_response.body)
  173 + assert_equal [nil], json['categories'].map { |c| c['children'] }.uniq
  174 +
  175 + params[:include_children] = true
  176 + get "/api/v1/categories/?#{params.to_query}"
  177 + json = JSON.parse(last_response.body)
  178 + assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
  179 + json["categories"].map{ |c| c['children'].map{ |child| child['id'] }.sort }
  180 + end
  181 +
  182 + expose_attributes.each do |attr|
  183 + should "anonymous expose category #{attr} attribute by default" do
  184 + anonymous_setup
  185 + category = fast_create(Category, :environment_id => environment.id)
  186 + get "/api/v1/categories/?#{params.to_query}"
  187 + json = JSON.parse(last_response.body)
  188 + assert json["categories"].last.has_key?(attr)
  189 + end
  190 + end
  191 +
  192 +
  193 +
97 194 end
... ...
test/api/comments_test.rb
  Diff comments   View file @55c72be
... ... @@ -3,41 +3,44 @@ require_relative &#39;test_helper&#39;
3 3 class CommentsTest < ActiveSupport::TestCase
4 4  
5 5 def setup
6   - login_api
  6 + @local_person = fast_create(Person)
  7 + anonymous_setup
7 8 end
  9 + attr_reader :local_person
8 10  
9   - should 'not list comments if user has no permission to view the source article' do
10   - person = fast_create(Person)
11   - article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
  11 + should 'logged user not list comments if user has no permission to view the source article' do
  12 + login_api
  13 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
12 14 assert !article.published?
13 15  
14 16 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
15 17 assert_equal 403, last_response.status
16 18 end
17 19  
18   - should 'not return comment if user has no permission to view the source article' do
19   - person = fast_create(Person)
20   - article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
21   - comment = article.comments.create!(:body => "another comment", :author => user.person)
  20 + should 'logged user not return comment if user has no permission to view the source article' do
  21 + login_api
  22 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
  23 + comment = article.comments.create!(:body => "another comment", :author => local_person)
22 24 assert !article.published?
23 25  
24 26 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
25 27 assert_equal 403, last_response.status
26 28 end
27 29  
28   - should 'not comment an article if user has no permission to view it' do
29   - person = fast_create(Person)
30   - article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
  30 + should 'logged user not comment an article if user has no permission to view it' do
  31 + login_api
  32 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
31 33 assert !article.published?
32 34  
33 35 post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
34 36 assert_equal 403, last_response.status
35 37 end
36 38  
37   - should 'return comments of an article' do
38   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
39   - article.comments.create!(:body => "some comment", :author => user.person)
40   - article.comments.create!(:body => "another comment", :author => user.person)
  39 + should 'logged user return comments of an article' do
  40 + login_api
  41 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  42 + article.comments.create!(:body => "some comment", :author => local_person)
  43 + article.comments.create!(:body => "another comment", :author => local_person)
41 44  
42 45 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
43 46 json = JSON.parse(last_response.body)
... ... @@ -45,9 +48,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
45 48 assert_equal 2, json["comments"].length
46 49 end
47 50  
48   - should 'return comment of an article' do
49   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
50   - comment = article.comments.create!(:body => "another comment", :author => user.person)
  51 + should 'logged user return comment of an article' do
  52 + login_api
  53 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  54 + comment = article.comments.create!(:body => "another comment", :author => local_person)
51 55  
52 56 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
53 57 json = JSON.parse(last_response.body)
... ... @@ -55,8 +59,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
55 59 assert_equal comment.id, json['comment']['id']
56 60 end
57 61  
58   - should 'comment an article' do
59   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
  62 + should 'logged user comment an article' do
  63 + login_api
  64 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
60 65 body = 'My comment'
61 66 params.merge!({:body => body})
62 67  
... ... @@ -66,7 +71,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
66 71 assert_equal body, json['comment']['body']
67 72 end
68 73  
69   - should 'not comment an archived article' do
  74 + should 'logged user not comment an archived article' do
  75 + login_api
70 76 article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
71 77 body = 'My comment'
72 78 params.merge!({:body => body})
... ... @@ -75,9 +81,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
75 81 assert_equal 400, last_response.status
76 82 end
77 83  
78   - should 'comment creation define the source' do
  84 + should 'logged user comment creation define the source' do
  85 + login_api
79 86 amount = Comment.count
80   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
  87 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
81 88 body = 'My comment'
82 89 params.merge!({:body => body})
83 90  
... ... @@ -87,29 +94,6 @@ class CommentsTest &lt; ActiveSupport::TestCase
87 94 assert_not_nil comment.source
88 95 end
89 96  
90   - should 'paginate comments' do
91   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
92   - 5.times { article.comments.create!(:body => "some comment", :author => user.person) }
93   - params[:per_page] = 3
94   -
95   - get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
96   - json = JSON.parse(last_response.body)
97   - assert_equal 200, last_response.status
98   - assert_equal 3, json["comments"].length
99   - end
100   -
101   - should 'return only root comments' do
102   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
103   - comment1 = article.comments.create!(:body => "some comment", :author => user.person)
104   - comment2 = article.comments.create!(:body => "another comment", :author => user.person, :reply_of_id => comment1.id)
105   - params[:without_reply] = true
106   -
107   - get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
108   - json = JSON.parse(last_response.body)
109   - assert_equal 200, last_response.status
110   - assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
111   - end
112   -
113 97 should 'call plugin hotspot to filter unavailable comments' do
114 98 class Plugin1 < Noosfero::Plugin
115 99 def unavailable_comments(scope)
... ... @@ -119,7 +103,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
119 103 Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
120 104 Environment.default.enable_plugin(Plugin1)
121 105  
122   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
  106 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
123 107 c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
124 108 c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
125 109  
... ... @@ -128,13 +112,78 @@ class CommentsTest &lt; ActiveSupport::TestCase
128 112 assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
129 113 end
130 114  
131   - should 'do not return comments marked as spam' do
132   - article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
  115 + should 'anonymous do not return comments marked as spam' do
  116 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
133 117 c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
134 118 c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
135   -
136 119 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
137 120 json = JSON.parse(last_response.body)
138 121 assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
139 122 end
  123 +
  124 + should 'not, anonymous list comments if has no permission to view the source article' do
  125 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
  126 + assert !article.published?
  127 +
  128 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  129 + assert_equal 403, last_response.status
  130 + end
  131 +
  132 + should 'anonymous return comments of an article' do
  133 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  134 + article.comments.create!(:body => "some comment", :author => local_person)
  135 + article.comments.create!(:body => "another comment", :author => local_person)
  136 +
  137 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  138 + json = JSON.parse(last_response.body)
  139 + assert_equal 200, last_response.status
  140 + assert_equal 2, json["comments"].length
  141 + end
  142 +
  143 + should 'anonymous return comment of an article' do
  144 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  145 + comment = article.comments.create!(:body => "another comment", :author => local_person)
  146 +
  147 + get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
  148 + json = JSON.parse(last_response.body)
  149 + assert_equal 200, last_response.status
  150 + assert_equal comment.id, json['comment']['id']
  151 + end
  152 +
  153 + should 'not, anonymous comment an article (at least so far...)' do
  154 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  155 + body = 'My comment'
  156 + name = "John Doe"
  157 + email = "JohnDoe@gmail.com"
  158 + params.merge!({:body => body, name: name, email: email})
  159 + post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  160 + json = JSON.parse(last_response.body)
  161 + assert_equal 401, last_response.status
  162 + end
  163 +
  164 + should 'logged user paginate comments' do
  165 + login_api
  166 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  167 + 5.times { article.comments.create!(:body => "some comment", :author => local_person) }
  168 + params[:per_page] = 3
  169 +
  170 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  171 + json = JSON.parse(last_response.body)
  172 + assert_equal 200, last_response.status
  173 + assert_equal 3, json["comments"].length
  174 + end
  175 +
  176 + should 'logged user return only root comments' do
  177 + login_api
  178 + article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  179 + comment1 = article.comments.create!(:body => "some comment", :author => local_person)
  180 + comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
  181 + params[:without_reply] = true
  182 +
  183 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  184 + json = JSON.parse(last_response.body)
  185 + assert_equal 200, last_response.status
  186 + assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
  187 + end
  188 +
140 189 end
... ...
test/api/communities_test.rb
  Diff comments   View file @55c72be
... ... @@ -4,10 +4,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Community.delete_all
7   - login_api
8 7 end
9 8  
10   - should 'list only communities' do
  9 + should 'logged user list only communities' do
  10 + login_api
11 11 community = fast_create(Community, :environment_id => environment.id)
12 12 enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
13 13 get "/api/v1/communities?#{params.to_query}"
... ... @@ -16,7 +16,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
16 16 assert_includes json['communities'].map {|c| c['id']}, community.id
17 17 end
18 18  
19   - should 'list all communities' do
  19 + should 'logged user list all communities' do
  20 + login_api
20 21 community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
21 22 community2 = fast_create(Community, :environment_id => environment.id)
22 23 get "/api/v1/communities?#{params.to_query}"
... ... @@ -24,7 +25,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
24 25 assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
25 26 end
26 27  
27   - should 'not list invisible communities' do
  28 + should 'not, logged user list invisible communities' do
  29 + login_api
28 30 community1 = fast_create(Community, :environment_id => environment.id)
29 31 fast_create(Community, :environment_id => environment.id, :visible => false)
30 32  
... ... @@ -33,16 +35,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
33 35 assert_equal [community1.id], json['communities'].map {|c| c['id']}
34 36 end
35 37  
36   - should 'not list private communities without permission' do
37   - community1 = fast_create(Community, :environment_id => environment.id)
38   - fast_create(Community, :environment_id => environment.id, :public_profile => false)
  38 + should 'logged user list private communities' do
  39 + login_api
  40 + community1 = fast_create(Community, :environment_id => environment.id)
  41 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
39 42  
40   - get "/api/v1/communities?#{params.to_query}"
41   - json = JSON.parse(last_response.body)
42   - assert_equal [community1.id], json['communities'].map {|c| c['id']}
  43 + get "/api/v1/communities?#{params.to_query}"
  44 + json = JSON.parse(last_response.body)
  45 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
43 46 end
44 47  
45   - should 'list private community for members' do
  48 + should 'logged user list private community for members' do
  49 + login_api
46 50 c1 = fast_create(Community, :environment_id => environment.id)
47 51 c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
48 52 c2.add_member(person)
... ... @@ -52,20 +56,23 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
52 56 assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
53 57 end
54 58  
55   - should 'create a community' do
  59 + should 'logged user create a community' do
  60 + login_api
56 61 params[:community] = {:name => 'some'}
57 62 post "/api/v1/communities?#{params.to_query}"
58 63 json = JSON.parse(last_response.body)
59 64 assert_equal 'some', json['community']['name']
60 65 end
61 66  
62   - should 'return 400 status for invalid community creation' do
  67 + should 'logged user return 400 status for invalid community creation' do
  68 + login_api
63 69 post "/api/v1/communities?#{params.to_query}"
64 70 json = JSON.parse(last_response.body)
65 71 assert_equal 400, last_response.status
66 72 end
67 73  
68   - should 'get community' do
  74 + should 'logged user get community' do
  75 + login_api
69 76 community = fast_create(Community, :environment_id => environment.id)
70 77  
71 78 get "/api/v1/communities/#{community.id}?#{params.to_query}"
... ... @@ -73,7 +80,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
73 80 assert_equal community.id, json['community']['id']
74 81 end
75 82  
76   - should 'not get invisible community' do
  83 + should 'not, logged user get invisible community' do
  84 + login_api
77 85 community = fast_create(Community, :environment_id => environment.id, :visible => false)
78 86  
79 87 get "/api/v1/communities/#{community.id}?#{params.to_query}"
... ... @@ -81,7 +89,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
81 89 assert json['community'].blank?
82 90 end
83 91  
84   - should 'not get private communities without permission' do
  92 + should 'not, logged user get private communities without permission' do
  93 + login_api
85 94 community = fast_create(Community, :environment_id => environment.id)
86 95 fast_create(Community, :environment_id => environment.id, :public_profile => false)
87 96  
... ... @@ -90,17 +99,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
90 99 assert_equal community.id, json['community']['id']
91 100 end
92 101  
93   - should 'get private community for members' do
  102 + should 'logged user get private community for members' do
  103 + login_api
94 104 community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
95 105 community.add_member(person)
96 106  
97   -
98 107 get "/api/v1/communities/#{community.id}?#{params.to_query}"
99 108 json = JSON.parse(last_response.body)
100 109 assert_equal community.id, json['community']['id']
101 110 end
102 111  
103   - should 'list person communities' do
  112 + should 'logged user list person communities' do
  113 + login_api
104 114 community = fast_create(Community, :environment_id => environment.id)
105 115 fast_create(Community, :environment_id => environment.id)
106 116 community.add_member(person)
... ... @@ -110,7 +120,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
110 120 assert_equivalent [community.id], json['communities'].map {|c| c['id']}
111 121 end
112 122  
113   - should 'not list person communities invisible' do
  123 + should 'not, logged user list person communities invisible' do
  124 + login_api
114 125 c1 = fast_create(Community, :environment_id => environment.id)
115 126 c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
116 127 c1.add_member(person)
... ... @@ -121,7 +132,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
121 132 assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
122 133 end
123 134  
124   - should 'list communities with pagination' do
  135 + should 'logged user list communities with pagination' do
  136 + login_api
125 137 community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
126 138 community2 = fast_create(Community, :created_at => 2.days.ago)
127 139  
... ... @@ -143,7 +155,118 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
143 155 assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
144 156 end
145 157  
146   - should 'list communities with timestamp' do
  158 + should 'logged user list communities with timestamp' do
  159 + login_api
  160 + community1 = fast_create(Community, :public_profile => true)
  161 + community2 = fast_create(Community)
  162 +
  163 + community1.updated_at = Time.now + 3.hours
  164 + community1.save!
  165 +
  166 + params[:timestamp] = Time.now + 1.hours
  167 + get "/api/v1/communities/?#{params.to_query}"
  168 + json = JSON.parse(last_response.body)
  169 +
  170 + assert_includes json["communities"].map { |a| a["id"] }, community1.id
  171 + assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
  172 + end
  173 +
  174 + should 'anonymous list only communities' do
  175 + anonymous_setup
  176 + community = fast_create(Community, :environment_id => environment.id)
  177 + enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
  178 + get "/api/v1/communities?#{params.to_query}"
  179 + json = JSON.parse(last_response.body)
  180 + assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
  181 + assert_includes json['communities'].map {|c| c['id']}, community.id
  182 + end
  183 +
  184 + should 'anonymous list all communities' do
  185 + anonymous_setup
  186 + community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
  187 + community2 = fast_create(Community, :environment_id => environment.id)
  188 + get "/api/v1/communities?#{params.to_query}"
  189 + json = JSON.parse(last_response.body)
  190 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  191 + end
  192 +
  193 + should 'not, anonymous list invisible communities' do
  194 + anonymous_setup
  195 + community1 = fast_create(Community, :environment_id => environment.id)
  196 + fast_create(Community, :environment_id => environment.id, :visible => false)
  197 +
  198 + get "/api/v1/communities?#{params.to_query}"
  199 + json = JSON.parse(last_response.body)
  200 + assert_equal [community1.id], json['communities'].map {|c| c['id']}
  201 + end
  202 +
  203 + should 'anonymous list private communities' do
  204 + anonymous_setup
  205 + community1 = fast_create(Community, :environment_id => environment.id)
  206 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  207 +
  208 + get "/api/v1/communities?#{params.to_query}"
  209 + json = JSON.parse(last_response.body)
  210 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  211 + end
  212 +
  213 + should 'not, anonymous create a community' do
  214 + anonymous_setup
  215 + params[:community] = {:name => 'some'}
  216 + post "/api/v1/communities?#{params.to_query}"
  217 + json = JSON.parse(last_response.body)
  218 + assert_equal 401, last_response.status
  219 + end
  220 +
  221 + should 'anonymous get community' do
  222 + anonymous_setup
  223 + community = fast_create(Community, :environment_id => environment.id)
  224 + get "/api/v1/communities/#{community.id}"
  225 + json = JSON.parse(last_response.body)
  226 + assert_equal community.id, json['community']['id']
  227 + end
  228 +
  229 + should 'not, anonymous get invisible community' do
  230 + anonymous_setup
  231 + community = fast_create(Community, :environment_id => environment.id, :visible => false)
  232 + get "/api/v1/communities/#{community.id}"
  233 + json = JSON.parse(last_response.body)
  234 + assert json['community'].blank?
  235 + end
  236 +
  237 + should 'not, anonymous get private communities' do
  238 + anonymous_setup
  239 + community = fast_create(Community, :environment_id => environment.id)
  240 + fast_create(Community, :environment_id => environment.id, :public_profile => false)
  241 + get "/api/v1/communities/#{community.id}"
  242 + json = JSON.parse(last_response.body)
  243 + assert_equal community.id, json['community']['id']
  244 + end
  245 +
  246 + should 'anonymous list communities with pagination' do
  247 + anonymous_setup
  248 + community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
  249 + community2 = fast_create(Community, :created_at => 2.days.ago)
  250 +
  251 + params[:page] = 2
  252 + params[:per_page] = 1
  253 + get "/api/v1/communities?#{params.to_query}"
  254 + json_page_two = JSON.parse(last_response.body)
  255 +
  256 + params[:page] = 1
  257 + params[:per_page] = 1
  258 + get "/api/v1/communities?#{params.to_query}"
  259 + json_page_one = JSON.parse(last_response.body)
  260 +
  261 + assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
  262 + assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
  263 +
  264 + assert_includes json_page_two["communities"].map { |a| a["id"] }, community2.id
  265 + assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
  266 + end
  267 +
  268 + should 'anonymous list communities with timestamp' do
  269 + anonymous_setup
147 270 community1 = fast_create(Community, :public_profile => true)
148 271 community2 = fast_create(Community)
149 272  
... ... @@ -157,4 +280,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
157 280 assert_includes json["communities"].map { |a| a["id"] }, community1.id
158 281 assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
159 282 end
  283 +
  284 + should 'display public custom fields to anonymous' do
  285 + anonymous_setup
  286 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
  287 + some_community = fast_create(Community)
  288 + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
  289 + some_community.save!
  290 +
  291 + get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
  292 + json = JSON.parse(last_response.body)
  293 + assert json['community']['additional_data'].has_key?('Rating')
  294 + assert_equal "Five stars", json['community']['additional_data']['Rating']
  295 + end
  296 +
  297 + should 'not display private custom fields to anonymous' do
  298 + anonymous_setup
  299 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
  300 + some_community = fast_create(Community)
  301 + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
  302 + some_community.save!
  303 +
  304 + get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
  305 + json = JSON.parse(last_response.body)
  306 + refute json['community']['additional_data'].has_key?('Rating')
  307 + end
  308 +
  309 +
160 310 end
... ...
test/api/enterprises_test.rb
  Diff comments   View file @55c72be
... ... @@ -4,10 +4,20 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Enterprise.delete_all
  7 + end
  8 +
  9 + should 'logger user list only enterprises' do
7 10 login_api
  11 + community = fast_create(Community, :environment_id => environment.id) # should not list this community
  12 + enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
  13 + get "/api/v1/enterprises?#{params.to_query}"
  14 + json = JSON.parse(last_response.body)
  15 + assert_includes json['enterprises'].map {|c| c['id']}, enterprise.id
  16 + assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
8 17 end
9 18  
10   - should 'list only enterprises' do
  19 + should 'anonymous list only enterprises' do
  20 + anonymous_setup
11 21 community = fast_create(Community, :environment_id => environment.id) # should not list this community
12 22 enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
13 23 get "/api/v1/enterprises?#{params.to_query}"
... ... @@ -16,7 +26,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
16 26 assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
17 27 end
18 28  
19   - should 'list all enterprises' do
  29 + should 'anonymous list all enterprises' do
  30 + anonymous_setup
  31 + enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
  32 + enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
  33 + get "/api/v1/enterprises?#{params.to_query}"
  34 + json = JSON.parse(last_response.body)
  35 + assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
  36 + end
  37 +
  38 + should 'logger user list all enterprises' do
  39 + login_api
20 40 enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
21 41 enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
22 42 get "/api/v1/enterprises?#{params.to_query}"
... ... @@ -25,6 +45,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
25 45 end
26 46  
27 47 should 'not list invisible enterprises' do
  48 + login_api
28 49 enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
29 50 fast_create(Enterprise, :visible => false)
30 51  
... ... @@ -33,16 +54,48 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
33 54 assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
34 55 end
35 56  
36   - should 'not list private enterprises without permission' do
  57 + should 'not, anonymous list invisible enterprises' do
  58 + anonymous_setup
37 59 enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
38   - fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  60 + fast_create(Enterprise, :visible => false)
  61 +
  62 + get "/api/v1/enterprises?#{params.to_query}"
  63 + json = JSON.parse(last_response.body)
  64 + assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
  65 + end
  66 +
  67 + should 'not, logger user list invisible enterprises' do
  68 + login_api
  69 + enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
  70 + fast_create(Enterprise, :visible => false)
39 71  
40 72 get "/api/v1/enterprises?#{params.to_query}"
41 73 json = JSON.parse(last_response.body)
42 74 assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
43 75 end
44 76  
45   - should 'list private enterprise for members' do
  77 + should 'anonymous list private enterprises' do
  78 + anonymous_setup
  79 + enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
  80 + enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  81 +
  82 + get "/api/v1/enterprises?#{params.to_query}"
  83 + json = JSON.parse(last_response.body)
  84 + assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
  85 + end
  86 +
  87 + should 'logged user list private enterprises' do
  88 + login_api
  89 + enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
  90 + enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  91 +
  92 + get "/api/v1/enterprises?#{params.to_query}"
  93 + json = JSON.parse(last_response.body)
  94 + assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
  95 + end
  96 +
  97 + should 'logged user list private enterprise for members' do
  98 + login_api
46 99 c1 = fast_create(Enterprise, :environment_id => environment.id)
47 100 c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
48 101 c2.add_member(person)
... ... @@ -52,7 +105,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
52 105 assert_equivalent [c1.id, c2.id], json['enterprises'].map {|c| c['id']}
53 106 end
54 107  
55   - should 'get enterprise' do
  108 + should 'anonymous get enterprise' do
  109 + anonymous_setup
  110 + enterprise = fast_create(Enterprise, :environment_id => environment.id)
  111 +
  112 + get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
  113 + json = JSON.parse(last_response.body)
  114 + assert_equal enterprise.id, json['enterprise']['id']
  115 + end
  116 +
  117 + should 'logged user get enterprise' do
  118 + login_api
56 119 enterprise = fast_create(Enterprise, :environment_id => environment.id)
57 120  
58 121 get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
... ... @@ -60,7 +123,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
60 123 assert_equal enterprise.id, json['enterprise']['id']
61 124 end
62 125  
63   - should 'not get invisible enterprise' do
  126 + should 'not, logger user get invisible enterprise' do
  127 + login_api
  128 + enterprise = fast_create(Enterprise, :visible => false)
  129 +
  130 + get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
  131 + json = JSON.parse(last_response.body)
  132 + assert json['enterprise'].blank?
  133 + end
  134 +
  135 + should 'not, anonymous get invisible enterprise' do
  136 + anonymous_setup
64 137 enterprise = fast_create(Enterprise, :visible => false)
65 138  
66 139 get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
... ... @@ -69,6 +142,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
69 142 end
70 143  
71 144 should 'not get private enterprises without permission' do
  145 + login_api
  146 + enterprise = fast_create(Enterprise, :environment_id => environment.id)
  147 + fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  148 +
  149 + get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
  150 + json = JSON.parse(last_response.body)
  151 + assert_equal enterprise.id, json['enterprise']['id']
  152 + end
  153 +
  154 + should 'not, anonymous get private enterprises' do
  155 + anonymous_setup
72 156 enterprise = fast_create(Enterprise, :environment_id => environment.id)
73 157 fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
74 158  
... ... @@ -78,6 +162,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
78 162 end
79 163  
80 164 should 'get private enterprise for members' do
  165 + login_api
81 166 enterprise = fast_create(Enterprise, :public_profile => false)
82 167 enterprise.add_member(person)
83 168  
... ... @@ -87,6 +172,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
87 172 end
88 173  
89 174 should 'list person enterprises' do
  175 + login_api
90 176 enterprise = fast_create(Enterprise, :environment_id => environment.id)
91 177 fast_create(Enterprise, :environment_id => environment.id)
92 178 enterprise.add_member(person)
... ... @@ -97,6 +183,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
97 183 end
98 184  
99 185 should 'not list person enterprises invisible' do
  186 + login_api
100 187 c1 = fast_create(Enterprise, :environment_id => environment.id)
101 188 c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
102 189 c1.add_member(person)
... ... @@ -107,4 +194,29 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
107 194 assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
108 195 end
109 196  
  197 + should 'display public custom fields to anonymous' do
  198 + anonymous_setup
  199 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
  200 + some_enterprise = fast_create(Enterprise)
  201 + some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
  202 + some_enterprise.save!
  203 +
  204 + get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
  205 + json = JSON.parse(last_response.body)
  206 + assert json['enterprise']['additional_data'].has_key?('Rating')
  207 + assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
  208 + end
  209 +
  210 + should 'not display public custom fields to anonymous' do
  211 + anonymous_setup
  212 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
  213 + some_enterprise = fast_create(Enterprise)
  214 + some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
  215 + some_enterprise.save!
  216 +
  217 + get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
  218 + json = JSON.parse(last_response.body)
  219 + refute json['enterprise']['additional_data'].has_key?('Rating')
  220 + end
  221 +
110 222 end
... ...
test/api/people_test.rb
  Diff comments   View file @55c72be
... ... @@ -4,10 +4,10 @@ class PeopleTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Person.delete_all
7   - login_api
8 7 end
9 8  
10   - should 'list all people' do
  9 + should 'logged user list all people' do
  10 + login_api
11 11 person1 = fast_create(Person, :public_profile => true)
12 12 person2 = fast_create(Person)
13 13 get "/api/v1/people?#{params.to_query}"
... ... @@ -15,7 +15,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
15 15 assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
16 16 end
17 17  
18   - should 'list all members of a community' do
  18 + should 'anonymous list all people' do
  19 + anonymous_setup
  20 + person1 = fast_create(Person, :public_profile => true)
  21 + person2 = fast_create(Person)
  22 + get "/api/v1/people?#{params.to_query}"
  23 + json = JSON.parse(last_response.body)
  24 + assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
  25 + end
  26 +
  27 + should 'logged user list all members of a community' do
  28 + login_api
  29 + person1 = fast_create(Person)
  30 + person2 = fast_create(Person)
  31 + community = fast_create(Community)
  32 + community.add_member(person1)
  33 + community.add_member(person2)
  34 +
  35 + get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
  36 + json = JSON.parse(last_response.body)
  37 + assert_equal 2, json["people"].count
  38 + assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
  39 + end
  40 +
  41 + should 'anonymous list all members of a community' do
  42 + anonymous_setup
19 43 person1 = fast_create(Person)
20 44 person2 = fast_create(Person)
21 45 community = fast_create(Community)
... ... @@ -28,21 +52,40 @@ class PeopleTest &lt; ActiveSupport::TestCase
28 52 assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
29 53 end
30 54  
31   - should 'not list invisible people' do
  55 + should 'logged user not list invisible people' do
  56 + login_api
  57 + invisible_person = fast_create(Person, :visible => false)
  58 +
  59 + get "/api/v1/people?#{params.to_query}"
  60 + assert_not_includes json_response_ids(:people), invisible_person.id
  61 + end
  62 +
  63 + should 'annoymous not list invisible people' do
  64 + anonymous_setup
32 65 invisible_person = fast_create(Person, :visible => false)
33 66  
34 67 get "/api/v1/people?#{params.to_query}"
35 68 assert_not_includes json_response_ids(:people), invisible_person.id
36 69 end
37 70  
38   - should 'not list private people without permission' do
  71 + should 'logged user list private people' do
  72 + login_api
39 73 private_person = fast_create(Person, :public_profile => false)
40 74  
41 75 get "/api/v1/people?#{params.to_query}"
42   - assert_not_includes json_response_ids(:people), private_person.id
  76 + assert_includes json_response_ids(:people), private_person.id
43 77 end
44 78  
45   - should 'list private person for friends' do
  79 + should 'anonymous list private people' do
  80 + anonymous_setup
  81 + private_person = fast_create(Person, :public_profile => false)
  82 +
  83 + get "/api/v1/people?#{params.to_query}"
  84 + assert_includes json_response_ids(:people), private_person.id
  85 + end
  86 +
  87 + should 'logged user list private person for friends' do
  88 + login_api
46 89 p1 = fast_create(Person)
47 90 p2 = fast_create(Person, :public_profile => false)
48 91 person.add_friend(p2)
... ... @@ -52,7 +95,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
52 95 assert_includes json_response_ids(:people), p2.id
53 96 end
54 97  
55   - should 'get person' do
  98 + should 'logged user get person' do
  99 + login_api
56 100 some_person = fast_create(Person)
57 101  
58 102 get "/api/v1/people/#{some_person.id}?#{params.to_query}"
... ... @@ -60,14 +104,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
60 104 assert_equal some_person.id, json['person']['id']
61 105 end
62 106  
63   - should 'people endpoint filter by fields parameter' do
  107 + should 'anonymous get person' do
  108 + anonymous_setup
  109 + some_person = fast_create(Person)
  110 +
  111 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  112 + json = JSON.parse(last_response.body)
  113 + assert_equal some_person.id, json['person']['id']
  114 + end
  115 +
  116 +
  117 + should 'people endpoint filter by fields parameter for logged user' do
  118 + login_api
64 119 get "/api/v1/people?#{params.to_query}&fields=name"
65 120 json = JSON.parse(last_response.body)
66 121 expected = {'people' => [{'name' => person.name}]}
67 122 assert_equal expected, json
68 123 end
69 124  
70   - should 'people endpoint filter by fields parameter with hierarchy' do
  125 + should 'people endpoint filter by fields parameter with hierarchy for logged user' do
  126 + login_api
71 127 fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
72 128 get "/api/v1/people?#{params.to_query}&fields=#{fields}"
73 129 json = JSON.parse(last_response.body)
... ... @@ -76,19 +132,22 @@ class PeopleTest &lt; ActiveSupport::TestCase
76 132 end
77 133  
78 134 should 'get logged person' do
  135 + login_api
79 136 get "/api/v1/people/me?#{params.to_query}"
80 137 json = JSON.parse(last_response.body)
81 138 assert_equal person.id, json['person']['id']
82 139 end
83 140  
84   - should 'me endpoint filter by fields parameter' do
  141 + should 'access me endpoint filter by fields parameter' do
  142 + login_api
85 143 get "/api/v1/people/me?#{params.to_query}&fields=name"
86 144 json = JSON.parse(last_response.body)
87 145 expected = {'person' => {'name' => person.name}}
88 146 assert_equal expected, json
89 147 end
90 148  
91   - should 'not get invisible person' do
  149 + should 'logged user not get invisible person' do
  150 + login_api
92 151 person = fast_create(Person, :visible => false)
93 152  
94 153 get "/api/v1/people/#{person.id}?#{params.to_query}"
... ... @@ -96,15 +155,35 @@ class PeopleTest &lt; ActiveSupport::TestCase
96 155 assert json['person'].blank?
97 156 end
98 157  
99   - should 'not get private people without permission' do
  158 + should 'anonymous not get invisible person' do
  159 + anonymous_setup
  160 + person = fast_create(Person, :visible => false)
  161 +
  162 + get "/api/v1/people/#{person.id}?#{params.to_query}"
  163 + json = JSON.parse(last_response.body)
  164 + assert json['person'].blank?
  165 + end
  166 +
  167 + should 'get private people' do
  168 + login_api
100 169 private_person = fast_create(Person, :public_profile => false)
101 170  
102 171 get "/api/v1/people/#{private_person.id}?#{params.to_query}"
103 172 json = JSON.parse(last_response.body)
104   - assert json['person'].blank?
  173 + assert_equal json['person']['id'], private_person.id
  174 + end
  175 +
  176 + should 'anonymous get private people' do
  177 + anonymous_setup
  178 + private_person = fast_create(Person, :public_profile => false)
  179 +
  180 + get "/api/v1/people/#{private_person.id}?#{params.to_query}"
  181 + json = JSON.parse(last_response.body)
  182 + assert_equal json['person']['id'], private_person.id
105 183 end
106 184  
107 185 should 'get private person for friends' do
  186 + login_api
108 187 private_person = fast_create(Person, :public_profile => false)
109 188 person.add_friend(private_person)
110 189 private_person.add_friend(person)
... ... @@ -115,15 +194,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
115 194 end
116 195  
117 196 should 'list person friends' do
  197 + login_api
118 198 friend = fast_create(Person)
119 199 person.add_friend(friend)
120 200 friend.add_friend(person)
  201 + get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
  202 + assert_includes json_response_ids(:people), person.id
  203 + end
121 204  
  205 + should 'anonymous list person friends' do
  206 + anonymous_setup
  207 + person = fast_create(Person)
  208 + friend = fast_create(Person)
  209 + person.add_friend(friend)
  210 + friend.add_friend(person)
122 211 get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
123 212 assert_includes json_response_ids(:people), person.id
124 213 end
125 214  
126 215 should 'not list person invisible friends' do
  216 + login_api
127 217 friend = fast_create(Person)
128 218 invisible_friend = fast_create(Person, :visible => false)
129 219 person.add_friend(friend)
... ... @@ -138,6 +228,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
138 228 end
139 229  
140 230 should 'create a person' do
  231 + login_api
141 232 login = 'some'
142 233 params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
143 234 post "/api/v1/people?#{params.to_query}"
... ... @@ -146,6 +237,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
146 237 end
147 238  
148 239 should 'return 400 status for invalid person creation' do
  240 + login_api
149 241 params[:person] = {:login => 'some'}
150 242 post "/api/v1/people?#{params.to_query}"
151 243 json = JSON.parse(last_response.body)
... ... @@ -153,6 +245,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
153 245 end
154 246  
155 247 should 'display permissions' do
  248 + login_api
156 249 community = fast_create(Community)
157 250 community.add_member(fast_create(Person))
158 251 community.add_member(person)
... ... @@ -164,11 +257,13 @@ class PeopleTest &lt; ActiveSupport::TestCase
164 257 end
165 258  
166 259 should 'display permissions if self' do
  260 + login_api
167 261 get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
168 262 assert_equal 200, last_response.status
169 263 end
170 264  
171 265 should 'display permissions if admin' do
  266 + login_api
172 267 environment = person.environment
173 268 environment.add_admin(person)
174 269 some_person = fast_create(Person)
... ... @@ -178,6 +273,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
178 273 end
179 274  
180 275 should 'not display permissions if not admin or self' do
  276 + login_api
181 277 some_person = create_user('some-person').person
182 278  
183 279 get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
... ... @@ -185,12 +281,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
185 281 end
186 282  
187 283 should 'not update another person' do
  284 + login_api
188 285 person = fast_create(Person, :environment_id => environment.id)
189 286 post "/api/v1/people/#{person.id}?#{params.to_query}"
190 287 assert_equal 403, last_response.status
191 288 end
192 289  
193 290 should 'update yourself' do
  291 + login_api
194 292 another_name = 'Another Name'
195 293 params[:person] = {}
196 294 params[:person][:name] = another_name
... ... @@ -200,7 +298,33 @@ class PeopleTest &lt; ActiveSupport::TestCase
200 298 assert_equal another_name, person.name
201 299 end
202 300  
203   - should 'display public custom fields' do
  301 + should 'logged user display public custom fields' do
  302 + login_api
  303 + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
  304 + some_person = create_user('some-person').person
  305 + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
  306 + some_person.save!
  307 +
  308 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  309 + json = JSON.parse(last_response.body)
  310 + assert json['person']['additional_data'].has_key?('Custom Blog')
  311 + assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
  312 + end
  313 +
  314 + should 'logged user not display non-public custom fields' do
  315 + login_api
  316 + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
  317 + some_person = create_user('some-person').person
  318 + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
  319 + some_person.save!
  320 +
  321 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  322 + json = JSON.parse(last_response.body)
  323 + assert_equal json['person']['additional_data'], {}
  324 + end
  325 +
  326 + should 'display public custom fields to anonymous' do
  327 + anonymous_setup
204 328 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
205 329 some_person = create_user('some-person').person
206 330 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
... ... @@ -212,7 +336,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
212 336 assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
213 337 end
214 338  
215   - should 'not display non-public custom fields' do
  339 + should 'not display non-public custom fields to anonymous' do
  340 + anonymous_setup
216 341 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
217 342 some_person = create_user('some-person').person
218 343 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
... ... @@ -223,7 +348,19 @@ class PeopleTest &lt; ActiveSupport::TestCase
223 348 assert_equal json['person']['additional_data'], {}
224 349 end
225 350  
  351 + should 'hide private fields to anonymous' do
  352 + anonymous_setup
  353 + target_person = create_user('some-user').person
  354 + target_person.save!
  355 +
  356 + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
  357 + json = JSON.parse(last_response.body)
  358 + refute json["user"].has_key?("permissions")
  359 + refute json["user"].has_key?("activated")
  360 + end
  361 +
226 362 should 'display non-public custom fields to friend' do
  363 + login_api
227 364 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
228 365 some_person = create_user('some-person').person
229 366 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
... ... @@ -244,12 +381,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
244 381  
245 382 PERSON_ATTRIBUTES.map do |attribute|
246 383 define_method "test_should_not_expose_#{attribute}_attribute_in_person_enpoint_if_field_parameter_does_not_contain_the_attribute" do
  384 + login_api
247 385 get "/api/v1/people/me?#{params.to_query}&fields=name"
248 386 json = JSON.parse(last_response.body)
249 387 assert_nil json['person'][attribute]
250 388 end
251 389  
252 390 define_method "test_should_expose_#{attribute}_attribute_in_person_enpoints_if_field_parameter_is_passed" do
  391 + login_api
253 392 get "/api/v1/people/me?#{params.to_query}&fields=#{attribute}"
254 393 json = JSON.parse(last_response.body)
255 394 assert_not_nil json['person'][attribute]
... ...
test/api/profiles_test.rb
  Diff comments   View file @55c72be
... ... @@ -4,10 +4,10 @@ class ProfilesTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Profile.delete_all
7   - login_api
8 7 end
9 8  
10   - should 'list all profiles' do
  9 + should 'logged user list all profiles' do
  10 + login_api
11 11 person1 = fast_create(Person)
12 12 person2 = fast_create(Person)
13 13 community = fast_create(Community)
... ... @@ -16,14 +16,16 @@ class ProfilesTest &lt; ActiveSupport::TestCase
16 16 assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
17 17 end
18 18  
19   - should 'get person from profile id' do
  19 + should 'logged user get person from profile id' do
  20 + login_api
20 21 some_person = fast_create(Person)
21 22 get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"
22 23 json = JSON.parse(last_response.body)
23 24 assert_equal some_person.id, json['id']
24 25 end
25 26  
26   - should 'get community from profile id' do
  27 + should 'logged user get community from profile id' do
  28 + login_api
27 29 community = fast_create(Community)
28 30 get "/api/v1/profiles/#{community.id}?#{params.to_query}"
29 31 json = JSON.parse(last_response.body)
... ... @@ -33,6 +35,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
33 35 group_kinds = %w(community enterprise)
34 36 group_kinds.each do |kind|
35 37 should "delete #{kind} from profile id with permission" do
  38 + login_api
36 39 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
37 40 give_permission(@person, 'destroy_profile', profile)
38 41 assert_not_nil Profile.find_by_id profile.id
... ... @@ -44,6 +47,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
44 47 end
45 48  
46 49 should "not delete #{kind} from profile id without permission" do
  50 + login_api
47 51 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
48 52 assert_not_nil Profile.find_by_id profile.id
49 53  
... ... @@ -55,12 +59,14 @@ class ProfilesTest &lt; ActiveSupport::TestCase
55 59 end
56 60  
57 61 should 'person delete itself' do
  62 + login_api
58 63 delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
59 64 assert_equal 200, last_response.status
60 65 assert_nil Profile.find_by_id @person.id
61 66 end
62 67  
63 68 should 'only admin delete other people' do
  69 + login_api
64 70 profile = fast_create(Person, :environment_id => environment.id)
65 71 assert_not_nil Profile.find_by_id profile.id
66 72  
... ... @@ -77,4 +83,62 @@ class ProfilesTest &lt; ActiveSupport::TestCase
77 83 assert_nil Profile.find_by_id profile.id
78 84  
79 85 end
  86 +
  87 + should 'anonymous user access delete action' do
  88 + anonymous_setup
  89 + profile = fast_create(Person, :environment_id => environment.id)
  90 +
  91 + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
  92 + assert_equal 401, last_response.status
  93 + assert_not_nil Profile.find_by_id profile.id
  94 + end
  95 +
  96 + should 'anonymous list all profiles' do
  97 + person1 = fast_create(Person)
  98 + person2 = fast_create(Person)
  99 + community = fast_create(Community)
  100 + get "/api/v1/profiles"
  101 + json = JSON.parse(last_response.body)
  102 + assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
  103 + end
  104 +
  105 + should 'anonymous get person from profile id' do
  106 + some_person = fast_create(Person)
  107 + get "/api/v1/profiles/#{some_person.id}"
  108 + json = JSON.parse(last_response.body)
  109 + assert_equal some_person.id, json['id']
  110 + end
  111 +
  112 + should 'anonymous get community from profile id' do
  113 + community = fast_create(Community)
  114 + get "/api/v1/profiles/#{community.id}"
  115 + json = JSON.parse(last_response.body)
  116 + assert_equal community.id, json['id']
  117 + end
  118 +
  119 + should 'display public custom fields to anonymous' do
  120 + anonymous_setup
  121 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
  122 + some_profile = fast_create(Profile)
  123 + some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
  124 + some_profile.save!
  125 +
  126 + get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
  127 + json = JSON.parse(last_response.body)
  128 + assert json['additional_data'].has_key?('Rating')
  129 + assert_equal "Five stars", json['additional_data']['Rating']
  130 + end
  131 +
  132 + should 'not display private custom fields to anonymous' do
  133 + anonymous_setup
  134 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
  135 + some_profile = fast_create(Profile)
  136 + some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
  137 + some_profile.save!
  138 +
  139 + get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
  140 + json = JSON.parse(last_response.body)
  141 + refute json.has_key?('Rating')
  142 + end
  143 +
80 144 end
... ...
test/api/test_helper.rb
  Diff comments   View file @55c72be
... ... @@ -24,6 +24,12 @@ class ActiveSupport::TestCase
24 24  
25 25 @params = {:private_token => @private_token}
26 26 end
  27 +
  28 + def anonymous_setup
  29 + @environment = Environment.default
  30 + @params = {}
  31 + end
  32 +
27 33 attr_accessor :private_token, :user, :person, :params, :environment
28 34  
29 35 private
... ...
test/api/users_test.rb
  Diff comments   View file @55c72be
... ... @@ -3,23 +3,22 @@ require_relative &#39;test_helper&#39;
3 3  
4 4 class UsersTest < ActiveSupport::TestCase
5 5  
6   - def setup
  6 + should 'logger user list users' do
7 7 login_api
8   - end
9   -
10   - should 'list users' do
11 8 get "/api/v1/users/?#{params.to_query}"
12 9 json = JSON.parse(last_response.body)
13 10 assert_includes json["users"].map { |a| a["login"] }, user.login
14 11 end
15 12  
16   - should 'get user' do
  13 + should 'logger user get user info' do
  14 + login_api
17 15 get "/api/v1/users/#{user.id}?#{params.to_query}"
18 16 json = JSON.parse(last_response.body)
19 17 assert_equal user.id, json['user']['id']
20 18 end
21 19  
22   - should 'list user permissions' do
  20 + should 'logger user list user permissions' do
  21 + login_api
23 22 community = fast_create(Community)
24 23 community.add_admin(person)
25 24 get "/api/v1/users/#{user.id}/?#{params.to_query}"
... ... @@ -28,25 +27,29 @@ class UsersTest &lt; ActiveSupport::TestCase
28 27 end
29 28  
30 29 should 'get logged user' do
  30 + login_api
31 31 get "/api/v1/users/me?#{params.to_query}"
32 32 json = JSON.parse(last_response.body)
33 33 assert_equal user.id, json['user']['id']
34 34 end
35 35  
36 36 should 'not show permissions to logged user' do
  37 + login_api
37 38 target_person = create_user('some-user').person
38 39 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
39 40 json = JSON.parse(last_response.body)
40 41 refute json["user"].has_key?("permissions")
41 42 end
42 43  
43   - should 'show permissions to self' do
  44 + should 'logger user show permissions to self' do
  45 + login_api
44 46 get "/api/v1/users/#{user.id}/?#{params.to_query}"
45 47 json = JSON.parse(last_response.body)
46 48 assert json["user"].has_key?("permissions")
47 49 end
48 50  
49 51 should 'not show permissions to friend' do
  52 + login_api
50 53 target_person = create_user('some-user').person
51 54  
52 55 f = Friendship.new
... ... @@ -60,6 +63,7 @@ class UsersTest &lt; ActiveSupport::TestCase
60 63 end
61 64  
62 65 should 'not show private attribute to logged user' do
  66 + login_api
63 67 target_person = create_user('some-user').person
64 68 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
65 69 json = JSON.parse(last_response.body)
... ... @@ -67,6 +71,7 @@ class UsersTest &lt; ActiveSupport::TestCase
67 71 end
68 72  
69 73 should 'show private attr to friend' do
  74 + login_api
70 75 target_person = create_user('some-user').person
71 76 f = Friendship.new
72 77 f.friend = target_person
... ... @@ -79,6 +84,7 @@ class UsersTest &lt; ActiveSupport::TestCase
79 84 end
80 85  
81 86 should 'show public attribute to logged user' do
  87 + login_api
82 88 target_person = create_user('some-user').person
83 89 target_person.fields_privacy={:email=> 'public'}
84 90 target_person.save!
... ... @@ -89,6 +95,7 @@ class UsersTest &lt; ActiveSupport::TestCase
89 95 end
90 96  
91 97 should 'show public and private field to admin' do
  98 + login_api
92 99 Environment.default.add_admin(person)
93 100  
94 101 target_person = create_user('some-user').person
... ... @@ -102,4 +109,26 @@ class UsersTest &lt; ActiveSupport::TestCase
102 109 assert json["user"].has_key?("activated")
103 110 end
104 111  
  112 + should 'show public fields to anonymous' do
  113 + anonymous_setup
  114 + target_person = create_user('some-user').person
  115 + target_person.fields_privacy={:email=> 'public'}
  116 + target_person.save!
  117 +
  118 + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
  119 + json = JSON.parse(last_response.body)
  120 + assert json["user"].has_key?("email")
  121 + end
  122 +
  123 + should 'hide private fields to anonymous' do
  124 + anonymous_setup
  125 + target_person = create_user('some-user').person
  126 + target_person.save!
  127 +
  128 + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
  129 + json = JSON.parse(last_response.body)
  130 + refute json["user"].has_key?("permissions")
  131 + refute json["user"].has_key?("activated")
  132 + end
  133 +
105 134 end
... ...
test/unit/organization_test.rb
  Diff comments   View file @55c72be
... ... @@ -437,7 +437,7 @@ class OrganizationTest &lt; ActiveSupport::TestCase
437 437 c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')
438 438 admin = create_user('adminuser').person
439 439 c.add_admin(admin)
440   -
  440 +
441 441 assert c.is_admin?(admin)
442 442 end
443 443  
... ... @@ -513,4 +513,18 @@ class OrganizationTest &lt; ActiveSupport::TestCase
513 513 assert_includes env_admin_orgs, o7
514 514 end
515 515  
  516 + should 'fetch organizations there are visible for a visitor' do
  517 + visitor = nil
  518 + Organization.destroy_all
  519 + o1 = fast_create(Organization, :public_profile => true , :visible => true )
  520 + o2 = fast_create(Organization, :public_profile => false, :visible => true )
  521 + o3 = fast_create(Organization, :public_profile => true , :visible => false)
  522 + o4 = fast_create(Organization, :public_profile => false, :visible => false)
  523 + person_orgs = Organization.visible_for_person(visitor)
  524 + assert_includes person_orgs, o1
  525 + assert_not_includes person_orgs, o2
  526 + assert_not_includes person_orgs, o3
  527 + assert_not_includes person_orgs, o4
  528 + end
  529 +
516 530 end
... ...
test/unit/person_test.rb
  Diff comments   View file @55c72be
... ... @@ -1951,4 +1951,17 @@ class PersonTest &lt; ActiveSupport::TestCase
1951 1951 person.save!
1952 1952 end
1953 1953  
  1954 + should 'fetch people there are visible for a visitor' do
  1955 + person = nil
  1956 + p1 = fast_create(Person, :public_profile => true , :visible => true)
  1957 + p2 = fast_create(Person, :public_profile => false, :visible => true)
  1958 + p3 = fast_create(Person, :public_profile => true , :visible => false)
  1959 + p4 = fast_create(Person, :public_profile => false, :visible => false)
  1960 + people_visible_by_visitor = Person.visible_for_person(person)
  1961 + assert_includes people_visible_by_visitor, p1
  1962 + assert_not_includes people_visible_by_visitor, p2
  1963 + assert_not_includes people_visible_by_visitor, p3
  1964 + assert_not_includes people_visible_by_visitor, p4
  1965 + end
  1966 +
1954 1967 end
... ...