Commit 55c72be93e86011d7b78bc70dec6c0c75bbe83b6

Authored by Leandro Santos
2 parents 1ebe6924 f306fc96

Merge branch 'api_visitor' into 'master'

Some API methods unlocked for visitor

Enable visitor to browse some of the API methods


See merge request !863
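--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -17,6 +17,8 @@ class Organization < Profile
 # 4) The user is not a member of the organization but the organization is
 # visible, public and enabled.
 def self.visible_for_person(person)
+# Visitor if person.nil?
+person_id = person.nil? ? nil : person.id
 joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
 AND "role_assignments"."resource_type" = \'Profile\') OR (
 "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -28,8 +30,8 @@ class Organization < Profile
 ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
 ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
 ( profiles.visible = ? ) )',
-'profile_admin', 'environment_administrator', Profile.name, person.id,
-Profile.name, person.id, true, true, true]
+'profile_admin', 'environment_administrator', Profile.name, person_id,
+Profile.name, person_id, true, true, true]
 ).uniq
 end
 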
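Review bot: The two added lines make the scope safe for a nil person but do not say why a NULL bind is correct, and the method's numbered comment (cases 1-4, whose start is outside the hunk) does not describe the visitor case. Binding `person_id = nil` turns `role_assignments.accessor_id = ?` into a comparison with NULL, which never matches, so a visitor falls through to the `public_profile AND enabled AND visible` branch; I would replace the terse `# Visitor if person.nil?` with `# person is nil for a visitor; the NULL bind never matches accessor_id, so only public, enabled, visible organizations remain` and add that case to the list above. The identical lines in app/models/person.rb have the same gap, where a NULL `friendships.person_id` bind leaves only public, visible people. `person&.id` would be the idiomatic form if the project's Ruby supports safe navigation.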
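--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -42,6 +42,8 @@ class Person < Profile
 }
 
 scope :visible_for_person, lambda { |person|
+# Visitor if person.nil?
+person_id = person.nil? ? nil : person.id
 joins('LEFT JOIN "role_assignments" ON
 "role_assignments"."resource_id" = "profiles"."environment_id" AND
 "role_assignments"."resource_type" = \'Environment\'')
@@ -49,9 +51,10 @@ class Person < Profile
 .joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
 .where(
 ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
-( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )', 'environment_administrator', Profile.name, person.id, person.id, true, true]
+( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
+'environment_administrator', Profile.name, person_id, person_id, true, true]
 ).uniq
-}
+}
 
 def has_permission_with_admin?(permission, resource)
 return true if resource.blank? || resource.admins.include?(self)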
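--- a/lib/noosfero/api/v1/categories.rb
+++ b/lib/noosfero/api/v1/categories.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Categories < Grape::API
-before { authenticate! }
 
 resource :categories do
 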
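Review bot: Removing `before { authenticate! }` makes every route under `resource :categories` anonymous, and unlike comments.rb or communities.rb no route in this file gains a per-route `authenticate!`. The routes themselves are outside the hunk, so I cannot tell whether the resource is read-only; if it has any route that creates or changes categories, that route is now reachable without a token. I would add `# Read-only resource, intentionally public for visitors; any mutating route must call authenticate! itself` at the top of the resource block so the next route added does not silently inherit anonymous access.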
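--- a/lib/noosfero/api/v1/comments.rb
+++ b/lib/noosfero/api/v1/comments.rb
@@ -4,7 +4,6 @@ module Noosfero
 class Comments < Grape::API
 MAX_PER_PAGE = 20
 
-before { authenticate! }
 
 resource :articles do
 paginate max_per_page: MAX_PER_PAGE
@@ -34,6 +33,7 @@ module Noosfero
 # Example Request:
 # POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
 post ":id/comments" do
+authenticate!
 article = find_article(environment.articles, params[:id])
 options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
 begin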
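Review bot: Authentication is now opt-in per route: `post ":id/comments"` calls `authenticate!` on its first line, while the GET routes depend on `find_article` rejecting articles the caller may not see, which is the only access check visible in these hunks. With this pattern a new route that forgets the call is anonymous by default, the less safe failure mode; grouping the mutating routes in a nested block with its own `before { authenticate! }` keeps the default closed and documents which routes are public. The same opt-in pattern is used in communities.rb, enterprises.rb, people.rb, profiles.rb and users.rb. The removal also leaves two consecutive blank lines after `MAX_PER_PAGE = 20`.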
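--- a/lib/noosfero/api/v1/communities.rb
+++ b/lib/noosfero/api/v1/communities.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Communities < Grape::API
-before { authenticate! }
 
 resource :communities do
 
@@ -18,7 +17,7 @@ module Noosfero
 # GET /communities?reference_id=10&limit=10&oldest
 get do
 communities = select_filtered_collection_of(environment, 'communities', params)
-communities = communities.visible_for_person(current_person)
+communities = communities.visible
 communities = communities.by_location(params) # Must be the last. May return Exception obj.
 present communities, :with => Entities::Community, :current_person => current_person
 end
@@ -28,6 +27,7 @@ module Noosfero
 # POST api/v1/communties?private_token=234298743290432&community[name]=some_name
 # for each custom field for community, add &community[field_name]=field_value to the request
 post do
+authenticate!
 params[:community] ||= {}
 
 params[:community][:custom_values]={}
@@ -49,7 +49,7 @@ module Noosfero
 end
 
 get ':id' do
-community = environment.communities.visible_for_person(current_person).find_by id: params[:id]
+community = environment.communities.visible.find_by(id: params[:id])
 present community, :with => Entities::Community, :current_person => current_person
 end
 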
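Review bot: Replacing `visible_for_person(current_person)` with `visible` in the `get` and `get ':id'` routes drops the membership check, so communities with `public_profile = false` are now listed and fetched by any caller, including visitors; the revised test in test/api/communities_test.rb (`'logged user list private communities'`, which now expects both ids) confirms the behaviour change. Since this same commit makes `Organization.visible_for_person` accept a nil person, the routes can keep the per-person filter and still serve visitors: `communities = communities.visible_for_person(current_person)` and `community = environment.communities.visible_for_person(current_person).find_by(id: params[:id])`. The same substitution appears in enterprises.rb, people.rb (where `Person.visible_for_person` received the matching nil-safe change) and profiles.rb. If exposing private profiles is intended, the commit message should say so, because it is an authorization change rather than a visitor enablement.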
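--- a/lib/noosfero/api/v1/enterprises.rb
+++ b/lib/noosfero/api/v1/enterprises.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Enterprises < Grape::API
-before { authenticate! }
 
 resource :enterprises do
 
@@ -19,14 +18,14 @@ module Noosfero
 # GET /enterprises?reference_id=10&limit=10&oldest
 get do
 enterprises = select_filtered_collection_of(environment, 'enterprises', params)
-enterprises = enterprises.visible_for_person(current_person)
+enterprises = enterprises.visible
 enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
 present enterprises, :with => Entities::Enterprise, :current_person => current_person
 end
 
 desc "Return one enterprise by id"
 get ':id' do
-enterprise = environment.enterprises.visible_for_person(current_person).find_by id: params[:id]
+enterprise = environment.enterprises.visible.find_by(id: params[:id])
 present enterprise, :with => Entities::Enterprise, :current_person => current_person
 end
 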
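--- a/lib/noosfero/api/v1/people.rb
+++ b/lib/noosfero/api/v1/people.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class People < Grape::API
-before { authenticate! }
 
 MAX_PER_PAGE = 50
 
@@ -35,24 +34,26 @@ module Noosfero
 desc "Find environment's people"
 get do
 people = select_filtered_collection_of(environment, 'people', params)
-people = people.visible_for_person(current_person)
+people = people.visible
 present_partial people, :with => Entities::Person, :current_person => current_person
 end
 
 desc "Return the logged user information"
 get "/me" do
+authenticate!
 present_partial current_person, :with => Entities::Person, :current_person => current_person
 end
 
 desc "Return the person information"
 get ':id' do
-person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+person = environment.people.visible.find_by(id: params[:id])
 return not_found! if person.blank?
 present person, :with => Entities::Person, :current_person => current_person
 end
 
 desc "Update person information"
 post ':id' do
+authenticate!
 return forbidden! if current_person.id.to_s != params[:id]
 current_person.update_attributes!(params[:person])
 present current_person, :with => Entities::Person, :current_person => current_person
@@ -63,6 +64,7 @@ module Noosfero
 # for each custom field for person, add &person[field_name]=field_value to the request
 desc "Create person"
 post do
+authenticate!
 user_data = {}
 user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
 user_data[:email] = params[:person].delete(:email)
@@ -87,7 +89,7 @@ module Noosfero
 
 desc "Return the person friends"
 get ':id/friends' do
-person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+person = environment.people.visible.find_by(id: params[:id])
 return not_found! if person.blank?
 friends = person.friends.visible
 present friends, :with => Entities::Person, :current_person => current_person
@@ -95,6 +97,7 @@ module Noosfero
 
 desc "Return the person permissions on other profiles"
 get ":id/permissions" do
+authenticate!
 person = environment.people.find(params[:id])
 return not_found! if person.blank?
 return forbidden! unless current_person == person || environment.admins.include?(current_person)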
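--- a/lib/noosfero/api/v1/profiles.rb
+++ b/lib/noosfero/api/v1/profiles.rb
@@ -2,25 +2,25 @@ module Noosfero
 module API
 module V1
 class Profiles < Grape::API
-before { authenticate! }
 
 resource :profiles do
 
 get do
 profiles = select_filtered_collection_of(environment, 'profiles', params)
-profiles = profiles.visible_for_person(current_person)
+profiles = profiles.visible
 profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
 present profiles, :with => Entities::Profile, :current_person => current_person
 end
 
 get ':id' do
 profiles = environment.profiles
-profiles = profiles.visible_for_person(current_person)
+profiles = profiles.visible
 profile = profiles.find_by id: params[:id]
 present profile, :with => Entities::Profile, :current_person => current_person
 end
 
 delete ':id' do
+authenticate!
 profiles = environment.profiles
 profile = profiles.find_by id: params[:id]
 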
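--- a/lib/noosfero/api/v1/users.rb
+++ b/lib/noosfero/api/v1/users.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Users < Grape::API
-before { authenticate! }
 
 resource :users do
 
@@ -13,6 +12,7 @@ module Noosfero
 end
 
 get "/me" do
+authenticate!
 present current_user, :with => Entities::User, :current_person => current_person
 end
 
@@ -25,6 +25,7 @@ module Noosfero
 end
 
 get ":id/permissions" do
+authenticate!
 user = environment.users.find(params[:id])
 output = {}
 user.person.role_assignments.map do |role_assigment|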
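Review bot: Only `get "/me"` and `get ":id/permissions"` gain `authenticate!` after the class-level `before` is removed, and the routes at old lines 9-13 and 19-26 are not visible in these hunks. If those routes list users or return one by id through `Entities::User`, they are now anonymous, and a user entity is the one most likely to carry login or e-mail fields; please confirm each remaining route in the file is either wrapped by `authenticate!` or deliberately public. The enclosing `resource :users` block starts and ends outside the hunks.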
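--- a/test/api/categories_test.rb
+++ b/test/api/categories_test.rb
@@ -2,25 +2,25 @@ require_relative &#39;test_helper&#39;
 
 class CategoriesTest < ActiveSupport::TestCase
 
-def setup
-login_api
-end
 
-should 'list categories' do
+should 'logged user list categories' do
+login_api
 category = fast_create(Category, :environment_id => environment.id)
 get "/api/v1/categories/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_includes json["categories"].map { |c| c["name"] }, category.name
 end
 
-should 'get category by id' do
+should 'logged user get category by id' do
+login_api
 category = fast_create(Category, :environment_id => environment.id)
 get "/api/v1/categories/#{category.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal category.name, json["category"]["name"]
 end
 
-should 'list parent and children when get category by id' do
+should 'logged user list parent and children when get category by id' do
+login_api
 parent = fast_create(Category, :environment_id => environment.id)
 child_1 = fast_create(Category, :environment_id => environment.id)
 child_2 = fast_create(Category, :environment_id => environment.id)
@@ -37,7 +37,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
 assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
 end
 
-should 'include parent in categories list if params is true' do
+should 'logged user include parent in categories list if params is true' do
+login_api
 parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
 child_1 = fast_create(Category, :environment_id => environment.id)
 child_2 = fast_create(Category, :environment_id => environment.id)
@@ -59,7 +60,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
 json["categories"].map { |c| c['parent'] && c['parent']['id'] }
 end
 
-should 'include children in categories list if params is true' do
+should 'logged user include children in categories list if params is true' do
+login_api
 category = fast_create(Category, :environment_id => environment.id)
 child_1 = fast_create(Category, :environment_id => environment.id)
 child_2 = fast_create(Category, :environment_id => environment.id)
@@ -86,7 +88,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
 expose_attributes = %w(id name full_name image display_color)
 
 expose_attributes.each do |attr|
-should "expose category #{attr} attribute by default" do
+should "logged user expose category #{attr} attribute by default" do
+login_api
 category = fast_create(Category, :environment_id => environment.id)
 get "/api/v1/categories/?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -94,4 +97,98 @@ class CategoriesTest &lt; ActiveSupport::TestCase
 end
 end
 
+should 'anonymous list categories' do
+anonymous_setup
+category = fast_create(Category, :environment_id => environment.id)
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_includes json["categories"].map { |c| c["name"] }, category.name
+end
+
+should 'anonymous get category by id' do
+anonymous_setup
+category = fast_create(Category, :environment_id => environment.id)
+get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal category.name, json["category"]["name"]
+end
+
+should 'anonymous list parent and children when get category by id' do
+anonymous_setup
+parent = fast_create(Category, :environment_id => environment.id)
+child_1 = fast_create(Category, :environment_id => environment.id)
+child_2 = fast_create(Category, :environment_id => environment.id)
+
+category = fast_create(Category, :environment_id => environment.id)
+category.parent = parent
+category.children << child_1
+category.children << child_2
+category.save
+
+get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
+assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
+end
+
+should 'anonymous include parent in categories list if params is true' do
+anonymous_setup
+parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
+child_1 = fast_create(Category, :environment_id => environment.id)
+child_2 = fast_create(Category, :environment_id => environment.id)
+
+parent_2 = fast_create(Category, :environment_id => environment.id)
+parent_2.parent = parent_1
+parent_2.children << child_1
+parent_2.children << child_2
+parent_2.save
+
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [nil], json['categories'].map { |c| c['parent'] }.uniq
+
+params[:include_parent] = true
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
+json["categories"].map { |c| c['parent'] && c['parent']['id'] }
+end
+
+should 'anonymous include children in categories list if params is true' do
+anonymous_setup
+category = fast_create(Category, :environment_id => environment.id)
+child_1 = fast_create(Category, :environment_id => environment.id)
+child_2 = fast_create(Category, :environment_id => environment.id)
+child_3 = fast_create(Category, :environment_id => environment.id)
+
+category.children << child_1
+category.children << child_2
+category.save
+
+child_1.children << child_3
+child_1.save
+
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [nil], json['categories'].map { |c| c['children'] }.uniq
+
+params[:include_children] = true
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
+json["categories"].map{ |c| c['children'].map{ |child| child['id'] }.sort }
+end
+
+expose_attributes.each do |attr|
+should "anonymous expose category #{attr} attribute by default" do
+anonymous_setup
+category = fast_create(Category, :environment_id => environment.id)
+get "/api/v1/categories/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json["categories"].last.has_key?(attr)
+end
+end
+
+
+
 end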
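Review bot: The six anonymous tests added in the last hunk repeat the logged-in tests line for line, differing only in `anonymous_setup` versus `login_api`, which doubles the maintenance surface without adding an assertion. Iterating once over the two setups, e.g. `{ 'logged user' => :login_api, 'anonymous' => :anonymous_setup }.each do |who, setup|` with `send(setup)` at the top of each body, keeps one body per behaviour and guarantees both callers stay covered when a test changes. The three blank lines added before the final `end` (new lines 191-193) should go as well.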
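--- a/test/api/comments_test.rb
+++ b/test/api/comments_test.rb
@@ -3,41 +3,44 @@ require_relative &#39;test_helper&#39;
 class CommentsTest < ActiveSupport::TestCase
 
 def setup
-login_api
+@local_person = fast_create(Person)
+anonymous_setup
 end
+attr_reader :local_person
 
-should 'not list comments if user has no permission to view the source article' do
-person = fast_create(Person)
-article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+should 'logged user not list comments if user has no permission to view the source article' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
 assert !article.published?
 
 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
 assert_equal 403, last_response.status
 end
 
-should 'not return comment if user has no permission to view the source article' do
-person = fast_create(Person)
-article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
-comment = article.comments.create!(:body => "another comment", :author => user.person)
+should 'logged user not return comment if user has no permission to view the source article' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+comment = article.comments.create!(:body => "another comment", :author => local_person)
 assert !article.published?
 
 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
 assert_equal 403, last_response.status
 end
 
-should 'not comment an article if user has no permission to view it' do
-person = fast_create(Person)
-article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+should 'logged user not comment an article if user has no permission to view it' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
 assert !article.published?
 
 post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
 assert_equal 403, last_response.status
 end
 
-should 'return comments of an article' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-article.comments.create!(:body => "some comment", :author => user.person)
-article.comments.create!(:body => "another comment", :author => user.person)
+should 'logged user return comments of an article' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+article.comments.create!(:body => "some comment", :author => local_person)
+article.comments.create!(:body => "another comment", :author => local_person)
 
 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -45,9 +48,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_equal 2, json["comments"].length
 end
 
-should 'return comment of an article' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-comment = article.comments.create!(:body => "another comment", :author => user.person)
+should 'logged user return comment of an article' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+comment = article.comments.create!(:body => "another comment", :author => local_person)
 
 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -55,8 +59,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_equal comment.id, json['comment']['id']
 end
 
-should 'comment an article' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+should 'logged user comment an article' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
 body = 'My comment'
 params.merge!({:body => body})
 
@@ -66,7 +71,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_equal body, json['comment']['body']
 end
 
-should 'not comment an archived article' do
+should 'logged user not comment an archived article' do
+login_api
 article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
 body = 'My comment'
 params.merge!({:body => body})
@@ -75,9 +81,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_equal 400, last_response.status
 end
 
-should 'comment creation define the source' do
+should 'logged user comment creation define the source' do
+login_api
 amount = Comment.count
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
 body = 'My comment'
 params.merge!({:body => body})
 
@@ -87,29 +94,6 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_not_nil comment.source
 end
 
-should 'paginate comments' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-5.times { article.comments.create!(:body => "some comment", :author => user.person) }
-params[:per_page] = 3
-
-get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-json = JSON.parse(last_response.body)
-assert_equal 200, last_response.status
-assert_equal 3, json["comments"].length
-end
-
-should 'return only root comments' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-comment1 = article.comments.create!(:body => "some comment", :author => user.person)
-comment2 = article.comments.create!(:body => "another comment", :author => user.person, :reply_of_id => comment1.id)
-params[:without_reply] = true
-
-get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-json = JSON.parse(last_response.body)
-assert_equal 200, last_response.status
-assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
-end
-
 should 'call plugin hotspot to filter unavailable comments' do
 class Plugin1 < Noosfero::Plugin
 def unavailable_comments(scope)
@@ -119,7 +103,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
 Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
 Environment.default.enable_plugin(Plugin1)
 
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
 c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
 c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
 
@@ -128,13 +112,78 @@ class CommentsTest &lt; ActiveSupport::TestCase
 assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
 end
 
-should 'do not return comments marked as spam' do
-article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+should 'anonymous do not return comments marked as spam' do
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
 c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
 c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
-
 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
 end
+
+should 'not, anonymous list comments if has no permission to view the source article' do
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+assert !article.published?
+
+get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+assert_equal 403, last_response.status
+end
+
+should 'anonymous return comments of an article' do
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+article.comments.create!(:body => "some comment", :author => local_person)
+article.comments.create!(:body => "another comment", :author => local_person)
+
+get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 200, last_response.status
+assert_equal 2, json["comments"].length
+end
+
+should 'anonymous return comment of an article' do
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+comment = article.comments.create!(:body => "another comment", :author => local_person)
+
+get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 200, last_response.status
+assert_equal comment.id, json['comment']['id']
+end
+
+should 'not, anonymous comment an article (at least so far...)' do
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+body = 'My comment'
+name = "John Doe"
+email = "JohnDoe@gmail.com"
+params.merge!({:body => body, name: name, email: email})
+post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
+should 'logged user paginate comments' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+5.times { article.comments.create!(:body => "some comment", :author => local_person) }
+params[:per_page] = 3
+
+get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 200, last_response.status
+assert_equal 3, json["comments"].length
+end
+
+should 'logged user return only root comments' do
+login_api
+article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+comment1 = article.comments.create!(:body => "some comment", :author => local_person)
+comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
+params[:without_reply] = true
+
+get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 200, last_response.status
+assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
+end
+
 end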
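Review bot: The `'logged user not comment an archived article'` test still creates its article with `user.person.id` (new line 76) while every sibling test in this commit switched to `local_person.id`; the line itself is unchanged, but the test's title and setup were rewritten around it, so the inconsistency is new. The anonymous coverage also lacks the single-comment case: there is `'not, anonymous list comments ...'` for an unpublished article, but no anonymous counterpart of `'logged user not return comment if user has no permission'`, and that `get ':id/comments/:comment_id'` route lost the class-level `before` too. In `'not, anonymous comment an article (at least so far...)'` the `json = JSON.parse(last_response.body)` line is unused and can be dropped.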
test/api/communities_test.rb
... ... @@ -4,10 +4,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Community.delete_all
7   - login_api
8 7 end
9 8  
10   - should 'list only communities' do
  9 + should 'logged user list only communities' do
  10 + login_api
11 11 community = fast_create(Community, :environment_id => environment.id)
12 12 enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
13 13 get "/api/v1/communities?#{params.to_query}"
... ... @@ -16,7 +16,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
16 16 assert_includes json['communities'].map {|c| c['id']}, community.id
17 17 end
18 18  
19   - should 'list all communities' do
  19 + should 'logged user list all communities' do
  20 + login_api
20 21 community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
21 22 community2 = fast_create(Community, :environment_id => environment.id)
22 23 get "/api/v1/communities?#{params.to_query}"
... ... @@ -24,7 +25,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
24 25 assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
25 26 end
26 27  
27   - should 'not list invisible communities' do
  28 + should 'not, logged user list invisible communities' do
  29 + login_api
28 30 community1 = fast_create(Community, :environment_id => environment.id)
29 31 fast_create(Community, :environment_id => environment.id, :visible => false)
30 32  
... ... @@ -33,16 +35,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
33 35 assert_equal [community1.id], json['communities'].map {|c| c['id']}
34 36 end
35 37  
36   - should 'not list private communities without permission' do
37   - community1 = fast_create(Community, :environment_id => environment.id)
38   - fast_create(Community, :environment_id => environment.id, :public_profile => false)
  38 + should 'logged user list private communities' do
  39 + login_api
  40 + community1 = fast_create(Community, :environment_id => environment.id)
  41 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
39 42  
40   - get "/api/v1/communities?#{params.to_query}"
41   - json = JSON.parse(last_response.body)
42   - assert_equal [community1.id], json['communities'].map {|c| c['id']}
  43 + get "/api/v1/communities?#{params.to_query}"
  44 + json = JSON.parse(last_response.body)
  45 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
43 46 end
44 47  
45   - should 'list private community for members' do
  48 + should 'logged user list private community for members' do
  49 + login_api
46 50 c1 = fast_create(Community, :environment_id => environment.id)
47 51 c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
48 52 c2.add_member(person)
... ... @@ -52,20 +56,23 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
52 56 assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
53 57 end
54 58  
55   - should 'create a community' do
  59 + should 'logged user create a community' do
  60 + login_api
56 61 params[:community] = {:name => 'some'}
57 62 post "/api/v1/communities?#{params.to_query}"
58 63 json = JSON.parse(last_response.body)
59 64 assert_equal 'some', json['community']['name']
60 65 end
61 66  
62   - should 'return 400 status for invalid community creation' do
  67 + should 'logged user return 400 status for invalid community creation' do
  68 + login_api
63 69 post "/api/v1/communities?#{params.to_query}"
64 70 json = JSON.parse(last_response.body)
65 71 assert_equal 400, last_response.status
66 72 end
67 73  
68   - should 'get community' do
  74 + should 'logged user get community' do
  75 + login_api
69 76 community = fast_create(Community, :environment_id => environment.id)
70 77  
71 78 get "/api/v1/communities/#{community.id}?#{params.to_query}"
... ... @@ -73,7 +80,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
73 80 assert_equal community.id, json['community']['id']
74 81 end
75 82  
76   - should 'not get invisible community' do
  83 + should 'not, logged user get invisible community' do
  84 + login_api
77 85 community = fast_create(Community, :environment_id => environment.id, :visible => false)
78 86  
79 87 get "/api/v1/communities/#{community.id}?#{params.to_query}"
... ... @@ -81,7 +89,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
81 89 assert json['community'].blank?
82 90 end
83 91  
84   - should 'not get private communities without permission' do
  92 + should 'not, logged user get private communities without permission' do
  93 + login_api
85 94 community = fast_create(Community, :environment_id => environment.id)
86 95 fast_create(Community, :environment_id => environment.id, :public_profile => false)
87 96  
... ... @@ -90,17 +99,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
90 99 assert_equal community.id, json['community']['id']
91 100 end
92 101  
93   - should 'get private community for members' do
  102 + should 'logged user get private community for members' do
  103 + login_api
94 104 community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
95 105 community.add_member(person)
96 106  
97   -
98 107 get "/api/v1/communities/#{community.id}?#{params.to_query}"
99 108 json = JSON.parse(last_response.body)
100 109 assert_equal community.id, json['community']['id']
101 110 end
102 111  
103   - should 'list person communities' do
  112 + should 'logged user list person communities' do
  113 + login_api
104 114 community = fast_create(Community, :environment_id => environment.id)
105 115 fast_create(Community, :environment_id => environment.id)
106 116 community.add_member(person)
... ... @@ -110,7 +120,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
110 120 assert_equivalent [community.id], json['communities'].map {|c| c['id']}
111 121 end
112 122  
113   - should 'not list person communities invisible' do
  123 + should 'not, logged user list person communities invisible' do
  124 + login_api
114 125 c1 = fast_create(Community, :environment_id => environment.id)
115 126 c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
116 127 c1.add_member(person)
... ... @@ -121,7 +132,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
121 132 assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
122 133 end
123 134  
124   - should 'list communities with pagination' do
  135 + should 'logged user list communities with pagination' do
  136 + login_api
125 137 community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
126 138 community2 = fast_create(Community, :created_at => 2.days.ago)
127 139  
... ... @@ -143,7 +155,118 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
143 155 assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
144 156 end
145 157  
146   - should 'list communities with timestamp' do
  158 + should 'logged user list communities with timestamp' do
  159 + login_api
  160 + community1 = fast_create(Community, :public_profile => true)
  161 + community2 = fast_create(Community)
  162 +
  163 + community1.updated_at = Time.now + 3.hours
  164 + community1.save!
  165 +
  166 + params[:timestamp] = Time.now + 1.hours
  167 + get "/api/v1/communities/?#{params.to_query}"
  168 + json = JSON.parse(last_response.body)
  169 +
  170 + assert_includes json["communities"].map { |a| a["id"] }, community1.id
  171 + assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
  172 + end
  173 +
  174 + should 'anonymous list only communities' do
  175 + anonymous_setup
  176 + community = fast_create(Community, :environment_id => environment.id)
  177 + enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
  178 + get "/api/v1/communities?#{params.to_query}"
  179 + json = JSON.parse(last_response.body)
  180 + assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
  181 + assert_includes json['communities'].map {|c| c['id']}, community.id
  182 + end
  183 +
  184 + should 'anonymous list all communities' do
  185 + anonymous_setup
  186 + community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
  187 + community2 = fast_create(Community, :environment_id => environment.id)
  188 + get "/api/v1/communities?#{params.to_query}"
  189 + json = JSON.parse(last_response.body)
  190 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  191 + end
  192 +
  193 + should 'not, anonymous list invisible communities' do
  194 + anonymous_setup
  195 + community1 = fast_create(Community, :environment_id => environment.id)
  196 + fast_create(Community, :environment_id => environment.id, :visible => false)
  197 +
  198 + get "/api/v1/communities?#{params.to_query}"
  199 + json = JSON.parse(last_response.body)
  200 + assert_equal [community1.id], json['communities'].map {|c| c['id']}
  201 + end
  202 +
  203 + should 'anonymous list private communities' do
  204 + anonymous_setup
  205 + community1 = fast_create(Community, :environment_id => environment.id)
  206 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  207 +
  208 + get "/api/v1/communities?#{params.to_query}"
  209 + json = JSON.parse(last_response.body)
  210 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  211 + end
  212 +
  213 + should 'not, anonymous create a community' do
  214 + anonymous_setup
  215 + params[:community] = {:name => 'some'}
  216 + post "/api/v1/communities?#{params.to_query}"
  217 + json = JSON.parse(last_response.body)
  218 + assert_equal 401, last_response.status
  219 + end
  220 +
  221 + should 'anonymous get community' do
  222 + anonymous_setup
  223 + community = fast_create(Community, :environment_id => environment.id)
  224 + get "/api/v1/communities/#{community.id}"
  225 + json = JSON.parse(last_response.body)
  226 + assert_equal community.id, json['community']['id']
  227 + end
  228 +
  229 + should 'not, anonymous get invisible community' do
  230 + anonymous_setup
  231 + community = fast_create(Community, :environment_id => environment.id, :visible => false)
  232 + get "/api/v1/communities/#{community.id}"
  233 + json = JSON.parse(last_response.body)
  234 + assert json['community'].blank?
  235 + end
  236 +
  237 + should 'not, anonymous get private communities' do
  238 + anonymous_setup
  239 + community = fast_create(Community, :environment_id => environment.id)
  240 + fast_create(Community, :environment_id => environment.id, :public_profile => false)
  241 + get "/api/v1/communities/#{community.id}"
  242 + json = JSON.parse(last_response.body)
  243 + assert_equal community.id, json['community']['id']
  244 + end
  245 +
  246 + should 'anonymous list communities with pagination' do
  247 + anonymous_setup
  248 + community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
  249 + community2 = fast_create(Community, :created_at => 2.days.ago)
  250 +
  251 + params[:page] = 2
  252 + params[:per_page] = 1
  253 + get "/api/v1/communities?#{params.to_query}"
  254 + json_page_two = JSON.parse(last_response.body)
  255 +
  256 + params[:page] = 1
  257 + params[:per_page] = 1
  258 + get "/api/v1/communities?#{params.to_query}"
  259 + json_page_one = JSON.parse(last_response.body)
  260 +
  261 + assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
  262 + assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
  263 +
  264 + assert_includes json_page_two["communities"].map { |a| a["id"] }, community2.id
  265 + assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
  266 + end
  267 +
  268 + should 'anonymous list communities with timestamp' do
  269 + anonymous_setup
147 270 community1 = fast_create(Community, :public_profile => true)
148 271 community2 = fast_create(Community)
149 272  
... ... @@ -157,4 +280,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
157 280 assert_includes json["communities"].map { |a| a["id"] }, community1.id
158 281 assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
159 282 end
  283 +
  284 + should 'display public custom fields to anonymous' do
  285 + anonymous_setup
  286 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
  287 + some_community = fast_create(Community)
  288 + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
  289 + some_community.save!
  290 +
  291 + get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
  292 + json = JSON.parse(last_response.body)
  293 + assert json['community']['additional_data'].has_key?('Rating')
  294 + assert_equal "Five stars", json['community']['additional_data']['Rating']
  295 + end
  296 +
  297 + should 'not display private custom fields to anonymous' do
  298 + anonymous_setup
  299 + CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
  300 + some_community = fast_create(Community)
  301 + some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
  302 + some_community.save!
  303 +
  304 + get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
  305 + json = JSON.parse(last_response.body)
  306 + refute json['community']['additional_data'].has_key?('Rating')
  307 + end
  308 +
  309 +
160 310 end
... ...
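--- a/test/api/enterprises_test.rb
+++ b/test/api/enterprises_test.rb
@@ -4,10 +4,20 @@ class EnterprisesTest < ActiveSupport::TestCase
 
 def setup
 Enterprise.delete_all
+end
+
+should 'logger user list only enterprises' do
 login_api
+community = fast_create(Community, :environment_id => environment.id) # should not list this community
+enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+get "/api/v1/enterprises?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_includes json['enterprises'].map {|c| c['id']}, enterprise.id
+assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
 end
 
-should 'list only enterprises' do
+should 'anonymous list only enterprises' do
+anonymous_setup
 community = fast_create(Community, :environment_id => environment.id) # should not list this community
 enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
 get "/api/v1/enterprises?#{params.to_query}"
@@ -16,7 +26,17 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
 end
 
-should 'list all enterprises' do
+should 'anonymous list all enterprises' do
+anonymous_setup
+enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
+get "/api/v1/enterprises?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+end
+
+should 'logger user list all enterprises' do
+login_api
 enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
 enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
 get "/api/v1/enterprises?#{params.to_query}"
@@ -25,6 +45,7 @@ class EnterprisesTest < ActiveSupport::TestCase
 end
 
 should 'not list invisible enterprises' do
+login_api
 enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
 fast_create(Enterprise, :visible => false)
 
@@ -33,16 +54,48 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
 end
 
-should 'not list private enterprises without permission' do
+should 'not, anonymous list invisible enterprises' do
+anonymous_setup
 enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
-fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+fast_create(Enterprise, :visible => false)
+
+get "/api/v1/enterprises?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
+end
+
+should 'not, logger user list invisible enterprises' do
+login_api
+enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+fast_create(Enterprise, :visible => false)
 
 get "/api/v1/enterprises?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
 end
 
-should 'list private enterprise for members' do
+should 'anonymous list private enterprises' do
+anonymous_setup
+enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+get "/api/v1/enterprises?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+end
+
+should 'logged user list private enterprises' do
+login_api
+enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+get "/api/v1/enterprises?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+end
+
+should 'logged user list private enterprise for members' do
+login_api
 c1 = fast_create(Enterprise, :environment_id => environment.id)
 c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
 c2.add_member(person)
@@ -52,7 +105,17 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equivalent [c1.id, c2.id], json['enterprises'].map {|c| c['id']}
 end
 
-should 'get enterprise' do
+should 'anonymous get enterprise' do
+anonymous_setup
+enterprise = fast_create(Enterprise, :environment_id => environment.id)
+
+get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal enterprise.id, json['enterprise']['id']
+end
+
+should 'logged user get enterprise' do
+login_api
 enterprise = fast_create(Enterprise, :environment_id => environment.id)
 
 get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -60,7 +123,17 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equal enterprise.id, json['enterprise']['id']
 end
 
-should 'not get invisible enterprise' do
+should 'not, logger user get invisible enterprise' do
+login_api
+enterprise = fast_create(Enterprise, :visible => false)
+
+get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['enterprise'].blank?
+end
+
+should 'not, anonymous get invisible enterprise' do
+anonymous_setup
 enterprise = fast_create(Enterprise, :visible => false)
 
 get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -69,6 +142,17 @@ class EnterprisesTest < ActiveSupport::TestCase
 end
 
 should 'not get private enterprises without permission' do
+login_api
+enterprise = fast_create(Enterprise, :environment_id => environment.id)
+fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal enterprise.id, json['enterprise']['id']
+end
+
+should 'not, anonymous get private enterprises' do
+anonymous_setup
 enterprise = fast_create(Enterprise, :environment_id => environment.id)
 fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
 
@@ -78,6 +162,7 @@ class EnterprisesTest < ActiveSupport::TestCase
 end
 
 should 'get private enterprise for members' do
+login_api
 enterprise = fast_create(Enterprise, :public_profile => false)
 enterprise.add_member(person)
 
@@ -87,6 +172,7 @@ class EnterprisesTest < ActiveSupport::TestCase
 end
 
 should 'list person enterprises' do
+login_api
 enterprise = fast_create(Enterprise, :environment_id => environment.id)
 fast_create(Enterprise, :environment_id => environment.id)
 enterprise.add_member(person)
@@ -97,6 +183,7 @@ class EnterprisesTest < ActiveSupport::TestCase
 end
 
 should 'not list person enterprises invisible' do
+login_api
 c1 = fast_create(Enterprise, :environment_id => environment.id)
 c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
 c1.add_member(person)
@@ -107,4 +194,29 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
 end
 
+should 'display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+some_enterprise = fast_create(Enterprise)
+some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+some_enterprise.save!
+
+get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['enterprise']['additional_data'].has_key?('Rating')
+assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
+end
+
+should 'not display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+some_enterprise = fast_create(Enterprise)
+some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+some_enterprise.save!
+
+get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json['enterprise']['additional_data'].has_key?('Rating')
+end
+
 end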
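Review bot: The test added as 'not display public custom fields to anonymous' (new line 210) sets the custom value with `"public" => "false"` and asserts the key is absent, so its name states the opposite of what the body checks; rename it `should 'not display private custom fields to anonymous' do`, matching the communities test in this merge. The last hunk is the only place this applies, but two earlier names in this file also mislead: 'not list invisible enterprises' (new line 47) and 'not, logger user list invisible enterprises' (new line 67) have identical bodies, so one is redundant, and 'not get private enterprises without permission' (new line 144) now carries `login_api` yet fetches and asserts the public enterprise, so it no longer describes an access-control check. 'logger user' in four names is presumably a typo for 'logged user'. Worth stating plainly in the test names or the merge description: 'anonymous list private enterprises' (new line 77) pins that an enterprise created with `:public_profile => false` is returned to an unauthenticated caller, which is the exposure this merge introduces and the behavior a later reader will need to recognize as intentional.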
test/api/people_test.rb
... ... @@ -4,10 +4,10 @@ class PeopleTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Person.delete_all
7   - login_api
8 7 end
9 8  
10   - should 'list all people' do
  9 + should 'logged user list all people' do
  10 + login_api
11 11 person1 = fast_create(Person, :public_profile => true)
12 12 person2 = fast_create(Person)
13 13 get "/api/v1/people?#{params.to_query}"
... ... @@ -15,7 +15,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
15 15 assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
16 16 end
17 17  
18   - should 'list all members of a community' do
  18 + should 'anonymous list all people' do
  19 + anonymous_setup
  20 + person1 = fast_create(Person, :public_profile => true)
  21 + person2 = fast_create(Person)
  22 + get "/api/v1/people?#{params.to_query}"
  23 + json = JSON.parse(last_response.body)
  24 + assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
  25 + end
  26 +
  27 + should 'logged user list all members of a community' do
  28 + login_api
  29 + person1 = fast_create(Person)
  30 + person2 = fast_create(Person)
  31 + community = fast_create(Community)
  32 + community.add_member(person1)
  33 + community.add_member(person2)
  34 +
  35 + get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
  36 + json = JSON.parse(last_response.body)
  37 + assert_equal 2, json["people"].count
  38 + assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
  39 + end
  40 +
  41 + should 'anonymous list all members of a community' do
  42 + anonymous_setup
19 43 person1 = fast_create(Person)
20 44 person2 = fast_create(Person)
21 45 community = fast_create(Community)
... ... @@ -28,21 +52,40 @@ class PeopleTest &lt; ActiveSupport::TestCase
28 52 assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
29 53 end
30 54  
31   - should 'not list invisible people' do
  55 + should 'logged user not list invisible people' do
  56 + login_api
  57 + invisible_person = fast_create(Person, :visible => false)
  58 +
  59 + get "/api/v1/people?#{params.to_query}"
  60 + assert_not_includes json_response_ids(:people), invisible_person.id
  61 + end
  62 +
  63 + should 'annoymous not list invisible people' do
  64 + anonymous_setup
32 65 invisible_person = fast_create(Person, :visible => false)
33 66  
34 67 get "/api/v1/people?#{params.to_query}"
35 68 assert_not_includes json_response_ids(:people), invisible_person.id
36 69 end
37 70  
38   - should 'not list private people without permission' do
  71 + should 'logged user list private people' do
  72 + login_api
39 73 private_person = fast_create(Person, :public_profile => false)
40 74  
41 75 get "/api/v1/people?#{params.to_query}"
42   - assert_not_includes json_response_ids(:people), private_person.id
  76 + assert_includes json_response_ids(:people), private_person.id
43 77 end
44 78  
45   - should 'list private person for friends' do
  79 + should 'anonymous list private people' do
  80 + anonymous_setup
  81 + private_person = fast_create(Person, :public_profile => false)
  82 +
  83 + get "/api/v1/people?#{params.to_query}"
  84 + assert_includes json_response_ids(:people), private_person.id
  85 + end
  86 +
  87 + should 'logged user list private person for friends' do
  88 + login_api
46 89 p1 = fast_create(Person)
47 90 p2 = fast_create(Person, :public_profile => false)
48 91 person.add_friend(p2)
... ... @@ -52,7 +95,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
52 95 assert_includes json_response_ids(:people), p2.id
53 96 end
54 97  
55   - should 'get person' do
  98 + should 'logged user get person' do
  99 + login_api
56 100 some_person = fast_create(Person)
57 101  
58 102 get "/api/v1/people/#{some_person.id}?#{params.to_query}"
... ... @@ -60,14 +104,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
60 104 assert_equal some_person.id, json['person']['id']
61 105 end
62 106  
63   - should 'people endpoint filter by fields parameter' do
  107 + should 'anonymous get person' do
  108 + anonymous_setup
  109 + some_person = fast_create(Person)
  110 +
  111 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  112 + json = JSON.parse(last_response.body)
  113 + assert_equal some_person.id, json['person']['id']
  114 + end
  115 +
  116 +
  117 + should 'people endpoint filter by fields parameter for logged user' do
  118 + login_api
64 119 get "/api/v1/people?#{params.to_query}&fields=name"
65 120 json = JSON.parse(last_response.body)
66 121 expected = {'people' => [{'name' => person.name}]}
67 122 assert_equal expected, json
68 123 end
69 124  
70   - should 'people endpoint filter by fields parameter with hierarchy' do
  125 + should 'people endpoint filter by fields parameter with hierarchy for logged user' do
  126 + login_api
71 127 fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
72 128 get "/api/v1/people?#{params.to_query}&fields=#{fields}"
73 129 json = JSON.parse(last_response.body)
... ... @@ -76,19 +132,22 @@ class PeopleTest &lt; ActiveSupport::TestCase
76 132 end
77 133  
78 134 should 'get logged person' do
  135 + login_api
79 136 get "/api/v1/people/me?#{params.to_query}"
80 137 json = JSON.parse(last_response.body)
81 138 assert_equal person.id, json['person']['id']
82 139 end
83 140  
84   - should 'me endpoint filter by fields parameter' do
  141 + should 'access me endpoint filter by fields parameter' do
  142 + login_api
85 143 get "/api/v1/people/me?#{params.to_query}&fields=name"
86 144 json = JSON.parse(last_response.body)
87 145 expected = {'person' => {'name' => person.name}}
88 146 assert_equal expected, json
89 147 end
90 148  
91   - should 'not get invisible person' do
  149 + should 'logged user not get invisible person' do
  150 + login_api
92 151 person = fast_create(Person, :visible => false)
93 152  
94 153 get "/api/v1/people/#{person.id}?#{params.to_query}"
... ... @@ -96,15 +155,35 @@ class PeopleTest &lt; ActiveSupport::TestCase
96 155 assert json['person'].blank?
97 156 end
98 157  
99   - should 'not get private people without permission' do
  158 + should 'anonymous not get invisible person' do
  159 + anonymous_setup
  160 + person = fast_create(Person, :visible => false)
  161 +
  162 + get "/api/v1/people/#{person.id}?#{params.to_query}"
  163 + json = JSON.parse(last_response.body)
  164 + assert json['person'].blank?
  165 + end
  166 +
  167 + should 'get private people' do
  168 + login_api
100 169 private_person = fast_create(Person, :public_profile => false)
101 170  
102 171 get "/api/v1/people/#{private_person.id}?#{params.to_query}"
103 172 json = JSON.parse(last_response.body)
104   - assert json['person'].blank?
  173 + assert_equal json['person']['id'], private_person.id
  174 + end
  175 +
  176 + should 'anonymous get private people' do
  177 + anonymous_setup
  178 + private_person = fast_create(Person, :public_profile => false)
  179 +
  180 + get "/api/v1/people/#{private_person.id}?#{params.to_query}"
  181 + json = JSON.parse(last_response.body)
  182 + assert_equal json['person']['id'], private_person.id
105 183 end
106 184  
107 185 should 'get private person for friends' do
  186 + login_api
108 187 private_person = fast_create(Person, :public_profile => false)
109 188 person.add_friend(private_person)
110 189 private_person.add_friend(person)
... ... @@ -115,15 +194,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
115 194 end
116 195  
117 196 should 'list person friends' do
  197 + login_api
118 198 friend = fast_create(Person)
119 199 person.add_friend(friend)
120 200 friend.add_friend(person)
  201 + get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
  202 + assert_includes json_response_ids(:people), person.id
  203 + end
121 204  
  205 + should 'anonymous list person friends' do
  206 + anonymous_setup
  207 + person = fast_create(Person)
  208 + friend = fast_create(Person)
  209 + person.add_friend(friend)
  210 + friend.add_friend(person)
122 211 get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
123 212 assert_includes json_response_ids(:people), person.id
124 213 end
125 214  
126 215 should 'not list person invisible friends' do
  216 + login_api
127 217 friend = fast_create(Person)
128 218 invisible_friend = fast_create(Person, :visible => false)
129 219 person.add_friend(friend)
... ... @@ -138,6 +228,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
138 228 end
139 229  
140 230 should 'create a person' do
  231 + login_api
141 232 login = 'some'
142 233 params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
143 234 post "/api/v1/people?#{params.to_query}"
... ... @@ -146,6 +237,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
146 237 end
147 238  
148 239 should 'return 400 status for invalid person creation' do
  240 + login_api
149 241 params[:person] = {:login => 'some'}
150 242 post "/api/v1/people?#{params.to_query}"
151 243 json = JSON.parse(last_response.body)
... ... @@ -153,6 +245,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
153 245 end
154 246  
155 247 should 'display permissions' do
  248 + login_api
156 249 community = fast_create(Community)
157 250 community.add_member(fast_create(Person))
158 251 community.add_member(person)
... ... @@ -164,11 +257,13 @@ class PeopleTest &lt; ActiveSupport::TestCase
164 257 end
165 258  
166 259 should 'display permissions if self' do
  260 + login_api
167 261 get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
168 262 assert_equal 200, last_response.status
169 263 end
170 264  
171 265 should 'display permissions if admin' do
  266 + login_api
172 267 environment = person.environment
173 268 environment.add_admin(person)
174 269 some_person = fast_create(Person)
... ... @@ -178,6 +273,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
178 273 end
179 274  
180 275 should 'not display permissions if not admin or self' do
  276 + login_api
181 277 some_person = create_user('some-person').person
182 278  
183 279 get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
... ... @@ -185,12 +281,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
185 281 end
186 282  
187 283 should 'not update another person' do
  284 + login_api
188 285 person = fast_create(Person, :environment_id => environment.id)
189 286 post "/api/v1/people/#{person.id}?#{params.to_query}"
190 287 assert_equal 403, last_response.status
191 288 end
192 289  
193 290 should 'update yourself' do
  291 + login_api
194 292 another_name = 'Another Name'
195 293 params[:person] = {}
196 294 params[:person][:name] = another_name
... ... @@ -200,7 +298,33 @@ class PeopleTest &lt; ActiveSupport::TestCase
200 298 assert_equal another_name, person.name
201 299 end
202 300  
203   - should 'display public custom fields' do
  301 + should 'logged user display public custom fields' do
  302 + login_api
  303 + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
  304 + some_person = create_user('some-person').person
  305 + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
  306 + some_person.save!
  307 +
  308 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  309 + json = JSON.parse(last_response.body)
  310 + assert json['person']['additional_data'].has_key?('Custom Blog')
  311 + assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
  312 + end
  313 +
  314 + should 'logged user not display non-public custom fields' do
  315 + login_api
  316 + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
  317 + some_person = create_user('some-person').person
  318 + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
  319 + some_person.save!
  320 +
  321 + get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  322 + json = JSON.parse(last_response.body)
  323 + assert_equal json['person']['additional_data'], {}
  324 + end
  325 +
  326 + should 'display public custom fields to anonymous' do
  327 + anonymous_setup
204 328 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
205 329 some_person = create_user('some-person').person
206 330 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
... ... @@ -212,7 +336,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
212 336 assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
213 337 end
214 338  
215   - should 'not display non-public custom fields' do
  339 + should 'not display non-public custom fields to anonymous' do
  340 + anonymous_setup
216 341 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
217 342 some_person = create_user('some-person').person
218 343 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
... ... @@ -223,7 +348,19 @@ class PeopleTest &lt; ActiveSupport::TestCase
223 348 assert_equal json['person']['additional_data'], {}
224 349 end
225 350  
  351 + should 'hide private fields to anonymous' do
  352 + anonymous_setup
  353 + target_person = create_user('some-user').person
  354 + target_person.save!
  355 +
  356 + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
  357 + json = JSON.parse(last_response.body)
  358 + refute json["user"].has_key?("permissions")
  359 + refute json["user"].has_key?("activated")
  360 + end
  361 +
226 362 should 'display non-public custom fields to friend' do
  363 + login_api
227 364 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
228 365 some_person = create_user('some-person').person
229 366 some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
... ... @@ -244,12 +381,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
244 381  
245 382 PERSON_ATTRIBUTES.map do |attribute|
246 383 define_method "test_should_not_expose_#{attribute}_attribute_in_person_enpoint_if_field_parameter_does_not_contain_the_attribute" do
  384 + login_api
247 385 get "/api/v1/people/me?#{params.to_query}&fields=name"
248 386 json = JSON.parse(last_response.body)
249 387 assert_nil json['person'][attribute]
250 388 end
251 389  
252 390 define_method "test_should_expose_#{attribute}_attribute_in_person_enpoints_if_field_parameter_is_passed" do
  391 + login_api
253 392 get "/api/v1/people/me?#{params.to_query}&fields=#{attribute}"
254 393 json = JSON.parse(last_response.body)
255 394 assert_not_nil json['person'][attribute]
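--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -4,10 +4,10 @@ class ProfilesTest < ActiveSupport::TestCase
 
 def setup
 Profile.delete_all
-login_api
 end
 
-should 'list all profiles' do
+should 'logged user list all profiles' do
+login_api
 person1 = fast_create(Person)
 person2 = fast_create(Person)
 community = fast_create(Community)
@@ -16,14 +16,16 @@ class ProfilesTest < ActiveSupport::TestCase
 assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
 end
 
-should 'get person from profile id' do
+should 'logged user get person from profile id' do
+login_api
 some_person = fast_create(Person)
 get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal some_person.id, json['id']
 end
 
-should 'get community from profile id' do
+should 'logged user get community from profile id' do
+login_api
 community = fast_create(Community)
 get "/api/v1/profiles/#{community.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -33,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase
 group_kinds = %w(community enterprise)
 group_kinds.each do |kind|
 should "delete #{kind} from profile id with permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 give_permission(@person, 'destroy_profile', profile)
 assert_not_nil Profile.find_by_id profile.id
@@ -44,6 +47,7 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should "not delete #{kind} from profile id without permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -55,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should 'person delete itself' do
+login_api
 delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
 assert_equal 200, last_response.status
 assert_nil Profile.find_by_id @person.id
 end
 
 should 'only admin delete other people' do
+login_api
 profile = fast_create(Person, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -77,4 +83,62 @@ class ProfilesTest < ActiveSupport::TestCase
 assert_nil Profile.find_by_id profile.id
 
 end
+
+should 'anonymous user access delete action' do
+anonymous_setup
+profile = fast_create(Person, :environment_id => environment.id)
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+assert_equal 401, last_response.status
+assert_not_nil Profile.find_by_id profile.id
+end
+
+should 'anonymous list all profiles' do
+person1 = fast_create(Person)
+person2 = fast_create(Person)
+community = fast_create(Community)
+get "/api/v1/profiles"
+json = JSON.parse(last_response.body)
+assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+end
+
+should 'anonymous get person from profile id' do
+some_person = fast_create(Person)
+get "/api/v1/profiles/#{some_person.id}"
+json = JSON.parse(last_response.body)
+assert_equal some_person.id, json['id']
+end
+
+should 'anonymous get community from profile id' do
+community = fast_create(Community)
+get "/api/v1/profiles/#{community.id}"
+json = JSON.parse(last_response.body)
+assert_equal community.id, json['id']
+end
+
+should 'display public custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+some_profile = fast_create(Profile)
+some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+some_profile.save!
+
+get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json['additional_data'].has_key?('Rating')
+assert_equal "Five stars", json['additional_data']['Rating']
+end
+
+should 'not display private custom fields to anonymous' do
+anonymous_setup
+CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+some_profile = fast_create(Profile)
+some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+some_profile.save!
+
+get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json.has_key?('Rating')
+end
+
 end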
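Review bot: The negative assertion in 'not display private custom fields to anonymous' checks the wrong level of the response: the positive test two cases above reads the value from `json['additional_data']['Rating']`, so `refute json.has_key?('Rating')` passes even when the private value is returned, and the test cannot detect a leak of non-public custom fields to an unauthenticated caller. Change it to `refute json['additional_data'].has_key?('Rating')` (or `assert_equal({}, json['additional_data'])`, the form the people test uses) so the assertion targets the key the API actually emits. Separately, 'anonymous list all profiles' and the two 'anonymous get ... from profile id' tests issue requests without calling `anonymous_setup`, while the custom-field tests do; calling it in all four keeps `params` and `environment` defined and makes the unauthenticated intent explicit.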
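--- a/test/api/test_helper.rb
+++ b/test/api/test_helper.rb
@@ -24,6 +24,12 @@ class ActiveSupport::TestCase
 
 @params = {:private_token => @private_token}
 end
+
+def anonymous_setup
+@environment = Environment.default
+@params = {}
+end
+
 attr_accessor :private_token, :user, :person, :params, :environment
 
 private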
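Review bot: `anonymous_setup` carries no comment saying what state it establishes; add `# Request context for an unauthenticated client: default environment, no private_token in params.` above the definition. The helper only replaces `@params`, so a test that calls `login_api` and then `anonymous_setup` in the same run would keep `@private_token`, `@user` and `@person` populated while sending unauthenticated requests; if that sequence is meant to be supported, clearing them (`@private_token = @user = @person = nil`) makes the anonymous state unambiguous, and if it is not, a comment saying the two helpers are mutually exclusive would do. The enclosing class continues outside the hunk.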
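--- a/test/api/users_test.rb
+++ b/test/api/users_test.rb
@@ -3,23 +3,22 @@ require_relative 'test_helper'
 
 class UsersTest < ActiveSupport::TestCase
 
-def setup
+should 'logger user list users' do
 login_api
-end
-
-should 'list users' do
 get "/api/v1/users/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_includes json["users"].map { |a| a["login"] }, user.login
 end
 
-should 'get user' do
+should 'logger user get user info' do
+login_api
 get "/api/v1/users/#{user.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
 
-should 'list user permissions' do
+should 'logger user list user permissions' do
+login_api
 community = fast_create(Community)
 community.add_admin(person)
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
@@ -28,25 +27,29 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'get logged user' do
+login_api
 get "/api/v1/users/me?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
 
 should 'not show permissions to logged user' do
+login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 refute json["user"].has_key?("permissions")
 end
 
-should 'show permissions to self' do
+should 'logger user show permissions to self' do
+login_api
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert json["user"].has_key?("permissions")
 end
 
 should 'not show permissions to friend' do
+login_api
 target_person = create_user('some-user').person
 
 f = Friendship.new
@@ -60,6 +63,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'not show private attribute to logged user' do
+login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -67,6 +71,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show private attr to friend' do
+login_api
 target_person = create_user('some-user').person
 f = Friendship.new
 f.friend = target_person
@@ -79,6 +84,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show public attribute to logged user' do
+login_api
 target_person = create_user('some-user').person
 target_person.fields_privacy={:email=> 'public'}
 target_person.save!
@@ -89,6 +95,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show public and private field to admin' do
+login_api
 Environment.default.add_admin(person)
 
 target_person = create_user('some-user').person
@@ -102,4 +109,26 @@ class UsersTest < ActiveSupport::TestCase
 assert json["user"].has_key?("activated")
 end
 
+should 'show public fields to anonymous' do
+anonymous_setup
+target_person = create_user('some-user').person
+target_person.fields_privacy={:email=> 'public'}
+target_person.save!
+
+get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert json["user"].has_key?("email")
+end
+
+should 'hide private fields to anonymous' do
+anonymous_setup
+target_person = create_user('some-user').person
+target_person.save!
+
+get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+json = JSON.parse(last_response.body)
+refute json["user"].has_key?("permissions")
+refute json["user"].has_key?("activated")
+end
+
 end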
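Review bot: The four renamed descriptions read 'logger user' where 'logged user' is meant (`should 'logged user list users' do` and the three following), which is also the wording used in profiles_test.rb. 'hide private fields to anonymous' duplicates, line for line, a test this merge also adds to people_test.rb against the same `/api/v1/users/:id` endpoint; keeping a single copy here avoids the two drifting apart. The new anonymous coverage exercises only a single-user lookup, not the `/api/v1/users/` listing; if that listing is among the methods opened to visitors, a test asserting that no listed user carries private attributes, e.g. `refute json["users"].any? { |u| u.has_key?("activated") }`, would pin the exposure boundary for the collection as well.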
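--- a/test/unit/organization_test.rb
+++ b/test/unit/organization_test.rb
@@ -437,7 +437,7 @@ class OrganizationTest < ActiveSupport::TestCase
 c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')
 admin = create_user('adminuser').person
 c.add_admin(admin)
-
+
 assert c.is_admin?(admin)
 end
 
@@ -513,4 +513,18 @@ class OrganizationTest < ActiveSupport::TestCase
 assert_includes env_admin_orgs, o7
 end
 
+should 'fetch organizations there are visible for a visitor' do
+visitor = nil
+Organization.destroy_all
+o1 = fast_create(Organization, :public_profile => true , :visible => true )
+o2 = fast_create(Organization, :public_profile => false, :visible => true )
+o3 = fast_create(Organization, :public_profile => true , :visible => false)
+o4 = fast_create(Organization, :public_profile => false, :visible => false)
+person_orgs = Organization.visible_for_person(visitor)
+assert_includes person_orgs, o1
+assert_not_includes person_orgs, o2
+assert_not_includes person_orgs, o3
+assert_not_includes person_orgs, o4
+end
+
 end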
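Review bot: The visitor test varies only `public_profile` and `visible`, so it does not show that a disabled organization stays hidden from an unauthenticated caller; if `visible_for_person` also gates on `enabled`, a fifth fixture such as `o5 = fast_create(Organization, :public_profile => true, :visible => true, :enabled => false)` followed by `assert_not_includes person_orgs, o5` would close that gap, and the companion test added to person_test.rb has the same omission. The description reads 'there are visible'; 'that are visible' is meant. The first hunk is a whitespace-only change.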
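--- a/test/unit/person_test.rb
+++ b/test/unit/person_test.rb
@@ -1951,4 +1951,17 @@ class PersonTest < ActiveSupport::TestCase
 person.save!
 end
 
+should 'fetch people there are visible for a visitor' do
+person = nil
+p1 = fast_create(Person, :public_profile => true , :visible => true)
+p2 = fast_create(Person, :public_profile => false, :visible => true)
+p3 = fast_create(Person, :public_profile => true , :visible => false)
+p4 = fast_create(Person, :public_profile => false, :visible => false)
+people_visible_by_visitor = Person.visible_for_person(person)
+assert_includes people_visible_by_visitor, p1
+assert_not_includes people_visible_by_visitor, p2
+assert_not_includes people_visible_by_visitor, p3
+assert_not_includes people_visible_by_visitor, p4
+end
+
 end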
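Review bot: The local `person = nil` on the second line of the new test reuses a name that the surrounding tests use for a real, saved person (`person.save!` appears in the context just above), which hides that the argument stands for an unauthenticated visitor; `visitor = nil` with `Person.visible_for_person(visitor)`, as the organization test in this merge does, states the intent directly. The description reads 'there are visible'; 'that are visible' is meant.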