Merge branch 'api_visitor' into 'master'

Some API methods unlocked for visitor Enable visitor to browser some of the API methods See merge request !863

Merge branch 'api_visitor' into 'master'
Some API methods unlocked for visitor Enable visitor to browser some of the API methods See merge request !863
Leandro Santos
2 parents 1ebe6924 f306fc96
Showing 19 changed files with 816 additions and 136 deletions Show diff stats
app/models/organization.rb
app/models/person.rb
lib/noosfero/api/v1/categories.rb
lib/noosfero/api/v1/comments.rb
lib/noosfero/api/v1/communities.rb
lib/noosfero/api/v1/enterprises.rb
lib/noosfero/api/v1/people.rb
lib/noosfero/api/v1/profiles.rb
lib/noosfero/api/v1/users.rb
test/api/categories_test.rb
test/api/comments_test.rb
test/api/communities_test.rb
test/api/enterprises_test.rb
test/api/people_test.rb
test/api/profiles_test.rb
test/api/test_helper.rb
test/api/users_test.rb
test/unit/organization_test.rb
test/unit/person_test.rb
@@ -17,6 +17,8 @@ class Organization &lt; Profile
   #   4) The user is not a member of the organization but the organization is
   #   visible, public and enabled.
   def self.visible_for_person(person)
+    # Visitor if person.nil?
+    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
           AND "role_assignments"."resource_type" = \'Profile\') OR (
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -28,8 +30,8 @@ class Organization &lt; Profile
         ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
             ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
           ( profiles.visible = ? ) )',
-      'profile_admin', 'environment_administrator', Profile.name, person.id,
-      Profile.name, person.id,  true, true, true]
+      'profile_admin', 'environment_administrator', Profile.name, person_id,
+      Profile.name, person_id,  true, true, true]
     ).uniq
   end
@@ -42,6 +42,8 @@ class Person &lt; Profile
   }
   scope :visible_for_person, lambda { |person|
+    # Visitor if person.nil?
+    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
           "role_assignments"."resource_type" = \'Environment\'')
@@ -49,9 +51,10 @@ class Person &lt; Profile
     .joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
     .where(
       ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
-        ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )', 'environment_administrator', Profile.name, person.id, person.id,  true, true]
+        ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
+         'environment_administrator', Profile.name, person_id, person_id,  true, true]
     ).uniq
-    }
+  }
   def has_permission_with_admin?(permission, resource)
     return true if resource.blank? || resource.admins.include?(self)
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Categories < Grape::API
-        before { authenticate! }
         resource :categories do
@@ -4,7 +4,6 @@ module Noosfero
       class Comments < Grape::API
         MAX_PER_PAGE = 20
-        before { authenticate! }
         resource :articles do
           paginate max_per_page: MAX_PER_PAGE
@@ -34,6 +33,7 @@ module Noosfero
           # Example Request:
           #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
           post ":id/comments" do
+            authenticate!
             article = find_article(environment.articles, params[:id])
             options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
             begin
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Communities < Grape::API
-        before { authenticate! }
         resource :communities do
@@ -18,7 +17,7 @@ module Noosfero
           #  GET /communities?reference_id=10&limit=10&oldest
           get do
             communities = select_filtered_collection_of(environment, 'communities', params)
-            communities = communities.visible_for_person(current_person)
+            communities = communities.visible
             communities = communities.by_location(params) # Must be the last. May return Exception obj.
             present communities, :with => Entities::Community, :current_person => current_person
           end
@@ -28,6 +27,7 @@ module Noosfero
           #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
           #  for each custom field for community, add &community[field_name]=field_value to the request
           post do
+            authenticate!
             params[:community] ||= {}
             params[:community][:custom_values]={}
@@ -49,7 +49,7 @@ module Noosfero
           end
           get ':id' do
-            community = environment.communities.visible_for_person(current_person).find_by id: params[:id]
+            community = environment.communities.visible.find_by(id: params[:id])
             present community, :with => Entities::Community, :current_person => current_person
           end
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Enterprises < Grape::API
-        before { authenticate! }
         resource :enterprises do
@@ -19,14 +18,14 @@ module Noosfero
           #  GET /enterprises?reference_id=10&limit=10&oldest
           get do
             enterprises = select_filtered_collection_of(environment, 'enterprises', params)
-            enterprises = enterprises.visible_for_person(current_person)
+            enterprises = enterprises.visible
             enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
             present enterprises, :with => Entities::Enterprise, :current_person => current_person
           end
           desc "Return one enterprise by id"
           get ':id' do
-            enterprise = environment.enterprises.visible_for_person(current_person).find_by id: params[:id]
+            enterprise = environment.enterprises.visible.find_by(id: params[:id])
             present enterprise, :with => Entities::Enterprise, :current_person => current_person
           end
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class People < Grape::API
-        before { authenticate! }
         MAX_PER_PAGE = 50
@@ -35,24 +34,26 @@ module Noosfero
           desc "Find environment's people"
           get do
             people = select_filtered_collection_of(environment, 'people', params)
-            people = people.visible_for_person(current_person)
+            people = people.visible
             present_partial people, :with => Entities::Person, :current_person => current_person
           end
           desc "Return the logged user information"
           get "/me" do
+            authenticate!
             present_partial current_person, :with => Entities::Person, :current_person => current_person
           end
           desc "Return the person information"
           get ':id' do
-            person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+            person = environment.people.visible.find_by(id: params[:id])
             return not_found! if person.blank?
             present person, :with => Entities::Person, :current_person => current_person
           end
           desc "Update person information"
           post ':id' do
+            authenticate!
             return forbidden! if current_person.id.to_s != params[:id]
             current_person.update_attributes!(params[:person])
             present current_person, :with => Entities::Person, :current_person => current_person
@@ -63,6 +64,7 @@ module Noosfero
           #  for each custom field for person, add &person[field_name]=field_value to the request
           desc "Create person"
           post do
+            authenticate!
             user_data = {}
             user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
             user_data[:email] = params[:person].delete(:email)
@@ -87,7 +89,7 @@ module Noosfero
           desc "Return the person friends"
           get ':id/friends' do
-            person = environment.people.visible_for_person(current_person).find_by id: params[:id]
+            person = environment.people.visible.find_by(id: params[:id])
             return not_found! if person.blank?
             friends = person.friends.visible
             present friends, :with => Entities::Person, :current_person => current_person
@@ -95,6 +97,7 @@ module Noosfero
           desc "Return the person permissions on other profiles"
           get ":id/permissions" do
+            authenticate!
             person = environment.people.find(params[:id])
             return not_found! if person.blank?
             return forbidden! unless current_person == person || environment.admins.include?(current_person)
@@ -2,25 +2,25 @@ module Noosfero
   module API
     module V1
       class Profiles < Grape::API
-        before { authenticate! }
         resource :profiles do
           get do
             profiles = select_filtered_collection_of(environment, 'profiles', params)
-            profiles = profiles.visible_for_person(current_person)
+            profiles = profiles.visible
             profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
             present profiles, :with => Entities::Profile, :current_person => current_person
           end
           get ':id' do
             profiles = environment.profiles
-            profiles = profiles.visible_for_person(current_person)
+            profiles = profiles.visible
             profile = profiles.find_by id: params[:id]
             present profile, :with => Entities::Profile, :current_person => current_person
           end
           delete ':id' do
+            authenticate!
             profiles = environment.profiles
             profile = profiles.find_by id: params[:id]
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Users < Grape::API
-        before { authenticate! }
         resource :users do
@@ -13,6 +12,7 @@ module Noosfero
           end
           get "/me" do
+            authenticate!
             present current_user, :with => Entities::User, :current_person => current_person
           end
@@ -25,6 +25,7 @@ module Noosfero
           end
           get ":id/permissions" do
+            authenticate!
             user = environment.users.find(params[:id])
             output = {}
             user.person.role_assignments.map do |role_assigment|
@@ -2,25 +2,25 @@ require_relative &#39;test_helper&#39;
 class CategoriesTest < ActiveSupport::TestCase
-  def setup
-    login_api
-  end
-  should 'list categories' do
+  should 'logged user list categories' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
-  should 'get category by id' do
+  should 'logged user get category by id' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal category.name, json["category"]["name"]
   end
-  should 'list parent and children when get category by id' do
+  should 'logged user list parent and children when get category by id' do
+    login_api
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -37,7 +37,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
   end
-  should 'include parent in categories list if params is true' do
+  should 'logged user include parent in categories list if params is true' do
+    login_api
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -59,7 +60,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
       json["categories"].map { |c| c['parent'] && c['parent']['id'] }
   end
-  should 'include children in categories list if params is true' do
+  should 'logged user include children in categories list if params is true' do
+    login_api
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -86,7 +88,8 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   expose_attributes = %w(id name full_name image display_color)
   expose_attributes.each do |attr|
-    should "expose category #{attr} attribute by default" do
+    should "logged user expose category #{attr} attribute by default" do
+      login_api
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
       json = JSON.parse(last_response.body)
@@ -94,4 +97,98 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
+  should 'anonymous list categories' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["categories"].map { |c| c["name"] }, category.name
+  end
+
+  should 'anonymous get category by id' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal category.name, json["category"]["name"]
+  end
+
+  should 'anonymous list parent and children when get category by id' do
+    anonymous_setup
+    parent = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+
+    category = fast_create(Category, :environment_id => environment.id)
+    category.parent = parent
+    category.children << child_1
+    category.children << child_2
+    category.save
+
+    get "/api/v1/categories/#{category.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
+    assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
+  end
+
+  should 'anonymous include parent in categories list if params is true' do
+    anonymous_setup
+    parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+
+    parent_2 = fast_create(Category, :environment_id => environment.id)
+    parent_2.parent = parent_1
+    parent_2.children << child_1
+    parent_2.children << child_2
+    parent_2.save
+
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [nil], json['categories'].map { |c| c['parent'] }.uniq
+
+    params[:include_parent] = true
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
+      json["categories"].map { |c| c['parent'] && c['parent']['id'] }
+  end
+
+  should 'anonymous include children in categories list if params is true' do
+    anonymous_setup
+    category = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+    child_3 = fast_create(Category, :environment_id => environment.id)
+
+    category.children << child_1
+    category.children << child_2
+    category.save
+
+    child_1.children << child_3
+    child_1.save
+
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [nil], json['categories'].map { |c| c['children'] }.uniq
+
+    params[:include_children] = true
+    get "/api/v1/categories/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
+      json["categories"].map{ |c| c['children'].map{ |child| child['id'] }.sort  }
+  end
+
+  expose_attributes.each do |attr|
+    should "anonymous expose category #{attr} attribute by default" do
+      anonymous_setup
+      category = fast_create(Category, :environment_id => environment.id)
+      get "/api/v1/categories/?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+     assert json["categories"].last.has_key?(attr)
+    end
+  end
+
+
+
 end
@@ -3,41 +3,44 @@ require_relative &#39;test_helper&#39;
 class CommentsTest < ActiveSupport::TestCase
   def setup
-    login_api
+    @local_person = fast_create(Person)
+    anonymous_setup
   end
+  attr_reader :local_person
-  should 'not list comments if user has no permission to view the source article' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+  should 'logged user not list comments if user has no permission to view the source article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
-  should 'not return comment if user has no permission to view the source article' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
-    comment = article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user not return comment if user has no permission to view the source article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
     assert !article.published?
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     assert_equal 403, last_response.status
   end
-  should 'not comment an article if user has no permission to view it' do
-    person = fast_create(Person)
-    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+  should 'logged user not comment an article if user has no permission to view it' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
-  should 'return comments of an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => user.person)
-    article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user return comments of an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => local_person)
+    article.comments.create!(:body => "another comment", :author => local_person)
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -45,9 +48,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 2, json["comments"].length
   end
-  should 'return comment of an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => user.person)
+  should 'logged user return comment of an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -55,8 +59,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal comment.id, json['comment']['id']
   end
-  should 'comment an article' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+  should 'logged user comment an article' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
@@ -66,7 +71,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal body, json['comment']['body']
   end
-  should 'not comment an archived article' do
+  should 'logged user not comment an archived article' do
+    login_api
     article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing", :archived => true)
     body = 'My comment'
     params.merge!({:body => body})
@@ -75,9 +81,10 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 400, last_response.status
   end
-  should 'comment creation define the source' do
+  should 'logged user comment creation define the source' do
+    login_api
     amount = Comment.count
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
@@ -87,29 +94,6 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_not_nil comment.source
   end
-  should 'paginate comments' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    5.times { article.comments.create!(:body => "some comment", :author => user.person) }
-    params[:per_page] = 3
-
-    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal 200, last_response.status
-    assert_equal 3, json["comments"].length
-  end
-
-  should 'return only root comments' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
-    comment1 = article.comments.create!(:body => "some comment", :author => user.person)
-    comment2 = article.comments.create!(:body => "another comment", :author => user.person, :reply_of_id => comment1.id)
-    params[:without_reply] = true
-
-    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal 200, last_response.status
-    assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
-  end
-
   should 'call plugin hotspot to filter unavailable comments' do
     class Plugin1 < Noosfero::Plugin
       def unavailable_comments(scope)
@@ -119,7 +103,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
     Environment.default.enable_plugin(Plugin1)
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
@@ -128,13 +112,78 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
-  should 'do not return comments marked as spam' do
-    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+  should 'anonymous do not return comments marked as spam' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
-
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
+
+  should 'not, anonymous list comments if has no permission to view the source article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+  
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+  
+  should 'anonymous return comments of an article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => local_person)
+    article.comments.create!(:body => "another comment", :author => local_person)
+  
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal 2, json["comments"].length
+  end
+  
+  should 'anonymous return comment of an article' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => local_person)
+  
+    get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal comment.id, json['comment']['id']
+  end
+
+  should 'not, anonymous comment an article (at least so far...)' do
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    body = 'My comment'
+    name = "John Doe"
+    email = "JohnDoe@gmail.com"
+    params.merge!({:body => body, name: name, email: email})
+    post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
+  should 'logged user paginate comments' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    5.times { article.comments.create!(:body => "some comment", :author => local_person) }
+    params[:per_page] = 3
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal 3, json["comments"].length
+  end
+
+  should 'logged user return only root comments' do
+    login_api
+    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    comment1 = article.comments.create!(:body => "some comment", :author => local_person)
+    comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
+    params[:without_reply] = true
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_equal [comment1.id], json["comments"].map { |c| c['id'] }
+  end
+
 end
@@ -4,10 +4,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   def setup
     Community.delete_all
-    login_api
   end
-  should 'list only communities' do
+  should 'logged user list only communities' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
     get "/api/v1/communities?#{params.to_query}"
@@ -16,7 +16,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_includes json['communities'].map {|c| c['id']}, community.id
   end
-  should 'list all communities' do
+  should 'logged user list all communities' do
+    login_api
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities?#{params.to_query}"
@@ -24,7 +25,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'not list invisible communities' do
+  should 'not, logged user list invisible communities' do
+    login_api
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
@@ -33,16 +35,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
-  should 'not list private communities without permission' do
-    community1 = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'logged user list private communities' do
+      login_api
+      community1 = fast_create(Community, :environment_id => environment.id)
+      community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
-    get "/api/v1/communities?#{params.to_query}"
-    json = JSON.parse(last_response.body)
-    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+      get "/api/v1/communities?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+      assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'list private community for members' do
+  should 'logged user list private community for members' do
+    login_api
     c1 = fast_create(Community, :environment_id => environment.id)
     c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
@@ -52,20 +56,23 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
   end
-  should 'create a community' do
+  should 'logged user create a community' do
+    login_api
     params[:community] = {:name => 'some'}
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 'some', json['community']['name']
   end
-  should 'return 400 status for invalid community creation' do
+  should 'logged user return 400 status for invalid community creation' do
+    login_api
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
-  should 'get community' do
+  should 'logged user get community' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
@@ -73,7 +80,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
-  should 'not get invisible community' do
+  should 'not, logged user get invisible community' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
@@ -81,7 +89,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert json['community'].blank?
   end
-  should 'not get private communities without permission' do
+  should 'not, logged user get private communities without permission' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :public_profile => false)
@@ -90,17 +99,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
-  should 'get private community for members' do
+  should 'logged user get private community for members' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
     community.add_member(person)
-
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
   end
-  should 'list person communities' do
+  should 'logged user list person communities' do
+    login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id)
     community.add_member(person)
@@ -110,7 +120,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
-  should 'not list person communities invisible' do
+  should 'not, logged user list person communities invisible' do
+    login_api
     c1 = fast_create(Community, :environment_id => environment.id)
     c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
@@ -121,7 +132,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
   end
-  should 'list communities with pagination' do
+  should 'logged user list communities with pagination' do
+    login_api
     community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
     community2 = fast_create(Community, :created_at => 2.days.ago)
@@ -143,7 +155,118 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
-  should 'list communities with timestamp' do
+  should 'logged user list communities with timestamp' do
+    login_api
+    community1 = fast_create(Community, :public_profile => true)
+    community2 = fast_create(Community)
+
+    community1.updated_at = Time.now + 3.hours
+    community1.save!
+
+    params[:timestamp] = Time.now + 1.hours
+    get "/api/v1/communities/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_includes json["communities"].map { |a| a["id"] }, community1.id
+    assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
+  end
+
+  should 'anonymous list only communities' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
+    assert_includes json['communities'].map {|c| c['id']}, community.id
+  end
+
+  should 'anonymous list all communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
+    community2 = fast_create(Community, :environment_id => environment.id)
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not, anonymous list invisible communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :visible => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'anonymous list private communities' do
+    anonymous_setup
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not, anonymous create a community' do
+    anonymous_setup
+    params[:community] = {:name => 'some'}
+    post "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
+  should 'anonymous get community' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'not, anonymous get invisible community' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id, :visible => false)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert json['community'].blank?
+  end
+
+  should 'not, anonymous get private communities' do
+    anonymous_setup
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    get "/api/v1/communities/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'anonymous list communities with pagination' do
+    anonymous_setup
+    community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
+    community2 = fast_create(Community, :created_at => 2.days.ago)
+
+    params[:page] = 2
+    params[:per_page] = 1
+    get "/api/v1/communities?#{params.to_query}"
+    json_page_two = JSON.parse(last_response.body)
+
+    params[:page] = 1
+    params[:per_page] = 1
+    get "/api/v1/communities?#{params.to_query}"
+    json_page_one = JSON.parse(last_response.body)
+
+    assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
+    assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
+
+    assert_includes json_page_two["communities"].map { |a| a["id"] }, community2.id
+    assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
+  end
+
+  should 'anonymous list communities with timestamp' do
+    anonymous_setup
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
@@ -157,4 +280,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_includes json["communities"].map { |a| a["id"] }, community1.id
     assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
   end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+    some_community = fast_create(Community)
+    some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_community.save!
+
+    get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['community']['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['community']['additional_data']['Rating']
+  end
+
+  should 'not display private custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+    some_community = fast_create(Community)
+    some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_community.save!
+
+    get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json['community']['additional_data'].has_key?('Rating')
+  end
+
+
 end
@@ -4,10 +4,20 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   def setup
     Enterprise.delete_all
+  end
+
+  should 'logger user list only enterprises' do
     login_api
+    community = fast_create(Community, :environment_id => environment.id) # should not list this community
+    enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json['enterprises'].map {|c| c['id']}, enterprise.id
+    assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
   end
-  should 'list only enterprises' do
+  should 'anonymous list only enterprises' do
+    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id) # should not list this community
     enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -16,7 +26,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_not_includes json['enterprises'].map {|c| c['id']}, community.id
   end
-  should 'list all enterprises' do
+  should 'anonymous list all enterprises' do
+    anonymous_setup
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logger user list all enterprises' do
+    login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -25,6 +45,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not list invisible enterprises' do
+    login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
@@ -33,16 +54,48 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
-  should 'not list private enterprises without permission' do
+  should 'not, anonymous list invisible enterprises' do
+    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
-    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+    fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'not, logger user list invisible enterprises' do
+    login_api
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :visible => false)
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
-  should 'list private enterprise for members' do
+  should 'anonymous list private enterprises' do
+    anonymous_setup
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logged user list private enterprises' do
+    login_api
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+  end
+
+  should 'logged user list private enterprise for members' do
+    login_api
     c1 = fast_create(Enterprise, :environment_id => environment.id)
     c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
@@ -52,7 +105,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id, c2.id], json['enterprises'].map {|c| c['id']}
   end
-  should 'get enterprise' do
+  should 'anonymous get enterprise' do
+    anonymous_setup
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'logged user get enterprise' do
+    login_api
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -60,7 +123,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal enterprise.id, json['enterprise']['id']
   end
-  should 'not get invisible enterprise' do
+  should 'not, logger user get invisible enterprise' do
+    login_api
+    enterprise = fast_create(Enterprise, :visible => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['enterprise'].blank?
+  end
+
+  should 'not, anonymous get invisible enterprise' do
+    anonymous_setup
     enterprise = fast_create(Enterprise, :visible => false)
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -69,6 +142,17 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not get private enterprises without permission' do
+    login_api
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal enterprise.id, json['enterprise']['id']
+  end
+
+  should 'not, anonymous get private enterprises' do
+    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
@@ -78,6 +162,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'get private enterprise for members' do
+    login_api
     enterprise = fast_create(Enterprise, :public_profile => false)
     enterprise.add_member(person)
@@ -87,6 +172,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'list person enterprises' do
+    login_api
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id)
     enterprise.add_member(person)
@@ -97,6 +183,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not list person enterprises invisible' do
+    login_api
     c1 = fast_create(Enterprise, :environment_id => environment.id)
     c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
@@ -107,4 +194,29 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
   end
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+    some_enterprise = fast_create(Enterprise)
+    some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_enterprise.save!
+
+    get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['enterprise']['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
+  end
+
+  should 'not display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+    some_enterprise = fast_create(Enterprise)
+    some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_enterprise.save!
+
+    get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json['enterprise']['additional_data'].has_key?('Rating')
+  end
+
 end
@@ -4,10 +4,10 @@ class PeopleTest &lt; ActiveSupport::TestCase
   def setup
     Person.delete_all
-    login_api
   end
-  should 'list all people' do
+  should 'logged user list all people' do
+    login_api
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
     get "/api/v1/people?#{params.to_query}"
@@ -15,7 +15,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
   end
-  should 'list all members of a community' do
+  should 'anonymous list all people' do
+    anonymous_setup
+    person1 = fast_create(Person, :public_profile => true)
+    person2 = fast_create(Person)
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'logged user list all members of a community' do
+    login_api
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+    community = fast_create(Community)
+    community.add_member(person1)
+    community.add_member(person2)
+
+    get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 2, json["people"].count
+    assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
+  end
+
+  should 'anonymous list all members of a community' do
+    anonymous_setup
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -28,21 +52,40 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
   end
-  should 'not list invisible people' do
+  should 'logged user not list invisible people' do
+    login_api
+    invisible_person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_not_includes json_response_ids(:people), invisible_person.id
+  end
+
+  should 'annoymous not list invisible people' do
+    anonymous_setup
     invisible_person = fast_create(Person, :visible => false)
     get "/api/v1/people?#{params.to_query}"
     assert_not_includes json_response_ids(:people), invisible_person.id
   end
-  should 'not list private people without permission' do
+  should 'logged user list private people' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
     get "/api/v1/people?#{params.to_query}"
-    assert_not_includes json_response_ids(:people), private_person.id
+    assert_includes json_response_ids(:people), private_person.id
   end
-  should 'list private person for friends' do
+  should 'anonymous list private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_includes json_response_ids(:people), private_person.id
+  end
+
+  should 'logged user list private person for friends' do
+    login_api
     p1 = fast_create(Person)
     p2 = fast_create(Person, :public_profile => false)
     person.add_friend(p2)
@@ -52,7 +95,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_includes json_response_ids(:people), p2.id
   end
-  should 'get person' do
+  should 'logged user get person' do
+    login_api
     some_person = fast_create(Person)
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
@@ -60,14 +104,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['person']['id']
   end
-  should 'people endpoint filter by fields parameter' do
+  should 'anonymous get person' do
+    anonymous_setup
+    some_person = fast_create(Person)
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['person']['id']
+  end
+
+
+  should 'people endpoint filter by fields parameter for logged user' do
+    login_api
     get "/api/v1/people?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
     expected = {'people' => [{'name' => person.name}]}
     assert_equal expected, json
   end
-  should 'people endpoint filter by fields parameter with hierarchy' do
+  should 'people endpoint filter by fields parameter with hierarchy for logged user' do
+    login_api
     fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
     get "/api/v1/people?#{params.to_query}&fields=#{fields}"
     json = JSON.parse(last_response.body)
@@ -76,19 +132,22 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'get logged person' do
+    login_api
     get "/api/v1/people/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal person.id, json['person']['id']
   end
-  should 'me endpoint filter by fields parameter' do
+  should 'access me endpoint filter by fields parameter' do
+    login_api
     get "/api/v1/people/me?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
     expected = {'person' => {'name' => person.name}}
     assert_equal expected, json
   end
-  should 'not get invisible person' do
+  should 'logged user not get invisible person' do
+    login_api
     person = fast_create(Person, :visible => false)
     get "/api/v1/people/#{person.id}?#{params.to_query}"
@@ -96,15 +155,35 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert json['person'].blank?
   end
-  should 'not get private people without permission' do
+  should 'anonymous not get invisible person' do
+    anonymous_setup
+    person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person'].blank?
+  end
+
+  should 'get private people' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
     get "/api/v1/people/#{private_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert json['person'].blank?
+    assert_equal json['person']['id'], private_person.id
+  end
+
+  should 'anonymous get private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people/#{private_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['id'], private_person.id
   end
   should 'get private person for friends' do
+    login_api
     private_person = fast_create(Person, :public_profile => false)
     person.add_friend(private_person)
     private_person.add_friend(person)
@@ -115,15 +194,26 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'list person friends' do
+    login_api
     friend = fast_create(Person)
     person.add_friend(friend)
     friend.add_friend(person)
+    get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
+    assert_includes json_response_ids(:people), person.id
+  end
+  should 'anonymous list person friends' do
+    anonymous_setup
+    person = fast_create(Person)
+    friend = fast_create(Person)
+    person.add_friend(friend)
+    friend.add_friend(person)
     get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
     assert_includes json_response_ids(:people), person.id
   end
   should 'not list person invisible friends' do
+    login_api
     friend = fast_create(Person)
     invisible_friend = fast_create(Person, :visible => false)
     person.add_friend(friend)
@@ -138,6 +228,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'create a person' do
+    login_api
     login = 'some'
     params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
     post "/api/v1/people?#{params.to_query}"
@@ -146,6 +237,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'return 400 status for invalid person creation' do
+    login_api
     params[:person] = {:login => 'some'}
     post "/api/v1/people?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -153,6 +245,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'display permissions' do
+    login_api
     community = fast_create(Community)
     community.add_member(fast_create(Person))
     community.add_member(person)
@@ -164,11 +257,13 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'display permissions if self' do
+    login_api
     get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
     assert_equal 200, last_response.status
   end
   should 'display permissions if admin' do
+    login_api
     environment = person.environment
     environment.add_admin(person)
     some_person = fast_create(Person)
@@ -178,6 +273,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'not display permissions if not admin or self' do
+    login_api
     some_person = create_user('some-person').person
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
@@ -185,12 +281,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'not update another person' do
+    login_api
     person = fast_create(Person, :environment_id => environment.id)
     post "/api/v1/people/#{person.id}?#{params.to_query}"
     assert_equal 403, last_response.status
   end
   should 'update yourself' do
+    login_api
     another_name = 'Another Name'
     params[:person] = {}
     params[:person][:name] = another_name
@@ -200,7 +298,33 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal another_name, person.name
   end
-  should 'display public custom fields' do
+  should 'logged user display public custom fields' do
+    login_api
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person']['additional_data'].has_key?('Custom Blog')
+    assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
+  end
+
+  should 'logged user not display non-public custom fields' do
+    login_api
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['additional_data'], {}
+  end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
@@ -212,7 +336,8 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
-  should 'not display non-public custom fields' do
+  should 'not display non-public custom fields to anonymous' do
+    anonymous_setup
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
@@ -223,7 +348,19 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal json['person']['additional_data'], {}
   end
+  should 'hide private fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json["user"].has_key?("permissions")
+    refute json["user"].has_key?("activated")
+  end
+
   should 'display non-public custom fields to friend' do
+    login_api
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
@@ -244,12 +381,14 @@ class PeopleTest &lt; ActiveSupport::TestCase
   PERSON_ATTRIBUTES.map do |attribute|
     define_method "test_should_not_expose_#{attribute}_attribute_in_person_enpoint_if_field_parameter_does_not_contain_the_attribute" do
+      login_api
       get "/api/v1/people/me?#{params.to_query}&fields=name"
       json = JSON.parse(last_response.body)
       assert_nil json['person'][attribute]
     end
     define_method "test_should_expose_#{attribute}_attribute_in_person_enpoints_if_field_parameter_is_passed" do
+      login_api
       get "/api/v1/people/me?#{params.to_query}&fields=#{attribute}"
       json = JSON.parse(last_response.body)
       assert_not_nil json['person'][attribute]
@@ -4,10 +4,10 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   def setup
     Profile.delete_all
-    login_api
   end
-  should 'list all profiles' do
+  should 'logged user list all profiles' do
+    login_api
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -16,14 +16,16 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
   end
-  should 'get person from profile id' do
+  should 'logged user get person from profile id' do
+    login_api
     some_person = fast_create(Person)
     get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal some_person.id, json['id']
   end
-  should 'get community from profile id' do
+  should 'logged user get community from profile id' do
+    login_api
     community = fast_create(Community)
     get "/api/v1/profiles/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -33,6 +35,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   group_kinds = %w(community enterprise)
   group_kinds.each do |kind|
     should "delete #{kind} from profile id with permission" do
+      login_api
       profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       give_permission(@person, 'destroy_profile', profile)
       assert_not_nil Profile.find_by_id profile.id
@@ -44,6 +47,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     end
     should "not delete #{kind} from profile id without permission" do
+      login_api
       profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       assert_not_nil Profile.find_by_id profile.id
@@ -55,12 +59,14 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
   should 'person delete itself' do
+    login_api
     delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
     assert_equal 200, last_response.status
     assert_nil Profile.find_by_id @person.id
   end
   should 'only admin delete other people' do
+    login_api
     profile = fast_create(Person, :environment_id => environment.id)
     assert_not_nil Profile.find_by_id profile.id
@@ -77,4 +83,62 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_nil Profile.find_by_id profile.id
   end
+
+  should 'anonymous user access delete action' do
+    anonymous_setup
+    profile = fast_create(Person, :environment_id => environment.id)
+
+    delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+    assert_equal 401, last_response.status
+    assert_not_nil Profile.find_by_id profile.id
+  end
+
+  should 'anonymous list all profiles' do
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+    community = fast_create(Community)
+    get "/api/v1/profiles"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+  end
+
+  should 'anonymous get person from profile id' do
+    some_person = fast_create(Person)
+    get "/api/v1/profiles/#{some_person.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['id']
+  end
+
+  should 'anonymous get community from profile id' do
+    community = fast_create(Community)
+    get "/api/v1/profiles/#{community.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['id']
+  end
+
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+    some_profile = fast_create(Profile)
+    some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+    some_profile.save!
+
+    get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['additional_data'].has_key?('Rating')
+    assert_equal "Five stars", json['additional_data']['Rating']
+  end
+
+  should 'not display private custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+    some_profile = fast_create(Profile)
+    some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+    some_profile.save!
+
+    get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json.has_key?('Rating')
+  end
+
 end
@@ -24,6 +24,12 @@ class ActiveSupport::TestCase
     @params = {:private_token => @private_token}
   end
+
+  def anonymous_setup
+    @environment = Environment.default
+    @params = {}
+  end
+
   attr_accessor :private_token, :user, :person, :params, :environment
   private
@@ -3,23 +3,22 @@ require_relative &#39;test_helper&#39;
 class UsersTest < ActiveSupport::TestCase
-  def setup
+  should 'logger user list users' do
     login_api
-  end
-
-  should 'list users' do
     get "/api/v1/users/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["users"].map { |a| a["login"] }, user.login
   end
-  should 'get user' do
+  should 'logger user get user info' do
+    login_api
     get "/api/v1/users/#{user.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal user.id, json['user']['id']
   end
-  should 'list user permissions' do
+  should 'logger user list user permissions' do
+    login_api
     community = fast_create(Community)
     community.add_admin(person)
     get "/api/v1/users/#{user.id}/?#{params.to_query}"
@@ -28,25 +27,29 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'get logged user' do
+    login_api
     get "/api/v1/users/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal user.id, json['user']['id']
   end
   should 'not show permissions to logged user' do
+    login_api
     target_person = create_user('some-user').person
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
   end
-  should 'show permissions to self' do
+  should 'logger user show permissions to self' do
+    login_api
     get "/api/v1/users/#{user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("permissions")
   end
   should 'not show permissions to friend' do
+    login_api
     target_person = create_user('some-user').person
     f = Friendship.new
@@ -60,6 +63,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'not show private attribute to logged user' do
+    login_api
     target_person = create_user('some-user').person
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -67,6 +71,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'show private attr to friend' do
+    login_api
     target_person = create_user('some-user').person
     f = Friendship.new
     f.friend = target_person
@@ -79,6 +84,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'show public attribute to logged user' do
+    login_api
     target_person = create_user('some-user').person
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
@@ -89,6 +95,7 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'show public and private field to admin' do
+    login_api
     Environment.default.add_admin(person)
     target_person = create_user('some-user').person
@@ -102,4 +109,26 @@ class UsersTest &lt; ActiveSupport::TestCase
     assert json["user"].has_key?("activated")
   end
+  should 'show public fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.fields_privacy={:email=> 'public'}
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json["user"].has_key?("email")
+  end
+
+  should 'hide private fields to anonymous' do
+    anonymous_setup
+    target_person = create_user('some-user').person
+    target_person.save!
+
+    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    refute json["user"].has_key?("permissions")
+    refute json["user"].has_key?("activated")
+  end
+
 end
@@ -437,7 +437,7 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')
     admin = create_user('adminuser').person
     c.add_admin(admin)
-   
+
     assert c.is_admin?(admin)
   end
@@ -513,4 +513,18 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     assert_includes     env_admin_orgs, o7
   end
+  should 'fetch organizations there are visible for a visitor' do
+    visitor = nil
+    Organization.destroy_all
+    o1 = fast_create(Organization, :public_profile => true , :visible => true )
+    o2 = fast_create(Organization, :public_profile => false, :visible => true )
+    o3 = fast_create(Organization, :public_profile => true , :visible => false)
+    o4 = fast_create(Organization, :public_profile => false, :visible => false)
+    person_orgs    = Organization.visible_for_person(visitor)
+    assert_includes       person_orgs,    o1
+    assert_not_includes   person_orgs,    o2
+    assert_not_includes   person_orgs,    o3
+    assert_not_includes   person_orgs,    o4
+  end
+
 end
@@ -1951,4 +1951,17 @@ class PersonTest &lt; ActiveSupport::TestCase
     person.save!
   end
+  should 'fetch people there are visible for a visitor' do
+    person = nil
+    p1 = fast_create(Person, :public_profile => true , :visible => true)
+    p2 = fast_create(Person, :public_profile => false, :visible => true)
+    p3 = fast_create(Person, :public_profile => true , :visible => false)
+    p4 = fast_create(Person, :public_profile => false, :visible => false)
+    people_visible_by_visitor = Person.visible_for_person(person)
+    assert_includes     people_visible_by_visitor, p1
+    assert_not_includes people_visible_by_visitor, p2
+    assert_not_includes people_visible_by_visitor, p3
+    assert_not_includes people_visible_by_visitor, p4
+  end
+
 end
	@@ -2,7 +2,6 @@ module Noosfero		@@ -2,7 +2,6 @@ module Noosfero
2	module API	2	module API
3	module V1	3	module V1
4	class Categories < Grape::API	4	class Categories < Grape::API
5	- before { authenticate! }
6		5
7	resource :categories do	6	resource :categories do
8		7
	@@ -2,25 +2,25 @@ require_relative 'test_helper'		@@ -2,25 +2,25 @@ require_relative 'test_helper'
2		2
3	class CategoriesTest < ActiveSupport::TestCase	3	class CategoriesTest < ActiveSupport::TestCase
4		4
5	- def setup
6	- login_api
7	- end
8		5
9	- should 'list categories' do	6	+ should 'logged user list categories' do
		7	+ login_api
10	category = fast_create(Category, :environment_id => environment.id)	8	category = fast_create(Category, :environment_id => environment.id)
11	get "/api/v1/categories/?#{params.to_query}"	9	get "/api/v1/categories/?#{params.to_query}"
12	json = JSON.parse(last_response.body)	10	json = JSON.parse(last_response.body)
13	assert_includes json["categories"].map { \|c\| c["name"] }, category.name	11	assert_includes json["categories"].map { \|c\| c["name"] }, category.name
14	end	12	end
15		13
16	- should 'get category by id' do	14	+ should 'logged user get category by id' do
		15	+ login_api
17	category = fast_create(Category, :environment_id => environment.id)	16	category = fast_create(Category, :environment_id => environment.id)
18	get "/api/v1/categories/#{category.id}/?#{params.to_query}"	17	get "/api/v1/categories/#{category.id}/?#{params.to_query}"
19	json = JSON.parse(last_response.body)	18	json = JSON.parse(last_response.body)
20	assert_equal category.name, json["category"]["name"]	19	assert_equal category.name, json["category"]["name"]
21	end	20	end
22		21
23	- should 'list parent and children when get category by id' do	22	+ should 'logged user list parent and children when get category by id' do
		23	+ login_api
24	parent = fast_create(Category, :environment_id => environment.id)	24	parent = fast_create(Category, :environment_id => environment.id)
25	child_1 = fast_create(Category, :environment_id => environment.id)	25	child_1 = fast_create(Category, :environment_id => environment.id)
26	child_2 = fast_create(Category, :environment_id => environment.id)	26	child_2 = fast_create(Category, :environment_id => environment.id)
	@@ -37,7 +37,8 @@ class CategoriesTest < ActiveSupport::TestCase		@@ -37,7 +37,8 @@ class CategoriesTest < ActiveSupport::TestCase
37	assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { \|c\| c['id'] }	37	assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { \|c\| c['id'] }
38	end	38	end
39		39
40	- should 'include parent in categories list if params is true' do	40	+ should 'logged user include parent in categories list if params is true' do
		41	+ login_api
41	parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category	42	parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
42	child_1 = fast_create(Category, :environment_id => environment.id)	43	child_1 = fast_create(Category, :environment_id => environment.id)
43	child_2 = fast_create(Category, :environment_id => environment.id)	44	child_2 = fast_create(Category, :environment_id => environment.id)
	@@ -59,7 +60,8 @@ class CategoriesTest < ActiveSupport::TestCase		@@ -59,7 +60,8 @@ class CategoriesTest < ActiveSupport::TestCase
59	json["categories"].map { \|c\| c['parent'] && c['parent']['id'] }	60	json["categories"].map { \|c\| c['parent'] && c['parent']['id'] }
60	end	61	end
61		62
62	- should 'include children in categories list if params is true' do	63	+ should 'logged user include children in categories list if params is true' do
		64	+ login_api
63	category = fast_create(Category, :environment_id => environment.id)	65	category = fast_create(Category, :environment_id => environment.id)
64	child_1 = fast_create(Category, :environment_id => environment.id)	66	child_1 = fast_create(Category, :environment_id => environment.id)
65	child_2 = fast_create(Category, :environment_id => environment.id)	67	child_2 = fast_create(Category, :environment_id => environment.id)
	@@ -86,7 +88,8 @@ class CategoriesTest < ActiveSupport::TestCase		@@ -86,7 +88,8 @@ class CategoriesTest < ActiveSupport::TestCase
86	expose_attributes = %w(id name full_name image display_color)	88	expose_attributes = %w(id name full_name image display_color)
87		89
88	expose_attributes.each do \|attr\|	90	expose_attributes.each do \|attr\|
89	- should "expose category #{attr} attribute by default" do	91	+ should "logged user expose category #{attr} attribute by default" do
		92	+ login_api
90	category = fast_create(Category, :environment_id => environment.id)	93	category = fast_create(Category, :environment_id => environment.id)
91	get "/api/v1/categories/?#{params.to_query}"	94	get "/api/v1/categories/?#{params.to_query}"
92	json = JSON.parse(last_response.body)	95	json = JSON.parse(last_response.body)
	@@ -94,4 +97,98 @@ class CategoriesTest < ActiveSupport::TestCase		@@ -94,4 +97,98 @@ class CategoriesTest < ActiveSupport::TestCase
94	end	97	end
95	end	98	end
96		99
		100	+ should 'anonymous list categories' do
		101	+ anonymous_setup
		102	+ category = fast_create(Category, :environment_id => environment.id)
		103	+ get "/api/v1/categories/?#{params.to_query}"
		104	+ json = JSON.parse(last_response.body)
		105	+ assert_includes json["categories"].map { \|c\| c["name"] }, category.name
		106	+ end
		107	+
		108	+ should 'anonymous get category by id' do
		109	+ anonymous_setup
		110	+ category = fast_create(Category, :environment_id => environment.id)
		111	+ get "/api/v1/categories/#{category.id}/?#{params.to_query}"
		112	+ json = JSON.parse(last_response.body)
		113	+ assert_equal category.name, json["category"]["name"]
		114	+ end
		115	+
		116	+ should 'anonymous list parent and children when get category by id' do
		117	+ anonymous_setup
		118	+ parent = fast_create(Category, :environment_id => environment.id)
		119	+ child_1 = fast_create(Category, :environment_id => environment.id)
		120	+ child_2 = fast_create(Category, :environment_id => environment.id)
		121	+
		122	+ category = fast_create(Category, :environment_id => environment.id)
		123	+ category.parent = parent
		124	+ category.children << child_1
		125	+ category.children << child_2
		126	+ category.save
		127	+
		128	+ get "/api/v1/categories/#{category.id}/?#{params.to_query}"
		129	+ json = JSON.parse(last_response.body)
		130	+ assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
		131	+ assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { \|c\| c['id'] }
		132	+ end
		133	+
		134	+ should 'anonymous include parent in categories list if params is true' do
		135	+ anonymous_setup
		136	+ parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
		137	+ child_1 = fast_create(Category, :environment_id => environment.id)
		138	+ child_2 = fast_create(Category, :environment_id => environment.id)
		139	+
		140	+ parent_2 = fast_create(Category, :environment_id => environment.id)
		141	+ parent_2.parent = parent_1
		142	+ parent_2.children << child_1
		143	+ parent_2.children << child_2
		144	+ parent_2.save
		145	+
		146	+ get "/api/v1/categories/?#{params.to_query}"
		147	+ json = JSON.parse(last_response.body)
		148	+ assert_equal [nil], json['categories'].map { \|c\| c['parent'] }.uniq
		149	+
		150	+ params[:include_parent] = true
		151	+ get "/api/v1/categories/?#{params.to_query}"
		152	+ json = JSON.parse(last_response.body)
		153	+ assert_equivalent [parent_1.parent, parent_2.parent.id, child_1.parent.id, child_2.parent.id],
		154	+ json["categories"].map { \|c\| c['parent'] && c['parent']['id'] }
		155	+ end
		156	+
		157	+ should 'anonymous include children in categories list if params is true' do
		158	+ anonymous_setup
		159	+ category = fast_create(Category, :environment_id => environment.id)
		160	+ child_1 = fast_create(Category, :environment_id => environment.id)
		161	+ child_2 = fast_create(Category, :environment_id => environment.id)
		162	+ child_3 = fast_create(Category, :environment_id => environment.id)
		163	+
		164	+ category.children << child_1
		165	+ category.children << child_2
		166	+ category.save
		167	+
		168	+ child_1.children << child_3
		169	+ child_1.save
		170	+
		171	+ get "/api/v1/categories/?#{params.to_query}"
		172	+ json = JSON.parse(last_response.body)
		173	+ assert_equal [nil], json['categories'].map { \|c\| c['children'] }.uniq
		174	+
		175	+ params[:include_children] = true
		176	+ get "/api/v1/categories/?#{params.to_query}"
		177	+ json = JSON.parse(last_response.body)
		178	+ assert_equivalent [category.children.map(&:id).sort, child_1.children.map(&:id).sort, child_2.children.map(&:id).sort, child_3.children.map(&:id).sort],
		179	+ json["categories"].map{ \|c\| c['children'].map{ \|child\| child['id'] }.sort }
		180	+ end
		181	+
		182	+ expose_attributes.each do \|attr\|
		183	+ should "anonymous expose category #{attr} attribute by default" do
		184	+ anonymous_setup
		185	+ category = fast_create(Category, :environment_id => environment.id)
		186	+ get "/api/v1/categories/?#{params.to_query}"
		187	+ json = JSON.parse(last_response.body)
		188	+ assert json["categories"].last.has_key?(attr)
		189	+ end
		190	+ end
		191	+
		192	+
		193	+
97	end	194	end
	@@ -4,10 +4,10 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -4,10 +4,10 @@ class CommunitiesTest < ActiveSupport::TestCase
4		4
5	def setup	5	def setup
6	Community.delete_all	6	Community.delete_all
7	- login_api
8	end	7	end
9		8
10	- should 'list only communities' do	9	+ should 'logged user list only communities' do
		10	+ login_api
11	community = fast_create(Community, :environment_id => environment.id)	11	community = fast_create(Community, :environment_id => environment.id)
12	enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise	12	enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
13	get "/api/v1/communities?#{params.to_query}"	13	get "/api/v1/communities?#{params.to_query}"
	@@ -16,7 +16,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -16,7 +16,8 @@ class CommunitiesTest < ActiveSupport::TestCase
16	assert_includes json['communities'].map {\|c\| c['id']}, community.id	16	assert_includes json['communities'].map {\|c\| c['id']}, community.id
17	end	17	end
18		18
19	- should 'list all communities' do	19	+ should 'logged user list all communities' do
		20	+ login_api
20	community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)	21	community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
21	community2 = fast_create(Community, :environment_id => environment.id)	22	community2 = fast_create(Community, :environment_id => environment.id)
22	get "/api/v1/communities?#{params.to_query}"	23	get "/api/v1/communities?#{params.to_query}"
	@@ -24,7 +25,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -24,7 +25,8 @@ class CommunitiesTest < ActiveSupport::TestCase
24	assert_equivalent [community1.id, community2.id], json['communities'].map {\|c\| c['id']}	25	assert_equivalent [community1.id, community2.id], json['communities'].map {\|c\| c['id']}
25	end	26	end
26		27
27	- should 'not list invisible communities' do	28	+ should 'not, logged user list invisible communities' do
		29	+ login_api
28	community1 = fast_create(Community, :environment_id => environment.id)	30	community1 = fast_create(Community, :environment_id => environment.id)
29	fast_create(Community, :environment_id => environment.id, :visible => false)	31	fast_create(Community, :environment_id => environment.id, :visible => false)
30		32
	@@ -33,16 +35,18 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -33,16 +35,18 @@ class CommunitiesTest < ActiveSupport::TestCase
33	assert_equal [community1.id], json['communities'].map {\|c\| c['id']}	35	assert_equal [community1.id], json['communities'].map {\|c\| c['id']}
34	end	36	end
35		37
36	- should 'not list private communities without permission' do
37	- community1 = fast_create(Community, :environment_id => environment.id)
38	- fast_create(Community, :environment_id => environment.id, :public_profile => false)	38	+ should 'logged user list private communities' do
		39	+ login_api
		40	+ community1 = fast_create(Community, :environment_id => environment.id)
		41	+ community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
39		42
40	- get "/api/v1/communities?#{params.to_query}"
41	- json = JSON.parse(last_response.body)
42	- assert_equal [community1.id], json['communities'].map {\|c\| c['id']}	43	+ get "/api/v1/communities?#{params.to_query}"
		44	+ json = JSON.parse(last_response.body)
		45	+ assert_equivalent [community1.id, community2.id], json['communities'].map {\|c\| c['id']}
43	end	46	end
44		47
45	- should 'list private community for members' do	48	+ should 'logged user list private community for members' do
		49	+ login_api
46	c1 = fast_create(Community, :environment_id => environment.id)	50	c1 = fast_create(Community, :environment_id => environment.id)
47	c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)	51	c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
48	c2.add_member(person)	52	c2.add_member(person)
	@@ -52,20 +56,23 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -52,20 +56,23 @@ class CommunitiesTest < ActiveSupport::TestCase
52	assert_equivalent [c1.id, c2.id], json['communities'].map {\|c\| c['id']}	56	assert_equivalent [c1.id, c2.id], json['communities'].map {\|c\| c['id']}
53	end	57	end
54		58
55	- should 'create a community' do	59	+ should 'logged user create a community' do
		60	+ login_api
56	params[:community] = {:name => 'some'}	61	params[:community] = {:name => 'some'}
57	post "/api/v1/communities?#{params.to_query}"	62	post "/api/v1/communities?#{params.to_query}"
58	json = JSON.parse(last_response.body)	63	json = JSON.parse(last_response.body)
59	assert_equal 'some', json['community']['name']	64	assert_equal 'some', json['community']['name']
60	end	65	end
61		66
62	- should 'return 400 status for invalid community creation' do	67	+ should 'logged user return 400 status for invalid community creation' do
		68	+ login_api
63	post "/api/v1/communities?#{params.to_query}"	69	post "/api/v1/communities?#{params.to_query}"
64	json = JSON.parse(last_response.body)	70	json = JSON.parse(last_response.body)
65	assert_equal 400, last_response.status	71	assert_equal 400, last_response.status
66	end	72	end
67		73
68	- should 'get community' do	74	+ should 'logged user get community' do
		75	+ login_api
69	community = fast_create(Community, :environment_id => environment.id)	76	community = fast_create(Community, :environment_id => environment.id)
70		77
71	get "/api/v1/communities/#{community.id}?#{params.to_query}"	78	get "/api/v1/communities/#{community.id}?#{params.to_query}"
	@@ -73,7 +80,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -73,7 +80,8 @@ class CommunitiesTest < ActiveSupport::TestCase
73	assert_equal community.id, json['community']['id']	80	assert_equal community.id, json['community']['id']
74	end	81	end
75		82
76	- should 'not get invisible community' do	83	+ should 'not, logged user get invisible community' do
		84	+ login_api
77	community = fast_create(Community, :environment_id => environment.id, :visible => false)	85	community = fast_create(Community, :environment_id => environment.id, :visible => false)
78		86
79	get "/api/v1/communities/#{community.id}?#{params.to_query}"	87	get "/api/v1/communities/#{community.id}?#{params.to_query}"
	@@ -81,7 +89,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -81,7 +89,8 @@ class CommunitiesTest < ActiveSupport::TestCase
81	assert json['community'].blank?	89	assert json['community'].blank?
82	end	90	end
83		91
84	- should 'not get private communities without permission' do	92	+ should 'not, logged user get private communities without permission' do
		93	+ login_api
85	community = fast_create(Community, :environment_id => environment.id)	94	community = fast_create(Community, :environment_id => environment.id)
86	fast_create(Community, :environment_id => environment.id, :public_profile => false)	95	fast_create(Community, :environment_id => environment.id, :public_profile => false)
87		96
	@@ -90,17 +99,18 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -90,17 +99,18 @@ class CommunitiesTest < ActiveSupport::TestCase
90	assert_equal community.id, json['community']['id']	99	assert_equal community.id, json['community']['id']
91	end	100	end
92		101
93	- should 'get private community for members' do	102	+ should 'logged user get private community for members' do
		103	+ login_api
94	community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)	104	community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
95	community.add_member(person)	105	community.add_member(person)
96		106
97	-
98	get "/api/v1/communities/#{community.id}?#{params.to_query}"	107	get "/api/v1/communities/#{community.id}?#{params.to_query}"
99	json = JSON.parse(last_response.body)	108	json = JSON.parse(last_response.body)
100	assert_equal community.id, json['community']['id']	109	assert_equal community.id, json['community']['id']
101	end	110	end
102		111
103	- should 'list person communities' do	112	+ should 'logged user list person communities' do
		113	+ login_api
104	community = fast_create(Community, :environment_id => environment.id)	114	community = fast_create(Community, :environment_id => environment.id)
105	fast_create(Community, :environment_id => environment.id)	115	fast_create(Community, :environment_id => environment.id)
106	community.add_member(person)	116	community.add_member(person)
	@@ -110,7 +120,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -110,7 +120,8 @@ class CommunitiesTest < ActiveSupport::TestCase
110	assert_equivalent [community.id], json['communities'].map {\|c\| c['id']}	120	assert_equivalent [community.id], json['communities'].map {\|c\| c['id']}
111	end	121	end
112		122
113	- should 'not list person communities invisible' do	123	+ should 'not, logged user list person communities invisible' do
		124	+ login_api
114	c1 = fast_create(Community, :environment_id => environment.id)	125	c1 = fast_create(Community, :environment_id => environment.id)
115	c2 = fast_create(Community, :environment_id => environment.id, :visible => false)	126	c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
116	c1.add_member(person)	127	c1.add_member(person)
	@@ -121,7 +132,8 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -121,7 +132,8 @@ class CommunitiesTest < ActiveSupport::TestCase
121	assert_equivalent [c1.id], json['communities'].map {\|c\| c['id']}	132	assert_equivalent [c1.id], json['communities'].map {\|c\| c['id']}
122	end	133	end
123		134
124	- should 'list communities with pagination' do	135	+ should 'logged user list communities with pagination' do
		136	+ login_api
125	community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)	137	community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
126	community2 = fast_create(Community, :created_at => 2.days.ago)	138	community2 = fast_create(Community, :created_at => 2.days.ago)
127		139
	@@ -143,7 +155,118 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -143,7 +155,118 @@ class CommunitiesTest < ActiveSupport::TestCase
143	assert_not_includes json_page_two["communities"].map { \|a\| a["id"] }, community1.id	155	assert_not_includes json_page_two["communities"].map { \|a\| a["id"] }, community1.id
144	end	156	end
145		157
146	- should 'list communities with timestamp' do	158	+ should 'logged user list communities with timestamp' do
		159	+ login_api
		160	+ community1 = fast_create(Community, :public_profile => true)
		161	+ community2 = fast_create(Community)
		162	+
		163	+ community1.updated_at = Time.now + 3.hours
		164	+ community1.save!
		165	+
		166	+ params[:timestamp] = Time.now + 1.hours
		167	+ get "/api/v1/communities/?#{params.to_query}"
		168	+ json = JSON.parse(last_response.body)
		169	+
		170	+ assert_includes json["communities"].map { \|a\| a["id"] }, community1.id
		171	+ assert_not_includes json["communities"].map { \|a\| a["id"] }, community2.id
		172	+ end
		173	+
		174	+ should 'anonymous list only communities' do
		175	+ anonymous_setup
		176	+ community = fast_create(Community, :environment_id => environment.id)
		177	+ enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
		178	+ get "/api/v1/communities?#{params.to_query}"
		179	+ json = JSON.parse(last_response.body)
		180	+ assert_not_includes json['communities'].map {\|c\| c['id']}, enterprise.id
		181	+ assert_includes json['communities'].map {\|c\| c['id']}, community.id
		182	+ end
		183	+
		184	+ should 'anonymous list all communities' do
		185	+ anonymous_setup
		186	+ community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
		187	+ community2 = fast_create(Community, :environment_id => environment.id)
		188	+ get "/api/v1/communities?#{params.to_query}"
		189	+ json = JSON.parse(last_response.body)
		190	+ assert_equivalent [community1.id, community2.id], json['communities'].map {\|c\| c['id']}
		191	+ end
		192	+
		193	+ should 'not, anonymous list invisible communities' do
		194	+ anonymous_setup
		195	+ community1 = fast_create(Community, :environment_id => environment.id)
		196	+ fast_create(Community, :environment_id => environment.id, :visible => false)
		197	+
		198	+ get "/api/v1/communities?#{params.to_query}"
		199	+ json = JSON.parse(last_response.body)
		200	+ assert_equal [community1.id], json['communities'].map {\|c\| c['id']}
		201	+ end
		202	+
		203	+ should 'anonymous list private communities' do
		204	+ anonymous_setup
		205	+ community1 = fast_create(Community, :environment_id => environment.id)
		206	+ community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
		207	+
		208	+ get "/api/v1/communities?#{params.to_query}"
		209	+ json = JSON.parse(last_response.body)
		210	+ assert_equivalent [community1.id, community2.id], json['communities'].map {\|c\| c['id']}
		211	+ end
		212	+
		213	+ should 'not, anonymous create a community' do
		214	+ anonymous_setup
		215	+ params[:community] = {:name => 'some'}
		216	+ post "/api/v1/communities?#{params.to_query}"
		217	+ json = JSON.parse(last_response.body)
		218	+ assert_equal 401, last_response.status
		219	+ end
		220	+
		221	+ should 'anonymous get community' do
		222	+ anonymous_setup
		223	+ community = fast_create(Community, :environment_id => environment.id)
		224	+ get "/api/v1/communities/#{community.id}"
		225	+ json = JSON.parse(last_response.body)
		226	+ assert_equal community.id, json['community']['id']
		227	+ end
		228	+
		229	+ should 'not, anonymous get invisible community' do
		230	+ anonymous_setup
		231	+ community = fast_create(Community, :environment_id => environment.id, :visible => false)
		232	+ get "/api/v1/communities/#{community.id}"
		233	+ json = JSON.parse(last_response.body)
		234	+ assert json['community'].blank?
		235	+ end
		236	+
		237	+ should 'not, anonymous get private communities' do
		238	+ anonymous_setup
		239	+ community = fast_create(Community, :environment_id => environment.id)
		240	+ fast_create(Community, :environment_id => environment.id, :public_profile => false)
		241	+ get "/api/v1/communities/#{community.id}"
		242	+ json = JSON.parse(last_response.body)
		243	+ assert_equal community.id, json['community']['id']
		244	+ end
		245	+
		246	+ should 'anonymous list communities with pagination' do
		247	+ anonymous_setup
		248	+ community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
		249	+ community2 = fast_create(Community, :created_at => 2.days.ago)
		250	+
		251	+ params[:page] = 2
		252	+ params[:per_page] = 1
		253	+ get "/api/v1/communities?#{params.to_query}"
		254	+ json_page_two = JSON.parse(last_response.body)
		255	+
		256	+ params[:page] = 1
		257	+ params[:per_page] = 1
		258	+ get "/api/v1/communities?#{params.to_query}"
		259	+ json_page_one = JSON.parse(last_response.body)
		260	+
		261	+ assert_includes json_page_one["communities"].map { \|a\| a["id"] }, community1.id
		262	+ assert_not_includes json_page_one["communities"].map { \|a\| a["id"] }, community2.id
		263	+
		264	+ assert_includes json_page_two["communities"].map { \|a\| a["id"] }, community2.id
		265	+ assert_not_includes json_page_two["communities"].map { \|a\| a["id"] }, community1.id
		266	+ end
		267	+
		268	+ should 'anonymous list communities with timestamp' do
		269	+ anonymous_setup
147	community1 = fast_create(Community, :public_profile => true)	270	community1 = fast_create(Community, :public_profile => true)
148	community2 = fast_create(Community)	271	community2 = fast_create(Community)
149		272
	@@ -157,4 +280,31 @@ class CommunitiesTest < ActiveSupport::TestCase		@@ -157,4 +280,31 @@ class CommunitiesTest < ActiveSupport::TestCase
157	assert_includes json["communities"].map { \|a\| a["id"] }, community1.id	280	assert_includes json["communities"].map { \|a\| a["id"] }, community1.id
158	assert_not_includes json["communities"].map { \|a\| a["id"] }, community2.id	281	assert_not_includes json["communities"].map { \|a\| a["id"] }, community2.id
159	end	282	end
		283	+
		284	+ should 'display public custom fields to anonymous' do
		285	+ anonymous_setup
		286	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
		287	+ some_community = fast_create(Community)
		288	+ some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
		289	+ some_community.save!
		290	+
		291	+ get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
		292	+ json = JSON.parse(last_response.body)
		293	+ assert json['community']['additional_data'].has_key?('Rating')
		294	+ assert_equal "Five stars", json['community']['additional_data']['Rating']
		295	+ end
		296	+
		297	+ should 'not display private custom fields to anonymous' do
		298	+ anonymous_setup
		299	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
		300	+ some_community = fast_create(Community)
		301	+ some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
		302	+ some_community.save!
		303	+
		304	+ get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
		305	+ json = JSON.parse(last_response.body)
		306	+ refute json['community']['additional_data'].has_key?('Rating')
		307	+ end
		308	+
		309	+
160	end	310	end
	@@ -4,10 +4,20 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -4,10 +4,20 @@ class EnterprisesTest < ActiveSupport::TestCase
4		4
5	def setup	5	def setup
6	Enterprise.delete_all	6	Enterprise.delete_all
		7	+ end
		8	+
		9	+ should 'logger user list only enterprises' do
7	login_api	10	login_api
		11	+ community = fast_create(Community, :environment_id => environment.id) # should not list this community
		12	+ enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
		13	+ get "/api/v1/enterprises?#{params.to_query}"
		14	+ json = JSON.parse(last_response.body)
		15	+ assert_includes json['enterprises'].map {\|c\| c['id']}, enterprise.id
		16	+ assert_not_includes json['enterprises'].map {\|c\| c['id']}, community.id
8	end	17	end
9		18
10	- should 'list only enterprises' do	19	+ should 'anonymous list only enterprises' do
		20	+ anonymous_setup
11	community = fast_create(Community, :environment_id => environment.id) # should not list this community	21	community = fast_create(Community, :environment_id => environment.id) # should not list this community
12	enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)	22	enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
13	get "/api/v1/enterprises?#{params.to_query}"	23	get "/api/v1/enterprises?#{params.to_query}"
	@@ -16,7 +26,17 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -16,7 +26,17 @@ class EnterprisesTest < ActiveSupport::TestCase
16	assert_not_includes json['enterprises'].map {\|c\| c['id']}, community.id	26	assert_not_includes json['enterprises'].map {\|c\| c['id']}, community.id
17	end	27	end
18		28
19	- should 'list all enterprises' do	29	+ should 'anonymous list all enterprises' do
		30	+ anonymous_setup
		31	+ enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
		32	+ enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
		33	+ get "/api/v1/enterprises?#{params.to_query}"
		34	+ json = JSON.parse(last_response.body)
		35	+ assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {\|c\| c['id']}
		36	+ end
		37	+
		38	+ should 'logger user list all enterprises' do
		39	+ login_api
20	enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)	40	enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
21	enterprise2 = fast_create(Enterprise, :environment_id => environment.id)	41	enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
22	get "/api/v1/enterprises?#{params.to_query}"	42	get "/api/v1/enterprises?#{params.to_query}"
	@@ -25,6 +45,7 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -25,6 +45,7 @@ class EnterprisesTest < ActiveSupport::TestCase
25	end	45	end
26		46
27	should 'not list invisible enterprises' do	47	should 'not list invisible enterprises' do
		48	+ login_api
28	enterprise1 = fast_create(Enterprise, :environment_id => environment.id)	49	enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
29	fast_create(Enterprise, :visible => false)	50	fast_create(Enterprise, :visible => false)
30		51
	@@ -33,16 +54,48 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -33,16 +54,48 @@ class EnterprisesTest < ActiveSupport::TestCase
33	assert_equal [enterprise1.id], json['enterprises'].map {\|c\| c['id']}	54	assert_equal [enterprise1.id], json['enterprises'].map {\|c\| c['id']}
34	end	55	end
35		56
36	- should 'not list private enterprises without permission' do	57	+ should 'not, anonymous list invisible enterprises' do
		58	+ anonymous_setup
37	enterprise1 = fast_create(Enterprise, :environment_id => environment.id)	59	enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
38	- fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)	60	+ fast_create(Enterprise, :visible => false)
		61	+
		62	+ get "/api/v1/enterprises?#{params.to_query}"
		63	+ json = JSON.parse(last_response.body)
		64	+ assert_equal [enterprise1.id], json['enterprises'].map {\|c\| c['id']}
		65	+ end
		66	+
		67	+ should 'not, logger user list invisible enterprises' do
		68	+ login_api
		69	+ enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
		70	+ fast_create(Enterprise, :visible => false)
39		71
40	get "/api/v1/enterprises?#{params.to_query}"	72	get "/api/v1/enterprises?#{params.to_query}"
41	json = JSON.parse(last_response.body)	73	json = JSON.parse(last_response.body)
42	assert_equal [enterprise1.id], json['enterprises'].map {\|c\| c['id']}	74	assert_equal [enterprise1.id], json['enterprises'].map {\|c\| c['id']}
43	end	75	end
44		76
45	- should 'list private enterprise for members' do	77	+ should 'anonymous list private enterprises' do
		78	+ anonymous_setup
		79	+ enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
		80	+ enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
		81	+
		82	+ get "/api/v1/enterprises?#{params.to_query}"
		83	+ json = JSON.parse(last_response.body)
		84	+ assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {\|c\| c['id']}
		85	+ end
		86	+
		87	+ should 'logged user list private enterprises' do
		88	+ login_api
		89	+ enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
		90	+ enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
		91	+
		92	+ get "/api/v1/enterprises?#{params.to_query}"
		93	+ json = JSON.parse(last_response.body)
		94	+ assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {\|c\| c['id']}
		95	+ end
		96	+
		97	+ should 'logged user list private enterprise for members' do
		98	+ login_api
46	c1 = fast_create(Enterprise, :environment_id => environment.id)	99	c1 = fast_create(Enterprise, :environment_id => environment.id)
47	c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)	100	c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
48	c2.add_member(person)	101	c2.add_member(person)
	@@ -52,7 +105,17 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -52,7 +105,17 @@ class EnterprisesTest < ActiveSupport::TestCase
52	assert_equivalent [c1.id, c2.id], json['enterprises'].map {\|c\| c['id']}	105	assert_equivalent [c1.id, c2.id], json['enterprises'].map {\|c\| c['id']}
53	end	106	end
54		107
55	- should 'get enterprise' do	108	+ should 'anonymous get enterprise' do
		109	+ anonymous_setup
		110	+ enterprise = fast_create(Enterprise, :environment_id => environment.id)
		111	+
		112	+ get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
		113	+ json = JSON.parse(last_response.body)
		114	+ assert_equal enterprise.id, json['enterprise']['id']
		115	+ end
		116	+
		117	+ should 'logged user get enterprise' do
		118	+ login_api
56	enterprise = fast_create(Enterprise, :environment_id => environment.id)	119	enterprise = fast_create(Enterprise, :environment_id => environment.id)
57		120
58	get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"	121	get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
	@@ -60,7 +123,17 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -60,7 +123,17 @@ class EnterprisesTest < ActiveSupport::TestCase
60	assert_equal enterprise.id, json['enterprise']['id']	123	assert_equal enterprise.id, json['enterprise']['id']
61	end	124	end
62		125
63	- should 'not get invisible enterprise' do	126	+ should 'not, logger user get invisible enterprise' do
		127	+ login_api
		128	+ enterprise = fast_create(Enterprise, :visible => false)
		129	+
		130	+ get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
		131	+ json = JSON.parse(last_response.body)
		132	+ assert json['enterprise'].blank?
		133	+ end
		134	+
		135	+ should 'not, anonymous get invisible enterprise' do
		136	+ anonymous_setup
64	enterprise = fast_create(Enterprise, :visible => false)	137	enterprise = fast_create(Enterprise, :visible => false)
65		138
66	get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"	139	get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
	@@ -69,6 +142,17 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -69,6 +142,17 @@ class EnterprisesTest < ActiveSupport::TestCase
69	end	142	end
70		143
71	should 'not get private enterprises without permission' do	144	should 'not get private enterprises without permission' do
		145	+ login_api
		146	+ enterprise = fast_create(Enterprise, :environment_id => environment.id)
		147	+ fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
		148	+
		149	+ get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
		150	+ json = JSON.parse(last_response.body)
		151	+ assert_equal enterprise.id, json['enterprise']['id']
		152	+ end
		153	+
		154	+ should 'not, anonymous get private enterprises' do
		155	+ anonymous_setup
72	enterprise = fast_create(Enterprise, :environment_id => environment.id)	156	enterprise = fast_create(Enterprise, :environment_id => environment.id)
73	fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)	157	fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
74		158
	@@ -78,6 +162,7 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -78,6 +162,7 @@ class EnterprisesTest < ActiveSupport::TestCase
78	end	162	end
79		163
80	should 'get private enterprise for members' do	164	should 'get private enterprise for members' do
		165	+ login_api
81	enterprise = fast_create(Enterprise, :public_profile => false)	166	enterprise = fast_create(Enterprise, :public_profile => false)
82	enterprise.add_member(person)	167	enterprise.add_member(person)
83		168
	@@ -87,6 +172,7 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -87,6 +172,7 @@ class EnterprisesTest < ActiveSupport::TestCase
87	end	172	end
88		173
89	should 'list person enterprises' do	174	should 'list person enterprises' do
		175	+ login_api
90	enterprise = fast_create(Enterprise, :environment_id => environment.id)	176	enterprise = fast_create(Enterprise, :environment_id => environment.id)
91	fast_create(Enterprise, :environment_id => environment.id)	177	fast_create(Enterprise, :environment_id => environment.id)
92	enterprise.add_member(person)	178	enterprise.add_member(person)
	@@ -97,6 +183,7 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -97,6 +183,7 @@ class EnterprisesTest < ActiveSupport::TestCase
97	end	183	end
98		184
99	should 'not list person enterprises invisible' do	185	should 'not list person enterprises invisible' do
		186	+ login_api
100	c1 = fast_create(Enterprise, :environment_id => environment.id)	187	c1 = fast_create(Enterprise, :environment_id => environment.id)
101	c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)	188	c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
102	c1.add_member(person)	189	c1.add_member(person)
	@@ -107,4 +194,29 @@ class EnterprisesTest < ActiveSupport::TestCase		@@ -107,4 +194,29 @@ class EnterprisesTest < ActiveSupport::TestCase
107	assert_equivalent [c1.id], json['enterprises'].map {\|c\| c['id']}	194	assert_equivalent [c1.id], json['enterprises'].map {\|c\| c['id']}
108	end	195	end
109		196
		197	+ should 'display public custom fields to anonymous' do
		198	+ anonymous_setup
		199	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
		200	+ some_enterprise = fast_create(Enterprise)
		201	+ some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
		202	+ some_enterprise.save!
		203	+
		204	+ get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
		205	+ json = JSON.parse(last_response.body)
		206	+ assert json['enterprise']['additional_data'].has_key?('Rating')
		207	+ assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
		208	+ end
		209	+
		210	+ should 'not display public custom fields to anonymous' do
		211	+ anonymous_setup
		212	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
		213	+ some_enterprise = fast_create(Enterprise)
		214	+ some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
		215	+ some_enterprise.save!
		216	+
		217	+ get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
		218	+ json = JSON.parse(last_response.body)
		219	+ refute json['enterprise']['additional_data'].has_key?('Rating')
		220	+ end
		221	+
110	end	222	end
	@@ -4,10 +4,10 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -4,10 +4,10 @@ class ProfilesTest < ActiveSupport::TestCase
4		4
5	def setup	5	def setup
6	Profile.delete_all	6	Profile.delete_all
7	- login_api
8	end	7	end
9		8
10	- should 'list all profiles' do	9	+ should 'logged user list all profiles' do
		10	+ login_api
11	person1 = fast_create(Person)	11	person1 = fast_create(Person)
12	person2 = fast_create(Person)	12	person2 = fast_create(Person)
13	community = fast_create(Community)	13	community = fast_create(Community)
	@@ -16,14 +16,16 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -16,14 +16,16 @@ class ProfilesTest < ActiveSupport::TestCase
16	assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {\|p\| p['id']}	16	assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {\|p\| p['id']}
17	end	17	end
18		18
19	- should 'get person from profile id' do	19	+ should 'logged user get person from profile id' do
		20	+ login_api
20	some_person = fast_create(Person)	21	some_person = fast_create(Person)
21	get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"	22	get "/api/v1/profiles/#{some_person.id}?#{params.to_query}"
22	json = JSON.parse(last_response.body)	23	json = JSON.parse(last_response.body)
23	assert_equal some_person.id, json['id']	24	assert_equal some_person.id, json['id']
24	end	25	end
25		26
26	- should 'get community from profile id' do	27	+ should 'logged user get community from profile id' do
		28	+ login_api
27	community = fast_create(Community)	29	community = fast_create(Community)
28	get "/api/v1/profiles/#{community.id}?#{params.to_query}"	30	get "/api/v1/profiles/#{community.id}?#{params.to_query}"
29	json = JSON.parse(last_response.body)	31	json = JSON.parse(last_response.body)
	@@ -33,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -33,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase
33	group_kinds = %w(community enterprise)	35	group_kinds = %w(community enterprise)
34	group_kinds.each do \|kind\|	36	group_kinds.each do \|kind\|
35	should "delete #{kind} from profile id with permission" do	37	should "delete #{kind} from profile id with permission" do
		38	+ login_api
36	profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)	39	profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
37	give_permission(@person, 'destroy_profile', profile)	40	give_permission(@person, 'destroy_profile', profile)
38	assert_not_nil Profile.find_by_id profile.id	41	assert_not_nil Profile.find_by_id profile.id
	@@ -44,6 +47,7 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -44,6 +47,7 @@ class ProfilesTest < ActiveSupport::TestCase
44	end	47	end
45		48
46	should "not delete #{kind} from profile id without permission" do	49	should "not delete #{kind} from profile id without permission" do
		50	+ login_api
47	profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)	51	profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
48	assert_not_nil Profile.find_by_id profile.id	52	assert_not_nil Profile.find_by_id profile.id
49		53
	@@ -55,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -55,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase
55	end	59	end
56		60
57	should 'person delete itself' do	61	should 'person delete itself' do
		62	+ login_api
58	delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"	63	delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
59	assert_equal 200, last_response.status	64	assert_equal 200, last_response.status
60	assert_nil Profile.find_by_id @person.id	65	assert_nil Profile.find_by_id @person.id
61	end	66	end
62		67
63	should 'only admin delete other people' do	68	should 'only admin delete other people' do
		69	+ login_api
64	profile = fast_create(Person, :environment_id => environment.id)	70	profile = fast_create(Person, :environment_id => environment.id)
65	assert_not_nil Profile.find_by_id profile.id	71	assert_not_nil Profile.find_by_id profile.id
66		72
	@@ -77,4 +83,62 @@ class ProfilesTest < ActiveSupport::TestCase		@@ -77,4 +83,62 @@ class ProfilesTest < ActiveSupport::TestCase
77	assert_nil Profile.find_by_id profile.id	83	assert_nil Profile.find_by_id profile.id
78		84
79	end	85	end
		86	+
		87	+ should 'anonymous user access delete action' do
		88	+ anonymous_setup
		89	+ profile = fast_create(Person, :environment_id => environment.id)
		90	+
		91	+ delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
		92	+ assert_equal 401, last_response.status
		93	+ assert_not_nil Profile.find_by_id profile.id
		94	+ end
		95	+
		96	+ should 'anonymous list all profiles' do
		97	+ person1 = fast_create(Person)
		98	+ person2 = fast_create(Person)
		99	+ community = fast_create(Community)
		100	+ get "/api/v1/profiles"
		101	+ json = JSON.parse(last_response.body)
		102	+ assert_equivalent [person1.id, person2.id, community.id], json.map {\|p\| p['id']}
		103	+ end
		104	+
		105	+ should 'anonymous get person from profile id' do
		106	+ some_person = fast_create(Person)
		107	+ get "/api/v1/profiles/#{some_person.id}"
		108	+ json = JSON.parse(last_response.body)
		109	+ assert_equal some_person.id, json['id']
		110	+ end
		111	+
		112	+ should 'anonymous get community from profile id' do
		113	+ community = fast_create(Community)
		114	+ get "/api/v1/profiles/#{community.id}"
		115	+ json = JSON.parse(last_response.body)
		116	+ assert_equal community.id, json['id']
		117	+ end
		118	+
		119	+ should 'display public custom fields to anonymous' do
		120	+ anonymous_setup
		121	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
		122	+ some_profile = fast_create(Profile)
		123	+ some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
		124	+ some_profile.save!
		125	+
		126	+ get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
		127	+ json = JSON.parse(last_response.body)
		128	+ assert json['additional_data'].has_key?('Rating')
		129	+ assert_equal "Five stars", json['additional_data']['Rating']
		130	+ end
		131	+
		132	+ should 'not display private custom fields to anonymous' do
		133	+ anonymous_setup
		134	+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
		135	+ some_profile = fast_create(Profile)
		136	+ some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
		137	+ some_profile.save!
		138	+
		139	+ get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
		140	+ json = JSON.parse(last_response.body)
		141	+ refute json.has_key?('Rating')
		142	+ end
		143	+
80	end	144	end
	@@ -24,6 +24,12 @@ class ActiveSupport::TestCase		@@ -24,6 +24,12 @@ class ActiveSupport::TestCase
24		24
25	@params = {:private_token => @private_token}	25	@params = {:private_token => @private_token}
26	end	26	end
		27	+
		28	+ def anonymous_setup
		29	+ @environment = Environment.default
		30	+ @params = {}
		31	+ end
		32	+
27	attr_accessor :private_token, :user, :person, :params, :environment	33	attr_accessor :private_token, :user, :person, :params, :environment
28		34
29	private	35	private
	@@ -437,7 +437,7 @@ class OrganizationTest < ActiveSupport::TestCase		@@ -437,7 +437,7 @@ class OrganizationTest < ActiveSupport::TestCase
437	c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')	437	c = fast_create(Organization, :name => 'my test profile', :identifier => 'mytestprofile')
438	admin = create_user('adminuser').person	438	admin = create_user('adminuser').person
439	c.add_admin(admin)	439	c.add_admin(admin)
440	-	440	+
441	assert c.is_admin?(admin)	441	assert c.is_admin?(admin)
442	end	442	end
443		443
	@@ -513,4 +513,18 @@ class OrganizationTest < ActiveSupport::TestCase		@@ -513,4 +513,18 @@ class OrganizationTest < ActiveSupport::TestCase
513	assert_includes env_admin_orgs, o7	513	assert_includes env_admin_orgs, o7
514	end	514	end
515		515
		516	+ should 'fetch organizations there are visible for a visitor' do
		517	+ visitor = nil
		518	+ Organization.destroy_all
		519	+ o1 = fast_create(Organization, :public_profile => true , :visible => true )
		520	+ o2 = fast_create(Organization, :public_profile => false, :visible => true )
		521	+ o3 = fast_create(Organization, :public_profile => true , :visible => false)
		522	+ o4 = fast_create(Organization, :public_profile => false, :visible => false)
		523	+ person_orgs = Organization.visible_for_person(visitor)
		524	+ assert_includes person_orgs, o1
		525	+ assert_not_includes person_orgs, o2
		526	+ assert_not_includes person_orgs, o3
		527	+ assert_not_includes person_orgs, o4
		528	+ end
		529	+
516	end	530	end
	@@ -1951,4 +1951,17 @@ class PersonTest < ActiveSupport::TestCase		@@ -1951,4 +1951,17 @@ class PersonTest < ActiveSupport::TestCase
1951	person.save!	1951	person.save!
1952	end	1952	end
1953		1953
		1954	+ should 'fetch people there are visible for a visitor' do
		1955	+ person = nil
		1956	+ p1 = fast_create(Person, :public_profile => true , :visible => true)
		1957	+ p2 = fast_create(Person, :public_profile => false, :visible => true)
		1958	+ p3 = fast_create(Person, :public_profile => true , :visible => false)
		1959	+ p4 = fast_create(Person, :public_profile => false, :visible => false)
		1960	+ people_visible_by_visitor = Person.visible_for_person(person)
		1961	+ assert_includes people_visible_by_visitor, p1
		1962	+ assert_not_includes people_visible_by_visitor, p2
		1963	+ assert_not_includes people_visible_by_visitor, p3
		1964	+ assert_not_includes people_visible_by_visitor, p4
		1965	+ end
		1966	+
1954	end	1967	end