mege with master

Leandro Santos
2 parents 9719a2da a0194228
Showing 25 changed files with 107 additions and 48 deletions Show diff stats
Gemfile
Gemfile.lock
app/api/entities.rb
app/api/v1/session.rb
app/models/comment.rb
app/views/cms/edit.html.erb
app/views/layouts/application-ng.html.erb
plugins/oauth_client/lib/oauth_client_plugin.rb
plugins/oauth_provider/Gemfile
plugins/oauth_provider/controllers/doorkeeper/application_controller.rb
plugins/oauth_provider/controllers/public/oauth_provider_plugin_public_controller.rb
plugins/oauth_provider/db/migrate/20160727164530_add_scopes_to_oauth_applications.rb
plugins/oauth_provider/views/doorkeeper/applications/_delete_form.html.erb
plugins/oauth_provider/views/doorkeeper/applications/_form.html.erb
plugins/oauth_provider/views/doorkeeper/applications/index.html.erb
plugins/oauth_provider/views/doorkeeper/applications/new.html.erb
plugins/oauth_provider/views/doorkeeper/applications/show.html.erb
plugins/oauth_provider/views/doorkeeper/authorizations/error.html.erb
plugins/oauth_provider/views/doorkeeper/authorizations/new.html.erb
plugins/oauth_provider/views/doorkeeper/authorizations/show.html.erb
@@ -27,7 +27,7 @@ gem &#39;rest-client&#39;,              &#39;~&gt; 1.6&#39;
 gem 'exception_notification',   '~> 4.0.1'
 gem 'gettext',                  '~> 3.1', :require => false
 gem 'locale',                   '~> 2.1'
-gem 'whenever', :require => false
+gem 'whenever',                 '~> 0.9.4', :require => false
 gem 'eita-jrails', '~> 0.10.0', require: 'jrails'
 gem 'diffy',                    '~> 3.0'
 gem 'slim'
@@ -489,7 +489,7 @@ DEPENDENCIES
   unicorn (~> 4.8)
   validates_as_cnpj (= 0.0.0)!
   validates_multiparameter_assignments (= 0.0.0)!
-  whenever
+  whenever (~> 0.9.4)
   will_paginate (~> 3.0.7)
   xss_terminate (= 0.0.0)!
  
@@ -174,6 +174,10 @@ module Api
       expose :created_at, :format_with => :timestamp
       expose :author, :using => Profile
       expose :reply_of, :using => CommentBase
+      expose :permissions do |comment, options|
+        Entities.permissions_for_entity(comment, options[:current_person],
+        :allow_destroy?)
+      end
     end
  
     class Comment < CommentBase
@@ -174,14 +174,13 @@ module Api
       # Example Request:
       #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
       patch "/new_password" do
-        change_password = ChangePassword.find_by code: params[:code]
-        not_found! if change_password.nil?
-
-        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+        begin
+          change_password = ChangePassword.find_by! code: params[:code]
+          change_password.update_attributes!(:password => params[:password], :password_confirmation => params[:password_confirmation])
           change_password.finish
           present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
-        else
-          something_wrong!
+        rescue Exception => ex
+          render_api_error!(ex.message, 400)
         end
       end
  
@@ -212,6 +212,9 @@ class Comment &lt; ApplicationRecord
     user == author || user == profile || user.has_permission?(:moderate_comments, profile)
   end
  
+  # method used by the API
+  alias_method :allow_destroy?, :can_be_destroyed_by?
+
   def can_be_marked_as_spam_by?(user)
     return if user.nil?
     user == profile || user.has_permission?(:moderate_comments, profile)
@@ -34,7 +34,7 @@
  
   <br />
  
-  <%= f.text_field('tag_list', :size => 64) %>
+  <%= f.text_field 'tag_list', size: 64, value: @article.tag_list.join(',') %>
   <%= content_tag( 'small', _('Separate tags with commas') ) %>
  
   <script>
@@ -86,9 +86,9 @@
     <%=
       str = (@plugins.dispatch(:body_ending).map do |content|
               if content.respond_to?(:call) then 
-                instance_exec(&content)
+                instance_exec(&content).html_safe
               else 
-                content
+                content.html_safe
               end
             end)
       safe_join(str, "\n")
@@ -72,6 +72,7 @@ class OauthClientPlugin &lt; Noosfero::Plugin
         strategy.options.merge! consumer_key: provider.client_id, consumer_secret: provider.client_secret
         strategy.options.merge! client_id: provider.client_id, client_secret: provider.client_secret
         strategy.options.merge! options
+        strategy.options.merge! provider.options
  
         request.session[:provider_id] = provider_id
       }
-source 'https://rubygems.org'
-gem 'doorkeeper', '~> 1.4.0'
-gem 'responders', '~> 2.0'
-gem 'rack', '1.6.4'
+gem 'doorkeeper', '~> 3.1.0'
@@ -2,7 +2,6 @@ module Doorkeeper
   class ApplicationController < ApplicationController
  
     include Helpers::Controller
-    helper 'doorkeeper/form_errors'
  
   end
 end
 class OauthProviderPluginPublicController < PublicController
  
-  doorkeeper_for :me
+  before_action :doorkeeper_authorize!
  
   def me
     user = environment.users.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
@@ -0,0 +1,5 @@
+class AddScopesToOauthApplications < ActiveRecord::Migration
+  def change
+    add_column :oauth_applications, :scopes, :string, null: false, default: ''
+  end
+end
 <%- submit_btn_css ||= 'btn btn-link' %>
-<%= form_tag [:oauth, application] do %>
+<%= form_tag oauth_application_path(application) do %>
   <input type="hidden" name="_method" value="delete">
-  <%= submit_tag 'Destroy', onclick: "return confirm('Are you sure?')", class: submit_btn_css %>
+  <%= submit_tag _('Destroy'), onclick: "return confirm('#{ _('Are you sure?') }')", class: submit_btn_css %>
 <% end %>
-<%= form_for [:oauth, application], html: {class: 'form-horizontal', role: 'form'} do |f| %>
+<% extend Doorkeeper::DashboardHelper %>
+<%= form_for application, url: doorkeeper_submit_path(application), html: {class: 'form-horizontal', role: 'form'} do |f| %>
   <% if application.errors.any? %>
-    <div class="alert alert-danger" data-alert>
-      <p><%= _('Whoops! Check your form for possible errors') %></p>
-    </div>
+    <div class="alert alert-danger" data-alert><p><%= _('Whoops! Check your form for possible errors') %></p></div>
   <% end %>
  
   <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:name].present?}" do %>
-    <%= f.label :name, class: 'col-sm-2 control-label', for: 'application_name' %>
+    <%= f.label :name, class: 'col-sm-2 control-label' %>
     <div class="col-sm-10">
       <%= f.text_field :name, class: 'form-control' %>
       <%= doorkeeper_errors_for application, :name %>
@@ -14,26 +13,36 @@
   <% end %>
  
   <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:redirect_uri].present?}" do %>
-    <%= f.label :redirect_uri, class: 'col-sm-2 control-label', for: 'application_redirect_uri' %>
+    <%= f.label :redirect_uri, class: 'col-sm-2 control-label' %>
     <div class="col-sm-10">
       <%= f.text_area :redirect_uri, class: 'form-control' %>
       <%= doorkeeper_errors_for application, :redirect_uri %>
       <span class="help-block">
         <%= _('Use one line per URI') %>
-        </span>
+      </span>
       <% if Doorkeeper.configuration.native_redirect_uri %>
           <span class="help-block">
-            Use <code><%= Doorkeeper.configuration.native_redirect_uri %></code> for local tests
+            <%= raw _('Use %s to local tests') % "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>" %>
           </span>
       <% end %>
     </div>
   <% end %>
  
+  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:scopes].present?}" do %>
+    <%= f.label :scopes, class: 'col-sm-2 control-label' %>
+    <div class="col-sm-10">
+      <%= f.text_field :scopes, class: 'form-control' %>
+      <%= doorkeeper_errors_for application, :scopes %>
+      <span class="help-block">
+        <%= _('Separate scopes with spaces. Leave blank to use the default scopes.') %>
+      </span>
+    </div>
+  <% end %>
+
   <div class="form-group">
     <div class="col-sm-offset-2 col-sm-10">
       <%= f.submit _('Submit'), class: "btn btn-primary" %>
-      <%= link_to _("Cancel"), oauth_applications_path, :class => "btn btn-default" %>
+      <%= link_to _('Cancel'), oauth_applications_path, :class => "btn btn-default" %>
     </div>
   </div>
 <% end %>
-
 <div class="oauth-provider">
 <div class="page-header">
-  <h3><%= link_to _('Oauh Provider'), '/admin/plugin/oauth_provider' %></h3>
+  <h1><%= _('Oauh Provider') %></h1>
 </div>
  
 <p><%= link_to _('New Application'), new_oauth_application_path, class: 'btn btn-success' %></p>
@@ -17,7 +17,7 @@
   <tbody>
   <% @applications.each do |application| %>
     <tr id="application_<%= application.id %>">
-      <td><%= link_to application.name, [:oauth, application] %></td>
+      <td><%= link_to application.name, oauth_application_path(application) %></td>
       <td><%= application.redirect_uri %></td>
       <td><%= link_to _('Edit'), edit_oauth_application_path(application), class: 'btn btn-link' %></td>
       <td><%= render 'delete_form', application: application %></td>
 <div class="page-header">
-  <h1>New application</h1>
+  <h1><%= _('New application') %></h1>
 </div>
  
 <%= render 'form', application: @application %>
@@ -5,13 +5,14 @@
 <div class="row">
   <div class="col-md-8">
     <h4><%= _('Application Id:') %></h4>
-
     <p><code id="application_id"><%= @application.uid %></code></p>
  
     <h4><%= _('Secret:') %></h4>
-
     <p><code id="secret"><%= @application.secret %></code></p>
  
+    <h4><%= _('Scopes') %>:</h4>
+    <p><code id="scopes"><%= @application.scopes %></code></p>
+
     <h4><%= _('Callback urls:') %></h4>
  
     <table>
@@ -21,6 +22,7 @@
             <code><%= uri %></code>
           </td>
           <td>
+            <%= link_to _('Authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code'), class: 'btn btn-success', target: '_blank' %>
           </td>
         </tr>
       <% end %>
 <div class="page-header">
-  <h1>An error has occurred</h1>
+  <h1><%= _('An error has occurred') %></h1>
 </div>
  
 <main role="main">
 <div class="oauth-provider-authorize">
-
 <header class="page-header" role="banner">
   <h1><%= _('Authorize required') %></h1>
 </header>
  
 <main role="main">
   <p class="h4">
-  <%= _('Authorize %s to use your account?') % "<strong class=\"text-info\">#{@pre_auth.client.name}</strong>" %>
+    <%= _('Authorize %s to use your account?') % "<strong class=\"text-info\">#{@pre_auth.client.name}</strong>" %>
   </p>
  
-  <% if @pre_auth.scopes %>
+  <% if @pre_auth.scopes.count > 0 %>
     <div id="oauth-permissions">
       <p><%= _('This application will be able to:') %></p>
  
       <ul class="text-info">
         <% @pre_auth.scopes.each do |scope| %>
-          <li><%= OauthProviderPlugin::SCOPE_TRANSLATION[scope] %></li>
+          <li><%= t scope, scope: [:doorkeeper, :scopes] %></li>
         <% end %>
       </ul>
     </div>
@@ -28,7 +27,7 @@
       <%= hidden_field_tag :state, @pre_auth.state %>
       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
       <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= submit_button :ok, _("Authorize") %>
+      <%= submit_tag _('Authorize'), class: "btn btn-success btn-lg btn-block" %>
     <% end %>
     <%= form_tag oauth_authorization_path, method: :delete do %>
       <%= hidden_field_tag :client_id, @pre_auth.client.uid %>
@@ -36,7 +35,7 @@
       <%= hidden_field_tag :state, @pre_auth.state %>
       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
       <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= submit_button :cancel, _("Deny") %>
+      <%= submit_tag _('Deny'), class: "btn btn-danger btn-lg btn-block" %>
     <% end %>
   </div>
 </main>
 <header class="page-header">
-  <h1>Authorization code:</h1>
+  <h1><%= _('Authorization code:') %></h1>
 </header>
  
 <main role="main">
 <%- submit_btn_css ||= 'btn btn-link' %>
 <%= form_tag oauth_authorized_application_path(application) do %>
   <input type="hidden" name="_method" value="delete">
-  <%= submit_tag 'Revoke', onclick: "return confirm('Are you sure?')", class: submit_btn_css %>
+  <%= submit_tag _('Revoke'), onclick: "return confirm('#{ _('Are you sure?') }')", class: submit_btn_css %>
 <% end %>
 <div class="oauth-provider">
 <header class="page-header">
-  <h1>Your authorized applications</h1>
+  <h1><%= _('Your authorized applications') %></h1>
 </header>
  
 <main role="main">
   <table class="table table-striped">
     <thead>
     <tr>
-      <th>Application</th>
-      <th>Created At</th>
+      <th><%= _('Application') %></th>
+      <th><%= _('Created at') %></th>
       <th></th>
       <th></th>
     </tr>
@@ -24,7 +24,6 @@
     </tbody>
   </table>
 </main>
-
 <div class="actions">
   <%= button(:back, _('Go back'), :back) %>
 </div>
@@ -245,4 +245,34 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 500, last_response.status
     assert_includes article.comments, comment
   end
+
+  should 'list allow_destroy permission when get your own comment' do
+    login_api
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'anonymous not allowed to destroy comments' do
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'unprivileged user not be allowed to destroy other people comments' do
+    article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
+    comment = article.comments.create!(body: "some comment", author: @local_person)
+    login_api
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
 end
@@ -179,13 +179,19 @@ class SessionTest &lt; ActiveSupport::TestCase
     patch "/api/v1/new_password?#{params.to_query}"
     assert_equal Task::Status::ACTIVE, task.reload.status
     assert !user.reload.authenticated?('secret')
+    json = JSON.parse(last_response.body)
+    assert_match /doesn't match/, json['message']
+
     assert_equal 400, last_response.status
   end
  
   should 'render not found when provide a wrong code on password change' do
     params = {:code => "wrongcode", :password => 'secret', :password_confirmation => 'secret'}
     patch "/api/v1/new_password?#{params.to_query}"
-    assert_equal 404, last_response.status
+    json = JSON.parse(last_response.body)
+    assert_match /Couldn't find/, json['message']
+
+    assert_equal 400, last_response.status
   end
  
 # FIXME this test fails i don't know if stil needed
@@ -597,6 +597,12 @@ class CommentTest &lt; ActiveSupport::TestCase
     refute comment.can_be_destroyed_by?(nil)
   end
  
+  should 'anonymous has no allow_destroy? permission' do
+    comment = Comment.new
+
+    refute comment.allow_destroy?(nil)
+  end
+
   should 'not be able to destroy comment' do
     user = Person.new
     profile = Profile.new
...	...	@@ -27,7 +27,7 @@ gem 'rest-client', '~> 1.6'
27	27	gem 'exception_notification', '~> 4.0.1'
28	28	gem 'gettext', '~> 3.1', :require => false
29	29	gem 'locale', '~> 2.1'
30		-gem 'whenever', :require => false
	30	+gem 'whenever', '~> 0.9.4', :require => false
31	31	gem 'eita-jrails', '~> 0.10.0', require: 'jrails'
32	32	gem 'diffy', '~> 3.0'
33	33	gem 'slim'
...	...
...	...	@@ -489,7 +489,7 @@ DEPENDENCIES
489	489	unicorn (~> 4.8)
490	490	validates_as_cnpj (= 0.0.0)!
491	491	validates_multiparameter_assignments (= 0.0.0)!
492		- whenever
	492	+ whenever (~> 0.9.4)
493	493	will_paginate (~> 3.0.7)
494	494	xss_terminate (= 0.0.0)!
495	495
...	...
...	...	@@ -174,6 +174,10 @@ module Api
174	174	expose :created_at, :format_with => :timestamp
175	175	expose :author, :using => Profile
176	176	expose :reply_of, :using => CommentBase
	177	+ expose :permissions do \|comment, options\|
	178	+ Entities.permissions_for_entity(comment, options[:current_person],
	179	+ :allow_destroy?)
	180	+ end
177	181	end
178	182
179	183	class Comment < CommentBase
...	...
...	...	@@ -174,14 +174,13 @@ module Api
174	174	# Example Request:
175	175	# PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
176	176	patch "/new_password" do
177		- change_password = ChangePassword.find_by code: params[:code]
178		- not_found! if change_password.nil?
179		-
180		- if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
	177	+ begin
	178	+ change_password = ChangePassword.find_by! code: params[:code]
	179	+ change_password.update_attributes!(:password => params[:password], :password_confirmation => params[:password_confirmation])
181	180	change_password.finish
182	181	present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
183		- else
184		- something_wrong!
	182	+ rescue Exception => ex
	183	+ render_api_error!(ex.message, 400)
185	184	end
186	185	end
187	186
...	...
...	...	@@ -212,6 +212,9 @@ class Comment < ApplicationRecord
212	212	user == author \|\| user == profile \|\| user.has_permission?(:moderate_comments, profile)
213	213	end
214	214
	215	+ # method used by the API
	216	+ alias_method :allow_destroy?, :can_be_destroyed_by?
	217	+
215	218	def can_be_marked_as_spam_by?(user)
216	219	return if user.nil?
217	220	user == profile \|\| user.has_permission?(:moderate_comments, profile)
...	...
...	...	@@ -34,7 +34,7 @@
34	34
35	35	<br />
36	36
37		- <%= f.text_field('tag_list', :size => 64) %>
	37	+ <%= f.text_field 'tag_list', size: 64, value: @article.tag_list.join(',') %>
38	38	<%= content_tag( 'small', _('Separate tags with commas') ) %>
39	39
40	40	<script>
...	...
...	...	@@ -86,9 +86,9 @@
86	86	<%=
87	87	str = (@plugins.dispatch(:body_ending).map do \|content\|
88	88	if content.respond_to?(:call) then
89		- instance_exec(&content)
	89	+ instance_exec(&content).html_safe
90	90	else
91		- content
	91	+ content.html_safe
92	92	end
93	93	end)
94	94	safe_join(str, "\n")
...	...
...	...	@@ -72,6 +72,7 @@ class OauthClientPlugin < Noosfero::Plugin
72	72	strategy.options.merge! consumer_key: provider.client_id, consumer_secret: provider.client_secret
73	73	strategy.options.merge! client_id: provider.client_id, client_secret: provider.client_secret
74	74	strategy.options.merge! options
	75	+ strategy.options.merge! provider.options
75	76
76	77	request.session[:provider_id] = provider_id
77	78	}
...	...
1		-source 'https://rubygems.org'
2		-gem 'doorkeeper', '~> 1.4.0'
3		-gem 'responders', '~> 2.0'
4		-gem 'rack', '1.6.4'
	1	+gem 'doorkeeper', '~> 3.1.0'
...	...
...	...	@@ -2,7 +2,6 @@ module Doorkeeper
2	2	class ApplicationController < ApplicationController
3	3
4	4	include Helpers::Controller
5		- helper 'doorkeeper/form_errors'
6	5
7	6	end
8	7	end
...	...