diff --git a/lib/noosfero/api/v1/people.rb b/lib/noosfero/api/v1/people.rb index 60e42d1..316b8f1 100644 --- a/lib/noosfero/api/v1/people.rb +++ b/lib/noosfero/api/v1/people.rb @@ -2,7 +2,6 @@ module Noosfero module API module V1 class People < Grape::API - before { authenticate! } MAX_PER_PAGE = 50 @@ -41,6 +40,7 @@ module Noosfero desc "Return the logged user information" get "/me" do + authenticate! present_partial current_person, :with => Entities::Person, :current_person => current_person end @@ -53,6 +53,7 @@ module Noosfero desc "Update person information" post ':id' do + authenticate! return forbidden! if current_person.id.to_s != params[:id] current_person.update_attributes!(params[:person]) present current_person, :with => Entities::Person, :current_person => current_person @@ -63,6 +64,7 @@ module Noosfero # for each custom field for person, add &person[field_name]=field_value to the request desc "Create person" post do + authenticate! user_data = {} user_data[:login] = params[:person].delete(:login) || params[:person][:identifier] user_data[:email] = params[:person].delete(:email) @@ -95,6 +97,7 @@ module Noosfero desc "Return the person permissions on other profiles" get ":id/permissions" do + authenticate! person = environment.people.find(params[:id]) return not_found! if person.blank? return forbidden! unless current_person == person || environment.admins.include?(current_person) diff --git a/test/api/people_test.rb b/test/api/people_test.rb index 8e14e2b..41a53bb 100644 --- a/test/api/people_test.rb +++ b/test/api/people_test.rb @@ -6,7 +6,7 @@ class PeopleTest < ActiveSupport::TestCase Person.delete_all end - should 'list all people' do + should 'logged user list all people' do login_api person1 = fast_create(Person, :public_profile => true) person2 = fast_create(Person) @@ -15,7 +15,16 @@ class PeopleTest < ActiveSupport::TestCase assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']} end - should 'list all members of a community' do + should 'anonymous list all people' do + anonymous_setup + person1 = fast_create(Person, :public_profile => true) + person2 = fast_create(Person) + get "/api/v1/people?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']} + end + + should 'logged user list all members of a community' do login_api person1 = fast_create(Person) person2 = fast_create(Person) @@ -29,7 +38,21 @@ class PeopleTest < ActiveSupport::TestCase assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]} end - should 'not list invisible people' do + should 'anonymous list all members of a community' do + anonymous_setup + person1 = fast_create(Person) + person2 = fast_create(Person) + community = fast_create(Community) + community.add_member(person1) + community.add_member(person2) + + get "/api/v1/profiles/#{community.id}/members?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 2, json["people"].count + assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]} + end + + should 'logged user not list invisible people' do login_api invisible_person = fast_create(Person, :visible => false) @@ -37,7 +60,15 @@ class PeopleTest < ActiveSupport::TestCase assert_not_includes json_response_ids(:people), invisible_person.id end - should 'list private people' do + should 'annoymous not list invisible people' do + anonymous_setup + invisible_person = fast_create(Person, :visible => false) + + get "/api/v1/people?#{params.to_query}" + assert_not_includes json_response_ids(:people), invisible_person.id + end + + should 'logged user list private people' do login_api private_person = fast_create(Person, :public_profile => false) @@ -45,7 +76,15 @@ class PeopleTest < ActiveSupport::TestCase assert_includes json_response_ids(:people), private_person.id end - should 'list private person for friends' do + should 'anonymous list private people' do + anonymous_setup + private_person = fast_create(Person, :public_profile => false) + + get "/api/v1/people?#{params.to_query}" + assert_includes json_response_ids(:people), private_person.id + end + + should 'logged user list private person for friends' do login_api p1 = fast_create(Person) p2 = fast_create(Person, :public_profile => false) @@ -56,7 +95,7 @@ class PeopleTest < ActiveSupport::TestCase assert_includes json_response_ids(:people), p2.id end - should 'get person' do + should 'logged user get person' do login_api some_person = fast_create(Person) @@ -65,7 +104,17 @@ class PeopleTest < ActiveSupport::TestCase assert_equal some_person.id, json['person']['id'] end - should 'people endpoint filter by fields parameter' do + should 'anonymous get person' do + anonymous_setup + some_person = fast_create(Person) + + get "/api/v1/people/#{some_person.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal some_person.id, json['person']['id'] + end + + + should 'people endpoint filter by fields parameter for logged user' do login_api get "/api/v1/people?#{params.to_query}&fields=name" json = JSON.parse(last_response.body) @@ -73,7 +122,7 @@ class PeopleTest < ActiveSupport::TestCase assert_equal expected, json end - should 'people endpoint filter by fields parameter with hierarchy' do + should 'people endpoint filter by fields parameter with hierarchy for logged user' do login_api fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str) get "/api/v1/people?#{params.to_query}&fields=#{fields}" @@ -89,7 +138,7 @@ class PeopleTest < ActiveSupport::TestCase assert_equal person.id, json['person']['id'] end - should 'me endpoint filter by fields parameter' do + should 'access me endpoint filter by fields parameter' do login_api get "/api/v1/people/me?#{params.to_query}&fields=name" json = JSON.parse(last_response.body) @@ -97,7 +146,7 @@ class PeopleTest < ActiveSupport::TestCase assert_equal expected, json end - should 'not get invisible person' do + should 'logged user not get invisible person' do login_api person = fast_create(Person, :visible => false) @@ -106,6 +155,15 @@ class PeopleTest < ActiveSupport::TestCase assert json['person'].blank? end + should 'anonymous not get invisible person' do + anonymous_setup + person = fast_create(Person, :visible => false) + + get "/api/v1/people/#{person.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert json['person'].blank? + end + should 'get private people' do login_api private_person = fast_create(Person, :public_profile => false) @@ -115,6 +173,15 @@ class PeopleTest < ActiveSupport::TestCase assert_equal json['person']['id'], private_person.id end + should 'anonymous get private people' do + anonymous_setup + private_person = fast_create(Person, :public_profile => false) + + get "/api/v1/people/#{private_person.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal json['person']['id'], private_person.id + end + should 'get private person for friends' do login_api private_person = fast_create(Person, :public_profile => false) @@ -135,6 +202,16 @@ class PeopleTest < ActiveSupport::TestCase assert_includes json_response_ids(:people), person.id end + should 'anonymous list person friends' do + anonymous_setup + person = fast_create(Person) + friend = fast_create(Person) + person.add_friend(friend) + friend.add_friend(person) + get "/api/v1/people/#{friend.id}/friends?#{params.to_query}" + assert_includes json_response_ids(:people), person.id + end + should 'not list person invisible friends' do login_api friend = fast_create(Person) @@ -221,7 +298,7 @@ class PeopleTest < ActiveSupport::TestCase assert_equal another_name, person.name end - should 'display public custom fields' do + should 'logged user display public custom fields' do login_api CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) some_person = create_user('some-person').person @@ -234,7 +311,7 @@ class PeopleTest < ActiveSupport::TestCase assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog'] end - should 'not display non-public custom fields' do + should 'logged user not display non-public custom fields' do login_api CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) some_person = create_user('some-person').person @@ -246,6 +323,31 @@ class PeopleTest < ActiveSupport::TestCase assert_equal json['person']['additional_data'], {} end + should 'display public custom fields to anonymous' do + anonymous_setup + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) + some_person = create_user('some-person').person + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} } + some_person.save! + + get "/api/v1/people/#{some_person.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert json['person']['additional_data'].has_key?('Custom Blog') + assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog'] + end + + should 'not display non-public custom fields to anonymous' do + anonymous_setup + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) + some_person = create_user('some-person').person + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } + some_person.save! + + get "/api/v1/people/#{some_person.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal json['person']['additional_data'], {} + end + should 'display non-public custom fields to friend' do login_api CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) -- libgit2 0.21.2