Commit 669be1658f40361418e9bb2cef58781a83da04f9
Committed by
Leandro Santos
Leandro Santos
1 parent
b03d485a
Exists in
staging
and in
31 other branches
added tests for anonymous
Showing
2 changed files
with
118 additions
and
13 deletions
Show diff stats
lib/noosfero/api/v1/people.rb
| ... | ... | @@ -2,7 +2,6 @@ module Noosfero |
| 2 | 2 | module API |
| 3 | 3 | module V1 |
| 4 | 4 | class People < Grape::API |
| 5 | - before { authenticate! } | |
| 6 | 5 | |
| 7 | 6 | MAX_PER_PAGE = 50 |
| 8 | 7 | |
| ... | ... | @@ -41,6 +40,7 @@ module Noosfero |
| 41 | 40 | |
| 42 | 41 | desc "Return the logged user information" |
| 43 | 42 | get "/me" do |
| 43 | + authenticate! | |
| 44 | 44 | present_partial current_person, :with => Entities::Person, :current_person => current_person |
| 45 | 45 | end |
| 46 | 46 | |
| ... | ... | @@ -53,6 +53,7 @@ module Noosfero |
| 53 | 53 | |
| 54 | 54 | desc "Update person information" |
| 55 | 55 | post ':id' do |
| 56 | + authenticate! | |
| 56 | 57 | return forbidden! if current_person.id.to_s != params[:id] |
| 57 | 58 | current_person.update_attributes!(params[:person]) |
| 58 | 59 | present current_person, :with => Entities::Person, :current_person => current_person |
| ... | ... | @@ -63,6 +64,7 @@ module Noosfero |
| 63 | 64 | # for each custom field for person, add &person[field_name]=field_value to the request |
| 64 | 65 | desc "Create person" |
| 65 | 66 | post do |
| 67 | + authenticate! | |
| 66 | 68 | user_data = {} |
| 67 | 69 | user_data[:login] = params[:person].delete(:login) || params[:person][:identifier] |
| 68 | 70 | user_data[:email] = params[:person].delete(:email) |
| ... | ... | @@ -95,6 +97,7 @@ module Noosfero |
| 95 | 97 | |
| 96 | 98 | desc "Return the person permissions on other profiles" |
| 97 | 99 | get ":id/permissions" do |
| 100 | + authenticate! | |
| 98 | 101 | person = environment.people.find(params[:id]) |
| 99 | 102 | return not_found! if person.blank? |
| 100 | 103 | return forbidden! unless current_person == person || environment.admins.include?(current_person) | ... | ... |
test/api/people_test.rb
| ... | ... | @@ -6,7 +6,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 6 | 6 | Person.delete_all |
| 7 | 7 | end |
| 8 | 8 | |
| 9 | - should 'list all people' do | |
| 9 | + should 'logged user list all people' do | |
| 10 | 10 | login_api |
| 11 | 11 | person1 = fast_create(Person, :public_profile => true) |
| 12 | 12 | person2 = fast_create(Person) |
| ... | ... | @@ -15,7 +15,16 @@ class PeopleTest < ActiveSupport::TestCase |
| 15 | 15 | assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']} |
| 16 | 16 | end |
| 17 | 17 | |
| 18 | - should 'list all members of a community' do | |
| 18 | + should 'anonymous list all people' do | |
| 19 | + anonymous_setup | |
| 20 | + person1 = fast_create(Person, :public_profile => true) | |
| 21 | + person2 = fast_create(Person) | |
| 22 | + get "/api/v1/people?#{params.to_query}" | |
| 23 | + json = JSON.parse(last_response.body) | |
| 24 | + assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']} | |
| 25 | + end | |
| 26 | + | |
| 27 | + should 'logged user list all members of a community' do | |
| 19 | 28 | login_api |
| 20 | 29 | person1 = fast_create(Person) |
| 21 | 30 | person2 = fast_create(Person) |
| ... | ... | @@ -29,7 +38,21 @@ class PeopleTest < ActiveSupport::TestCase |
| 29 | 38 | assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]} |
| 30 | 39 | end |
| 31 | 40 | |
| 32 | - should 'not list invisible people' do | |
| 41 | + should 'anonymous list all members of a community' do | |
| 42 | + anonymous_setup | |
| 43 | + person1 = fast_create(Person) | |
| 44 | + person2 = fast_create(Person) | |
| 45 | + community = fast_create(Community) | |
| 46 | + community.add_member(person1) | |
| 47 | + community.add_member(person2) | |
| 48 | + | |
| 49 | + get "/api/v1/profiles/#{community.id}/members?#{params.to_query}" | |
| 50 | + json = JSON.parse(last_response.body) | |
| 51 | + assert_equal 2, json["people"].count | |
| 52 | + assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]} | |
| 53 | + end | |
| 54 | + | |
| 55 | + should 'logged user not list invisible people' do | |
| 33 | 56 | login_api |
| 34 | 57 | invisible_person = fast_create(Person, :visible => false) |
| 35 | 58 | |
| ... | ... | @@ -37,7 +60,15 @@ class PeopleTest < ActiveSupport::TestCase |
| 37 | 60 | assert_not_includes json_response_ids(:people), invisible_person.id |
| 38 | 61 | end |
| 39 | 62 | |
| 40 | - should 'list private people' do | |
| 63 | + should 'annoymous not list invisible people' do | |
| 64 | + anonymous_setup | |
| 65 | + invisible_person = fast_create(Person, :visible => false) | |
| 66 | + | |
| 67 | + get "/api/v1/people?#{params.to_query}" | |
| 68 | + assert_not_includes json_response_ids(:people), invisible_person.id | |
| 69 | + end | |
| 70 | + | |
| 71 | + should 'logged user list private people' do | |
| 41 | 72 | login_api |
| 42 | 73 | private_person = fast_create(Person, :public_profile => false) |
| 43 | 74 | |
| ... | ... | @@ -45,7 +76,15 @@ class PeopleTest < ActiveSupport::TestCase |
| 45 | 76 | assert_includes json_response_ids(:people), private_person.id |
| 46 | 77 | end |
| 47 | 78 | |
| 48 | - should 'list private person for friends' do | |
| 79 | + should 'anonymous list private people' do | |
| 80 | + anonymous_setup | |
| 81 | + private_person = fast_create(Person, :public_profile => false) | |
| 82 | + | |
| 83 | + get "/api/v1/people?#{params.to_query}" | |
| 84 | + assert_includes json_response_ids(:people), private_person.id | |
| 85 | + end | |
| 86 | + | |
| 87 | + should 'logged user list private person for friends' do | |
| 49 | 88 | login_api |
| 50 | 89 | p1 = fast_create(Person) |
| 51 | 90 | p2 = fast_create(Person, :public_profile => false) |
| ... | ... | @@ -56,7 +95,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 56 | 95 | assert_includes json_response_ids(:people), p2.id |
| 57 | 96 | end |
| 58 | 97 | |
| 59 | - should 'get person' do | |
| 98 | + should 'logged user get person' do | |
| 60 | 99 | login_api |
| 61 | 100 | some_person = fast_create(Person) |
| 62 | 101 | |
| ... | ... | @@ -65,7 +104,17 @@ class PeopleTest < ActiveSupport::TestCase |
| 65 | 104 | assert_equal some_person.id, json['person']['id'] |
| 66 | 105 | end |
| 67 | 106 | |
| 68 | - should 'people endpoint filter by fields parameter' do | |
| 107 | + should 'anonymous get person' do | |
| 108 | + anonymous_setup | |
| 109 | + some_person = fast_create(Person) | |
| 110 | + | |
| 111 | + get "/api/v1/people/#{some_person.id}?#{params.to_query}" | |
| 112 | + json = JSON.parse(last_response.body) | |
| 113 | + assert_equal some_person.id, json['person']['id'] | |
| 114 | + end | |
| 115 | + | |
| 116 | + | |
| 117 | + should 'people endpoint filter by fields parameter for logged user' do | |
| 69 | 118 | login_api |
| 70 | 119 | get "/api/v1/people?#{params.to_query}&fields=name" |
| 71 | 120 | json = JSON.parse(last_response.body) |
| ... | ... | @@ -73,7 +122,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 73 | 122 | assert_equal expected, json |
| 74 | 123 | end |
| 75 | 124 | |
| 76 | - should 'people endpoint filter by fields parameter with hierarchy' do | |
| 125 | + should 'people endpoint filter by fields parameter with hierarchy for logged user' do | |
| 77 | 126 | login_api |
| 78 | 127 | fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str) |
| 79 | 128 | get "/api/v1/people?#{params.to_query}&fields=#{fields}" |
| ... | ... | @@ -89,7 +138,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 89 | 138 | assert_equal person.id, json['person']['id'] |
| 90 | 139 | end |
| 91 | 140 | |
| 92 | - should 'me endpoint filter by fields parameter' do | |
| 141 | + should 'access me endpoint filter by fields parameter' do | |
| 93 | 142 | login_api |
| 94 | 143 | get "/api/v1/people/me?#{params.to_query}&fields=name" |
| 95 | 144 | json = JSON.parse(last_response.body) |
| ... | ... | @@ -97,7 +146,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 97 | 146 | assert_equal expected, json |
| 98 | 147 | end |
| 99 | 148 | |
| 100 | - should 'not get invisible person' do | |
| 149 | + should 'logged user not get invisible person' do | |
| 101 | 150 | login_api |
| 102 | 151 | person = fast_create(Person, :visible => false) |
| 103 | 152 | |
| ... | ... | @@ -106,6 +155,15 @@ class PeopleTest < ActiveSupport::TestCase |
| 106 | 155 | assert json['person'].blank? |
| 107 | 156 | end |
| 108 | 157 | |
| 158 | + should 'anonymous not get invisible person' do | |
| 159 | + anonymous_setup | |
| 160 | + person = fast_create(Person, :visible => false) | |
| 161 | + | |
| 162 | + get "/api/v1/people/#{person.id}?#{params.to_query}" | |
| 163 | + json = JSON.parse(last_response.body) | |
| 164 | + assert json['person'].blank? | |
| 165 | + end | |
| 166 | + | |
| 109 | 167 | should 'get private people' do |
| 110 | 168 | login_api |
| 111 | 169 | private_person = fast_create(Person, :public_profile => false) |
| ... | ... | @@ -115,6 +173,15 @@ class PeopleTest < ActiveSupport::TestCase |
| 115 | 173 | assert_equal json['person']['id'], private_person.id |
| 116 | 174 | end |
| 117 | 175 | |
| 176 | + should 'anonymous get private people' do | |
| 177 | + anonymous_setup | |
| 178 | + private_person = fast_create(Person, :public_profile => false) | |
| 179 | + | |
| 180 | + get "/api/v1/people/#{private_person.id}?#{params.to_query}" | |
| 181 | + json = JSON.parse(last_response.body) | |
| 182 | + assert_equal json['person']['id'], private_person.id | |
| 183 | + end | |
| 184 | + | |
| 118 | 185 | should 'get private person for friends' do |
| 119 | 186 | login_api |
| 120 | 187 | private_person = fast_create(Person, :public_profile => false) |
| ... | ... | @@ -135,6 +202,16 @@ class PeopleTest < ActiveSupport::TestCase |
| 135 | 202 | assert_includes json_response_ids(:people), person.id |
| 136 | 203 | end |
| 137 | 204 | |
| 205 | + should 'anonymous list person friends' do | |
| 206 | + anonymous_setup | |
| 207 | + person = fast_create(Person) | |
| 208 | + friend = fast_create(Person) | |
| 209 | + person.add_friend(friend) | |
| 210 | + friend.add_friend(person) | |
| 211 | + get "/api/v1/people/#{friend.id}/friends?#{params.to_query}" | |
| 212 | + assert_includes json_response_ids(:people), person.id | |
| 213 | + end | |
| 214 | + | |
| 138 | 215 | should 'not list person invisible friends' do |
| 139 | 216 | login_api |
| 140 | 217 | friend = fast_create(Person) |
| ... | ... | @@ -221,7 +298,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 221 | 298 | assert_equal another_name, person.name |
| 222 | 299 | end |
| 223 | 300 | |
| 224 | - should 'display public custom fields' do | |
| 301 | + should 'logged user display public custom fields' do | |
| 225 | 302 | login_api |
| 226 | 303 | CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) |
| 227 | 304 | some_person = create_user('some-person').person |
| ... | ... | @@ -234,7 +311,7 @@ class PeopleTest < ActiveSupport::TestCase |
| 234 | 311 | assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog'] |
| 235 | 312 | end |
| 236 | 313 | |
| 237 | - should 'not display non-public custom fields' do | |
| 314 | + should 'logged user not display non-public custom fields' do | |
| 238 | 315 | login_api |
| 239 | 316 | CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) |
| 240 | 317 | some_person = create_user('some-person').person |
| ... | ... | @@ -246,6 +323,31 @@ class PeopleTest < ActiveSupport::TestCase |
| 246 | 323 | assert_equal json['person']['additional_data'], {} |
| 247 | 324 | end |
| 248 | 325 | |
| 326 | + should 'display public custom fields to anonymous' do | |
| 327 | + anonymous_setup | |
| 328 | + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) | |
| 329 | + some_person = create_user('some-person').person | |
| 330 | + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} } | |
| 331 | + some_person.save! | |
| 332 | + | |
| 333 | + get "/api/v1/people/#{some_person.id}?#{params.to_query}" | |
| 334 | + json = JSON.parse(last_response.body) | |
| 335 | + assert json['person']['additional_data'].has_key?('Custom Blog') | |
| 336 | + assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog'] | |
| 337 | + end | |
| 338 | + | |
| 339 | + should 'not display non-public custom fields to anonymous' do | |
| 340 | + anonymous_setup | |
| 341 | + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) | |
| 342 | + some_person = create_user('some-person').person | |
| 343 | + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } | |
| 344 | + some_person.save! | |
| 345 | + | |
| 346 | + get "/api/v1/people/#{some_person.id}?#{params.to_query}" | |
| 347 | + json = JSON.parse(last_response.body) | |
| 348 | + assert_equal json['person']['additional_data'], {} | |
| 349 | + end | |
| 350 | + | |
| 249 | 351 | should 'display non-public custom fields to friend' do |
| 250 | 352 | login_api |
| 251 | 353 | CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) | ... | ... |