Commit 719cdc4629b10fea615b2578c792a57a1d2acc80
1 parent
8184feed
Exists in
staging
and in
29 other branches
api: restrict access to block endpoint based on block visibility
Showing
3 changed files
with
72 additions
and
3 deletions
Show diff stats
app/models/block.rb
| ... | ... | @@ -76,6 +76,17 @@ class Block < ApplicationRecord |
| 76 | 76 | true |
| 77 | 77 | end |
| 78 | 78 | |
| 79 | + def visible_to_user?(user) | |
| 80 | + visible = self.display_to_user?(user) | |
| 81 | + if self.owner.kind_of?(Profile) | |
| 82 | + visible &= self.owner.display_info_to?(user) | |
| 83 | + visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner)) | |
| 84 | + elsif self.owner.kind_of?(Environment) | |
| 85 | + visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner)) | |
| 86 | + end | |
| 87 | + visible | |
| 88 | + end | |
| 89 | + | |
| 79 | 90 | def display_to_user?(user) |
| 80 | 91 | display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner)) |
| 81 | 92 | end | ... | ... |
lib/noosfero/api/v1/blocks.rb
| ... | ... | @@ -6,9 +6,7 @@ module Noosfero |
| 6 | 6 | resource :blocks do |
| 7 | 7 | get ':id' do |
| 8 | 8 | block = Block.find(params["id"]) |
| 9 | - if block.owner.kind_of?(Profile) | |
| 10 | - return forbidden! unless block.owner.display_info_to?(current_person) | |
| 11 | - end | |
| 9 | + return forbidden! unless block.visible_to_user?(current_person) | |
| 12 | 10 | present block, :with => Entities::Block, display_api_content: true |
| 13 | 11 | end |
| 14 | 12 | end | ... | ... |
test/unit/block_test.rb
| ... | ... | @@ -365,4 +365,64 @@ class BlockTest < ActiveSupport::TestCase |
| 365 | 365 | assert block.get_limit.is_a?(Fixnum) |
| 366 | 366 | end |
| 367 | 367 | |
| 368 | + should 'return true at visible_to_user? when block is visible' do | |
| 369 | + block = Block.new | |
| 370 | + person = create_user('person_one').person | |
| 371 | + assert block.visible_to_user?(person) | |
| 372 | + end | |
| 373 | + | |
| 374 | + should 'return false at visible_to_user? when block is not visible and user is nil' do | |
| 375 | + block = Block.new | |
| 376 | + person = create_user('person_one').person | |
| 377 | + block.stubs(:owner).returns(person) | |
| 378 | + block.expects(:visible?).returns(false) | |
| 379 | + assert !block.visible_to_user?(nil) | |
| 380 | + end | |
| 381 | + | |
| 382 | + should 'return false at visible_to_user? when block is not visible and user does not has permission' do | |
| 383 | + block = Block.new | |
| 384 | + person = create_user('person_one').person | |
| 385 | + community = fast_create(Community) | |
| 386 | + block.stubs(:owner).returns(community) | |
| 387 | + block.expects(:visible?).returns(false) | |
| 388 | + assert !block.visible_to_user?(person) | |
| 389 | + end | |
| 390 | + | |
| 391 | + should 'return true at visible_to_user? when block is not visible and user has permission' do | |
| 392 | + block = Block.new | |
| 393 | + person = create_user('person_one').person | |
| 394 | + community = fast_create(Community) | |
| 395 | + give_permission(person, 'edit_profile_design', community) | |
| 396 | + block.stubs(:owner).returns(community) | |
| 397 | + block.expects(:visible?).returns(false) | |
| 398 | + assert block.visible_to_user?(person) | |
| 399 | + end | |
| 400 | + | |
| 401 | + should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do | |
| 402 | + block = Block.new | |
| 403 | + environment = Environment.default | |
| 404 | + person = create_user('person_one').person | |
| 405 | + block.stubs(:owner).returns(environment) | |
| 406 | + block.expects(:visible?).returns(false) | |
| 407 | + assert !block.visible_to_user?(person) | |
| 408 | + end | |
| 409 | + | |
| 410 | + should 'return true at visible_to_user? when block is not visible and user has permission in environment' do | |
| 411 | + block = Block.new | |
| 412 | + environment = Environment.default | |
| 413 | + person = create_user('person_one').person | |
| 414 | + give_permission(person, 'edit_environment_design', environment) | |
| 415 | + block.stubs(:owner).returns(environment) | |
| 416 | + block.expects(:visible?).returns(false) | |
| 417 | + assert block.visible_to_user?(person) | |
| 418 | + end | |
| 419 | + | |
| 420 | + should 'return false at visible_to_user? when block is not visible to user' do | |
| 421 | + block = Block.new | |
| 422 | + person = create_user('person_one').person | |
| 423 | + block.stubs(:owner).returns(person) | |
| 424 | + block.expects(:visible?).returns(true) | |
| 425 | + block.expects(:display_to_user?).returns(false) | |
| 426 | + assert !block.visible_to_user?(nil) | |
| 427 | + end | |
| 368 | 428 | end | ... | ... |