api: restrict access to block endpoint based on block visibility

Victor Costa
1 parent 8184feed
Showing 3 changed files with 72 additions and 3 deletions Show diff stats
app/models/block.rb
lib/noosfero/api/v1/blocks.rb
test/unit/block_test.rb
@@ -76,6 +76,17 @@ class Block &lt; ApplicationRecord
     true
   end
+  def visible_to_user?(user)
+    visible = self.display_to_user?(user)
+    if self.owner.kind_of?(Profile)
+      visible &= self.owner.display_info_to?(user)
+      visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+    elsif self.owner.kind_of?(Environment)
+      visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+    end
+    visible
+  end
+
   def display_to_user?(user)
     display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
   end
@@ -6,9 +6,7 @@ module Noosfero
         resource :blocks do
           get ':id' do
             block = Block.find(params["id"])
-            if block.owner.kind_of?(Profile)
-              return forbidden! unless block.owner.display_info_to?(current_person)
-            end
+            return forbidden! unless block.visible_to_user?(current_person)
             present block, :with => Entities::Block, display_api_content: true
           end
         end
@@ -365,4 +365,64 @@ class BlockTest &lt; ActiveSupport::TestCase
     assert block.get_limit.is_a?(Fixnum)
   end
+  should 'return true at visible_to_user? when block is visible' do
+    block = Block.new
+    person = create_user('person_one').person
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user is nil' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    give_permission(person, 'edit_profile_design', community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    give_permission(person, 'edit_environment_design', environment)
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible to user' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(true)
+    block.expects(:display_to_user?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
 end
	@@ -76,6 +76,17 @@ class Block < ApplicationRecord		@@ -76,6 +76,17 @@ class Block < ApplicationRecord
76	true	76	true
77	end	77	end
78		78
		79	+ def visible_to_user?(user)
		80	+ visible = self.display_to_user?(user)
		81	+ if self.owner.kind_of?(Profile)
		82	+ visible &= self.owner.display_info_to?(user)
		83	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_profile_design, self.owner))
		84	+ elsif self.owner.kind_of?(Environment)
		85	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_environment_design, self.owner))
		86	+ end
		87	+ visible
		88	+ end
		89	+
79	def display_to_user?(user)	90	def display_to_user?(user)
80	display_user == 'all' \|\| (user.nil? && display_user == 'not_logged') \|\| (user && display_user == 'logged') \|\| (user && display_user == 'followers' && user.follows?(owner))	91	display_user == 'all' \|\| (user.nil? && display_user == 'not_logged') \|\| (user && display_user == 'logged') \|\| (user && display_user == 'followers' && user.follows?(owner))
81	end	92	end
	@@ -365,4 +365,64 @@ class BlockTest < ActiveSupport::TestCase		@@ -365,4 +365,64 @@ class BlockTest < ActiveSupport::TestCase
365	assert block.get_limit.is_a?(Fixnum)	365	assert block.get_limit.is_a?(Fixnum)
366	end	366	end
367		367
		368	+ should 'return true at visible_to_user? when block is visible' do
		369	+ block = Block.new
		370	+ person = create_user('person_one').person
		371	+ assert block.visible_to_user?(person)
		372	+ end
		373	+
		374	+ should 'return false at visible_to_user? when block is not visible and user is nil' do
		375	+ block = Block.new
		376	+ person = create_user('person_one').person
		377	+ block.stubs(:owner).returns(person)
		378	+ block.expects(:visible?).returns(false)
		379	+ assert !block.visible_to_user?(nil)
		380	+ end
		381	+
		382	+ should 'return false at visible_to_user? when block is not visible and user does not has permission' do
		383	+ block = Block.new
		384	+ person = create_user('person_one').person
		385	+ community = fast_create(Community)
		386	+ block.stubs(:owner).returns(community)
		387	+ block.expects(:visible?).returns(false)
		388	+ assert !block.visible_to_user?(person)
		389	+ end
		390	+
		391	+ should 'return true at visible_to_user? when block is not visible and user has permission' do
		392	+ block = Block.new
		393	+ person = create_user('person_one').person
		394	+ community = fast_create(Community)
		395	+ give_permission(person, 'edit_profile_design', community)
		396	+ block.stubs(:owner).returns(community)
		397	+ block.expects(:visible?).returns(false)
		398	+ assert block.visible_to_user?(person)
		399	+ end
		400	+
		401	+ should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
		402	+ block = Block.new
		403	+ environment = Environment.default
		404	+ person = create_user('person_one').person
		405	+ block.stubs(:owner).returns(environment)
		406	+ block.expects(:visible?).returns(false)
		407	+ assert !block.visible_to_user?(person)
		408	+ end
		409	+
		410	+ should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
		411	+ block = Block.new
		412	+ environment = Environment.default
		413	+ person = create_user('person_one').person
		414	+ give_permission(person, 'edit_environment_design', environment)
		415	+ block.stubs(:owner).returns(environment)
		416	+ block.expects(:visible?).returns(false)
		417	+ assert block.visible_to_user?(person)
		418	+ end
		419	+
		420	+ should 'return false at visible_to_user? when block is not visible to user' do
		421	+ block = Block.new
		422	+ person = create_user('person_one').person
		423	+ block.stubs(:owner).returns(person)
		424	+ block.expects(:visible?).returns(true)
		425	+ block.expects(:display_to_user?).returns(false)
		426	+ assert !block.visible_to_user?(nil)
		427	+ end
368	end	428	end