Merge branch 'api_visitor' into 'master'

Reviews API permissions - Reviewed Profile scopes - Removed required authentication for anonymous - Corrected records fetching (considering permission levels) - Conditionally exposes attributes **Includes all changes introduced in !863** See merge request !867

Merge branch 'api_visitor' into 'master'
Reviews API permissions - Reviewed Profile scopes - Removed required authentication for anonymous - Corrected records fetching (considering permission levels) - Conditionally exposes attributes **Includes all changes introduced in !863** See merge request !867
Marcos Pereira
2 parents 82498934 a9df0202
Showing 29 changed files with 414 additions and 292 deletions Show diff stats
app/models/organization.rb
app/models/person.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/v1/activities.rb
lib/noosfero/api/v1/communities.rb
lib/noosfero/api/v1/profiles.rb
lib/noosfero/api/v1/tags.rb
lib/noosfero/api/v1/users.rb
plugins/comment_paragraph/test/unit/api_test.rb
plugins/push_notification/test/api/api_test.rb
test/api/activities_test.rb
test/api/articles_test.rb
test/api/boxes_test.rb
test/api/categories_test.rb
test/api/comments_test.rb
test/api/communities_test.rb
test/api/enterprises_test.rb
test/api/environment_test.rb
test/api/helpers_test.rb
@@ -16,9 +16,7 @@ class Organization &lt; Profile
   #   visible.
   #   4) The user is not a member of the organization but the organization is
   #   visible, public and enabled.
-  def self.visible_for_person(person)
-    # Visitor if person.nil?
-    person_id = person.nil? ? nil : person.id
+  def self.listed_for_person(person)
     joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
           AND "role_assignments"."resource_type" = \'Profile\') OR (
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -28,13 +26,24 @@ class Organization &lt; Profile
       ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
         OR
         ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
-            ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
+            ( profiles.enabled = ? ) ) AND
           ( profiles.visible = ? ) )',
-      'profile_admin', 'environment_administrator', Profile.name, person_id,
-      Profile.name, person_id,  true, true, true]
+      'profile_admin', 'environment_administrator', Profile.name, person.id,
+      Profile.name, person.id, true, true]
     ).uniq
   end
  
+  def self.visible_for_person(person)
+    listed_for_person(person).where(
+      ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
+        OR
+        ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+          ( profiles.enabled = ? AND profiles.public_profile = ? ) )',
+      'profile_admin', 'environment_administrator', Profile.name, person.id,
+      Profile.name, person.id,  true, true]
+    )
+  end
+
   settings_items :closed, :type => :boolean, :default => false
   def closed?
     closed
@@ -42,8 +42,6 @@ class Person &lt; Profile
   }
  
   scope :visible_for_person, lambda { |person|
-    # Visitor if person.nil?
-    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
           "role_assignments"."resource_type" = \'Environment\'')
@@ -52,7 +50,7 @@ class Person &lt; Profile
     .where(
       ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
         ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
-         'environment_administrator', Profile.name, person_id, person_id,  true, true]
+         'environment_administrator', Profile.name, person.id, person.id,  true, true]
     ).uniq
   }
  
@@ -374,7 +372,7 @@ class Person &lt; Profile
     ['%s@%s' % [self.identifier, self.email_domain] ]
   end
  
-  def display_info_to?(user)
+  def display_private_info_to?(user)
     if friends.include?(user)
       true
     else
@@ -9,13 +9,18 @@ module Noosfero
       PERMISSIONS = {
         :admin => 0,
         :self  => 10,
-        :friend => 20,
+        :private_content => 20,
         :logged_user => 30,
         :anonymous => 40
       }
  
-      def self.can_display? profile, options, field, permission = :friend
-        return true if profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+      def self.can_display_profile_field? profile, options, permission_options={}
+        permissions={:field => "", :permission => :private_content}
+        permissions.merge!(permission_options)
+        field = permissions[:field]
+        permission = permissions[:permission]
+        return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
         current_person = options[:current_person]
  
         current_permission = if current_person.present?
@@ -23,8 +28,8 @@ module Noosfero
             :admin
           elsif current_person == profile
             :self
-          elsif current_person.friends.include?(profile)
-            :friend
+          elsif profile.display_private_info_to?(current_person)
+            :private_content
           else
             :logged_user
           end
@@ -103,7 +108,7 @@ module Noosfero
  
           private_values = profile.custom_field_values - profile.public_values
           private_values.each do |value|
-            if Entities.can_display?(profile,options,:custom_field)
+            if Entities.can_display_profile_field?(profile,options)
               hash[value.custom_field.name]=value.value
             end
           end
@@ -143,11 +148,11 @@ module Noosfero
       class Community < Profile
         root 'communities', 'community'
         expose :description
-        expose :admins do |community, options|
+        expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
           community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
         end
         expose :categories, :using => Category
-        expose :members, :using => Person
+        expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
       end
  
       class CommentBase < Entity
@@ -209,11 +214,11 @@ module Noosfero
  
         attrs.each do |attribute|
           name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
-          expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display?(user.person, options, attribute)}
+          expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field =>  attribute})}
         end
  
-        expose :person, :using => Person
-        expose :permissions, :if => lambda{|user,options| Entities.can_display?(user.person, options, :permissions, :self)} do |user, options|
+        expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+        expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
           output = {}
           user.person.role_assignments.map do |role_assigment|
             if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
@@ -266,6 +266,13 @@ require_relative &#39;../../find_by_contents&#39;
         unauthorized! unless current_user
       end
  
+      def profiles_for_person(profiles, person)
+        if person
+          profiles.listed_for_person(person)
+        else
+          profiles.visible
+        end
+      end
  
       # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
       # or a Bad Request error is invoked.
@@ -7,9 +7,11 @@ module Noosfero
         resource :profiles do
  
           get ':id/activities' do
-            profile = environment.profiles
-            profile = profile.visible_for_person(current_person) if profile.respond_to?(:visible_for_person)
-            profile = profile.find_by id: params[:id]
+            profile = Profile.find_by id: params[:id]
+
+            not_found! if profile.blank? || profile.secret || !profile.visible
+            forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
             activities = profile.activities.map(&:activity)
             present activities, :with => Entities::Activity, :current_person => current_person
           end
@@ -17,8 +17,8 @@ module Noosfero
           #  GET /communities?reference_id=10&limit=10&oldest
           get do
             communities = select_filtered_collection_of(environment, 'communities', params)
-            communities = communities.visible
-            communities = communities.by_location(params) # Must be the last. May return Exception obj.
+            communities = profiles_for_person(communities, current_person)
+            communities = communities.by_location(params) # Must be the last. May return Exception obj
             present communities, :with => Entities::Community, :current_person => current_person
           end
  
@@ -49,7 +49,7 @@ module Noosfero
           end
  
           get ':id' do
-            community = environment.communities.visible.find_by(id: params[:id])
+            community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
             present community, :with => Entities::Community, :current_person => current_person
           end
  
@@ -63,6 +63,10 @@ module Noosfero
  
               get do
                 person = environment.people.find(params[:person_id])
+
+                not_found! if person.blank?
+                forbidden! if !person.display_info_to?(current_person)
+
                 communities = select_filtered_collection_of(person, 'communities', params)
                 communities = communities.visible
                 present communities, :with => Entities::Community, :current_person => current_person
@@ -16,7 +16,12 @@ module Noosfero
             profiles = environment.profiles
             profiles = profiles.visible
             profile = profiles.find_by id: params[:id]
-            present profile, :with => Entities::Profile, :current_person => current_person
+
+            if profile
+              present profile, :with => Entities::Profile, :current_person => current_person
+            else
+              not_found!
+            end
           end
  
           delete ':id' do
@@ -3,16 +3,16 @@ module Noosfero
     module V1
       class Tags < Grape::API
         before { authenticate! }
-  
+
         resource :articles do
  
           resource ':id/tags' do
-  
+
             get do
               article = find_article(environment.articles, params[:id])
               present article.tag_list
             end
-    
+
             desc "Add a tag to an article"
             post do
               article = find_article(environment.articles, params[:id])
@@ -20,10 +20,8 @@ module Noosfero
               article.save
               present article.tag_list
             end
-    
           end
         end
-  
       end
     end
   end
@@ -18,10 +18,11 @@ module Noosfero
  
           get ":id" do
             user = environment.users.find_by id: params[:id]
-            unless user.person.display_info_to? current_person
-              unauthorized!
+            if user
+              present user, :with => Entities::User, :current_person => current_person
+            else
+              not_found!
             end
-            present user, :with => Entities::User, :current_person => current_person
           end
  
           get ":id/permissions" do
@@ -4,6 +4,7 @@ require_relative &#39;../../../../test/api/test_helper&#39;
 class APITest <  ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
     environment.enable_plugin(CommentParagraphPlugin)
   end
@@ -3,6 +3,7 @@ require_relative &#39;../../../../test/api/test_helper&#39;
 class PushNotificationApiTest < ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
     environment = Environment.default
     environment.enable_plugin(PushNotificationPlugin)
@@ -3,20 +3,74 @@ require_relative &#39;test_helper&#39;
 class ActivitiesTest < ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
   end
  
-  should 'get activity from profile' do
-    person = fast_create(Person)
-    organization = fast_create(Organization)
-    assert_difference 'organization.activities_count' do
-      ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => organization
-      organization.reload
-    end
-    get "/api/v1/profiles/#{organization.id}/activities?#{params.to_query}"
+  should 'get own activities' do
+    create_activity(person)
+
+    get "/api/v1/profiles/#{person.id}/activities?#{params.to_query}"
     json = JSON.parse(last_response.body)
+
     assert 1, json["activities"].count
-    assert_equal organization.activities.map(&:activity).first.id, json["activities"].first["id"]
+    assert_equivalent person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  should 'not get private community activities' do
+    community = fast_create(Community, :public_profile => false)
+    create_activity(community)
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'not get community activities if not member' do
+    community = fast_create(Community)
+    other_person = fast_create(Person)
+    community.add_member(other_person) # so there is an activity in community
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'get community activities for member' do
+    community = fast_create(Community)
+    create_activity(community)
+    community.add_member(person)
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent community.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  should 'not get other person activities' do
+    other_person = fast_create(Person)
+    create_activity(other_person)
+
+    get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'get friend activities' do
+    other_person = fast_create(Person)
+    other_person.add_friend(person)
+    create_activity(other_person)
+
+    get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent other_person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  def create_activity(target)
+    activity = ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => target
+    ProfileActivity.create! profile_id: target.id, activity: activity
   end
  
 end
@@ -3,6 +3,7 @@ require_relative &#39;test_helper&#39;
 class ArticlesTest < ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
   end
  
@@ -199,7 +200,6 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true)
     @params[:value] = 1
     post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
-    puts JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
  
@@ -3,8 +3,7 @@ require_relative &#39;test_helper&#39;
 class BoxesTest < ActiveSupport::TestCase
  
   def setup
-    @controller = AccountController.new
-    @request = ActionController::TestRequest.new
+    create_and_activate_user
     login_api
 #    @request = ActionController::TestRequest.new
   end
@@ -2,6 +2,9 @@ require_relative &#39;test_helper&#39;
  
 class CategoriesTest < ActiveSupport::TestCase
  
+  def setup
+    create_and_activate_user
+  end
  
   should 'logged user list categories' do
     login_api
@@ -11,7 +14,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
  
-  should 'logged user get category by id' do
+  should 'get category by id to logged user' do
     login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
@@ -19,7 +22,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equal category.name, json["category"]["name"]
   end
  
-  should 'logged user list parent and children when get category by id' do
+  should 'list parent and children when get category by id to logged user' do
     login_api
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -37,7 +40,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
   end
  
-  should 'logged user include parent in categories list if params is true' do
+  should 'include parent in categories list if params is true to logged_user' do
     login_api
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -60,7 +63,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
       json["categories"].map { |c| c['parent'] && c['parent']['id'] }
   end
  
-  should 'logged user include children in categories list if params is true' do
+  should 'include children in categories list if params is true to logged user' do
     login_api
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -88,7 +91,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   expose_attributes = %w(id name full_name image display_color)
  
   expose_attributes.each do |attr|
-    should "logged user expose category #{attr} attribute by default" do
+    should "expose category #{attr} attribute by default to logged user" do
       login_api
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
@@ -97,24 +100,21 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
  
-  should 'anonymous list categories' do
-    anonymous_setup
+  should 'list categories to anonymous' do
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
  
-  should 'anonymous get category by id' do
-    anonymous_setup
+  should 'get category by id to anonymous' do
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal category.name, json["category"]["name"]
   end
  
-  should 'anonymous list parent and children when get category by id' do
-    anonymous_setup
+  should 'list parent and children when get category by id to anonymous' do
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -132,7 +132,6 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous include parent in categories list if params is true' do
-    anonymous_setup
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -155,7 +154,6 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous include children in categories list if params is true' do
-    anonymous_setup
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -180,8 +178,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
  
   expose_attributes.each do |attr|
-    should "anonymous expose category #{attr} attribute by default" do
-      anonymous_setup
+    should "expose category #{attr} attribute by default to anonymous" do
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
       json = JSON.parse(last_response.body)
@@ -189,6 +186,4 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
  
-
-
 end
@@ -4,13 +4,12 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   def setup
     @local_person = fast_create(Person)
-    anonymous_setup
+    create_and_activate_user
   end
-  attr_reader :local_person
  
   should 'logged user not list comments if user has no permission to view the source article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -19,8 +18,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user not return comment if user has no permission to view the source article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
     assert !article.published?
  
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
@@ -29,7 +28,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user not comment an article if user has no permission to view it' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
  
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -38,9 +37,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user return comments of an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => local_person)
-    article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @local_person)
+    article.comments.create!(:body => "another comment", :author => @local_person)
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -50,8 +49,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user return comment of an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
  
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -61,7 +60,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user comment an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
  
@@ -84,7 +83,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user comment creation define the source' do
     login_api
     amount = Comment.count
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
  
@@ -103,7 +102,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
     Environment.default.enable_plugin(Plugin1)
  
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
  
@@ -113,7 +112,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous do not return comments marked as spam' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -121,41 +120,42 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
  
-  should 'not, anonymous list comments if has no permission to view the source article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+  should 'not list comments if anonymous has no permission to view the source article' do
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
     assert !article.published?
-  
+
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
-  
-  should 'anonymous return comments of an article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => local_person)
-    article.comments.create!(:body => "another comment", :author => local_person)
-  
+
+  should 'return comments of an article for anonymous' do
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @local_person)
+    article.comments.create!(:body => "another comment", :author => @local_person)
+
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 200, last_response.status
     assert_equal 2, json["comments"].length
   end
-  
-  should 'anonymous return comment of an article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
-  
+
+  should 'return comment of an article for anonymous' do
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
+
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 200, last_response.status
     assert_equal comment.id, json['comment']['id']
   end
  
-  should 'not, anonymous comment an article (at least so far...)' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+  should 'anonymous user not comment an article' do
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
     body = 'My comment'
     name = "John Doe"
     email = "JohnDoe@gmail.com"
     params.merge!({:body => body, name: name, email: email})
+
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 401, last_response.status
@@ -163,8 +163,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user paginate comments' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    5.times { article.comments.create!(:body => "some comment", :author => local_person) }
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    5.times { article.comments.create!(:body => "some comment", :author => @local_person) }
     params[:per_page] = 3
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -175,9 +175,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
  
   should 'logged user return only root comments' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment1 = article.comments.create!(:body => "some comment", :author => local_person)
-    comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment1 = article.comments.create!(:body => "some comment", :author => @local_person)
+    comment2 = article.comments.create!(:body => "another comment", :author => @local_person, :reply_of_id => comment1.id)
     params[:without_reply] = true
  
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -4,28 +4,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
  
   def setup
     Community.delete_all
+    create_and_activate_user
   end
  
-  should 'logged user list only communities' do
+  should 'list only communities to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
     assert_includes json['communities'].map {|c| c['id']}, community.id
   end
  
-  should 'logged user list all communities' do
+  should 'list all communities to logged user' do
     login_api
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not, logged user list invisible communities' do
+  should 'not list invisible communities to logged user' do
     login_api
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
@@ -35,28 +38,28 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'logged user list private communities' do
-      login_api
-      community1 = fast_create(Community, :environment_id => environment.id)
-      community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'list private communities to logged user' do
+    login_api
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
-      get "/api/v1/communities?#{params.to_query}"
-      json = JSON.parse(last_response.body)
-      assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'logged user list private community for members' do
+  should 'list private communities to logged members' do
     login_api
-    c1 = fast_create(Community, :environment_id => environment.id)
-    c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
-    c2.add_member(person)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    community2.add_member(person)
  
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'logged user create a community' do
+  should 'create a community with logged user' do
     login_api
     params[:community] = {:name => 'some'}
     post "/api/v1/communities?#{params.to_query}"
@@ -64,14 +67,14 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal 'some', json['community']['name']
   end
  
-  should 'logged user return 400 status for invalid community creation' do
+  should 'return 400 status for invalid community creation to logged user ' do
     login_api
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
  
-  should 'logged user get community' do
+  should 'get community to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
  
@@ -80,26 +83,27 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
  
-  should 'not, logged user get invisible community' do
+  should 'not list invisible community to logged users' do
     login_api
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert json['community'].blank?
+
+    assert_nil json["community"]
   end
  
-  should 'not, logged user get private communities without permission' do
+  should 'not get private community content to non member' do
     login_api
-    community = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_nil json['community']['members']
   end
  
-  should 'logged user get private community for members' do
+  should 'get private community to logged member' do
     login_api
     community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
     community.add_member(person)
@@ -107,9 +111,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_not_nil json['community']['members']
   end
  
-  should 'logged user list person communities' do
+  should 'list person communities to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id)
@@ -120,16 +125,16 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not, logged user list person communities invisible' do
+  should 'not list person invisible communities to logged user' do
     login_api
-    c1 = fast_create(Community, :environment_id => environment.id)
-    c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
-    c1.add_member(person)
-    c2.add_member(person)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :visible => false)
+    community1.add_member(person)
+    community2.add_member(person)
  
     get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
+    assert_equivalent [community1.id], json['communities'].map {|c| c['id']}
   end
  
   should 'logged user list communities with pagination' do
@@ -147,7 +152,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     get "/api/v1/communities?#{params.to_query}"
     json_page_one = JSON.parse(last_response.body)
  
-
     assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
     assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
  
@@ -155,7 +159,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
  
-  should 'logged user list communities with timestamp' do
+  should 'list communities with timestamp to logged user' do
     login_api
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
@@ -172,9 +176,9 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list only communities' do
-    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
@@ -182,16 +186,15 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list all communities' do
-    anonymous_setup
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not, anonymous list invisible communities' do
-    anonymous_setup
+  should 'not list invisible communities to anonymous' do
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
  
@@ -200,8 +203,17 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'anonymous list private communities' do
-    anonymous_setup
+  should 'list all visible communities except secret ones to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    private_community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    secret_community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :secret => true)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community.id, private_community.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'list private communities to anonymous' do
     community1 = fast_create(Community, :environment_id => environment.id)
     community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
@@ -210,41 +222,59 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'not, anonymous create a community' do
-    anonymous_setup
+  should 'not create a community as an anonymous user' do
     params[:community] = {:name => 'some'}
+
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 401, last_response.status
   end
  
-  should 'anonymous get community' do
-    anonymous_setup
+  should 'get community for anonymous' do
     community = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
   end
  
-  should 'not, anonymous get invisible community' do
-    anonymous_setup
+  should 'not get invisible community to anonymous user' do
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert json['community'].blank?
   end
  
-  should 'not, anonymous get private communities' do
-    anonymous_setup
-    community = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'get private community to anonymous user' do
+    community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_nil json['community']['members']
+  end
+
+  should 'list public person communities to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id)
+    community.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
  
-  should 'anonymous list communities with pagination' do
-    anonymous_setup
+  should 'not list private person communities to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id)
+    person.public_profile = false
+    person.save
+    community.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'list communities with pagination to anonymous' do
     community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
     community2 = fast_create(Community, :created_at => 2.days.ago)
  
@@ -265,8 +295,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
  
-  should 'anonymous list communities with timestamp' do
-    anonymous_setup
+  should 'list communities with timestamp to anonymous ' do
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
  
@@ -282,7 +311,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
     some_community = fast_create(Community)
     some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -295,7 +323,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not display private custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
     some_community = fast_create(Community)
     some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -306,5 +333,4 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     refute json['community']['additional_data'].has_key?('Rating')
   end
  
-
 end
@@ -4,6 +4,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
  
   def setup
     Enterprise.delete_all
+    create_and_activate_user
   end
  
   should 'logger user list only enterprises' do
@@ -17,7 +18,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list only enterprises' do
-    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id) # should not list this community
     enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -27,7 +27,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list all enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -55,7 +54,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not, anonymous list invisible enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
  
@@ -64,7 +62,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
  
-  should 'not, logger user list invisible enterprises' do
+  should 'not, logged user list invisible enterprises' do
     login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
@@ -75,7 +73,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list private enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  
@@ -106,7 +103,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous get enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -133,7 +129,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not, anonymous get invisible enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :visible => false)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -152,7 +147,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not, anonymous get private enterprises' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  
@@ -195,7 +189,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -208,7 +201,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -2,6 +2,10 @@ require_relative &#39;test_helper&#39;
  
 class EnvironmentTest < ActiveSupport::TestCase
  
+  def setup
+    create_and_activate_user
+  end
+
   should 'return the default environment' do
     environment = Environment.default
     get "/api/v1/environment/default"
@@ -62,6 +66,6 @@ class EnvironmentTest &lt; ActiveSupport::TestCase
     get "/api/v1/environment/context"
     json = JSON.parse(last_response.body)
     assert_equal context_env.id, json['id']
-  end  
+  end
  
 end
@@ -6,28 +6,26 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   include Noosfero::API::APIHelpers
  
   def setup
+    create_and_activate_user
     @headers = {}
   end
  
   attr_accessor :headers
  
   should 'get the current user with valid token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user, current_user
   end
  
   should 'get the current user with valid token in header' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     headers['Private-Token'] = user.private_token
     assert_equal user, current_user
   end
  
   should 'get the current user even with expired token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     user.private_token_generated_at = DateTime.now.prev_year
     user.save
     self.params = {:private_token => user.private_token}
@@ -35,8 +33,7 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   end
  
   should 'get the person of current user' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user.person, current_person
   end
@@ -106,24 +103,22 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   end
  
   should 'find_article return article by id in list passed for user with permission' do
-    user = create_user('someuser')
+    login_api
     a = fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
  
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal a, find_article(user.person.articles, a.id)
   end
  
   should 'find_article return forbidden when a user try to access an article without permission' do
-    user = create_user('someuser')
+    login_api
     p = fast_create(Profile)
     a = fast_create(Article, :published => false, :profile_id => p.id)
     fast_create(Article, :profile_id => p.id)
  
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal 403, find_article(p.articles, a.id).last
@@ -3,7 +3,8 @@ require_relative &#39;test_helper&#39;
 class PeopleTest < ActiveSupport::TestCase
  
   def setup
-    Person.delete_all
+    Person.destroy_all
+    create_and_activate_user
   end
  
   should 'logged user list all people' do
@@ -16,12 +17,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list all people' do
-    anonymous_setup
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
     get "/api/v1/people?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+    assert_equivalent [person.id, person1.id, person2.id], json['people'].map {|c| c['id']}
   end
  
   should 'logged user list all members of a community' do
@@ -39,7 +39,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list all members of a community' do
-    anonymous_setup
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -61,7 +60,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'annoymous not list invisible people' do
-    anonymous_setup
     invisible_person = fast_create(Person, :visible => false)
  
     get "/api/v1/people?#{params.to_query}"
@@ -77,7 +75,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
  
     get "/api/v1/people?#{params.to_query}"
@@ -105,7 +102,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous get person' do
-    anonymous_setup
     some_person = fast_create(Person)
  
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
@@ -113,7 +109,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['person']['id']
   end
  
-
   should 'people endpoint filter by fields parameter for logged user' do
     login_api
     get "/api/v1/people?#{params.to_query}&fields=name"
@@ -156,7 +151,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous not get invisible person' do
-    anonymous_setup
     person = fast_create(Person, :visible => false)
  
     get "/api/v1/people/#{person.id}?#{params.to_query}"
@@ -174,7 +168,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous get private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
  
     get "/api/v1/people/#{private_person.id}?#{params.to_query}"
@@ -203,7 +196,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous list person friends' do
-    anonymous_setup
     person = fast_create(Person)
     friend = fast_create(Person)
     person.add_friend(friend)
@@ -274,7 +266,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
  
   should 'not display permissions if not admin or self' do
     login_api
-    some_person = create_user('some-person').person
+    some_person = fast_create(Person)
  
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
     assert_equal 403, last_response.status
@@ -300,8 +292,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
  
   should 'logged user display public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
     some_person.save!
  
@@ -313,10 +308,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
  
   should 'logged user not display non-public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
+    some_person.user.activate
  
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -324,36 +320,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'display public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.reload
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    person.save!
  
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json['person']['additional_data'].has_key?('Custom Blog')
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
  
   should 'not display non-public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    person.save!
  
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal json['person']['additional_data'], {}
   end
  
   should 'hide private fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
-    target_person.save!
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
  
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
     refute json["user"].has_key?("activated")
@@ -361,15 +352,16 @@ class PeopleTest &lt; ActiveSupport::TestCase
  
   should 'display non-public custom fields to friend' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
  
-    f = Friendship.new
-    f.friend = some_person
-    f.person = person
-    f.save!
+    some_person.add_friend(person)
+    person.add_friend(some_person)
  
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -4,6 +4,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
  
   def setup
     Profile.delete_all
+    create_and_activate_user
   end
  
   should 'logged user list all profiles' do
@@ -24,6 +25,13 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['id']
   end
  
+  should 'not get inexistent profile' do
+    login_api
+    get "/api/v1/profiles/invalid_id?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 404, last_response.status
+  end
+
   should 'logged user get community from profile id' do
     login_api
     community = fast_create(Community)
@@ -85,7 +93,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
  
   should 'anonymous user access delete action' do
-    anonymous_setup
     profile = fast_create(Person, :environment_id => environment.id)
  
     delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
@@ -99,7 +106,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     community = fast_create(Community)
     get "/api/v1/profiles"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+    assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
   end
  
   should 'anonymous get person from profile id' do
@@ -117,7 +124,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
  
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
     some_profile = fast_create(Profile)
     some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -130,7 +136,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not display private custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
     some_profile = fast_create(Profile)
     some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -3,9 +3,8 @@ require_relative &#39;test_helper&#39;
 class SearchTest < ActiveSupport::TestCase
  
   def setup
-    @person = create_user('testing').person
+    create_and_activate_user
   end
-  attr_reader :person
  
   should 'not list unpublished articles' do
     Article.delete_all
@@ -3,6 +3,7 @@ require_relative &#39;test_helper&#39;
 class SessionTest < ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
   end
  
@@ -147,10 +148,9 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
  
   should 'create task to change password by user login' do
-    user = create_user
     params = {:value => user.login}
     assert_difference 'ChangePassword.count' do
-      post "/api/v1/forgot_password?#{params.to_query}"
+        post "/api/v1/forgot_password?#{params.to_query}"
     end
   end
  
@@ -173,8 +173,6 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
  
   should 'do not change user password when password confirmation is wrong' do
-    user = create_user
-    user.activate
     task = ChangePassword.create!(:requestor => user.person)
     params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
     patch "/api/v1/new_password?#{params.to_query}"
@@ -200,8 +198,8 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
  
   should 'resend activation code for an inactive user' do
-    user = create_user
-    params = {:value => user.login}
+    another_user = User.create!(:login => "userlogin", :password => 'testapi', :password_confirmation => 'testapi', :email => 'test2@test.org', :environment => @environment)
+    params = {:value => another_user.login}
     Delayed::Job.destroy_all
     assert_difference 'ActionMailer::Base.deliveries.size' do
       post "/api/v1/resend_activation_code?#{params.to_query}"
@@ -209,13 +207,11 @@ class SessionTest &lt; ActiveSupport::TestCase
     end
     json = JSON.parse(last_response.body)
     refute json['users'].first['private_token']
-    assert_equal user.email, ActionMailer::Base.deliveries.last['to'].to_s
+    assert_equal another_user.email, ActionMailer::Base.deliveries.last['to'].to_s
   end
  
    should 'not resend activation code for an active user' do
-     user = create_user
      params = {:value => user.login}
-     user.activate
      Delayed::Job.destroy_all
      assert_no_difference 'ActionMailer::Base.deliveries.size' do
        post "/api/v1/resend_activation_code?#{params.to_query}"
@@ -3,8 +3,8 @@ require_relative &#39;test_helper&#39;
 class TasksTest < ActiveSupport::TestCase
  
   def setup
+    create_and_activate_user
     login_api
-    @person = user.person
     @community = fast_create(Community)
     @environment = Environment.default
   end
@@ -4,17 +4,23 @@ class ActiveSupport::TestCase
  
   include Rack::Test::Methods
  
+  USER_PASSWORD = "testapi"
+  USER_LOGIN = "testapi"
+
   def app
     Noosfero::API::API
   end
  
-  def login_api
+  def create_and_activate_user
     @environment = Environment.default
-    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)
+    @user = User.create!(:login => USER_LOGIN, :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test@test.org', :environment => @environment)
     @user.activate
     @person = @user.person
+    @params = {}
+  end
  
-    post "/api/v1/login?login=testapi&password=testapi"
+  def login_api
+    post "/api/v1/login?login=#{USER_LOGIN}&password=#{USER_PASSWORD}"
     json = JSON.parse(last_response.body)
     @private_token = json["private_token"]
     unless @private_token
@@ -22,12 +28,7 @@ class ActiveSupport::TestCase
       @private_token = @user.private_token
     end
  
-    @params = {:private_token => @private_token}
-  end
-
-  def anonymous_setup
-    @environment = Environment.default
-    @params = {}
+    @params[:private_token] = @private_token
   end
  
   attr_accessor :private_token, :user, :person, :params, :environment
@@ -3,6 +3,10 @@ require_relative &#39;test_helper&#39;
  
 class UsersTest < ActiveSupport::TestCase
  
+  def setup
+    create_and_activate_user
+  end
+
   should 'logger user list users' do
     login_api
     get "/api/v1/users/?#{params.to_query}"
@@ -35,8 +39,8 @@ class UsersTest &lt; ActiveSupport::TestCase
  
   should 'not show permissions to logged user' do
     login_api
-    target_person = create_user('some-user').person
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
   end
@@ -50,12 +54,10 @@ class UsersTest &lt; ActiveSupport::TestCase
  
   should 'not show permissions to friend' do
     login_api
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
  
-    f = Friendship.new
-    f.friend = target_person
-    f.person = person
-    f.save!
+    target_person.add_friend(person)
+    person.add_friend(target_person)
  
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -64,19 +66,21 @@ class UsersTest &lt; ActiveSupport::TestCase
  
   should 'not show private attribute to logged user' do
     login_api
-    target_person = create_user('some-user').person
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    refute json["user"].has_key?("email")
+    assert_equal 200, last_response.status
+    assert_nil json['user']['email']
+    assert_nil json['user']['person']
   end
  
   should 'show private attr to friend' do
     login_api
-    target_person = create_user('some-user').person
-    f = Friendship.new
-    f.friend = target_person
-    f.person = person
-    f.save!
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    target_person.add_friend(person)
+    person.add_friend(target_person)
+
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("email")
@@ -85,9 +89,12 @@ class UsersTest &lt; ActiveSupport::TestCase
  
   should 'show public attribute to logged user' do
     login_api
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    target_person.public_profile = true
+    target_person.visible = true
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
+
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("email")
@@ -98,7 +105,7 @@ class UsersTest &lt; ActiveSupport::TestCase
     login_api
     Environment.default.add_admin(person)
  
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
  
@@ -110,9 +117,10 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'show public fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     target_person.fields_privacy={:email=> 'public'}
+    target_person.public_profile = true
+    target_person.visible = true
     target_person.save!
  
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
@@ -121,11 +129,9 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
  
   should 'hide private fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
-    target_person.save!
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
  
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
     refute json["user"].has_key?("activated")
@@ -458,7 +458,7 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     refute c.is_admin?(moderator)
   end
  
-  should 'fetch organizations there are visible for a user' do
+  should 'fetch organizations that are visible for users' do
     person = create_user('some-person').person
     admin = create_user('some-admin').person
     env_admin = create_user('env-admin').person
@@ -513,18 +513,58 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     assert_includes     env_admin_orgs, o7
   end
  
-  should 'fetch organizations there are visible for a visitor' do
-    visitor = nil
-    Organization.destroy_all
+  should 'fetch organizations that are listed for users' do
+    person = create_user('some-person').person
+    admin = create_user('some-admin').person
+    env_admin = create_user('env-admin').person
+
     o1 = fast_create(Organization, :public_profile => true , :visible => true )
-    o2 = fast_create(Organization, :public_profile => false, :visible => true )
-    o3 = fast_create(Organization, :public_profile => true , :visible => false)
-    o4 = fast_create(Organization, :public_profile => false, :visible => false)
-    person_orgs    = Organization.visible_for_person(visitor)
-    assert_includes       person_orgs,    o1
-    assert_not_includes   person_orgs,    o2
-    assert_not_includes   person_orgs,    o3
-    assert_not_includes   person_orgs,    o4
-  end
+    o1.add_admin(admin)
+    o1.add_member(person)
+
+    o2 = fast_create(Organization, :public_profile => true , :visible => true )
+    o3 = fast_create(Organization, :public_profile => false, :visible => true )
+
+    o4 = fast_create(Organization, :public_profile => false, :visible => true)
+    o4.add_admin(admin)
+    o4.add_member(person)
+
+    o5 = fast_create(Organization, :public_profile => true , :visible => false)
+    o5.add_admin(admin)
+    o5.add_member(person)
+
+    o6 = fast_create(Enterprise, :enabled => false, :visible => true)
+    o6.add_admin(admin)
+
+    o7 = fast_create(Organization, :public_profile => false, :visible => false)
+
+    Environment.default.add_admin(env_admin)
+
+    person_orgs    = Organization.listed_for_person(person)
+    admin_orgs     = Organization.listed_for_person(admin)
+    env_admin_orgs = Organization.listed_for_person(env_admin)
+
+    assert_includes     person_orgs,    o1
+    assert_includes     admin_orgs,     o1
+    assert_includes     env_admin_orgs, o1
+
+    assert_includes     person_orgs,    o2
+    assert_includes     env_admin_orgs, o2
+    assert_includes     person_orgs,    o3
+    assert_includes     env_admin_orgs, o3
+
+    assert_includes     person_orgs,    o4
+    assert_includes     admin_orgs,     o4
+    assert_includes     env_admin_orgs, o4
+
+    assert_not_includes person_orgs,    o5
+    assert_includes     admin_orgs,     o5
+    assert_includes     env_admin_orgs, o5
  
+    assert_not_includes person_orgs,    o6
+    assert_includes     admin_orgs,     o6
+
+    assert_not_includes person_orgs,    o7
+    assert_includes     env_admin_orgs, o7
+  end
 end
@@ -1951,17 +1951,4 @@ class PersonTest &lt; ActiveSupport::TestCase
     person.save!
   end
  
-  should 'fetch people there are visible for a visitor' do
-    person = nil
-    p1 = fast_create(Person, :public_profile => true , :visible => true)
-    p2 = fast_create(Person, :public_profile => false, :visible => true)
-    p3 = fast_create(Person, :public_profile => true , :visible => false)
-    p4 = fast_create(Person, :public_profile => false, :visible => false)
-    people_visible_by_visitor = Person.visible_for_person(person)
-    assert_includes     people_visible_by_visitor, p1
-    assert_not_includes people_visible_by_visitor, p2
-    assert_not_includes people_visible_by_visitor, p3
-    assert_not_includes people_visible_by_visitor, p4
-  end
-
 end
...	...	@@ -16,9 +16,7 @@ class Organization < Profile
16	16	# visible.
17	17	# 4) The user is not a member of the organization but the organization is
18	18	# visible, public and enabled.
19		- def self.visible_for_person(person)
20		- # Visitor if person.nil?
21		- person_id = person.nil? ? nil : person.id
	19	+ def self.listed_for_person(person)
22	20	joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
23	21	AND "role_assignments"."resource_type" = \'Profile\') OR (
24	22	"role_assignments"."resource_id" = "profiles"."environment_id" AND
...	...	@@ -28,13 +26,24 @@ class Organization < Profile
28	26	['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
29	27	OR
30	28	( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
31		- ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
	29	+ ( profiles.enabled = ? ) ) AND
32	30	( profiles.visible = ? ) )',
33		- 'profile_admin', 'environment_administrator', Profile.name, person_id,
34		- Profile.name, person_id, true, true, true]
	31	+ 'profile_admin', 'environment_administrator', Profile.name, person.id,
	32	+ Profile.name, person.id, true, true]
35	33	).uniq
36	34	end
37	35
	36	+ def self.visible_for_person(person)
	37	+ listed_for_person(person).where(
	38	+ ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
	39	+ OR
	40	+ ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
	41	+ ( profiles.enabled = ? AND profiles.public_profile = ? ) )',
	42	+ 'profile_admin', 'environment_administrator', Profile.name, person.id,
	43	+ Profile.name, person.id, true, true]
	44	+ )
	45	+ end
	46	+
38	47	settings_items :closed, :type => :boolean, :default => false
39	48	def closed?
40	49	closed
...	...
...	...	@@ -42,8 +42,6 @@ class Person < Profile
42	42	}
43	43
44	44	scope :visible_for_person, lambda { \|person\|
45		- # Visitor if person.nil?
46		- person_id = person.nil? ? nil : person.id
47	45	joins('LEFT JOIN "role_assignments" ON
48	46	"role_assignments"."resource_id" = "profiles"."environment_id" AND
49	47	"role_assignments"."resource_type" = \'Environment\'')
...	...	@@ -52,7 +50,7 @@ class Person < Profile
52	50	.where(
53	51	['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
54	52	( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
55		- 'environment_administrator', Profile.name, person_id, person_id, true, true]
	53	+ 'environment_administrator', Profile.name, person.id, person.id, true, true]
56	54	).uniq
57	55	}
58	56
...	...	@@ -374,7 +372,7 @@ class Person < Profile
374	372	['%s@%s' % [self.identifier, self.email_domain] ]
375	373	end
376	374
377		- def display_info_to?(user)
	375	+ def display_private_info_to?(user)
378	376	if friends.include?(user)
379	377	true
380	378	else
...	...
...	...	@@ -9,13 +9,18 @@ module Noosfero
9	9	PERMISSIONS = {
10	10	:admin => 0,
11	11	:self => 10,
12		- :friend => 20,
	12	+ :private_content => 20,
13	13	:logged_user => 30,
14	14	:anonymous => 40
15	15	}
16	16
17		- def self.can_display? profile, options, field, permission = :friend
18		- return true if profile.public_fields.map{\|f\| f.to_sym}.include?(field.to_sym)
	17	+ def self.can_display_profile_field? profile, options, permission_options={}
	18	+ permissions={:field => "", :permission => :private_content}
	19	+ permissions.merge!(permission_options)
	20	+ field = permissions[:field]
	21	+ permission = permissions[:permission]
	22	+ return true if profile.public? && profile.public_fields.map{\|f\| f.to_sym}.include?(field.to_sym)
	23	+
19	24	current_person = options[:current_person]
20	25
21	26	current_permission = if current_person.present?
...	...	@@ -23,8 +28,8 @@ module Noosfero
23	28	:admin
24	29	elsif current_person == profile
25	30	:self
26		- elsif current_person.friends.include?(profile)
27		- :friend
	31	+ elsif profile.display_private_info_to?(current_person)
	32	+ :private_content
28	33	else
29	34	:logged_user
30	35	end
...	...	@@ -103,7 +108,7 @@ module Noosfero
103	108
104	109	private_values = profile.custom_field_values - profile.public_values
105	110	private_values.each do \|value\|
106		- if Entities.can_display?(profile,options,:custom_field)
	111	+ if Entities.can_display_profile_field?(profile,options)
107	112	hash[value.custom_field.name]=value.value
108	113	end
109	114	end
...	...	@@ -143,11 +148,11 @@ module Noosfero
143	148	class Community < Profile
144	149	root 'communities', 'community'
145	150	expose :description
146		- expose :admins do \|community, options\|
	151	+ expose :admins, :if => lambda { \|community, options\| community.display_info_to? options[:current_person]} do \|community, options\|
147	152	community.admins.map{\|admin\| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
148	153	end
149	154	expose :categories, :using => Category
150		- expose :members, :using => Person
	155	+ expose :members, :using => Person , :if => lambda{ \|community, options\| community.display_info_to? options[:current_person] }
151	156	end
152	157
153	158	class CommentBase < Entity
...	...	@@ -209,11 +214,11 @@ module Noosfero
209	214
210	215	attrs.each do \|attribute\|
211	216	name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
212		- expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display?(user.person, options, attribute)}
	217	+ expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => attribute})}
213	218	end
214	219
215		- expose :person, :using => Person
216		- expose :permissions, :if => lambda{\|user,options\| Entities.can_display?(user.person, options, :permissions, :self)} do \|user, options\|
	220	+ expose :person, :using => Person, :if => lambda{\|user,options\| user.person.display_info_to? options[:current_person]}
	221	+ expose :permissions, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do \|user, options\|
217	222	output = {}
218	223	user.person.role_assignments.map do \|role_assigment\|
219	224	if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
...	...
...	...	@@ -266,6 +266,13 @@ require_relative '../../find_by_contents'
266	266	unauthorized! unless current_user
267	267	end
268	268
	269	+ def profiles_for_person(profiles, person)
	270	+ if person
	271	+ profiles.listed_for_person(person)
	272	+ else
	273	+ profiles.visible
	274	+ end
	275	+ end
269	276
270	277	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
271	278	# or a Bad Request error is invoked.
...	...
...	...	@@ -7,9 +7,11 @@ module Noosfero
7	7	resource :profiles do
8	8
9	9	get ':id/activities' do
10		- profile = environment.profiles
11		- profile = profile.visible_for_person(current_person) if profile.respond_to?(:visible_for_person)
12		- profile = profile.find_by id: params[:id]
	10	+ profile = Profile.find_by id: params[:id]
	11	+
	12	+ not_found! if profile.blank? \|\| profile.secret \|\| !profile.visible
	13	+ forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
	14	+
13	15	activities = profile.activities.map(&:activity)
14	16	present activities, :with => Entities::Activity, :current_person => current_person
15	17	end
...	...
...	...	@@ -17,8 +17,8 @@ module Noosfero
17	17	# GET /communities?reference_id=10&limit=10&oldest
18	18	get do
19	19	communities = select_filtered_collection_of(environment, 'communities', params)
20		- communities = communities.visible
21		- communities = communities.by_location(params) # Must be the last. May return Exception obj.
	20	+ communities = profiles_for_person(communities, current_person)
	21	+ communities = communities.by_location(params) # Must be the last. May return Exception obj
22	22	present communities, :with => Entities::Community, :current_person => current_person
23	23	end
24	24
...	...	@@ -49,7 +49,7 @@ module Noosfero
49	49	end
50	50
51	51	get ':id' do
52		- community = environment.communities.visible.find_by(id: params[:id])
	52	+ community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
53	53	present community, :with => Entities::Community, :current_person => current_person
54	54	end
55	55
...	...	@@ -63,6 +63,10 @@ module Noosfero
63	63
64	64	get do
65	65	person = environment.people.find(params[:person_id])
	66	+
	67	+ not_found! if person.blank?
	68	+ forbidden! if !person.display_info_to?(current_person)
	69	+
66	70	communities = select_filtered_collection_of(person, 'communities', params)
67	71	communities = communities.visible
68	72	present communities, :with => Entities::Community, :current_person => current_person
...	...
...	...	@@ -16,7 +16,12 @@ module Noosfero
16	16	profiles = environment.profiles
17	17	profiles = profiles.visible
18	18	profile = profiles.find_by id: params[:id]
19		- present profile, :with => Entities::Profile, :current_person => current_person
	19	+
	20	+ if profile
	21	+ present profile, :with => Entities::Profile, :current_person => current_person
	22	+ else
	23	+ not_found!
	24	+ end
20	25	end
21	26
22	27	delete ':id' do
...	...
...	...	@@ -3,16 +3,16 @@ module Noosfero
3	3	module V1
4	4	class Tags < Grape::API
5	5	before { authenticate! }
6		-
	6	+
7	7	resource :articles do
8	8
9	9	resource ':id/tags' do
10		-
	10	+
11	11	get do
12	12	article = find_article(environment.articles, params[:id])
13	13	present article.tag_list
14	14	end
15		-
	15	+
16	16	desc "Add a tag to an article"
17	17	post do
18	18	article = find_article(environment.articles, params[:id])
...	...	@@ -20,10 +20,8 @@ module Noosfero
20	20	article.save
21	21	present article.tag_list
22	22	end
23		-
24	23	end
25	24	end
26		-
27	25	end
28	26	end
29	27	end
...	...
...	...	@@ -18,10 +18,11 @@ module Noosfero
18	18
19	19	get ":id" do
20	20	user = environment.users.find_by id: params[:id]
21		- unless user.person.display_info_to? current_person
22		- unauthorized!
	21	+ if user
	22	+ present user, :with => Entities::User, :current_person => current_person
	23	+ else
	24	+ not_found!
23	25	end
24		- present user, :with => Entities::User, :current_person => current_person
25	26	end
26	27
27	28	get ":id/permissions" do
...	...
...	...	@@ -4,6 +4,7 @@ require_relative '../../../../test/api/test_helper'
4	4	class APITest < ActiveSupport::TestCase
5	5
6	6	def setup
	7	+ create_and_activate_user
7	8	login_api
8	9	environment.enable_plugin(CommentParagraphPlugin)
9	10	end
...	...