Merge branch 'api_visitor' into 'master'

Reviews API permissions - Reviewed Profile scopes - Removed required authentication for anonymous - Corrected records fetching (considering permission levels) - Conditionally exposes attributes **Includes all changes introduced in !863** See merge request !867

Merge branch 'api_visitor' into 'master'
Reviews API permissions - Reviewed Profile scopes - Removed required authentication for anonymous - Corrected records fetching (considering permission levels) - Conditionally exposes attributes **Includes all changes introduced in !863** See merge request !867
Marcos Pereira
2 parents 82498934 a9df0202
Showing 29 changed files with 414 additions and 292 deletions Show diff stats
app/models/organization.rb
app/models/person.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/v1/activities.rb
lib/noosfero/api/v1/communities.rb
lib/noosfero/api/v1/profiles.rb
lib/noosfero/api/v1/tags.rb
lib/noosfero/api/v1/users.rb
plugins/comment_paragraph/test/unit/api_test.rb
plugins/push_notification/test/api/api_test.rb
test/api/activities_test.rb
test/api/articles_test.rb
test/api/boxes_test.rb
test/api/categories_test.rb
test/api/comments_test.rb
test/api/communities_test.rb
test/api/enterprises_test.rb
test/api/environment_test.rb
test/api/helpers_test.rb
@@ -16,9 +16,7 @@ class Organization &lt; Profile
   #   visible.
   #   4) The user is not a member of the organization but the organization is
   #   visible, public and enabled.
-  def self.visible_for_person(person)
-    # Visitor if person.nil?
-    person_id = person.nil? ? nil : person.id
+  def self.listed_for_person(person)
     joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
           AND "role_assignments"."resource_type" = \'Profile\') OR (
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -28,13 +26,24 @@ class Organization &lt; Profile
       ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
         OR
         ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
-            ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
+            ( profiles.enabled = ? ) ) AND
           ( profiles.visible = ? ) )',
-      'profile_admin', 'environment_administrator', Profile.name, person_id,
-      Profile.name, person_id,  true, true, true]
+      'profile_admin', 'environment_administrator', Profile.name, person.id,
+      Profile.name, person.id, true, true]
     ).uniq
   end
+  def self.visible_for_person(person)
+    listed_for_person(person).where(
+      ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
+        OR
+        ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+          ( profiles.enabled = ? AND profiles.public_profile = ? ) )',
+      'profile_admin', 'environment_administrator', Profile.name, person.id,
+      Profile.name, person.id,  true, true]
+    )
+  end
+
   settings_items :closed, :type => :boolean, :default => false
   def closed?
     closed
@@ -42,8 +42,6 @@ class Person &lt; Profile
   }
   scope :visible_for_person, lambda { |person|
-    # Visitor if person.nil?
-    person_id = person.nil? ? nil : person.id
     joins('LEFT JOIN "role_assignments" ON
           "role_assignments"."resource_id" = "profiles"."environment_id" AND
           "role_assignments"."resource_type" = \'Environment\'')
@@ -52,7 +50,7 @@ class Person &lt; Profile
     .where(
       ['( roles.key = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR (
         ( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?) )',
-         'environment_administrator', Profile.name, person_id, person_id,  true, true]
+         'environment_administrator', Profile.name, person.id, person.id,  true, true]
     ).uniq
   }
@@ -374,7 +372,7 @@ class Person &lt; Profile
     ['%s@%s' % [self.identifier, self.email_domain] ]
   end
-  def display_info_to?(user)
+  def display_private_info_to?(user)
     if friends.include?(user)
       true
     else
@@ -9,13 +9,18 @@ module Noosfero
       PERMISSIONS = {
         :admin => 0,
         :self  => 10,
-        :friend => 20,
+        :private_content => 20,
         :logged_user => 30,
         :anonymous => 40
       }
-      def self.can_display? profile, options, field, permission = :friend
-        return true if profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+      def self.can_display_profile_field? profile, options, permission_options={}
+        permissions={:field => "", :permission => :private_content}
+        permissions.merge!(permission_options)
+        field = permissions[:field]
+        permission = permissions[:permission]
+        return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
         current_person = options[:current_person]
         current_permission = if current_person.present?
@@ -23,8 +28,8 @@ module Noosfero
             :admin
           elsif current_person == profile
             :self
-          elsif current_person.friends.include?(profile)
-            :friend
+          elsif profile.display_private_info_to?(current_person)
+            :private_content
           else
             :logged_user
           end
@@ -103,7 +108,7 @@ module Noosfero
           private_values = profile.custom_field_values - profile.public_values
           private_values.each do |value|
-            if Entities.can_display?(profile,options,:custom_field)
+            if Entities.can_display_profile_field?(profile,options)
               hash[value.custom_field.name]=value.value
             end
           end
@@ -143,11 +148,11 @@ module Noosfero
       class Community < Profile
         root 'communities', 'community'
         expose :description
-        expose :admins do |community, options|
+        expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
           community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
         end
         expose :categories, :using => Category
-        expose :members, :using => Person
+        expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
       end
       class CommentBase < Entity
@@ -209,11 +214,11 @@ module Noosfero
         attrs.each do |attribute|
           name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
-          expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display?(user.person, options, attribute)}
+          expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field =>  attribute})}
         end
-        expose :person, :using => Person
-        expose :permissions, :if => lambda{|user,options| Entities.can_display?(user.person, options, :permissions, :self)} do |user, options|
+        expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+        expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
           output = {}
           user.person.role_assignments.map do |role_assigment|
             if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
@@ -266,6 +266,13 @@ require_relative &#39;../../find_by_contents&#39;
         unauthorized! unless current_user
       end
+      def profiles_for_person(profiles, person)
+        if person
+          profiles.listed_for_person(person)
+        else
+          profiles.visible
+        end
+      end
       # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
       # or a Bad Request error is invoked.
@@ -7,9 +7,11 @@ module Noosfero
         resource :profiles do
           get ':id/activities' do
-            profile = environment.profiles
-            profile = profile.visible_for_person(current_person) if profile.respond_to?(:visible_for_person)
-            profile = profile.find_by id: params[:id]
+            profile = Profile.find_by id: params[:id]
+
+            not_found! if profile.blank? || profile.secret || !profile.visible
+            forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
             activities = profile.activities.map(&:activity)
             present activities, :with => Entities::Activity, :current_person => current_person
           end
@@ -17,8 +17,8 @@ module Noosfero
           #  GET /communities?reference_id=10&limit=10&oldest
           get do
             communities = select_filtered_collection_of(environment, 'communities', params)
-            communities = communities.visible
-            communities = communities.by_location(params) # Must be the last. May return Exception obj.
+            communities = profiles_for_person(communities, current_person)
+            communities = communities.by_location(params) # Must be the last. May return Exception obj
             present communities, :with => Entities::Community, :current_person => current_person
           end
@@ -49,7 +49,7 @@ module Noosfero
           end
           get ':id' do
-            community = environment.communities.visible.find_by(id: params[:id])
+            community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
             present community, :with => Entities::Community, :current_person => current_person
           end
@@ -63,6 +63,10 @@ module Noosfero
               get do
                 person = environment.people.find(params[:person_id])
+
+                not_found! if person.blank?
+                forbidden! if !person.display_info_to?(current_person)
+
                 communities = select_filtered_collection_of(person, 'communities', params)
                 communities = communities.visible
                 present communities, :with => Entities::Community, :current_person => current_person
@@ -16,7 +16,12 @@ module Noosfero
             profiles = environment.profiles
             profiles = profiles.visible
             profile = profiles.find_by id: params[:id]
-            present profile, :with => Entities::Profile, :current_person => current_person
+
+            if profile
+              present profile, :with => Entities::Profile, :current_person => current_person
+            else
+              not_found!
+            end
           end
           delete ':id' do
@@ -3,16 +3,16 @@ module Noosfero
     module V1
       class Tags < Grape::API
         before { authenticate! }
-  
+
         resource :articles do
           resource ':id/tags' do
-  
+
             get do
               article = find_article(environment.articles, params[:id])
               present article.tag_list
             end
-    
+
             desc "Add a tag to an article"
             post do
               article = find_article(environment.articles, params[:id])
@@ -20,10 +20,8 @@ module Noosfero
               article.save
               present article.tag_list
             end
-    
           end
         end
-  
       end
     end
   end
@@ -18,10 +18,11 @@ module Noosfero
           get ":id" do
             user = environment.users.find_by id: params[:id]
-            unless user.person.display_info_to? current_person
-              unauthorized!
+            if user
+              present user, :with => Entities::User, :current_person => current_person
+            else
+              not_found!
             end
-            present user, :with => Entities::User, :current_person => current_person
           end
           get ":id/permissions" do
@@ -4,6 +4,7 @@ require_relative &#39;../../../../test/api/test_helper&#39;
 class APITest <  ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
     environment.enable_plugin(CommentParagraphPlugin)
   end
@@ -3,6 +3,7 @@ require_relative &#39;../../../../test/api/test_helper&#39;
 class PushNotificationApiTest < ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
     environment = Environment.default
     environment.enable_plugin(PushNotificationPlugin)
@@ -3,20 +3,74 @@ require_relative &#39;test_helper&#39;
 class ActivitiesTest < ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
   end
-  should 'get activity from profile' do
-    person = fast_create(Person)
-    organization = fast_create(Organization)
-    assert_difference 'organization.activities_count' do
-      ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => organization
-      organization.reload
-    end
-    get "/api/v1/profiles/#{organization.id}/activities?#{params.to_query}"
+  should 'get own activities' do
+    create_activity(person)
+
+    get "/api/v1/profiles/#{person.id}/activities?#{params.to_query}"
     json = JSON.parse(last_response.body)
+
     assert 1, json["activities"].count
-    assert_equal organization.activities.map(&:activity).first.id, json["activities"].first["id"]
+    assert_equivalent person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  should 'not get private community activities' do
+    community = fast_create(Community, :public_profile => false)
+    create_activity(community)
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'not get community activities if not member' do
+    community = fast_create(Community)
+    other_person = fast_create(Person)
+    community.add_member(other_person) # so there is an activity in community
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'get community activities for member' do
+    community = fast_create(Community)
+    create_activity(community)
+    community.add_member(person)
+
+    get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent community.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  should 'not get other person activities' do
+    other_person = fast_create(Person)
+    create_activity(other_person)
+
+    get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["activities"]
+    assert_equal 403, last_response.status
+  end
+
+  should 'get friend activities' do
+    other_person = fast_create(Person)
+    other_person.add_friend(person)
+    create_activity(other_person)
+
+    get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent other_person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+  end
+
+  def create_activity(target)
+    activity = ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => target
+    ProfileActivity.create! profile_id: target.id, activity: activity
   end
 end
@@ -3,6 +3,7 @@ require_relative &#39;test_helper&#39;
 class ArticlesTest < ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
   end
@@ -199,7 +200,6 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true)
     @params[:value] = 1
     post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
-    puts JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
@@ -3,8 +3,7 @@ require_relative &#39;test_helper&#39;
 class BoxesTest < ActiveSupport::TestCase
   def setup
-    @controller = AccountController.new
-    @request = ActionController::TestRequest.new
+    create_and_activate_user
     login_api
 #    @request = ActionController::TestRequest.new
   end
@@ -2,6 +2,9 @@ require_relative &#39;test_helper&#39;
 class CategoriesTest < ActiveSupport::TestCase
+  def setup
+    create_and_activate_user
+  end
   should 'logged user list categories' do
     login_api
@@ -11,7 +14,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
-  should 'logged user get category by id' do
+  should 'get category by id to logged user' do
     login_api
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
@@ -19,7 +22,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equal category.name, json["category"]["name"]
   end
-  should 'logged user list parent and children when get category by id' do
+  should 'list parent and children when get category by id to logged user' do
     login_api
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -37,7 +40,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
   end
-  should 'logged user include parent in categories list if params is true' do
+  should 'include parent in categories list if params is true to logged_user' do
     login_api
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -60,7 +63,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
       json["categories"].map { |c| c['parent'] && c['parent']['id'] }
   end
-  should 'logged user include children in categories list if params is true' do
+  should 'include children in categories list if params is true to logged user' do
     login_api
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
@@ -88,7 +91,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   expose_attributes = %w(id name full_name image display_color)
   expose_attributes.each do |attr|
-    should "logged user expose category #{attr} attribute by default" do
+    should "expose category #{attr} attribute by default to logged user" do
       login_api
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
@@ -97,24 +100,21 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
-  should 'anonymous list categories' do
-    anonymous_setup
+  should 'list categories to anonymous' do
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
-  should 'anonymous get category by id' do
-    anonymous_setup
+  should 'get category by id to anonymous' do
     category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal category.name, json["category"]["name"]
   end
-  should 'anonymous list parent and children when get category by id' do
-    anonymous_setup
+  should 'list parent and children when get category by id to anonymous' do
     parent = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -132,7 +132,6 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous include parent in categories list if params is true' do
-    anonymous_setup
     parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -155,7 +154,6 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous include children in categories list if params is true' do
-    anonymous_setup
     category = fast_create(Category, :environment_id => environment.id)
     child_1 = fast_create(Category, :environment_id => environment.id)
     child_2 = fast_create(Category, :environment_id => environment.id)
@@ -180,8 +178,7 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
   expose_attributes.each do |attr|
-    should "anonymous expose category #{attr} attribute by default" do
-      anonymous_setup
+    should "expose category #{attr} attribute by default to anonymous" do
       category = fast_create(Category, :environment_id => environment.id)
       get "/api/v1/categories/?#{params.to_query}"
       json = JSON.parse(last_response.body)
@@ -189,6 +186,4 @@ class CategoriesTest &lt; ActiveSupport::TestCase
     end
   end
-
-
 end
@@ -4,13 +4,12 @@ class CommentsTest &lt; ActiveSupport::TestCase
   def setup
     @local_person = fast_create(Person)
-    anonymous_setup
+    create_and_activate_user
   end
-  attr_reader :local_person
   should 'logged user not list comments if user has no permission to view the source article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -19,8 +18,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user not return comment if user has no permission to view the source article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
     assert !article.published?
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
@@ -29,7 +28,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user not comment an article if user has no permission to view it' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
     assert !article.published?
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -38,9 +37,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user return comments of an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => local_person)
-    article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @local_person)
+    article.comments.create!(:body => "another comment", :author => @local_person)
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -50,8 +49,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user return comment of an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -61,7 +60,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user comment an article' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
@@ -84,7 +83,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user comment creation define the source' do
     login_api
     amount = Comment.count
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     body = 'My comment'
     params.merge!({:body => body})
@@ -103,7 +102,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
     Environment.default.enable_plugin(Plugin1)
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
@@ -113,7 +112,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous do not return comments marked as spam' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
     c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
     c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -121,41 +120,42 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
   end
-  should 'not, anonymous list comments if has no permission to view the source article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
+  should 'not list comments if anonymous has no permission to view the source article' do
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
     assert !article.published?
-  
+
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     assert_equal 403, last_response.status
   end
-  
-  should 'anonymous return comments of an article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    article.comments.create!(:body => "some comment", :author => local_person)
-    article.comments.create!(:body => "another comment", :author => local_person)
-  
+
+  should 'return comments of an article for anonymous' do
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @local_person)
+    article.comments.create!(:body => "another comment", :author => @local_person)
+
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 200, last_response.status
     assert_equal 2, json["comments"].length
   end
-  
-  should 'anonymous return comment of an article' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment = article.comments.create!(:body => "another comment", :author => local_person)
-  
+
+  should 'return comment of an article for anonymous' do
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment = article.comments.create!(:body => "another comment", :author => @local_person)
+
     get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 200, last_response.status
     assert_equal comment.id, json['comment']['id']
   end
-  should 'not, anonymous comment an article (at least so far...)' do
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
+  should 'anonymous user not comment an article' do
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
     body = 'My comment'
     name = "John Doe"
     email = "JohnDoe@gmail.com"
     params.merge!({:body => body, name: name, email: email})
+
     post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 401, last_response.status
@@ -163,8 +163,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user paginate comments' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    5.times { article.comments.create!(:body => "some comment", :author => local_person) }
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    5.times { article.comments.create!(:body => "some comment", :author => @local_person) }
     params[:per_page] = 3
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -175,9 +175,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
   should 'logged user return only root comments' do
     login_api
-    article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
-    comment1 = article.comments.create!(:body => "some comment", :author => local_person)
-    comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
+    article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
+    comment1 = article.comments.create!(:body => "some comment", :author => @local_person)
+    comment2 = article.comments.create!(:body => "another comment", :author => @local_person, :reply_of_id => comment1.id)
     params[:without_reply] = true
     get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
@@ -4,28 +4,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   def setup
     Community.delete_all
+    create_and_activate_user
   end
-  should 'logged user list only communities' do
+  should 'list only communities to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
     assert_includes json['communities'].map {|c| c['id']}, community.id
   end
-  should 'logged user list all communities' do
+  should 'list all communities to logged user' do
     login_api
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'not, logged user list invisible communities' do
+  should 'not list invisible communities to logged user' do
     login_api
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
@@ -35,28 +38,28 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
-  should 'logged user list private communities' do
-      login_api
-      community1 = fast_create(Community, :environment_id => environment.id)
-      community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'list private communities to logged user' do
+    login_api
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
-      get "/api/v1/communities?#{params.to_query}"
-      json = JSON.parse(last_response.body)
-      assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'logged user list private community for members' do
+  should 'list private communities to logged members' do
     login_api
-    c1 = fast_create(Community, :environment_id => environment.id)
-    c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
-    c2.add_member(person)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    community2.add_member(person)
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'logged user create a community' do
+  should 'create a community with logged user' do
     login_api
     params[:community] = {:name => 'some'}
     post "/api/v1/communities?#{params.to_query}"
@@ -64,14 +67,14 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal 'some', json['community']['name']
   end
-  should 'logged user return 400 status for invalid community creation' do
+  should 'return 400 status for invalid community creation to logged user ' do
     login_api
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 400, last_response.status
   end
-  should 'logged user get community' do
+  should 'get community to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
@@ -80,26 +83,27 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal community.id, json['community']['id']
   end
-  should 'not, logged user get invisible community' do
+  should 'not list invisible community to logged users' do
     login_api
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert json['community'].blank?
+
+    assert_nil json["community"]
   end
-  should 'not, logged user get private communities without permission' do
+  should 'not get private community content to non member' do
     login_api
-    community = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_nil json['community']['members']
   end
-  should 'logged user get private community for members' do
+  should 'get private community to logged member' do
     login_api
     community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
     community.add_member(person)
@@ -107,9 +111,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_not_nil json['community']['members']
   end
-  should 'logged user list person communities' do
+  should 'list person communities to logged user' do
     login_api
     community = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id)
@@ -120,16 +125,16 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
-  should 'not, logged user list person communities invisible' do
+  should 'not list person invisible communities to logged user' do
     login_api
-    c1 = fast_create(Community, :environment_id => environment.id)
-    c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
-    c1.add_member(person)
-    c2.add_member(person)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    community2 = fast_create(Community, :environment_id => environment.id, :visible => false)
+    community1.add_member(person)
+    community2.add_member(person)
     get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
+    assert_equivalent [community1.id], json['communities'].map {|c| c['id']}
   end
   should 'logged user list communities with pagination' do
@@ -147,7 +152,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     get "/api/v1/communities?#{params.to_query}"
     json_page_one = JSON.parse(last_response.body)
-
     assert_includes json_page_one["communities"].map { |a| a["id"] }, community1.id
     assert_not_includes json_page_one["communities"].map { |a| a["id"] }, community2.id
@@ -155,7 +159,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
-  should 'logged user list communities with timestamp' do
+  should 'list communities with timestamp to logged user' do
     login_api
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
@@ -172,9 +176,9 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list only communities' do
-    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id)
     enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
@@ -182,16 +186,15 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list all communities' do
-    anonymous_setup
     community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
     community2 = fast_create(Community, :environment_id => environment.id)
+
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'not, anonymous list invisible communities' do
-    anonymous_setup
+  should 'not list invisible communities to anonymous' do
     community1 = fast_create(Community, :environment_id => environment.id)
     fast_create(Community, :environment_id => environment.id, :visible => false)
@@ -200,8 +203,17 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equal [community1.id], json['communities'].map {|c| c['id']}
   end
-  should 'anonymous list private communities' do
-    anonymous_setup
+  should 'list all visible communities except secret ones to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    private_community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+    secret_community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :secret => true)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community.id, private_community.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'list private communities to anonymous' do
     community1 = fast_create(Community, :environment_id => environment.id)
     community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
@@ -210,41 +222,59 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
-  should 'not, anonymous create a community' do
-    anonymous_setup
+  should 'not create a community as an anonymous user' do
     params[:community] = {:name => 'some'}
+
     post "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal 401, last_response.status
   end
-  should 'anonymous get community' do
-    anonymous_setup
+  should 'get community for anonymous' do
     community = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
   end
-  should 'not, anonymous get invisible community' do
-    anonymous_setup
+  should 'not get invisible community to anonymous user' do
     community = fast_create(Community, :environment_id => environment.id, :visible => false)
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert json['community'].blank?
   end
-  should 'not, anonymous get private communities' do
-    anonymous_setup
-    community = fast_create(Community, :environment_id => environment.id)
-    fast_create(Community, :environment_id => environment.id, :public_profile => false)
+  should 'get private community to anonymous user' do
+    community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
+
     get "/api/v1/communities/#{community.id}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
+    assert_nil json['community']['members']
+  end
+
+  should 'list public person communities to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id)
+    community.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community.id], json['communities'].map {|c| c['id']}
   end
-  should 'anonymous list communities with pagination' do
-    anonymous_setup
+  should 'not list private person communities to anonymous' do
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id)
+    person.public_profile = false
+    person.save
+    community.add_member(person)
+
+    get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'list communities with pagination to anonymous' do
     community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
     community2 = fast_create(Community, :created_at => 2.days.ago)
@@ -265,8 +295,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
   end
-  should 'anonymous list communities with timestamp' do
-    anonymous_setup
+  should 'list communities with timestamp to anonymous ' do
     community1 = fast_create(Community, :public_profile => true)
     community2 = fast_create(Community)
@@ -282,7 +311,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
     some_community = fast_create(Community)
     some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -295,7 +323,6 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
   should 'not display private custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
     some_community = fast_create(Community)
     some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -306,5 +333,4 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
     refute json['community']['additional_data'].has_key?('Rating')
   end
-
 end
@@ -4,6 +4,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   def setup
     Enterprise.delete_all
+    create_and_activate_user
   end
   should 'logger user list only enterprises' do
@@ -17,7 +18,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list only enterprises' do
-    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id) # should not list this community
     enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -27,7 +27,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list all enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -55,7 +54,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not, anonymous list invisible enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
@@ -64,7 +62,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
     assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
-  should 'not, logger user list invisible enterprises' do
+  should 'not, logged user list invisible enterprises' do
     login_api
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
@@ -75,7 +73,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list private enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
@@ -106,7 +103,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous get enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -133,7 +129,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not, anonymous get invisible enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :visible => false)
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -152,7 +147,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not, anonymous get private enterprises' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
@@ -195,7 +189,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -208,7 +201,6 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
   should 'not display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -2,6 +2,10 @@ require_relative &#39;test_helper&#39;
 class EnvironmentTest < ActiveSupport::TestCase
+  def setup
+    create_and_activate_user
+  end
+
   should 'return the default environment' do
     environment = Environment.default
     get "/api/v1/environment/default"
@@ -62,6 +66,6 @@ class EnvironmentTest &lt; ActiveSupport::TestCase
     get "/api/v1/environment/context"
     json = JSON.parse(last_response.body)
     assert_equal context_env.id, json['id']
-  end  
+  end
 end
@@ -6,28 +6,26 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   include Noosfero::API::APIHelpers
   def setup
+    create_and_activate_user
     @headers = {}
   end
   attr_accessor :headers
   should 'get the current user with valid token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user, current_user
   end
   should 'get the current user with valid token in header' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     headers['Private-Token'] = user.private_token
     assert_equal user, current_user
   end
   should 'get the current user even with expired token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     user.private_token_generated_at = DateTime.now.prev_year
     user.save
     self.params = {:private_token => user.private_token}
@@ -35,8 +33,7 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   end
   should 'get the person of current user' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user.person, current_person
   end
@@ -106,24 +103,22 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
   end
   should 'find_article return article by id in list passed for user with permission' do
-    user = create_user('someuser')
+    login_api
     a = fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal a, find_article(user.person.articles, a.id)
   end
   should 'find_article return forbidden when a user try to access an article without permission' do
-    user = create_user('someuser')
+    login_api
     p = fast_create(Profile)
     a = fast_create(Article, :published => false, :profile_id => p.id)
     fast_create(Article, :profile_id => p.id)
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal 403, find_article(p.articles, a.id).last
@@ -3,7 +3,8 @@ require_relative &#39;test_helper&#39;
 class PeopleTest < ActiveSupport::TestCase
   def setup
-    Person.delete_all
+    Person.destroy_all
+    create_and_activate_user
   end
   should 'logged user list all people' do
@@ -16,12 +17,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list all people' do
-    anonymous_setup
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
     get "/api/v1/people?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+    assert_equivalent [person.id, person1.id, person2.id], json['people'].map {|c| c['id']}
   end
   should 'logged user list all members of a community' do
@@ -39,7 +39,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list all members of a community' do
-    anonymous_setup
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -61,7 +60,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'annoymous not list invisible people' do
-    anonymous_setup
     invisible_person = fast_create(Person, :visible => false)
     get "/api/v1/people?#{params.to_query}"
@@ -77,7 +75,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
     get "/api/v1/people?#{params.to_query}"
@@ -105,7 +102,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous get person' do
-    anonymous_setup
     some_person = fast_create(Person)
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
@@ -113,7 +109,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['person']['id']
   end
-
   should 'people endpoint filter by fields parameter for logged user' do
     login_api
     get "/api/v1/people?#{params.to_query}&fields=name"
@@ -156,7 +151,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous not get invisible person' do
-    anonymous_setup
     person = fast_create(Person, :visible => false)
     get "/api/v1/people/#{person.id}?#{params.to_query}"
@@ -174,7 +168,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous get private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
     get "/api/v1/people/#{private_person.id}?#{params.to_query}"
@@ -203,7 +196,6 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous list person friends' do
-    anonymous_setup
     person = fast_create(Person)
     friend = fast_create(Person)
     person.add_friend(friend)
@@ -274,7 +266,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
   should 'not display permissions if not admin or self' do
     login_api
-    some_person = create_user('some-person').person
+    some_person = fast_create(Person)
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
     assert_equal 403, last_response.status
@@ -300,8 +292,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
   should 'logged user display public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
     some_person.save!
@@ -313,10 +308,11 @@ class PeopleTest &lt; ActiveSupport::TestCase
   should 'logged user not display non-public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
+    some_person.user.activate
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -324,36 +320,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'display public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.reload
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    person.save!
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json['person']['additional_data'].has_key?('Custom Blog')
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
   should 'not display non-public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    person.save!
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal json['person']['additional_data'], {}
   end
   should 'hide private fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
-    target_person.save!
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
     refute json["user"].has_key?("activated")
@@ -361,15 +352,16 @@ class PeopleTest &lt; ActiveSupport::TestCase
   should 'display non-public custom fields to friend' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
-    f = Friendship.new
-    f.friend = some_person
-    f.person = person
-    f.save!
+    some_person.add_friend(person)
+    person.add_friend(some_person)
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -4,6 +4,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   def setup
     Profile.delete_all
+    create_and_activate_user
   end
   should 'logged user list all profiles' do
@@ -24,6 +25,13 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['id']
   end
+  should 'not get inexistent profile' do
+    login_api
+    get "/api/v1/profiles/invalid_id?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 404, last_response.status
+  end
+
   should 'logged user get community from profile id' do
     login_api
     community = fast_create(Community)
@@ -85,7 +93,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
   should 'anonymous user access delete action' do
-    anonymous_setup
     profile = fast_create(Person, :environment_id => environment.id)
     delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
@@ -99,7 +106,7 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     community = fast_create(Community)
     get "/api/v1/profiles"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+    assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
   end
   should 'anonymous get person from profile id' do
@@ -117,7 +124,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
     some_profile = fast_create(Profile)
     some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -130,7 +136,6 @@ class ProfilesTest &lt; ActiveSupport::TestCase
   end
   should 'not display private custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
     some_profile = fast_create(Profile)
     some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
@@ -3,9 +3,8 @@ require_relative &#39;test_helper&#39;
 class SearchTest < ActiveSupport::TestCase
   def setup
-    @person = create_user('testing').person
+    create_and_activate_user
   end
-  attr_reader :person
   should 'not list unpublished articles' do
     Article.delete_all
@@ -3,6 +3,7 @@ require_relative &#39;test_helper&#39;
 class SessionTest < ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
   end
@@ -147,10 +148,9 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
   should 'create task to change password by user login' do
-    user = create_user
     params = {:value => user.login}
     assert_difference 'ChangePassword.count' do
-      post "/api/v1/forgot_password?#{params.to_query}"
+        post "/api/v1/forgot_password?#{params.to_query}"
     end
   end
@@ -173,8 +173,6 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
   should 'do not change user password when password confirmation is wrong' do
-    user = create_user
-    user.activate
     task = ChangePassword.create!(:requestor => user.person)
     params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
     patch "/api/v1/new_password?#{params.to_query}"
@@ -200,8 +198,8 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
   should 'resend activation code for an inactive user' do
-    user = create_user
-    params = {:value => user.login}
+    another_user = User.create!(:login => "userlogin", :password => 'testapi', :password_confirmation => 'testapi', :email => 'test2@test.org', :environment => @environment)
+    params = {:value => another_user.login}
     Delayed::Job.destroy_all
     assert_difference 'ActionMailer::Base.deliveries.size' do
       post "/api/v1/resend_activation_code?#{params.to_query}"
@@ -209,13 +207,11 @@ class SessionTest &lt; ActiveSupport::TestCase
     end
     json = JSON.parse(last_response.body)
     refute json['users'].first['private_token']
-    assert_equal user.email, ActionMailer::Base.deliveries.last['to'].to_s
+    assert_equal another_user.email, ActionMailer::Base.deliveries.last['to'].to_s
   end
    should 'not resend activation code for an active user' do
-     user = create_user
      params = {:value => user.login}
-     user.activate
      Delayed::Job.destroy_all
      assert_no_difference 'ActionMailer::Base.deliveries.size' do
        post "/api/v1/resend_activation_code?#{params.to_query}"
@@ -3,8 +3,8 @@ require_relative &#39;test_helper&#39;
 class TasksTest < ActiveSupport::TestCase
   def setup
+    create_and_activate_user
     login_api
-    @person = user.person
     @community = fast_create(Community)
     @environment = Environment.default
   end
@@ -4,17 +4,23 @@ class ActiveSupport::TestCase
   include Rack::Test::Methods
+  USER_PASSWORD = "testapi"
+  USER_LOGIN = "testapi"
+
   def app
     Noosfero::API::API
   end
-  def login_api
+  def create_and_activate_user
     @environment = Environment.default
-    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)
+    @user = User.create!(:login => USER_LOGIN, :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test@test.org', :environment => @environment)
     @user.activate
     @person = @user.person
+    @params = {}
+  end
-    post "/api/v1/login?login=testapi&password=testapi"
+  def login_api
+    post "/api/v1/login?login=#{USER_LOGIN}&password=#{USER_PASSWORD}"
     json = JSON.parse(last_response.body)
     @private_token = json["private_token"]
     unless @private_token
@@ -22,12 +28,7 @@ class ActiveSupport::TestCase
       @private_token = @user.private_token
     end
-    @params = {:private_token => @private_token}
-  end
-
-  def anonymous_setup
-    @environment = Environment.default
-    @params = {}
+    @params[:private_token] = @private_token
   end
   attr_accessor :private_token, :user, :person, :params, :environment
@@ -3,6 +3,10 @@ require_relative &#39;test_helper&#39;
 class UsersTest < ActiveSupport::TestCase
+  def setup
+    create_and_activate_user
+  end
+
   should 'logger user list users' do
     login_api
     get "/api/v1/users/?#{params.to_query}"
@@ -35,8 +39,8 @@ class UsersTest &lt; ActiveSupport::TestCase
   should 'not show permissions to logged user' do
     login_api
-    target_person = create_user('some-user').person
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
   end
@@ -50,12 +54,10 @@ class UsersTest &lt; ActiveSupport::TestCase
   should 'not show permissions to friend' do
     login_api
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
-    f = Friendship.new
-    f.friend = target_person
-    f.person = person
-    f.save!
+    target_person.add_friend(person)
+    person.add_friend(target_person)
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -64,19 +66,21 @@ class UsersTest &lt; ActiveSupport::TestCase
   should 'not show private attribute to logged user' do
     login_api
-    target_person = create_user('some-user').person
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    refute json["user"].has_key?("email")
+    assert_equal 200, last_response.status
+    assert_nil json['user']['email']
+    assert_nil json['user']['person']
   end
   should 'show private attr to friend' do
     login_api
-    target_person = create_user('some-user').person
-    f = Friendship.new
-    f.friend = target_person
-    f.person = person
-    f.save!
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    target_person.add_friend(person)
+    person.add_friend(target_person)
+
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("email")
@@ -85,9 +89,12 @@ class UsersTest &lt; ActiveSupport::TestCase
   should 'show public attribute to logged user' do
     login_api
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    target_person.public_profile = true
+    target_person.visible = true
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
+
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json["user"].has_key?("email")
@@ -98,7 +105,7 @@ class UsersTest &lt; ActiveSupport::TestCase
     login_api
     Environment.default.add_admin(person)
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     target_person.fields_privacy={:email=> 'public'}
     target_person.save!
@@ -110,9 +117,10 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'show public fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
+    target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     target_person.fields_privacy={:email=> 'public'}
+    target_person.public_profile = true
+    target_person.visible = true
     target_person.save!
     get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
@@ -121,11 +129,9 @@ class UsersTest &lt; ActiveSupport::TestCase
   end
   should 'hide private fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
-    target_person.save!
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
     refute json["user"].has_key?("activated")
@@ -458,7 +458,7 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     refute c.is_admin?(moderator)
   end
-  should 'fetch organizations there are visible for a user' do
+  should 'fetch organizations that are visible for users' do
     person = create_user('some-person').person
     admin = create_user('some-admin').person
     env_admin = create_user('env-admin').person
@@ -513,18 +513,58 @@ class OrganizationTest &lt; ActiveSupport::TestCase
     assert_includes     env_admin_orgs, o7
   end
-  should 'fetch organizations there are visible for a visitor' do
-    visitor = nil
-    Organization.destroy_all
+  should 'fetch organizations that are listed for users' do
+    person = create_user('some-person').person
+    admin = create_user('some-admin').person
+    env_admin = create_user('env-admin').person
+
     o1 = fast_create(Organization, :public_profile => true , :visible => true )
-    o2 = fast_create(Organization, :public_profile => false, :visible => true )
-    o3 = fast_create(Organization, :public_profile => true , :visible => false)
-    o4 = fast_create(Organization, :public_profile => false, :visible => false)
-    person_orgs    = Organization.visible_for_person(visitor)
-    assert_includes       person_orgs,    o1
-    assert_not_includes   person_orgs,    o2
-    assert_not_includes   person_orgs,    o3
-    assert_not_includes   person_orgs,    o4
-  end
+    o1.add_admin(admin)
+    o1.add_member(person)
+
+    o2 = fast_create(Organization, :public_profile => true , :visible => true )
+    o3 = fast_create(Organization, :public_profile => false, :visible => true )
+
+    o4 = fast_create(Organization, :public_profile => false, :visible => true)
+    o4.add_admin(admin)
+    o4.add_member(person)
+
+    o5 = fast_create(Organization, :public_profile => true , :visible => false)
+    o5.add_admin(admin)
+    o5.add_member(person)
+
+    o6 = fast_create(Enterprise, :enabled => false, :visible => true)
+    o6.add_admin(admin)
+
+    o7 = fast_create(Organization, :public_profile => false, :visible => false)
+
+    Environment.default.add_admin(env_admin)
+
+    person_orgs    = Organization.listed_for_person(person)
+    admin_orgs     = Organization.listed_for_person(admin)
+    env_admin_orgs = Organization.listed_for_person(env_admin)
+
+    assert_includes     person_orgs,    o1
+    assert_includes     admin_orgs,     o1
+    assert_includes     env_admin_orgs, o1
+
+    assert_includes     person_orgs,    o2
+    assert_includes     env_admin_orgs, o2
+    assert_includes     person_orgs,    o3
+    assert_includes     env_admin_orgs, o3
+
+    assert_includes     person_orgs,    o4
+    assert_includes     admin_orgs,     o4
+    assert_includes     env_admin_orgs, o4
+
+    assert_not_includes person_orgs,    o5
+    assert_includes     admin_orgs,     o5
+    assert_includes     env_admin_orgs, o5
+    assert_not_includes person_orgs,    o6
+    assert_includes     admin_orgs,     o6
+
+    assert_not_includes person_orgs,    o7
+    assert_includes     env_admin_orgs, o7
+  end
 end
@@ -1951,17 +1951,4 @@ class PersonTest &lt; ActiveSupport::TestCase
     person.save!
   end
-  should 'fetch people there are visible for a visitor' do
-    person = nil
-    p1 = fast_create(Person, :public_profile => true , :visible => true)
-    p2 = fast_create(Person, :public_profile => false, :visible => true)
-    p3 = fast_create(Person, :public_profile => true , :visible => false)
-    p4 = fast_create(Person, :public_profile => false, :visible => false)
-    people_visible_by_visitor = Person.visible_for_person(person)
-    assert_includes     people_visible_by_visitor, p1
-    assert_not_includes people_visible_by_visitor, p2
-    assert_not_includes people_visible_by_visitor, p3
-    assert_not_includes people_visible_by_visitor, p4
-  end
-
 end
	@@ -266,6 +266,13 @@ require_relative '../../find_by_contents'		@@ -266,6 +266,13 @@ require_relative '../../find_by_contents'
266	unauthorized! unless current_user	266	unauthorized! unless current_user
267	end	267	end
268		268
		269	+ def profiles_for_person(profiles, person)
		270	+ if person
		271	+ profiles.listed_for_person(person)
		272	+ else
		273	+ profiles.visible
		274	+ end
		275	+ end
269		276
270	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash	277	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
271	# or a Bad Request error is invoked.	278	# or a Bad Request error is invoked.
	@@ -4,6 +4,7 @@ require_relative '../../../../test/api/test_helper'		@@ -4,6 +4,7 @@ require_relative '../../../../test/api/test_helper'
4	class APITest < ActiveSupport::TestCase	4	class APITest < ActiveSupport::TestCase
5		5
6	def setup	6	def setup
		7	+ create_and_activate_user
7	login_api	8	login_api
8	environment.enable_plugin(CommentParagraphPlugin)	9	environment.enable_plugin(CommentParagraphPlugin)
9	end	10	end
	@@ -3,6 +3,7 @@ require_relative '../../../../test/api/test_helper'		@@ -3,6 +3,7 @@ require_relative '../../../../test/api/test_helper'
3	class PushNotificationApiTest < ActiveSupport::TestCase	3	class PushNotificationApiTest < ActiveSupport::TestCase
4		4
5	def setup	5	def setup
		6	+ create_and_activate_user
6	login_api	7	login_api
7	environment = Environment.default	8	environment = Environment.default
8	environment.enable_plugin(PushNotificationPlugin)	9	environment.enable_plugin(PushNotificationPlugin)
	@@ -3,20 +3,74 @@ require_relative 'test_helper'		@@ -3,20 +3,74 @@ require_relative 'test_helper'
3	class ActivitiesTest < ActiveSupport::TestCase	3	class ActivitiesTest < ActiveSupport::TestCase
4		4
5	def setup	5	def setup
		6	+ create_and_activate_user
6	login_api	7	login_api
7	end	8	end
8		9
9	- should 'get activity from profile' do
10	- person = fast_create(Person)
11	- organization = fast_create(Organization)
12	- assert_difference 'organization.activities_count' do
13	- ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => organization
14	- organization.reload
15	- end
16	- get "/api/v1/profiles/#{organization.id}/activities?#{params.to_query}"	10	+ should 'get own activities' do
		11	+ create_activity(person)
		12	+
		13	+ get "/api/v1/profiles/#{person.id}/activities?#{params.to_query}"
17	json = JSON.parse(last_response.body)	14	json = JSON.parse(last_response.body)
		15	+
18	assert 1, json["activities"].count	16	assert 1, json["activities"].count
19	- assert_equal organization.activities.map(&:activity).first.id, json["activities"].first["id"]	17	+ assert_equivalent person.activities.map(&:activity).map(&:id), json["activities"].map{\|c\| c["id"]}
		18	+ end
		19	+
		20	+ should 'not get private community activities' do
		21	+ community = fast_create(Community, :public_profile => false)
		22	+ create_activity(community)
		23	+
		24	+ get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
		25	+ json = JSON.parse(last_response.body)
		26	+ assert_nil json["activities"]
		27	+ assert_equal 403, last_response.status
		28	+ end
		29	+
		30	+ should 'not get community activities if not member' do
		31	+ community = fast_create(Community)
		32	+ other_person = fast_create(Person)
		33	+ community.add_member(other_person) # so there is an activity in community
		34	+
		35	+ get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
		36	+ json = JSON.parse(last_response.body)
		37	+ assert_nil json["activities"]
		38	+ assert_equal 403, last_response.status
		39	+ end
		40	+
		41	+ should 'get community activities for member' do
		42	+ community = fast_create(Community)
		43	+ create_activity(community)
		44	+ community.add_member(person)
		45	+
		46	+ get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
		47	+ json = JSON.parse(last_response.body)
		48	+ assert_equivalent community.activities.map(&:activity).map(&:id), json["activities"].map{\|c\| c["id"]}
		49	+ end
		50	+
		51	+ should 'not get other person activities' do
		52	+ other_person = fast_create(Person)
		53	+ create_activity(other_person)
		54	+
		55	+ get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
		56	+ json = JSON.parse(last_response.body)
		57	+ assert_nil json["activities"]
		58	+ assert_equal 403, last_response.status
		59	+ end
		60	+
		61	+ should 'get friend activities' do
		62	+ other_person = fast_create(Person)
		63	+ other_person.add_friend(person)
		64	+ create_activity(other_person)
		65	+
		66	+ get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
		67	+ json = JSON.parse(last_response.body)
		68	+ assert_equivalent other_person.activities.map(&:activity).map(&:id), json["activities"].map{\|c\| c["id"]}
		69	+ end
		70	+
		71	+ def create_activity(target)
		72	+ activity = ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => target
		73	+ ProfileActivity.create! profile_id: target.id, activity: activity
20	end	74	end
21		75
22	end	76	end
	@@ -458,7 +458,7 @@ class OrganizationTest < ActiveSupport::TestCase		@@ -458,7 +458,7 @@ class OrganizationTest < ActiveSupport::TestCase
458	refute c.is_admin?(moderator)	458	refute c.is_admin?(moderator)
459	end	459	end
460		460
461	- should 'fetch organizations there are visible for a user' do	461	+ should 'fetch organizations that are visible for users' do
462	person = create_user('some-person').person	462	person = create_user('some-person').person
463	admin = create_user('some-admin').person	463	admin = create_user('some-admin').person
464	env_admin = create_user('env-admin').person	464	env_admin = create_user('env-admin').person
	@@ -513,18 +513,58 @@ class OrganizationTest < ActiveSupport::TestCase		@@ -513,18 +513,58 @@ class OrganizationTest < ActiveSupport::TestCase
513	assert_includes env_admin_orgs, o7	513	assert_includes env_admin_orgs, o7
514	end	514	end
515		515
516	- should 'fetch organizations there are visible for a visitor' do
517	- visitor = nil
518	- Organization.destroy_all	516	+ should 'fetch organizations that are listed for users' do
		517	+ person = create_user('some-person').person
		518	+ admin = create_user('some-admin').person
		519	+ env_admin = create_user('env-admin').person
		520	+
519	o1 = fast_create(Organization, :public_profile => true , :visible => true )	521	o1 = fast_create(Organization, :public_profile => true , :visible => true )
520	- o2 = fast_create(Organization, :public_profile => false, :visible => true )
521	- o3 = fast_create(Organization, :public_profile => true , :visible => false)
522	- o4 = fast_create(Organization, :public_profile => false, :visible => false)
523	- person_orgs = Organization.visible_for_person(visitor)
524	- assert_includes person_orgs, o1
525	- assert_not_includes person_orgs, o2
526	- assert_not_includes person_orgs, o3
527	- assert_not_includes person_orgs, o4
528	- end	522	+ o1.add_admin(admin)
		523	+ o1.add_member(person)
		524	+
		525	+ o2 = fast_create(Organization, :public_profile => true , :visible => true )
		526	+ o3 = fast_create(Organization, :public_profile => false, :visible => true )
		527	+
		528	+ o4 = fast_create(Organization, :public_profile => false, :visible => true)
		529	+ o4.add_admin(admin)
		530	+ o4.add_member(person)
		531	+
		532	+ o5 = fast_create(Organization, :public_profile => true , :visible => false)
		533	+ o5.add_admin(admin)
		534	+ o5.add_member(person)
		535	+
		536	+ o6 = fast_create(Enterprise, :enabled => false, :visible => true)
		537	+ o6.add_admin(admin)
		538	+
		539	+ o7 = fast_create(Organization, :public_profile => false, :visible => false)
		540	+
		541	+ Environment.default.add_admin(env_admin)
		542	+
		543	+ person_orgs = Organization.listed_for_person(person)
		544	+ admin_orgs = Organization.listed_for_person(admin)
		545	+ env_admin_orgs = Organization.listed_for_person(env_admin)
		546	+
		547	+ assert_includes person_orgs, o1
		548	+ assert_includes admin_orgs, o1
		549	+ assert_includes env_admin_orgs, o1
		550	+
		551	+ assert_includes person_orgs, o2
		552	+ assert_includes env_admin_orgs, o2
		553	+ assert_includes person_orgs, o3
		554	+ assert_includes env_admin_orgs, o3
		555	+
		556	+ assert_includes person_orgs, o4
		557	+ assert_includes admin_orgs, o4
		558	+ assert_includes env_admin_orgs, o4
		559	+
		560	+ assert_not_includes person_orgs, o5
		561	+ assert_includes admin_orgs, o5
		562	+ assert_includes env_admin_orgs, o5
529		563
		564	+ assert_not_includes person_orgs, o6
		565	+ assert_includes admin_orgs, o6
		566	+
		567	+ assert_not_includes person_orgs, o7
		568	+ assert_includes env_admin_orgs, o7
		569	+ end
530	end	570	end
	@@ -1951,17 +1951,4 @@ class PersonTest < ActiveSupport::TestCase		@@ -1951,17 +1951,4 @@ class PersonTest < ActiveSupport::TestCase
1951	person.save!	1951	person.save!
1952	end	1952	end
1953		1953
1954	- should 'fetch people there are visible for a visitor' do
1955	- person = nil
1956	- p1 = fast_create(Person, :public_profile => true , :visible => true)
1957	- p2 = fast_create(Person, :public_profile => false, :visible => true)
1958	- p3 = fast_create(Person, :public_profile => true , :visible => false)
1959	- p4 = fast_create(Person, :public_profile => false, :visible => false)
1960	- people_visible_by_visitor = Person.visible_for_person(person)
1961	- assert_includes people_visible_by_visitor, p1
1962	- assert_not_includes people_visible_by_visitor, p2
1963	- assert_not_includes people_visible_by_visitor, p3
1964	- assert_not_includes people_visible_by_visitor, p4
1965	- end
1966	-
1967	end	1954	end