Commit 9db0c7d6b0621dbf73210a0baeaa2910d68afcf7
Merge branch 'fix-blocks-api' into 'master'
api: return invisible blocks to users with permission to edit. See merge request !964
Showing
4 changed files
with
24 additions
and
2 deletions
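--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -97,7 +97,7 @@ module Api
 root 'boxes', 'box'
 expose :id, :position
 expose :blocks, :using => Block do |box, options|
-box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+box.blocks.select {|block| block.visible_to_user?(options[:current_person]) || block.allow_edit?(options[:current_person]) }
 end
 end
 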
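Review bot: The widened filter on line 100 repeats the same `visible_to_user?(...) || allow_edit?(...)` disjunction that this commit also adds to `get ':id'` in app/api/v1/blocks.rb, so the read-authorization rule for blocks now lives in two places that can drift apart. I would put it behind a single predicate on the block model (the name is only a suggestion), e.g. `block.readable_by?(options[:current_person])`, and call that from both sites. A short comment above the select, such as `# editors also receive blocks hidden from display so they can manage them`, would record why an invisible block is returned. The enclosing entity class starts outside the hunk.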
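--- a/app/api/v1/blocks.rb
+++ b/app/api/v1/blocks.rb
@@ -5,7 +5,7 @@ module Api
 resource :blocks do
 get ':id' do
 block = Block.find(params["id"])
-return forbidden! unless block.visible_to_user?(current_person)
+return forbidden! unless block.visible_to_user?(current_person) || block.allow_edit?(current_person)
 present block, :with => Entities::Block, display_api_content: true, current_person: current_person
 end
 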
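Review bot: `allow_edit?(current_person)` on line 8 is now evaluated whenever `visible_to_user?` is false, and that may include requests where `current_person` is nil if this endpoint is reachable without authentication (not visible in this hunk). The check should fail closed in that case; unless `allow_edit?` is known to return false for nil, guard it explicitly with `return forbidden! unless block.visible_to_user?(current_person) || (current_person && block.allow_edit?(current_person))`. A caller admitted through the edit branch also receives the block with `display_api_content: true`, so edit permission now implies read access to the full API content; confirm that is intended.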
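--- a/test/api/blocks_test.rb
+++ b/test/api/blocks_test.rb
@@ -53,6 +53,16 @@ class BlocksTest < ActiveSupport::TestCase
 assert_equal 403, last_response.status
 end
 
+should 'get an invisible profile block for an user with permission' do
+profile = fast_create(Profile, public_profile: false)
+profile.add_admin(person)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/blocks/#{block.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal block.id, json["block"]["id"]
+end
+
 should 'get a block for an user with permission in a private profile' do
 profile = fast_create(Profile, public_profile: false)
 profile.add_admin(person)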
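Review bot: The new test on lines 56–64 never makes the block invisible: it creates a default block in a private profile administered by `person`, which is the same setup the following existing test starts with, so it may pass without the new `allow_edit?` branch. To pin the new behaviour, hide the block from the requester the way the boxes test in this commit does, `block.display_user = 'not_logged'` followed by `block.save!`, and add `assert_equal 200, last_response.status`. A companion case where `person` has no admin role on the profile and the response is 403 would guard the deny path. The existing test after the added one continues outside the hunk.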
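--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -81,6 +81,18 @@ class BoxesTest < ActiveSupport::TestCase
 assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
 end
 
+should 'list a block with not logged in display_user for an admin user' do
+profile = fast_create(Profile)
+profile.add_admin(person)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+block.display_user = 'not_logged'
+block.save!
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
 should 'not list boxes for user without permission' do
 profile = fast_create(Profile, public_profile: false)
 box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)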
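Review bot: Only the allow path of the widened `expose :blocks` filter is tested on lines 84–94; no visible counterpart asserts that a logged-in user without admin rights still does not receive the `display_user = 'not_logged'` block. Unless a test outside this hunk already covers it, add one with the same setup minus `profile.add_admin(person)` and expect `[]` from `json["boxes"].first["blocks"].map {|b| b['id']}`. That keeps a later change to `allow_edit?` from silently exposing hidden blocks through the boxes listing.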