Commit 9db0c7d6b0621dbf73210a0baeaa2910d68afcf7

Authored by Victor Costa
2 parents 0848a8e7 adb9abdd

Merge branch 'fix-blocks-api' into 'master'

api: return invisible blocks to users with permission to edit



See merge request !964
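--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -97,7 +97,7 @@ module Api
 root 'boxes', 'box'
 expose :id, :position
 expose :blocks, :using => Block do |box, options|
-box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+box.blocks.select {|block| block.visible_to_user?(options[:current_person]) || block.allow_edit?(options[:current_person]) }
 end
 end
 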
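Review bot: The read-authorization rule `visible_to_user?(p) || allow_edit?(p)` is now written out twice, in this `expose :blocks` filter and in the `get ':id'` guard in app/api/v1/blocks.rb, so a later change to one path can leave the listing and the single-block endpoint disagreeing. A single model predicate, for example `def accessible_to?(person)` returning `visible_to_user?(person) || allow_edit?(person)` (the name is only a suggestion), would keep both paths aligned. `options[:current_person]` is presumably nil for unauthenticated requests, so it is worth confirming that `allow_edit?` returns false for nil; its body is not shown on this page. The enclosing entity class starts and ends outside the hunk.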
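--- a/app/api/v1/blocks.rb
+++ b/app/api/v1/blocks.rb
@@ -5,7 +5,7 @@ module Api
 resource :blocks do
 get ':id' do
 block = Block.find(params["id"])
-return forbidden! unless block.visible_to_user?(current_person)
+return forbidden! unless block.visible_to_user?(current_person) || block.allow_edit?(current_person)
 present block, :with => Entities::Block, display_api_content: true, current_person: current_person
 end
 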
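Review bot: The access guard in `get ':id'` is now `unless a || b`, which is easy to misread for a check that decides between a 403 and returning content with `display_api_content: true`. Naming the decision makes it harder to invert by accident: `allowed = block.visible_to_user?(current_person) || block.allow_edit?(current_person)` followed by `return forbidden! unless allowed`. A one-line comment above it would also help, such as `# editors may read blocks that are hidden from them so they can manage them`. The `resource :blocks` block continues outside the hunk.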
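--- a/test/api/blocks_test.rb
+++ b/test/api/blocks_test.rb
@@ -53,6 +53,16 @@ class BlocksTest < ActiveSupport::TestCase
 assert_equal 403, last_response.status
 end
 
+should 'get an invisible profile block for an user with permission' do
+profile = fast_create(Profile, public_profile: false)
+profile.add_admin(person)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/blocks/#{block.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal block.id, json["block"]["id"]
+end
+
 should 'get a block for an user with permission in a private profile' do
 profile = fast_create(Profile, public_profile: false)
 profile.add_admin(person)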
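Review bot: The new test 'get an invisible profile block for an user with permission' never makes the block itself invisible, so it may not exercise the added `allow_edit?` branch at all. Its setup (private profile plus `profile.add_admin(person)`) matches the first two lines of the existing test that follows it, which presumably already passed through `visible_to_user?` before this commit; the rest of that test is outside the hunk. Setting a visibility restriction on the block, as the boxes test in this commit does with `block.display_user = 'not_logged'` and `block.save!`, would make the test fail without the fix. Adding `assert_equal 200, last_response.status` before parsing the body would also make an authorization failure show up as a status mismatch rather than a nil-index error.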
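--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -81,6 +81,18 @@ class BoxesTest < ActiveSupport::TestCase
 assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
 end
 
+should 'list a block with not logged in display_user for an admin user' do
+profile = fast_create(Profile)
+profile.add_admin(person)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+block.display_user = 'not_logged'
+block.save!
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
 should 'not list boxes for user without permission' do
 profile = fast_create(Profile, public_profile: false)
 profile.add_admin(person)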
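Review bot: Only the allowed side of the widened filter is tested here; nothing visible in this hunk asserts that a logged-in person without edit permission still does not receive the `display_user = 'not_logged'` block in the boxes listing. Because the change adds an `||` to an authorization filter, a paired negative test guards against `allow_edit?` later becoming more permissive and silently exposing hidden blocks. It would use the same setup without `profile.add_admin(person)` and expect `[]` from `json["boxes"].first["blocks"].map {|b| b['id']}`. Such a test may already exist elsewhere in the file, which is not shown on this page.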