api: restrict access to block endpoint based on block visibility

Victor Costa
1 parent fa9663f8
Showing 3 changed files with 72 additions and 3 deletions Show diff stats
app/models/block.rb
lib/noosfero/api/v1/blocks.rb
test/unit/block_test.rb
@@ -76,6 +76,17 @@ class Block &lt; ApplicationRecord
     true
   end
  
+  def visible_to_user?(user)
+    visible = self.display_to_user?(user)
+    if self.owner.kind_of?(Profile)
+      visible &= self.owner.display_info_to?(user)
+      visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+    elsif self.owner.kind_of?(Environment)
+      visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+    end
+    visible
+  end
+
   def display_to_user?(user)
     display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
   end
@@ -6,9 +6,7 @@ module Noosfero
         resource :blocks do
           get ':id' do
             block = Block.find(params["id"])
-            if block.owner.kind_of?(Profile)
-              return forbidden! unless block.owner.display_info_to?(current_person)
-            end
+            return forbidden! unless block.visible_to_user?(current_person)
             present block, :with => Entities::Block, display_api_content: true
           end
         end
@@ -398,4 +398,64 @@ class BlockTest &lt; ActiveSupport::TestCase
     assert block.get_limit.is_a?(Fixnum)
   end
  
+  should 'return true at visible_to_user? when block is visible' do
+    block = Block.new
+    person = create_user('person_one').person
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user is nil' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    give_permission(person, 'edit_profile_design', community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    give_permission(person, 'edit_environment_design', environment)
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible to user' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(true)
+    block.expects(:display_to_user?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
 end
...	...	@@ -76,6 +76,17 @@ class Block < ApplicationRecord
76	76	true
77	77	end
78	78
	79	+ def visible_to_user?(user)
	80	+ visible = self.display_to_user?(user)
	81	+ if self.owner.kind_of?(Profile)
	82	+ visible &= self.owner.display_info_to?(user)
	83	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_profile_design, self.owner))
	84	+ elsif self.owner.kind_of?(Environment)
	85	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_environment_design, self.owner))
	86	+ end
	87	+ visible
	88	+ end
	89	+
79	90	def display_to_user?(user)
80	91	display_user == 'all' \|\| (user.nil? && display_user == 'not_logged') \|\| (user && display_user == 'logged') \|\| (user && display_user == 'followers' && user.follows?(owner))
81	92	end
...	...
...	...	@@ -6,9 +6,7 @@ module Noosfero
6	6	resource :blocks do
7	7	get ':id' do
8	8	block = Block.find(params["id"])
9		- if block.owner.kind_of?(Profile)
10		- return forbidden! unless block.owner.display_info_to?(current_person)
11		- end
	9	+ return forbidden! unless block.visible_to_user?(current_person)
12	10	present block, :with => Entities::Block, display_api_content: true
13	11	end
14	12	end
...	...
...	...	@@ -398,4 +398,64 @@ class BlockTest < ActiveSupport::TestCase
398	398	assert block.get_limit.is_a?(Fixnum)
399	399	end
400	400
	401	+ should 'return true at visible_to_user? when block is visible' do
	402	+ block = Block.new
	403	+ person = create_user('person_one').person
	404	+ assert block.visible_to_user?(person)
	405	+ end
	406	+
	407	+ should 'return false at visible_to_user? when block is not visible and user is nil' do
	408	+ block = Block.new
	409	+ person = create_user('person_one').person
	410	+ block.stubs(:owner).returns(person)
	411	+ block.expects(:visible?).returns(false)
	412	+ assert !block.visible_to_user?(nil)
	413	+ end
	414	+
	415	+ should 'return false at visible_to_user? when block is not visible and user does not has permission' do
	416	+ block = Block.new
	417	+ person = create_user('person_one').person
	418	+ community = fast_create(Community)
	419	+ block.stubs(:owner).returns(community)
	420	+ block.expects(:visible?).returns(false)
	421	+ assert !block.visible_to_user?(person)
	422	+ end
	423	+
	424	+ should 'return true at visible_to_user? when block is not visible and user has permission' do
	425	+ block = Block.new
	426	+ person = create_user('person_one').person
	427	+ community = fast_create(Community)
	428	+ give_permission(person, 'edit_profile_design', community)
	429	+ block.stubs(:owner).returns(community)
	430	+ block.expects(:visible?).returns(false)
	431	+ assert block.visible_to_user?(person)
	432	+ end
	433	+
	434	+ should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
	435	+ block = Block.new
	436	+ environment = Environment.default
	437	+ person = create_user('person_one').person
	438	+ block.stubs(:owner).returns(environment)
	439	+ block.expects(:visible?).returns(false)
	440	+ assert !block.visible_to_user?(person)
	441	+ end
	442	+
	443	+ should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
	444	+ block = Block.new
	445	+ environment = Environment.default
	446	+ person = create_user('person_one').person
	447	+ give_permission(person, 'edit_environment_design', environment)
	448	+ block.stubs(:owner).returns(environment)
	449	+ block.expects(:visible?).returns(false)
	450	+ assert block.visible_to_user?(person)
	451	+ end
	452	+
	453	+ should 'return false at visible_to_user? when block is not visible to user' do
	454	+ block = Block.new
	455	+ person = create_user('person_one').person
	456	+ block.stubs(:owner).returns(person)
	457	+ block.expects(:visible?).returns(true)
	458	+ block.expects(:display_to_user?).returns(false)
	459	+ assert !block.visible_to_user?(nil)
	460	+ end
401	461	end
...	...