api: restrict access to block endpoint based on block visibility

Victor Costa
1 parent fa9663f8
Showing 3 changed files with 72 additions and 3 deletions Show diff stats
app/models/block.rb
lib/noosfero/api/v1/blocks.rb
test/unit/block_test.rb
@@ -76,6 +76,17 @@ class Block &lt; ApplicationRecord
     true
   end
+  def visible_to_user?(user)
+    visible = self.display_to_user?(user)
+    if self.owner.kind_of?(Profile)
+      visible &= self.owner.display_info_to?(user)
+      visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+    elsif self.owner.kind_of?(Environment)
+      visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+    end
+    visible
+  end
+
   def display_to_user?(user)
     display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
   end
@@ -6,9 +6,7 @@ module Noosfero
         resource :blocks do
           get ':id' do
             block = Block.find(params["id"])
-            if block.owner.kind_of?(Profile)
-              return forbidden! unless block.owner.display_info_to?(current_person)
-            end
+            return forbidden! unless block.visible_to_user?(current_person)
             present block, :with => Entities::Block, display_api_content: true
           end
         end
@@ -398,4 +398,64 @@ class BlockTest &lt; ActiveSupport::TestCase
     assert block.get_limit.is_a?(Fixnum)
   end
+  should 'return true at visible_to_user? when block is visible' do
+    block = Block.new
+    person = create_user('person_one').person
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user is nil' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission' do
+    block = Block.new
+    person = create_user('person_one').person
+    community = fast_create(Community)
+    give_permission(person, 'edit_profile_design', community)
+    block.stubs(:owner).returns(community)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert !block.visible_to_user?(person)
+  end
+
+  should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
+    block = Block.new
+    environment = Environment.default
+    person = create_user('person_one').person
+    give_permission(person, 'edit_environment_design', environment)
+    block.stubs(:owner).returns(environment)
+    block.expects(:visible?).returns(false)
+    assert block.visible_to_user?(person)
+  end
+
+  should 'return false at visible_to_user? when block is not visible to user' do
+    block = Block.new
+    person = create_user('person_one').person
+    block.stubs(:owner).returns(person)
+    block.expects(:visible?).returns(true)
+    block.expects(:display_to_user?).returns(false)
+    assert !block.visible_to_user?(nil)
+  end
 end
	@@ -76,6 +76,17 @@ class Block < ApplicationRecord		@@ -76,6 +76,17 @@ class Block < ApplicationRecord
76	true	76	true
77	end	77	end
78		78
		79	+ def visible_to_user?(user)
		80	+ visible = self.display_to_user?(user)
		81	+ if self.owner.kind_of?(Profile)
		82	+ visible &= self.owner.display_info_to?(user)
		83	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_profile_design, self.owner))
		84	+ elsif self.owner.kind_of?(Environment)
		85	+ visible &= (self.visible? \|\| user && user.has_permission?(:edit_environment_design, self.owner))
		86	+ end
		87	+ visible
		88	+ end
		89	+
79	def display_to_user?(user)	90	def display_to_user?(user)
80	display_user == 'all' \|\| (user.nil? && display_user == 'not_logged') \|\| (user && display_user == 'logged') \|\| (user && display_user == 'followers' && user.follows?(owner))	91	display_user == 'all' \|\| (user.nil? && display_user == 'not_logged') \|\| (user && display_user == 'logged') \|\| (user && display_user == 'followers' && user.follows?(owner))
81	end	92	end
	@@ -398,4 +398,64 @@ class BlockTest < ActiveSupport::TestCase		@@ -398,4 +398,64 @@ class BlockTest < ActiveSupport::TestCase
398	assert block.get_limit.is_a?(Fixnum)	398	assert block.get_limit.is_a?(Fixnum)
399	end	399	end
400		400
		401	+ should 'return true at visible_to_user? when block is visible' do
		402	+ block = Block.new
		403	+ person = create_user('person_one').person
		404	+ assert block.visible_to_user?(person)
		405	+ end
		406	+
		407	+ should 'return false at visible_to_user? when block is not visible and user is nil' do
		408	+ block = Block.new
		409	+ person = create_user('person_one').person
		410	+ block.stubs(:owner).returns(person)
		411	+ block.expects(:visible?).returns(false)
		412	+ assert !block.visible_to_user?(nil)
		413	+ end
		414	+
		415	+ should 'return false at visible_to_user? when block is not visible and user does not has permission' do
		416	+ block = Block.new
		417	+ person = create_user('person_one').person
		418	+ community = fast_create(Community)
		419	+ block.stubs(:owner).returns(community)
		420	+ block.expects(:visible?).returns(false)
		421	+ assert !block.visible_to_user?(person)
		422	+ end
		423	+
		424	+ should 'return true at visible_to_user? when block is not visible and user has permission' do
		425	+ block = Block.new
		426	+ person = create_user('person_one').person
		427	+ community = fast_create(Community)
		428	+ give_permission(person, 'edit_profile_design', community)
		429	+ block.stubs(:owner).returns(community)
		430	+ block.expects(:visible?).returns(false)
		431	+ assert block.visible_to_user?(person)
		432	+ end
		433	+
		434	+ should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
		435	+ block = Block.new
		436	+ environment = Environment.default
		437	+ person = create_user('person_one').person
		438	+ block.stubs(:owner).returns(environment)
		439	+ block.expects(:visible?).returns(false)
		440	+ assert !block.visible_to_user?(person)
		441	+ end
		442	+
		443	+ should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
		444	+ block = Block.new
		445	+ environment = Environment.default
		446	+ person = create_user('person_one').person
		447	+ give_permission(person, 'edit_environment_design', environment)
		448	+ block.stubs(:owner).returns(environment)
		449	+ block.expects(:visible?).returns(false)
		450	+ assert block.visible_to_user?(person)
		451	+ end
		452	+
		453	+ should 'return false at visible_to_user? when block is not visible to user' do
		454	+ block = Block.new
		455	+ person = create_user('person_one').person
		456	+ block.stubs(:owner).returns(person)
		457	+ block.expects(:visible?).returns(true)
		458	+ block.expects(:display_to_user?).returns(false)
		459	+ assert !block.visible_to_user?(nil)
		460	+ end
401	end	461	end