Download as
Browse Code »

Commit aca26513af1372a9fe398d28ee4b6b706a72d271

Authored by Victor Costa
2 parents 8c9632f9 c4505a85
Exists in staging and in 21 other branches all_pending_tasks_api, api_roles, comments_permissions, elasticsearch, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, environment-exposes-api, external_followers, federation_oauth_provider, follower_permition, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, profile_api_improvements, user_mention

Merge branch 'api-edit-block' into 'master' 

api: endpoint to edit blocks



See merge request !955
Showing 5 changed files with 114 additions and 1 deletions   Show diff stats
app/api/entities.rb
  Diff comments   View file @aca2651
@@ -88,6 +88,9 @@ module Api @@ -88,6 +88,9 @@ module Api
88 expose :id, :type, :settings, :position, :enabled 88 expose :id, :type, :settings, :position, :enabled
89 expose :mirror, :mirror_block_id, :title 89 expose :mirror, :mirror_block_id, :title
90 expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? } 90 expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? }
  91 + expose :permissions do |block, options|
  92 + Entities.permissions_for_entity(block, options[:current_person], :allow_edit?)
  93 + end
91 end 94 end
92 95
93 class Box < Entity 96 class Box < Entity
app/api/v1/blocks.rb
  Diff comments   View file @aca2651
@@ -6,7 +6,14 @@ module Api @@ -6,7 +6,14 @@ module Api
6 get ':id' do 6 get ':id' do
7 block = Block.find(params["id"]) 7 block = Block.find(params["id"])
8 return forbidden! unless block.visible_to_user?(current_person) 8 return forbidden! unless block.visible_to_user?(current_person)
9 - present block, :with => Entities::Block, display_api_content: true 9 + present block, :with => Entities::Block, display_api_content: true, current_person: current_person
  10 + end
  11 +
  12 + post ':id' do
  13 + block = Block.find(params["id"])
  14 + return forbidden! unless block.allow_edit?(current_person)
  15 + block.update_attributes!(params[:block])
  16 + present block, :with => Entities::Block, display_api_content: true, current_person: current_person
10 end 17 end
11 end 18 end
12 end 19 end
app/models/block.rb
  Diff comments   View file @aca2651
@@ -309,6 +309,16 @@ class Block &lt; ApplicationRecord @@ -309,6 +309,16 @@ class Block &lt; ApplicationRecord
309 false 309 false
310 end 310 end
311 311
  312 + def allow_edit?(person)
  313 + return false if person.nil? || (!person.is_admin? && !editable?(person))
  314 + if self.owner.kind_of?(Profile)
  315 + return person.has_permission?(:edit_profile_design, owner)
  316 + elsif self.owner.kind_of?(Environment)
  317 + return person.has_permission?(:edit_environment_design, owner)
  318 + end
  319 + false
  320 + end
  321 +
312 private 322 private
313 323
314 def home_page_path 324 def home_page_path
test/api/blocks_test.rb
  Diff comments   View file @aca2651
@@ -94,4 +94,41 @@ class BlocksTest &lt; ActiveSupport::TestCase @@ -94,4 +94,41 @@ class BlocksTest &lt; ActiveSupport::TestCase
94 assert_equal "<div>test</div>", json["block"]["api_content"]["html"] 94 assert_equal "<div>test</div>", json["block"]["api_content"]["html"]
95 end 95 end
96 96
  97 + should 'not allow block edition when user has not the permission for profile' do
  98 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  99 + block = fast_create(Block, box_id: box.id)
  100 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  101 + assert_equal 403, last_response.status
  102 + end
  103 +
  104 + should 'allow block edition when user has permission to edit profile design' do
  105 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  106 + block = fast_create(Block, box_id: box.id)
  107 + give_permission(person, 'edit_profile_design', profile)
  108 + params[:block] = {title: 'block title'}
  109 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  110 + json = JSON.parse(last_response.body)
  111 + assert_equal 201, last_response.status
  112 + assert_equal 'block title', json['block']['title']
  113 + end
  114 +
  115 + should 'save custom block parameters' do
  116 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  117 + block = fast_create(RawHTMLBlock, box_id: box.id)
  118 + Environment.default.add_admin(person)
  119 + params[:block] = {title: 'block title', html: "block content"}
  120 + post "/api/v1/blocks/#{block.id}?#{params.to_query}"
  121 + json = JSON.parse(last_response.body)
  122 + assert_equal 201, last_response.status
  123 + assert_equal 'block content', json['block']['api_content']['html']
  124 + end
  125 +
  126 + should 'list block permissions when get a block' do
  127 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  128 + block = fast_create(Block, box_id: box.id)
  129 + give_permission(person, 'edit_profile_design', profile)
  130 + get "/api/v1/blocks/#{block.id}?#{params.to_query}"
  131 + json = JSON.parse(last_response.body)
  132 + assert_includes json["block"]["permissions"], 'allow_edit'
  133 + end
97 end 134 end
test/unit/block_test.rb
  Diff comments   View file @aca2651
@@ -421,4 +421,60 @@ class BlockTest &lt; ActiveSupport::TestCase @@ -421,4 +421,60 @@ class BlockTest &lt; ActiveSupport::TestCase
421 block.expects(:display_to_user?).returns(false) 421 block.expects(:display_to_user?).returns(false)
422 assert !block.visible_to_user?(nil) 422 assert !block.visible_to_user?(nil)
423 end 423 end
  424 +
  425 + should 'not allow block edition when user has not the permission for profile design' do
  426 + block = Block.new
  427 + profile = fast_create(Profile)
  428 + block.stubs(:owner).returns(profile)
  429 + person = create_user('person_one').person
  430 + assert !block.allow_edit?(person)
  431 + end
  432 +
  433 + should 'allow block edition when user has permission to edit profile design' do
  434 + block = Block.new
  435 + profile = fast_create(Profile)
  436 + block.stubs(:owner).returns(profile)
  437 + person = create_user('person_one').person
  438 + give_permission(person, 'edit_profile_design', profile)
  439 + assert block.allow_edit?(person)
  440 + end
  441 +
  442 + should 'not allow block edition when user is nil' do
  443 + block = Block.new
  444 + assert !block.allow_edit?(nil)
  445 + end
  446 +
  447 + should 'not allow block edition when block is not editable' do
  448 + block = Block.new
  449 + person = create_user('person_one').person
  450 + block.expects(:editable?).returns(false)
  451 + assert !block.allow_edit?(person)
  452 + end
  453 +
  454 + should 'allow block edition when block is not editable but user is admin' do
  455 + block = Block.new
  456 + profile = fast_create(Profile)
  457 + block.stubs(:owner).returns(profile)
  458 + person = create_user('person_one').person
  459 + Environment.default.add_admin(person)
  460 + block.stubs(:editable?).returns(false)
  461 + assert block.allow_edit?(person)
  462 + end
  463 +
  464 + should 'not allow block edition when user has not the permission for environment design' do
  465 + block = Block.new
  466 + environment = Environment.default
  467 + block.stubs(:owner).returns(environment)
  468 + person = create_user('person_one').person
  469 + assert !block.allow_edit?(person)
  470 + end
  471 +
  472 + should 'allow block edition when user has the permission for environment design' do
  473 + block = Block.new
  474 + environment = Environment.default
  475 + block.stubs(:owner).returns(environment)
  476 + person = create_user('person_one').person
  477 + give_permission(person, 'edit_environment_design', environment)
  478 + assert block.allow_edit?(person)
  479 + end
424 end 480 end