API improvements:

- Add several endpoints - Add some API documentation - Fix plugins API hotspot Signed-off-by: Victor Costa <vfcosta@gmail.com> Signed-off-by: Leandro Nunes dos Santos <leandronunes@gmail.com> Signed-off-by: Evandro Junior <evandrojr@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Caio SBA <caio@colivre.coop.br> Signed-off-by: Carlos Purificacao <carloseugenio@gmail.com> Signed-off-by: Ábner Silva de Oliveira <abner.oliveira@serpro.gov.br> Signed-off-by: Aurelio A. Heckert <aurelio@colivre.coop.br> Signed-off-by: Evandro Magalhaes Leite Junior <evandro.leite@serpro.gov.br> Signed-off-by: Marcelo Júnior <maljunior@gmail.com> Signed-off-by: Michel Felipe de Oliveira Ferreira <michel.ferreira@serpro.gov.br> Signed-off-by: Larissa Reis <larissa@colivre.coop.br> Signed-off-by: ABNER SILVA DE OLIVEIRA <abner.oliveira@serpro.gov.br> Signed-off-by: Luciano Prestes Cavalcanti <lucianopcbr@gmail.com> Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com> Signed-off-by: Simião Carvalho <simiaosimis@gmail.com> Signed-off-by: Gabriel Silva <gabriel93.silva@gmail.com>

API improvements:
- Add several endpoints - Add some API documentation - Fix plugins API hotspot Signed-off-by: Victor Costa <vfcosta@gmail.com> Signed-off-by: Leandro Nunes dos Santos <leandronunes@gmail.com> Signed-off-by: Evandro Junior <evandrojr@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Caio SBA <caio@colivre.coop.br> Signed-off-by: Carlos Purificacao <carloseugenio@gmail.com> Signed-off-by: Ábner Silva de Oliveira <abner.oliveira@serpro.gov.br> Signed-off-by: Aurelio A. Heckert <aurelio@colivre.coop.br> Signed-off-by: Evandro Magalhaes Leite Junior <evandro.leite@serpro.gov.br> Signed-off-by: Marcelo Júnior <maljunior@gmail.com> Signed-off-by: Michel Felipe de Oliveira Ferreira <michel.ferreira@serpro.gov.br> Signed-off-by: Larissa Reis <larissa@colivre.coop.br> Signed-off-by: ABNER SILVA DE OLIVEIRA <abner.oliveira@serpro.gov.br> Signed-off-by: Luciano Prestes Cavalcanti <lucianopcbr@gmail.com> Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com> Signed-off-by: Simião Carvalho <simiaosimis@gmail.com> Signed-off-by: Gabriel Silva <gabriel93.silva@gmail.com>
Marcos Pereira · Rodrigo Souto · Marcos Pereira · Marcos Pereira
1 parent 13fd87d5
Showing 26 changed files with 1392 additions and 196 deletions Show diff stats
app/controllers/application_controller.rb
lib/find_by_contents.rb
lib/noosfero/api/api.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/session.rb
lib/noosfero/api/v1/articles.rb
lib/noosfero/api/v1/comments.rb
lib/noosfero/api/v1/contacts.rb
lib/noosfero/api/v1/environments.rb
lib/noosfero/api/v1/people.rb
lib/noosfero/api/v1/search.rb
lib/noosfero/api/v1/tags.rb
lib/noosfero/api/v1/users.rb
lib/sanitize_params.rb
test/unit/api/articles_test.rb
test/unit/api/categories_test.rb
test/unit/api/comments_test.rb
test/unit/api/communities_test.rb
test/unit/api/enterprises_test.rb
@@ -184,13 +184,7 @@ class ApplicationController &lt; ActionController::Base
   end
  
   include SearchTermHelper
-
-  def find_by_contents(asset, context, scope, query, paginate_options={:page => 1}, options={})
-    scope = scope.with_templates(options[:template_id]) unless options[:template_id].blank?
-    search = plugins.dispatch_first(:find_by_contents, asset, scope, query, paginate_options, options)
-    register_search_term(query, scope.count, search[:results].count, context, asset)
-    search
-  end
+  include FindByContents
  
   def find_suggestions(query, context, asset, options={})
     plugins.dispatch_first(:find_suggestions, query, context, asset, options)
@@ -0,0 +1,11 @@
+module FindByContents
+
+  def find_by_contents(asset, context, scope, query, paginate_options={:page => 1}, options={})
+    scope = scope.with_templates(options[:template_id]) unless options[:template_id].blank?
+    search = plugins.dispatch_first(:find_by_contents, asset, scope, query, paginate_options, options)
+    register_search_term(query, scope.count, search[:results].count, context, asset)
+    search
+  end
+
+end
+
 require 'grape'
 #require 'rack/contrib'
-
 Dir["#{Rails.root}/lib/noosfero/api/*.rb"].each {|file| require file unless file =~ /api\.rb/}
+
 module Noosfero
   module API
     class API < Grape::API
@@ -17,7 +17,6 @@ module Noosfero
       end
  
       @@NOOSFERO_CONF = nil
-
       def self.NOOSFERO_CONF
         if @@NOOSFERO_CONF
           @@NOOSFERO_CONF
@@ -27,9 +26,11 @@ module Noosfero
         end
       end
  
+      before { set_locale  }
       before { setup_multitenancy }
       before { detect_stuff_by_domain }
       before { filter_disabled_plugins_endpoints }
+      before { init_noosfero_plugins }
       after { set_session_cookie }
  
       version 'v1'
@@ -41,11 +42,17 @@ module Noosfero
  
       mount V1::Articles
       mount V1::Comments
+      mount V1::Users
       mount V1::Communities
       mount V1::People
       mount V1::Enterprises
       mount V1::Categories
       mount V1::Tasks
+      mount V1::Tags
+      mount V1::Environments
+      mount V1::Search
+      mount V1::Contacts
+
       mount Session
  
       # hook point which allow plugins to add Grape::API extensions to API::API
@@ -6,6 +6,17 @@ module Noosfero
         date.strftime('%Y/%m/%d %H:%M:%S') if date
       end
  
+      def self.can_display? profile, options, field, admin_only = false
+        current = options[:current_person]
+        admin = !current.blank? && current.is_admin?
+        owner = !current.blank? && current == profile
+        public_field = profile.public_fields.include? field.to_s
+        friend = !current.blank? && current.friends.include?(profile)
+
+        return true if admin
+        return !admin_only && (owner||friend||public_field)
+      end
+
       class Image < Entity
         root 'images', 'image'
  
@@ -30,66 +41,81 @@ module Noosfero
         end
       end
  
+      class CategoryBase < Entity
+        root 'categories', 'category'
+        expose :name, :id, :slug
+      end
+
+      class Category < CategoryBase
+        root 'categories', 'category'
+        expose :full_name do |category, options|
+          category.full_name
+        end
+        expose :parent, :using => CategoryBase, if: { parent: true }
+        expose :children, :using => CategoryBase, if: { children: true }
+        expose :image, :using => Image
+        expose :display_color
+      end
+
+      class Region < Category
+        root 'regions', 'region'
+        expose :parent_id
+      end
+
       class Profile < Entity
         expose :identifier, :name, :id
         expose :created_at, :format_with => :timestamp
         expose :updated_at, :format_with => :timestamp
         expose :image, :using => Image
+        expose :region, :using => Region
       end
  
-      class User < Entity
+      class UserBasic < Entity
         expose :id
         expose :login
       end
  
       class Person < Profile
         root 'people', 'person'
-        expose :user, :using => User
+        expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
       end
+
       class Enterprise < Profile
         root 'enterprises', 'enterprise'
       end
+
       class Community < Profile
         root 'communities', 'community'
         expose :description
-        expose :categories
-        expose :members, :using => Person
-      end
-
-      class CategoryBase < Entity
-        root 'categories', 'category'
-        expose :name, :id
-      end
-
-      class Category < CategoryBase
-        root 'categories', 'category'
-        expose :slug
-        expose :full_name do |category, options|
-          category.full_name
+        expose :admins do |community, options|
+          community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id}}
         end
-        expose :parent, :using => CategoryBase, if: { parent: true }
-        expose :children, :using => CategoryBase, if: { children: true }
-        expose :image, :using => Image
+        expose :categories, :using => Category
+        expose :members, :using => Person
       end
  
       class ArticleBase < Entity
         root 'articles', 'article'
         expose :id
         expose :body
-        expose :abstract
+        expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
         expose :created_at, :format_with => :timestamp
         expose :updated_at, :format_with => :timestamp
         expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
-        expose :created_by, :as => :author, :using => Profile
-        expose :profile, :using => Profile
+        expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
+        expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
         expose :categories, :using => Category
         expose :image, :using => Image
-        #TODO Apply vote stuff in core and make this test
         expose :votes_for
         expose :votes_against
         expose :setting
         expose :position
         expose :hits
+        expose :start_date
+        expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
+        expose :tag_list
+        expose :children_count
+        expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
         expose :path
       end
  
@@ -106,8 +132,31 @@ module Noosfero
         expose :author, :using => Profile
       end
  
+      class User < Entity
+        root 'users', 'user'
+
+        attrs = [:id,:login,:email,:activated?]
+        aliases = {:activated? => :activated}
+
+        attrs.each do |attribute|
+          name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
+          expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display?(user.person, options, attribute)}
+        end
+
+        expose :person, :using => Person
+        expose :permissions, :if => lambda{|user,options| Entities.can_display?(user.person, options, :permissions, true)} do |user, options|
+          output = {}
+          user.person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
+              output[role_assigment.resource.identifier] = role_assigment.role.permissions
+            end
+          end
+          output
+        end
+      end
+
       class UserLogin < User
-        expose :private_token
+        expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}
       end
  
       class Task < Entity
@@ -116,6 +165,16 @@ module Noosfero
         expose :type
       end
  
+      class Environment < Entity
+        expose :name
+      end
+
+      class Tag < Entity
+        root 'tags', 'tag'
+        expose :name
+      end
+
+
     end
   end
 end
-module Noosfero
-  module API
-    module APIHelpers
+require 'grape'
+require_relative '../../find_by_contents'
+
+  module Noosfero;
+    module API
+      module APIHelpers
       PRIVATE_TOKEN_PARAM = :private_token
-      DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
+      DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id]
+
+      include SanitizeParams
+      include Noosfero::Plugin::HotSpot
+      include ForgotPasswordHelper
+      include SearchTermHelper
+
+      def set_locale
+        I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
+      end
+
+      def init_noosfero_plugins
+        plugins
+      end
  
       def current_user
         private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
@@ -23,6 +39,22 @@ module Noosfero
         @environment
       end
  
+      include FindByContents
+
+      ####################################################################
+      #### SEARCH
+      ####################################################################
+      def multiple_search?(searches=nil)
+        ['index', 'category_index'].include?(params[:action]) || (searches && searches.size > 1)
+      end
+      ####################################################################
+
+      def logger
+        logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+        logger.formatter = GrapeLogging::Formatters::Default.new
+        logger
+      end
+
       def limit
         limit = params[:limit].to_i
         limit = default_limit if limit <= 0
@@ -50,7 +82,7 @@ module Noosfero
  
       def find_article(articles, id)
         article = articles.find(id)
-        article.display_to?(current_user.person) ? article : forbidden!
+        article.display_to?(current_person) ? article : forbidden!
       end
  
       def post_article(asset, params)
@@ -75,12 +107,25 @@ module Noosfero
         present article, :with => Entities::Article, :fields => params[:fields]
       end
  
-      def present_articles(asset)
-        articles = select_filtered_collection_of(asset, 'articles', params)
-        articles = articles.display_filter(current_person, nil)
+      def present_articles_for_asset(asset, method = 'articles')
+        articles = find_articles(asset, method)
+        present_articles(articles)
+      end
+
+      def present_articles(articles)
         present articles, :with => Entities::Article, :fields => params[:fields]
       end
  
+      def find_articles(asset, method = 'articles')
+        articles = select_filtered_collection_of(asset, method, params)
+        if current_person.present?
+          articles = articles.display_filter(current_person, nil)
+        else
+          articles = articles.published
+        end
+        articles
+      end
+
       def find_task(asset, id)
         task = asset.tasks.find(id)
         current_person.has_permission?(task.permission, asset) ? task : forbidden!
@@ -127,8 +172,27 @@ module Noosfero
         conditions
       end
  
-      def make_order_with_parameters(params)
-        params[:order] || "created_at DESC"
+      # changing make_order_with_parameters to avoid sql injection
+      def make_order_with_parameters(object, method, params)
+        order = "created_at DESC"
+        unless params[:order].blank?
+          if params[:order].include? '\'' or params[:order].include? '"'
+            order = "created_at DESC"
+          elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+            order = 'RANDOM()'
+          else
+            field_name, direction = params[:order].split(' ')
+            assoc = object.class.reflect_on_association(method.to_sym)
+            if !field_name.blank? and assoc
+              if assoc.klass.attribute_names.include? field_name
+                if direction.present? and ['ASC','DESC'].include? direction.upcase
+                  order = "#{field_name} #{direction.upcase}"
+                end
+              end
+            end
+          end
+        end
+        return order
       end
  
       def make_page_number_with_parameters(params)
@@ -152,25 +216,36 @@ module Noosfero
       end
  
       def by_reference(scope, params)
-        if params[:reference_id]
-          created_at = scope.find(params[:reference_id]).created_at
-          scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
+        reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
+        if reference_id.nil?
+          scope
         else
+          created_at = scope.find(reference_id).created_at
+          scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
+         end
+      end
+
+      def by_categories(scope, params)
+        category_ids = params[:category_ids]
+        if category_ids.nil?
           scope
+        else
+          scope.joins(:categories).where(:categories => {:id => category_ids})
         end
       end
  
       def select_filtered_collection_of(object, method, params)
         conditions = make_conditions_with_parameter(params)
-        order = make_order_with_parameters(params)
+        order = make_order_with_parameters(object,method,params)
         page_number = make_page_number_with_parameters(params)
         per_page = make_per_page_with_parameters(params)
         timestamp = make_timestamp_with_parameters_and_method(params, method)
  
         objects = object.send(method)
         objects = by_reference(objects, params)
+        objects = by_categories(objects, params)
  
-        objects = objects.where(conditions).where(timestamp).page(page_number).per_page(per_page).order(order)
+        objects = objects.where(conditions).where(timestamp).page(page_number).per_page(per_page).reorder(order)
  
         objects
       end
@@ -179,6 +254,7 @@ module Noosfero
         unauthorized! unless current_user
       end
  
+
       # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
       # or a Bad Request error is invoked.
       #
@@ -198,20 +274,6 @@ module Noosfero
         attrs
       end
  
-      def verify_recaptcha_v2(remote_ip, g_recaptcha_response, private_key, api_recaptcha_verify_uri)
-        verify_hash = {
-          "secret"    => private_key,
-          "remoteip"  => remote_ip,
-          "response"  => g_recaptcha_response
-        }
-        uri = URI(api_recaptcha_verify_uri)
-        https = Net::HTTP.new(uri.host, uri.port)
-        https.use_ssl = true
-        request = Net::HTTP::Post.new(uri.path)
-        request.set_form_data(verify_hash)
-        JSON.parse(https.request(request).body)
-      end
-
       ##########################################
       #              error helpers             #
       ##########################################
@@ -247,13 +309,22 @@ module Noosfero
         render_api_error!(_('Method Not Allowed'), 405)
       end
  
-      def render_api_error!(message, status)
-        error!({'message' => message, :code => status}, status)
+      # javascript_console_message is supposed to be executed as console.log()
+      def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
+        message_hash = {'message' => user_message, :code => status}
+        message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
+        log_msg = "#{status}, User message: #{user_message}"
+        log_msg = "#{log_message}, #{log_msg}" if log_message.present?
+        log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
+        logger.error log_msg unless Rails.env.test?
+        error!(message_hash, status)
       end
  
       def render_api_errors!(messages)
+        messages = messages.to_a if messages.class == ActiveModel::Errors
         render_api_error!(messages.join(','), 400)
       end
+
       protected
  
       def set_session_cookie
@@ -278,7 +349,7 @@ module Noosfero
       end
  
       def filter_disabled_plugins_endpoints
-        not_found! if Noosfero::API::API.endpoint_unavailable?(self, !@environment)
+        not_found! if Noosfero::API::API.endpoint_unavailable?(self, @environment)
       end
  
       private
@@ -305,7 +376,6 @@ module Noosfero
       def period(from_date, until_date)
         begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
         end_period = until_date.nil? ? DateTime.now : until_date
-
         begin_period..end_period
       end
  
@@ -2,7 +2,6 @@ require &quot;uri&quot;
  
 module Noosfero
   module API
-
     class Session < Grape::API
  
       # Login to get token
@@ -14,11 +13,15 @@ module Noosfero
       # Example Request:
       #  POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
       post "/login" do
-        user ||= User.authenticate(params[:login], params[:password], environment)
+        begin
+          user ||= User.authenticate(params[:login], params[:password], environment)
+        rescue NoosferoExceptions::UserNotActivated => e
+          render_api_error!(e.message, 401)
+        end
  
         return unauthorized! unless user
         @current_user = user
-        present user, :with => Entities::UserLogin
+        present user, :with => Entities::UserLogin, :current_person => current_person
       end
  
       # Create user.
@@ -28,34 +31,103 @@ module Noosfero
       #   password (required)               - Password
       #   login                             - login
       # Example Request:
-      #   POST /register?email=some@mail.com&password=pas&login=some
+      #   POST /register?email=some@mail.com&password=pas&password_confirmation=pas&login=some
       params do
         requires :email, type: String, desc: _("Email")
         requires :login, type: String, desc: _("Login")
         requires :password, type: String, desc: _("Password")
       end
+
       post "/register" do
-        unique_attributes! User, [:email, :login]
-        attrs = attributes_for_keys [:email, :login, :password]
-        attrs[:password_confirmation] = attrs[:password]
-
-        #Commented for stress tests
-
-        # remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
-        # private_key = API.NOOSFERO_CONF['api_recaptcha_private_key']
-        # api_recaptcha_verify_uri = API.NOOSFERO_CONF['api_recaptcha_verify_uri']
-        # captcha_result = verify_recaptcha_v2(remote_ip, params['g-recaptcha-response'], private_key, api_recaptcha_verify_uri)
-        user = User.new(attrs)
-#        if captcha_result["success"] and user.save
-        if user.save
-          user.activate
-          user.generate_private_token!
-          present user, :with => Entities::UserLogin
-        else
-          message = user.errors.to_json
+        attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
+        name = params[:name].present? ? params[:name] : attrs[:email]
+        attrs[:password_confirmation] = attrs[:password] if !attrs.has_key?(:password_confirmation)
+        user = User.new(attrs.merge(:name => name))
+
+        begin
+          user.signup!
+          user.generate_private_token! if user.activated?
+          present user, :with => Entities::UserLogin, :current_person => current_person
+        rescue ActiveRecord::RecordInvalid
+          message = user.errors.as_json.merge((user.person.present? ? user.person.errors : {}).as_json).to_json
           render_api_error!(message, 400)
         end
       end
+
+      params do
+        requires :activation_code, type: String, desc: _("Activation token")
+      end
+
+      # Activate a user.
+      #
+      # Parameter:
+      #   activation_code (required)                  - Activation token
+      # Example Request:
+      #   PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
+      patch "/activate" do
+        user = User.find_by_activation_code(params[:activation_code])
+        if user
+          unless user.environment.enabled?('admin_must_approve_new_users')
+            if user.activate
+                user.generate_private_token!
+                present user, :with => Entities::UserLogin, :current_person => current_person
+            end
+          else
+            if user.create_moderate_task
+              user.activation_code = nil
+              user.save!
+
+              # Waiting for admin moderate user registration
+              status 202
+              body({
+                :message => 'Waiting for admin moderate user registration'
+              })
+            end
+          end
+        else
+          # Token not found in database
+          render_api_error!(_('Token is invalid'), 412)
+        end
+      end
+
+      # Request a new password.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /forgot_password?value=some@mail.com
+      post "/forgot_password" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        requestors.each do |requestor|
+          ChangePassword.create!(:requestor => requestor)
+        end
+      end
+
+      params do
+        requires :code, type: String, desc: _("Forgot password code")
+      end
+      # Change password
+      #
+      # Parameters:
+      #   code (required)                  - Change password code
+      #   password (required)
+      #   password_confirmation (required)
+      # Example Request:
+      #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+      patch "/new_password" do
+        change_password = ChangePassword.find_by_code(params[:code])
+        not_found! if change_password.nil?
+
+        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+          change_password.finish
+          present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
+        else
+          something_wrong!
+        end
+      end
+
     end
   end
 end
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class Articles < Grape::API
-        before { authenticate! }
  
         ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
  
@@ -17,39 +16,148 @@ module Noosfero
           #
           # Example Request:
           #  GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+
+          desc 'Return all articles of all kinds' do
+            detail 'Get all articles filtered by fields in query params'
+            params Noosfero::API::Entities::Article.documentation
+            success Noosfero::API::Entities::Article
+            failure [[403, 'Forbidden']]
+            named 'ArticlesList'
+            headers [
+              'Per-Page' => {
+                    description: 'Total number of records',
+                    required: false
+                }
+              ]
+          end
           get do
-            present_articles(environment)
+            present_articles_for_asset(environment)
           end
  
-          desc "Return the article id"
-          get ':id' do
+          desc "Return one article by id" do
+            detail 'Get only one article by id. If not found the "forbidden" http error is showed'
+            params Noosfero::API::Entities::Article.documentation
+            success Noosfero::API::Entities::Article
+            failure [[403, 'Forbidden']]
+            named 'ArticleById'
+          end
+          get ':id', requirements: {id: /[0-9]+/} do
             present_article(environment)
           end
  
+          post ':id' do
+            article = environment.articles.find(params[:id])
+            return forbidden! unless article.allow_edit?(current_person)
+            article.update_attributes!(params[:article])
+            present article, :with => Entities::Article, :fields => params[:fields]
+          end
+
+          desc 'Report a abuse and/or violent content in a article by id' do
+            detail 'Submit a abuse (in general, a content violation) report about a specific article'
+            params Noosfero::API::Entities::Article.documentation
+            failure [[400, 'Bad Request']]
+            named 'ArticleReportAbuse'
+          end
+          post ':id/report_abuse' do
+            article = find_article(environment.articles, params[:id])
+            profile = article.profile
+            begin
+              abuse_report = AbuseReport.new(:reason => params[:report_abuse])
+              if !params[:content_type].blank?
+                article = params[:content_type].constantize.find(params[:content_id])
+                abuse_report.content = article_reported_version(article)
+              end
+
+              current_person.register_report(abuse_report, profile)
+
+              if !params[:content_type].blank?
+                abuse_report = AbuseReport.find_by_reporter_id_and_abuse_complaint_id(current_person.id, profile.opened_abuse_complaint.id)
+                Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
+              end
+
+              {
+                :success => true,
+                :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
+              }
+            rescue Exception => exception
+              #logger.error(exception.to_s)
+              render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
+            end
+
+          end
+
+          desc "Returns the articles I voted" do
+            detail 'Get the Articles I make a vote'
+            failure [[403, 'Forbidden']]
+            named 'ArticleFollowers'
+          end
+           #FIXME refactor this method
+          get 'voted_by_me' do
+            present_articles(current_person.votes.collect(&:voteable))
+          end
+
+          desc 'Perform a vote on a article by id' do
+            detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
+            params Noosfero::API::Entities::UserLogin.documentation
+            failure [[401,'Unauthorized']]
+            named 'ArticleVote'
+          end
+          post ':id/vote' do
+            authenticate!
+            value = (params[:value] || 1).to_i
+            # FIXME verify allowed values
+            render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
+            article = find_article(environment.articles, params[:id])
+            vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
+            {:vote => vote.save}
+          end
+
+          desc 'Return the children of a article identified by id' do
+            detail 'Get all children articles of a specific article'
+            params Noosfero::API::Entities::Article.documentation
+            failure [[403, 'Forbidden']]
+            named 'ArticleChildren'
+          end
+
           get ':id/children' do
             article = find_article(environment.articles, params[:id])
  
             #TODO make tests for this situation
             votes_order = params.delete(:order) if params[:order]=='votes_score'
             articles = select_filtered_collection_of(article, 'children', params)
-            articles = articles.display_filter(current_person, nil)
-
+            articles = articles.display_filter(current_person, article.profile)
  
             #TODO make tests for this situation
             if votes_order
               articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
             end
-
             Article.hit(articles)
-            present articles, :with => Entities::Article, :fields => params[:fields]
+            present_articles(articles)
           end
  
+          desc 'Return one child of a article identified by id' do
+            detail 'Get a child of a specific article'
+            params Noosfero::API::Entities::Article.documentation
+            success Noosfero::API::Entities::Article
+            failure [[403, 'Forbidden']]
+            named 'ArticleChild'
+          end
           get ':id/children/:child_id' do
             article = find_article(environment.articles, params[:id])
-            present find_article(article.children, params[:child_id]), :with => Entities::Article, :fields => params[:fields]
+            child = find_article(article.children, params[:child_id])
+            child.hit
+            present child, :with => Entities::Article, :fields => params[:fields]
           end
  
+          desc 'Suggest a article to another profile' do
+            detail 'Suggest a article to another profile (person, community...)'
+            params Noosfero::API::Entities::Article.documentation
+            success Noosfero::API::Entities::Task
+            failure [[401,'Unauthorized']]
+            named 'ArticleSuggest'
+          end
           post ':id/children/suggest' do
+            authenticate!
             parent_article = environment.articles.find(params[:id])
  
             suggest_article = SuggestArticle.new
@@ -66,8 +174,15 @@ module Noosfero
  
           # Example Request:
           #  POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
+          desc 'Add a child article to a parent identified by id' do
+            detail 'Create a new article and associate to a parent'
+            params Noosfero::API::Entities::Article.documentation
+            success Noosfero::API::Entities::Article
+            failure [[401,'Unauthorized']]
+            named 'ArticleAddChild'
+          end
           post ':id/children' do
-
+            authenticate!
             parent_article = environment.articles.find(params[:id])
             return forbidden! unless parent_article.allow_create?(current_person)
  
@@ -95,11 +210,37 @@ module Noosfero
           resource kind.pluralize.to_sym do
             segment "/:#{kind}_id" do
               resource :articles do
+
+                desc "Return all articles associate with a profile of type #{kind}" do
+                  detail 'Get a list of articles of a profile'
+                  params Noosfero::API::Entities::Article.documentation
+                  success Noosfero::API::Entities::Article
+                  failure [[403, 'Forbidden']]
+                  named 'ArticlesOfProfile'
+                end
                 get do
                   profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
-                  present_articles(profile)
+
+                  if params[:path].present?
+                    article = profile.articles.find_by_path(params[:path])
+                    if !article || !article.display_to?(current_person)
+                      article = forbidden!
+                    end
+
+                    present article, :with => Entities::Article, :fields => params[:fields]
+                  else
+
+                    present_articles_for_asset(profile)
+                  end
                 end
  
+                desc "Return a article associate with a profile of type #{kind}" do
+                  detail 'Get only one article of a profile'
+                  params Noosfero::API::Entities::Article.documentation
+                  success Noosfero::API::Entities::Article
+                  failure [[403, 'Forbidden']]
+                  named 'ArticleOfProfile'
+                end
                 get ':id' do
                   profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
                   present_article(profile)
@@ -107,6 +248,13 @@ module Noosfero
  
                 # Example Request:
                 #  POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
+                desc "Add a new article associated with a profile of type #{kind}" do
+                  detail 'Create a new article and associate with a profile'
+                  params Noosfero::API::Entities::Article.documentation
+                  success Noosfero::API::Entities::Article
+                  failure [[403, 'Forbidden']]
+                  named 'ArticleCreateToProfile'
+                end
                 post do
                   profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
                   post_article(profile, params)
@@ -30,8 +30,8 @@ module Noosfero
           #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
           post ":id/comments" do
             article = find_article(environment.articles, params[:id])
-            options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person)
-            present article.comments.create(options), :with => Entities::Comment
+            options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
+            present Comment.create(options), :with => Entities::Comment
           end
         end
  
@@ -0,0 +1,28 @@
+module Noosfero
+  module API
+    module V1
+      class Contacts < Grape::API
+
+        resource :communities do
+
+          resource ':id/contact' do
+            #contact => {:name => 'some name', :email => 'test@mail.com', :subject => 'some title', :message => 'some message'}
+            desc "Send a contact message"
+            post do
+              profile = environment.communities.find(params[:id])
+              forbidden! unless profile.present?
+              contact = Contact.new params[:contact].merge(dest: profile)
+              if contact.deliver
+                {:success => true}
+              else
+                {:success => false}
+              end
+            end
+
+          end
+        end
+
+      end
+    end
+  end
+end
@@ -0,0 +1,18 @@
+module Noosfero
+  module API
+    module V1
+      class Environments < Grape::API
+  
+        resource :environment do
+  
+          desc "Return the person information"
+          get '/signup_person_fields' do
+            present environment.signup_person_fields
+          end
+  
+        end
+  
+      end
+    end
+  end
+end
@@ -48,6 +48,13 @@ module Noosfero
             present person, :with => Entities::Person
           end
  
+          desc "Update person information"
+          post ':id' do
+            return forbidden! if current_person.id.to_s != params[:id]
+            current_person.update_attributes!(params[:person])
+            present current_person, :with => Entities::Person
+          end
+
           # Example Request:
           #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
           desc "Create person"
@@ -0,0 +1,43 @@
+module Noosfero
+  module API
+    module V1
+      class Search < Grape::API
+
+        resource :search do
+          resource :article do
+            get do
+              # Security checks
+              sanitize_params_hash(params)
+              # APIHelpers
+              asset = :articles
+              context = environment
+
+              profile = environment.profiles.find(params[:profile_id]) if params[:profile_id]
+              scope = profile.nil? ? environment.articles.public : profile.articles.public
+              scope = scope.where(:type => params[:type]) if params[:type] && !(params[:type] == 'Article')
+              scope = scope.where(:parent_id => params[:parent_id]) if params[:parent_id].present?
+              scope = scope.joins(:categories).where(:categories => {:id => params[:category_ids]}) if params[:category_ids].present?
+              query = params[:query] || ""
+              order = "more_recent"
+
+              options = {:filter => order, :template_id => params[:template_id]}
+
+              paginate_options = params.select{|k,v| [:page, :per_page].include?(k.to_sym)}
+              paginate_options.each_pair{|k,v| v=v.to_i}
+              paginate_options[:page]=1 if !paginate_options.keys.include?(:page)
+
+              search_result = find_by_contents(asset, context, scope, query, paginate_options.symbolize_keys, options)
+
+              articles = search_result[:results]
+
+              result = present_articles(articles)
+
+              result
+            end
+          end
+        end
+
+      end
+    end
+  end
+end
@@ -0,0 +1,30 @@
+module Noosfero
+  module API
+    module V1
+      class Tags < Grape::API
+        before { authenticate! }
+  
+        resource :articles do
+
+          resource ':id/tags' do
+  
+            get do
+              article = find_article(environment.articles, params[:id])
+              present article.tag_list
+            end
+    
+            desc "Add a tag to an article"
+            post do
+              article = find_article(environment.articles, params[:id])
+              article.tag_list=params[:tags]
+              article.save
+              present article.tag_list
+            end
+    
+          end
+        end
+  
+      end
+    end
+  end
+end
@@ -0,0 +1,56 @@
+module Noosfero
+  module API
+    module V1
+      class Users < Grape::API
+        before { authenticate! }
+
+        resource :users do
+
+          get do
+            users = select_filtered_collection_of(environment, 'users', params)
+            users = users.select{|u| u.person.display_info_to? current_person}
+            present users, :with => Entities::User, :current_person => current_person
+          end
+
+          # Example Request:
+          #  POST api/v1/users?user[login]=some_login&user[password]=some
+          post do
+            user = User.new(params[:user])
+            user.terms_of_use = environment.terms_of_use
+            user.environment = environment
+            if !user.save
+              render_api_errors!(user.errors.full_messages)
+            end
+
+            present user, :with => Entities::User, :current_person => current_person
+          end
+
+          get "/me" do
+            present current_user, :with => Entities::User, :current_person => current_person
+          end
+
+          get ":id" do
+            user = environment.users.find_by_id(params[:id])
+            unless user.person.display_info_to? current_person
+              unauthorized!
+            end
+            present user, :with => Entities::User, :current_person => current_person
+          end
+
+          get ":id/permissions" do
+            user = environment.users.find(params[:id])
+            output = {}
+            user.person.role_assignments.map do |role_assigment|
+              if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
+                output[:permissions] = role_assigment.role.permissions
+              end
+            end
+            present output
+          end
+
+        end
+
+      end
+    end
+  end
+end
@@ -0,0 +1,41 @@
+module SanitizeParams
+
+  protected
+
+    # Check each request parameter for 
+    # improper HTML or Script tags
+    def sanitize_params
+      sanitize_params_hash(request.params)    
+    end
+
+    # Given a params list sanitize all
+    def sanitize_params_hash(params)
+      params.each { |k, v|
+        if v.is_a?(String)        
+          params[k] = sanitize_param v
+        elsif v.is_a?(Array)
+          params[k] = sanitize_array v
+        elsif v.kind_of?(Hash)
+          params[k] = sanitize_params_hash(v)
+        end
+      }    
+    end
+
+    # If the parameter was an array, 
+    # try to sanitize each element in the array
+    def sanitize_array(array)
+      array.map! { |e| 
+        if e.is_a?(String)
+          sanitize_param e
+        end
+      }
+      return array
+    end
+
+    # Santitize a single value
+    def sanitize_param(value)
+      allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+      ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+    end
+
+end    
@@ -31,7 +31,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not return article if user has no permission to view it' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
     assert !article.published?
  
@@ -48,8 +48,17 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] }
   end
  
+  should 'list public article children for not logged in access' do
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    child1 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    child2 = fast_create(Article, :parent_id => article.id, :profile_id => user.person.id, :name => "Some thing")
+    get "/api/v1/articles/#{article.id}/children"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [child1.id, child2.id], json["articles"].map { |a| a["id"] }
+  end
+
   should 'not list children of forbidden article' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
     child1 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
     child2 = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
@@ -58,7 +67,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not return child of forbidden article' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
     child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing")
     get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}"
@@ -66,7 +75,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not return private child' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
     child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false)
     get "/api/v1/articles/#{article.id}/children/#{child.id}?#{params.to_query}"
@@ -74,7 +83,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list private child' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
     child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false)
     get "/api/v1/articles/#{article.id}/children?#{params.to_query}"
@@ -82,6 +91,74 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_not_includes json['articles'].map {|a| a['id']}, child.id
   end
  
+  should 'perform a vote in a article identified by id' do
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    @params[:value] = 1
+
+    post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_not_equal 401, last_response.status
+    assert_equal true, json['vote']
+  end
+
+  expose_attributes = %w(id body abstract created_at title author profile categories image votes_for votes_against setting position hits start_date end_date tag_list parent children children_count)
+
+  expose_attributes.each do |attr|
+    should "expose article #{attr} attribute by default" do
+      article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+      get "/api/v1/articles/?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+     assert json["articles"].last.has_key?(attr)
+    end
+  end
+
+  should "update body of article created by me" do
+    new_value = "Another body"
+    params[:article] = {:body => new_value}
+    article = fast_create(Article, :profile_id => person.id)
+    post "/api/v1/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal new_value, json["article"]["body"]
+  end
+
+  should "update title of article created by me" do
+    new_value = "Another name"
+    params[:article] = {:name => new_value}
+    article = fast_create(Article, :profile_id => person.id)
+    post "/api/v1/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal new_value, json["article"]["title"]
+  end
+
+  should 'not update article of another user' do
+    another_person = fast_create(Person, :environment_id => environment.id)
+    article = fast_create(Article, :profile_id => another_person.id)
+    params[:article] = {:title => 'Some title'}
+    post "/api/v1/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not update article without permission in community' do
+    community = fast_create(Community, :environment_id => environment.id)
+    article = fast_create(Article, :profile_id => community.id)
+    params[:article] = {:name => 'New title'}
+    post "/api/v1/articles/#{article.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+
+  should 'update article of community if user has permission' do
+    community = fast_create(Community, :environment_id => environment.id)
+    give_permission(person, 'post_content', community)
+    article = fast_create(Article, :profile_id => community.id)
+    new_value = "Another body"
+    params[:article] = {:body => new_value}
+    post "/api/v1/articles/#{article.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal new_value, json["article"]["body"]
+  end
+
   should 'list articles with pagination' do
     Article.destroy_all
     article_one = fast_create(Article, :profile_id => user.person.id, :name => "Another thing", :created_at => 2.days.ago)
@@ -126,7 +203,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   profile_kinds = %w(community person enterprise)
   profile_kinds.each do |kind|
     should "return article by #{kind}" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       article = fast_create(Article, :profile_id => profile.id, :name => "Some thing")
       get "/api/v1/#{kind.pluralize}/#{profile.id}/articles/#{article.id}?#{params.to_query}"
       json = JSON.parse(last_response.body)
@@ -134,7 +211,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "not return article by #{kind} if user has no permission to view it" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       article = fast_create(Article, :profile_id => profile.id, :name => "Some thing", :published => false)
       assert !article.published?
  
@@ -143,7 +220,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "not list forbidden article when listing articles by #{kind}" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       article = fast_create(Article, :profile_id => profile.id, :name => "Some thing", :published => false)
       assert !article.published?
  
@@ -151,6 +228,29 @@ class ArticlesTest &lt; ActiveSupport::TestCase
       json = JSON.parse(last_response.body)
       assert_not_includes json['articles'].map {|a| a['id']}, article.id
     end
+
+    should "return article by #{kind} and path" do
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      parent_article = Folder.create!(:profile => profile, :name => "Parent Folder")
+      article = Article.create!(:profile => profile, :name => "Some thing", :parent => parent_article)
+
+      params[:path] = parent_article.slug+'/'+article.slug
+      get "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+      assert_equal article.id, json["article"]["id"]
+    end
+
+    should "not return article by #{kind} and path if user has no permission to view it" do
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      parent_article = Folder.create!(:profile => profile, :name => "Parent Folder")
+      article = Article.create!(:profile => profile, :name => "Some thing", :parent => parent_article, :published => false)
+
+      assert !article.published?
+
+      params[:path] = parent_article.slug+'/'+article.slug
+      get "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
+      assert_equal 403, last_response.status
+    end
   end
  
   #############################
@@ -160,7 +260,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   group_kinds = %w(community enterprise)
   group_kinds.each do |kind|
     should "#{kind}: create article" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       give_permission(user.person, 'post_content', profile)
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
@@ -169,16 +269,16 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "#{kind}: do not create article if user has no permission to post content" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       give_permission(user.person, 'invite_members', profile)
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
       assert_equal 403, last_response.status
     end
  
-    should "#{kind}: create article with parent" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+    should "#{kind} create article with parent" do
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
       article = fast_create(Article)
  
       params[:article] = {:name => "Title", :parent_id => article.id}
@@ -187,9 +287,9 @@ class ArticlesTest &lt; ActiveSupport::TestCase
       assert_equal article.id, json["article"]["parent"]["id"]
     end
  
-    should "#{kind}: create article with content type passed as parameter" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+    should "#{kind} create article with content type passed as parameter" do
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
  
       Article.delete_all
       params[:article] = {:name => "Title"}
@@ -201,8 +301,8 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "#{kind}: create article of TinyMceArticle type if no content type is passed as parameter" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
  
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
@@ -212,7 +312,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "#{kind}: not create article with invalid article content type" do
-      profile = fast_create(kind.camelcase.constantize)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
       profile.add_member(user.person)
  
       params[:article] = {:name => "Title"}
@@ -223,20 +323,20 @@ class ArticlesTest &lt; ActiveSupport::TestCase
       assert_equal 403, last_response.status
     end
  
-    should "#{kind}: create article defining the correct profile" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+    should "#{kind} create article defining the correct profile" do
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
  
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
       json = JSON.parse(last_response.body)
  
-      assert_equal profile, Article.last.profile
+      assert_equal profile.id, json['article']['profile']['id']
     end
  
     should "#{kind}: create article defining the created_by" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
  
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
@@ -246,8 +346,8 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     end
  
     should "#{kind}: create article defining the last_changed_by" do
-      profile = fast_create(kind.camelcase.constantize)
-      profile.add_member(user.person)
+      profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+      Person.any_instance.stubs(:can_post_content?).with(profile).returns(true)
  
       params[:article] = {:name => "Title"}
       post "/api/v1/#{kind.pluralize}/#{profile.id}/articles?#{params.to_query}"
@@ -269,7 +369,7 @@ class ArticlesTest &lt; ActiveSupport::TestCase
   end
  
   should 'person do not create article if user has no permission to post content' do
-    person = fast_create(Person)
+    person = fast_create(Person, :environment_id => environment.id)
     params[:article] = {:name => "Title"}
     post "/api/v1/people/#{person.id}/articles?#{params.to_query}"
     assert_equal 403, last_response.status
@@ -376,4 +476,99 @@ class ArticlesTest &lt; ActiveSupport::TestCase
     assert_equal [0, 1, 1], [a1.reload.hits, a2.reload.hits, a3.reload.hits]
   end
  
+  should 'update hit attribute of article specific children' do
+    a1 = fast_create(Article, :profile_id => user.person.id)
+    a2 = fast_create(Article, :parent_id => a1.id, :profile_id => user.person.id)
+    get "/api/v1/articles/#{a1.id}/children/#{a2.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 1, json['article']['hits']
+  end
+
+  should 'list all events of a community in a given category' do
+    co = Community.create(identifier: 'my-community', name: 'name-my-community')
+    c1 = Category.create(environment: Environment.default, name: 'my-category')
+    c2 = Category.create(environment: Environment.default, name: 'dont-show-me-this-category')
+    e1 = fast_create(Event, :profile_id => co.id)
+    e2 = fast_create(Event, :profile_id => co.id)
+    e1.categories << c1
+    e2.categories << c2
+    e1.save!
+    e2.save!
+    params['content_type']='Event'
+    get "api/v1/communities/#{co.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['articles'].count, 2
+  end
+
+  should 'list a event of a community in a given category' do
+    co = Community.create(identifier: 'my-community', name: 'name-my-community')
+    c1 = Category.create(environment: Environment.default, name: 'my-category')
+    c2 = Category.create(environment: Environment.default, name: 'dont-show-me-this-category')
+    e1 = fast_create(Event, :profile_id => co.id)
+    e2 = fast_create(Event, :profile_id => co.id)
+    e1.categories << c1
+    e2.categories << c2
+    e1.save!
+    e2.save!
+    params['category_ids[]']=c1.id
+    params['content_type']='Event'
+    get "api/v1/communities/#{co.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    #should show only one article, since the other not in the same category
+    assert_equal 1, json['articles'].count
+    assert_equal e1.id, json['articles'][0]['id']
+  end
+
+  should 'not list uncategorized event of a community if a category is given' do
+    co = Community.create(identifier: 'my-community', name: 'name-my-community')
+    c1 = Category.create(environment: Environment.default, name: 'my-category')
+    c2 = Category.create(environment: Environment.default, name: 'dont-show-me-this-category')
+    e1 = fast_create(Event, :profile_id => co.id)
+    e2 = fast_create(Event, :profile_id => co.id)
+    e3 = fast_create(Event, :profile_id => co.id)
+    e1.categories << c1
+    e2.categories << c2
+    params['category_ids[]']=c1.id
+    params['content_type']='Event'
+    get "api/v1/communities/#{co.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 1, json['articles'].count
+    assert_equal e1.id, json['articles'][0]['id']
+  end
+
+  should 'list events of a community in a given 2 categories' do
+    co = Community.create(identifier: 'my-community', name: 'name-my-community')
+    c1 = Category.create(environment: Environment.default, name: 'my-category')
+    c2 = Category.create(environment: Environment.default, name: 'dont-show-me-this-category')
+    e1 = fast_create(Event, :profile_id => co.id)
+    e2 = fast_create(Event, :profile_id => co.id)
+    e1.categories << c1
+    e2.categories << c2
+    e1.save!
+    e2.save!
+    params['content_type']='Event'
+    params['categories_ids'] = [c1.id, c2.id]
+    get "api/v1/communities/#{co.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['articles'].count, 2
+  end
+
+  should 'Show 2 events since it uses an IN operator for category instead of an OR' do
+    co = Community.create(identifier: 'my-community', name: 'name-my-community')
+    c1 = Category.create(environment: Environment.default, name: 'my-category')
+    c2 = Category.create(environment: Environment.default, name: 'dont-show-me-this-category')
+    c3 = Category.create(environment: Environment.default, name: 'extra-category')
+    e1 = fast_create(Event, :profile_id => co.id)
+    e2 = fast_create(Event, :profile_id => co.id)
+    e1.categories << c1
+    e2.categories << c2
+    e1.save!
+    e2.save!
+    params['content_type']='Event'
+    params['categories_ids'] = [c1.id, c2.id, c3.id]
+    get "api/v1/communities/#{co.id}/articles?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['articles'].count, 2
+  end
+
 end
@@ -7,25 +7,25 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list categories' do
-    category = fast_create(Category)
+    category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json["categories"].map { |c| c["name"] }, category.name
   end
  
   should 'get category by id' do
-    category = fast_create(Category)
+    category = fast_create(Category, :environment_id => environment.id)
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal category.name, json["category"]["name"]
   end
  
   should 'list parent and children when get category by id' do
-    parent = fast_create(Category)
-    child_1 = fast_create(Category)
-    child_2 = fast_create(Category)
+    parent = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
  
-    category = fast_create(Category)
+    category = fast_create(Category, :environment_id => environment.id)
     category.parent = parent
     category.children << child_1
     category.children << child_2
@@ -33,16 +33,16 @@ class CategoriesTest &lt; ActiveSupport::TestCase
  
     get "/api/v1/categories/#{category.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equal({'id' => parent.id, 'name' => parent.name}, json['category']['parent'])
+    assert_equal({'id' => parent.id, 'name' => parent.name, 'slug' => parent.slug}, json['category']['parent'])
     assert_equivalent [child_1.id, child_2.id], json['category']['children'].map { |c| c['id'] }
   end
  
   should 'include parent in categories list if params is true' do
-    parent_1 = fast_create(Category) # parent_1 has no parent category
-    child_1 = fast_create(Category)
-    child_2 = fast_create(Category)
+    parent_1 = fast_create(Category, :environment_id => environment.id) # parent_1 has no parent category
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
  
-    parent_2 = fast_create(Category)
+    parent_2 = fast_create(Category, :environment_id => environment.id)
     parent_2.parent = parent_1
     parent_2.children << child_1
     parent_2.children << child_2
@@ -60,10 +60,10 @@ class CategoriesTest &lt; ActiveSupport::TestCase
   end
  
   should 'include children in categories list if params is true' do
-    category = fast_create(Category)
-    child_1 = fast_create(Category)
-    child_2 = fast_create(Category)
-    child_3 = fast_create(Category)
+    category = fast_create(Category, :environment_id => environment.id)
+    child_1 = fast_create(Category, :environment_id => environment.id)
+    child_2 = fast_create(Category, :environment_id => environment.id)
+    child_3 = fast_create(Category, :environment_id => environment.id)
  
     category.children << child_1
     category.children << child_2
@@ -83,4 +83,15 @@ class CategoriesTest &lt; ActiveSupport::TestCase
       json["categories"].map{ |c| c['children'].map{ |child| child['id'] }.sort  }
   end
  
+  expose_attributes = %w(id name full_name image display_color)
+
+  expose_attributes.each do |attr|
+    should "expose category #{attr} attribute by default" do
+      category = fast_create(Category, :environment_id => environment.id)
+      get "/api/v1/categories/?#{params.to_query}"
+      json = JSON.parse(last_response.body)
+     assert json["categories"].last.has_key?(attr)
+    end
+  end
+
 end
@@ -65,4 +65,17 @@ class CommentsTest &lt; ActiveSupport::TestCase
     assert_equal 201, last_response.status
     assert_equal body, json['comment']['body']
   end
+
+  should 'comment creation define the source' do
+    amount = Comment.count
+    article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
+    body = 'My comment'
+    params.merge!({:body => body})
+
+    post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal amount + 1, Comment.count
+    comment = Comment.last
+    assert_not_nil comment.source
+  end
+
 end
@@ -8,8 +8,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list only communities' do
-    community = fast_create(Community)
-    enterprise = fast_create(Enterprise) # should not list this enterprise
+    community = fast_create(Community, :environment_id => environment.id)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
@@ -17,16 +17,16 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list all communities' do
-    community1 = fast_create(Community, :public_profile => true)
-    community2 = fast_create(Community)
+    community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
+    community2 = fast_create(Community, :environment_id => environment.id)
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
   end
  
   should 'not list invisible communities' do
-    community1 = fast_create(Community)
-    fast_create(Community, :visible => false)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :visible => false)
  
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -34,8 +34,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list private communities without permission' do
-    community1 = fast_create(Community)
-    fast_create(Community, :public_profile => false)
+    community1 = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
     get "/api/v1/communities?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -43,8 +43,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list private community for members' do
-    c1 = fast_create(Community)
-    c2 = fast_create(Community, :public_profile => false)
+    c1 = fast_create(Community, :environment_id => environment.id)
+    c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
  
     get "/api/v1/communities?#{params.to_query}"
@@ -66,7 +66,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'get community' do
-    community = fast_create(Community)
+    community = fast_create(Community, :environment_id => environment.id)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -74,7 +74,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not get invisible community' do
-    community = fast_create(Community, :visible => false)
+    community = fast_create(Community, :environment_id => environment.id, :visible => false)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -82,8 +82,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not get private communities without permission' do
-    community = fast_create(Community)
-    fast_create(Community, :public_profile => false)
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id, :public_profile => false)
  
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -91,17 +91,18 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'get private community for members' do
-    community = fast_create(Community, :public_profile => false)
+    community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
     community.add_member(person)
  
+
     get "/api/v1/communities/#{community.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal community.id, json['community']['id']
   end
  
   should 'list person communities' do
-    community = fast_create(Community)
-    fast_create(Community)
+    community = fast_create(Community, :environment_id => environment.id)
+    fast_create(Community, :environment_id => environment.id)
     community.add_member(person)
  
     get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
@@ -110,8 +111,8 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list person communities invisible' do
-    c1 = fast_create(Community)
-    c2 = fast_create(Community, :visible => false)
+    c1 = fast_create(Community, :environment_id => environment.id)
+    c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
     c2.add_member(person)
  
@@ -8,8 +8,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list only enterprises' do
-    community = fast_create(Community) # should not list this community
-    enterprise = fast_create(Enterprise, :public_profile => true)
+    community = fast_create(Community, :environment_id => environment.id) # should not list this community
+    enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_includes json['enterprises'].map {|c| c['id']}, enterprise.id
@@ -17,15 +17,15 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list all enterprises' do
-    enterprise1 = fast_create(Enterprise, :public_profile => true)
-    enterprise2 = fast_create(Enterprise)
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
+    enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equivalent [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
   end
  
   should 'not list invisible enterprises' do
-    enterprise1 = fast_create(Enterprise)
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
  
     get "/api/v1/enterprises?#{params.to_query}"
@@ -34,8 +34,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list private enterprises without permission' do
-    enterprise1 = fast_create(Enterprise)
-    fast_create(Enterprise, :public_profile => false)
+    enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -43,8 +43,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list private enterprise for members' do
-    c1 = fast_create(Enterprise)
-    c2 = fast_create(Enterprise, :public_profile => false)
+    c1 = fast_create(Enterprise, :environment_id => environment.id)
+    c2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
     c2.add_member(person)
  
     get "/api/v1/enterprises?#{params.to_query}"
@@ -53,7 +53,7 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'get enterprise' do
-    enterprise = fast_create(Enterprise)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -69,8 +69,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not get private enterprises without permission' do
-    enterprise = fast_create(Enterprise)
-    fast_create(Enterprise, :public_profile => false)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
  
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -87,8 +87,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'list person enterprises' do
-    enterprise = fast_create(Enterprise)
-    fast_create(Enterprise)
+    enterprise = fast_create(Enterprise, :environment_id => environment.id)
+    fast_create(Enterprise, :environment_id => environment.id)
     enterprise.add_member(person)
  
     get "/api/v1/people/#{person.id}/enterprises?#{params.to_query}"
@@ -97,8 +97,8 @@ class EnterprisesTest &lt; ActiveSupport::TestCase
   end
  
   should 'not list person enterprises invisible' do
-    c1 = fast_create(Enterprise)
-    c2 = fast_create(Enterprise, :visible => false)
+    c1 = fast_create(Enterprise, :environment_id => environment.id)
+    c2 = fast_create(Enterprise, :environment_id => environment.id, :visible => false)
     c1.add_member(person)
     c2.add_member(person)
  
@@ -25,15 +25,6 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
     assert_equal user, current_user
   end
  
-  should 'not get the current user with expired token' do
-    user = create_user('someuser')
-    user.generate_private_token!
-    user.private_token_generated_at = DateTime.now.prev_year
-    user.save
-    self.params = {:private_token => user.private_token}
-    assert_nil current_user
-  end
-
   should 'get the person of current user' do
     user = create_user('someuser')
     user.generate_private_token!
@@ -161,6 +152,39 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
     assert_nil make_conditions_with_parameter[:type]
   end
  
+  #test_should_make_order_with_parameters_return_order_if attribute_is_found_at_object_association
+  should 'make_order_with_parameters return order if attribute is found at object association' do
+    environment = Environment.new
+    params = {:order => "name ASC"}
+    assert_equal "name ASC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  # test added to check for eventual sql injection vunerabillity
+  #test_should_make_order_with_parameters_return_default_order_if_attributes_not_exists
+  should 'make_order_with_parameters return default order if attributes not exists' do
+    environment = Environment.new
+    params = {:order => "CRAZY_FIELD ASC"} # quote used to check sql injection vunerabillity
+    assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return default order if sql injection detected' do
+    environment = Environment.new
+    params = {:order => "name' ASC"} # quote used to check sql injection vunerabillity
+    assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return RANDOM() if random is passed' do
+    environment = Environment.new
+    params = {:order => "random"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return RANDOM() if random function is passed' do
+    environment = Environment.new
+    params = {:order => "random()"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
+
   should 'render not_found if endpoint is unavailable' do
     Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true)
     self.expects(:not_found!)
@@ -148,4 +148,21 @@ class PeopleTest &lt; ActiveSupport::TestCase
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
     assert_equal 403, last_response.status
   end
+
+  should 'not update another person' do
+    person = fast_create(Person, :environment_id => environment.id)
+    post "/api/v1/people/#{person.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'update yourself' do
+    another_name = 'Another Name'
+    params[:person] = {}
+    params[:person][:name] = another_name
+    assert_not_equal another_name, person.name
+    post "/api/v1/people/#{person.id}?#{params.to_query}"
+    person.reload
+    assert_equal another_name, person.name
+  end
+
 end
@@ -0,0 +1,138 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class SearchTest < ActiveSupport::TestCase
+
+  def setup
+    @person = create_user('testing').person
+  end
+  attr_reader :person
+
+  should 'not list unpublished articles' do
+    Article.delete_all
+    article = fast_create(Article, :profile_id => person.id, :published => false)
+    assert !article.published?  	
+    get "/api/v1/search/article"
+    json = JSON.parse(last_response.body)    
+    assert_empty json['articles']
+  end
+
+  should 'list articles' do
+    fast_create(Article, :profile_id => person.id)
+    get "/api/v1/search/article"
+    json = JSON.parse(last_response.body)
+    assert_not_empty json['articles']
+  end
+
+  should 'invalid search string articles' do
+    fast_create(Article, :profile_id => person.id, :name => 'some article')
+    get "/api/v1/search/article?query=test"
+    json = JSON.parse(last_response.body)    
+    assert_empty json['articles']
+  end
+
+  should 'do not list articles of wrong type' do
+    fast_create(Article, :profile_id => person.id)
+    get "/api/v1/search/article?type=TinyMceArticle"
+    json = JSON.parse(last_response.body)
+    assert_empty json['articles']
+  end
+
+  should 'list articles of one type' do
+    fast_create(Article, :profile_id => person.id)
+    article = fast_create(TinyMceArticle, :profile_id => person.id)
+  
+    get "/api/v1/search/article?type=TinyMceArticle"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json['articles'].first['id']
+  end
+
+  should 'list articles of one type and query string' do
+    fast_create(Article, :profile_id => person.id, :name => 'some article')
+    fast_create(Article, :profile_id => person.id, :name => 'Some thing')
+    article = fast_create(TinyMceArticle, :profile_id => person.id, :name => 'Some thing')
+    get "/api/v1/search/article?type=TinyMceArticle&query=thing"
+    json = JSON.parse(last_response.body)
+    assert_equal 1, json['articles'].count
+    assert_equal article.id, json['articles'].first['id']
+  end
+
+  should 'not return more entries than page limit' do
+    1.upto(5).each do |n|
+      fast_create(Article, :profile_id => person.id, :name => "Article #{n}")
+    end
+
+    get "/api/v1/search/article?query=Article&per_page=3"
+    json = JSON.parse(last_response.body)
+
+    assert_equal 3, json['articles'].count
+  end
+
+  should 'return entries second page' do
+    1.upto(5).each do |n|
+      fast_create(Article, :profile_id => person.id, :name => "Article #{n}")
+    end
+
+    get "/api/v1/search/article?query=Article&per_page=3&page=2"
+    json = JSON.parse(last_response.body)
+
+    assert_equal 2, json['articles'].count
+  end
+
+  should 'search articles in profile' do
+    person2 = fast_create(Person)
+    fast_create(Article, :profile_id => person.id)
+    fast_create(Article, :profile_id => person.id)
+    article = fast_create(Article, :profile_id => person2.id)
+
+    get "/api/v1/search/article?query=Article&profile_id=#{person2.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal article.id, json['articles'].first['id']
+  end
+
+  should 'search and return values specified in fields parameter' do
+    fast_create(Article, :profile_id => person.id)
+    get "/api/v1/search/article?fields=title"
+    json = JSON.parse(last_response.body)
+    assert_not_empty json['articles']
+    assert_equal ['title'], json['articles'].first.keys
+  end
+
+  should 'search with parent' do
+    parent = fast_create(Folder, :profile_id => person.id)
+    fast_create(Article, :profile_id => person.id)
+    article = fast_create(Article, :profile_id => person.id, :parent_id => parent.id)
+    get "/api/v1/search/article?parent_id=#{parent.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal 1, json['articles'].count
+    assert_equal article.id, json['articles'].first["id"]
+  end  
+
+  should 'search filter by category' do
+    Article.delete_all
+    fast_create(Article, :profile_id => person.id)
+    article = fast_create(Article, :profile_id => person.id)
+    category = fast_create(Category)
+    article.categories<< category
+    get "/api/v1/search/article?category_ids=#{category.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal 1, json['articles'].count
+    assert_equal article.id, json['articles'].first["id"]
+  end  
+
+  should 'search filter by more than one category' do
+    Article.delete_all
+    fast_create(Article, :profile_id => person.id)
+    article1 = fast_create(Article, :profile_id => person.id)
+    article2 = fast_create(Article, :profile_id => person.id)
+    category1 = fast_create(Category)
+    category2 = fast_create(Category)
+    article1.categories<< category1
+    article2.categories<< category2
+    get "/api/v1/search/article?category_ids[]=#{category1.id}&category_ids[]=#{category2.id}"
+    json = JSON.parse(last_response.body)
+    assert_equal 2, json['articles'].count
+    assert_equal article1.id, json['articles'].first["id"]
+    assert_equal article2.id, json['articles'].last["id"]
+  end  
+
+end
@@ -10,7 +10,7 @@ class SessionTest &lt; ActiveSupport::TestCase
     params = {:login => "testapi", :password => "testapi"}
     post "/api/v1/login?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert !json["private_token"].blank?
+    assert !json['user']["private_token"].blank?
   end
  
   should 'return 401 when login fails' do
@@ -21,22 +21,167 @@ class SessionTest &lt; ActiveSupport::TestCase
   end
  
   should 'register a user' do
-    params = {:login => "newuserapi", :password => "newuserapi", :email => "newuserapi@email.com" }
+    Environment.default.enable('skip_new_user_email_confirmation')
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
     post "/api/v1/register?#{params.to_query}"
     assert_equal 201, last_response.status
+    json = JSON.parse(last_response.body)
+    assert User['newuserapi'].activated?
+    assert json['user']['activated']
+    assert json['user']['private_token'].present?
+  end
+
+  should 'register a user with name' do
+    Environment.default.enable('skip_new_user_email_confirmation')
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com", :name => "Little John" }
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 201, last_response.status
+    json = JSON.parse(last_response.body)
+    assert json['user']['activated']
+    assert json['user']['private_token'].present?
+  end
+
+  should 'register an inactive user' do
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 201, last_response.status
+    json = JSON.parse(last_response.body)
+    assert !json['activated']
+    assert json['private_token'].blank?
   end
  
-  should 'do not register a user without email' do
-    params = {:login => "newuserapi", :password => "newuserapi", :email => nil }
+  should 'not register a user with invalid login' do
+    params = {:login => "c", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
     post "/api/v1/register?#{params.to_query}"
     assert_equal 400, last_response.status
+    json = JSON.parse(last_response.body)
+    msg = json['message'].split(':')
+    key = msg[0][2, 5]
+    val = msg[1][2, 38]
+    assert_equal "login", key
+    assert_equal "is too short (minimum is 2 characters)", val
   end
  
-  should 'do not register a duplicated user' do
-    params = {:login => "newuserapi", :password => "newuserapi", :email => "newuserapi@email.com" }
+  should 'not register a user with invalid login pt' do
+    I18n.locale = "pt-BR"
+    params = {:lang => "pt-BR", :login => "c", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
     post "/api/v1/register?#{params.to_query}"
+    assert_equal 400, last_response.status
+    json = JSON.parse(last_response.body)
+    msg = json['message'].split(':')
+    key = msg[0][2, 5]
+    val = msg[1][2, 35]
+    assert_equal "login", key
+    assert val.include? "muito curto"
+  end
+
+  should 'not register a user without email' do
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => nil }
     post "/api/v1/register?#{params.to_query}"
     assert_equal 400, last_response.status
   end
  
+  should 'not register a duplicated user' do
+    params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+    post "/api/v1/register?#{params.to_query}"
+    post "/api/v1/register?#{params.to_query}"
+    assert_equal 400, last_response.status
+    json = JSON.parse(last_response.body)
+  end
+
+  # TODO: Add another test cases to check register situations
+  should 'activate a user' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com"
+    }
+    user = User.new(params)
+    user.save!
+
+    params = { activation_code: user.activation_code}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'do not activate a user if admin must approve him' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com",
+      :environment => Environment.default
+    }
+    user = User.new(params)
+    user.environment.enable('admin_must_approve_new_users')
+    user.save!
+
+    params = { activation_code: user.activation_code}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 202, last_response.status
+    assert_equal 'Waiting for admin moderate user registration', JSON.parse(last_response.body)["message"]
+  end
+
+  should 'do not activate a user if the token is invalid' do
+    params = {
+      :login => "newuserapi",
+      :password => "newuserapi",
+      :password_confirmation => "newuserapi",
+      :email => "newuserapi@email.com",
+      :environment => Environment.default
+    }
+    user = User.new(params)
+    user.save!
+
+    params = { activation_code: '70250abe20cc6a67ef9399cf3286cb998b96aeaf'}
+    patch "/api/v1/activate?#{params.to_query}"
+    assert_equal 412, last_response.status
+  end
+
+  should 'create task to change password by user login' do
+    user = create_user
+    params = {:value => user.login}
+    assert_difference 'ChangePassword.count' do
+      post "/api/v1/forgot_password?#{params.to_query}"
+    end
+  end
+
+  should 'not create task to change password when user is not found' do
+    params = {:value => 'wronglogin'}
+    assert_no_difference 'ChangePassword.count' do
+      post "/api/v1/forgot_password?#{params.to_query}"
+    end
+    assert_equal 404, last_response.status
+  end
+
+  should 'change user password and close task' do
+    user = create_user
+    user.activate
+    task = ChangePassword.create!(:requestor => user.person)
+    params = {:code => task.code, :password => 'secret', :password_confirmation => 'secret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal Task::Status::FINISHED, task.reload.status
+    assert user.reload.authenticated?('secret')
+    json = JSON.parse(last_response.body)
+    assert_equal user.id, json['user']['id']
+  end
+
+  should 'do not change user password when password confirmation is wrong' do
+    user = create_user
+    user.activate
+    task = ChangePassword.create!(:requestor => user.person)
+    params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal Task::Status::ACTIVE, task.reload.status
+    assert !user.reload.authenticated?('secret')
+    assert_equal 400, last_response.status
+  end
+
+  should 'render not found when provide a wrong code on password change' do
+    params = {:code => "wrongcode", :password => 'secret', :password_confirmation => 'secret'}
+    patch "/api/v1/new_password?#{params.to_query}"
+    assert_equal 404, last_response.status
+  end
+
 end
@@ -9,16 +9,22 @@ class ActiveSupport::TestCase
   end
  
   def login_api
-    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => Environment.default)
+    @environment = Environment.default
+    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)
     @user.activate
     @person = @user.person
  
     post "/api/v1/login?login=testapi&password=testapi"
     json = JSON.parse(last_response.body)
     @private_token = json["private_token"]
+    unless @private_token
+      @user.generate_private_token!
+      @private_token = @user.private_token
+    end
+
     @params = {:private_token => @private_token}
   end
-  attr_accessor :private_token, :user, :person, :params
+  attr_accessor :private_token, :user, :person, :params, :environment
  
   private
  
@@ -0,0 +1,62 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/test_helper'
+
+class UsersTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list users' do
+    get "/api/v1/users/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["users"].map { |a| a["login"] }, user.login
+  end
+
+  should 'create a user' do
+    params[:user] = {:login => 'some', :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 'some', json['user']['login']
+  end
+
+  should 'not create duplicate user' do
+    params[:lang] = :"pt-BR"
+    params[:user] = {:login => 'some', :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 'some', json['user']['login']
+    params[:user] = {:login => 'some', :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 'Username / Email já está em uso,e-Mail já está em uso', json['message']
+  end
+
+  should 'return 400 status for invalid user creation' do
+    params[:user] = {:login => 'some'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 400, last_response.status
+  end
+
+  should 'get user' do
+    get "/api/v1/users/#{user.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal user.id, json['user']['id']
+  end
+
+  should 'list user permissions' do
+    community = fast_create(Community)
+    community.add_admin(person)
+    get "/api/v1/users/#{user.id}/?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["user"]["permissions"], community.identifier
+  end
+
+  should 'get logged user' do
+    get "/api/v1/users/me?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal user.id, json['user']['id']
+  end
+
+end
...	...	@@ -184,13 +184,7 @@ class ApplicationController < ActionController::Base
184	184	end
185	185
186	186	include SearchTermHelper
187		-
188		- def find_by_contents(asset, context, scope, query, paginate_options={:page => 1}, options={})
189		- scope = scope.with_templates(options[:template_id]) unless options[:template_id].blank?
190		- search = plugins.dispatch_first(:find_by_contents, asset, scope, query, paginate_options, options)
191		- register_search_term(query, scope.count, search[:results].count, context, asset)
192		- search
193		- end
	187	+ include FindByContents
194	188
195	189	def find_suggestions(query, context, asset, options={})
196	190	plugins.dispatch_first(:find_suggestions, query, context, asset, options)
...	...
...	...	@@ -0,0 +1,11 @@
	1	+module FindByContents
	2	+
	3	+ def find_by_contents(asset, context, scope, query, paginate_options={:page => 1}, options={})
	4	+ scope = scope.with_templates(options[:template_id]) unless options[:template_id].blank?
	5	+ search = plugins.dispatch_first(:find_by_contents, asset, scope, query, paginate_options, options)
	6	+ register_search_term(query, scope.count, search[:results].count, context, asset)
	7	+ search
	8	+ end
	9	+
	10	+end
	11	+
...	...
1	1	require 'grape'
2	2	#require 'rack/contrib'
3		-
4	3	Dir["#{Rails.root}/lib/noosfero/api/*.rb"].each {\|file\| require file unless file =~ /api\.rb/}
	4	+
5	5	module Noosfero
6	6	module API
7	7	class API < Grape::API
...	...	@@ -17,7 +17,6 @@ module Noosfero
17	17	end
18	18
19	19	@@NOOSFERO_CONF = nil
20		-
21	20	def self.NOOSFERO_CONF
22	21	if @@NOOSFERO_CONF
23	22	@@NOOSFERO_CONF
...	...	@@ -27,9 +26,11 @@ module Noosfero
27	26	end
28	27	end
29	28
	29	+ before { set_locale }
30	30	before { setup_multitenancy }
31	31	before { detect_stuff_by_domain }
32	32	before { filter_disabled_plugins_endpoints }
	33	+ before { init_noosfero_plugins }
33	34	after { set_session_cookie }
34	35
35	36	version 'v1'
...	...	@@ -41,11 +42,17 @@ module Noosfero
41	42
42	43	mount V1::Articles
43	44	mount V1::Comments
	45	+ mount V1::Users
44	46	mount V1::Communities
45	47	mount V1::People
46	48	mount V1::Enterprises
47	49	mount V1::Categories
48	50	mount V1::Tasks
	51	+ mount V1::Tags
	52	+ mount V1::Environments
	53	+ mount V1::Search
	54	+ mount V1::Contacts
	55	+
49	56	mount Session
50	57
51	58	# hook point which allow plugins to add Grape::API extensions to API::API
...	...
...	...	@@ -6,6 +6,17 @@ module Noosfero
6	6	date.strftime('%Y/%m/%d %H:%M:%S') if date
7	7	end
8	8
	9	+ def self.can_display? profile, options, field, admin_only = false
	10	+ current = options[:current_person]
	11	+ admin = !current.blank? && current.is_admin?
	12	+ owner = !current.blank? && current == profile
	13	+ public_field = profile.public_fields.include? field.to_s
	14	+ friend = !current.blank? && current.friends.include?(profile)
	15	+
	16	+ return true if admin
	17	+ return !admin_only && (owner\|\|friend\|\|public_field)
	18	+ end
	19	+
9	20	class Image < Entity
10	21	root 'images', 'image'
11	22
...	...	@@ -30,66 +41,81 @@ module Noosfero
30	41	end
31	42	end
32	43
	44	+ class CategoryBase < Entity
	45	+ root 'categories', 'category'
	46	+ expose :name, :id, :slug
	47	+ end
	48	+
	49	+ class Category < CategoryBase
	50	+ root 'categories', 'category'
	51	+ expose :full_name do \|category, options\|
	52	+ category.full_name
	53	+ end
	54	+ expose :parent, :using => CategoryBase, if: { parent: true }
	55	+ expose :children, :using => CategoryBase, if: { children: true }
	56	+ expose :image, :using => Image
	57	+ expose :display_color
	58	+ end
	59	+
	60	+ class Region < Category
	61	+ root 'regions', 'region'
	62	+ expose :parent_id
	63	+ end
	64	+
33	65	class Profile < Entity
34	66	expose :identifier, :name, :id
35	67	expose :created_at, :format_with => :timestamp
36	68	expose :updated_at, :format_with => :timestamp
37	69	expose :image, :using => Image
	70	+ expose :region, :using => Region
38	71	end
39	72
40		- class User < Entity
	73	+ class UserBasic < Entity
41	74	expose :id
42	75	expose :login
43	76	end
44	77
45	78	class Person < Profile
46	79	root 'people', 'person'
47		- expose :user, :using => User
	80	+ expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
48	81	end
	82	+
49	83	class Enterprise < Profile
50	84	root 'enterprises', 'enterprise'
51	85	end
	86	+
52	87	class Community < Profile
53	88	root 'communities', 'community'
54	89	expose :description
55		- expose :categories
56		- expose :members, :using => Person
57		- end
58		-
59		- class CategoryBase < Entity
60		- root 'categories', 'category'
61		- expose :name, :id
62		- end
63		-
64		- class Category < CategoryBase
65		- root 'categories', 'category'
66		- expose :slug
67		- expose :full_name do \|category, options\|
68		- category.full_name
	90	+ expose :admins do \|community, options\|
	91	+ community.admins.map{\|admin\| {"name"=>admin.name, "id"=>admin.id}}
69	92	end
70		- expose :parent, :using => CategoryBase, if: { parent: true }
71		- expose :children, :using => CategoryBase, if: { children: true }
72		- expose :image, :using => Image
	93	+ expose :categories, :using => Category
	94	+ expose :members, :using => Person
73	95	end
74	96
75	97	class ArticleBase < Entity
76	98	root 'articles', 'article'
77	99	expose :id
78	100	expose :body
79		- expose :abstract
	101	+ expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
80	102	expose :created_at, :format_with => :timestamp
81	103	expose :updated_at, :format_with => :timestamp
82	104	expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
83		- expose :created_by, :as => :author, :using => Profile
84		- expose :profile, :using => Profile
	105	+ expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
	106	+ expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
85	107	expose :categories, :using => Category
86	108	expose :image, :using => Image
87		- #TODO Apply vote stuff in core and make this test
88	109	expose :votes_for
89	110	expose :votes_against
90	111	expose :setting
91	112	expose :position
92	113	expose :hits
	114	+ expose :start_date
	115	+ expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
	116	+ expose :tag_list
	117	+ expose :children_count
	118	+ expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
93	119	expose :path
94	120	end
95	121
...	...	@@ -106,8 +132,31 @@ module Noosfero
106	132	expose :author, :using => Profile
107	133	end
108	134
	135	+ class User < Entity
	136	+ root 'users', 'user'
	137	+
	138	+ attrs = [:id,:login,:email,:activated?]
	139	+ aliases = {:activated? => :activated}
	140	+
	141	+ attrs.each do \|attribute\|
	142	+ name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
	143	+ expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display?(user.person, options, attribute)}
	144	+ end
	145	+
	146	+ expose :person, :using => Person
	147	+ expose :permissions, :if => lambda{\|user,options\| Entities.can_display?(user.person, options, :permissions, true)} do \|user, options\|
	148	+ output = {}
	149	+ user.person.role_assignments.map do \|role_assigment\|
	150	+ if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
	151	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
	152	+ end
	153	+ end
	154	+ output
	155	+ end
	156	+ end
	157	+
109	158	class UserLogin < User
110		- expose :private_token
	159	+ expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}
111	160	end
112	161
113	162	class Task < Entity
...	...	@@ -116,6 +165,16 @@ module Noosfero
116	165	expose :type
117	166	end
118	167
	168	+ class Environment < Entity
	169	+ expose :name
	170	+ end
	171	+
	172	+ class Tag < Entity
	173	+ root 'tags', 'tag'
	174	+ expose :name
	175	+ end
	176	+
	177	+
119	178	end
120	179	end
121	180	end
...	...
1		-module Noosfero
2		- module API
3		- module APIHelpers
	1	+require 'grape'
	2	+require_relative '../../find_by_contents'
	3	+
	4	+ module Noosfero;
	5	+ module API
	6	+ module APIHelpers
4	7	PRIVATE_TOKEN_PARAM = :private_token
5		- DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
	8	+ DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id]
	9	+
	10	+ include SanitizeParams
	11	+ include Noosfero::Plugin::HotSpot
	12	+ include ForgotPasswordHelper
	13	+ include SearchTermHelper
	14	+
	15	+ def set_locale
	16	+ I18n.locale = (params[:lang] \|\| request.env['HTTP_ACCEPT_LANGUAGE'] \|\| 'en')
	17	+ end
	18	+
	19	+ def init_noosfero_plugins
	20	+ plugins
	21	+ end
6	22
7	23	def current_user
8	24	private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
...	...	@@ -23,6 +39,22 @@ module Noosfero
23	39	@environment
24	40	end
25	41
	42	+ include FindByContents
	43	+
	44	+ ####################################################################
	45	+ #### SEARCH
	46	+ ####################################################################
	47	+ def multiple_search?(searches=nil)
	48	+ ['index', 'category_index'].include?(params[:action]) \|\| (searches && searches.size > 1)
	49	+ end
	50	+ ####################################################################
	51	+
	52	+ def logger
	53	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	54	+ logger.formatter = GrapeLogging::Formatters::Default.new
	55	+ logger
	56	+ end
	57	+
26	58	def limit
27	59	limit = params[:limit].to_i
28	60	limit = default_limit if limit <= 0
...	...	@@ -50,7 +82,7 @@ module Noosfero
50	82
51	83	def find_article(articles, id)
52	84	article = articles.find(id)
53		- article.display_to?(current_user.person) ? article : forbidden!
	85	+ article.display_to?(current_person) ? article : forbidden!
54	86	end
55	87
56	88	def post_article(asset, params)
...	...	@@ -75,12 +107,25 @@ module Noosfero
75	107	present article, :with => Entities::Article, :fields => params[:fields]
76	108	end
77	109
78		- def present_articles(asset)
79		- articles = select_filtered_collection_of(asset, 'articles', params)
80		- articles = articles.display_filter(current_person, nil)
	110	+ def present_articles_for_asset(asset, method = 'articles')
	111	+ articles = find_articles(asset, method)
	112	+ present_articles(articles)
	113	+ end
	114	+
	115	+ def present_articles(articles)
81	116	present articles, :with => Entities::Article, :fields => params[:fields]
82	117	end
83	118
	119	+ def find_articles(asset, method = 'articles')
	120	+ articles = select_filtered_collection_of(asset, method, params)
	121	+ if current_person.present?
	122	+ articles = articles.display_filter(current_person, nil)
	123	+ else
	124	+ articles = articles.published
	125	+ end
	126	+ articles
	127	+ end
	128	+
84	129	def find_task(asset, id)
85	130	task = asset.tasks.find(id)
86	131	current_person.has_permission?(task.permission, asset) ? task : forbidden!
...	...	@@ -127,8 +172,27 @@ module Noosfero
127	172	conditions
128	173	end
129	174
130		- def make_order_with_parameters(params)
131		- params[:order] \|\| "created_at DESC"
	175	+ # changing make_order_with_parameters to avoid sql injection
	176	+ def make_order_with_parameters(object, method, params)
	177	+ order = "created_at DESC"
	178	+ unless params[:order].blank?
	179	+ if params[:order].include? '\'' or params[:order].include? '"'
	180	+ order = "created_at DESC"
	181	+ elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
	182	+ order = 'RANDOM()'
	183	+ else
	184	+ field_name, direction = params[:order].split(' ')
	185	+ assoc = object.class.reflect_on_association(method.to_sym)
	186	+ if !field_name.blank? and assoc
	187	+ if assoc.klass.attribute_names.include? field_name
	188	+ if direction.present? and ['ASC','DESC'].include? direction.upcase
	189	+ order = "#{field_name} #{direction.upcase}"
	190	+ end
	191	+ end
	192	+ end
	193	+ end
	194	+ end
	195	+ return order
132	196	end
133	197
134	198	def make_page_number_with_parameters(params)
...	...	@@ -152,25 +216,36 @@ module Noosfero
152	216	end
153	217
154	218	def by_reference(scope, params)
155		- if params[:reference_id]
156		- created_at = scope.find(params[:reference_id]).created_at
157		- scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
	219	+ reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
	220	+ if reference_id.nil?
	221	+ scope
158	222	else
	223	+ created_at = scope.find(reference_id).created_at
	224	+ scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
	225	+ end
	226	+ end
	227	+
	228	+ def by_categories(scope, params)
	229	+ category_ids = params[:category_ids]
	230	+ if category_ids.nil?
159	231	scope
	232	+ else
	233	+ scope.joins(:categories).where(:categories => {:id => category_ids})
160	234	end
161	235	end
162	236
163	237	def select_filtered_collection_of(object, method, params)
164	238	conditions = make_conditions_with_parameter(params)
165		- order = make_order_with_parameters(params)
	239	+ order = make_order_with_parameters(object,method,params)
166	240	page_number = make_page_number_with_parameters(params)
167	241	per_page = make_per_page_with_parameters(params)
168	242	timestamp = make_timestamp_with_parameters_and_method(params, method)
169	243
170	244	objects = object.send(method)
171	245	objects = by_reference(objects, params)
	246	+ objects = by_categories(objects, params)
172	247
173		- objects = objects.where(conditions).where(timestamp).page(page_number).per_page(per_page).order(order)
	248	+ objects = objects.where(conditions).where(timestamp).page(page_number).per_page(per_page).reorder(order)
174	249
175	250	objects
176	251	end
...	...	@@ -179,6 +254,7 @@ module Noosfero
179	254	unauthorized! unless current_user
180	255	end
181	256
	257	+
182	258	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
183	259	# or a Bad Request error is invoked.
184	260	#
...	...	@@ -198,20 +274,6 @@ module Noosfero
198	274	attrs
199	275	end
200	276
201		- def verify_recaptcha_v2(remote_ip, g_recaptcha_response, private_key, api_recaptcha_verify_uri)
202		- verify_hash = {
203		- "secret" => private_key,
204		- "remoteip" => remote_ip,
205		- "response" => g_recaptcha_response
206		- }
207		- uri = URI(api_recaptcha_verify_uri)
208		- https = Net::HTTP.new(uri.host, uri.port)
209		- https.use_ssl = true
210		- request = Net::HTTP::Post.new(uri.path)
211		- request.set_form_data(verify_hash)
212		- JSON.parse(https.request(request).body)
213		- end
214		-
215	277	##########################################
216	278	# error helpers #
217	279	##########################################
...	...	@@ -247,13 +309,22 @@ module Noosfero
247	309	render_api_error!(_('Method Not Allowed'), 405)
248	310	end
249	311
250		- def render_api_error!(message, status)
251		- error!({'message' => message, :code => status}, status)
	312	+ # javascript_console_message is supposed to be executed as console.log()
	313	+ def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
	314	+ message_hash = {'message' => user_message, :code => status}
	315	+ message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
	316	+ log_msg = "#{status}, User message: #{user_message}"
	317	+ log_msg = "#{log_message}, #{log_msg}" if log_message.present?
	318	+ log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
	319	+ logger.error log_msg unless Rails.env.test?
	320	+ error!(message_hash, status)
252	321	end
253	322
254	323	def render_api_errors!(messages)
	324	+ messages = messages.to_a if messages.class == ActiveModel::Errors
255	325	render_api_error!(messages.join(','), 400)
256	326	end
	327	+
257	328	protected
258	329
259	330	def set_session_cookie
...	...	@@ -278,7 +349,7 @@ module Noosfero
278	349	end
279	350
280	351	def filter_disabled_plugins_endpoints
281		- not_found! if Noosfero::API::API.endpoint_unavailable?(self, !@environment)
	352	+ not_found! if Noosfero::API::API.endpoint_unavailable?(self, @environment)
282	353	end
283	354
284	355	private
...	...	@@ -305,7 +376,6 @@ module Noosfero
305	376	def period(from_date, until_date)
306	377	begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
307	378	end_period = until_date.nil? ? DateTime.now : until_date
308		-
309	379	begin_period..end_period
310	380	end
311	381
...	...
...	...	@@ -2,7 +2,6 @@ require "uri"
2	2
3	3	module Noosfero
4	4	module API
5		-
6	5	class Session < Grape::API
7	6
8	7	# Login to get token
...	...	@@ -14,11 +13,15 @@ module Noosfero
14	13	# Example Request:
15	14	# POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
16	15	post "/login" do
17		- user \|\|= User.authenticate(params[:login], params[:password], environment)
	16	+ begin
	17	+ user \|\|= User.authenticate(params[:login], params[:password], environment)
	18	+ rescue NoosferoExceptions::UserNotActivated => e
	19	+ render_api_error!(e.message, 401)
	20	+ end
18	21
19	22	return unauthorized! unless user
20	23	@current_user = user
21		- present user, :with => Entities::UserLogin
	24	+ present user, :with => Entities::UserLogin, :current_person => current_person
22	25	end
23	26
24	27	# Create user.
...	...	@@ -28,34 +31,103 @@ module Noosfero
28	31	# password (required) - Password
29	32	# login - login
30	33	# Example Request:
31		- # POST /register?email=some@mail.com&password=pas&login=some
	34	+ # POST /register?email=some@mail.com&password=pas&password_confirmation=pas&login=some
32	35	params do
33	36	requires :email, type: String, desc: _("Email")
34	37	requires :login, type: String, desc: _("Login")
35	38	requires :password, type: String, desc: _("Password")
36	39	end
	40	+
37	41	post "/register" do
38		- unique_attributes! User, [:email, :login]
39		- attrs = attributes_for_keys [:email, :login, :password]
40		- attrs[:password_confirmation] = attrs[:password]
41		-
42		- #Commented for stress tests
43		-
44		- # remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) \|\| (env && env['REMOTE_ADDR'])
45		- # private_key = API.NOOSFERO_CONF['api_recaptcha_private_key']
46		- # api_recaptcha_verify_uri = API.NOOSFERO_CONF['api_recaptcha_verify_uri']
47		- # captcha_result = verify_recaptcha_v2(remote_ip, params['g-recaptcha-response'], private_key, api_recaptcha_verify_uri)
48		- user = User.new(attrs)
49		-# if captcha_result["success"] and user.save
50		- if user.save
51		- user.activate
52		- user.generate_private_token!
53		- present user, :with => Entities::UserLogin
54		- else
55		- message = user.errors.to_json
	42	+ attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
	43	+ name = params[:name].present? ? params[:name] : attrs[:email]
	44	+ attrs[:password_confirmation] = attrs[:password] if !attrs.has_key?(:password_confirmation)
	45	+ user = User.new(attrs.merge(:name => name))
	46	+
	47	+ begin
	48	+ user.signup!
	49	+ user.generate_private_token! if user.activated?
	50	+ present user, :with => Entities::UserLogin, :current_person => current_person
	51	+ rescue ActiveRecord::RecordInvalid
	52	+ message = user.errors.as_json.merge((user.person.present? ? user.person.errors : {}).as_json).to_json
56	53	render_api_error!(message, 400)
57	54	end
58	55	end
	56	+
	57	+ params do
	58	+ requires :activation_code, type: String, desc: _("Activation token")
	59	+ end
	60	+
	61	+ # Activate a user.
	62	+ #
	63	+ # Parameter:
	64	+ # activation_code (required) - Activation token
	65	+ # Example Request:
	66	+ # PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
	67	+ patch "/activate" do
	68	+ user = User.find_by_activation_code(params[:activation_code])
	69	+ if user
	70	+ unless user.environment.enabled?('admin_must_approve_new_users')
	71	+ if user.activate
	72	+ user.generate_private_token!
	73	+ present user, :with => Entities::UserLogin, :current_person => current_person
	74	+ end
	75	+ else
	76	+ if user.create_moderate_task
	77	+ user.activation_code = nil
	78	+ user.save!
	79	+
	80	+ # Waiting for admin moderate user registration
	81	+ status 202
	82	+ body({
	83	+ :message => 'Waiting for admin moderate user registration'
	84	+ })
	85	+ end
	86	+ end
	87	+ else
	88	+ # Token not found in database
	89	+ render_api_error!(_('Token is invalid'), 412)
	90	+ end
	91	+ end
	92	+
	93	+ # Request a new password.
	94	+ #
	95	+ # Parameters:
	96	+ # value (required) - Email or login
	97	+ # Example Request:
	98	+ # POST /forgot_password?value=some@mail.com
	99	+ post "/forgot_password" do
	100	+ requestors = fetch_requestors(params[:value])
	101	+ not_found! if requestors.blank?
	102	+ remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) \|\| (env && env['REMOTE_ADDR'])
	103	+ requestors.each do \|requestor\|
	104	+ ChangePassword.create!(:requestor => requestor)
	105	+ end
	106	+ end
	107	+
	108	+ params do
	109	+ requires :code, type: String, desc: _("Forgot password code")
	110	+ end
	111	+ # Change password
	112	+ #
	113	+ # Parameters:
	114	+ # code (required) - Change password code
	115	+ # password (required)
	116	+ # password_confirmation (required)
	117	+ # Example Request:
	118	+ # PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
	119	+ patch "/new_password" do
	120	+ change_password = ChangePassword.find_by_code(params[:code])
	121	+ not_found! if change_password.nil?
	122	+
	123	+ if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
	124	+ change_password.finish
	125	+ present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
	126	+ else
	127	+ something_wrong!
	128	+ end
	129	+ end
	130	+
59	131	end
60	132	end
61	133	end
...	...
...	...	@@ -2,7 +2,6 @@ module Noosfero
2	2	module API
3	3	module V1
4	4	class Articles < Grape::API
5		- before { authenticate! }
6	5
7	6	ARTICLE_TYPES = Article.descendants.map{\|a\| a.to_s}
8	7
...	...	@@ -17,39 +16,148 @@ module Noosfero
17	16	#
18	17	# Example Request:
19	18	# GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
	19	+
	20	+ desc 'Return all articles of all kinds' do
	21	+ detail 'Get all articles filtered by fields in query params'
	22	+ params Noosfero::API::Entities::Article.documentation
	23	+ success Noosfero::API::Entities::Article
	24	+ failure [[403, 'Forbidden']]
	25	+ named 'ArticlesList'
	26	+ headers [
	27	+ 'Per-Page' => {
	28	+ description: 'Total number of records',
	29	+ required: false
	30	+ }
	31	+ ]
	32	+ end
20	33	get do
21		- present_articles(environment)
	34	+ present_articles_for_asset(environment)
22	35	end
23	36
24		- desc "Return the article id"
25		- get ':id' do
	37	+ desc "Return one article by id" do
	38	+ detail 'Get only one article by id. If not found the "forbidden" http error is showed'
	39	+ params Noosfero::API::Entities::Article.documentation
	40	+ success Noosfero::API::Entities::Article
	41	+ failure [[403, 'Forbidden']]
	42	+ named 'ArticleById'
	43	+ end
	44	+ get ':id', requirements: {id: /[0-9]+/} do
26	45	present_article(environment)
27	46	end
28	47
	48	+ post ':id' do
	49	+ article = environment.articles.find(params[:id])
	50	+ return forbidden! unless article.allow_edit?(current_person)
	51	+ article.update_attributes!(params[:article])
	52	+ present article, :with => Entities::Article, :fields => params[:fields]
	53	+ end
	54	+
	55	+ desc 'Report a abuse and/or violent content in a article by id' do
	56	+ detail 'Submit a abuse (in general, a content violation) report about a specific article'
	57	+ params Noosfero::API::Entities::Article.documentation
	58	+ failure [[400, 'Bad Request']]
	59	+ named 'ArticleReportAbuse'
	60	+ end
	61	+ post ':id/report_abuse' do
	62	+ article = find_article(environment.articles, params[:id])
	63	+ profile = article.profile
	64	+ begin
	65	+ abuse_report = AbuseReport.new(:reason => params[:report_abuse])
	66	+ if !params[:content_type].blank?
	67	+ article = params[:content_type].constantize.find(params[:content_id])
	68	+ abuse_report.content = article_reported_version(article)
	69	+ end
	70	+
	71	+ current_person.register_report(abuse_report, profile)
	72	+
	73	+ if !params[:content_type].blank?
	74	+ abuse_report = AbuseReport.find_by_reporter_id_and_abuse_complaint_id(current_person.id, profile.opened_abuse_complaint.id)
	75	+ Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
	76	+ end
	77	+
	78	+ {
	79	+ :success => true,
	80	+ :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
	81	+ }
	82	+ rescue Exception => exception
	83	+ #logger.error(exception.to_s)
	84	+ render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
	85	+ end
	86	+
	87	+ end
	88	+
	89	+ desc "Returns the articles I voted" do
	90	+ detail 'Get the Articles I make a vote'
	91	+ failure [[403, 'Forbidden']]
	92	+ named 'ArticleFollowers'
	93	+ end
	94	+ #FIXME refactor this method
	95	+ get 'voted_by_me' do
	96	+ present_articles(current_person.votes.collect(&:voteable))
	97	+ end
	98	+
	99	+ desc 'Perform a vote on a article by id' do
	100	+ detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
	101	+ params Noosfero::API::Entities::UserLogin.documentation
	102	+ failure [[401,'Unauthorized']]
	103	+ named 'ArticleVote'
	104	+ end
	105	+ post ':id/vote' do
	106	+ authenticate!
	107	+ value = (params[:value] \|\| 1).to_i
	108	+ # FIXME verify allowed values
	109	+ render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
	110	+ article = find_article(environment.articles, params[:id])
	111	+ vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
	112	+ {:vote => vote.save}
	113	+ end
	114	+
	115	+ desc 'Return the children of a article identified by id' do
	116	+ detail 'Get all children articles of a specific article'
	117	+ params Noosfero::API::Entities::Article.documentation
	118	+ failure [[403, 'Forbidden']]
	119	+ named 'ArticleChildren'
	120	+ end
	121	+
29	122	get ':id/children' do
30	123	article = find_article(environment.articles, params[:id])
31	124
32	125	#TODO make tests for this situation
33	126	votes_order = params.delete(:order) if params[:order]=='votes_score'
34	127	articles = select_filtered_collection_of(article, 'children', params)
35		- articles = articles.display_filter(current_person, nil)
36		-
	128	+ articles = articles.display_filter(current_person, article.profile)
37	129
38	130	#TODO make tests for this situation
39	131	if votes_order
40	132	articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
41	133	end
42		-
43	134	Article.hit(articles)
44		- present articles, :with => Entities::Article, :fields => params[:fields]
	135	+ present_articles(articles)
45	136	end
46	137
	138	+ desc 'Return one child of a article identified by id' do
	139	+ detail 'Get a child of a specific article'
	140	+ params Noosfero::API::Entities::Article.documentation
	141	+ success Noosfero::API::Entities::Article
	142	+ failure [[403, 'Forbidden']]
	143	+ named 'ArticleChild'
	144	+ end
47	145	get ':id/children/:child_id' do
48	146	article = find_article(environment.articles, params[:id])
49		- present find_article(article.children, params[:child_id]), :with => Entities::Article, :fields => params[:fields]
	147	+ child = find_article(article.children, params[:child_id])
	148	+ child.hit
	149	+ present child, :with => Entities::Article, :fields => params[:fields]
50	150	end
51	151
	152	+ desc 'Suggest a article to another profile' do
	153	+ detail 'Suggest a article to another profile (person, community...)'
	154	+ params Noosfero::API::Entities::Article.documentation
	155	+ success Noosfero::API::Entities::Task
	156	+ failure [[401,'Unauthorized']]
	157	+ named 'ArticleSuggest'
	158	+ end
52	159	post ':id/children/suggest' do
	160	+ authenticate!
53	161	parent_article = environment.articles.find(params[:id])
54	162
55	163	suggest_article = SuggestArticle.new
...	...	@@ -66,8 +174,15 @@ module Noosfero
66	174
67	175	# Example Request:
68	176	# POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
	177	+ desc 'Add a child article to a parent identified by id' do
	178	+ detail 'Create a new article and associate to a parent'
	179	+ params Noosfero::API::Entities::Article.documentation
	180	+ success Noosfero::API::Entities::Article
	181	+ failure [[401,'Unauthorized']]
	182	+ named 'ArticleAddChild'
	183	+ end
69	184	post ':id/children' do
70		-
	185	+ authenticate!
71	186	parent_article = environment.articles.find(params[:id])
72	187	return forbidden! unless parent_article.allow_create?(current_person)
73	188
...	...	@@ -95,11 +210,37 @@ module Noosfero
95	210	resource kind.pluralize.to_sym do
96	211	segment "/:#{kind}_id" do
97	212	resource :articles do
	213	+
	214	+ desc "Return all articles associate with a profile of type #{kind}" do
	215	+ detail 'Get a list of articles of a profile'
	216	+ params Noosfero::API::Entities::Article.documentation
	217	+ success Noosfero::API::Entities::Article
	218	+ failure [[403, 'Forbidden']]
	219	+ named 'ArticlesOfProfile'
	220	+ end
98	221	get do
99	222	profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
100		- present_articles(profile)
	223	+
	224	+ if params[:path].present?
	225	+ article = profile.articles.find_by_path(params[:path])
	226	+ if !article \|\| !article.display_to?(current_person)
	227	+ article = forbidden!
	228	+ end
	229	+
	230	+ present article, :with => Entities::Article, :fields => params[:fields]
	231	+ else
	232	+
	233	+ present_articles_for_asset(profile)
	234	+ end
101	235	end
102	236
	237	+ desc "Return a article associate with a profile of type #{kind}" do
	238	+ detail 'Get only one article of a profile'
	239	+ params Noosfero::API::Entities::Article.documentation
	240	+ success Noosfero::API::Entities::Article
	241	+ failure [[403, 'Forbidden']]
	242	+ named 'ArticleOfProfile'
	243	+ end
103	244	get ':id' do
104	245	profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
105	246	present_article(profile)
...	...	@@ -107,6 +248,13 @@ module Noosfero
107	248
108	249	# Example Request:
109	250	# POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
	251	+ desc "Add a new article associated with a profile of type #{kind}" do
	252	+ detail 'Create a new article and associate with a profile'
	253	+ params Noosfero::API::Entities::Article.documentation
	254	+ success Noosfero::API::Entities::Article
	255	+ failure [[403, 'Forbidden']]
	256	+ named 'ArticleCreateToProfile'
	257	+ end
110	258	post do
111	259	profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
112	260	post_article(profile, params)
...	...
...	...	@@ -30,8 +30,8 @@ module Noosfero
30	30	# POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
31	31	post ":id/comments" do
32	32	article = find_article(environment.articles, params[:id])
33		- options = params.select { \|key,v\| !['id','private_token'].include?(key) }.merge(:author => current_person)
34		- present article.comments.create(options), :with => Entities::Comment
	33	+ options = params.select { \|key,v\| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
	34	+ present Comment.create(options), :with => Entities::Comment
35	35	end
36	36	end
37	37
...	...
...	...	@@ -0,0 +1,28 @@
	1	+module Noosfero
	2	+ module API
	3	+ module V1
	4	+ class Contacts < Grape::API
	5	+
	6	+ resource :communities do
	7	+
	8	+ resource ':id/contact' do
	9	+ #contact => {:name => 'some name', :email => 'test@mail.com', :subject => 'some title', :message => 'some message'}
	10	+ desc "Send a contact message"
	11	+ post do
	12	+ profile = environment.communities.find(params[:id])
	13	+ forbidden! unless profile.present?
	14	+ contact = Contact.new params[:contact].merge(dest: profile)
	15	+ if contact.deliver
	16	+ {:success => true}
	17	+ else
	18	+ {:success => false}
	19	+ end
	20	+ end
	21	+
	22	+ end
	23	+ end
	24	+
	25	+ end
	26	+ end
	27	+ end
	28	+end
...	...
...	...	@@ -0,0 +1,18 @@
	1	+module Noosfero
	2	+ module API
	3	+ module V1
	4	+ class Environments < Grape::API
	5	+
	6	+ resource :environment do
	7	+
	8	+ desc "Return the person information"
	9	+ get '/signup_person_fields' do
	10	+ present environment.signup_person_fields
	11	+ end
	12	+
	13	+ end
	14	+
	15	+ end
	16	+ end
	17	+ end
	18	+end
...	...