Merge branch 'staging' of softwarepublico.gov.br:noosferogov/noosfero into staging

Leandro Santos
2 parents 69562568 41fa795f
Showing 497 changed files with 4932 additions and 7914 deletions Show diff stats
app/api/app.rb
app/api/entities.rb
app/api/entity.rb
app/api/helpers.rb
app/api/v1/activities.rb
app/api/v1/articles.rb
app/api/v1/blocks.rb
app/api/v1/boxes.rb
app/api/v1/categories.rb
app/api/v1/comments.rb
app/api/v1/communities.rb
app/api/v1/contacts.rb
app/api/v1/enterprises.rb
app/api/v1/environments.rb
app/api/v1/people.rb
app/api/v1/profiles.rb
app/api/v1/search.rb
app/api/v1/session.rb
app/api/v1/tags.rb
app/api/v1/tasks.rb
@@ -0,0 +1,89 @@
+require_dependency 'api/helpers'
+
+module Api
+  class App < Grape::API
+    use Rack::JSONP
+
+    logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+    logger.formatter = GrapeLogging::Formatters::Default.new
+    #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
+
+    rescue_from :all do |e|
+      logger.error e
+      error! e.message, 500
+    end unless Rails.env.test?
+
+    @@NOOSFERO_CONF = nil
+    def self.NOOSFERO_CONF
+      if @@NOOSFERO_CONF
+        @@NOOSFERO_CONF
+      else
+        file = Rails.root.join('config', 'noosfero.yml')
+        @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] || {} : {}
+      end
+    end
+
+    before { set_locale  }
+    before { setup_multitenancy }
+    before { detect_stuff_by_domain }
+    before { filter_disabled_plugins_endpoints }
+    before { init_noosfero_plugins }
+    after { set_session_cookie }
+
+    version 'v1'
+    prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
+    format :json
+    content_type :txt, "text/plain"
+
+    helpers Helpers
+
+    mount V1::Session
+    mount V1::Articles
+    mount V1::Comments
+    mount V1::Users
+    mount V1::Communities
+    mount V1::People
+    mount V1::Enterprises
+    mount V1::Categories
+    mount V1::Tasks
+    mount V1::Tags
+    mount V1::Environments
+    mount V1::Search
+    mount V1::Contacts
+    mount V1::Boxes
+    mount V1::Blocks
+    mount V1::Profiles
+    mount V1::Activities
+
+    # hook point which allow plugins to add Grape::API extensions to Api::App
+    #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
+    @plugins = Noosfero::Plugin.all.map { |p| p.constantize }
+    @plugins.each do |klass|
+      if klass.public_methods.include? :api_mount_points
+        klass.api_mount_points.each do |mount_class|
+          mount mount_class if mount_class && ( mount_class < Grape::API )
+        end
+      end
+    end
+
+    def self.endpoint_unavailable?(endpoint, environment)
+      api_class = endpoint.options[:app] || endpoint.options[:for]
+      if api_class.present?
+        klass = api_class.name.deconstantize.constantize
+        return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
+      end
+    end
+
+    class << self
+      def endpoints_with_plugins(environment = nil)
+        if environment.present?
+          cloned_endpoints = endpoints_without_plugins.dup
+          cloned_endpoints.delete_if { |endpoint| endpoint_unavailable?(endpoint, environment) }
+        else
+          endpoints_without_plugins
+        end
+      end
+      alias_method_chain :endpoints, :plugins
+    end
+  end
+end
@@ -0,0 +1,269 @@
+module Api
+  module Entities
+
+    Entity.format_with :timestamp do |date|
+      date.strftime('%Y/%m/%d %H:%M:%S') if date
+    end
+
+    PERMISSIONS = {
+      :admin => 0,
+      :self  => 10,
+      :private_content => 20,
+      :logged_user => 30,
+      :anonymous => 40
+    }
+
+    def self.can_display_profile_field? profile, options, permission_options={}
+      permissions={:field => "", :permission => :private_content}
+      permissions.merge!(permission_options)
+      field = permissions[:field]
+      permission = permissions[:permission]
+      return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
+      current_person = options[:current_person]
+
+      current_permission = if current_person.present?
+        if current_person.is_admin?
+          :admin
+        elsif current_person == profile
+          :self
+        elsif profile.display_private_info_to?(current_person)
+          :private_content
+        else
+          :logged_user
+        end
+      else
+        :anonymous
+      end
+      PERMISSIONS[current_permission] <= PERMISSIONS[permission]
+    end
+
+    class Image < Entity
+      root 'images', 'image'
+
+      expose  :url do |image, options|
+        image.public_filename
+      end
+
+      expose  :icon_url do |image, options|
+        image.public_filename(:icon)
+      end
+
+      expose  :minor_url do |image, options|
+        image.public_filename(:minor)
+      end
+
+      expose  :portrait_url do |image, options|
+        image.public_filename(:portrait)
+      end
+
+      expose  :thumb_url do |image, options|
+        image.public_filename(:thumb)
+      end
+    end
+
+    class CategoryBase < Entity
+      root 'categories', 'category'
+      expose :name, :id, :slug
+    end
+
+    class Category < CategoryBase
+      root 'categories', 'category'
+      expose :full_name do |category, options|
+        category.full_name
+      end
+      expose :parent, :using => CategoryBase, if: { parent: true }
+      expose :children, :using => CategoryBase, if: { children: true }
+      expose :image, :using => Image
+      expose :display_color
+    end
+
+    class Region < Category
+      root 'regions', 'region'
+      expose :parent_id
+    end
+
+    class Block < Entity
+      root 'blocks', 'block'
+      expose :id, :type, :settings, :position, :enabled
+      expose :mirror, :mirror_block_id, :title
+      expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? }
+    end
+
+    class Box < Entity
+      root 'boxes', 'box'
+      expose :id, :position
+      expose :blocks, :using => Block do |box, options|
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+      end
+    end
+
+    class Profile < Entity
+      expose :identifier, :name, :id
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :additional_data do |profile, options|
+        hash ={}
+        profile.public_values.each do |value|
+          hash[value.custom_field.name]=value.value
+        end
+
+        private_values = profile.custom_field_values - profile.public_values
+        private_values.each do |value|
+          if Entities.can_display_profile_field?(profile,options)
+            hash[value.custom_field.name]=value.value
+          end
+        end
+        hash
+      end
+      expose :image, :using => Image
+      expose :region, :using => Region
+      expose :type
+      expose :custom_header
+      expose :custom_footer
+    end
+
+    class UserBasic < Entity
+      expose :id
+      expose :login
+    end
+
+    class Person < Profile
+      root 'people', 'person'
+      expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
+      expose :vote_count
+      expose :comments_count do |person, options|
+        person.comments.count
+      end
+      expose :following_articles_count do |person, options|
+        person.following_articles.count
+      end
+      expose :articles_count do |person, options|
+        person.articles.count
+      end
+    end
+
+    class Enterprise < Profile
+      root 'enterprises', 'enterprise'
+    end
+
+    class Community < Profile
+      root 'communities', 'community'
+      expose :description
+      expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
+        community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
+      end
+      expose :categories, :using => Category
+      expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
+    end
+
+    class CommentBase < Entity
+      expose :body, :title, :id
+      expose :created_at, :format_with => :timestamp
+      expose :author, :using => Profile
+      expose :reply_of, :using => CommentBase
+    end
+
+    class Comment < CommentBase
+      root 'comments', 'comment'
+      expose :children, as: :replies, :using => Comment
+    end
+
+    class ArticleBase < Entity
+      root 'articles', 'article'
+      expose :id
+      expose :body
+      expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
+      expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
+      expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
+      expose :categories, :using => Category
+      expose :image, :using => Image
+      expose :votes_for
+      expose :votes_against
+      expose :setting
+      expose :position
+      expose :hits
+      expose :start_date
+      expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
+      expose :tag_list
+      expose :children_count
+      expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
+      expose :path
+      expose :followers_count
+      expose :votes_count
+      expose :comments_count
+      expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
+      expose :type
+      expose :comments, using: CommentBase, :if => lambda{|obj,opt| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
+      expose :published
+      expose :accept_comments?, as: :accept_comments
+    end
+
+    class Article < ArticleBase
+      root 'articles', 'article'
+      expose :parent, :using => ArticleBase
+      expose :children, :using => ArticleBase do |article, options|
+        article.children.published.limit(V1::Articles::MAX_PER_PAGE)
+      end
+    end
+
+    class User < Entity
+      root 'users', 'user'
+
+      attrs = [:id,:login,:email,:activated?]
+      aliases = {:activated? => :activated}
+
+      attrs.each do |attribute|
+        name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
+        expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field =>  attribute})}
+      end
+
+      expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+      expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
+        output = {}
+        user.person.role_assignments.map do |role_assigment|
+          if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
+            output[role_assigment.resource.identifier] = role_assigment.role.permissions
+          end
+        end
+        output
+      end
+    end
+
+    class UserLogin < User
+      root 'users', 'user'
+      expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
+    end
+
+    class Task < Entity
+      root 'tasks', 'task'
+      expose :id
+      expose :type
+    end
+
+    class Environment < Entity
+      expose :name
+      expose :id
+      expose :description
+      expose :settings, if: lambda { |instance, options| options[:is_admin] }
+    end
+
+    class Tag < Entity
+      root 'tags', 'tag'
+      expose :name
+    end
+
+    class Activity < Entity
+      root 'activities', 'activity'
+      expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
+      expose :user, :using => Profile
+      expose :target do |activity, opts|
+        type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {|h| activity.target.kind_of?(h.last)}
+        type_map.first.represent(activity.target) unless type_map.nil?
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+module Api
+  class Entity < Grape::Entity
+
+    def initialize(object, options = {})
+      object = nil if object.is_a? Exception
+      super object, options
+    end
+
+    def self.represent(objects, options = {})
+      if options[:has_exception]
+        data = super objects, options.merge(is_inner_data: true)
+        if objects.is_a? Exception
+          data.merge ok: false, error: {
+            type: objects.class.name,
+            message: objects.message
+          }
+        else
+          data = data.serializable_hash if data.is_a? Entity
+          data.merge ok: true, error: { type: 'Success', message: '' }
+        end
+      else
+        super objects, options
+      end
+    end
+
+  end
+end
@@ -0,0 +1,484 @@
+require 'base64'
+require 'tempfile'
+
+module Api
+  module Helpers
+    PRIVATE_TOKEN_PARAM = :private_token
+    DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
+
+    include SanitizeParams
+    include Noosfero::Plugin::HotSpot
+    include ForgotPasswordHelper
+    include SearchTermHelper
+
+    def set_locale
+      I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
+    end
+
+    def init_noosfero_plugins
+      plugins
+    end
+
+    def current_tmp_user
+      private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
+      ## Get the "captcha" session store
+      @current_tmp_user = Noosfero::API::SessionStore.get("captcha##{private_token}")
+      @current_tmp_user
+    end
+
+    def logout_tmp_user
+      @current_tmp_user = nil
+    end
+
+    def current_user
+      private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
+      @current_user ||= User.find_by private_token: private_token
+      @current_user ||= plugins.dispatch("api_custom_login", request).first
+      @current_user
+    end
+
+    def current_person
+      current_user.person unless current_user.nil?
+    end
+
+    def is_admin?(environment)
+      return false unless current_user
+      return current_person.is_admin?(environment)
+    end
+
+    def logout
+      @current_user = nil
+    end
+
+    def environment
+      @environment
+    end
+
+    def present_partial(model, options)
+      if(params[:fields].present?)
+        begin
+          fields = JSON.parse(params[:fields])
+          if fields.present?
+            options.merge!(fields.symbolize_keys.slice(:only, :except))
+          end
+        rescue
+          fields = params[:fields]
+          fields = fields.split(',') if fields.kind_of?(String)
+          options[:only] = Array.wrap(fields)
+        end
+      end
+      present model, options
+    end
+
+    include FindByContents
+
+    ####################################################################
+    #### SEARCH
+    ####################################################################
+    def multiple_search?(searches=nil)
+      ['index', 'category_index'].include?(params[:action]) || (searches && searches.size > 1)
+    end
+    ####################################################################
+
+    def logger
+      logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+      logger.formatter = GrapeLogging::Formatters::Default.new
+      logger
+    end
+
+    def limit
+      limit = params[:limit].to_i
+      limit = default_limit if limit <= 0
+      limit
+    end
+
+    def period(from_date, until_date)
+      return nil if from_date.nil? && until_date.nil?
+
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+
+      begin_period..end_period
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_type.split(',').map do |content_type|
+        content_type.camelcase
+      end
+    end
+
+    def find_article(articles, id)
+      article = articles.find(id)
+      article.display_to?(current_person) ? article : forbidden!
+    end
+
+    def post_article(asset, params)
+      return forbidden! unless current_person.can_post_content?(asset)
+
+      klass_type = params[:content_type] || params[:article].delete(:type) || TinyMceArticle.name
+      return forbidden! unless klass_type.constantize <= Article
+
+      article = klass_type.constantize.new(params[:article])
+      article.last_changed_by = current_person
+      article.created_by= current_person
+      article.profile = asset
+
+      if !article.save
+        render_api_errors!(article.errors.full_messages)
+      end
+      present_partial article, :with => Entities::Article
+    end
+
+    def present_article(asset)
+      article = find_article(asset.articles, params[:id])
+      present_partial article, :with => Entities::Article, :params => params
+    end
+
+    def present_articles_for_asset(asset, method = 'articles')
+      articles = find_articles(asset, method)
+      present_articles(articles)
+    end
+
+    def present_articles(articles)
+      present_partial paginate(articles), :with => Entities::Article, :params => params
+    end
+
+    def find_articles(asset, method = 'articles')
+      articles = select_filtered_collection_of(asset, method, params)
+      if current_person.present?
+        articles = articles.display_filter(current_person, nil)
+      else
+        articles = articles.published
+      end
+      articles
+    end
+
+    def find_task(asset, id)
+      task = asset.tasks.find(id)
+      current_person.has_permission?(task.permission, asset) ? task : forbidden!
+    end
+
+    def post_task(asset, params)
+      klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
+      return forbidden! unless klass_type.constantize <= Task
+
+      task = klass_type.constantize.new(params[:task])
+      task.requestor_id = current_person.id
+      task.target_id = asset.id
+      task.target_type = 'Profile'
+
+      if !task.save
+        render_api_errors!(task.errors.full_messages)
+      end
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_task(asset)
+      task = find_task(asset, params[:id])
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_tasks(asset)
+      tasks = select_filtered_collection_of(asset, 'tasks', params)
+      tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+      return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
+      present_partial tasks, :with => Entities::Task
+    end
+
+    def make_conditions_with_parameter(params = {})
+      parsed_params = parser_params(params)
+      conditions = {}
+      from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
+      until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
+
+      conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
+
+      conditions[:created_at] = period(from_date, until_date) if from_date || until_date
+      conditions.merge!(parsed_params)
+
+      conditions
+    end
+
+    # changing make_order_with_parameters to avoid sql injection
+    def make_order_with_parameters(object, method, params)
+      order = "created_at DESC"
+      unless params[:order].blank?
+        if params[:order].include? '\'' or params[:order].include? '"'
+          order = "created_at DESC"
+        elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+          order = 'RANDOM()'
+        else
+          field_name, direction = params[:order].split(' ')
+          assoc = object.class.reflect_on_association(method.to_sym)
+          if !field_name.blank? and assoc
+            if assoc.klass.attribute_names.include? field_name
+              if direction.present? and ['ASC','DESC'].include? direction.upcase
+                order = "#{field_name} #{direction.upcase}"
+              end
+            end
+          end
+        end
+      end
+      return order
+    end
+
+    def make_timestamp_with_parameters_and_method(params, method)
+      timestamp = nil
+      if params[:timestamp]
+        datetime = DateTime.parse(params[:timestamp])
+        table_name = method.to_s.singularize.camelize.constantize.table_name
+        timestamp = "#{table_name}.updated_at >= '#{datetime}'"
+      end
+
+      timestamp
+    end
+
+    def by_reference(scope, params)
+      reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
+      if reference_id.nil?
+        scope
+      else
+        created_at = scope.find(reference_id).created_at
+        scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
+      end
+    end
+
+    def by_categories(scope, params)
+      category_ids = params[:category_ids]
+      if category_ids.nil?
+        scope
+      else
+        scope.joins(:categories).where(:categories => {:id => category_ids})
+      end
+    end
+
+    def by_period(scope, params, attribute)
+      from_param = "from_#{attribute}".to_sym
+      until_param = "until_#{attribute}".to_sym
+      from_date = DateTime.parse(params.delete(from_param)) if params[from_param]
+      until_date = DateTime.parse(params.delete(until_param)) if params[until_param]
+      scope = scope.where("#{attribute} >= ?", from_date) unless from_date.nil?
+      scope = scope.where("#{attribute} <= ?", until_date) unless until_date.nil?
+      scope
+    end
+
+    def select_filtered_collection_of(object, method, params)
+      conditions = make_conditions_with_parameter(params)
+      order = make_order_with_parameters(object,method,params)
+      timestamp = make_timestamp_with_parameters_and_method(params, method)
+
+      objects = object.send(method)
+      objects = by_reference(objects, params)
+      objects = by_categories(objects, params)
+      [:start_date, :end_date].each { |attribute| objects = by_period(objects, params, attribute) }
+
+      objects = objects.where(conditions).where(timestamp).reorder(order)
+
+      params[:page] ||= 1
+      params[:per_page] ||= limit
+      paginate(objects)
+    end
+
+    def authenticate!
+      unauthorized! unless current_user
+    end
+
+    # Allows the anonymous captcha user authentication
+    # to pass the check. Used by the articles/vote to allow
+    # the vote without login
+    def authenticate_allow_captcha!
+      unauthorized! unless current_tmp_user || current_user
+    end
+
+    def profiles_for_person(profiles, person)
+      if person
+        profiles.listed_for_person(person)
+      else
+        profiles.visible
+      end
+    end
+
+    # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
+    # or a Bad Request error is invoked.
+    #
+    # Parameters:
+    #   keys (unique) - A hash consisting of keys that must be unique
+    def unique_attributes!(obj, keys)
+      keys.each do |key|
+        cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
+      end
+    end
+
+    def attributes_for_keys(keys)
+      attrs = {}
+      keys.each do |key|
+        attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+      end
+      attrs
+    end
+
+    ##########################################
+    #              error helpers             #
+    ##########################################
+
+    def not_found!
+      render_api_error!('404 Not found', 404)
+    end
+
+    def forbidden!
+      render_api_error!('403 Forbidden', 403)
+    end
+
+    def cant_be_saved_request!(attribute)
+      message = _("(Invalid request) %s can't be saved") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def bad_request!(attribute)
+      message = _("(Invalid request) %s not given") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def something_wrong!
+      message = _("Something wrong happened")
+      render_api_error!(message, 400)
+    end
+
+    def unauthorized!
+      render_api_error!(_('Unauthorized'), 401)
+    end
+
+    def not_allowed!
+      render_api_error!(_('Method Not Allowed'), 405)
+    end
+
+    # javascript_console_message is supposed to be executed as console.log()
+    def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
+      message_hash = {'message' => user_message, :code => status}
+      message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
+      log_msg = "#{status}, User message: #{user_message}"
+      log_msg = "#{log_message}, #{log_msg}" if log_message.present?
+      log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
+      logger.error log_msg unless Rails.env.test?
+      error!(message_hash, status)
+    end
+
+    def render_api_errors!(messages)
+      messages = messages.to_a if messages.class == ActiveModel::Errors
+      render_api_error!(messages.join(','), 400)
+    end
+
+    ####################################################################
+    #### VOTE
+    ####################################################################
+    def do_vote(article, current_person, value)
+      begin
+        vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
+        return vote.save!
+      rescue ActiveRecord::RecordInvalid => e
+        render_api_error!(e.message, 400)
+        return false
+      end
+    end
+
+    protected
+
+    def set_session_cookie
+      cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
+      # Set also the private_token for the current_tmp_user
+      cookies['_noosfero_api_session'] = { value: @current_tmp_user.private_token, httponly: true } if @current_tmp_user.present?
+    end
+
+    def setup_multitenancy
+      Noosfero::MultiTenancy.setup!(request.host)
+    end
+
+    def detect_stuff_by_domain
+      @domain = Domain.by_name(request.host)
+      if @domain.nil?
+        @environment = Environment.default
+        if @environment.nil? && Rails.env.development?
+          # This should only happen in development ...
+          @environment = Environment.create!(:name => "Noosfero", :is_default => true)
+        end
+      else
+        @environment = @domain.environment
+      end
+    end
+
+    def filter_disabled_plugins_endpoints
+      not_found! if Api::App.endpoint_unavailable?(self, @environment)
+    end
+
+    def asset_with_image params
+      if params.has_key? :image_builder
+        asset_api_params = params
+        asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
+        return asset_api_params
+      end
+        params
+    end
+
+    def base64_to_uploadedfile(base64_image)
+      tempfile = base64_to_tempfile base64_image
+      converted_image = base64_image
+      converted_image[:tempfile] = tempfile
+      return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
+    end
+
+    def base64_to_tempfile base64_image
+      base64_img_str = base64_image[:tempfile]
+      decoded_base64_str = Base64.decode64(base64_img_str)
+      tempfile = Tempfile.new(base64_image[:filename])
+      tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
+      tempfile.rewind
+      tempfile
+    end
+    private
+
+    def parser_params(params)
+      parsed_params = {}
+      params.map do |k,v|
+        parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
+      end
+      parsed_params
+    end
+
+    def default_limit
+      20
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_types = content_type.split(',').map do |content_type|
+        content_type = content_type.camelcase
+        content_type == 'TextArticle' ? Article.text_article_types : content_type
+      end
+      content_types.flatten.uniq
+    end
+
+    def period(from_date, until_date)
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+      begin_period..end_period
+    end
+
+
+    ##########################################
+    #              captcha_helpers           #
+    ##########################################
+
+    def verify_captcha(remote_ip, params, environment)
+      captcha_plugin_enabled = plugins.dispatch(:verify_captcha, remote_ip, params, environment).map {|p| p if ! ( p===nil ) }
+      return true if captcha_plugin_enabled.size == 0
+      if captcha_plugin_enabled.size > 1
+        return render_api_error!(_("Error processing Captcha"), 500, nil, "More than one captcha plugin enabled")
+      end
+      test_result = captcha_plugin_enabled[0]
+      return true if test_result === true
+      render_api_error!(test_result[:user_message], test_result[:status], test_result[:log_message], test_result[:javascript_console_message])
+    end
+
+  end
+end
@@ -0,0 +1,20 @@
+module Api
+  module V1
+    class Activities < Grape::API
+      before { authenticate! }
+
+      resource :profiles do
+
+        get ':id/activities' do
+          profile = Profile.find_by id: params[:id]
+
+          not_found! if profile.blank? || profile.secret || !profile.visible
+          forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
+          activities = profile.activities.map(&:activity)
+          present activities, :with => Entities::Activity, :current_person => current_person
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,329 @@
+module Api
+  module V1
+    class Articles < Grape::API
+
+      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      MAX_PER_PAGE = 50
+
+      resource :articles do
+
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+
+        desc 'Return all articles of all kinds' do
+          detail 'Get all articles filtered by fields in query params'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticlesList'
+          headers [
+            'Per-Page' => {
+                  description: 'Total number of records',
+                  required: false
+              }
+            ]
+        end
+        get do
+          present_articles_for_asset(environment)
+        end
+
+        desc "Return the articles followed by me"
+        get 'followed_by_me' do
+          present_articles_for_asset(current_person, 'following_articles')
+        end
+
+        desc "Return one article by id" do
+          detail 'Get only one article by id. If not found the "forbidden" http error is showed'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleById'
+        end
+        get ':id', requirements: {id: /[0-9]+/} do
+          present_article(environment)
+        end
+
+        post ':id' do
+          article = environment.articles.find(params[:id])
+          return forbidden! unless article.allow_edit?(current_person)
+          article.update_attributes!(asset_with_image(params[:article]))
+          present_partial article, :with => Entities::Article
+        end
+
+        delete ':id' do
+          article = environment.articles.find(params[:id])
+          return forbidden! unless article.allow_delete?(current_person)
+          begin
+            article.destroy
+            { :success => true }
+          rescue Exception => exception
+            render_api_error!(_('The article couldn\'t be removed due to some problem. Please contact the administrator.'), 400)
+          end          
+        end
+
+        desc 'Report a abuse and/or violent content in a article by id' do
+          detail 'Submit a abuse (in general, a content violation) report about a specific article'
+          params Entities::Article.documentation
+          failure [[400, 'Bad Request']]
+          named 'ArticleReportAbuse'
+        end
+        post ':id/report_abuse' do
+          article = find_article(environment.articles, params[:id])
+          profile = article.profile
+          begin
+            abuse_report = AbuseReport.new(:reason => params[:report_abuse])
+            if !params[:content_type].blank?
+              article = params[:content_type].constantize.find(params[:content_id])
+              abuse_report.content = article_reported_version(article)
+            end
+
+            current_person.register_report(abuse_report, profile)
+
+            if !params[:content_type].blank?
+              abuse_report = AbuseReport.find_by reporter_id: current_person.id, abuse_complaint_id: profile.opened_abuse_complaint.id
+              Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
+            end
+
+            {
+              :success => true,
+              :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
+            }
+          rescue Exception => exception
+            #logger.error(exception.to_s)
+            render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
+          end
+
+        end
+
+        desc "Returns the articles I voted" do
+          detail 'Get the Articles I make a vote'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+         #FIXME refactor this method
+        get 'voted_by_me' do
+          present_articles(current_person.votes.where(:voteable_type => 'Article').collect(&:voteable))
+        end
+
+        desc 'Perform a vote on a article by id' do
+          detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
+          params Entities::UserLogin.documentation
+          failure [[401,'Unauthorized']]
+          named 'ArticleVote'
+        end
+        post ':id/vote' do
+          ## The vote api should allow regular login or with captcha
+          authenticate_allow_captcha!
+          value = (params[:value] || 1).to_i
+          # FIXME verify allowed values
+          render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
+          article = find_article(environment.articles, params[:id])
+          ## If login with captcha
+          if @current_tmp_user
+            # Vote allowed only if data does not include this article
+            vote = (@current_tmp_user.data.include? article.id) ? false : true
+            if vote
+              @current_tmp_user.data << article.id
+              @current_tmp_user.store
+              {:vote => do_vote(article, current_person, value)}
+            else
+              {:vote => false}
+            end
+          else
+            {:vote => do_vote(article, current_person, value)}
+          end
+        end
+
+
+        desc "Returns the total followers for the article" do
+          detail 'Get the followers of a specific article by id'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+        get ':id/followers' do
+          article = find_article(environment.articles, params[:id])
+          total = article.person_followers.count
+          {:total_followers => total}
+        end
+
+        desc "Return the articles followed by me"
+        get 'followed_by_me' do
+          present_articles_for_asset(current_person, 'following_articles')
+        end
+
+        desc "Add a follower for the article" do
+          detail 'Add the current user identified by private token, like a follower of a article'
+          params Entities::UserLogin.documentation
+          failure [[401, 'Unauthorized']]
+          named 'ArticleFollow'
+        end
+        post ':id/follow' do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          if article.article_followers.exists?(:person_id => current_person.id)
+            {:success => false, :already_follow => true}
+          else
+            article_follower = ArticleFollower.new
+            article_follower.article = article
+            article_follower.person = current_person
+            article_follower.save!
+            {:success => true}
+          end
+        end
+
+        desc 'Return the children of a article identified by id' do
+          detail 'Get all children articles of a specific article'
+          params Entities::Article.documentation
+          failure [[403, 'Forbidden']]
+          named 'ArticleChildren'
+        end
+
+        paginate per_page: MAX_PER_PAGE, max_per_page: MAX_PER_PAGE
+        get ':id/children' do
+          article = find_article(environment.articles, params[:id])
+
+          #TODO make tests for this situation
+          votes_order = params.delete(:order) if params[:order]=='votes_score'
+          articles = select_filtered_collection_of(article, 'children', params)
+          articles = articles.display_filter(current_person, article.profile)
+
+          #TODO make tests for this situation
+          if votes_order
+            articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
+          end
+          Article.hit(articles)
+          present_articles(articles)
+        end
+
+        desc 'Return one child of a article identified by id' do
+          detail 'Get a child of a specific article'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleChild'
+        end
+        get ':id/children/:child_id' do
+          article = find_article(environment.articles, params[:id])
+          child = find_article(article.children, params[:child_id])
+          child.hit
+          present_partial child, :with => Entities::Article
+        end
+
+        desc 'Suggest a article to another profile' do
+          detail 'Suggest a article to another profile (person, community...)'
+          params Entities::Article.documentation
+          success Entities::Task
+          failure [[401,'Unauthorized']]
+          named 'ArticleSuggest'
+        end
+        post ':id/children/suggest' do
+          authenticate!
+          parent_article = environment.articles.find(params[:id])
+
+          suggest_article = SuggestArticle.new
+          suggest_article.article = params[:article]
+          suggest_article.article[:parent_id] = parent_article.id
+          suggest_article.target = parent_article.profile
+          suggest_article.requestor = current_person
+
+          unless suggest_article.save
+            render_api_errors!(suggest_article.article_object.errors.full_messages)
+          end
+          present_partial suggest_article, :with => Entities::Task
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
+        desc 'Add a child article to a parent identified by id' do
+          detail 'Create a new article and associate to a parent'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[401,'Unauthorized']]
+          named 'ArticleAddChild'
+        end
+        post ':id/children' do
+          parent_article = environment.articles.find(params[:id])
+          params[:article][:parent_id] = parent_article.id
+          post_article(parent_article.profile, params)
+        end
+      end
+
+      resource :profiles do
+        get ':id/home_page' do
+          profiles = environment.profiles
+          profiles = profiles.visible_for_person(current_person)
+          profile = profiles.find_by id: params[:id]
+          present_partial profile.home_page, :with => Entities::Article
+        end
+      end
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :articles do
+
+              desc "Return all articles associate with a profile of type #{kind}" do
+                detail 'Get a list of articles of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticlesOfProfile'
+              end
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+
+                if params[:path].present?
+                  article = profile.articles.find_by path: params[:path]
+                  if !article || !article.display_to?(current_person)
+                    article = forbidden!
+                  end
+
+                  present_partial article, :with => Entities::Article
+                else
+
+                  present_articles_for_asset(profile)
+                end
+              end
+
+              desc "Return a article associate with a profile of type #{kind}" do
+                detail 'Get only one article of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleOfProfile'
+              end
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_article(profile)
+              end
+
+              # Example Request:
+              #  POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
+              desc "Add a new article associated with a profile of type #{kind}" do
+                detail 'Create a new article and associate with a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleCreateToProfile'
+              end
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_article(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,15 @@
+module Api
+  module V1
+
+    class Blocks < Grape::API
+      resource :blocks do
+        get ':id' do
+          block = Block.find(params["id"])
+          return forbidden! unless block.visible_to_user?(current_person)
+          present block, :with => Entities::Block, display_api_content: true
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,45 @@
+module Api
+  module V1
+
+    class Boxes < Grape::API
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+
+        resource kind.pluralize.to_sym do
+
+          segment "/:#{kind}_id" do
+            resource :boxes do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                return forbidden! unless profile.display_info_to?(current_person)
+                present profile.boxes, with: Entities::Box, current_person: current_person
+              end
+            end
+          end
+        end
+
+      end
+
+      resource :environments do
+        [ '/default', '/context', ':environment_id' ].each do |route|
+          segment route do
+            resource :boxes do
+              get do
+                if (route.match(/default/))
+                  env = Environment.default
+                elsif (route.match(/context/))
+                  env = environment
+                else
+                  env = Environment.find(params[:environment_id])
+                end
+                present env.boxes, with: Entities::Box, current_person: current_person
+              end
+            end
+          end
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,25 @@
+module Api
+  module V1
+    class Categories < Grape::API
+
+      resource :categories do
+
+        get do
+          type = params[:category_type]
+          include_parent = params[:include_parent] == 'true'
+          include_children = params[:include_children] == 'true'
+
+          categories = type.nil? ?  environment.categories : environment.categories.where(:type => type)
+          present categories, :with => Entities::Category, parent: include_parent, children: include_children
+        end
+
+        desc "Return the category by id"
+        get ':id' do
+          present environment.categories.find(params[:id]), :with => Entities::Category, parent: true, children: true
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,63 @@
+module Api
+  module V1
+    class Comments < Grape::API
+      MAX_PER_PAGE = 20
+
+
+      resource :articles do
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   reference_id     - comment id used as reference to collect comment
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /articles/12/comments?oldest&limit=10&reference_id=23
+        get ":id/comments" do
+          article = find_article(environment.articles, params[:id])
+          comments = select_filtered_collection_of(article, :comments, params)
+          comments = comments.without_spam
+          comments = comments.without_reply if(params[:without_reply].present?)
+          comments = plugins.filter(:unavailable_comments, comments)
+          present paginate(comments), :with => Entities::Comment, :current_person => current_person
+        end
+
+        get ":id/comments/:comment_id" do
+          article = find_article(environment.articles, params[:id])
+          present article.comments.find(params[:comment_id]), :with => Entities::Comment, :current_person => current_person
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
+        post ":id/comments" do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          return forbidden! unless article.accept_comments?
+          options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
+          begin
+            comment = Comment.create!(options)
+          rescue ActiveRecord::RecordInvalid => e
+            render_api_error!(e.message, 400)
+          end
+          present comment, :with => Entities::Comment, :current_person => current_person
+        end
+
+        delete ":id/comments/:comment_id" do
+          article = find_article(environment.articles, params[:id])
+          comment = article.comments.find_by_id(params[:comment_id])
+          return not_found! if comment.nil?
+          return forbidden! unless comment.can_be_destroyed_by?(current_person)
+          begin
+            comment.destroy
+            present comment, with: Entities::Comment, :current_person => current_person
+          rescue => e
+            render_api_error!(e.message, 500)
+          end
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,82 @@
+module Api
+  module V1
+    class Communities < Grape::API
+
+      resource :communities do
+
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /communities?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /communities?reference_id=10&limit=10&oldest
+        get do
+          communities = select_filtered_collection_of(environment, 'communities', params)
+          communities = profiles_for_person(communities, current_person)
+          communities = communities.by_location(params) # Must be the last. May return Exception obj
+          present communities, :with => Entities::Community, :current_person => current_person
+        end
+
+
+        # Example Request:
+        #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
+        #  for each custom field for community, add &community[field_name]=field_value to the request
+        post do
+          authenticate!
+          params[:community] ||= {}
+
+          params[:community][:custom_values]={}
+          params[:community].keys.each do |key|
+            params[:community][:custom_values][key]=params[:community].delete(key) if Community.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          begin
+            community = Community.create_after_moderation(current_person, params[:community].merge({:environment => environment}))
+          rescue
+            community = Community.new(params[:community])
+          end
+
+          if !community.save
+            render_api_errors!(community.errors.full_messages)
+          end
+
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+        get ':id' do
+          community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :communities do
+
+            get do
+              person = environment.people.find(params[:person_id])
+
+              not_found! if person.blank?
+              forbidden! if !person.display_info_to?(current_person)
+
+              communities = select_filtered_collection_of(person, 'communities', params)
+              communities = communities.visible
+              present communities, :with => Entities::Community, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,26 @@
+module Api
+  module V1
+    class Contacts < Grape::API
+
+      resource :communities do
+
+        resource ':id/contact' do
+          #contact => {:name => 'some name', :email => 'test@mail.com', :subject => 'some title', :message => 'some message'}
+          desc "Send a contact message"
+          post do
+            profile = environment.communities.find(params[:id])
+            forbidden! unless profile.present?
+            contact = Contact.new params[:contact].merge(dest: profile)
+            if contact.deliver
+              {:success => true}
+            else
+              {:success => false}
+            end
+          end
+
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,55 @@
+module Api
+  module V1
+    class Enterprises < Grape::API
+
+      resource :enterprises do
+
+        # Collect enterprises from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #   georef params    - read `Profile.by_location` for more information.
+        #
+        # Example Request:
+        #  GET /enterprises?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /enterprises?reference_id=10&limit=10&oldest
+        get do
+          enterprises = select_filtered_collection_of(environment, 'enterprises', params)
+          enterprises = enterprises.visible
+          enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
+          present enterprises, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+        desc "Return one enterprise by id"
+        get ':id' do
+          enterprise = environment.enterprises.visible.find_by(id: params[:id])
+          present enterprise, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :enterprises do
+
+            get do
+              person = environment.people.find(params[:person_id])
+              enterprises = select_filtered_collection_of(person, 'enterprises', params)
+              enterprises = enterprises.visible.by_location(params)
+              present enterprises, :with => Entities::Enterprise, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+
+    end
+  end
+end
@@ -0,0 +1,28 @@
+module Api
+  module V1
+    class Environments < Grape::API
+
+      resource :environment do
+
+        desc "Return the person information"
+        get '/signup_person_fields' do
+          present environment.signup_person_fields
+        end
+
+        get ':id' do
+          local_environment = nil
+          if (params[:id] == "default")
+            local_environment = Environment.default
+          elsif (params[:id] == "context")
+            local_environment = environment
+          else
+            local_environment = Environment.find(params[:id])
+          end
+          present_partial local_environment, :with => Entities::Environment, :is_admin => is_admin?(local_environment)
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,127 @@
+module Api
+  module V1
+    class People < Grape::API
+
+      MAX_PER_PAGE = 50
+
+      desc 'API Root'
+
+      resource :people do
+        paginate max_per_page: MAX_PER_PAGE
+
+        # -- A note about privacy --
+        # We wold find people by location, but we must test if the related
+        # fields are public. We can't do it now, with SQL, while the location
+        # data and the fields_privacy are a serialized settings.
+        # We must build a new table for profile data, where we can set meta-data
+        # like:
+        # | id | profile_id | key  | value    | privacy_level | source    |
+        # |  1 |         99 | city | Salvador | friends       | user      |
+        # |  2 |         99 | lng  |  -38.521 | me only       | automatic |
+
+        # Collect people from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /people?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /people?reference_id=10&limit=10&oldest
+
+        desc "Find environment's people"
+        get do
+          people = select_filtered_collection_of(environment, 'people', params)
+          people = people.visible
+          present_partial people, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the logged user information"
+        get "/me" do
+          authenticate!
+          present_partial current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person information"
+        get ':id' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          present person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Update person information"
+        post ':id' do
+          authenticate!
+          return forbidden! if current_person.id.to_s != params[:id]
+          current_person.update_attributes!(asset_with_image(params[:person]))
+          present current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
+        #  for each custom field for person, add &person[field_name]=field_value to the request
+        desc "Create person"
+        post do
+          authenticate!
+          user_data = {}
+          user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
+          user_data[:email] = params[:person].delete(:email)
+          user_data[:password] = params[:person].delete(:password)
+          user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
+
+          params[:person][:custom_values]={}
+          params[:person].keys.each do |key|
+            params[:person][:custom_values][key]=params[:person].delete(key) if Person.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          user = User.build(user_data, asset_with_image(params[:person]), environment)
+
+          begin
+            user.signup!
+          rescue ActiveRecord::RecordInvalid
+            render_api_errors!(user.errors.full_messages)
+          end
+
+          present user.person, :with => Entities::Person, :current_person => user.person
+        end
+
+        desc "Return the person friends"
+        get ':id/friends' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          friends = person.friends.visible
+          present friends, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person permissions on other profiles"
+        get ":id/permissions" do
+          authenticate!
+          person = environment.people.find(params[:id])
+          return not_found! if person.blank?
+          return forbidden! unless current_person == person || environment.admins.include?(current_person)
+
+          output = {}
+          person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier)
+              output[role_assigment.resource.identifier] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+      end
+
+      resource :profiles do
+        segment '/:profile_id' do
+          resource :members do
+            paginate max_per_page: MAX_PER_PAGE
+            get do
+              profile = environment.profiles.find_by id: params[:profile_id]
+              members = select_filtered_collection_of(profile, 'members', params)
+              present members, :with => Entities::Person, :current_person => current_person
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,51 @@
+module Api
+  module V1
+    class Profiles < Grape::API
+
+      resource :profiles do
+
+        get do
+          profiles = select_filtered_collection_of(environment, 'profiles', params)
+          profiles = profiles.visible
+          profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
+          present profiles, :with => Entities::Profile, :current_person => current_person
+        end
+
+        get ':id' do
+          profiles = environment.profiles
+          profiles = profiles.visible
+          profile = profiles.find_by id: params[:id]
+
+          if profile
+            present profile, :with => Entities::Profile, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+        
+        desc "Update profile information"
+        post ':id' do
+          authenticate!
+          profile = environment.profiles.find_by(id: params[:id])
+          return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+          profile.update_attributes!(params[:profile])
+          present profile, :with => Entities::Profile, :current_person => current_person
+        end
+
+        delete ':id' do
+          authenticate!
+          profiles = environment.profiles
+          profile = profiles.find_by id: params[:id]
+
+          not_found! if profile.blank?
+
+          if current_person.has_permission?(:destroy_profile, profile)
+            profile.destroy
+          else
+            forbidden!
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+module Api
+  module V1
+    class Search < Grape::API
+
+      resource :search do
+        resource :article do
+          paginate max_per_page: 200
+          get do
+            # Security checks
+            sanitize_params_hash(params)
+            # Api::Helpers
+            asset = :articles
+            context = environment
+
+            profile = environment.profiles.find(params[:profile_id]) if params[:profile_id]
+            scope = profile.nil? ? environment.articles.is_public : profile.articles.is_public
+            scope = scope.where(:type => params[:type]) if params[:type] && !(params[:type] == 'Article')
+            scope = scope.where(make_conditions_with_parameter(params))
+            scope = scope.joins(:categories).where(:categories => {:id => params[:category_ids]}) if params[:category_ids].present?
+            scope = scope.where('articles.children_count > 0') if params[:has_children].present?
+            query = params[:query] || ""
+            order = "more_recent"
+
+            options = {:filter => order, :template_id => params[:template_id]}
+
+            search_result = find_by_contents(asset, context, scope, query, {:page => 1}, options)
+
+            articles = search_result[:results]
+
+            present_articles(articles)
+          end
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,190 @@
+require "uri"
+
+module Api
+  module V1
+    class Session < Grape::API
+
+      ################################
+      # => Login with captcha only
+      # This method will attempt to login the user using only the captcha.
+      # To do this, we generate a temporary in-memory user and generate a private
+      # token to it.
+      ################################
+      post "/login-captcha" do
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        # verify_captcha will render_api_error! and exit in case of any problem
+        # this return is just to improve the clarity of the execution path
+        return unless verify_captcha(remote_ip, params, environment)
+        ## Creates and caches a captcha session store
+        store = Noosfero::API::SessionStore.create("captcha")
+        ## Initialize the data for the session store
+        store.data = []
+        ## Put it back in cache
+        store.store
+        { "private_token" => "#{store.private_token}" }
+      end
+
+      # Login to get token
+      #
+      # Parameters:
+      #   login (*required) - user login or email
+      #   password (required) - user password
+      #
+      # Example Request:
+      #  POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
+      post "/login" do
+        begin
+          user ||= User.authenticate(params[:login], params[:password], environment)
+        rescue User::UserNotActivated => e
+          render_api_error!(e.message, 401)
+        end
+
+        return unauthorized! unless user
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      post "/login_from_cookie" do
+        return unauthorized! if cookies[:auth_token].blank?
+        user = User.where(remember_token: cookies[:auth_token]).first
+        return unauthorized! unless user && user.activated?
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      # Create user.
+      #
+      # Parameters:
+      #   email (required)                  - Email
+      #   password (required)               - Password
+      #   login                             - login
+      # Example Request:
+      #   POST /register?email=some@mail.com&password=pas&password_confirmation=pas&login=some
+      params do
+        requires :email, type: String, desc: _("Email")
+        requires :login, type: String, desc: _("Login")
+        #requires :password, type: String, desc: _("Password")
+        #requires :password_confirmation, type: String, desc: _("Password confirmation")
+      end
+
+      post "/register" do
+        attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        # verify_captcha will render_api_error! and exit in case of any problem
+        # this return is just to improve the clarity of the execution path
+        return unless verify_captcha(remote_ip, params, environment)
+
+        name = params[:name].present? ? params[:name] : attrs[:email]
+        attrs[:password_confirmation] = attrs[:password] if !attrs.has_key?(:password_confirmation)
+        user = User.new(attrs.merge(:name => name))
+
+        begin
+          user.signup!
+          user.generate_private_token! if user.activated?
+          present user, :with => Entities::UserLogin, :current_person => user.person
+        rescue ActiveRecord::RecordInvalid
+          message = user.errors.as_json.merge((user.person.present? ? user.person.errors : {}).as_json).to_json
+          render_api_error!(message, 400)
+        end
+      end
+
+      params do
+        requires :activation_code, type: String, desc: _("Activation token")
+      end
+
+      # Activate a user.
+      #
+      # Parameter:
+      #   activation_code (required)                  - Activation token
+      # Example Request:
+      #   PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
+      patch "/activate" do
+        user = User.find_by activation_code: params[:activation_code]
+        if user
+          unless user.environment.enabled?('admin_must_approve_new_users')
+            if user.activate
+                user.generate_private_token!
+                present user, :with => Entities::UserLogin, :current_person => current_person
+            end
+          else
+            if user.create_moderate_task
+              user.activation_code = nil
+              user.save!
+
+              # Waiting for admin moderate user registration
+              status 202
+              body({
+                :message => 'Waiting for admin moderate user registration'
+              })
+            end
+          end
+        else
+          # Token not found in database
+          render_api_error!(_('Token is invalid'), 412)
+        end
+      end
+
+      # Request a new password.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /forgot_password?value=some@mail.com
+      post "/forgot_password" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        # verify_captcha will render_api_error! and exit in case of any problem
+        # this return is just to improve the clarity of the execution path
+        return unless verify_captcha(remote_ip, params, environment)
+        requestors.each do |requestor|
+          ChangePassword.create!(:requestor => requestor)
+        end
+      end
+
+      # Resend activation code.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /resend_activation_code?value=some@mail.com
+      post "/resend_activation_code" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        # verify_captcha will render_api_error! and exit in case of any problem
+        # this return is just to improve the clarity of the execution path
+        return unless verify_captcha(remote_ip, params, environment)
+
+        requestors.each do |requestor|
+          requestor.user.resend_activation_code
+        end
+        present requestors.map(&:user), :with => Entities::UserLogin
+      end
+
+      params do
+        requires :code, type: String, desc: _("Forgot password code")
+      end
+      # Change password
+      #
+      # Parameters:
+      #   code (required)                  - Change password code
+      #   password (required)
+      #   password_confirmation (required)
+      # Example Request:
+      #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+      patch "/new_password" do
+        change_password = ChangePassword.find_by code: params[:code]
+        not_found! if change_password.nil?
+
+        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+          change_password.finish
+          present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
+        else
+          something_wrong!
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,30 @@
+module Api
+  module V1
+    class Tags < Grape::API
+      resource :articles do
+        resource ':id/tags' do
+          get do
+            article = find_article(environment.articles, params[:id])
+            present article.tag_list
+          end
+
+          desc "Add a tag to an article"
+          post do
+            authenticate!
+            article = find_article(environment.articles, params[:id])
+            article.tag_list=params[:tags]
+            article.save
+            present article.tag_list
+          end
+        end
+      end
+
+      resource :environment do
+        desc 'Return the tag counts for this environment'
+        get '/tags' do
+          present environment.tag_counts
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,57 @@
+module Api
+  module V1
+    class Tasks < Grape::API
+#      before { authenticate! }
+
+#      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      resource :tasks do
+
+        # Collect tasks
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+        get do
+          tasks = select_filtered_collection_of(environment, 'tasks', params)
+          tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
+          present_partial tasks, :with => Entities::Task
+        end
+
+        desc "Return the task id"
+        get ':id' do
+          task = find_task(environment, params[:id])
+          present_partial task, :with => Entities::Task
+        end
+      end
+
+      kinds = %w[community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :tasks do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_tasks(profile)
+              end
+
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_task(profile)
+              end
+
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_task(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,43 @@
+module Api
+  module V1
+    class Users < Grape::API
+
+      resource :users do
+
+        get do
+          users = select_filtered_collection_of(environment, 'users', params)
+          users = users.select{|u| u.person.display_info_to? current_person}
+          present users, :with => Entities::User, :current_person => current_person
+        end
+
+        get "/me" do
+          authenticate!
+          present current_user, :with => Entities::User, :current_person => current_person
+        end
+
+        get ":id" do
+          user = environment.users.find_by id: params[:id]
+          if user
+            present user, :with => Entities::User, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+
+        get ":id/permissions" do
+          authenticate!
+          user = environment.users.find(params[:id])
+          output = {}
+          user.person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
+              output[:permissions] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,160 @@
+module AuthenticatedSystem
+
+  protected
+
+    def self.included base
+      if base < ActionController::Base
+        base.around_filter :user_set_current
+        base.before_filter :login_from_cookie
+      end
+
+      # Inclusion hook to make #current_user and #logged_in?
+      # available as ActionView helper methods.
+      base.helper_method :current_user, :logged_in?
+    end
+
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      current_user != nil
+    end
+
+    # Accesses the current user from the session.
+    def current_user
+      @current_user ||= begin
+        id = session[:user]
+        user = User.where(id: id).first if id
+        user.session = session if user
+        User.current = user
+        user
+      end
+    end
+
+    # Store the given user in the session.
+    def current_user=(new_user)
+      if new_user.nil?
+        session.delete(:user)
+      else
+        session[:user] = new_user.id
+        new_user.session = session
+        new_user.register_login
+      end
+      @current_user = User.current = new_user
+    end
+
+    # See impl. from http://stackoverflow.com/a/2513456/670229
+    def user_set_current
+      User.current = current_user
+      yield
+    ensure
+      # to address the thread variable leak issues in Puma/Thin webserver
+      User.current = nil
+    end
+
+    # Check if the user is authorized.
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorize?
+    #    current_user.login != "bob"
+    #  end
+    def authorized?
+      true
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      username, passwd = get_auth_data
+      if username && passwd
+        self.current_user ||= User.authenticate(username, passwd) || nil
+      end
+      if logged_in? && authorized?
+        true
+      else
+        if params[:require_login_popup]
+          render :json => { :require_login_popup => true }
+        else
+          access_denied
+        end
+      end
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |accepts|
+        accepts.html do
+          if request.xhr?
+            render :text => _('Access denied'), :status => 401
+          else
+            store_location
+            redirect_to :controller => '/account', :action => 'login'
+          end
+        end
+        accepts.xml do
+          headers["Status"]           = "Unauthorized"
+          headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+          render :text => "Could't authenticate you", :status => '401 Unauthorized'
+        end
+      end
+      false
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location(location = request.url)
+      session[:return_to] = location
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.
+    def redirect_back_or_default(default)
+      if session[:return_to]
+        redirect_to(session.delete(:return_to))
+      else
+        redirect_to(default)
+      end
+    end
+
+    # When called with before_filter :login_from_cookie will check for an :auth_token
+    # cookie and log the user back in if apropriate
+    def login_from_cookie
+      return if cookies[:auth_token].blank? or logged_in?
+      user = User.where(remember_token: cookies[:auth_token]).first
+      self.current_user = user if user and user.remember_token?
+    end
+
+  private
+    @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+    # gets BASIC auth info
+    def get_auth_data
+      auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+      auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+      return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
+    end
+end
@@ -18,6 +18,13 @@ class ApplicationController &lt; ActionController::Base
   end
   before_filter :redirect_to_current_user
+  before_filter :set_session_theme
+  def set_session_theme
+    if params[:theme]
+      session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
+    end
+  end
+
   def require_login_for_environment
     login_required
   end
@@ -63,12 +63,12 @@ class ProfileThemesController &lt; ThemesController
   end
   def start_test
-    session[:theme] = params[:id]
+    session[:user_theme] = params[:id]
     redirect_to :controller => 'content_viewer', :profile => profile.identifier, :action => 'view_page'
   end
   def stop_test
-    session[:theme] = nil
+    session[:user_theme] = nil
     redirect_to :action => 'index'
   end
@@ -13,7 +13,7 @@ class ApiController &lt; PublicController
   private
   def endpoints
-    Noosfero::API::API.endpoints(environment)
+    Api::App.endpoints(environment)
   end
 end
@@ -213,7 +213,7 @@ class ContentViewerController &lt; ApplicationController
       end
       if @page.published && @page.uploaded_file?
-        redirect_to @page.public_filename
+        redirect_to "#{Noosfero.root}#{@page.public_filename}"
       else
         send_data data, @page.download_headers
       end
@@ -235,13 +235,6 @@ module ApplicationHelper
     link_to(content_tag('span', text), url, html_options.merge(:class => the_class, :title => text))
   end
-  def button_bar(options = {}, &block)
-    options[:class].nil? ?
-      options[:class]='button-bar' :
-      options[:class]+=' button-bar'
-    concat(content_tag('div', capture(&block).to_s + tag('br', :style => 'clear: left;'), options))
-  end
-
   def render_profile_actions klass
     name = klass.to_s.underscore
     begin
@@ -353,7 +346,7 @@ module ApplicationHelper
   end
   def is_testing_theme
-    !controller.session[:theme].nil?
+    !controller.session[:user_theme].nil?
   end
   def theme_owner
@@ -602,8 +595,8 @@ module ApplicationHelper
     end
     if block
-      field_html ||= ''
-      field_html += capture(&block)
+      field_html ||= ''.html_safe
+      field_html   = [field_html, capture(&block)].safe_join
     end
     if controller.action_name == 'signup' || controller.action_name == 'new_community' || (controller.controller_name == "enterprise_registration" && controller.action_name == 'index') || (controller.controller_name == 'home' && controller.action_name == 'index' && user.nil?)
@@ -612,7 +605,9 @@ module ApplicationHelper
       end
     else
       if profile.active_fields.include?(name)
-        result = content_tag('div', field_html + profile_field_privacy_selector(profile, name), :class => 'field-with-privacy-selector')
+        result = content_tag :div, class: 'field-with-privacy-selector' do
+          [field_html, profile_field_privacy_selector(profile, name)].safe_join
+        end
       end
     end
@@ -620,10 +615,6 @@ module ApplicationHelper
       result = required(result)
     end
-    if block
-      concat(result)
-    end
-
     result
   end
@@ -868,7 +859,7 @@ module ApplicationHelper
   alias :browse_communities_menu :search_communities_menu
   def pagination_links(collection, options={})
-    options = {:previous_label => content_tag(:span, '&laquo; ', :class => 'previous-arrow') + _('Previous'), :next_label => _('Next') + content_tag(:span, ' &raquo;', :class => 'next-arrow'), :inner_window => 1, :outer_window => 0 }.merge(options)
+    options = {:previous_label => content_tag(:span, '&laquo; '.html_safe, :class => 'previous-arrow') + _('Previous'), :next_label => _('Next') + content_tag(:span, ' &raquo;'.html_safe, :class => 'next-arrow'), :inner_window => 1, :outer_window => 0 }.merge(options)
     will_paginate(collection, options)
   end
@@ -990,6 +981,7 @@ module ApplicationHelper
     values = {}
     values.merge!(task.information[:variables]) if task.information[:variables]
     values.merge!({:requestor => link_to(task.requestor.name, task.requestor.url)}) if task.requestor
+    values.merge!({:target => link_to(task.target.name, task.target.url)}) if (task.target && task.target.respond_to?(:url))
     values.merge!({:subject => content_tag('span', task.subject, :class=>'task_target')}) if task.subject
     values.merge!({:linked_subject => link_to(content_tag('span', task.linked_subject[:text], :class => 'task_target'), task.linked_subject[:url])}) if task.linked_subject
     (task.information[:message] % values).html_safe
@@ -188,9 +188,9 @@ module ArticleHelper
   def following_button(page, user)
     if !user.blank? and user != page.author
       if page.is_followed_by? user
-        button :cancel, unfollow_button_text(page), {:controller => 'profile', :action => 'unfollow_article', :article_id => page.id, :profile => page.profile.identifier}
+        button :cancel, unfollow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :unfollow_article, article_id: page.id}
       else
-        button :add, follow_button_text(page), {:controller => 'profile', :action => 'follow_article', :article_id => page.id, :profile => page.profile.identifier}
+        button :add, follow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :follow_article, article_id: page.id}
       end
     end
   end
@@ -99,15 +99,10 @@ module BoxesHelper
   end
   def render_block_content block
-    # FIXME: this conditional should be removed after all
-    # block footer from plugins methods get refactored into helpers and views.
-    # They are a failsafe until all of them are done.
-    return block.content if block.method(:content).owner != Block
     render_block block
   end
   def render_block_footer block
-    return block.footer if block.method(:footer).owner != Block
     render_block block, 'footers/'
   end
 module ButtonsHelper
+
+  def button_bar(options = {}, &block)
+    options[:class] ||= ''
+    options[:class] << ' button-bar'
+
+    content_tag :div, options do
+      [
+        capture(&block).to_s,
+        tag(:br, style: 'clear: left;'),
+      ].safe_join
+    end
+  end
+
   def button(type, label, url, html_options = {})
     html_options ||= {}
     the_class = 'with-text'
@@ -2,8 +2,8 @@ module ThemeLoaderHelper
   def current_theme
     @current_theme ||=
       begin
-        if session[:theme]
-          session[:theme]
+        if session[:user_theme]
+          session[:user_theme]
         else
           # utility for developers: set the theme to 'random' in development mode and
           # you will get a different theme every request. This is interesting for
@@ -11,8 +11,8 @@ module ThemeLoaderHelper
           if Rails.env.development? && environment.theme == 'random'
             @random_theme ||= Dir.glob('public/designs/themes/*').map { |f| File.basename(f) }.rand
             @random_theme
-          elsif Rails.env.development? && respond_to?(:params) && params[:theme] && File.exists?(Rails.root.join('public/designs/themes', params[:theme]))
-            params[:theme]
+          elsif Rails.env.development? && respond_to?(:params) && params[:user_theme] && File.exists?(Rails.root.join('public/designs/themes', params[:user_theme]))
+            params[:user_theme]
           else
             if profile && !profile.theme.nil?
               profile.theme
@@ -34,8 +34,10 @@ module ThemeLoaderHelper
   end
   def theme_path
-    if session[:theme]
+    if session[:user_theme]
       '/user_themes/' + current_theme
+    elsif session[:theme]
+      '/designs/themes/' + session[:theme]
     else
       '/designs/themes/' + current_theme
     end
 module UsersHelper
-  FILTER_TRANSLATION = {
+  def filter_translation
+    {
       'all_users' => _('All users'),
       'admin_users' => _('Admin users'),
       'activated_users' => _('Activated users'),
       'deactivated_users' => _('Deativated users'),
-  }
+    }
+  end
   def filter_selector(filter, float = 'right')
-    options = options_for_select(FILTER_TRANSLATION.map {|key, name| [name, key]}, :selected => filter)
+    options = options_for_select(filter_translation.map {|key, name| [name, key]}, :selected => filter)
     url_params = url_for(params.merge(:filter => 'FILTER'))
     onchange = "document.location.href = '#{url_params}'.replace('FILTER', this.value)"
     select_field = select_tag(:filter, options, :onchange => onchange)
@@ -19,7 +21,7 @@ module UsersHelper
   end
   def users_filter_title(filter)
-    FILTER_TRANSLATION[filter]
+    filter_translation[filter]
   end
 end
@@ -0,0 +1,14 @@
+class ActivitiesCounterCacheJob
+
+  def perform
+    person_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+    organization_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+    activities_counts = person_activities_counts.entries + organization_activities_counts.entries
+    activities_counts.each do |count|
+      update_sql = ApplicationRecord.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+      ApplicationRecord.connection.execute(update_sql)
+    end
+    Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
+  end
+
+end
@@ -0,0 +1,11 @@
+class CreateThumbnailsJob < Struct.new(:class_name, :file_id)
+  def perform
+    return unless class_name.constantize.exists?(file_id)
+    file = class_name.constantize.find(file_id)
+    file.create_thumbnails
+    article = Article.where(:image_id => file_id).first
+    if article
+      article.touch
+    end
+  end
+end
@@ -0,0 +1,27 @@
+class DownloadReportedImagesJob < Struct.new(:abuse_report, :article)
+  def perform
+    images_paths = article.image? ? [File.join(article.profile.environment.top_url, article.public_filename(:display))] : article.body_images_paths
+    images_paths.each do |image_path|
+      image = get_image(image_path)
+      reported_image = ReportedImage.create!( :abuse_report => abuse_report,
+                                              :uploaded_data => image,
+                                              :filename => File.basename(image_path),
+                                              :size => image.size )
+      abuse_report.content = parse_content(abuse_report, image_path, reported_image)
+    end
+    abuse_report.save!
+  end
+
+  def get_image(image_path)
+    image = ActionController::UploadedTempfile.new('reported_image')
+    image.write(Net::HTTP.get(URI.parse(image_path)))
+    image.original_path = 'tmp/' + File.basename(image_path)
+    image.content_type = 'image/' + File.extname(image_path).gsub('.','')
+    image
+  end
+
+  def parse_content(report, old_path, image)
+    old_path = old_path.gsub(report.reporter.environment.top_url, '')
+    report.content.gsub(/#{old_path}/, image.public_filename)
+  end
+end
@@ -0,0 +1,11 @@
+class GetEmailContactsJob < Struct.new(:import_from, :login, :password, :contact_list_id)
+  def perform
+    begin
+      Invitation.get_contacts(import_from, login, password, contact_list_id)
+    rescue Contacts::AuthenticationError => ex
+      ContactList.exists?(contact_list_id) && ContactList.find(contact_list_id).register_auth_error
+    rescue Exception => ex
+      ContactList.exists?(contact_list_id) && ContactList.find(contact_list_id).register_error
+    end
+  end
+end
@@ -0,0 +1,10 @@
+class InvitationJob < Struct.new(:person_id, :contacts_to_invite, :message, :profile_id, :contact_list_id, :locale)
+  def perform
+    Noosfero.with_locale(locale) do
+      person = Person.find(person_id)
+      profile = Profile.find(profile_id)
+      Invitation.invite(person, contacts_to_invite, message, profile)
+      ContactList.exists?(contact_list_id) && ContactList.find(contact_list_id).destroy
+    end
+  end
+end
@@ -0,0 +1,22 @@
+class LogMemoryConsumptionJob < Struct.new(:last_stat)
+  # Number of entries do display
+  N = 20
+
+  def perform
+    logpath = File.join(Rails.root, 'log', "#{ENV['RAILS_ENV']}_memory_consumption.log")
+    logger = Logger.new(logpath)
+    stats = Hash.new(0)
+    ObjectSpace.each_object {|o| stats[o.class.to_s] += 1}
+    i = 1
+
+    logger << "[#{Time.now.strftime('%F %T %z')}]\n"
+    stats.sort {|(k1,v1),(k2,v2)| v2 <=> v1}.each do |k,v|
+      logger << (sprintf "%-60s %10d", k, v)
+      logger << (sprintf " | delta %10d", (v - last_stat[k])) if last_stat && last_stat[k]
+      logger << "\n"
+      break if i > N
+      i += 1
+    end
+    logger << "\n"
+  end
+end
@@ -0,0 +1,8 @@
+class MailingJob < Struct.new(:mailing_id)
+  def perform
+    mailing = Mailing.find(mailing_id)
+    Noosfero.with_locale(mailing.locale) do
+      mailing.deliver
+    end
+  end
+end
@@ -0,0 +1,44 @@
+class NotifyActivityToProfilesJob < Struct.new(:tracked_action_id)
+  NOTIFY_ONLY_COMMUNITY = [
+    'add_member_in_community'
+  ]
+
+  NOT_NOTIFY_COMMUNITY = [
+    'join_community'
+  ]
+  def perform
+    return unless ActionTracker::Record.exists?(tracked_action_id)
+    tracked_action = ActionTracker::Record.find(tracked_action_id)
+    return unless tracked_action.user.present?
+    target = tracked_action.target
+    if target.is_a?(Community) && ( NOTIFY_ONLY_COMMUNITY.include?(tracked_action.verb) || ! target.public_profile )
+      ActionTrackerNotification.create(:profile_id => target.id, :action_tracker_id => tracked_action.id)
+      return
+    end
+
+    # Notify the user
+    ActionTrackerNotification.create(:profile_id => tracked_action.user.id, :action_tracker_id => tracked_action.id)
+
+    # Notify all friends
+    ActionTrackerNotification.connection.execute("insert into action_tracker_notifications(profile_id, action_tracker_id) select f.friend_id, #{tracked_action.id} from friendships as f where person_id=#{tracked_action.user.id} and f.friend_id not in (select atn.profile_id from action_tracker_notifications as atn where atn.action_tracker_id = #{tracked_action.id})")
+
+    if tracked_action.user.is_a? Organization
+      ActionTrackerNotification.connection.execute "insert into action_tracker_notifications(profile_id, action_tracker_id) " +
+      "select distinct accessor_id, #{tracked_action.id} from role_assignments where resource_id = #{tracked_action.user.id} and resource_type='Profile' " +
+      if tracked_action.user.is_a? Enterprise then "union select distinct person_id, #{tracked_action.id} from favorite_enterprise_people where enterprise_id = #{tracked_action.user.id}" else "" end
+    end
+
+    if target.is_a?(Community)
+      ActionTrackerNotification.create(:profile_id => target.id, :action_tracker_id => tracked_action.id) unless NOT_NOTIFY_COMMUNITY.include?(tracked_action.verb)
+
+      ActionTrackerNotification.connection.execute("insert into action_tracker_notifications(profile_id, action_tracker_id) select distinct profiles.id, #{tracked_action.id} from role_assignments, profiles where profiles.type = 'Person' and profiles.id = role_assignments.accessor_id and profiles.id != #{tracked_action.user.id} and profiles.id not in (select atn.profile_id from action_tracker_notifications as atn where atn.action_tracker_id = #{tracked_action.id}) and role_assignments.resource_type = 'Profile' and role_assignments.resource_id = #{target.id}")
+    end
+
+    if target.is_a?(Article) && target.profile.is_a?(Community)
+      ActionTrackerNotification.create(:profile_id => target.profile.id, :action_tracker_id => tracked_action.id) unless NOT_NOTIFY_COMMUNITY.include?(tracked_action.verb)
+
+      ActionTrackerNotification.connection.execute("insert into action_tracker_notifications(profile_id, action_tracker_id) select distinct profiles.id, #{tracked_action.id} from role_assignments, profiles where profiles.type = 'Person' and profiles.id = role_assignments.accessor_id and profiles.id != #{tracked_action.user.id} and profiles.id not in (select atn.profile_id from action_tracker_notifications as atn where atn.action_tracker_id = #{tracked_action.id}) and role_assignments.resource_type = 'Profile' and role_assignments.resource_id = #{target.profile.id}")
+    end
+
+  end
+end
@@ -0,0 +1,22 @@
+class ProfileSuggestionsJob < Struct.new(:person_id)
+
+  def self.exists?(person_id)
+    !find(person_id).empty?
+  end
+
+  def self.find(person_id)
+    Delayed::Job.by_handler("--- !ruby/struct:ProfileSuggestionsJob\nperson_id: #{person_id}\n")
+  end
+
+  def perform
+    logger = Delayed::Worker.logger
+    begin
+      person = Person.find(person_id)
+      ProfileSuggestion.calculate_suggestions(person)
+      UserMailer.profiles_suggestions_email(person).deliver if person.email_suggestions
+    rescue Exception => exception
+      logger.error("Error with suggestions for person ID %d: %s" % [person_id, exception.to_s])
+    end
+  end
+
+end
@@ -0,0 +1,6 @@
+class UserActivationJob < Struct.new(:user_id)
+  def perform
+    user = User.find(user_id)
+    user.destroy unless user.activated? || user.person.is_template? || user.moderate_registration_pending?
+  end
+end
@@ -37,6 +37,10 @@ class AddMember &lt; Task
     true
   end
+  def reject_details
+    true
+  end
+
   def footer
     true
   end
@@ -72,8 +76,9 @@ class AddMember &lt; Task
   end
   def task_cancelled_message
-    _("Your request to enter community \"%{target} with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{url} for more information.") %
-    {:target => self.target.name, :url => self.target.url,
-     :requestor => self.requestor.name}
+    _("Your request to enter community \"%{target}\" with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{target} for more information. The following explanation was given: \n\n\"%{explanation}\"") %
+    {:target => self.target.name,
+     :requestor => self.requestor.name,
+     :explanation => self.reject_explanation}
   end
 end
 class ApplicationRecord < ActiveRecord::Base
-  self.abstract_class = true
-
-  def self.postgresql?
-    self.connection.adapter_name == 'PostgreSQL'
-  end
+  self.abstract_class       = true
+  self.store_full_sti_class = true
   # an ActionView instance for rendering views on models
   def self.action_view
@@ -25,7 +22,7 @@ class ApplicationRecord &lt; ActiveRecord::Base
   alias :meta_cache_key :cache_key
   def cache_key
     key = [Noosfero::VERSION, meta_cache_key]
-    key.unshift(ApplicationRecord.connection.schema_search_path) if ApplicationRecord.postgresql?
+    key.unshift ApplicationRecord.connection.schema_search_path
     key.join('/')
   end
@@ -29,6 +29,8 @@ class Article &lt; ApplicationRecord
     :display => %w[full]
   }
+  N_('article')
+
   def initialize(*params)
     super
     if params.present? && params.first.present?
@@ -181,30 +181,6 @@ class Block &lt; ApplicationRecord
     "/images/block_preview.png"
   end
-  # Returns the content to be used for this block.
-  #
-  # This method can return several types of objects:
-  #
-  # * <tt>String</tt>: if the string starts with <tt>http://</tt> or <tt>https://</tt>, then it is assumed to be address of an IFRAME. Otherwise it's is used as regular HTML.
-  # * <tt>Hash</tt>: the hash is used to build an URL that is used as the address for a IFRAME.
-  # * <tt>Proc</tt>: the Proc is evaluated in the scope of BoxesHelper. The
-  # block can then use <tt>render</tt>, <tt>link_to</tt>, etc.
-  #
-  # The method can also return <tt>nil</tt>, which means "no content".
-  #
-  # See BoxesHelper#extract_block_content for implementation details.
-  def content(args={})
-    "This is block number %d" % self.id
-  end
-
-  # A footer to be appended to the end of the block. Returns <tt>nil</tt>.
-  #
-  # Override in your subclasses. You can return the same types supported by
-  # #content.
-  def footer
-    nil
-  end
-
   # Is this block editable? (Default to <tt>true</tt>)
   def editable?(user=nil)
     self.edit_modes == "all"
@@ -9,7 +9,7 @@ class Community &lt; Organization
     _('Community')
   end
-  N_('Community')
+  N_('community')
   N_('Language')
   settings_items :language
@@ -12,7 +12,7 @@ class Enterprise &lt; Organization
     _('Enterprise')
   end
-  N_('Enterprise')
+  N_('enterprise')
   acts_as_trackable after_add: proc{ |p, t| notify_activity t }
@@ -750,6 +750,10 @@ class Environment &lt; ApplicationRecord
     end
   end
+  def theme_ids
+    settings[:themes] || []
+  end
+
   def themes=(values)
     settings[:themes] = values
   end
@@ -81,10 +81,8 @@ class LinkListBlock &lt; Block
     end
   end
-  def icons_options
-    ICONS.map do |i|
-      "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
-    end
+  def icons
+    ICONS
   end
 end
@@ -13,6 +13,8 @@ class Person &lt; Profile
     _('Person')
   end
+  N_('person')
+
   acts_as_trackable :after_add => Proc.new {|p,t| notify_activity(t)}
   acts_as_accessor
@@ -82,7 +82,7 @@ class PersonNotifier
     helper ActionTrackerHelper
     def session
-      {:theme => nil}
+      {:user_theme => nil}
     end
     def content_summary(person, notifications, tasks)
@@ -1145,6 +1145,11 @@ private :generate_url, :url_options
     self.data[:fields_privacy]
   end
+  # abstract
+  def active_fields
+    []
+  end
+
   def public_fields
     self.active_fields
   end
@@ -31,7 +31,7 @@ class RecentDocumentsBlock &lt; Block
   end
   def api_content
-    Noosfero::API::Entities::ArticleBase.represent(docs).as_json
+    Api::Entities::ArticleBase.represent(docs).as_json
   end
   def display_api_content_by_default?
@@ -11,7 +11,7 @@
   <%= hidden_field_tag :terms_accepted, params[:terms_accepted] %>
 <% end %>
-<% button_bar do %>
+<%= button_bar do %>
   <%= submit_button( 'login', _('Log in') )%>
   <%= modal_close_button _('Cancel') if request.xhr? %>
 <% end %>
@@ -20,7 +20,7 @@
     <%= hidden_field_tag :answer, params[:answer] %>
     <%= labelled_check_box(environment.terms_of_use_acceptance_text.blank? ? _('I read the terms of use and accepted them') : environment.terms_of_use_acceptance_text, :terms_accepted, '1', false, :id => 'accept-terms') %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= button 'cancel', _('Cancel'), :controller => 'home', :action => 'index' %>
       <%= submit_button 'forward', _('Continue'), {:disabled => true, :class => 'disabled', :id => 'submit-accept-terms'} %>
     <% end %>
@@ -24,7 +24,7 @@
 <div class='activation-box'>
   <h2><%= _('Enterprise activation') + ' - ' + (logged_in? ? _('part 1 of 2') : _('part 1 of 3')) %></h2>
-  <%= form_tag( {:action => 'accept_terms'}, {:method => 'get', :onsubmit => (@question == :foundation_year ? 'return check_valid_year(this)' : 'return check_valid_cnpj(this)')}) do %> 
+  <%= form_tag( {:action => 'accept_terms'}, {:method => 'get', :onsubmit => (@question == :foundation_year ? 'return check_valid_year(this)' : 'return check_valid_cnpj(this)')}) do %>
   <p>  <strong><%= _('Pay atention! You have only one chance!') %></strong> </p>
@@ -34,7 +34,7 @@
     <%= hidden_field_tag :enterprise_code, params[:enterprise_code] %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= button 'cancel', _('Cancel'), :action => 'index' %>
       <%= submit_button 'forward', _('Continue') %>
     <% end %>
@@ -9,7 +9,7 @@
   <%= recaptcha_tags(:display => { :theme => 'clean' }, :ajax => true) %>
   <div>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button('send', _('Send instructions')) %>
     <% end %>
   </div>
@@ -22,7 +22,7 @@
      <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }, "") %>
-     <% button_bar do %>
+     <%= button_bar do %>
        <%= submit_button( 'login', _('Log in') )%>
        <% if is_popin %>
          <%= modal_close_button(_('Cancel')) %>
@@ -31,7 +31,7 @@
 <% end %>
-<% button_bar do %>
+<%= button_bar do %>
   <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
     <%= button :add, _("New user"), :controller => 'account', :action => 'signup' %>
   <% end %>
@@ -17,7 +17,7 @@
       <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }, "") %>
-      <% button_bar do %>
+      <%= button_bar do %>
         <%= submit_button( 'login', _('Log in') )%>
         <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
           <%= button(:add, _('New user'), { :controller => 'account', :action => 'signup' }) %>
 <h2><%= _('Are you sure you want to get out?') %></h2>
 <p>
-<% button_bar do %>
+<%= button_bar do %>
   <%= button :ok, _('Yes'), { :controller => 'account', :action => 'logout' } %>
   <%= modal_close_button _('No, I want to stay.') %>
 <% end %>
@@ -10,7 +10,7 @@
   <%= labelled_form_field(_('Enter new password'), (f.password_field :password)) %>
   <%= labelled_form_field(_('Confirm the new password'), (f.password_field :password_confirmation)) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button(:ok, _('Change password')) %>
   <% end %>
@@ -3,8 +3,8 @@
   <%= _('%s was successfuly activated. Now you may go to your control panel or to the control panel of your enterprise') % @enterprise.name %>
-  <% button_bar do %>
-    <%= button 'forward', _('Go to my control panel'), :action => 'index', :controller => 'profile_editor', :profile => current_user.person.identifier %> 
+  <%= button_bar do %>
+    <%= button 'forward', _('Go to my control panel'), :action => 'index', :controller => 'profile_editor', :profile => current_user.person.identifier %>
     <%= button 'forward', _('Go to my enterprise control panel') % @enterprise.name, :action => 'index', :controller => 'profile_editor', :profile => @enterprise.identifier %>
   <% end %>
 <% end %>
@@ -6,7 +6,7 @@
   <%= f.text_area :message_for_disabled_enterprise, :cols => 40, :style => 'width: 90%' %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button(:save, _('Save')) %>
     <%= button(:cancel, _('Cancel'), :action => 'index') %>
   <% end %>
@@ -4,14 +4,14 @@
   <%= form_tag do %>
     <%= labelled_form_field(_('Portal identifier'), text_field_tag('portal_community_identifier', @portal_community.identifier, :size => 40) ) %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button 'save', _('Save'), :cancel => { :action => 'index' }  %>
     <% end %>
   <% end %>
 <% else %>
-  <%= _('Portal identifier: %s') % link_to(@portal_community.identifier, @portal_community.url) %>
+  <%= _('Portal identifier: %s').html_safe % link_to(@portal_community.identifier, @portal_community.url) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%if @portal_community.environment.enabled?('use_portal_community') %>
       <%= button 'cancel', _('Disable'), {:action => 'manage_portal_community', :activate => 0} %>
     <% else %>
@@ -37,7 +37,7 @@
     <%= _('The same order in which you arrange the folders here will be used for arranging the boxes in the environment initial page.') %>
   </p>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button 'save', _('Save'), :cancel => {:action => 'index'} %>
   <% end %>
 <% end %>
@@ -6,7 +6,7 @@
   <%= labelled_form_field _('Number of portal news'), select(:environment, :portal_news_amount, (0..10).to_a) %>
   <%= labelled_form_field _('Number of news by folder'), select(:environment, :news_amount_by_folder, (1..10).to_a) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button(:save, _('Save')) %>
     <%= button(:cancel, _('Cancel'), :action => 'index') %>
   <% end %>
@@ -20,7 +20,7 @@
   <% tabs << {:title => _('Signup introduction text'), :id => 'signup-intro',
     :content => (render :partial => 'signup_intro', :locals => {:f => f})} %>
   <%= render_tabs(tabs) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button(:save, _('Save'), :cancel => {:action => 'index'}) %>
   <% end %>
 <% end %>
 <h1>API Playground</h1>
 <script>
-<% prefix = Noosfero::API::API.prefix %>
+<% prefix = Api::App.prefix %>
 var prefix = <%= prefix.to_json %>;
 var endpoints = <%=
 endpoints.map do |endpoint|
@@ -2,6 +2,8 @@
   <%= hidden_field_tag 'block[links][][icon]', icon %>
   <span class='icon-<%= icon %>' style='display:block; width:16px; height:16px;'></span>
   <div class="icon-selector" style='display:none;'>
-     <%= @block.icons_options.join %>
+    <% @block.icons.map do |i| %>
+      <%= content_tag('span', '', :title => i[1], :class => "icon-#{i[0]}", :onclick => "changeIcon(this, '#{i[0]}')") %>
+    <% end %>
   </div>
 </div>
@@ -35,7 +35,7 @@
       </div>
     <% end %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button(:save, _('Save')) %>
       <%= modal_close_button(_('Cancel')) %>
     <% end %>
@@ -3,7 +3,7 @@
 <h1><%= _('Editing sideboxes')%></h1>
-<% button_bar :class=>'design-menu' do %>
+<%= button_bar :class=>'design-menu' do %>
   <%= button(:back, _('Back to control panel'), :controller => (profile.nil? ? 'admin_panel': 'profile_editor')) %>
 <% end %>
@@ -28,7 +28,7 @@
     <%= file_field_or_thumbnail(_('Image:'), @category.image, i) %>
   <% end %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('save', _('Save'), :cancel => {:action => 'index'}) %>
   <% end%>
 <% end %>
@@ -9,7 +9,7 @@
   <%= labelled_radio_button _('Folder'), :folder_type, 'Folder', false %>
   <%= labelled_form_field _('Name:'), text_field_tag(:new_folder, nil, 'data-url' => url_for({:action => 'new', :profile => profile.identifier})) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button(:newfolder, _('Create')) %>
   <% end %>
 <% end %>
-<%= labelled_form_field(_('Publish date'), date_field('article[published_at]', @article.published_at || DateTime.current, {:max_date => '+0d', :date_format => 'yy-mm-dd'}, {:id => "article_published_at"})) %>
+<%= labelled_form_field(_('Publish date'), date_field('article[published_at]', @article.published_at || DateTime.current, {:max_date => '+0d', :time => true}, {:id => "article_published_at"})) %>
@@ -12,7 +12,7 @@
 <%= hidden_field_tag('back_to', @back_to) %>
-<% button_bar do %>
+<%= button_bar do %>
   <%= button_to_function :add, _('More files'), "add_new_file_fields()" %>
   <% if @back_to %>
     <%= submit_button :save, _('Upload'), :cancel => @back_to %>
@@ -12,7 +12,7 @@
     <% end %>
   </strong>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button :save, _('Yes, I want.') %>
     <%= button :cancel, _("No, I don't want."), @article.url %>
   <% end %>
@@ -21,7 +21,7 @@
     </div>
   <% end %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button :save, _('Save') %>
     <%= submit_button :save, _('Save and continue'), :name => "continue" %>
   <% end %>
@@ -48,7 +48,7 @@
     <%= options_for_article(@article, @tokenized_children) %>
   </div>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button :save, _('Save') %>
     <% if @back_to %>
@@ -25,7 +25,7 @@
         <%= hidden_field_tag :back_to, @back_to %>
         <%= labelled_form_field _('Title'), text_field_tag('name', @article.name) %>
-        <% button_bar do %>
+        <%= button_bar do %>
           <%= submit_button 'spread', _('Spread this') %>
         <% end %>
       <% end %>
@@ -41,7 +41,7 @@
         <% search_action = url_for(:action => 'search_communities_to_publish') %>
         <%= token_input_field_tag(:q, 'search-communities-to-publish', search_action, { :hint_text => _('Type in a search for your community'), :zindex => 10000, :focus => false }) %>
         <%= labelled_form_field _('Title'), text_field_tag('name', @article.name) %>
-        <% button_bar do %>
+        <%= button_bar do %>
           <%= submit_button 'spread', _('Spread this') %>
         <% end %>
       <% end %>
@@ -58,7 +58,7 @@
         <%= hidden_field_tag :back_to, @back_to %>
         <%= labelled_form_field _('Title'), text_field_tag('name', @article.name) %>
-        <% button_bar do %>
+        <%= button_bar do %>
           <%= submit_button 'spread', _('Spread this') %>
         <% end %>
       <% end %>
@@ -5,7 +5,7 @@
     <%= hidden_field_tag :back_to, @back_to %>
     <%= labelled_text_field _('Title') + ': ', :name, @article.name, :style => 'width: 100%' %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button 'spread', _('Spread this'), :cancel => @back_to %>
     <% end %>
   <% end %>
@@ -14,7 +14,7 @@
     <%= _("There is no portal community in this environment.") %>
   </div>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= button :back, _('Back'), :controller => 'cms' %>
   <% end %>
 <% end %>
@@ -23,7 +23,7 @@
   <%= recaptcha_tags(:display => { :theme => 'clean' }, :ajax => true) unless logged_in? %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button :save, _('Save') %>
     <%= button :cancel, _('Cancel'), @back_to %>
   <% end %>
@@ -14,7 +14,7 @@
   </div>
 <% end %>
-<% button_bar(:style => 'margin-bottom: 1em;') do %>
+<%= button_bar(:style => 'margin-bottom: 1em;') do %>
   <% parent_id = ((@article && @article.allow_children?) ? @article : nil) %>
   <%= modal_button('new', _('New content'), url_for({:action => 'new', :parent_id => parent_id, :cms => true}).html_safe) %>
@@ -4,6 +4,6 @@
 <%= _('By categorizing your content, you increase the possibility that other people access it. When they are looking for, say, articles about Bahia and you categorize your article in "Regions/Bahia", then there is a good change that your article is going to be found.') %>
 </p>
-<% button_bar do %>
+<%= button_bar do %>
   <%= modal_close_button _('Close') %>
 <% end %>
@@ -8,7 +8,7 @@
   <div id="recaptcha-container" style="display: none">
     <h3><%= _('Please type the two words below') %></h3>
     <%= recaptcha_tags(:display => { :theme => 'clean' }, :ajax => true) %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= button_to_function :add, _('Confirm'), "return false", :id => "confirm-captcha" %>
       <%= button_to_function :cancel, _('Cancel'), "noosfero.modal.close()" %>
     <% end %>
@@ -87,7 +87,7 @@ function check_captcha(button, confirm_action) {
   <%= safe_join(@plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }, "") %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('add', _('Post comment'), :onclick => "if(check_captcha(this)) { save_comment(this) } else { check_captcha(this, save_comment)};return false;") %>
     <% if !edition_mode %>
       <%= button :cancel, _('Cancel'), '', :id => 'cancel-comment' %>
@@ -36,7 +36,7 @@ function submit_comment_form(button) {
   <div id="recaptcha-container" style="display: none">
     <h3><%= _('Please type the two words below') %></h3>
     <%= recaptcha_tags(:display => { :theme => 'clean' }, :ajax => true) %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= button_to_function :add, _('Confirm'), "return false", :id => "confirm-captcha" %>
       <%= button_to_function :cancel, _('Cancel'), "noosfero.modal.close()" %>
     <% end %>
@@ -73,7 +73,7 @@ function submit_comment_form(button) {
   <%= hidden_field_tag(:confirm, 'false') %>
   <%= hidden_field_tag(:view, params[:view])%>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('add', _('Post comment'), :onclick => "submit_comment_form(this); return false") %>
     <% if cancel_triggers_hide %>
       <%= button :cancel, _('Cancel'), '', :id => 'cancel-comment' %>
@@ -5,7 +5,7 @@
   <%= form_tag(@page.view_url.merge({:only_path => true}), {:method => 'post', :class => 'comment_form'}) do %>
     <%= hidden_field_tag(:unfollow, 'commit') %>
     <%= labelled_form_field(_('Enter your e-Mail'), text_field_tag(:email, nil, {:size => 40})) %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button(:ok, _('Cancel notifications for e-mail above') ) %>
     <% end %>
   <% end %>
@@ -4,7 +4,7 @@
 <div>
   <div class='blog-description'>
-    <%= blog.body %>
+    <%= (blog.body || '').html_safe %>
   </div>
 </div>
 <hr class="pre-posts"/>
@@ -16,7 +16,7 @@
   <p><%= @page.terms_of_use %></p>
   <%= form_tag @page.url.merge(:terms_accepted => true) do %>
-    <% button_bar do %>
+    <%= button_bar do %>
       <% if user %>
         <%= submit_button :save, _("Accept")  %>
       <% else %>
@@ -8,7 +8,7 @@
     <%= _('There are no validators to validate the registration of this new enterprise. Contact your administrator for instructions.') %>
   </div>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= button :back, _('Go back'), { :profile => current_user.person.identifier, :action=>"enterprises", :controller=>"profile" }%>
   <% end %>
 <% else %>
@@ -36,7 +36,7 @@
     <%= template_options(:enterprises, 'create_enterprise')%>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button('next', _('Next'), :cancel => {:profile => current_user.person.identifier, :action=>"enterprises", :controller=>"profile"}) %>
     <% end %>
   <% end %>
@@ -4,7 +4,7 @@
 <%= render :partial => 'shared/template_welcome_page', :locals => {:template => @enterprise.template, :header => _("What can I do with a %s?")} %>
-<% button_bar do %>
+<%= button_bar do %>
   <%= button :back, _('Back'), {:controller => 'memberships', :action => 'index', :profile => user.identifier} %>
 <% end %>
@@ -22,7 +22,7 @@
   <% end %>
   </table>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button 'save', _('Confirm') %>
   <% end %>
 <% end %>
@@ -15,7 +15,7 @@
 <p><%= _('If this enterprise passes the criteria to be considered an solidarity enconomy enterprise, you can approve it by click the button below.') %></p>
 <%= form_tag :action => 'approve', :id => @pending.code do %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('approve', _('Approve')) %>
   <% end %>
 <% end %>
@@ -27,7 +27,7 @@
 <%= form_tag :action => 'reject', :id => @pending.code do %>
   <%= labelled_form_field(_('Please provide an explanation for the rejection. This explanation will be sent to the requestor (required).'), text_area_tag('reject_explanation'))%>
   <div>
-    <% button_bar do %>
+    <%= button_bar do %>
       <%= submit_button('reject', _('Reject')) %>
     <% end %>
   </div>
@@ -5,7 +5,7 @@
 <%= labelled_form_for :info do |f| %>
   <%= f.text_area(:validation_methodology, :cols => 50, :rows => 10) %>
   <%= f.text_area(:restrictions, :cols => 50, :rows => 7) %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('save', _('Save'), :cancel => {:action => 'index'}) %>
   <% end %>
 <% end %>
 <h1><%= _('Enterprise validations') %></h1>
-<% button_bar do %>
+<%= button_bar do %>
   <%= button(:edit, _('Edit validation info'), { :action => 'edit_validation_info' }) %>
   <%= button(:back, _('Go Back'), { :controller => 'profile_editor' }) %>
 <% end %>
@@ -3,7 +3,7 @@
 <%= form_tag( {:action => 'give_role'}, {:method => :post}) do %>
   <%= select_tag 'role', options_for_select(@roles.map{|r|[r.name,r.id]})  %>
   <%= hidden_field_tag 'person', current_user.person.id %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('affiliate', _('Affiliate', :cancel => {:action => 'index'}) %>
   <% end %>
 <% end %>
@@ -7,7 +7,7 @@
   <% end %>
   <%= hidden_field_tag 'person', @admin.id %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('save', _('Save changes'), :cancel => {:action => 'index'})  %>
   <% end %>
 <% end %>
@@ -9,7 +9,7 @@
   <% @roles.each do |r| %>
     <%= labelled_form_field(r.name, (check_box_tag "roles[]", r.id)) %>
   <% end %>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button( 'save', _('Make'), :cancel => {:action => 'index'} ) %>
   <% end %>
 <% end %>
@@ -3,6 +3,6 @@
 <br style="clear:both" />
-<% button_bar do %>
+<%= button_bar do %>
   <%= button(:back, _('Back'), :controller => 'admin_panel', :action => 'index') %>
 <% end %>
@@ -23,7 +23,7 @@
 </p>
 <% end %>
-<% button_bar do %>
+<%= button_bar do %>
   <%= button(:back, _('Go back'), :controller => 'profile_editor') %>
 <% end %>
@@ -55,7 +55,7 @@
 </script>
 <div>
-  <% button_bar do %>
+  <%= button_bar do %>
     <%= submit_button('save', _('Save changes'), :id=>"save_community_fields") %>
     <%= button :back, _('Back to admin panel'), :controller => 'admin_panel', :action => 'index' %>
   <% end %>
@@ -0,0 +1,89 @@		@@ -0,0 +1,89 @@
	1	+require_dependency 'api/helpers'
	2	+
	3	+module Api
	4	+ class App < Grape::API
	5	+ use Rack::JSONP
	6	+
	7	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	8	+ logger.formatter = GrapeLogging::Formatters::Default.new
	9	+ #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
	10	+
	11	+ rescue_from :all do \|e\|
	12	+ logger.error e
	13	+ error! e.message, 500
	14	+ end unless Rails.env.test?
	15	+
	16	+ @@NOOSFERO_CONF = nil
	17	+ def self.NOOSFERO_CONF
	18	+ if @@NOOSFERO_CONF
	19	+ @@NOOSFERO_CONF
	20	+ else
	21	+ file = Rails.root.join('config', 'noosfero.yml')
	22	+ @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] \|\| {} : {}
	23	+ end
	24	+ end
	25	+
	26	+ before { set_locale }
	27	+ before { setup_multitenancy }
	28	+ before { detect_stuff_by_domain }
	29	+ before { filter_disabled_plugins_endpoints }
	30	+ before { init_noosfero_plugins }
	31	+ after { set_session_cookie }
	32	+
	33	+ version 'v1'
	34	+ prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
	35	+ format :json
	36	+ content_type :txt, "text/plain"
	37	+
	38	+ helpers Helpers
	39	+
	40	+ mount V1::Session
	41	+ mount V1::Articles
	42	+ mount V1::Comments
	43	+ mount V1::Users
	44	+ mount V1::Communities
	45	+ mount V1::People
	46	+ mount V1::Enterprises
	47	+ mount V1::Categories
	48	+ mount V1::Tasks
	49	+ mount V1::Tags
	50	+ mount V1::Environments
	51	+ mount V1::Search
	52	+ mount V1::Contacts
	53	+ mount V1::Boxes
	54	+ mount V1::Blocks
	55	+ mount V1::Profiles
	56	+ mount V1::Activities
	57	+
	58	+ # hook point which allow plugins to add Grape::API extensions to Api::App
	59	+ #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
	60	+ @plugins = Noosfero::Plugin.all.map { \|p\| p.constantize }
	61	+ @plugins.each do \|klass\|
	62	+ if klass.public_methods.include? :api_mount_points
	63	+ klass.api_mount_points.each do \|mount_class\|
	64	+ mount mount_class if mount_class && ( mount_class < Grape::API )
	65	+ end
	66	+ end
	67	+ end
	68	+
	69	+ def self.endpoint_unavailable?(endpoint, environment)
	70	+ api_class = endpoint.options[:app] \|\| endpoint.options[:for]
	71	+ if api_class.present?
	72	+ klass = api_class.name.deconstantize.constantize
	73	+ return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
	74	+ end
	75	+ end
	76	+
	77	+ class << self
	78	+ def endpoints_with_plugins(environment = nil)
	79	+ if environment.present?
	80	+ cloned_endpoints = endpoints_without_plugins.dup
	81	+ cloned_endpoints.delete_if { \|endpoint\| endpoint_unavailable?(endpoint, environment) }
	82	+ else
	83	+ endpoints_without_plugins
	84	+ end
	85	+ end
	86	+ alias_method_chain :endpoints, :plugins
	87	+ end
	88	+ end
	89	+end
@@ -0,0 +1,269 @@		@@ -0,0 +1,269 @@
	1	+module Api
	2	+ module Entities
	3	+
	4	+ Entity.format_with :timestamp do \|date\|
	5	+ date.strftime('%Y/%m/%d %H:%M:%S') if date
	6	+ end
	7	+
	8	+ PERMISSIONS = {
	9	+ :admin => 0,
	10	+ :self => 10,
	11	+ :private_content => 20,
	12	+ :logged_user => 30,
	13	+ :anonymous => 40
	14	+ }
	15	+
	16	+ def self.can_display_profile_field? profile, options, permission_options={}
	17	+ permissions={:field => "", :permission => :private_content}
	18	+ permissions.merge!(permission_options)
	19	+ field = permissions[:field]
	20	+ permission = permissions[:permission]
	21	+ return true if profile.public? && profile.public_fields.map{\|f\| f.to_sym}.include?(field.to_sym)
	22	+
	23	+ current_person = options[:current_person]
	24	+
	25	+ current_permission = if current_person.present?
	26	+ if current_person.is_admin?
	27	+ :admin
	28	+ elsif current_person == profile
	29	+ :self
	30	+ elsif profile.display_private_info_to?(current_person)
	31	+ :private_content
	32	+ else
	33	+ :logged_user
	34	+ end
	35	+ else
	36	+ :anonymous
	37	+ end
	38	+ PERMISSIONS[current_permission] <= PERMISSIONS[permission]
	39	+ end
	40	+
	41	+ class Image < Entity
	42	+ root 'images', 'image'
	43	+
	44	+ expose :url do \|image, options\|
	45	+ image.public_filename
	46	+ end
	47	+
	48	+ expose :icon_url do \|image, options\|
	49	+ image.public_filename(:icon)
	50	+ end
	51	+
	52	+ expose :minor_url do \|image, options\|
	53	+ image.public_filename(:minor)
	54	+ end
	55	+
	56	+ expose :portrait_url do \|image, options\|
	57	+ image.public_filename(:portrait)
	58	+ end
	59	+
	60	+ expose :thumb_url do \|image, options\|
	61	+ image.public_filename(:thumb)
	62	+ end
	63	+ end
	64	+
	65	+ class CategoryBase < Entity
	66	+ root 'categories', 'category'
	67	+ expose :name, :id, :slug
	68	+ end
	69	+
	70	+ class Category < CategoryBase
	71	+ root 'categories', 'category'
	72	+ expose :full_name do \|category, options\|
	73	+ category.full_name
	74	+ end
	75	+ expose :parent, :using => CategoryBase, if: { parent: true }
	76	+ expose :children, :using => CategoryBase, if: { children: true }
	77	+ expose :image, :using => Image
	78	+ expose :display_color
	79	+ end
	80	+
	81	+ class Region < Category
	82	+ root 'regions', 'region'
	83	+ expose :parent_id
	84	+ end
	85	+
	86	+ class Block < Entity
	87	+ root 'blocks', 'block'
	88	+ expose :id, :type, :settings, :position, :enabled
	89	+ expose :mirror, :mirror_block_id, :title
	90	+ expose :api_content, if: lambda { \|object, options\| options[:display_api_content] \|\| object.display_api_content_by_default? }
	91	+ end
	92	+
	93	+ class Box < Entity
	94	+ root 'boxes', 'box'
	95	+ expose :id, :position
	96	+ expose :blocks, :using => Block do \|box, options\|
	97	+ box.blocks.select {\|block\| block.visible_to_user?(options[:current_person]) }
	98	+ end
	99	+ end
	100	+
	101	+ class Profile < Entity
	102	+ expose :identifier, :name, :id
	103	+ expose :created_at, :format_with => :timestamp
	104	+ expose :updated_at, :format_with => :timestamp
	105	+ expose :additional_data do \|profile, options\|
	106	+ hash ={}
	107	+ profile.public_values.each do \|value\|
	108	+ hash[value.custom_field.name]=value.value
	109	+ end
	110	+
	111	+ private_values = profile.custom_field_values - profile.public_values
	112	+ private_values.each do \|value\|
	113	+ if Entities.can_display_profile_field?(profile,options)
	114	+ hash[value.custom_field.name]=value.value
	115	+ end
	116	+ end
	117	+ hash
	118	+ end
	119	+ expose :image, :using => Image
	120	+ expose :region, :using => Region
	121	+ expose :type
	122	+ expose :custom_header
	123	+ expose :custom_footer
	124	+ end
	125	+
	126	+ class UserBasic < Entity
	127	+ expose :id
	128	+ expose :login
	129	+ end
	130	+
	131	+ class Person < Profile
	132	+ root 'people', 'person'
	133	+ expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
	134	+ expose :vote_count
	135	+ expose :comments_count do \|person, options\|
	136	+ person.comments.count
	137	+ end
	138	+ expose :following_articles_count do \|person, options\|
	139	+ person.following_articles.count
	140	+ end
	141	+ expose :articles_count do \|person, options\|
	142	+ person.articles.count
	143	+ end
	144	+ end
	145	+
	146	+ class Enterprise < Profile
	147	+ root 'enterprises', 'enterprise'
	148	+ end
	149	+
	150	+ class Community < Profile
	151	+ root 'communities', 'community'
	152	+ expose :description
	153	+ expose :admins, :if => lambda { \|community, options\| community.display_info_to? options[:current_person]} do \|community, options\|
	154	+ community.admins.map{\|admin\| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
	155	+ end
	156	+ expose :categories, :using => Category
	157	+ expose :members, :using => Person , :if => lambda{ \|community, options\| community.display_info_to? options[:current_person] }
	158	+ end
	159	+
	160	+ class CommentBase < Entity
	161	+ expose :body, :title, :id
	162	+ expose :created_at, :format_with => :timestamp
	163	+ expose :author, :using => Profile
	164	+ expose :reply_of, :using => CommentBase
	165	+ end
	166	+
	167	+ class Comment < CommentBase
	168	+ root 'comments', 'comment'
	169	+ expose :children, as: :replies, :using => Comment
	170	+ end
	171	+
	172	+ class ArticleBase < Entity
	173	+ root 'articles', 'article'
	174	+ expose :id
	175	+ expose :body
	176	+ expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
	177	+ expose :created_at, :format_with => :timestamp
	178	+ expose :updated_at, :format_with => :timestamp
	179	+ expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
	180	+ expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
	181	+ expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
	182	+ expose :categories, :using => Category
	183	+ expose :image, :using => Image
	184	+ expose :votes_for
	185	+ expose :votes_against
	186	+ expose :setting
	187	+ expose :position
	188	+ expose :hits
	189	+ expose :start_date
	190	+ expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
	191	+ expose :tag_list
	192	+ expose :children_count
	193	+ expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
	194	+ expose :path
	195	+ expose :followers_count
	196	+ expose :votes_count
	197	+ expose :comments_count
	198	+ expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
	199	+ expose :type
	200	+ expose :comments, using: CommentBase, :if => lambda{\|obj,opt\| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
	201	+ expose :published
	202	+ expose :accept_comments?, as: :accept_comments
	203	+ end
	204	+
	205	+ class Article < ArticleBase
	206	+ root 'articles', 'article'
	207	+ expose :parent, :using => ArticleBase
	208	+ expose :children, :using => ArticleBase do \|article, options\|
	209	+ article.children.published.limit(V1::Articles::MAX_PER_PAGE)
	210	+ end
	211	+ end
	212	+
	213	+ class User < Entity
	214	+ root 'users', 'user'
	215	+
	216	+ attrs = [:id,:login,:email,:activated?]
	217	+ aliases = {:activated? => :activated}
	218	+
	219	+ attrs.each do \|attribute\|
	220	+ name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
	221	+ expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => attribute})}
	222	+ end
	223	+
	224	+ expose :person, :using => Person, :if => lambda{\|user,options\| user.person.display_info_to? options[:current_person]}
	225	+ expose :permissions, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do \|user, options\|
	226	+ output = {}
	227	+ user.person.role_assignments.map do \|role_assigment\|
	228	+ if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
	229	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
	230	+ end
	231	+ end
	232	+ output
	233	+ end
	234	+ end
	235	+
	236	+ class UserLogin < User
	237	+ root 'users', 'user'
	238	+ expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {\|object, options\| object.activated? }
	239	+ end
	240	+
	241	+ class Task < Entity
	242	+ root 'tasks', 'task'
	243	+ expose :id
	244	+ expose :type
	245	+ end
	246	+
	247	+ class Environment < Entity
	248	+ expose :name
	249	+ expose :id
	250	+ expose :description
	251	+ expose :settings, if: lambda { \|instance, options\| options[:is_admin] }
	252	+ end
	253	+
	254	+ class Tag < Entity
	255	+ root 'tags', 'tag'
	256	+ expose :name
	257	+ end
	258	+
	259	+ class Activity < Entity
	260	+ root 'activities', 'activity'
	261	+ expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
	262	+ expose :user, :using => Profile
	263	+ expose :target do \|activity, opts\|
	264	+ type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {\|h\| activity.target.kind_of?(h.last)}
	265	+ type_map.first.represent(activity.target) unless type_map.nil?
	266	+ end
	267	+ end
	268	+ end
	269	+end
@@ -0,0 +1,27 @@		@@ -0,0 +1,27 @@
	1	+module Api
	2	+ class Entity < Grape::Entity
	3	+
	4	+ def initialize(object, options = {})
	5	+ object = nil if object.is_a? Exception
	6	+ super object, options
	7	+ end
	8	+
	9	+ def self.represent(objects, options = {})
	10	+ if options[:has_exception]
	11	+ data = super objects, options.merge(is_inner_data: true)
	12	+ if objects.is_a? Exception
	13	+ data.merge ok: false, error: {
	14	+ type: objects.class.name,
	15	+ message: objects.message
	16	+ }
	17	+ else
	18	+ data = data.serializable_hash if data.is_a? Entity
	19	+ data.merge ok: true, error: { type: 'Success', message: '' }
	20	+ end
	21	+ else
	22	+ super objects, options
	23	+ end
	24	+ end
	25	+
	26	+ end
	27	+end
@@ -0,0 +1,484 @@		@@ -0,0 +1,484 @@
	1	+require 'base64'
	2	+require 'tempfile'
	3	+
	4	+module Api
	5	+ module Helpers
	6	+ PRIVATE_TOKEN_PARAM = :private_token
	7	+ DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
	8	+
	9	+ include SanitizeParams
	10	+ include Noosfero::Plugin::HotSpot
	11	+ include ForgotPasswordHelper
	12	+ include SearchTermHelper
	13	+
	14	+ def set_locale
	15	+ I18n.locale = (params[:lang] \|\| request.env['HTTP_ACCEPT_LANGUAGE'] \|\| 'en')
	16	+ end
	17	+
	18	+ def init_noosfero_plugins
	19	+ plugins
	20	+ end
	21	+
	22	+ def current_tmp_user
	23	+ private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
	24	+ ## Get the "captcha" session store
	25	+ @current_tmp_user = Noosfero::API::SessionStore.get("captcha##{private_token}")
	26	+ @current_tmp_user
	27	+ end
	28	+
	29	+ def logout_tmp_user
	30	+ @current_tmp_user = nil
	31	+ end
	32	+
	33	+ def current_user
	34	+ private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
	35	+ @current_user \|\|= User.find_by private_token: private_token
	36	+ @current_user \|\|= plugins.dispatch("api_custom_login", request).first
	37	+ @current_user
	38	+ end
	39	+
	40	+ def current_person
	41	+ current_user.person unless current_user.nil?
	42	+ end
	43	+
	44	+ def is_admin?(environment)
	45	+ return false unless current_user
	46	+ return current_person.is_admin?(environment)
	47	+ end
	48	+
	49	+ def logout
	50	+ @current_user = nil
	51	+ end
	52	+
	53	+ def environment
	54	+ @environment
	55	+ end
	56	+
	57	+ def present_partial(model, options)
	58	+ if(params[:fields].present?)
	59	+ begin
	60	+ fields = JSON.parse(params[:fields])
	61	+ if fields.present?
	62	+ options.merge!(fields.symbolize_keys.slice(:only, :except))
	63	+ end
	64	+ rescue
	65	+ fields = params[:fields]
	66	+ fields = fields.split(',') if fields.kind_of?(String)
	67	+ options[:only] = Array.wrap(fields)
	68	+ end
	69	+ end
	70	+ present model, options
	71	+ end
	72	+
	73	+ include FindByContents
	74	+
	75	+ ####################################################################
	76	+ #### SEARCH
	77	+ ####################################################################
	78	+ def multiple_search?(searches=nil)
	79	+ ['index', 'category_index'].include?(params[:action]) \|\| (searches && searches.size > 1)
	80	+ end
	81	+ ####################################################################
	82	+
	83	+ def logger
	84	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	85	+ logger.formatter = GrapeLogging::Formatters::Default.new
	86	+ logger
	87	+ end
	88	+
	89	+ def limit
	90	+ limit = params[:limit].to_i
	91	+ limit = default_limit if limit <= 0
	92	+ limit
	93	+ end
	94	+
	95	+ def period(from_date, until_date)
	96	+ return nil if from_date.nil? && until_date.nil?
	97	+
	98	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	99	+ end_period = until_date.nil? ? DateTime.now : until_date
	100	+
	101	+ begin_period..end_period
	102	+ end
	103	+
	104	+ def parse_content_type(content_type)
	105	+ return nil if content_type.blank?
	106	+ content_type.split(',').map do \|content_type\|
	107	+ content_type.camelcase
	108	+ end
	109	+ end
	110	+
	111	+ def find_article(articles, id)
	112	+ article = articles.find(id)
	113	+ article.display_to?(current_person) ? article : forbidden!
	114	+ end
	115	+
	116	+ def post_article(asset, params)
	117	+ return forbidden! unless current_person.can_post_content?(asset)
	118	+
	119	+ klass_type = params[:content_type] \|\| params[:article].delete(:type) \|\| TinyMceArticle.name
	120	+ return forbidden! unless klass_type.constantize <= Article
	121	+
	122	+ article = klass_type.constantize.new(params[:article])
	123	+ article.last_changed_by = current_person
	124	+ article.created_by= current_person
	125	+ article.profile = asset
	126	+
	127	+ if !article.save
	128	+ render_api_errors!(article.errors.full_messages)
	129	+ end
	130	+ present_partial article, :with => Entities::Article
	131	+ end
	132	+
	133	+ def present_article(asset)
	134	+ article = find_article(asset.articles, params[:id])
	135	+ present_partial article, :with => Entities::Article, :params => params
	136	+ end
	137	+
	138	+ def present_articles_for_asset(asset, method = 'articles')
	139	+ articles = find_articles(asset, method)
	140	+ present_articles(articles)
	141	+ end
	142	+
	143	+ def present_articles(articles)
	144	+ present_partial paginate(articles), :with => Entities::Article, :params => params
	145	+ end
	146	+
	147	+ def find_articles(asset, method = 'articles')
	148	+ articles = select_filtered_collection_of(asset, method, params)
	149	+ if current_person.present?
	150	+ articles = articles.display_filter(current_person, nil)
	151	+ else
	152	+ articles = articles.published
	153	+ end
	154	+ articles
	155	+ end
	156	+
	157	+ def find_task(asset, id)
	158	+ task = asset.tasks.find(id)
	159	+ current_person.has_permission?(task.permission, asset) ? task : forbidden!
	160	+ end
	161	+
	162	+ def post_task(asset, params)
	163	+ klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
	164	+ return forbidden! unless klass_type.constantize <= Task
	165	+
	166	+ task = klass_type.constantize.new(params[:task])
	167	+ task.requestor_id = current_person.id
	168	+ task.target_id = asset.id
	169	+ task.target_type = 'Profile'
	170	+
	171	+ if !task.save
	172	+ render_api_errors!(task.errors.full_messages)
	173	+ end
	174	+ present_partial task, :with => Entities::Task
	175	+ end
	176	+
	177	+ def present_task(asset)
	178	+ task = find_task(asset, params[:id])
	179	+ present_partial task, :with => Entities::Task
	180	+ end
	181	+
	182	+ def present_tasks(asset)
	183	+ tasks = select_filtered_collection_of(asset, 'tasks', params)
	184	+ tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, asset)}
	185	+ return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
	186	+ present_partial tasks, :with => Entities::Task
	187	+ end
	188	+
	189	+ def make_conditions_with_parameter(params = {})
	190	+ parsed_params = parser_params(params)
	191	+ conditions = {}
	192	+ from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
	193	+ until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
	194	+
	195	+ conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
	196	+
	197	+ conditions[:created_at] = period(from_date, until_date) if from_date \|\| until_date
	198	+ conditions.merge!(parsed_params)
	199	+
	200	+ conditions
	201	+ end
	202	+
	203	+ # changing make_order_with_parameters to avoid sql injection
	204	+ def make_order_with_parameters(object, method, params)
	205	+ order = "created_at DESC"
	206	+ unless params[:order].blank?
	207	+ if params[:order].include? '\'' or params[:order].include? '"'
	208	+ order = "created_at DESC"
	209	+ elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
	210	+ order = 'RANDOM()'
	211	+ else
	212	+ field_name, direction = params[:order].split(' ')
	213	+ assoc = object.class.reflect_on_association(method.to_sym)
	214	+ if !field_name.blank? and assoc
	215	+ if assoc.klass.attribute_names.include? field_name
	216	+ if direction.present? and ['ASC','DESC'].include? direction.upcase
	217	+ order = "#{field_name} #{direction.upcase}"
	218	+ end
	219	+ end
	220	+ end
	221	+ end
	222	+ end
	223	+ return order
	224	+ end
	225	+
	226	+ def make_timestamp_with_parameters_and_method(params, method)
	227	+ timestamp = nil
	228	+ if params[:timestamp]
	229	+ datetime = DateTime.parse(params[:timestamp])
	230	+ table_name = method.to_s.singularize.camelize.constantize.table_name
	231	+ timestamp = "#{table_name}.updated_at >= '#{datetime}'"
	232	+ end
	233	+
	234	+ timestamp
	235	+ end
	236	+
	237	+ def by_reference(scope, params)
	238	+ reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
	239	+ if reference_id.nil?
	240	+ scope
	241	+ else
	242	+ created_at = scope.find(reference_id).created_at
	243	+ scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
	244	+ end
	245	+ end
	246	+
	247	+ def by_categories(scope, params)
	248	+ category_ids = params[:category_ids]
	249	+ if category_ids.nil?
	250	+ scope
	251	+ else
	252	+ scope.joins(:categories).where(:categories => {:id => category_ids})
	253	+ end
	254	+ end
	255	+
	256	+ def by_period(scope, params, attribute)
	257	+ from_param = "from_#{attribute}".to_sym
	258	+ until_param = "until_#{attribute}".to_sym
	259	+ from_date = DateTime.parse(params.delete(from_param)) if params[from_param]
	260	+ until_date = DateTime.parse(params.delete(until_param)) if params[until_param]
	261	+ scope = scope.where("#{attribute} >= ?", from_date) unless from_date.nil?
	262	+ scope = scope.where("#{attribute} <= ?", until_date) unless until_date.nil?
	263	+ scope
	264	+ end
	265	+
	266	+ def select_filtered_collection_of(object, method, params)
	267	+ conditions = make_conditions_with_parameter(params)
	268	+ order = make_order_with_parameters(object,method,params)
	269	+ timestamp = make_timestamp_with_parameters_and_method(params, method)
	270	+
	271	+ objects = object.send(method)
	272	+ objects = by_reference(objects, params)
	273	+ objects = by_categories(objects, params)
	274	+ [:start_date, :end_date].each { \|attribute\| objects = by_period(objects, params, attribute) }
	275	+
	276	+ objects = objects.where(conditions).where(timestamp).reorder(order)
	277	+
	278	+ params[:page] \|\|= 1
	279	+ params[:per_page] \|\|= limit
	280	+ paginate(objects)
	281	+ end
	282	+
	283	+ def authenticate!
	284	+ unauthorized! unless current_user
	285	+ end
	286	+
	287	+ # Allows the anonymous captcha user authentication
	288	+ # to pass the check. Used by the articles/vote to allow
	289	+ # the vote without login
	290	+ def authenticate_allow_captcha!
	291	+ unauthorized! unless current_tmp_user \|\| current_user
	292	+ end
	293	+
	294	+ def profiles_for_person(profiles, person)
	295	+ if person
	296	+ profiles.listed_for_person(person)
	297	+ else
	298	+ profiles.visible
	299	+ end
	300	+ end
	301	+
	302	+ # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
	303	+ # or a Bad Request error is invoked.
	304	+ #
	305	+ # Parameters:
	306	+ # keys (unique) - A hash consisting of keys that must be unique
	307	+ def unique_attributes!(obj, keys)
	308	+ keys.each do \|key\|
	309	+ cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
	310	+ end
	311	+ end
	312	+
	313	+ def attributes_for_keys(keys)
	314	+ attrs = {}
	315	+ keys.each do \|key\|
	316	+ attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
	317	+ end
	318	+ attrs
	319	+ end
	320	+
	321	+ ##########################################
	322	+ # error helpers #
	323	+ ##########################################
	324	+
	325	+ def not_found!
	326	+ render_api_error!('404 Not found', 404)
	327	+ end
	328	+
	329	+ def forbidden!
	330	+ render_api_error!('403 Forbidden', 403)
	331	+ end
	332	+
	333	+ def cant_be_saved_request!(attribute)
	334	+ message = _("(Invalid request) %s can't be saved") % attribute
	335	+ render_api_error!(message, 400)
	336	+ end
	337	+
	338	+ def bad_request!(attribute)
	339	+ message = _("(Invalid request) %s not given") % attribute
	340	+ render_api_error!(message, 400)
	341	+ end
	342	+
	343	+ def something_wrong!
	344	+ message = _("Something wrong happened")
	345	+ render_api_error!(message, 400)
	346	+ end
	347	+
	348	+ def unauthorized!
	349	+ render_api_error!(_('Unauthorized'), 401)
	350	+ end
	351	+
	352	+ def not_allowed!
	353	+ render_api_error!(_('Method Not Allowed'), 405)
	354	+ end
	355	+
	356	+ # javascript_console_message is supposed to be executed as console.log()
	357	+ def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
	358	+ message_hash = {'message' => user_message, :code => status}
	359	+ message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
	360	+ log_msg = "#{status}, User message: #{user_message}"
	361	+ log_msg = "#{log_message}, #{log_msg}" if log_message.present?
	362	+ log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
	363	+ logger.error log_msg unless Rails.env.test?
	364	+ error!(message_hash, status)
	365	+ end
	366	+
	367	+ def render_api_errors!(messages)
	368	+ messages = messages.to_a if messages.class == ActiveModel::Errors
	369	+ render_api_error!(messages.join(','), 400)
	370	+ end
	371	+
	372	+ ####################################################################
	373	+ #### VOTE
	374	+ ####################################################################
	375	+ def do_vote(article, current_person, value)
	376	+ begin
	377	+ vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
	378	+ return vote.save!
	379	+ rescue ActiveRecord::RecordInvalid => e
	380	+ render_api_error!(e.message, 400)
	381	+ return false
	382	+ end
	383	+ end
	384	+
	385	+ protected
	386	+
	387	+ def set_session_cookie
	388	+ cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
	389	+ # Set also the private_token for the current_tmp_user
	390	+ cookies['_noosfero_api_session'] = { value: @current_tmp_user.private_token, httponly: true } if @current_tmp_user.present?
	391	+ end
	392	+
	393	+ def setup_multitenancy
	394	+ Noosfero::MultiTenancy.setup!(request.host)
	395	+ end
	396	+
	397	+ def detect_stuff_by_domain
	398	+ @domain = Domain.by_name(request.host)
	399	+ if @domain.nil?
	400	+ @environment = Environment.default
	401	+ if @environment.nil? && Rails.env.development?
	402	+ # This should only happen in development ...
	403	+ @environment = Environment.create!(:name => "Noosfero", :is_default => true)
	404	+ end
	405	+ else
	406	+ @environment = @domain.environment
	407	+ end
	408	+ end
	409	+
	410	+ def filter_disabled_plugins_endpoints
	411	+ not_found! if Api::App.endpoint_unavailable?(self, @environment)
	412	+ end
	413	+
	414	+ def asset_with_image params
	415	+ if params.has_key? :image_builder
	416	+ asset_api_params = params
	417	+ asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
	418	+ return asset_api_params
	419	+ end
	420	+ params
	421	+ end
	422	+
	423	+ def base64_to_uploadedfile(base64_image)
	424	+ tempfile = base64_to_tempfile base64_image
	425	+ converted_image = base64_image
	426	+ converted_image[:tempfile] = tempfile
	427	+ return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
	428	+ end
	429	+
	430	+ def base64_to_tempfile base64_image
	431	+ base64_img_str = base64_image[:tempfile]
	432	+ decoded_base64_str = Base64.decode64(base64_img_str)
	433	+ tempfile = Tempfile.new(base64_image[:filename])
	434	+ tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
	435	+ tempfile.rewind
	436	+ tempfile
	437	+ end
	438	+ private
	439	+
	440	+ def parser_params(params)
	441	+ parsed_params = {}
	442	+ params.map do \|k,v\|
	443	+ parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
	444	+ end
	445	+ parsed_params
	446	+ end
	447	+
	448	+ def default_limit
	449	+ 20
	450	+ end
	451	+
	452	+ def parse_content_type(content_type)
	453	+ return nil if content_type.blank?
	454	+ content_types = content_type.split(',').map do \|content_type\|
	455	+ content_type = content_type.camelcase
	456	+ content_type == 'TextArticle' ? Article.text_article_types : content_type
	457	+ end
	458	+ content_types.flatten.uniq
	459	+ end
	460	+
	461	+ def period(from_date, until_date)
	462	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	463	+ end_period = until_date.nil? ? DateTime.now : until_date
	464	+ begin_period..end_period
	465	+ end
	466	+
	467	+
	468	+ ##########################################
	469	+ # captcha_helpers #
	470	+ ##########################################
	471	+
	472	+ def verify_captcha(remote_ip, params, environment)
	473	+ captcha_plugin_enabled = plugins.dispatch(:verify_captcha, remote_ip, params, environment).map {\|p\| p if ! ( p===nil ) }
	474	+ return true if captcha_plugin_enabled.size == 0
	475	+ if captcha_plugin_enabled.size > 1
	476	+ return render_api_error!(_("Error processing Captcha"), 500, nil, "More than one captcha plugin enabled")
	477	+ end
	478	+ test_result = captcha_plugin_enabled[0]
	479	+ return true if test_result === true
	480	+ render_api_error!(test_result[:user_message], test_result[:status], test_result[:log_message], test_result[:javascript_console_message])
	481	+ end
	482	+
	483	+ end
	484	+end
@@ -0,0 +1,20 @@		@@ -0,0 +1,20 @@
	1	+module Api
	2	+ module V1
	3	+ class Activities < Grape::API
	4	+ before { authenticate! }
	5	+
	6	+ resource :profiles do
	7	+
	8	+ get ':id/activities' do
	9	+ profile = Profile.find_by id: params[:id]
	10	+
	11	+ not_found! if profile.blank? \|\| profile.secret \|\| !profile.visible
	12	+ forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
	13	+
	14	+ activities = profile.activities.map(&:activity)
	15	+ present activities, :with => Entities::Activity, :current_person => current_person
	16	+ end
	17	+ end
	18	+ end
	19	+ end
	20	+end
@@ -0,0 +1,329 @@		@@ -0,0 +1,329 @@
	1	+module Api
	2	+ module V1
	3	+ class Articles < Grape::API
	4	+
	5	+ ARTICLE_TYPES = Article.descendants.map{\|a\| a.to_s}
	6	+
	7	+ MAX_PER_PAGE = 50
	8	+
	9	+ resource :articles do
	10	+
	11	+ paginate max_per_page: MAX_PER_PAGE
	12	+ # Collect articles
	13	+ #
	14	+ # Parameters:
	15	+ # from - date where the search will begin. If nothing is passed the default date will be the date of the first article created
	16	+ # oldest - Collect the oldest articles. If nothing is passed the newest articles are collected
	17	+ # limit - amount of articles returned. The default value is 20
	18	+ #
	19	+ # Example Request:
	20	+ # GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
	21	+
	22	+ desc 'Return all articles of all kinds' do
	23	+ detail 'Get all articles filtered by fields in query params'
	24	+ params Entities::Article.documentation
	25	+ success Entities::Article
	26	+ failure [[403, 'Forbidden']]
	27	+ named 'ArticlesList'
	28	+ headers [
	29	+ 'Per-Page' => {
	30	+ description: 'Total number of records',
	31	+ required: false
	32	+ }
	33	+ ]
	34	+ end
	35	+ get do
	36	+ present_articles_for_asset(environment)
	37	+ end
	38	+
	39	+ desc "Return the articles followed by me"
	40	+ get 'followed_by_me' do
	41	+ present_articles_for_asset(current_person, 'following_articles')
	42	+ end
	43	+
	44	+ desc "Return one article by id" do
	45	+ detail 'Get only one article by id. If not found the "forbidden" http error is showed'
	46	+ params Entities::Article.documentation
	47	+ success Entities::Article
	48	+ failure [[403, 'Forbidden']]
	49	+ named 'ArticleById'
	50	+ end
	51	+ get ':id', requirements: {id: /[0-9]+/} do
	52	+ present_article(environment)
	53	+ end
	54	+
	55	+ post ':id' do
	56	+ article = environment.articles.find(params[:id])
	57	+ return forbidden! unless article.allow_edit?(current_person)
	58	+ article.update_attributes!(asset_with_image(params[:article]))
	59	+ present_partial article, :with => Entities::Article
	60	+ end
	61	+
	62	+ delete ':id' do
	63	+ article = environment.articles.find(params[:id])
	64	+ return forbidden! unless article.allow_delete?(current_person)
	65	+ begin
	66	+ article.destroy
	67	+ { :success => true }
	68	+ rescue Exception => exception
	69	+ render_api_error!(_('The article couldn\'t be removed due to some problem. Please contact the administrator.'), 400)
	70	+ end
	71	+ end
	72	+
	73	+ desc 'Report a abuse and/or violent content in a article by id' do
	74	+ detail 'Submit a abuse (in general, a content violation) report about a specific article'
	75	+ params Entities::Article.documentation
	76	+ failure [[400, 'Bad Request']]
	77	+ named 'ArticleReportAbuse'
	78	+ end
	79	+ post ':id/report_abuse' do
	80	+ article = find_article(environment.articles, params[:id])
	81	+ profile = article.profile
	82	+ begin
	83	+ abuse_report = AbuseReport.new(:reason => params[:report_abuse])
	84	+ if !params[:content_type].blank?
	85	+ article = params[:content_type].constantize.find(params[:content_id])
	86	+ abuse_report.content = article_reported_version(article)
	87	+ end
	88	+
	89	+ current_person.register_report(abuse_report, profile)
	90	+
	91	+ if !params[:content_type].blank?
	92	+ abuse_report = AbuseReport.find_by reporter_id: current_person.id, abuse_complaint_id: profile.opened_abuse_complaint.id
	93	+ Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
	94	+ end
	95	+
	96	+ {
	97	+ :success => true,
	98	+ :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
	99	+ }
	100	+ rescue Exception => exception
	101	+ #logger.error(exception.to_s)
	102	+ render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
	103	+ end
	104	+
	105	+ end
	106	+
	107	+ desc "Returns the articles I voted" do
	108	+ detail 'Get the Articles I make a vote'
	109	+ failure [[403, 'Forbidden']]
	110	+ named 'ArticleFollowers'
	111	+ end
	112	+ #FIXME refactor this method
	113	+ get 'voted_by_me' do
	114	+ present_articles(current_person.votes.where(:voteable_type => 'Article').collect(&:voteable))
	115	+ end
	116	+
	117	+ desc 'Perform a vote on a article by id' do
	118	+ detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
	119	+ params Entities::UserLogin.documentation
	120	+ failure [[401,'Unauthorized']]
	121	+ named 'ArticleVote'
	122	+ end
	123	+ post ':id/vote' do
	124	+ ## The vote api should allow regular login or with captcha
	125	+ authenticate_allow_captcha!
	126	+ value = (params[:value] \|\| 1).to_i
	127	+ # FIXME verify allowed values
	128	+ render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
	129	+ article = find_article(environment.articles, params[:id])
	130	+ ## If login with captcha
	131	+ if @current_tmp_user
	132	+ # Vote allowed only if data does not include this article
	133	+ vote = (@current_tmp_user.data.include? article.id) ? false : true
	134	+ if vote
	135	+ @current_tmp_user.data << article.id
	136	+ @current_tmp_user.store
	137	+ {:vote => do_vote(article, current_person, value)}
	138	+ else
	139	+ {:vote => false}
	140	+ end
	141	+ else
	142	+ {:vote => do_vote(article, current_person, value)}
	143	+ end
	144	+ end
	145	+
	146	+
	147	+ desc "Returns the total followers for the article" do
	148	+ detail 'Get the followers of a specific article by id'
	149	+ failure [[403, 'Forbidden']]
	150	+ named 'ArticleFollowers'
	151	+ end
	152	+ get ':id/followers' do
	153	+ article = find_article(environment.articles, params[:id])
	154	+ total = article.person_followers.count
	155	+ {:total_followers => total}
	156	+ end
	157	+
	158	+ desc "Return the articles followed by me"
	159	+ get 'followed_by_me' do
	160	+ present_articles_for_asset(current_person, 'following_articles')
	161	+ end
	162	+
	163	+ desc "Add a follower for the article" do
	164	+ detail 'Add the current user identified by private token, like a follower of a article'
	165	+ params Entities::UserLogin.documentation
	166	+ failure [[401, 'Unauthorized']]
	167	+ named 'ArticleFollow'
	168	+ end
	169	+ post ':id/follow' do
	170	+ authenticate!
	171	+ article = find_article(environment.articles, params[:id])
	172	+ if article.article_followers.exists?(:person_id => current_person.id)
	173	+ {:success => false, :already_follow => true}
	174	+ else
	175	+ article_follower = ArticleFollower.new
	176	+ article_follower.article = article
	177	+ article_follower.person = current_person
	178	+ article_follower.save!
	179	+ {:success => true}
	180	+ end
	181	+ end
	182	+
	183	+ desc 'Return the children of a article identified by id' do
	184	+ detail 'Get all children articles of a specific article'
	185	+ params Entities::Article.documentation
	186	+ failure [[403, 'Forbidden']]
	187	+ named 'ArticleChildren'
	188	+ end
	189	+
	190	+ paginate per_page: MAX_PER_PAGE, max_per_page: MAX_PER_PAGE
	191	+ get ':id/children' do
	192	+ article = find_article(environment.articles, params[:id])
	193	+
	194	+ #TODO make tests for this situation
	195	+ votes_order = params.delete(:order) if params[:order]=='votes_score'
	196	+ articles = select_filtered_collection_of(article, 'children', params)
	197	+ articles = articles.display_filter(current_person, article.profile)
	198	+
	199	+ #TODO make tests for this situation
	200	+ if votes_order
	201	+ articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
	202	+ end
	203	+ Article.hit(articles)
	204	+ present_articles(articles)
	205	+ end
	206	+
	207	+ desc 'Return one child of a article identified by id' do
	208	+ detail 'Get a child of a specific article'
	209	+ params Entities::Article.documentation
	210	+ success Entities::Article
	211	+ failure [[403, 'Forbidden']]
	212	+ named 'ArticleChild'
	213	+ end
	214	+ get ':id/children/:child_id' do
	215	+ article = find_article(environment.articles, params[:id])
	216	+ child = find_article(article.children, params[:child_id])
	217	+ child.hit
	218	+ present_partial child, :with => Entities::Article
	219	+ end
	220	+
	221	+ desc 'Suggest a article to another profile' do
	222	+ detail 'Suggest a article to another profile (person, community...)'
	223	+ params Entities::Article.documentation
	224	+ success Entities::Task
	225	+ failure [[401,'Unauthorized']]
	226	+ named 'ArticleSuggest'
	227	+ end
	228	+ post ':id/children/suggest' do
	229	+ authenticate!
	230	+ parent_article = environment.articles.find(params[:id])
	231	+
	232	+ suggest_article = SuggestArticle.new
	233	+ suggest_article.article = params[:article]
	234	+ suggest_article.article[:parent_id] = parent_article.id
	235	+ suggest_article.target = parent_article.profile
	236	+ suggest_article.requestor = current_person
	237	+
	238	+ unless suggest_article.save
	239	+ render_api_errors!(suggest_article.article_object.errors.full_messages)
	240	+ end
	241	+ present_partial suggest_article, :with => Entities::Task
	242	+ end
	243	+
	244	+ # Example Request:
	245	+ # POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
	246	+ desc 'Add a child article to a parent identified by id' do
	247	+ detail 'Create a new article and associate to a parent'
	248	+ params Entities::Article.documentation
	249	+ success Entities::Article
	250	+ failure [[401,'Unauthorized']]
	251	+ named 'ArticleAddChild'
	252	+ end
	253	+ post ':id/children' do
	254	+ parent_article = environment.articles.find(params[:id])
	255	+ params[:article][:parent_id] = parent_article.id
	256	+ post_article(parent_article.profile, params)
	257	+ end
	258	+ end
	259	+
	260	+ resource :profiles do
	261	+ get ':id/home_page' do
	262	+ profiles = environment.profiles
	263	+ profiles = profiles.visible_for_person(current_person)
	264	+ profile = profiles.find_by id: params[:id]
	265	+ present_partial profile.home_page, :with => Entities::Article
	266	+ end
	267	+ end
	268	+
	269	+ kinds = %w[profile community person enterprise]
	270	+ kinds.each do \|kind\|
	271	+ resource kind.pluralize.to_sym do
	272	+ segment "/:#{kind}_id" do
	273	+ resource :articles do
	274	+
	275	+ desc "Return all articles associate with a profile of type #{kind}" do
	276	+ detail 'Get a list of articles of a profile'
	277	+ params Entities::Article.documentation
	278	+ success Entities::Article
	279	+ failure [[403, 'Forbidden']]
	280	+ named 'ArticlesOfProfile'
	281	+ end
	282	+ get do
	283	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	284	+
	285	+ if params[:path].present?
	286	+ article = profile.articles.find_by path: params[:path]
	287	+ if !article \|\| !article.display_to?(current_person)
	288	+ article = forbidden!
	289	+ end
	290	+
	291	+ present_partial article, :with => Entities::Article
	292	+ else
	293	+
	294	+ present_articles_for_asset(profile)
	295	+ end
	296	+ end
	297	+
	298	+ desc "Return a article associate with a profile of type #{kind}" do
	299	+ detail 'Get only one article of a profile'
	300	+ params Entities::Article.documentation
	301	+ success Entities::Article
	302	+ failure [[403, 'Forbidden']]
	303	+ named 'ArticleOfProfile'
	304	+ end
	305	+ get ':id' do
	306	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	307	+ present_article(profile)
	308	+ end
	309	+
	310	+ # Example Request:
	311	+ # POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
	312	+ desc "Add a new article associated with a profile of type #{kind}" do
	313	+ detail 'Create a new article and associate with a profile'
	314	+ params Entities::Article.documentation
	315	+ success Entities::Article
	316	+ failure [[403, 'Forbidden']]
	317	+ named 'ArticleCreateToProfile'
	318	+ end
	319	+ post do
	320	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	321	+ post_article(profile, params)
	322	+ end
	323	+ end
	324	+ end
	325	+ end
	326	+ end
	327	+ end
	328	+ end
	329	+end
@@ -0,0 +1,15 @@		@@ -0,0 +1,15 @@
	1	+module Api
	2	+ module V1
	3	+
	4	+ class Blocks < Grape::API
	5	+ resource :blocks do
	6	+ get ':id' do
	7	+ block = Block.find(params["id"])
	8	+ return forbidden! unless block.visible_to_user?(current_person)
	9	+ present block, :with => Entities::Block, display_api_content: true
	10	+ end
	11	+ end
	12	+ end
	13	+
	14	+ end
	15	+end
@@ -0,0 +1,45 @@		@@ -0,0 +1,45 @@
	1	+module Api
	2	+ module V1
	3	+
	4	+ class Boxes < Grape::API
	5	+
	6	+ kinds = %w[profile community person enterprise]
	7	+ kinds.each do \|kind\|
	8	+
	9	+ resource kind.pluralize.to_sym do
	10	+
	11	+ segment "/:#{kind}_id" do
	12	+ resource :boxes do
	13	+ get do
	14	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	15	+ return forbidden! unless profile.display_info_to?(current_person)
	16	+ present profile.boxes, with: Entities::Box, current_person: current_person
	17	+ end
	18	+ end
	19	+ end
	20	+ end
	21	+
	22	+ end
	23	+
	24	+ resource :environments do
	25	+ [ '/default', '/context', ':environment_id' ].each do \|route\|
	26	+ segment route do
	27	+ resource :boxes do
	28	+ get do
	29	+ if (route.match(/default/))
	30	+ env = Environment.default
	31	+ elsif (route.match(/context/))
	32	+ env = environment
	33	+ else
	34	+ env = Environment.find(params[:environment_id])
	35	+ end
	36	+ present env.boxes, with: Entities::Box, current_person: current_person
	37	+ end
	38	+ end
	39	+ end
	40	+ end
	41	+ end
	42	+ end
	43	+
	44	+ end
	45	+end
@@ -0,0 +1,25 @@		@@ -0,0 +1,25 @@
	1	+module Api
	2	+ module V1
	3	+ class Categories < Grape::API
	4	+
	5	+ resource :categories do
	6	+
	7	+ get do
	8	+ type = params[:category_type]
	9	+ include_parent = params[:include_parent] == 'true'
	10	+ include_children = params[:include_children] == 'true'
	11	+
	12	+ categories = type.nil? ? environment.categories : environment.categories.where(:type => type)
	13	+ present categories, :with => Entities::Category, parent: include_parent, children: include_children
	14	+ end
	15	+
	16	+ desc "Return the category by id"
	17	+ get ':id' do
	18	+ present environment.categories.find(params[:id]), :with => Entities::Category, parent: true, children: true
	19	+ end
	20	+
	21	+ end
	22	+
	23	+ end
	24	+ end
	25	+end
@@ -0,0 +1,63 @@		@@ -0,0 +1,63 @@
	1	+module Api
	2	+ module V1
	3	+ class Comments < Grape::API
	4	+ MAX_PER_PAGE = 20
	5	+
	6	+
	7	+ resource :articles do
	8	+ paginate max_per_page: MAX_PER_PAGE
	9	+ # Collect comments from articles
	10	+ #
	11	+ # Parameters:
	12	+ # reference_id - comment id used as reference to collect comment
	13	+ # oldest - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
	14	+ # limit - amount of comments returned. The default value is 20
	15	+ #
	16	+ # Example Request:
	17	+ # GET /articles/12/comments?oldest&limit=10&reference_id=23
	18	+ get ":id/comments" do
	19	+ article = find_article(environment.articles, params[:id])
	20	+ comments = select_filtered_collection_of(article, :comments, params)
	21	+ comments = comments.without_spam
	22	+ comments = comments.without_reply if(params[:without_reply].present?)
	23	+ comments = plugins.filter(:unavailable_comments, comments)
	24	+ present paginate(comments), :with => Entities::Comment, :current_person => current_person
	25	+ end
	26	+
	27	+ get ":id/comments/:comment_id" do
	28	+ article = find_article(environment.articles, params[:id])
	29	+ present article.comments.find(params[:comment_id]), :with => Entities::Comment, :current_person => current_person
	30	+ end
	31	+
	32	+ # Example Request:
	33	+ # POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
	34	+ post ":id/comments" do
	35	+ authenticate!
	36	+ article = find_article(environment.articles, params[:id])
	37	+ return forbidden! unless article.accept_comments?
	38	+ options = params.select { \|key,v\| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
	39	+ begin
	40	+ comment = Comment.create!(options)
	41	+ rescue ActiveRecord::RecordInvalid => e
	42	+ render_api_error!(e.message, 400)
	43	+ end
	44	+ present comment, :with => Entities::Comment, :current_person => current_person
	45	+ end
	46	+
	47	+ delete ":id/comments/:comment_id" do
	48	+ article = find_article(environment.articles, params[:id])
	49	+ comment = article.comments.find_by_id(params[:comment_id])
	50	+ return not_found! if comment.nil?
	51	+ return forbidden! unless comment.can_be_destroyed_by?(current_person)
	52	+ begin
	53	+ comment.destroy
	54	+ present comment, with: Entities::Comment, :current_person => current_person
	55	+ rescue => e
	56	+ render_api_error!(e.message, 500)
	57	+ end
	58	+ end
	59	+ end
	60	+
	61	+ end
	62	+ end
	63	+end