From c58dacfa2adff8a6c5cacc47f7499ca0cb5d911e Mon Sep 17 00:00:00 2001
From: Evandro Junior
Date: Thu, 7 Jul 2016 13:35:07 -0300
Subject: [PATCH] Exposing permission to delete comment
---
 app/api/entities.rb | 4 ++++
 app/models/comment.rb | 3 +++
 test/api/comments_test.rb | 30 ++++++++++++++++++++++++++++++
 test/unit/comment_test.rb | 6 ++++++
 4 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/app/api/entities.rb b/app/api/entities.rb
index e80a3ee..a1d391a 100644
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -169,6 +169,10 @@ module Api
 expose :created_at, :format_with => :timestamp
 expose :author, :using => Profile
 expose :reply_of, :using => CommentBase
+ expose :permissions do |comment, options|
+ Entities.permissions_for_entity(comment, options[:current_person],
+ :allow_destroy?)
+ end
 end
 class Comment < CommentBase
diff --git a/app/models/comment.rb b/app/models/comment.rb
index b79be4d..3bc1cb4 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -211,6 +211,9 @@ class Comment < ApplicationRecord
 user == author || user == profile || user.has_permission?(:moderate_comments, profile)
 end
+ # method used by the API
+ alias_method :allow_destroy?, :can_be_destroyed_by?
+
 def can_be_marked_as_spam_by?(user)
 return if user.nil?
 user == profile || user.has_permission?(:moderate_comments, profile)
diff --git a/test/api/comments_test.rb b/test/api/comments_test.rb
index e5ca9fe..497e599 100644
--- a/test/api/comments_test.rb
+++ b/test/api/comments_test.rb
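Review bot: `options[:current_person]` is nil for unauthenticated requests, so both `permissions_for_entity` and the `allow_destroy?` predicate it is handed must tolerate a nil user; the anonymous API test checks the end result, but nothing in this hunk records that expectation, and `permissions_for_entity` itself is outside the hunk, so how it resolves the `:allow_destroy?` symbol is inferred. The exposed `permissions` array is advisory for clients: the comment destroy endpoint still has to call `can_be_destroyed_by?` on its own, and this commit does not touch it. I would add `# Advisory only: the destroy endpoint enforces can_be_destroyed_by? independently.` above `expose :permissions` so the flag is not mistaken for the enforcement point.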
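Review bot: The comment `# method used by the API` on the new alias says where the second name is used but not why it exists, which invites a later cleanup that removes it. I would replace it with `# Alias for Api::Entities.permissions_for_entity, which expects permission predicates named allow_<action>?; keep in step with can_be_destroyed_by?.` The nil-user behaviour the new unit test relies on sits in the part of `can_be_destroyed_by?` above this hunk (presumably a `return if user.nil?` guard like the one in `can_be_marked_as_spam_by?`), so the alias inherits it; without such a guard the visible `user == author` branch would be true for a nil user on an unsaved `Comment.new` with no author.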
@@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase
 assert_equal 500, last_response.status
 assert_includes article.comments, comment
 end
+
+ should 'list allow_destroy permission when get your own comment' do
+ login_api
+ article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+ article.comments.create!(:body => "some comment", :author => @person)
+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal 200, last_response.status
+ assert_includes json["comments"][0]["permissions"], 'allow_destroy'
+ end
+
+ should 'anonymous not allowed to destroy comments' do
+ article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+ article.comments.create!(:body => "some comment", :author => @person)
+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal 200, last_response.status
+ assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+ end
+
+ should 'unprivileged user not be allowed to destroy other people comments' do
+ article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
+ comment = article.comments.create!(body: "some comment", author: @local_person)
+ login_api
+ get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal 200, last_response.status
+ assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+ end
+
 end
diff --git a/test/unit/comment_test.rb b/test/unit/comment_test.rb
index eaaff46..d6b653e 100644
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
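Review bot: In the 'unprivileged user not be allowed to destroy other people comments' test, `comment` is assigned from `article.comments.create!` and never read; drop the assignment and write `article.comments.create!(body: "some comment", author: @local_person)` as the two sibling tests do. That test also switches to `key:` hash syntax while its neighbours use `:key =>`; one form per file reads better. Coverage-wise only the author branch of `can_be_destroyed_by?` is asserted positively; a case for a user holding `:moderate_comments` on the profile would exercise the other branch visible in the model hunk and would catch a regression in the alias that the anonymous and unprivileged cases cannot. The test class's closing `end` is inside the hunk, so these are the last tests in the file.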
@@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase
 refute comment.can_be_destroyed_by?(nil)
 end
+ should 'anonymous has no allow_destroy? permission' do
+ comment = Comment.new
+
+ refute comment.allow_destroy?(nil)
+ end
+ + should 'not be able to destroy comment' do
 user = Person.new
 profile = Profile.new
-- 
libgit2 0.21.2
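Review bot: The new unit test only asserts the nil case, so an `allow_destroy?` that unconditionally returned false would still pass; it does not show that the alias actually delegates to `can_be_destroyed_by?`. Add the author path, which the `user == author` branch in the model hunk makes deterministic: `person = Person.new`, `comment = Comment.new(author: person)`, `assert comment.allow_destroy?(person)`. That `Comment.new` accepts `author:` is inferred from the API test's `create!(:author => @person)`; `Person.new` is already used by the neighbouring test in this hunk.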