Commit c58dacfa2adff8a6c5cacc47f7499ca0cb5d911e

Authored by Evandro Junior
1 parent 4615d072

Exposing permission to delete comment

app/api/entities.rb
... ... @@ -169,6 +169,10 @@ module Api
169 169 expose :created_at, :format_with => :timestamp
170 170 expose :author, :using => Profile
171 171 expose :reply_of, :using => CommentBase
  172 + expose :permissions do |comment, options|
  173 + Entities.permissions_for_entity(comment, options[:current_person],
  174 + :allow_destroy?)
  175 + end
172 176 end
173 177  
174 178 class Comment < CommentBase
... ...
app/models/comment.rb
... ... @@ -211,6 +211,9 @@ class Comment &lt; ApplicationRecord
211 211 user == author || user == profile || user.has_permission?(:moderate_comments, profile)
212 212 end
213 213  
  214 + # method used by the API
  215 + alias_method :allow_destroy?, :can_be_destroyed_by?
  216 +
214 217 def can_be_marked_as_spam_by?(user)
215 218 return if user.nil?
216 219 user == profile || user.has_permission?(:moderate_comments, profile)
... ...
test/api/comments_test.rb
... ... @@ -245,4 +245,34 @@ class CommentsTest &lt; ActiveSupport::TestCase
245 245 assert_equal 500, last_response.status
246 246 assert_includes article.comments, comment
247 247 end
  248 +
  249 + should 'list allow_destroy permission when get your own comment' do
  250 + login_api
  251 + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
  252 + article.comments.create!(:body => "some comment", :author => @person)
  253 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  254 + json = JSON.parse(last_response.body)
  255 + assert_equal 200, last_response.status
  256 + assert_includes json["comments"][0]["permissions"], 'allow_destroy'
  257 + end
  258 +
  259 + should 'anonymous not allowed to destroy comments' do
  260 + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
  261 + article.comments.create!(:body => "some comment", :author => @person)
  262 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  263 + json = JSON.parse(last_response.body)
  264 + assert_equal 200, last_response.status
  265 + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
  266 + end
  267 +
  268 + should 'unprivileged user not be allowed to destroy other people comments' do
  269 + article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
  270 + comment = article.comments.create!(body: "some comment", author: @local_person)
  271 + login_api
  272 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  273 + json = JSON.parse(last_response.body)
  274 + assert_equal 200, last_response.status
  275 + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
  276 + end
  277 +
248 278 end
... ...
test/unit/comment_test.rb
... ... @@ -597,6 +597,12 @@ class CommentTest &lt; ActiveSupport::TestCase
597 597 refute comment.can_be_destroyed_by?(nil)
598 598 end
599 599  
  600 + should 'anonymous has no allow_destroy? permission' do
  601 + comment = Comment.new
  602 +
  603 + refute comment.allow_destroy?(nil)
  604 + end
  605 +
600 606 should 'not be able to destroy comment' do
601 607 user = Person.new
602 608 profile = Profile.new
... ...