Commit c58dacfa2adff8a6c5cacc47f7499ca0cb5d911e
1 parent
4615d072
Exists in
staging
and in
5 other branches
Exposing permission to delete comment
Showing
4 changed files
with
43 additions
and
0 deletions
Show diff stats
app/api/entities.rb
@@ -169,6 +169,10 @@ module Api | @@ -169,6 +169,10 @@ module Api | ||
169 | expose :created_at, :format_with => :timestamp | 169 | expose :created_at, :format_with => :timestamp |
170 | expose :author, :using => Profile | 170 | expose :author, :using => Profile |
171 | expose :reply_of, :using => CommentBase | 171 | expose :reply_of, :using => CommentBase |
172 | + expose :permissions do |comment, options| | ||
173 | + Entities.permissions_for_entity(comment, options[:current_person], | ||
174 | + :allow_destroy?) | ||
175 | + end | ||
172 | end | 176 | end |
173 | 177 | ||
174 | class Comment < CommentBase | 178 | class Comment < CommentBase |
app/models/comment.rb
@@ -211,6 +211,9 @@ class Comment < ApplicationRecord | @@ -211,6 +211,9 @@ class Comment < ApplicationRecord | ||
211 | user == author || user == profile || user.has_permission?(:moderate_comments, profile) | 211 | user == author || user == profile || user.has_permission?(:moderate_comments, profile) |
212 | end | 212 | end |
213 | 213 | ||
214 | + # method used by the API | ||
215 | + alias_method :allow_destroy?, :can_be_destroyed_by? | ||
216 | + | ||
214 | def can_be_marked_as_spam_by?(user) | 217 | def can_be_marked_as_spam_by?(user) |
215 | return if user.nil? | 218 | return if user.nil? |
216 | user == profile || user.has_permission?(:moderate_comments, profile) | 219 | user == profile || user.has_permission?(:moderate_comments, profile) |
test/api/comments_test.rb
@@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase | @@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase | ||
245 | assert_equal 500, last_response.status | 245 | assert_equal 500, last_response.status |
246 | assert_includes article.comments, comment | 246 | assert_includes article.comments, comment |
247 | end | 247 | end |
248 | + | ||
249 | + should 'list allow_destroy permission when get your own comment' do | ||
250 | + login_api | ||
251 | + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing") | ||
252 | + article.comments.create!(:body => "some comment", :author => @person) | ||
253 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | ||
254 | + json = JSON.parse(last_response.body) | ||
255 | + assert_equal 200, last_response.status | ||
256 | + assert_includes json["comments"][0]["permissions"], 'allow_destroy' | ||
257 | + end | ||
258 | + | ||
259 | + should 'anonymous not allowed to destroy comments' do | ||
260 | + article = fast_create(Article, :profile_id => @person.id, :name => "Some thing") | ||
261 | + article.comments.create!(:body => "some comment", :author => @person) | ||
262 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | ||
263 | + json = JSON.parse(last_response.body) | ||
264 | + assert_equal 200, last_response.status | ||
265 | + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy' | ||
266 | + end | ||
267 | + | ||
268 | + should 'unprivileged user not be allowed to destroy other people comments' do | ||
269 | + article = fast_create(Article, profile_id: @local_person.id, name: "Some thing") | ||
270 | + comment = article.comments.create!(body: "some comment", author: @local_person) | ||
271 | + login_api | ||
272 | + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" | ||
273 | + json = JSON.parse(last_response.body) | ||
274 | + assert_equal 200, last_response.status | ||
275 | + assert_not_includes json["comments"][0]["permissions"], 'allow_destroy' | ||
276 | + end | ||
277 | + | ||
248 | end | 278 | end |
test/unit/comment_test.rb
@@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase | @@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase | ||
597 | refute comment.can_be_destroyed_by?(nil) | 597 | refute comment.can_be_destroyed_by?(nil) |
598 | end | 598 | end |
599 | 599 | ||
600 | + should 'anonymous has no allow_destroy? permission' do | ||
601 | + comment = Comment.new | ||
602 | + | ||
603 | + refute comment.allow_destroy?(nil) | ||
604 | + end | ||
605 | + | ||
600 | should 'not be able to destroy comment' do | 606 | should 'not be able to destroy comment' do |
601 | user = Person.new | 607 | user = Person.new |
602 | profile = Profile.new | 608 | profile = Profile.new |