Commit d5e6dc97348b29e806c1cefef50680648c559cd6

Authored by Victor Costa
1 parent da0f17cb

api: do not list boxes for users without permission

Showing 2 changed files with 10 additions and 0 deletions   Show diff stats
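--- a/app/api/v1/boxes.rb
+++ b/app/api/v1/boxes.rb
@@ -12,6 +12,7 @@ module Api
 resource :boxes do
 get do
 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+return forbidden! unless profile.display_info_to?(current_person)
 present profile.boxes, :with => Entities::Box
 end
 end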
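Review bot: The `return` in front of `forbidden!` on the added line is most likely dead code: if `forbidden!` is implemented on top of Grape's `error!` (not visible here, so please confirm), it throws instead of returning, and the idiomatic guard is simply `forbidden! unless profile.display_info_to?(current_person)` — keeping `return` suggests to a reader that execution could fall through to `present`. A second point is ordering: the `find` on the previous line runs before the authorization check, so an unknown id and an existing-but-hidden profile answer with different statuses, which lets a caller distinguish the two; if that distinction matters for this API, do the visibility check inside the lookup or map both outcomes to the same response. `current_person` may be nil for an unauthenticated request — the added check relies on `display_info_to?` handling nil safely, which is worth a one-line comment such as `# display_info_to? must accept a nil person (anonymous caller)` if that is the contract. The enclosing `module Api` starts outside the hunk.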
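--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -69,4 +69,13 @@ class BoxesTest < ActiveSupport::TestCase
 json = JSON.parse(last_response.body)
 assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
 end
+
+should 'not list boxes for user without permission' do
+profile = fast_create(Profile, public_profile: false)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 403, last_response.status
+end
 end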
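Review bot: `block` and `json` on the added lines are assigned but never read, so the new test pins only the status code and never checks that the existing box and block stay out of the response body; if the fixtures exist to prove nothing is leaked, add an assertion on `json` (for example that it carries no `"boxes"` key — confirm what `forbidden!` actually returns as a body), otherwise drop the `json = JSON.parse(...)` line and prefix the unused fixture with `_block`. The fixture lines also mix `:owner_id =>` and `box_id:` hash styles inside one test; whichever the rest of the file uses is not visible here, but one style per test reads better. The test depends on `params` not carrying credentials that `display_info_to?` would accept for this profile, which is presumably set up earlier in the file outside the hunk — worth a comment such as `# caller is not the profile owner, so the listing must be refused`. The enclosing class `BoxesTest` starts outside the hunk.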