api: do not list boxes for users without permission

Victor Costa
1 parent da0f17cb
Showing 2 changed files with 10 additions and 0 deletions Show diff stats
app/api/v1/boxes.rb
test/api/boxes_test.rb
@@ -12,6 +12,7 @@ module Api
             resource :boxes do
               get do
                 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                return forbidden! unless profile.display_info_to?(current_person)
                 present profile.boxes, :with => Entities::Box
               end
             end
@@ -69,4 +69,13 @@ class BoxesTest &lt; ActiveSupport::TestCase
     json = JSON.parse(last_response.body)
     assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
   end
+
+  should 'not list boxes for user without permission' do
+    profile = fast_create(Profile, public_profile: false)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 403, last_response.status
+  end
 end
	@@ -69,4 +69,13 @@ class BoxesTest < ActiveSupport::TestCase		@@ -69,4 +69,13 @@ class BoxesTest < ActiveSupport::TestCase
69	json = JSON.parse(last_response.body)	69	json = JSON.parse(last_response.body)
70	assert_equal [], json["boxes"].first["blocks"].map {\|b\| b['id']}	70	assert_equal [], json["boxes"].first["blocks"].map {\|b\| b['id']}
71	end	71	end
		72	+
		73	+ should 'not list boxes for user without permission' do
		74	+ profile = fast_create(Profile, public_profile: false)
		75	+ box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
		76	+ block = fast_create(Block, box_id: box.id)
		77	+ get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
		78	+ json = JSON.parse(last_response.body)
		79	+ assert_equal 403, last_response.status
		80	+ end
72	end	81	end