Commit f642d36149086a8f7b145fc498955d2fc755cff5

Authored by Leandro Santos
1 parent 61f3e5fd

restrict delete profile api action to logged-in users

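--- a/lib/noosfero/api/v1/profiles.rb
+++ b/lib/noosfero/api/v1/profiles.rb
@@ -20,6 +20,7 @@ module Noosfero
 end
 
 delete ':id' do
+authenticate!
 profiles = environment.profiles
 profile = profiles.find_by id: params[:id]
 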
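Review bot: `authenticate!` is placed ahead of the `find_by` lookup, so an anonymous request is answered with 401 (as the new test asserts) before any profile is loaded and the response cannot reveal whether the requested id exists; that ordering deserves a one-line comment so it is not "tidied" later, e.g. `# reject anonymous callers before the lookup so a 401 never leaks whether :id exists`. The per-profile `destroy_profile` permission check that the "without permission" tests rely on is outside this hunk, so whether an authenticated but unauthorized caller is still refused cannot be confirmed from here. The `delete ':id'` block continues past the end of the hunk.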
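--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -35,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase
 group_kinds = %w(community enterprise)
 group_kinds.each do |kind|
 should "delete #{kind} from profile id with permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 give_permission(@person, 'destroy_profile', profile)
 assert_not_nil Profile.find_by_id profile.id
@@ -46,6 +47,7 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should "not delete #{kind} from profile id without permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -57,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should 'person delete itself' do
+login_api
 delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
 assert_equal 200, last_response.status
 assert_nil Profile.find_by_id @person.id
 end
 
 should 'only admin delete other people' do
+login_api
 profile = fast_create(Person, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -80,6 +84,15 @@ class ProfilesTest < ActiveSupport::TestCase
 
 end
 
+should 'anonymous user access delete action' do
+anonymous_setup
+profile = fast_create(Person, :environment_id => environment.id)
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+assert_equal 401, last_response.status
+assert_not_nil Profile.find_by_id profile.id
+end
+
 should 'anonymous list all profiles' do
 person1 = fast_create(Person)
 person2 = fast_create(Person)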
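Review bot: The new test name `'anonymous user access delete action'` in the last hunk describes the setup rather than the expected outcome, unlike the neighbouring `'not delete ... without permission'` names; `should 'not allow anonymous user to delete a profile' do` would read consistently and state the guarantee the test pins. The two assertions it makes, the 401 status and the profile still being present afterwards, are the right ones for this check. `anonymous_setup` and `params` come from outside the hunk, so this assumes the shared setup still builds a `params` hash usable by an unauthenticated request. The enclosing `ProfilesTest` class starts and ends outside the visible hunks.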