Commit f642d36149086a8f7b145fc498955d2fc755cff5
1 parent
61f3e5fd
restrict delete profila api action for logged users
Showing
2 changed files
with
14 additions
and
0 deletions
lib/noosfero/api/v1/profiles.rb
test/api/profiles_test.rb
... | ... | @@ -35,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase |
35 | 35 | group_kinds = %w(community enterprise) |
36 | 36 | group_kinds.each do |kind| |
37 | 37 | should "delete #{kind} from profile id with permission" do |
38 | + login_api | |
38 | 39 | profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id) |
39 | 40 | give_permission(@person, 'destroy_profile', profile) |
40 | 41 | assert_not_nil Profile.find_by_id profile.id |
... | ... | @@ -46,6 +47,7 @@ class ProfilesTest < ActiveSupport::TestCase |
46 | 47 | end |
47 | 48 | |
48 | 49 | should "not delete #{kind} from profile id without permission" do |
50 | + login_api | |
49 | 51 | profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id) |
50 | 52 | assert_not_nil Profile.find_by_id profile.id |
51 | 53 | |
... | ... | @@ -57,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase |
57 | 59 | end |
58 | 60 | |
59 | 61 | should 'person delete itself' do |
62 | + login_api | |
60 | 63 | delete "/api/v1/profiles/#{@person.id}?#{params.to_query}" |
61 | 64 | assert_equal 200, last_response.status |
62 | 65 | assert_nil Profile.find_by_id @person.id |
63 | 66 | end |
64 | 67 | |
65 | 68 | should 'only admin delete other people' do |
69 | + login_api | |
66 | 70 | profile = fast_create(Person, :environment_id => environment.id) |
67 | 71 | assert_not_nil Profile.find_by_id profile.id |
68 | 72 | |
... | ... | @@ -80,6 +84,15 @@ class ProfilesTest < ActiveSupport::TestCase |
80 | 84 | |
81 | 85 | end |
82 | 86 | |
87 | + should 'anonymous user access delete action' do | |
88 | + anonymous_setup | |
89 | + profile = fast_create(Person, :environment_id => environment.id) | |
90 | + | |
91 | + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" | |
92 | + assert_equal 401, last_response.status | |
93 | + assert_not_nil Profile.find_by_id profile.id | |
94 | + end | |
95 | + | |
83 | 96 | should 'anonymous list all profiles' do |
84 | 97 | person1 = fast_create(Person) |
85 | 98 | person2 = fast_create(Person) | ... | ... |