Commit f642d36149086a8f7b145fc498955d2fc755cff5
1 parent
61f3e5fd
restrict delete profile API action to logged-in users
Showing
2 changed files
with
14 additions
and
0 deletions
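--- a/lib/noosfero/api/v1/profiles.rb
+++ b/lib/noosfero/api/v1/profiles.rb
@@ -20,6 +20,7 @@ module Noosfero
 end
 
 delete ':id' do
+authenticate!
 profiles = environment.profiles
 profile = profiles.find_by id: params[:id]
 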
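Review bot: `authenticate!` only establishes that the caller is logged in; the `destroy_profile` authorization that the tests in test/api/profiles_test.rb exercise must still run after the `find_by` at the end of this hunk, and its presence cannot be confirmed from here because the `delete ':id'` body continues outside the hunk. Placing the 401 before the lookup is the right order, since an anonymous caller gets the same response whether or not `params[:id]` exists and so cannot use this endpoint to enumerate profile ids. Consider whether a resource-level `before { authenticate! }` covering every non-GET action would be preferable to per-action calls, so a future mutating endpoint on this resource does not repeat the omission this commit fixes. A short comment such as `# 401 for anonymous callers before any profile is touched; destroy_profile authorization follows` would make the two-step intent explicit to the next reader.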
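--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -35,6 +35,7 @@ class ProfilesTest < ActiveSupport::TestCase
 group_kinds = %w(community enterprise)
 group_kinds.each do |kind|
 should "delete #{kind} from profile id with permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 give_permission(@person, 'destroy_profile', profile)
 assert_not_nil Profile.find_by_id profile.id
@@ -46,6 +46,7 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should "not delete #{kind} from profile id without permission" do
+login_api
 profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -57,12 +59,14 @@ class ProfilesTest < ActiveSupport::TestCase
 end
 
 should 'person delete itself' do
+login_api
 delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
 assert_equal 200, last_response.status
 assert_nil Profile.find_by_id @person.id
 end
 
 should 'only admin delete other people' do
+login_api
 profile = fast_create(Person, :environment_id => environment.id)
 assert_not_nil Profile.find_by_id profile.id
 
@@ -80,6 +84,15 @@ class ProfilesTest < ActiveSupport::TestCase
 
 end
 
+should 'anonymous user access delete action' do
+anonymous_setup
+profile = fast_create(Person, :environment_id => environment.id)
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+assert_equal 401, last_response.status
+assert_not_nil Profile.find_by_id profile.id
+end
+
 should 'anonymous list all profiles' do
 person1 = fast_create(Person)
 person2 = fast_create(Person)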
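Review bot: The new `should 'anonymous user access delete action'` test pins the 401 only for a `Person` target, while the two permission tests above iterate over `%w(community enterprise)`; the guard is per-endpoint rather than per-kind so this is probably sufficient, but placing the anonymous case inside the `group_kinds.each` loop as well would make it obvious that no profile kind bypasses the check. The test name describes the request rather than the expected outcome; `should 'not allow anonymous user to delete a profile'` reads as the assertion it makes. The response is only inspected for its status, so it would also be worth asserting that the body reveals nothing about the target profile, though what `anonymous_setup` leaves in `params` cannot be seen from this page.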