From f8559a31defedb1c01c81ebade7030a43a4b1b1e Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Wed, 4 May 2016 15:54:50 -0300
Subject: [PATCH] api: list only published children when get an article
---
 lib/noosfero/api/entities.rb | 4 ++--
 test/unit/api/articles_test.rb | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/noosfero/api/entities.rb b/lib/noosfero/api/entities.rb
index fe6438a..682d5cf 100644
--- a/lib/noosfero/api/entities.rb
+++ b/lib/noosfero/api/entities.rb
@@ -183,8 +183,8 @@ module Noosfero
 class Article < ArticleBase
 root 'articles', 'article'
 expose :parent, :using => ArticleBase
- expose :children, using: ArticleBase do |article, options|
- article.children.limit(Noosfero::API::V1::Articles::MAX_PER_PAGE)
+ expose :children, :using => ArticleBase do |article, options|
+ article.children.published.limit(Noosfero::API::V1::Articles::MAX_PER_PAGE)
 end
 end
diff --git a/test/unit/api/articles_test.rb b/test/unit/api/articles_test.rb
index 25b25ee..47f5064 100644
--- a/test/unit/api/articles_test.rb
+++ b/test/unit/api/articles_test.rb
@@ -689,4 +689,13 @@ class ArticlesTest < ActiveSupport::TestCase
 end
+ should 'not list private child when get the parent article' do
+ person = fast_create(Person, :environment_id => environment.id)
+ article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
+ child = fast_create(Article, :parent_id => article.id, :profile_id => person.id, :name => "Some thing", :published => false)
+ get "/api/v1/articles/#{article.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_not_includes json['article']['children'].map {|a| a['id']}, child.id
+ end
+
 end
--
libgit2 0.21.2
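Review bot: In lib/noosfero/api/entities.rb the context line `expose :parent, :using => ArticleBase`, directly above the changed block, still serializes the parent with no visibility check. The disclosure this commit closes for children may therefore remain open in the other direction when a published article sits under an unpublished parent; whether that state is reachable depends on model rules outside the hunk. A condition such as `expose :parent, :using => ArticleBase, :if => lambda { |article, options| article.parent.nil? || article.parent.published }` would keep the two sides consistent. The children filter also tests only the `published` flag and never reads the `options` block argument, so the result is the same for every caller; a comment like `# filtered by the published flag only, not by the requesting user's permissions` would make that limit explicit.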
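Review bot: The new test in test/unit/api/articles_test.rb asserts only that the unpublished child is absent, so it would still pass if `children` came back empty for every article. Creating a second child left at the default published state (called `published_child` here for illustration) and adding `assert_includes json['article']['children'].map {|a| a['id']}, published_child.id` would pin both sides of the filter. The request also appears to be made with whatever `params` the test setup provides, so which caller identity the assertion covers is not visible from the hunk and is worth stating in the test name. The enclosing ArticlesTest class starts outside the hunk.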