Commit 03e5175fd16045773b33dde4c12e846a35a6e1fa

Authored by Victor Costa
Committed by Rodrigo Souto
1 parent b72fb3b7

api: check permission to create articles

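--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -53,6 +53,7 @@ module API
 expose :author, :using => Profile
 expose :profile, :using => Profile
 expose :categories, :using => Category
+expose :parent, :using => Article
 end
 
 class Comment < Grape::Entity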
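Review bot: The new `expose :parent, :using => Article` line renders the parent article through the full entity without checking that the requester is allowed to see that parent, so a child article's JSON can disclose the name, author, profile and categories of a parent the caller could not fetch directly — assuming, as the `:using => Article` self-reference suggests, these lines sit in the Article entity itself (its class header is outside the hunk). Because the parent is serialized with the same entity, the output also recurses up the whole ancestry on every article response, which deserves at least a note and presumably a depth limit. Consider exposing only `expose :parent_id`, or guarding the nested entity with an `:if` lambda that applies the same visibility rule the articles endpoints use, and documenting the decision with a comment such as `# parent is rendered with the full Article entity; keep it behind a visibility check`.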
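--- a/lib/api/v1/articles.rb
+++ b/lib/api/v1/articles.rb
@@ -63,6 +63,8 @@ module API
 # POST api/v1/communites/:community_id/articles?private_toke=234298743290432&article[name]=title&article[body]=body
 post do
 community = environment.communities.find(params[:community_id])
+return forbidden! unless current_user.person.can_post_content?(community)
+
 klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
 article = klass_type.constantize.new(params[:article])
 article.last_changed_by = current_person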
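Review bot: The permission check on the added line is the right gate, but the lines just below it still pass `params[:content_type]` straight to `constantize`, so any caller who clears `can_post_content?` can name an arbitrary constant: a class that is not an Article subclass gets instantiated with user-supplied attributes, and an unknown name surfaces as a NameError (a 500) instead of a clean rejection. Pin the type to an allowlist, e.g. `klass = params[:content_type].nil? ? TinyMceArticle : params[:content_type].safe_constantize` followed by `return forbidden! unless klass && klass <= Article` (use the project's 400 helper instead of `forbidden!` if it has one). The same `new(params[:article])` call mass-assigns `parent_id`, and the test added in this commit shows an article unrelated to the community is accepted as parent, so the guard should presumably also confirm the parent belongs to `community` and that the caller may post under it. The `post do` block continues past the end of the hunk.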
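--- a/test/unit/api_test.rb
+++ b/test/unit/api_test.rb
@@ -193,4 +193,32 @@ class APITest < ActiveSupport::TestCase
 assert_not_includes json['articles'].map {|a| a['id']}, child.id
 end
 
+should 'create article in a community' do
+community = fast_create(Community)
+give_permission(user.person, 'post_content', community)
+params[:article] = {:name => "Title"}
+post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal "Title", json["article"]["title"]
+end
+
+should 'do not create article if user has no permission to post content' do
+community = fast_create(Community)
+give_permission(user.person, 'invite_members', community)
+params[:article] = {:name => "Title"}
+post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+assert_equal 403, last_response.status
+end
+
+should 'create article with parent' do
+community = fast_create(Community)
+community.add_member(user.person)
+article = fast_create(Article)
+
+params[:article] = {:name => "Title", :parent_id => article.id}
+post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal article.id, json["article"]["parent"]["id"]
+end
+
 end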
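Review bot: The negative test `should 'do not create article if user has no permission to post content'` asserts only the 403 status, so it would still pass if the endpoint persisted the article before (or despite) rendering the error; add a persistence assertion after the status check, such as `assert_nil Article.find_by_name("Title")` (or whatever lookup the models expose). The `create article with parent` test pins the behavior that an article from `fast_create(Article)` — one with no relation to `community` — is accepted as parent, which reads more like a gap to cover with a rejecting test than a contract to lock in; at minimum a comment like `# parent is not validated against the community — see articles.rb` would flag it. It also grants access via `community.add_member` while the two tests above use `give_permission(..., 'post_content', ...)`; using one mechanism throughout makes the permission actually under test explicit.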