From 03e5175fd16045773b33dde4c12e846a35a6e1fa Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Fri, 26 Dec 2014 15:56:22 -0300
Subject: [PATCH] api: check permission to create articles
---
 lib/api/entities.rb | 1 +
 lib/api/v1/articles.rb | 2 ++
 test/unit/api_test.rb | 28 ++++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 0 deletions(-)
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index a5df120..8562f2c 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -53,6 +53,7 @@ module API
 expose :author, :using => Profile
 expose :profile, :using => Profile
 expose :categories, :using => Category
+ expose :parent, :using => Article
 end
 
 class Comment < Grape::Entity
diff --git a/lib/api/v1/articles.rb b/lib/api/v1/articles.rb
index c28dadc..686f78e 100644
--- a/lib/api/v1/articles.rb
+++ b/lib/api/v1/articles.rb
@@ -63,6 +63,8 @@ module API
 # POST api/v1/communites/:community_id/articles?private_toke=234298743290432&article[name]=title&article[body]=body
 post do
 community = environment.communities.find(params[:community_id])
+ return forbidden! unless current_user.person.can_post_content?(community)
+
 klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
 article = klass_type.constantize.new(params[:article])
 article.last_changed_by = current_person
diff --git a/test/unit/api_test.rb b/test/unit/api_test.rb
index 3d31703..bf4363a 100644
--- a/test/unit/api_test.rb
+++ b/test/unit/api_test.rb
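Review bot: `expose :parent, :using => Article` makes the Article entity self-referential, so every serialized article now carries its whole ancestor chain, and each ancestor in turn renders author, profile and categories with no depth bound. The only consumer visible in this commit reads `json["article"]["parent"]["id"]`, so a narrower representation would do, e.g. `expose :parent_id` or a small entity that exposes just the parent's id. Whether a parent the requester may not view is rendered this way too cannot be judged from the hunk; the enclosing entity class starts outside it.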
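Review bot: The added permission check covers the target community only; `params[:article]` is still mass-assigned two lines below, so a `parent_id` naming an article outside that community (or one the requester cannot post under) is accepted — the 'create article with parent' test in this commit's test/unit/api_test.rb hunk even uses a parent from `fast_create(Article)` that is never attached to the community. Resolve the parent among the community's own articles before building the article and answer 404 otherwise, and bring `params[:content_type]` under the same guard, since the existing `constantize` line below still instantiates whatever class name the client sends. If this route can be reached unauthenticated, `current_user.person` raises instead of returning 401 — confirm an authentication guard runs ahead of this block. The `post do` block continues outside the hunk.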
@@ -193,4 +193,32 @@ class APITest < ActiveSupport::TestCase
 assert_not_includes json['articles'].map {|a| a['id']}, child.id
 end
 
+ should 'create article in a community' do
+ community = fast_create(Community)
+ give_permission(user.person, 'post_content', community)
+ params[:article] = {:name => "Title"}
+ post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal "Title", json["article"]["title"]
+ end
+
+ should 'do not create article if user has no permission to post content' do
+ community = fast_create(Community)
+ give_permission(user.person, 'invite_members', community)
+ params[:article] = {:name => "Title"}
+ post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+ assert_equal 403, last_response.status
+ end
+
+ should 'create article with parent' do
+ community = fast_create(Community)
+ community.add_member(user.person)
+ article = fast_create(Article)
+
+ params[:article] = {:name => "Title", :parent_id => article.id}
+ post "/api/v1/communities/#{community.id}/articles?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal article.id, json["article"]["parent"]["id"]
+ end
+
 end
--
libgit2 0.21.2