diff --git a/app/api/entities.rb b/app/api/entities.rb
index d5c4276..72946e6 100644
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -121,6 +121,10 @@ module Api
 expose :type
 expose :custom_header
 expose :custom_footer
+ expose :permissions do |profile, options|
+ Entities.permissions_for_entity(profile, options[:current_person],
+ :allow_post_content?, :allow_edit?, :allow_destroy?)
+ end
 end
 class UserBasic < Entity
diff --git a/app/api/v1/profiles.rb b/app/api/v1/profiles.rb
index 6c84a99..42a69b4 100644
--- a/app/api/v1/profiles.rb
+++ b/app/api/v1/profiles.rb
@@ -27,7 +27,7 @@ module Api
 post ':id' do
 authenticate!
 profile = environment.profiles.find_by(id: params[:id])
- return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+ return forbidden! unless profile.allow_edit?(current_person)
 profile.update_attributes!(params[:profile])
 present profile, :with => Entities::Profile, :current_person => current_person
 end
@@ -39,7 +39,7 @@ module Api
 not_found! if profile.blank?
- if current_person.has_permission?(:destroy_profile, profile)
+ if profile.allow_destroy?(current_person)
 profile.destroy
 else
 forbidden!
diff --git a/app/models/article.rb b/app/models/article.rb
index 4608805..e5898f2 100644
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -567,7 +567,7 @@ class Article < ApplicationRecord
 def allow_post_content?(user = nil)
 return true if allow_edit_topic?(user)
- user && (user.has_permission?('post_content', profile) || allow_publish_content?(user) && (user == author))
+ user && (profile.allow_post_content?(user) || allow_publish_content?(user) && (user == author))
 end
 def allow_publish_content?(user = nil)
diff --git a/app/models/profile.rb b/app/models/profile.rb
index b0f75db..1d9f516 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
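Review bot: The new `expose :permissions` block evaluates the three checks against `options[:current_person]`, so a presenter that omits that option hands a nil person to `Entities.permissions_for_entity` and the response silently lists fewer permissions instead of failing; the `post ':id'` endpoint in this commit passes it, but the GET endpoint the new API test depends on is not in the diff and should be checked as well. `permissions_for_entity` is not shown, so the exact shape of the exposed value cannot be confirmed here; a one-line comment above the block, `# allow_* checks the requesting person passes on this profile; presenters must pass :current_person`, would make the contract explicit. The enclosing `Profile` entity class starts outside the hunk.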
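Review bot: The added `profile.allow_edit?(current_person)` dereferences `profile` straight after `find_by`, so an unknown `:id` now raises NoMethodError on nil (a 500) instead of a 403 or 404; the delete endpoint in the next hunk guards with `not_found! if profile.blank?` before its permission check, and the same line belongs here ahead of the `forbidden!` check. Whether the old `has_permission?(:edit_profile, nil)` call tolerated a nil target is not visible in the diff, so this may or may not be a regression, but the new line certainly does not.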
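Review bot: The replaced expression in `Article#allow_post_content?` mixes `||` and `&&` without grouping, so a reader has to recall that `&&` binds tighter; writing it as `user && (profile.allow_post_content?(user) || (allow_publish_content?(user) && user == author))` keeps the same evaluation and makes it explicit. Note also that the new `Profile#allow_post_content?` requires `user.kind_of?(Profile)`, so a truthy non-Profile `user` that previously only needed to respond to `has_permission?` now falls through to the author branch — presumably intended, but worth stating in the commit message. The method body is shown in full; the enclosing class continues outside the hunk.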
@@ -1137,4 +1137,15 @@ private :generate_url, :url_options
 false
 end
+ def allow_post_content?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('post_content', self)
+ end
+
+ def allow_edit?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('edit_profile', self)
+ end
+
+ def allow_destroy?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('destroy_profile', self)
+ end
 end
diff --git a/test/api/profiles_test.rb b/test/api/profiles_test.rb
index fae94f5..57ed552 100644
--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -191,4 +191,13 @@ class ProfilesTest < ActiveSupport::TestCase
 post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
 assert_equal 403, last_response.status
 end
+
+ should 'list profile permissions when get an article' do
+ login_api
+ profile = fast_create(Profile)
+ give_permission(person, 'post_content', profile)
+ get "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_includes json["permissions"], 'allow_post_content'
+ end
 end
diff --git a/test/unit/profile_test.rb b/test/unit/profile_test.rb
index 0268d1a..8c5dc07 100644
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
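Review bot: The three added predicates repeat the same `kind_of?(Profile) && has_permission?(…, self)` line with only the permission name changing, so the nil/type guard that protects the authorization decision lives in three places; a private helper taking the permission name keeps one guard, and `private :permission_granted?` follows the `private :generate_url, :url_options` form this file already uses. The guard also admits any Profile (communities, enterprises and the like), not only a Person; if permission holders are always people, `Person` is the narrower check — the unit tests only pass a Person or nil, so that intent is inferred rather than visible. None of the three carries a comment; the helper's comment below states the shared contract.
```ruby
  def allow_post_content?(person = nil)
    permission_granted?(person, 'post_content')
  end

  def allow_edit?(person = nil)
    permission_granted?(person, 'edit_profile')
  end

  def allow_destroy?(person = nil)
    permission_granted?(person, 'destroy_profile')
  end

  # True only when +person+ is a Profile that holds +permission+ on this
  # profile; nil and non-Profile values are rejected before any lookup.
  def permission_granted?(person, permission)
    person.is_a?(Profile) && person.has_permission?(permission, self)
  end
  private :permission_granted?
```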
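Review bot: The new test's description says 'when get an article' but it fetches a profile (`get "/api/v1/profiles/…"`), so `should 'list profile permissions when get a profile' do` describes what it exercises. It also checks only that `allow_post_content` is present after granting `post_content`; asserting that the permissions not granted are absent, `assert_not_includes json["permissions"], 'allow_edit'` and likewise for `'allow_destroy'`, would catch an entity that over-reports what the caller may do. The test class starts outside the hunk.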
@@ -2204,4 +2204,24 @@ class ProfileTest < ActiveSupport::TestCase
 assert_not_includes profiles, p3
 assert_not_includes profiles, p4
 end
+
+ ['post_content', 'edit_profile', 'destroy_profile'].each do |permission|
+ should "return true in #{permission} when user has this permission" do
+ profile = fast_create(Profile)
+ person = fast_create(Person)
+ give_permission(person, permission, profile)
+ assert profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+ end
+
+ should "return false in #{permission} when user doesn't have this permission" do
+ profile = fast_create(Profile)
+ person = fast_create(Person)
+ assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+ end
+
+ should "return false in #{permission} when user is nil" do
+ profile = fast_create(Profile)
+ assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", nil)
+ end
+ end
 end
-- libgit2 0.21.2
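Review bot: The added loop derives each predicate name with `permission.gsub(/_profile/,'')` and `send`, which hides the mapping between a permission and the method under test; a literal table, `{ 'post_content' => :allow_post_content?, 'edit_profile' => :allow_edit?, 'destroy_profile' => :allow_destroy? }.each do |permission, predicate|` with `profile.public_send(predicate, person)`, states it directly and cannot drift to a wrong method if a permission is renamed. `assert !…` reads better as `assert_not …`, the form this file already uses via `assert_not_includes`. No case passes a truthy non-Profile argument, which is the branch the `kind_of?(Profile)` guard exists for, nor a Profile that is not a Person. The test class starts outside the hunk.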