From 4ab09e4f4dcca1aa6d1ef86cee44724de07d664e Mon Sep 17 00:00:00 2001
From: Leandro Nunes dos Santos
Date: Wed, 20 Jul 2016 11:01:10 -0300
Subject: [PATCH] should task endpoints be accessed only by logged users
---
 app/api/v1/tasks.rb | 4 +---
 test/api/task_test.rb | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 3 deletions(-)
diff --git a/app/api/v1/tasks.rb b/app/api/v1/tasks.rb
index ea4ca40..1844154 100644
--- a/app/api/v1/tasks.rb
+++ b/app/api/v1/tasks.rb
@@ -1,9 +1,7 @@ module Api module V1 class Tasks < Grape::API -# before { authenticate! } - -# ARTICLE_TYPES = Article.descendants.map{|a| a.to_s} + before { authenticate! } resource :tasks do
diff --git a/test/api/task_test.rb b/test/api/task_test.rb
index 9541fea..2c28542 100644
--- a/test/api/task_test.rb
+++ b/test/api/task_test.rb
@@ -19,6 +19,15 @@ class TasksTest < ActiveSupport::TestCase assert_includes json["tasks"].map { |a| a["id"] }, task.id end + should 'not list tasks of environment for unlogged users' do + logout_api + environment.add_admin(person) + task = create(Task, :requestor => person, :target => environment) + get "/api/v1/tasks?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'return environment task by id' do environment.add_admin(person) task = create(Task, :requestor => person, :target => environment) 
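Review bot: `before { authenticate! }` at class level guards only the routes declared inside `Api::V1::Tasks`, yet the new tests in test/api/task_test.rb also expect 401 from `/communities/:id/tasks`, `/people/:id/tasks` and `/enterprises/:id/tasks`; the hunk shows only `resource :tasks do` and the class body continues past it, so if those nested routes are declared in other API classes they need the same hook there. The guard would also read better with a one-line why-comment above it, e.g. `# every task endpoint requires a logged-in user (401 otherwise, see test/api/task_test.rb)`. Removing the commented-out `before` and `ARTICLE_TYPES` lines instead of leaving dead code is the right call.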
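Review bot: `json = JSON.parse(last_response.body)` in the new 'not list tasks of environment for unlogged users' test is assigned and never read, and the same unused local is repeated in the other seven unlogged-user tests this patch adds to test/api/task_test.rb. Either drop that line or put it to work with an assertion that the 401 response carries no task data, `assert_nil json["tasks"]` here and `assert_nil json["task"]` in the single-task tests, so a handler that sets the status but still serializes the record would fail the test. `environment.add_admin(person)` after `logout_api` is setup the assertion never depends on, though it does keep the test parallel to the logged-in case above it.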
@@ -27,6 +36,15 @@ class TasksTest < ActiveSupport::TestCase assert_equal task.id, json["task"]["id"] end + should 'not return environment task by id for unlogged users' do + logout_api + environment.add_admin(person) + task = create(Task, :requestor => person, :target => environment) + get "/api/v1/tasks/#{task.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'not return environmet task if user has no permission to view it' do person = fast_create(Person) task = create(Task, :requestor => person, :target => environment)
@@ -51,6 +69,19 @@ class TasksTest < ActiveSupport::TestCase assert_equal task.id, json["task"]["id"] end + should 'not return task by community for unlogged users' do + logout_api + community = fast_create(Community) + community.add_admin(person) + + task = create(Task, :requestor => person, :target => community) + assert person.is_member_of?(community) + + get "/api/v1/communities/#{community.id}/tasks/#{task.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'not return task by community if user has no permission to view it' do community = fast_create(Community) task = create(Task, :requestor => person, :target => community)
@@ -68,6 +99,15 @@ class TasksTest < ActiveSupport::TestCase assert_not_nil json["task"]["id"] end + should 'not create task in a community for unlogged users' do + logout_api + community = fast_create(Community) + give_permission(person, 'perform_task', community) + post "/api/v1/communities/#{community.id}/tasks?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'create task defining the requestor as current profile logged in' do community = fast_create(Community) community.add_member(person) 
@@ -99,6 +139,14 @@ class TasksTest < ActiveSupport::TestCase assert_equal task.id, json["task"]["id"] end + should 'not return task by person for unlogged users' do + logout_api + task = create(Task, :requestor => person, :target => person) + get "/api/v1/people/#{person.id}/tasks/#{task.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'not return task by person if user has no permission to view it' do some_person = fast_create(Person) task = create(Task, :requestor => person, :target => some_person)
@@ -113,6 +161,13 @@ class TasksTest < ActiveSupport::TestCase assert_not_nil json["task"]["id"] end + should 'not create task in person for unlogged users' do + logout_api + post "/api/v1/people/#{person.id}/tasks?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'create task for another person' do some_person = fast_create(Person) post "/api/v1/people/#{some_person.id}/tasks?#{params.to_query}"
@@ -144,6 +199,19 @@ class TasksTest < ActiveSupport::TestCase assert_equal task.id, json["task"]["id"] end + should 'not return task by enterprise for unlogged users' do + logout_api + enterprise = fast_create(Enterprise) + enterprise.add_admin(person) + + task = create(Task, :requestor => person, :target => enterprise) + assert person.is_member_of?(enterprise) + + get "/api/v1/enterprises/#{enterprise.id}/tasks/#{task.id}?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'not return task by enterprise if user has no permission to view it' do enterprise = fast_create(Enterprise) task = create(Task, :requestor => person, :target => enterprise) 
@@ -161,6 +229,15 @@ class TasksTest < ActiveSupport::TestCase assert_not_nil json["task"]["id"] end + should 'not create task in a enterprise for unlogged users' do + logout_api + enterprise = fast_create(Enterprise) + give_permission(person, 'perform_task', enterprise) + post "/api/v1/enterprises/#{enterprise.id}/tasks?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 401, last_response.status + end + should 'create task defining the target as the enterprise' do enterprise = fast_create(Enterprise) enterprise.add_member(person)
@@ -170,4 +247,5 @@ class TasksTest < ActiveSupport::TestCase assert_equal enterprise, Task.last.target end + end -- libgit2 0.21.2