Commit 4ab09e4f4dcca1aa6d1ef86cee44724de07d664e

Authored by Leandro Santos
1 parent 56cc28dc
Exists in fix_sign_up_form

should task endpoints be accessed only by logged users

Showing 2 changed files with 79 additions and 3 deletions
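--- a/app/api/v1/tasks.rb
+++ b/app/api/v1/tasks.rb
@@ -1,9 +1,7 @@
 module Api
 module V1
 class Tasks < Grape::API
-# before { authenticate! }
-
-# ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+before { authenticate! }
 
 resource :tasks do
 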
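Review bot: The class-level `before { authenticate! }` on new line 4 is the right place for the gate — it runs before any task lookup, so an unauthenticated caller gets 401 without learning whether a given task id exists — but it only covers endpoints declared inside this `Tasks` class, and the nested `/communities/:id/tasks`, `/people/:id/tasks` and `/enterprises/:id/tasks` routes exercised by the new tests are not visible in this hunk (the `resource :tasks` block runs past it), so that coverage is inferred rather than shown. It also does not replace the per-endpoint permission checks that the existing "no permission to view it" tests rely on, and nothing in the hunk shows where `authenticate!` is defined for this API's helpers. A short comment above the hook would make the contract durable for the next maintainer: `# Every task endpoint requires a logged-in user; per-task authorization is still enforced inside each endpoint.`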
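--- a/test/api/task_test.rb
+++ b/test/api/task_test.rb
@@ -19,6 +19,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_includes json["tasks"].map { |a| a["id"] }, task.id
 end
 
+should 'not list tasks of environment for unlogged users' do
+logout_api
+environment.add_admin(person)
+task = create(Task, :requestor => person, :target => environment)
+get "/api/v1/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'return environment task by id' do
 environment.add_admin(person)
 task = create(Task, :requestor => person, :target => environment)
@@ -27,6 +36,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return environment task by id for unlogged users' do
+logout_api
+environment.add_admin(person)
+task = create(Task, :requestor => person, :target => environment)
+get "/api/v1/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return environmet task if user has no permission to view it' do
 person = fast_create(Person)
 task = create(Task, :requestor => person, :target => environment)
@@ -51,6 +69,19 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by community for unlogged users' do
+logout_api
+community = fast_create(Community)
+community.add_admin(person)
+
+task = create(Task, :requestor => person, :target => community)
+assert person.is_member_of?(community)
+
+get "/api/v1/communities/#{community.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by community if user has no permission to view it' do
 community = fast_create(Community)
 task = create(Task, :requestor => person, :target => community)
@@ -68,6 +99,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in a community for unlogged users' do
+logout_api
+community = fast_create(Community)
+give_permission(person, 'perform_task', community)
+post "/api/v1/communities/#{community.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task defining the requestor as current profile logged in' do
 community = fast_create(Community)
 community.add_member(person)
@@ -99,6 +139,14 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by person for unlogged users' do
+logout_api
+task = create(Task, :requestor => person, :target => person)
+get "/api/v1/people/#{person.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by person if user has no permission to view it' do
 some_person = fast_create(Person)
 task = create(Task, :requestor => person, :target => some_person)
@@ -113,6 +161,13 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in person for unlogged users' do
+logout_api
+post "/api/v1/people/#{person.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task for another person' do
 some_person = fast_create(Person)
 post "/api/v1/people/#{some_person.id}/tasks?#{params.to_query}"
@@ -144,6 +199,19 @@ class TasksTest < ActiveSupport::TestCase
 assert_equal task.id, json["task"]["id"]
 end
 
+should 'not return task by enterprise for unlogged users' do
+logout_api
+enterprise = fast_create(Enterprise)
+enterprise.add_admin(person)
+
+task = create(Task, :requestor => person, :target => enterprise)
+assert person.is_member_of?(enterprise)
+
+get "/api/v1/enterprises/#{enterprise.id}/tasks/#{task.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'not return task by enterprise if user has no permission to view it' do
 enterprise = fast_create(Enterprise)
 task = create(Task, :requestor => person, :target => enterprise)
@@ -161,6 +229,15 @@ class TasksTest < ActiveSupport::TestCase
 assert_not_nil json["task"]["id"]
 end
 
+should 'not create task in a enterprise for unlogged users' do
+logout_api
+enterprise = fast_create(Enterprise)
+give_permission(person, 'perform_task', enterprise)
+post "/api/v1/enterprises/#{enterprise.id}/tasks?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 401, last_response.status
+end
+
 should 'create task defining the target as the enterprise' do
 enterprise = fast_create(Enterprise)
 enterprise.add_member(person)
@@ -170,4 +247,5 @@ class TasksTest < ActiveSupport::TestCase
 
 assert_equal enterprise, Task.last.target
 end
+
 end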
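Review bot: The three "not create task … for unlogged users" tests (the community, person and enterprise POST cases) only assert a 401 status and never check that no Task row was written, so a regression in which the hook fires after the create, or an endpoint that creates and then rejects, would still pass; wrapping each request as `assert_no_difference('Task.count') { post "/api/v1/communities/#{community.id}/tasks?#{params.to_query}" }` pins the security property the commit is actually about. Every new test also assigns `json = JSON.parse(last_response.body)` and never reads it, which means a non-JSON 401 body would make the test fail on a parse error before the status assertion is reached — assert the status first and drop the unused parse, or assert on the body's error payload if the API guarantees one. The enclosing `TasksTest` class opens before the first hunk; the `logout_api`, `params` and `person` helpers it relies on are not visible here.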