diff --git a/lib/noosfero/api/v1/enterprises.rb b/lib/noosfero/api/v1/enterprises.rb
index d662505..5085853 100644
--- a/lib/noosfero/api/v1/enterprises.rb
+++ b/lib/noosfero/api/v1/enterprises.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Enterprises < Grape::API
- before { authenticate! }
 resource :enterprises do
diff --git a/lib/noosfero/api/v1/users.rb b/lib/noosfero/api/v1/users.rb
index f494d5d..56a3912 100644
--- a/lib/noosfero/api/v1/users.rb
+++ b/lib/noosfero/api/v1/users.rb
@@ -2,7 +2,6 @@ module Noosfero
 module API
 module V1
 class Users < Grape::API
- before { authenticate! }
 resource :users do
@@ -13,6 +12,7 @@ module Noosfero
 end
 get "/me" do
+ authenticate!
 present current_user, :with => Entities::User, :current_person => current_person
 end
@@ -25,6 +25,7 @@ module Noosfero
 end
 get ":id/permissions" do
+ authenticate!
 user = environment.users.find(params[:id])
 output = {}
 user.person.role_assignments.map do |role_assigment|
diff --git a/test/api/communities_test.rb b/test/api/communities_test.rb
index c6e28a3..5269522 100644
--- a/test/api/communities_test.rb
+++ b/test/api/communities_test.rb
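Review bot: Removing `before { authenticate! }` from `Enterprises` leaves that class with no authentication guard at all, and no route in the hunk gains a per-route `authenticate!` in its place; the same removal is made in the first `Users` hunk, where only `/me` and `:id/permissions` are re-guarded further down. The list and `:id` routes of both resources therefore become anonymous, and any route in these files that mutates or exposes non-public data but is not visible here inherits that too, so every route in both `resource` blocks should be audited for an explicit `authenticate!`. A one-line comment at each class head would record the new contract: `# No class-level authenticate!: read routes are public; call authenticate! per route where a session is required.` Both `resource` blocks continue outside the hunks.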
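Review bot: `authenticate!` on `:id/permissions` only establishes that a session exists; the route then looks up `environment.users.find(params[:id])` and enumerates that user's `role_assignments` without comparing the target to `current_user` or checking an admin role, so any logged-in account can read another account's permission map. If that is intended it deserves a comment right after the lookup, e.g. `# Any authenticated user may read any user's role assignments — confirm this is intended.`; otherwise the request should be rejected with the API's existing forbidden/unauthorized helper when `user` is neither the caller nor being read by an admin. The block parameter `role_assigment` is also misspelled (`role_assignment`). The route body continues past the hunk.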
@@ -283,4 +283,30 @@ class CommunitiesTest < ActiveSupport::TestCase
 assert_not_includes json["communities"].map { |a| a["id"] }, community2.id
 end
+ should 'display public custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+ some_community = fast_create(Community)
+ some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+ some_community.save!
+
+ get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert json['community']['additional_data'].has_key?('Rating')
+ assert_equal "Five stars", json['community']['additional_data']['Rating']
+ end
+
+ should 'not display private custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Community", :active => true, :environment => Environment.default)
+ some_community = fast_create(Community)
+ some_community.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+ some_community.save!
+
+ get "/api/v1/communities/#{some_community.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ refute json['community']['additional_data'].has_key?('Rating')
+ end
+
+
 end
diff --git a/test/api/enterprises_test.rb b/test/api/enterprises_test.rb
index 681d3ae..2dcd13e 100644
--- a/test/api/enterprises_test.rb
+++ b/test/api/enterprises_test.rb
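Review bot: The two new tests share five identical setup lines (the `CustomField.create!` call, `fast_create(Community)`, the `custom_values` hash and `save!`) differing only in the `"public"` value, which is the kind of duplication a small private helper taking `public:` as a keyword argument would remove; the same pattern is repeated in the enterprises and profiles test files. The hunk also leaves two added blank lines before the class `end` where one is the file's convention. Minor: `key?` is the idiomatic spelling of `has_key?`, e.g. `refute json['community']['additional_data'].key?('Rating')`.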
@@ -107,4 +107,29 @@ class EnterprisesTest < ActiveSupport::TestCase
 assert_equivalent [c1.id], json['enterprises'].map {|c| c['id']}
 end
+ should 'display public custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+ some_enterprise = fast_create(Enterprise)
+ some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+ some_enterprise.save!
+
+ get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert json['enterprise']['additional_data'].has_key?('Rating')
+ assert_equal "Five stars", json['enterprise']['additional_data']['Rating']
+ end
+
+ should 'not display public custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
+ some_enterprise = fast_create(Enterprise)
+ some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+ some_enterprise.save!
+
+ get "/api/v1/enterprises/#{some_enterprise.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ refute json['enterprise']['additional_data'].has_key?('Rating')
+ end
+
 end
diff --git a/test/api/people_test.rb b/test/api/people_test.rb
index 41a53bb..cb70e23 100644
--- a/test/api/people_test.rb
+++ b/test/api/people_test.rb
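Review bot: The second test is described as `should 'not display public custom fields to anonymous'`, but its setup stores the field with `"public" => "false"` and the assertion checks that the value is withheld, so the description contradicts the scenario and diverges from the parallel tests in communities_test.rb and profiles_test.rb. Rename it `should 'not display private custom fields to anonymous' do`. As in the communities hunk, the two tests repeat the same five setup lines and could share a helper parameterised on the `public` flag.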
@@ -348,6 +348,17 @@ class PeopleTest < ActiveSupport::TestCase
 assert_equal json['person']['additional_data'], {}
 end
+ should 'hide private fields to anonymous' do
+ anonymous_setup
+ target_person = create_user('some-user').person
+ target_person.save!
+
+ get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ refute json["user"].has_key?("permissions")
+ refute json["user"].has_key?("activated")
+ end
+
 should 'display non-public custom fields to friend' do
 login_api
 CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
diff --git a/test/api/profiles_test.rb b/test/api/profiles_test.rb
index 8cbcb96..95d16ba 100644
--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
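Review bot: `should 'hide private fields to anonymous'` is added to `PeopleTest` yet requests `/api/v1/users/...` and asserts on `json["user"]`, and a test with the same name and body is added to users_test.rb in this same commit, so this copy exercises the users endpoint from the wrong file and will fail or pass in lockstep with that one. Drop it here, or if a person-level guarantee is wanted, point it at the people route and assert on the `person` payload that the surrounding tests use. The `target_person.save!` right after `create_user(...).person` appears to be a no-op, since nothing is changed between creation and save.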
@@ -103,4 +103,30 @@ class ProfilesTest < ActiveSupport::TestCase
 assert_equal community.id, json['id']
 end
+ should 'display public custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+ some_profile = fast_create(Profile)
+ some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
+ some_profile.save!
+
+ get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert json['additional_data'].has_key?('Rating')
+ assert_equal "Five stars", json['additional_data']['Rating']
+ end
+
+ should 'not display private custom fields to anonymous' do
+ anonymous_setup
+ CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Profile", :active => true, :environment => Environment.default)
+ some_profile = fast_create(Profile)
+ some_profile.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }
+ some_profile.save!
+
+ get "/api/v1/profiles/#{some_profile.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ refute json.has_key?('Rating')
+ end
+
+
 end
diff --git a/test/api/users_test.rb b/test/api/users_test.rb
index 434bc5d..010eda9 100644
--- a/test/api/users_test.rb
+++ b/test/api/users_test.rb
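Review bot: The negative test's `refute json.has_key?('Rating')` inspects the top level of the response, while the positive test a few lines above reads the value from `json['additional_data']['Rating']`; a top-level `Rating` key never exists, so this refute passes even when the private field is leaked and the test proves nothing. Change it to `refute json['additional_data'].has_key?('Rating')`, mirroring the communities and enterprises tests in this commit. The hunk also leaves two added blank lines before the class `end`.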
@@ -3,23 +3,22 @@ require_relative 'test_helper'
 class UsersTest < ActiveSupport::TestCase
- def setup
+ should 'logger user list users' do
 login_api
- end
-
- should 'list users' do
 get "/api/v1/users/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_includes json["users"].map { |a| a["login"] }, user.login
 end
- should 'get user' do
+ should 'logger user get user info' do
+ login_api
 get "/api/v1/users/#{user.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
- should 'list user permissions' do
+ should 'logger user list user permissions' do
+ login_api
 community = fast_create(Community)
 community.add_admin(person)
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
@@ -28,25 +27,29 @@ class UsersTest < ActiveSupport::TestCase
 end
 should 'get logged user' do
+ login_api
 get "/api/v1/users/me?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert_equal user.id, json['user']['id']
 end
 should 'not show permissions to logged user' do
+ login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 refute json["user"].has_key?("permissions")
 end
- should 'show permissions to self' do
+ should 'logger user show permissions to self' do
+ login_api
 get "/api/v1/users/#{user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert json["user"].has_key?("permissions")
 end
 should 'not show permissions to friend' do
+ login_api
 target_person = create_user('some-user').person
 f = Friendship.new
@@ -60,6 +63,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 should 'not show private attribute to logged user' do
+ login_api
 target_person = create_user('some-user').person
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
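Review bot: The renamed descriptions `should 'logger user list users'`, `'logger user get user info'`, `'logger user list user permissions'` and, in the second hunk, `'logger user show permissions to self'` read as a typo for "logged"; e.g. `should 'logged user lists users' do`. Deleting the `setup` that called `login_api` also flips the default for this whole file: any test that this commit does not touch with an explicit `login_api` now runs anonymously, so the tests outside these hunks need to be checked one by one. If most tests still need a session, keeping `setup` with `login_api` and calling `anonymous_setup` only in the two anonymous tests would be less repetitive, provided `anonymous_setup` can override a prior login, which the hunk does not show.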
@@ -67,6 +71,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 should 'show private attr to friend' do
+ login_api
 target_person = create_user('some-user').person
 f = Friendship.new
 f.friend = target_person
@@ -79,6 +84,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 should 'show public attribute to logged user' do
+ login_api
 target_person = create_user('some-user').person
 target_person.fields_privacy={:email=> 'public'}
 target_person.save!
@@ -89,6 +95,7 @@ class UsersTest < ActiveSupport::TestCase
 end
 should 'show public and private field to admin' do
+ login_api
 Environment.default.add_admin(person)
 target_person = create_user('some-user').person
@@ -102,4 +109,26 @@ class UsersTest < ActiveSupport::TestCase
 assert json["user"].has_key?("activated")
 end
+ should 'show public fields to anonymous' do
+ anonymous_setup
+ target_person = create_user('some-user').person
+ target_person.fields_privacy={:email=> 'public'}
+ target_person.save!
+
+ get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert json["user"].has_key?("email")
+ end
+
+ should 'hide private fields to anonymous' do
+ anonymous_setup
+ target_person = create_user('some-user').person
+ target_person.save!
+
+ get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ refute json["user"].has_key?("permissions")
+ refute json["user"].has_key?("activated")
+ end
+
 end
-- libgit2 0.21.2
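Review bot: `should 'hide private fields to anonymous'` in the last hunk asserts only that `permissions` and `activated` are absent, but neither of those is an attribute controlled by `fields_privacy`; the positive test just above has to opt `:email` into `'public'` explicitly, so the natural negative case — an attribute left at its default privacy being withheld from an anonymous caller — is never checked. If email is private by default, which the explicit opt-in suggests but the hunk does not prove, add `refute json["user"].has_key?("email")` to the hide test so the privacy filter itself is exercised for the anonymous path. This test is also duplicated verbatim in people_test.rb in the same commit; one copy should go.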