Commit 62abbce29210aaf457bb900ff59c931b324c8261
Exists in
send_email_to_admins
and in
5 other branches
Merge branch 'api_delete_profile' into 'master'
Adds delete endpoint to profiles API Adds delete endpoint do profiles API. The endpoint checks if the logged user has permission to do so, and returns forbidden otherwise. Returns 404 if target is not found. See merge request !860
Showing
2 changed files
with
61 additions
and
0 deletions
Show diff stats
lib/noosfero/api/v1/profiles.rb
| ... | ... | @@ -19,6 +19,19 @@ module Noosfero |
| 19 | 19 | profile = profiles.find_by id: params[:id] |
| 20 | 20 | present profile, :with => Entities::Profile, :current_person => current_person |
| 21 | 21 | end |
| 22 | + | |
| 23 | + delete ':id' do | |
| 24 | + profiles = environment.profiles | |
| 25 | + profile = profiles.find_by id: params[:id] | |
| 26 | + | |
| 27 | + not_found! if profile.blank? | |
| 28 | + | |
| 29 | + if current_person.has_permission?(:destroy_profile, profile) | |
| 30 | + profile.destroy | |
| 31 | + else | |
| 32 | + forbidden! | |
| 33 | + end | |
| 34 | + end | |
| 22 | 35 | end |
| 23 | 36 | end |
| 24 | 37 | end | ... | ... |
test/api/profiles_test.rb
| ... | ... | @@ -29,4 +29,52 @@ class ProfilesTest < ActiveSupport::TestCase |
| 29 | 29 | json = JSON.parse(last_response.body) |
| 30 | 30 | assert_equal community.id, json['id'] |
| 31 | 31 | end |
| 32 | + | |
| 33 | + group_kinds = %w(community enterprise) | |
| 34 | + group_kinds.each do |kind| | |
| 35 | + should "delete #{kind} from profile id with permission" do | |
| 36 | + profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id) | |
| 37 | + give_permission(@person, 'destroy_profile', profile) | |
| 38 | + assert_not_nil Profile.find_by_id profile.id | |
| 39 | + | |
| 40 | + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" | |
| 41 | + | |
| 42 | + assert_equal 200, last_response.status | |
| 43 | + assert_nil Profile.find_by_id profile.id | |
| 44 | + end | |
| 45 | + | |
| 46 | + should "not delete #{kind} from profile id without permission" do | |
| 47 | + profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id) | |
| 48 | + assert_not_nil Profile.find_by_id profile.id | |
| 49 | + | |
| 50 | + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" | |
| 51 | + | |
| 52 | + assert_equal 403, last_response.status | |
| 53 | + assert_not_nil Profile.find_by_id profile.id | |
| 54 | + end | |
| 55 | + end | |
| 56 | + | |
| 57 | + should 'person delete itself' do | |
| 58 | + delete "/api/v1/profiles/#{@person.id}?#{params.to_query}" | |
| 59 | + assert_equal 200, last_response.status | |
| 60 | + assert_nil Profile.find_by_id @person.id | |
| 61 | + end | |
| 62 | + | |
| 63 | + should 'only admin delete other people' do | |
| 64 | + profile = fast_create(Person, :environment_id => environment.id) | |
| 65 | + assert_not_nil Profile.find_by_id profile.id | |
| 66 | + | |
| 67 | + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" | |
| 68 | + | |
| 69 | + assert_equal 403, last_response.status | |
| 70 | + assert_not_nil Profile.find_by_id profile.id | |
| 71 | + | |
| 72 | + environment.add_admin(@person) | |
| 73 | + | |
| 74 | + delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" | |
| 75 | + | |
| 76 | + assert_equal 200, last_response.status | |
| 77 | + assert_nil Profile.find_by_id profile.id | |
| 78 | + | |
| 79 | + end | |
| 32 | 80 | end | ... | ... |