Commit 62abbce29210aaf457bb900ff59c931b324c8261

Authored by Joenio Costa
2 parents d2159684 06c36ffd

Merge branch 'api_delete_profile' into 'master'

Adds delete endpoint to profiles API

Adds delete endpoint to profiles API. The endpoint checks whether the logged-in user has permission to do so, and returns forbidden otherwise. Returns 404 if the target is not found.

See merge request !860
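--- a/lib/noosfero/api/v1/profiles.rb
+++ b/lib/noosfero/api/v1/profiles.rb
@@ -19,6 +19,19 @@ module Noosfero
 profile = profiles.find_by id: params[:id]
 present profile, :with => Entities::Profile, :current_person => current_person
 end
+
+delete ':id' do
+profiles = environment.profiles
+profile = profiles.find_by id: params[:id]
+
+not_found! if profile.blank?
+
+if current_person.has_permission?(:destroy_profile, profile)
+profile.destroy
+else
+forbidden!
+end
+end
 end
 end
 end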
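Review bot: The success branch returns the bare value of `profile.destroy`, so the response body is whatever Grape's default formatter makes of the raw record rather than the `Entities::Profile` view the neighbouring `get` uses — presumably the full attribute set, which is more than the entity exposes — and a destroy aborted by a callback still answers 200. Checking the result and presenting through the entity keeps both consistent: `profile.destroy or error!('Profile could not be destroyed', 500)` followed by `present profile, :with => Entities::Profile, :current_person => current_person`. Note also that `not_found!` runs before the permission check, so an unauthorized caller can distinguish an existing id from a missing one; that may be acceptable here since profiles are generally public, but it is worth a comment such as `# 404 before 403: profile existence is not treated as sensitive`. The `resource` block enclosing this endpoint starts outside the hunk.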
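--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -29,4 +29,52 @@ class ProfilesTest < ActiveSupport::TestCase
 json = JSON.parse(last_response.body)
 assert_equal community.id, json['id']
 end
+
+group_kinds = %w(community enterprise)
+group_kinds.each do |kind|
+should "delete #{kind} from profile id with permission" do
+profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+give_permission(@person, 'destroy_profile', profile)
+assert_not_nil Profile.find_by_id profile.id
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+
+assert_equal 200, last_response.status
+assert_nil Profile.find_by_id profile.id
+end
+
+should "not delete #{kind} from profile id without permission" do
+profile = fast_create(kind.camelcase.constantize, :environment_id => environment.id)
+assert_not_nil Profile.find_by_id profile.id
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+
+assert_equal 403, last_response.status
+assert_not_nil Profile.find_by_id profile.id
+end
+end
+
+should 'person delete itself' do
+delete "/api/v1/profiles/#{@person.id}?#{params.to_query}"
+assert_equal 200, last_response.status
+assert_nil Profile.find_by_id @person.id
+end
+
+should 'only admin delete other people' do
+profile = fast_create(Person, :environment_id => environment.id)
+assert_not_nil Profile.find_by_id profile.id
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+
+assert_equal 403, last_response.status
+assert_not_nil Profile.find_by_id profile.id
+
+environment.add_admin(@person)
+
+delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+
+assert_equal 200, last_response.status
+assert_nil Profile.find_by_id profile.id
+
+end
 end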
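Review bot: The 404 branch the merge description promises (`not_found!` for a missing profile) has no test here; the new cases only cover 200 and 403. A short case next to `should 'person delete itself'` would pin it: `should 'return 404 when the profile does not exist' do`, `delete "/api/v1/profiles/0?#{params.to_query}"; assert_equal 404, last_response.status`, `end` (assuming no profile with id 0 exists in the fixture environment — verify). The 'only admin delete other people' case also ends with a stray blank line before its `end`. The enclosing `ProfilesTest` class starts outside the hunk.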