added tests for anonymous

Evandro Junior · Leandro Santos
1 parent b03d485a
Showing 2 changed files with 118 additions and 13 deletions Show diff stats
lib/noosfero/api/v1/people.rb
test/api/people_test.rb
@@ -2,7 +2,6 @@ module Noosfero
   module API
     module V1
       class People < Grape::API
-        before { authenticate! }
  
         MAX_PER_PAGE = 50
  
@@ -41,6 +40,7 @@ module Noosfero
  
           desc "Return the logged user information"
           get "/me" do
+            authenticate!
             present_partial current_person, :with => Entities::Person, :current_person => current_person
           end
  
@@ -53,6 +53,7 @@ module Noosfero
  
           desc "Update person information"
           post ':id' do
+            authenticate!
             return forbidden! if current_person.id.to_s != params[:id]
             current_person.update_attributes!(params[:person])
             present current_person, :with => Entities::Person, :current_person => current_person
@@ -63,6 +64,7 @@ module Noosfero
           #  for each custom field for person, add &person[field_name]=field_value to the request
           desc "Create person"
           post do
+            authenticate!
             user_data = {}
             user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
             user_data[:email] = params[:person].delete(:email)
@@ -95,6 +97,7 @@ module Noosfero
  
           desc "Return the person permissions on other profiles"
           get ":id/permissions" do
+            authenticate!
             person = environment.people.find(params[:id])
             return not_found! if person.blank?
             return forbidden! unless current_person == person || environment.admins.include?(current_person)
@@ -6,7 +6,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     Person.delete_all
   end
  
-  should 'list all people' do
+  should 'logged user list all people' do
     login_api
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
@@ -15,7 +15,16 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
   end
  
-  should 'list all members of a community' do
+  should 'anonymous list all people' do
+    anonymous_setup
+    person1 = fast_create(Person, :public_profile => true)
+    person2 = fast_create(Person)
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+  end
+
+  should 'logged user list all members of a community' do
     login_api
     person1 = fast_create(Person)
     person2 = fast_create(Person)
@@ -29,7 +38,21 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
   end
  
-  should 'not list invisible people' do
+  should 'anonymous list all members of a community' do
+    anonymous_setup
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+    community = fast_create(Community)
+    community.add_member(person1)
+    community.add_member(person2)
+
+    get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 2, json["people"].count
+    assert_equivalent [person1.id,person2.id], json["people"].map{|p| p["id"]}
+  end
+
+  should 'logged user not list invisible people' do
     login_api
     invisible_person = fast_create(Person, :visible => false)
  
@@ -37,7 +60,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_not_includes json_response_ids(:people), invisible_person.id
   end
  
-  should 'list private people' do
+  should 'annoymous not list invisible people' do
+    anonymous_setup
+    invisible_person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_not_includes json_response_ids(:people), invisible_person.id
+  end
+
+  should 'logged user list private people' do
     login_api
     private_person = fast_create(Person, :public_profile => false)
  
@@ -45,7 +76,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_includes json_response_ids(:people), private_person.id
   end
  
-  should 'list private person for friends' do
+  should 'anonymous list private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people?#{params.to_query}"
+    assert_includes json_response_ids(:people), private_person.id
+  end
+
+  should 'logged user list private person for friends' do
     login_api
     p1 = fast_create(Person)
     p2 = fast_create(Person, :public_profile => false)
@@ -56,7 +95,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_includes json_response_ids(:people), p2.id
   end
  
-  should 'get person' do
+  should 'logged user get person' do
     login_api
     some_person = fast_create(Person)
  
@@ -65,7 +104,17 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal some_person.id, json['person']['id']
   end
  
-  should 'people endpoint filter by fields parameter' do
+  should 'anonymous get person' do
+    anonymous_setup
+    some_person = fast_create(Person)
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['person']['id']
+  end
+
+
+  should 'people endpoint filter by fields parameter for logged user' do
     login_api
     get "/api/v1/people?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
@@ -73,7 +122,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal expected, json
   end
  
-  should 'people endpoint filter by fields parameter with hierarchy' do
+  should 'people endpoint filter by fields parameter with hierarchy for logged user' do
     login_api
     fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
     get "/api/v1/people?#{params.to_query}&fields=#{fields}"
@@ -89,7 +138,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal person.id, json['person']['id']
   end
  
-  should 'me endpoint filter by fields parameter' do
+  should 'access me endpoint filter by fields parameter' do
     login_api
     get "/api/v1/people/me?#{params.to_query}&fields=name"
     json = JSON.parse(last_response.body)
@@ -97,7 +146,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal expected, json
   end
  
-  should 'not get invisible person' do
+  should 'logged user not get invisible person' do
     login_api
     person = fast_create(Person, :visible => false)
  
@@ -106,6 +155,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert json['person'].blank?
   end
  
+  should 'anonymous not get invisible person' do
+    anonymous_setup
+    person = fast_create(Person, :visible => false)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person'].blank?
+  end
+
   should 'get private people' do
     login_api
     private_person = fast_create(Person, :public_profile => false)
@@ -115,6 +173,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal json['person']['id'], private_person.id
   end
  
+  should 'anonymous get private people' do
+    anonymous_setup
+    private_person = fast_create(Person, :public_profile => false)
+
+    get "/api/v1/people/#{private_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['id'], private_person.id
+  end
+
   should 'get private person for friends' do
     login_api
     private_person = fast_create(Person, :public_profile => false)
@@ -135,6 +202,16 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_includes json_response_ids(:people), person.id
   end
  
+  should 'anonymous list person friends' do
+    anonymous_setup
+    person = fast_create(Person)
+    friend = fast_create(Person)
+    person.add_friend(friend)
+    friend.add_friend(person)
+    get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
+    assert_includes json_response_ids(:people), person.id
+  end
+
   should 'not list person invisible friends' do
     login_api
     friend = fast_create(Person)
@@ -221,7 +298,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal another_name, person.name
   end
  
-  should 'display public custom fields' do
+  should 'logged user display public custom fields' do
     login_api
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
@@ -234,7 +311,7 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
  
-  should 'not display non-public custom fields' do
+  should 'logged user not display non-public custom fields' do
     login_api
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
     some_person = create_user('some-person').person
@@ -246,6 +323,31 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_equal json['person']['additional_data'], {}
   end
  
+  should 'display public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['person']['additional_data'].has_key?('Custom Blog')
+    assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
+  end
+
+  should 'not display non-public custom fields to anonymous' do
+    anonymous_setup
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
+    some_person = create_user('some-person').person
+    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    some_person.save!
+
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal json['person']['additional_data'], {}
+  end
+
   should 'display non-public custom fields to friend' do
     login_api
     CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
...	...	@@ -2,7 +2,6 @@ module Noosfero
2	2	module API
3	3	module V1
4	4	class People < Grape::API
5		- before { authenticate! }
6	5
7	6	MAX_PER_PAGE = 50
8	7
...	...	@@ -41,6 +40,7 @@ module Noosfero
41	40
42	41	desc "Return the logged user information"
43	42	get "/me" do
	43	+ authenticate!
44	44	present_partial current_person, :with => Entities::Person, :current_person => current_person
45	45	end
46	46
...	...	@@ -53,6 +53,7 @@ module Noosfero
53	53
54	54	desc "Update person information"
55	55	post ':id' do
	56	+ authenticate!
56	57	return forbidden! if current_person.id.to_s != params[:id]
57	58	current_person.update_attributes!(params[:person])
58	59	present current_person, :with => Entities::Person, :current_person => current_person
...	...	@@ -63,6 +64,7 @@ module Noosfero
63	64	# for each custom field for person, add &person[field_name]=field_value to the request
64	65	desc "Create person"
65	66	post do
	67	+ authenticate!
66	68	user_data = {}
67	69	user_data[:login] = params[:person].delete(:login) \|\| params[:person][:identifier]
68	70	user_data[:email] = params[:person].delete(:email)
...	...	@@ -95,6 +97,7 @@ module Noosfero
95	97
96	98	desc "Return the person permissions on other profiles"
97	99	get ":id/permissions" do
	100	+ authenticate!
98	101	person = environment.people.find(params[:id])
99	102	return not_found! if person.blank?
100	103	return forbidden! unless current_person == person \|\| environment.admins.include?(current_person)
...	...
...	...	@@ -6,7 +6,7 @@ class PeopleTest < ActiveSupport::TestCase
6	6	Person.delete_all
7	7	end
8	8
9		- should 'list all people' do
	9	+ should 'logged user list all people' do
10	10	login_api
11	11	person1 = fast_create(Person, :public_profile => true)
12	12	person2 = fast_create(Person)
...	...	@@ -15,7 +15,16 @@ class PeopleTest < ActiveSupport::TestCase
15	15	assert_equivalent [person1.id, person2.id, person.id], json['people'].map {\|c\| c['id']}
16	16	end
17	17
18		- should 'list all members of a community' do
	18	+ should 'anonymous list all people' do
	19	+ anonymous_setup
	20	+ person1 = fast_create(Person, :public_profile => true)
	21	+ person2 = fast_create(Person)
	22	+ get "/api/v1/people?#{params.to_query}"
	23	+ json = JSON.parse(last_response.body)
	24	+ assert_equivalent [person1.id, person2.id], json['people'].map {\|c\| c['id']}
	25	+ end
	26	+
	27	+ should 'logged user list all members of a community' do
19	28	login_api
20	29	person1 = fast_create(Person)
21	30	person2 = fast_create(Person)
...	...	@@ -29,7 +38,21 @@ class PeopleTest < ActiveSupport::TestCase
29	38	assert_equivalent [person1.id,person2.id], json["people"].map{\|p\| p["id"]}
30	39	end
31	40
32		- should 'not list invisible people' do
	41	+ should 'anonymous list all members of a community' do
	42	+ anonymous_setup
	43	+ person1 = fast_create(Person)
	44	+ person2 = fast_create(Person)
	45	+ community = fast_create(Community)
	46	+ community.add_member(person1)
	47	+ community.add_member(person2)
	48	+
	49	+ get "/api/v1/profiles/#{community.id}/members?#{params.to_query}"
	50	+ json = JSON.parse(last_response.body)
	51	+ assert_equal 2, json["people"].count
	52	+ assert_equivalent [person1.id,person2.id], json["people"].map{\|p\| p["id"]}
	53	+ end
	54	+
	55	+ should 'logged user not list invisible people' do
33	56	login_api
34	57	invisible_person = fast_create(Person, :visible => false)
35	58
...	...	@@ -37,7 +60,15 @@ class PeopleTest < ActiveSupport::TestCase
37	60	assert_not_includes json_response_ids(:people), invisible_person.id
38	61	end
39	62
40		- should 'list private people' do
	63	+ should 'annoymous not list invisible people' do
	64	+ anonymous_setup
	65	+ invisible_person = fast_create(Person, :visible => false)
	66	+
	67	+ get "/api/v1/people?#{params.to_query}"
	68	+ assert_not_includes json_response_ids(:people), invisible_person.id
	69	+ end
	70	+
	71	+ should 'logged user list private people' do
41	72	login_api
42	73	private_person = fast_create(Person, :public_profile => false)
43	74
...	...	@@ -45,7 +76,15 @@ class PeopleTest < ActiveSupport::TestCase
45	76	assert_includes json_response_ids(:people), private_person.id
46	77	end
47	78
48		- should 'list private person for friends' do
	79	+ should 'anonymous list private people' do
	80	+ anonymous_setup
	81	+ private_person = fast_create(Person, :public_profile => false)
	82	+
	83	+ get "/api/v1/people?#{params.to_query}"
	84	+ assert_includes json_response_ids(:people), private_person.id
	85	+ end
	86	+
	87	+ should 'logged user list private person for friends' do
49	88	login_api
50	89	p1 = fast_create(Person)
51	90	p2 = fast_create(Person, :public_profile => false)
...	...	@@ -56,7 +95,7 @@ class PeopleTest < ActiveSupport::TestCase
56	95	assert_includes json_response_ids(:people), p2.id
57	96	end
58	97
59		- should 'get person' do
	98	+ should 'logged user get person' do
60	99	login_api
61	100	some_person = fast_create(Person)
62	101
...	...	@@ -65,7 +104,17 @@ class PeopleTest < ActiveSupport::TestCase
65	104	assert_equal some_person.id, json['person']['id']
66	105	end
67	106
68		- should 'people endpoint filter by fields parameter' do
	107	+ should 'anonymous get person' do
	108	+ anonymous_setup
	109	+ some_person = fast_create(Person)
	110	+
	111	+ get "/api/v1/people/#{some_person.id}?#{params.to_query}"
	112	+ json = JSON.parse(last_response.body)
	113	+ assert_equal some_person.id, json['person']['id']
	114	+ end
	115	+
	116	+
	117	+ should 'people endpoint filter by fields parameter for logged user' do
69	118	login_api
70	119	get "/api/v1/people?#{params.to_query}&fields=name"
71	120	json = JSON.parse(last_response.body)
...	...	@@ -73,7 +122,7 @@ class PeopleTest < ActiveSupport::TestCase
73	122	assert_equal expected, json
74	123	end
75	124
76		- should 'people endpoint filter by fields parameter with hierarchy' do
	125	+ should 'people endpoint filter by fields parameter with hierarchy for logged user' do
77	126	login_api
78	127	fields = URI.encode({only: [:name, {user: [:login]}]}.to_json.to_str)
79	128	get "/api/v1/people?#{params.to_query}&fields=#{fields}"
...	...	@@ -89,7 +138,7 @@ class PeopleTest < ActiveSupport::TestCase
89	138	assert_equal person.id, json['person']['id']
90	139	end
91	140
92		- should 'me endpoint filter by fields parameter' do
	141	+ should 'access me endpoint filter by fields parameter' do
93	142	login_api
94	143	get "/api/v1/people/me?#{params.to_query}&fields=name"
95	144	json = JSON.parse(last_response.body)
...	...	@@ -97,7 +146,7 @@ class PeopleTest < ActiveSupport::TestCase
97	146	assert_equal expected, json
98	147	end
99	148
100		- should 'not get invisible person' do
	149	+ should 'logged user not get invisible person' do
101	150	login_api
102	151	person = fast_create(Person, :visible => false)
103	152
...	...	@@ -106,6 +155,15 @@ class PeopleTest < ActiveSupport::TestCase
106	155	assert json['person'].blank?
107	156	end
108	157
	158	+ should 'anonymous not get invisible person' do
	159	+ anonymous_setup
	160	+ person = fast_create(Person, :visible => false)
	161	+
	162	+ get "/api/v1/people/#{person.id}?#{params.to_query}"
	163	+ json = JSON.parse(last_response.body)
	164	+ assert json['person'].blank?
	165	+ end
	166	+
109	167	should 'get private people' do
110	168	login_api
111	169	private_person = fast_create(Person, :public_profile => false)
...	...	@@ -115,6 +173,15 @@ class PeopleTest < ActiveSupport::TestCase
115	173	assert_equal json['person']['id'], private_person.id
116	174	end
117	175
	176	+ should 'anonymous get private people' do
	177	+ anonymous_setup
	178	+ private_person = fast_create(Person, :public_profile => false)
	179	+
	180	+ get "/api/v1/people/#{private_person.id}?#{params.to_query}"
	181	+ json = JSON.parse(last_response.body)
	182	+ assert_equal json['person']['id'], private_person.id
	183	+ end
	184	+
118	185	should 'get private person for friends' do
119	186	login_api
120	187	private_person = fast_create(Person, :public_profile => false)
...	...	@@ -135,6 +202,16 @@ class PeopleTest < ActiveSupport::TestCase
135	202	assert_includes json_response_ids(:people), person.id
136	203	end
137	204
	205	+ should 'anonymous list person friends' do
	206	+ anonymous_setup
	207	+ person = fast_create(Person)
	208	+ friend = fast_create(Person)
	209	+ person.add_friend(friend)
	210	+ friend.add_friend(person)
	211	+ get "/api/v1/people/#{friend.id}/friends?#{params.to_query}"
	212	+ assert_includes json_response_ids(:people), person.id
	213	+ end
	214	+
138	215	should 'not list person invisible friends' do
139	216	login_api
140	217	friend = fast_create(Person)
...	...	@@ -221,7 +298,7 @@ class PeopleTest < ActiveSupport::TestCase
221	298	assert_equal another_name, person.name
222	299	end
223	300
224		- should 'display public custom fields' do
	301	+ should 'logged user display public custom fields' do
225	302	login_api
226	303	CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
227	304	some_person = create_user('some-person').person
...	...	@@ -234,7 +311,7 @@ class PeopleTest < ActiveSupport::TestCase
234	311	assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
235	312	end
236	313
237		- should 'not display non-public custom fields' do
	314	+ should 'logged user not display non-public custom fields' do
238	315	login_api
239	316	CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
240	317	some_person = create_user('some-person').person
...	...	@@ -246,6 +323,31 @@ class PeopleTest < ActiveSupport::TestCase
246	323	assert_equal json['person']['additional_data'], {}
247	324	end
248	325
	326	+ should 'display public custom fields to anonymous' do
	327	+ anonymous_setup
	328	+ CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
	329	+ some_person = create_user('some-person').person
	330	+ some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
	331	+ some_person.save!
	332	+
	333	+ get "/api/v1/people/#{some_person.id}?#{params.to_query}"
	334	+ json = JSON.parse(last_response.body)
	335	+ assert json['person']['additional_data'].has_key?('Custom Blog')
	336	+ assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
	337	+ end
	338	+
	339	+ should 'not display non-public custom fields to anonymous' do
	340	+ anonymous_setup
	341	+ CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
	342	+ some_person = create_user('some-person').person
	343	+ some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
	344	+ some_person.save!
	345	+
	346	+ get "/api/v1/people/#{some_person.id}?#{params.to_query}"
	347	+ json = JSON.parse(last_response.body)
	348	+ assert_equal json['person']['additional_data'], {}
	349	+ end
	350	+
249	351	should 'display non-public custom fields to friend' do
250	352	login_api
251	353	CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
...	...