Commit 719cdc4629b10fea615b2578c792a57a1d2acc80

Authored by Victor Costa
1 parent 8184feed

api: restrict access to block endpoint based on block visibility

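--- a/app/models/block.rb
+++ b/app/models/block.rb
@@ -76,6 +76,17 @@ class Block < ApplicationRecord
 true
 end
 
+def visible_to_user?(user)
+visible = self.display_to_user?(user)
+if self.owner.kind_of?(Profile)
+visible &= self.owner.display_info_to?(user)
+visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+elsif self.owner.kind_of?(Environment)
+visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+end
+visible
+end
+
 def display_to_user?(user)
 display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
 end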
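Review bot: `visible_to_user?` applies the `visible?` / design-permission rule only inside the `Profile` and `Environment` branches, so a block whose owner is neither class (if such owners exist in this codebase — I can't tell from the hunk) falls through with only `display_to_user?` enforced, and a block marked not visible would still be served by the API. Defaulting to deny is safer than skipping the check: add `else visible &= self.visible?` before the closing `end` of the `if` so an unrecognised owner still honours the block's own visibility flag. Separately, when `user` is nil the expression `self.visible? || user && …` evaluates to `nil`, so the predicate returns `nil` instead of `false`; finishing the method with `!!visible` keeps the boolean contract a `?` method implies. A one-line header comment would also help readers, e.g. `# true only when the display rule, the owner's privacy and the visible flag (or design permission) all allow this user`.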
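--- a/lib/noosfero/api/v1/blocks.rb
+++ b/lib/noosfero/api/v1/blocks.rb
@@ -6,9 +6,7 @@ module Noosfero
 resource :blocks do
 get ':id' do
 block = Block.find(params["id"])
-if block.owner.kind_of?(Profile)
-return forbidden! unless block.owner.display_info_to?(current_person)
-end
+return forbidden! unless block.visible_to_user?(current_person)
 present block, :with => Entities::Block, display_api_content: true
 end
 end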
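Review bot: With the new guard at line 9 a hidden block still answers with `forbidden!` while an unknown id raises `ActiveRecord::RecordNotFound` from `Block.find` on the line above, so an unauthenticated caller can walk ids and learn which hidden blocks exist even though it cannot read them. If that distinction is not intended, answer both cases with the same status, e.g. rescue `ActiveRecord::RecordNotFound` in this endpoint and return the same response the visibility failure does; I cannot see how `forbidden!` or the not-found mapping are defined, so whether they already normalise this is an assumption to confirm. A short comment above the guard, `# visibility rules live in Block#visible_to_user? so API and web views stay in sync`, would document why the Profile-specific check was dropped here. The enclosing `module Noosfero` wrapper starts before the hunk.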
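--- a/test/unit/block_test.rb
+++ b/test/unit/block_test.rb
@@ -365,4 +365,64 @@ class BlockTest < ActiveSupport::TestCase
 assert block.get_limit.is_a?(Fixnum)
 end
 
+should 'return true at visible_to_user? when block is visible' do
+block = Block.new
+person = create_user('person_one').person
+assert block.visible_to_user?(person)
+end
+
+should 'return false at visible_to_user? when block is not visible and user is nil' do
+block = Block.new
+person = create_user('person_one').person
+block.stubs(:owner).returns(person)
+block.expects(:visible?).returns(false)
+assert !block.visible_to_user?(nil)
+end
+
+should 'return false at visible_to_user? when block is not visible and user does not has permission' do
+block = Block.new
+person = create_user('person_one').person
+community = fast_create(Community)
+block.stubs(:owner).returns(community)
+block.expects(:visible?).returns(false)
+assert !block.visible_to_user?(person)
+end
+
+should 'return true at visible_to_user? when block is not visible and user has permission' do
+block = Block.new
+person = create_user('person_one').person
+community = fast_create(Community)
+give_permission(person, 'edit_profile_design', community)
+block.stubs(:owner).returns(community)
+block.expects(:visible?).returns(false)
+assert block.visible_to_user?(person)
+end
+
+should 'return false at visible_to_user? when block is not visible and user does not has permission in environment' do
+block = Block.new
+environment = Environment.default
+person = create_user('person_one').person
+block.stubs(:owner).returns(environment)
+block.expects(:visible?).returns(false)
+assert !block.visible_to_user?(person)
+end
+
+should 'return true at visible_to_user? when block is not visible and user has permission in environment' do
+block = Block.new
+environment = Environment.default
+person = create_user('person_one').person
+give_permission(person, 'edit_environment_design', environment)
+block.stubs(:owner).returns(environment)
+block.expects(:visible?).returns(false)
+assert block.visible_to_user?(person)
+end
+
+should 'return false at visible_to_user? when block is not visible to user' do
+block = Block.new
+person = create_user('person_one').person
+block.stubs(:owner).returns(person)
+block.expects(:visible?).returns(true)
+block.expects(:display_to_user?).returns(false)
+assert !block.visible_to_user?(nil)
+end
 end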
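Review bot: None of the new tests covers the one rule the endpoint enforced before this commit — a `Profile` owner whose `display_info_to?(user)` returns false (a private profile) — so a regression in the check that was moved from the API into the model would go unnoticed. The first test (`Block.new` with no owner) also passes without touching `visible?` or either owner branch, since `owner` is nil, so it only proves the `display_to_user?` default; naming it accordingly or giving it an owner would make the intent clearer. I'd add a case that stubs the owner's privacy check, following the stubbing style the hunk already uses on `block`; the enclosing `class BlockTest` starts before the hunk.
```ruby
# … unchanged: existing visible_to_user? tests …
should 'return false at visible_to_user? when owner does not display info to user' do
  block = Block.new
  community = fast_create(Community)
  community.stubs(:display_info_to?).returns(false)
  block.stubs(:owner).returns(community)
  assert !block.visible_to_user?(nil)
end
```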