Commit 8b6ad9de6df2060812d6e87017058a0183285a4c

Authored by Victor Costa
Committed by Rodrigo Souto
1 parent 294b2f50

api: check for permissions before return some entities

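--- a/lib/api/v1/comments.rb
+++ b/lib/api/v1/comments.rb
@@ -16,24 +16,27 @@ module API
         get ":id/comments" do
 
           conditions = make_conditions_with_parameter(params)
+          article = find_article(environment.articles, params[:id])
 
           if params[:reference_id]
-            comments = environment.articles.find(params[:id]).comments.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
+            comments = article.comments.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
           else
-            comments = environment.articles.find(params[:id]).comments.reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
+            comments = article.comments.reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
           end
           present comments, :with => Entities::Comment
 
         end
 
         get ":id/comments/:comment_id" do
-          present environment.articles.find(params[:id]).comments.find(params[:comment_id]), :with => Entities::Comment
+          article = find_article(environment.articles, params[:id])
+          present article.comments.find(params[:comment_id]), :with => Entities::Comment
         end
 
         # Example Request:
         # POST api/v1/articles/12/comments?private_toke=234298743290432&body=new comment
         post ":id/comments" do
-          present environment.articles.find(params[:id]).comments.create(:author => current_person, :body => params[:body]), :with => Entities::Comment
+          article = find_article(environment.articles, params[:id])
+          present article.comments.create(:author => current_person, :body => params[:body]), :with => Entities::Comment
         end
       end
 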
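Review bot: The whole permission check in these three routes is delegated to `find_article`, which is not part of this diff, so whether it distinguishes an unknown article id (404) from an existing article the caller may not view (403), and whether it consults `current_person` at all, cannot be confirmed from this hunk; the new tests only exercise an unpublished article owned by somebody else. The `post ":id/comments"` route likewise checks only that the article is viewable before `article.comments.create(...)`, so if articles can have commenting disabled that condition is not enforced here — worth confirming against the helper. A short comment above the first call would make the contract reviewable, e.g. `# find_article rejects with 403 unless current_person may view the article` (or whatever the helper actually guarantees). The `Comments` class and the enclosing `resource` block begin before this hunk.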
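--- a/lib/api/v1/communities.rb
+++ b/lib/api/v1/communities.rb
@@ -20,14 +20,14 @@ module API
           present communities, :with => Entities::Community
         end
 
-        #FIXME See only public communities
         get '/all' do
           communities = select_filtered_collection_of(environment, 'communities', params)
+          communities = communities.visible
           present communities, :with => Entities::Community
         end
 
         get ':id' do
-          community = environment.communities.find(params[:id])
+          community = environment.communities.visible.find_by_id(params[:id])
           present community, :with => Entities::Community
         end
 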
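Review bot: `environment.communities.visible.find_by_id(params[:id])` returns nil for an invisible or unknown id, and the route then calls `present nil, :with => Entities::Community`, so the client gets a 200 with an empty entity instead of an error; the comments routes in this same commit answer 403 for the equivalent case, and the previous `find` answered 404 for unknown ids, which makes this endpoint the inconsistent one. Keeping `find` on the scoped relation preserves the 404 for both cases: `community = environment.communities.visible.find(params[:id])`. Note also that the `visible` scope hides a community from its own members and admins, since the check never looks at the current person — if that is not intended the filter needs to be user-aware. The `resource :communities` block starts before this hunk.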
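--- a/lib/api/v1/enterprises.rb
+++ b/lib/api/v1/enterprises.rb
@@ -2,7 +2,7 @@ module API
   module V1
     class Enterprises < Grape::API
       before { authenticate! }
-
+
       resource :enterprises do
 
         # Collect comments from articles
@@ -19,14 +19,14 @@ module API
           enterprises = select_filtered_collection_of(environment, 'enterprises', params)
           present enterprises, :with => Entities::Enterprise
         end
-
-        desc "Return the article id"
+
+        desc "Return one environment by id"
         get ':id' do
           present environment.enterprises.find(params[:id]), :with => Entities::Enterprise
         end
 
       end
-
+
     end
   end
 end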
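Review bot: The new description string `desc "Return one environment by id"` is wrong for a route that presents a single enterprise; it should read `desc "Return one enterprise by id"`. Apart from that wording and trailing-whitespace cleanup the enterprise routes are untouched, so `environment.enterprises.find(params[:id])` and the listing above it still return enterprises regardless of visibility, while the communities routes in this same commit gain a `.visible` filter. Assuming enterprises carry the same visibility flag, the same scope belongs here: `present environment.enterprises.visible.find(params[:id]), :with => Entities::Enterprise` and `enterprises = enterprises.visible` on the index.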
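--- a/lib/api/v1/people.rb
+++ b/lib/api/v1/people.rb
@@ -2,7 +2,7 @@ module API
   module V1
     class People < Grape::API
       before { authenticate! }
-
+
       resource :people do
 
         # Collect comments from articles
@@ -20,13 +20,13 @@ module API
           present people, :with => Entities::Person
         end
 
-        desc "Return the person information"
+        desc "Return the person information"
         get '/:id' do
           present environment.people.find(params[:id]), :with => Entities::Person
         end
 
       end
-
+
     end
   end
 end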
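--- a/test/unit/api/comments_test.rb
+++ b/test/unit/api/comments_test.rb
@@ -6,6 +6,34 @@ class CommentsTest &lt; ActiveSupport::TestCase
     login_api
   end
 
+  should 'not list comments if user has no permission to view the source article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not return comment if user has no permission to view the source article' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    comment = article.comments.create!(:body => "another comment", :author => user.person)
+    assert !article.published?
+
+    get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
+  should 'not comment a article if user has no permission to view it' do
+    person = fast_create(Person)
+    article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
+    assert !article.published?
+
+    post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
+
   should 'return comments of an article' do
     article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
     article.comments.create!(:body => "some comment", :author => user.person)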
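Review bot: All three new tests use an unpublished article owned by a third person, so they would also pass if `find_article` simply rejected every unpublished article; the positive case is missing — an unpublished article created with `:profile_id => user.person.id` fetched via `/comments` should still return 200 — and a request for a nonexistent article id should be covered too, so that the 403-versus-404 behaviour is pinned rather than implied. The `assert !article.published?` lines are redundant with the `:published => false` attribute and read better as `refute article.published?`. The class `CommentsTest` begins before this hunk and its remaining tests follow it.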
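--- /dev/null
+++ b/test/unit/api/communities_test.rb
@@ -0,0 +1,53 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class CommunitiesTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list user communities' do
+    community1 = fast_create(Community)
+    fast_create(Community)
+    community1.add_member(user.person)
+
+    get "/api/v1/communities?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'list all communities' do
+    community1 = fast_create(Community)
+    community2 = fast_create(Community)
+
+    get "/api/v1/communities/all?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'get community' do
+    community = fast_create(Community)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal community.id, json['community']['id']
+  end
+
+  should 'not list invisible communities' do
+    community1 = fast_create(Community)
+    fast_create(Community, :visible => false)
+
+    get "/api/v1/communities/all?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [community1.id], json['communities'].map {|c| c['id']}
+  end
+
+  should 'not get invisible community' do
+    community = fast_create(Community, :visible => false)
+
+    get "/api/v1/communities/#{community.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json['community'].blank?
+  end
+
+end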
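Review bot: `'not get invisible community'` only checks `json['community'].blank?` and never asserts `last_response.status`, so it passes for a 200 with an empty body just as it would for a real 404 or 403; add `assert_equal 404, last_response.status` (or whichever code the API settles on) so the test pins the intended contract rather than the accident of presenting nil. `'list all communities'` and `'not list invisible communities'` compare against an exact id list, which breaks as soon as any fixture community exists in the test environment — `assert_includes` / `assert_not_includes` on the ids is more robust. These tests also read `json['communities']` while the enterprise and people tests in this same commit treat the response root as an array; presumably the presenters differ, but that is worth confirming rather than assuming.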
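--- /dev/null
+++ b/test/unit/api/enterprises_test.rb
@@ -0,0 +1,29 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class EnterprisesTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list enterprises' do
+    enterprise1 = fast_create(Enterprise)
+    enterprise2 = fast_create(Enterprise)
+
+    get "/api/v1/enterprises?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_includes json.map {|c| c['id']}, enterprise1.id
+    assert_includes json.map {|c| c['id']}, enterprise2.id
+  end
+
+  should 'return one enterprise by id' do
+    enterprise = fast_create(Enterprise)
+
+    get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_equal enterprise.id, json['id']
+  end
+
+end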
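Review bot: Neither test covers an invisible enterprise, so the absence of a visibility filter on `/enterprises` and `/enterprises/:id` goes untested even though the commit is about checking permissions before returning entities; a negative case mirroring the communities tests — `fast_create(Enterprise, :visible => false)` followed by an `assert_not_includes` on the listing and a status assertion on the show route — would make the gap visible and guard the fix once it lands. The listing test also recomputes `json.map {|c| c['id']}` twice; binding it once to `ids` before the two assertions is clearer.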
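--- /dev/null
+++ b/test/unit/api/people_test.rb
@@ -0,0 +1,29 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class PeopleTest < ActiveSupport::TestCase
+
+  def setup
+    login_api
+  end
+
+  should 'list persons' do
+    person1 = fast_create(Person)
+    person2 = fast_create(Person)
+
+    get "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_includes json.map {|c| c['id']}, person1.id
+    assert_includes json.map {|c| c['id']}, person2.id
+  end
+
+  should 'return one person by id' do
+    person = fast_create(Person)
+
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_equal person.id, json['id']
+  end
+
+end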