Download as
Browse Code »

Commit 8b6ad9de6df2060812d6e87017058a0183285a4c

Authored by Victor Costa
Committed by Rodrigo Souto
1 parent 294b2f50
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

api: check for permissions before return some entities

Showing 8 changed files with 155 additions and 13 deletions   Show diff stats
lib/api/v1/comments.rb
  Diff comments   View file @8b6ad9d
@@ -16,24 +16,27 @@ module API @@ -16,24 +16,27 @@ module API
16 get ":id/comments" do 16 get ":id/comments" do
17 17
18 conditions = make_conditions_with_parameter(params) 18 conditions = make_conditions_with_parameter(params)
  19 + article = find_article(environment.articles, params[:id])
19 20
20 if params[:reference_id] 21 if params[:reference_id]
21 - comments = environment.articles.find(params[:id]).comments.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit) 22 + comments = article.comments.send("#{params.key?(:oldest) ? 'older_than' : 'newer_than'}", params[:reference_id]).reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
22 else 23 else
23 - comments = environment.articles.find(params[:id]).comments.reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit) 24 + comments = article.comments.reorder("created_at DESC").find(:all, :conditions => conditions, :limit => limit)
24 end 25 end
25 present comments, :with => Entities::Comment 26 present comments, :with => Entities::Comment
26 27
27 end 28 end
28 29
29 get ":id/comments/:comment_id" do 30 get ":id/comments/:comment_id" do
30 - present environment.articles.find(params[:id]).comments.find(params[:comment_id]), :with => Entities::Comment 31 + article = find_article(environment.articles, params[:id])
  32 + present article.comments.find(params[:comment_id]), :with => Entities::Comment
31 end 33 end
32 34
33 # Example Request: 35 # Example Request:
34 # POST api/v1/articles/12/comments?private_toke=234298743290432&body=new comment 36 # POST api/v1/articles/12/comments?private_toke=234298743290432&body=new comment
35 post ":id/comments" do 37 post ":id/comments" do
36 - present environment.articles.find(params[:id]).comments.create(:author => current_person, :body => params[:body]), :with => Entities::Comment 38 + article = find_article(environment.articles, params[:id])
  39 + present article.comments.create(:author => current_person, :body => params[:body]), :with => Entities::Comment
37 end 40 end
38 end 41 end
39 42
lib/api/v1/communities.rb
  Diff comments   View file @8b6ad9d
@@ -20,14 +20,14 @@ module API @@ -20,14 +20,14 @@ module API
20 present communities, :with => Entities::Community 20 present communities, :with => Entities::Community
21 end 21 end
22 22
23 - #FIXME See only public communities  
24 get '/all' do 23 get '/all' do
25 communities = select_filtered_collection_of(environment, 'communities', params) 24 communities = select_filtered_collection_of(environment, 'communities', params)
  25 + communities = communities.visible
26 present communities, :with => Entities::Community 26 present communities, :with => Entities::Community
27 end 27 end
28 28
29 get ':id' do 29 get ':id' do
30 - community = environment.communities.find(params[:id]) 30 + community = environment.communities.visible.find_by_id(params[:id])
31 present community, :with => Entities::Community 31 present community, :with => Entities::Community
32 end 32 end
33 33
lib/api/v1/enterprises.rb
  Diff comments   View file @8b6ad9d
@@ -2,7 +2,7 @@ module API @@ -2,7 +2,7 @@ module API
2 module V1 2 module V1
3 class Enterprises < Grape::API 3 class Enterprises < Grape::API
4 before { authenticate! } 4 before { authenticate! }
5 - 5 +
6 resource :enterprises do 6 resource :enterprises do
7 7
8 # Collect comments from articles 8 # Collect comments from articles
@@ -19,14 +19,14 @@ module API @@ -19,14 +19,14 @@ module API
19 enterprises = select_filtered_collection_of(environment, 'enterprises', params) 19 enterprises = select_filtered_collection_of(environment, 'enterprises', params)
20 present enterprises, :with => Entities::Enterprise 20 present enterprises, :with => Entities::Enterprise
21 end 21 end
22 -  
23 - desc "Return the article id" 22 +
  23 + desc "Return one environment by id"
24 get ':id' do 24 get ':id' do
25 present environment.enterprises.find(params[:id]), :with => Entities::Enterprise 25 present environment.enterprises.find(params[:id]), :with => Entities::Enterprise
26 end 26 end
27 27
28 end 28 end
29 - 29 +
30 end 30 end
31 end 31 end
32 end 32 end
lib/api/v1/people.rb
  Diff comments   View file @8b6ad9d
@@ -2,7 +2,7 @@ module API @@ -2,7 +2,7 @@ module API
2 module V1 2 module V1
3 class People < Grape::API 3 class People < Grape::API
4 before { authenticate! } 4 before { authenticate! }
5 - 5 +
6 resource :people do 6 resource :people do
7 7
8 # Collect comments from articles 8 # Collect comments from articles
@@ -20,13 +20,13 @@ module API @@ -20,13 +20,13 @@ module API
20 present people, :with => Entities::Person 20 present people, :with => Entities::Person
21 end 21 end
22 22
23 - desc "Return the person information" 23 + desc "Return the person information"
24 get '/:id' do 24 get '/:id' do
25 present environment.people.find(params[:id]), :with => Entities::Person 25 present environment.people.find(params[:id]), :with => Entities::Person
26 end 26 end
27 27
28 end 28 end
29 - 29 +
30 end 30 end
31 end 31 end
32 end 32 end
test/unit/api/comments_test.rb
  Diff comments   View file @8b6ad9d
@@ -6,6 +6,34 @@ class CommentsTest &lt; ActiveSupport::TestCase @@ -6,6 +6,34 @@ class CommentsTest &lt; ActiveSupport::TestCase
6 login_api 6 login_api
7 end 7 end
8 8
  9 + should 'not list comments if user has no permission to view the source article' do
  10 + person = fast_create(Person)
  11 + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
  12 + assert !article.published?
  13 +
  14 + get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  15 + assert_equal 403, last_response.status
  16 + end
  17 +
  18 + should 'not return comment if user has no permission to view the source article' do
  19 + person = fast_create(Person)
  20 + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
  21 + comment = article.comments.create!(:body => "another comment", :author => user.person)
  22 + assert !article.published?
  23 +
  24 + get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
  25 + assert_equal 403, last_response.status
  26 + end
  27 +
  28 + should 'not comment a article if user has no permission to view it' do
  29 + person = fast_create(Person)
  30 + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
  31 + assert !article.published?
  32 +
  33 + post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  34 + assert_equal 403, last_response.status
  35 + end
  36 +
9 should 'return comments of an article' do 37 should 'return comments of an article' do
10 article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing") 38 article = fast_create(Article, :profile_id => user.person.id, :name => "Some thing")
11 article.comments.create!(:body => "some comment", :author => user.person) 39 article.comments.create!(:body => "some comment", :author => user.person)
test/unit/api/communities_test.rb 0 → 100644
  Diff comments   View file @8b6ad9d
@@ -0,0 +1,53 @@ @@ -0,0 +1,53 @@
  1 +require File.dirname(__FILE__) + '/test_helper'
  2 +
  3 +class CommunitiesTest < ActiveSupport::TestCase
  4 +
  5 + def setup
  6 + login_api
  7 + end
  8 +
  9 + should 'list user communities' do
  10 + community1 = fast_create(Community)
  11 + fast_create(Community)
  12 + community1.add_member(user.person)
  13 +
  14 + get "/api/v1/communities?#{params.to_query}"
  15 + json = JSON.parse(last_response.body)
  16 + assert_equivalent [community1.id], json['communities'].map {|c| c['id']}
  17 + end
  18 +
  19 + should 'list all communities' do
  20 + community1 = fast_create(Community)
  21 + community2 = fast_create(Community)
  22 +
  23 + get "/api/v1/communities/all?#{params.to_query}"
  24 + json = JSON.parse(last_response.body)
  25 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  26 + end
  27 +
  28 + should 'get community' do
  29 + community = fast_create(Community)
  30 +
  31 + get "/api/v1/communities/#{community.id}?#{params.to_query}"
  32 + json = JSON.parse(last_response.body)
  33 + assert_equal community.id, json['community']['id']
  34 + end
  35 +
  36 + should 'not list invisible communities' do
  37 + community1 = fast_create(Community)
  38 + fast_create(Community, :visible => false)
  39 +
  40 + get "/api/v1/communities/all?#{params.to_query}"
  41 + json = JSON.parse(last_response.body)
  42 + assert_equal [community1.id], json['communities'].map {|c| c['id']}
  43 + end
  44 +
  45 + should 'not get invisible community' do
  46 + community = fast_create(Community, :visible => false)
  47 +
  48 + get "/api/v1/communities/#{community.id}?#{params.to_query}"
  49 + json = JSON.parse(last_response.body)
  50 + assert json['community'].blank?
  51 + end
  52 +
  53 +end
test/unit/api/enterprises_test.rb 0 → 100644
  Diff comments   View file @8b6ad9d
@@ -0,0 +1,29 @@ @@ -0,0 +1,29 @@
  1 +require File.dirname(__FILE__) + '/test_helper'
  2 +
  3 +class EnterprisesTest < ActiveSupport::TestCase
  4 +
  5 + def setup
  6 + login_api
  7 + end
  8 +
  9 + should 'list enterprises' do
  10 + enterprise1 = fast_create(Enterprise)
  11 + enterprise2 = fast_create(Enterprise)
  12 +
  13 + get "/api/v1/enterprises?#{params.to_query}"
  14 + json = JSON.parse(last_response.body)
  15 +
  16 + assert_includes json.map {|c| c['id']}, enterprise1.id
  17 + assert_includes json.map {|c| c['id']}, enterprise2.id
  18 + end
  19 +
  20 + should 'return one enterprise by id' do
  21 + enterprise = fast_create(Enterprise)
  22 +
  23 + get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
  24 + json = JSON.parse(last_response.body)
  25 +
  26 + assert_equal enterprise.id, json['id']
  27 + end
  28 +
  29 +end
test/unit/api/people_test.rb 0 → 100644
  Diff comments   View file @8b6ad9d
@@ -0,0 +1,29 @@ @@ -0,0 +1,29 @@
  1 +require File.dirname(__FILE__) + '/test_helper'
  2 +
  3 +class PeopleTest < ActiveSupport::TestCase
  4 +
  5 + def setup
  6 + login_api
  7 + end
  8 +
  9 + should 'list persons' do
  10 + person1 = fast_create(Person)
  11 + person2 = fast_create(Person)
  12 +
  13 + get "/api/v1/people?#{params.to_query}"
  14 + json = JSON.parse(last_response.body)
  15 +
  16 + assert_includes json.map {|c| c['id']}, person1.id
  17 + assert_includes json.map {|c| c['id']}, person2.id
  18 + end
  19 +
  20 + should 'return one person by id' do
  21 + person = fast_create(Person)
  22 +
  23 + get "/api/v1/people/#{person.id}?#{params.to_query}"
  24 + json = JSON.parse(last_response.body)
  25 +
  26 + assert_equal person.id, json['id']
  27 + end
  28 +
  29 +end