api: remove users

Move users api mountpoint to people and also deal with permissions issues.

api: remove users
Move users api mountpoint to people and also deal with permissions issues.
Rodrigo Souto
1 parent dc740341
Showing 6 changed files with 104 additions and 76 deletions Show diff stats
app/controllers/public/account_controller.rb
app/models/user.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/v1/people.rb
lib/noosfero/api/v1/users.rb
test/unit/api/people_test.rb
@@ -91,11 +91,8 @@ class AccountController &lt; ApplicationController
     @block_bot = !!session[:may_be_a_bot]
     @invitation_code = params[:invitation_code]
     begin
-      @user = User.new(params[:user])
-      @user.terms_of_use = environment.terms_of_use
-      @user.environment = environment
+      @user = User.build(params[:user], params[:profile_data], environment)
       @terms_of_use = environment.terms_of_use
-      @user.person_data = params[:profile_data]
       @user.return_to = session[:return_to]
       @person = Person.new(params[:profile_data])
       @person.environment = @user.environment
@@ -34,6 +34,14 @@ class User &lt; ActiveRecord::Base
     alias_method_chain :human_attribute_name, :customization
   end
  
+  def self.build(user_data, person_data, environment)
+    user = User.new(user_data)
+    user.terms_of_use = environment.terms_of_use
+    user.environment = environment
+    user.person_data = person_data
+    user
+  end
+
   before_create do |user|
     if user.environment.nil?
       user.environment = Environment.default
@@ -36,8 +36,14 @@ module Noosfero
         expose :image, :using => Image
       end
  
+      class User < Entity
+        expose :id
+        expose :login
+      end
+
       class Person < Profile
         root 'people', 'person'
+        expose :user, :using => User
       end
       class Enterprise < Profile
         root 'enterprises', 'enterprise'
@@ -95,23 +101,6 @@ module Noosfero
         expose :author, :using => Profile
       end
  
-
-      class User < Entity
-        root 'users', 'user'
-        expose :id
-        expose :login
-        expose :person, :using => Profile
-        expose :permissions do |user, options|
-          output = {}
-          user.person.role_assignments.map do |role_assigment|
-            if role_assigment.resource.respond_to?(:identifier)
-              output[role_assigment.resource.identifier] = role_assigment.role.permissions
-            end
-          end
-          output
-        end
-      end
-
       class UserLogin < User
         expose :private_token
       end
@@ -36,12 +36,34 @@ module Noosfero
             present people, :with => Entities::Person
           end
  
+          desc "Return the logged user information"
+          get "/me" do
+            present current_person, :with => Entities::Person
+          end
+
           desc "Return the person information"
           get ':id' do
             person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
             present person, :with => Entities::Person
           end
  
+          # Example Request:
+          #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
+          desc "Create person"
+          post do
+            user_data = {}
+            user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
+            user_data[:email] = params[:person].delete(:email)
+            user_data[:password] = params[:person].delete(:password)
+            user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
+            user = User.build(user_data, params[:person], environment)
+            if !user.signup!
+              render_api_errors!(user.errors.full_messages)
+            end
+
+            present user.person, :with => Entities::Person
+          end
+
           desc "Return the person friends"
           get ':id/friends' do
             person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
@@ -49,8 +71,20 @@ module Noosfero
             present friends, :with => Entities::Person
           end
  
-        end
+          desc "Return the person permissions on other profiles"
+          get ":id/permissions" do
+            person = environment.people.find(params[:id])
+            return forbidden! unless current_person == person || environment.admins.include?(current_person)
  
+            output = {}
+            person.role_assignments.map do |role_assigment|
+              if role_assigment.resource.respond_to?(:identifier)
+                output[role_assigment.resource.identifier] = role_assigment.role.permissions
+              end
+            end
+            present output
+          end
+        end
       end
     end
   end
@@ -1,52 +0,0 @@
-module Noosfero
-  module API
-    module V1
-      class Users < Grape::API
-        before { authenticate! }
-
-        resource :users do
-
-          #FIXME make the pagination
-          #FIXME put it on environment context
-          get do
-            present environment.users, :with => Entities::User
-          end
-
-          # Example Request:
-          #  POST api/v1/users?user[login]=some_login&user[password]=some
-          post do
-            user = User.new(params[:user])
-            user.terms_of_use = environment.terms_of_use
-            user.environment = environment
-            if !user.save
-              render_api_errors!(user.errors.full_messages)
-            end
-
-            present user, :with => Entities::User
-          end
-
-          get "/me" do
-            present current_user, :with => Entities::User
-          end
-
-          get ":id" do
-            present environment.users.find_by_id(params[:id]), :with => Entities::User
-          end
-
-          get ":id/permissions" do
-            user = environment.users.find(params[:id])
-            output = {}
-            user.person.role_assignments.map do |role_assigment|
-              if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
-                output[:permissions] = role_assigment.role.permissions
-              end
-            end
-            present output
-          end
-
-        end
-
-      end
-    end
-  end
-end
@@ -40,9 +40,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
  
   should 'get person' do
-    person = fast_create(Person)
+    some_person = fast_create(Person)
  
-    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['person']['id']
+  end
+
+  should 'get logged person' do
+    get "/api/v1/people/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal person.id, json['person']['id']
   end
@@ -96,4 +102,50 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_not_includes friends, invisible_friend.id
   end
  
+  should 'create a person' do
+    login = 'some'
+    params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal login, json['person']['identifier']
+  end
+
+  should 'return 400 status for invalid person creation' do
+    params[:person] = {:login => 'some'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 400, last_response.status
+  end
+
+  should 'display permissions' do
+    community = fast_create(Community)
+    community.add_member(fast_create(Person))
+    community.add_member(person)
+    permissions = Profile::Roles.member(person.environment.id).permissions
+    get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_equal json[community.identifier], permissions
+  end
+
+  should 'display permissions if self' do
+    get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'display permissions if admin' do
+    environment = person.environment
+    environment.add_admin(person)
+    some_person = fast_create(Person)
+
+    get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'not display permissions if not admin or self' do
+    some_person = create_user('some-person').person
+
+    get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
 end
...	...	@@ -91,11 +91,8 @@ class AccountController < ApplicationController
91	91	@block_bot = !!session[:may_be_a_bot]
92	92	@invitation_code = params[:invitation_code]
93	93	begin
94		- @user = User.new(params[:user])
95		- @user.terms_of_use = environment.terms_of_use
96		- @user.environment = environment
	94	+ @user = User.build(params[:user], params[:profile_data], environment)
97	95	@terms_of_use = environment.terms_of_use
98		- @user.person_data = params[:profile_data]
99	96	@user.return_to = session[:return_to]
100	97	@person = Person.new(params[:profile_data])
101	98	@person.environment = @user.environment
...	...
...	...	@@ -34,6 +34,14 @@ class User < ActiveRecord::Base
34	34	alias_method_chain :human_attribute_name, :customization
35	35	end
36	36
	37	+ def self.build(user_data, person_data, environment)
	38	+ user = User.new(user_data)
	39	+ user.terms_of_use = environment.terms_of_use
	40	+ user.environment = environment
	41	+ user.person_data = person_data
	42	+ user
	43	+ end
	44	+
37	45	before_create do \|user\|
38	46	if user.environment.nil?
39	47	user.environment = Environment.default
...	...
...	...	@@ -36,8 +36,14 @@ module Noosfero
36	36	expose :image, :using => Image
37	37	end
38	38
	39	+ class User < Entity
	40	+ expose :id
	41	+ expose :login
	42	+ end
	43	+
39	44	class Person < Profile
40	45	root 'people', 'person'
	46	+ expose :user, :using => User
41	47	end
42	48	class Enterprise < Profile
43	49	root 'enterprises', 'enterprise'
...	...	@@ -95,23 +101,6 @@ module Noosfero
95	101	expose :author, :using => Profile
96	102	end
97	103
98		-
99		- class User < Entity
100		- root 'users', 'user'
101		- expose :id
102		- expose :login
103		- expose :person, :using => Profile
104		- expose :permissions do \|user, options\|
105		- output = {}
106		- user.person.role_assignments.map do \|role_assigment\|
107		- if role_assigment.resource.respond_to?(:identifier)
108		- output[role_assigment.resource.identifier] = role_assigment.role.permissions
109		- end
110		- end
111		- output
112		- end
113		- end
114		-
115	104	class UserLogin < User
116	105	expose :private_token
117	106	end
...	...
...	...	@@ -36,12 +36,34 @@ module Noosfero
36	36	present people, :with => Entities::Person
37	37	end
38	38
	39	+ desc "Return the logged user information"
	40	+ get "/me" do
	41	+ present current_person, :with => Entities::Person
	42	+ end
	43	+
39	44	desc "Return the person information"
40	45	get ':id' do
41	46	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
42	47	present person, :with => Entities::Person
43	48	end
44	49
	50	+ # Example Request:
	51	+ # POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
	52	+ desc "Create person"
	53	+ post do
	54	+ user_data = {}
	55	+ user_data[:login] = params[:person].delete(:login) \|\| params[:person][:identifier]
	56	+ user_data[:email] = params[:person].delete(:email)
	57	+ user_data[:password] = params[:person].delete(:password)
	58	+ user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
	59	+ user = User.build(user_data, params[:person], environment)
	60	+ if !user.signup!
	61	+ render_api_errors!(user.errors.full_messages)
	62	+ end
	63	+
	64	+ present user.person, :with => Entities::Person
	65	+ end
	66	+
45	67	desc "Return the person friends"
46	68	get ':id/friends' do
47	69	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
...	...	@@ -49,8 +71,20 @@ module Noosfero
49	71	present friends, :with => Entities::Person
50	72	end
51	73
52		- end
	74	+ desc "Return the person permissions on other profiles"
	75	+ get ":id/permissions" do
	76	+ person = environment.people.find(params[:id])
	77	+ return forbidden! unless current_person == person \|\| environment.admins.include?(current_person)
53	78
	79	+ output = {}
	80	+ person.role_assignments.map do \|role_assigment\|
	81	+ if role_assigment.resource.respond_to?(:identifier)
	82	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
	83	+ end
	84	+ end
	85	+ present output
	86	+ end
	87	+ end
54	88	end
55	89	end
56	90	end
...	...
...	...	@@ -1,52 +0,0 @@
1		-module Noosfero
2		- module API
3		- module V1
4		- class Users < Grape::API
5		- before { authenticate! }
6		-
7		- resource :users do
8		-
9		- #FIXME make the pagination
10		- #FIXME put it on environment context
11		- get do
12		- present environment.users, :with => Entities::User
13		- end
14		-
15		- # Example Request:
16		- # POST api/v1/users?user[login]=some_login&user[password]=some
17		- post do
18		- user = User.new(params[:user])
19		- user.terms_of_use = environment.terms_of_use
20		- user.environment = environment
21		- if !user.save
22		- render_api_errors!(user.errors.full_messages)
23		- end
24		-
25		- present user, :with => Entities::User
26		- end
27		-
28		- get "/me" do
29		- present current_user, :with => Entities::User
30		- end
31		-
32		- get ":id" do
33		- present environment.users.find_by_id(params[:id]), :with => Entities::User
34		- end
35		-
36		- get ":id/permissions" do
37		- user = environment.users.find(params[:id])
38		- output = {}
39		- user.person.role_assignments.map do \|role_assigment\|
40		- if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
41		- output[:permissions] = role_assigment.role.permissions
42		- end
43		- end
44		- present output
45		- end
46		-
47		- end
48		-
49		- end
50		- end
51		- end
52		-end
...	...	@@ -40,9 +40,15 @@ class PeopleTest < ActiveSupport::TestCase
40	40	end
41	41
42	42	should 'get person' do
43		- person = fast_create(Person)
	43	+ some_person = fast_create(Person)
44	44
45		- get "/api/v1/people/#{person.id}?#{params.to_query}"
	45	+ get "/api/v1/people/#{some_person.id}?#{params.to_query}"
	46	+ json = JSON.parse(last_response.body)
	47	+ assert_equal some_person.id, json['person']['id']
	48	+ end
	49	+
	50	+ should 'get logged person' do
	51	+ get "/api/v1/people/me?#{params.to_query}"
46	52	json = JSON.parse(last_response.body)
47	53	assert_equal person.id, json['person']['id']
48	54	end
...	...	@@ -96,4 +102,50 @@ class PeopleTest < ActiveSupport::TestCase
96	102	assert_not_includes friends, invisible_friend.id
97	103	end
98	104
	105	+ should 'create a person' do
	106	+ login = 'some'
	107	+ params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
	108	+ post "/api/v1/people?#{params.to_query}"
	109	+ json = JSON.parse(last_response.body)
	110	+ assert_equal login, json['person']['identifier']
	111	+ end
	112	+
	113	+ should 'return 400 status for invalid person creation' do
	114	+ params[:person] = {:login => 'some'}
	115	+ post "/api/v1/users?#{params.to_query}"
	116	+ json = JSON.parse(last_response.body)
	117	+ assert_equal 400, last_response.status
	118	+ end
	119	+
	120	+ should 'display permissions' do
	121	+ community = fast_create(Community)
	122	+ community.add_member(fast_create(Person))
	123	+ community.add_member(person)
	124	+ permissions = Profile::Roles.member(person.environment.id).permissions
	125	+ get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
	126	+ json = JSON.parse(last_response.body)
	127	+
	128	+ assert_equal json[community.identifier], permissions
	129	+ end
	130	+
	131	+ should 'display permissions if self' do
	132	+ get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
	133	+ assert_equal 200, last_response.status
	134	+ end
	135	+
	136	+ should 'display permissions if admin' do
	137	+ environment = person.environment
	138	+ environment.add_admin(person)
	139	+ some_person = fast_create(Person)
	140	+
	141	+ get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
	142	+ assert_equal 200, last_response.status
	143	+ end
	144	+
	145	+ should 'not display permissions if not admin or self' do
	146	+ some_person = create_user('some-person').person
	147	+
	148	+ get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
	149	+ assert_equal 403, last_response.status
	150	+ end
99	151	end
...	...