api: remove users

Move users api mountpoint to people and also deal with permissions issues.

api: remove users
Move users api mountpoint to people and also deal with permissions issues.
Rodrigo Souto
1 parent dc740341
Showing 6 changed files with 104 additions and 76 deletions Show diff stats
app/controllers/public/account_controller.rb
app/models/user.rb
lib/noosfero/api/entities.rb
lib/noosfero/api/v1/people.rb
lib/noosfero/api/v1/users.rb
test/unit/api/people_test.rb
@@ -91,11 +91,8 @@ class AccountController &lt; ApplicationController
     @block_bot = !!session[:may_be_a_bot]
     @invitation_code = params[:invitation_code]
     begin
-      @user = User.new(params[:user])
-      @user.terms_of_use = environment.terms_of_use
-      @user.environment = environment
+      @user = User.build(params[:user], params[:profile_data], environment)
       @terms_of_use = environment.terms_of_use
-      @user.person_data = params[:profile_data]
       @user.return_to = session[:return_to]
       @person = Person.new(params[:profile_data])
       @person.environment = @user.environment
@@ -34,6 +34,14 @@ class User &lt; ActiveRecord::Base
     alias_method_chain :human_attribute_name, :customization
   end
+  def self.build(user_data, person_data, environment)
+    user = User.new(user_data)
+    user.terms_of_use = environment.terms_of_use
+    user.environment = environment
+    user.person_data = person_data
+    user
+  end
+
   before_create do |user|
     if user.environment.nil?
       user.environment = Environment.default
@@ -36,8 +36,14 @@ module Noosfero
         expose :image, :using => Image
       end
+      class User < Entity
+        expose :id
+        expose :login
+      end
+
       class Person < Profile
         root 'people', 'person'
+        expose :user, :using => User
       end
       class Enterprise < Profile
         root 'enterprises', 'enterprise'
@@ -95,23 +101,6 @@ module Noosfero
         expose :author, :using => Profile
       end
-
-      class User < Entity
-        root 'users', 'user'
-        expose :id
-        expose :login
-        expose :person, :using => Profile
-        expose :permissions do |user, options|
-          output = {}
-          user.person.role_assignments.map do |role_assigment|
-            if role_assigment.resource.respond_to?(:identifier)
-              output[role_assigment.resource.identifier] = role_assigment.role.permissions
-            end
-          end
-          output
-        end
-      end
-
       class UserLogin < User
         expose :private_token
       end
@@ -36,12 +36,34 @@ module Noosfero
             present people, :with => Entities::Person
           end
+          desc "Return the logged user information"
+          get "/me" do
+            present current_person, :with => Entities::Person
+          end
+
           desc "Return the person information"
           get ':id' do
             person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
             present person, :with => Entities::Person
           end
+          # Example Request:
+          #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
+          desc "Create person"
+          post do
+            user_data = {}
+            user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
+            user_data[:email] = params[:person].delete(:email)
+            user_data[:password] = params[:person].delete(:password)
+            user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
+            user = User.build(user_data, params[:person], environment)
+            if !user.signup!
+              render_api_errors!(user.errors.full_messages)
+            end
+
+            present user.person, :with => Entities::Person
+          end
+
           desc "Return the person friends"
           get ':id/friends' do
             person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
@@ -49,8 +71,20 @@ module Noosfero
             present friends, :with => Entities::Person
           end
-        end
+          desc "Return the person permissions on other profiles"
+          get ":id/permissions" do
+            person = environment.people.find(params[:id])
+            return forbidden! unless current_person == person || environment.admins.include?(current_person)
+            output = {}
+            person.role_assignments.map do |role_assigment|
+              if role_assigment.resource.respond_to?(:identifier)
+                output[role_assigment.resource.identifier] = role_assigment.role.permissions
+              end
+            end
+            present output
+          end
+        end
       end
     end
   end
@@ -1,52 +0,0 @@
-module Noosfero
-  module API
-    module V1
-      class Users < Grape::API
-        before { authenticate! }
-
-        resource :users do
-
-          #FIXME make the pagination
-          #FIXME put it on environment context
-          get do
-            present environment.users, :with => Entities::User
-          end
-
-          # Example Request:
-          #  POST api/v1/users?user[login]=some_login&user[password]=some
-          post do
-            user = User.new(params[:user])
-            user.terms_of_use = environment.terms_of_use
-            user.environment = environment
-            if !user.save
-              render_api_errors!(user.errors.full_messages)
-            end
-
-            present user, :with => Entities::User
-          end
-
-          get "/me" do
-            present current_user, :with => Entities::User
-          end
-
-          get ":id" do
-            present environment.users.find_by_id(params[:id]), :with => Entities::User
-          end
-
-          get ":id/permissions" do
-            user = environment.users.find(params[:id])
-            output = {}
-            user.person.role_assignments.map do |role_assigment|
-              if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
-                output[:permissions] = role_assigment.role.permissions
-              end
-            end
-            present output
-          end
-
-        end
-
-      end
-    end
-  end
-end
@@ -40,9 +40,15 @@ class PeopleTest &lt; ActiveSupport::TestCase
   end
   should 'get person' do
-    person = fast_create(Person)
+    some_person = fast_create(Person)
-    get "/api/v1/people/#{person.id}?#{params.to_query}"
+    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal some_person.id, json['person']['id']
+  end
+
+  should 'get logged person' do
+    get "/api/v1/people/me?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal person.id, json['person']['id']
   end
@@ -96,4 +102,50 @@ class PeopleTest &lt; ActiveSupport::TestCase
     assert_not_includes friends, invisible_friend.id
   end
+  should 'create a person' do
+    login = 'some'
+    params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
+    post "/api/v1/people?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal login, json['person']['identifier']
+  end
+
+  should 'return 400 status for invalid person creation' do
+    params[:person] = {:login => 'some'}
+    post "/api/v1/users?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 400, last_response.status
+  end
+
+  should 'display permissions' do
+    community = fast_create(Community)
+    community.add_member(fast_create(Person))
+    community.add_member(person)
+    permissions = Profile::Roles.member(person.environment.id).permissions
+    get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_equal json[community.identifier], permissions
+  end
+
+  should 'display permissions if self' do
+    get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'display permissions if admin' do
+    environment = person.environment
+    environment.add_admin(person)
+    some_person = fast_create(Person)
+
+    get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
+    assert_equal 200, last_response.status
+  end
+
+  should 'not display permissions if not admin or self' do
+    some_person = create_user('some-person').person
+
+    get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
 end
	@@ -34,6 +34,14 @@ class User < ActiveRecord::Base		@@ -34,6 +34,14 @@ class User < ActiveRecord::Base
34	alias_method_chain :human_attribute_name, :customization	34	alias_method_chain :human_attribute_name, :customization
35	end	35	end
36		36
		37	+ def self.build(user_data, person_data, environment)
		38	+ user = User.new(user_data)
		39	+ user.terms_of_use = environment.terms_of_use
		40	+ user.environment = environment
		41	+ user.person_data = person_data
		42	+ user
		43	+ end
		44	+
37	before_create do \|user\|	45	before_create do \|user\|
38	if user.environment.nil?	46	if user.environment.nil?
39	user.environment = Environment.default	47	user.environment = Environment.default
	@@ -36,12 +36,34 @@ module Noosfero		@@ -36,12 +36,34 @@ module Noosfero
36	present people, :with => Entities::Person	36	present people, :with => Entities::Person
37	end	37	end
38		38
		39	+ desc "Return the logged user information"
		40	+ get "/me" do
		41	+ present current_person, :with => Entities::Person
		42	+ end
		43	+
39	desc "Return the person information"	44	desc "Return the person information"
40	get ':id' do	45	get ':id' do
41	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])	46	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
42	present person, :with => Entities::Person	47	present person, :with => Entities::Person
43	end	48	end
44		49
		50	+ # Example Request:
		51	+ # POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
		52	+ desc "Create person"
		53	+ post do
		54	+ user_data = {}
		55	+ user_data[:login] = params[:person].delete(:login) \|\| params[:person][:identifier]
		56	+ user_data[:email] = params[:person].delete(:email)
		57	+ user_data[:password] = params[:person].delete(:password)
		58	+ user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
		59	+ user = User.build(user_data, params[:person], environment)
		60	+ if !user.signup!
		61	+ render_api_errors!(user.errors.full_messages)
		62	+ end
		63	+
		64	+ present user.person, :with => Entities::Person
		65	+ end
		66	+
45	desc "Return the person friends"	67	desc "Return the person friends"
46	get ':id/friends' do	68	get ':id/friends' do
47	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])	69	person = environment.people.visible_for_person(current_person).find_by_id(params[:id])
	@@ -49,8 +71,20 @@ module Noosfero		@@ -49,8 +71,20 @@ module Noosfero
49	present friends, :with => Entities::Person	71	present friends, :with => Entities::Person
50	end	72	end
51		73
52	- end	74	+ desc "Return the person permissions on other profiles"
		75	+ get ":id/permissions" do
		76	+ person = environment.people.find(params[:id])
		77	+ return forbidden! unless current_person == person \|\| environment.admins.include?(current_person)
53		78
		79	+ output = {}
		80	+ person.role_assignments.map do \|role_assigment\|
		81	+ if role_assigment.resource.respond_to?(:identifier)
		82	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
		83	+ end
		84	+ end
		85	+ present output
		86	+ end
		87	+ end
54	end	88	end
55	end	89	end
56	end	90	end
	@@ -1,52 +0,0 @@	@@ -1,52 +0,0 @@
1	-module Noosfero
2	- module API
3	- module V1
4	- class Users < Grape::API
5	- before { authenticate! }
6	-
7	- resource :users do
8	-
9	- #FIXME make the pagination
10	- #FIXME put it on environment context
11	- get do
12	- present environment.users, :with => Entities::User
13	- end
14	-
15	- # Example Request:
16	- # POST api/v1/users?user[login]=some_login&user[password]=some
17	- post do
18	- user = User.new(params[:user])
19	- user.terms_of_use = environment.terms_of_use
20	- user.environment = environment
21	- if !user.save
22	- render_api_errors!(user.errors.full_messages)
23	- end
24	-
25	- present user, :with => Entities::User
26	- end
27	-
28	- get "/me" do
29	- present current_user, :with => Entities::User
30	- end
31	-
32	- get ":id" do
33	- present environment.users.find_by_id(params[:id]), :with => Entities::User
34	- end
35	-
36	- get ":id/permissions" do
37	- user = environment.users.find(params[:id])
38	- output = {}
39	- user.person.role_assignments.map do \|role_assigment\|
40	- if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
41	- output[:permissions] = role_assigment.role.permissions
42	- end
43	- end
44	- present output
45	- end
46	-
47	- end
48	-
49	- end
50	- end
51	- end
52	-end
	@@ -40,9 +40,15 @@ class PeopleTest < ActiveSupport::TestCase		@@ -40,9 +40,15 @@ class PeopleTest < ActiveSupport::TestCase
40	end	40	end
41		41
42	should 'get person' do	42	should 'get person' do
43	- person = fast_create(Person)	43	+ some_person = fast_create(Person)
44		44
45	- get "/api/v1/people/#{person.id}?#{params.to_query}"	45	+ get "/api/v1/people/#{some_person.id}?#{params.to_query}"
		46	+ json = JSON.parse(last_response.body)
		47	+ assert_equal some_person.id, json['person']['id']
		48	+ end
		49	+
		50	+ should 'get logged person' do
		51	+ get "/api/v1/people/me?#{params.to_query}"
46	json = JSON.parse(last_response.body)	52	json = JSON.parse(last_response.body)
47	assert_equal person.id, json['person']['id']	53	assert_equal person.id, json['person']['id']
48	end	54	end
	@@ -96,4 +102,50 @@ class PeopleTest < ActiveSupport::TestCase		@@ -96,4 +102,50 @@ class PeopleTest < ActiveSupport::TestCase
96	assert_not_includes friends, invisible_friend.id	102	assert_not_includes friends, invisible_friend.id
97	end	103	end
98		104
		105	+ should 'create a person' do
		106	+ login = 'some'
		107	+ params[:person] = {:login => login, :password => '123456', :password_confirmation => '123456', :email => 'some@some.com'}
		108	+ post "/api/v1/people?#{params.to_query}"
		109	+ json = JSON.parse(last_response.body)
		110	+ assert_equal login, json['person']['identifier']
		111	+ end
		112	+
		113	+ should 'return 400 status for invalid person creation' do
		114	+ params[:person] = {:login => 'some'}
		115	+ post "/api/v1/users?#{params.to_query}"
		116	+ json = JSON.parse(last_response.body)
		117	+ assert_equal 400, last_response.status
		118	+ end
		119	+
		120	+ should 'display permissions' do
		121	+ community = fast_create(Community)
		122	+ community.add_member(fast_create(Person))
		123	+ community.add_member(person)
		124	+ permissions = Profile::Roles.member(person.environment.id).permissions
		125	+ get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
		126	+ json = JSON.parse(last_response.body)
		127	+
		128	+ assert_equal json[community.identifier], permissions
		129	+ end
		130	+
		131	+ should 'display permissions if self' do
		132	+ get "/api/v1/people/#{person.id}/permissions?#{params.to_query}"
		133	+ assert_equal 200, last_response.status
		134	+ end
		135	+
		136	+ should 'display permissions if admin' do
		137	+ environment = person.environment
		138	+ environment.add_admin(person)
		139	+ some_person = fast_create(Person)
		140	+
		141	+ get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
		142	+ assert_equal 200, last_response.status
		143	+ end
		144	+
		145	+ should 'not display permissions if not admin or self' do
		146	+ some_person = create_user('some-person').person
		147	+
		148	+ get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
		149	+ assert_equal 403, last_response.status
		150	+ end
99	end	151	end