Download as
Browse Code »

Commit 9db0c7d6b0621dbf73210a0baeaa2910d68afcf7

Authored by Victor Costa
2 parents 0848a8e7 adb9abdd
Exists in profile_api_improvements and in 1 other branch fix_sign_up_form

Merge branch 'fix-blocks-api' into 'master' 

api: return invisible blocks to users with permission to edit



See merge request !964
Showing 4 changed files with 24 additions and 2 deletions   Show diff stats
app/api/entities.rb
  Diff comments   View file @9db0c7d
@@ -97,7 +97,7 @@ module Api @@ -97,7 +97,7 @@ module Api
97 root 'boxes', 'box' 97 root 'boxes', 'box'
98 expose :id, :position 98 expose :id, :position
99 expose :blocks, :using => Block do |box, options| 99 expose :blocks, :using => Block do |box, options|
100 - box.blocks.select {|block| block.visible_to_user?(options[:current_person]) } 100 + box.blocks.select {|block| block.visible_to_user?(options[:current_person]) || block.allow_edit?(options[:current_person]) }
101 end 101 end
102 end 102 end
103 103
app/api/v1/blocks.rb
  Diff comments   View file @9db0c7d
@@ -5,7 +5,7 @@ module Api @@ -5,7 +5,7 @@ module Api
5 resource :blocks do 5 resource :blocks do
6 get ':id' do 6 get ':id' do
7 block = Block.find(params["id"]) 7 block = Block.find(params["id"])
8 - return forbidden! unless block.visible_to_user?(current_person) 8 + return forbidden! unless block.visible_to_user?(current_person) || block.allow_edit?(current_person)
9 present block, :with => Entities::Block, display_api_content: true, current_person: current_person 9 present block, :with => Entities::Block, display_api_content: true, current_person: current_person
10 end 10 end
11 11
test/api/blocks_test.rb
  Diff comments   View file @9db0c7d
@@ -53,6 +53,16 @@ class BlocksTest < ActiveSupport::TestCase @@ -53,6 +53,16 @@ class BlocksTest < ActiveSupport::TestCase
53 assert_equal 403, last_response.status 53 assert_equal 403, last_response.status
54 end 54 end
55 55
  56 + should 'get an invisible profile block for an user with permission' do
  57 + profile = fast_create(Profile, public_profile: false)
  58 + profile.add_admin(person)
  59 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  60 + block = fast_create(Block, box_id: box.id)
  61 + get "/api/v1/blocks/#{block.id}?#{params.to_query}"
  62 + json = JSON.parse(last_response.body)
  63 + assert_equal block.id, json["block"]["id"]
  64 + end
  65 +
56 should 'get a block for an user with permission in a private profile' do 66 should 'get a block for an user with permission in a private profile' do
57 profile = fast_create(Profile, public_profile: false) 67 profile = fast_create(Profile, public_profile: false)
58 profile.add_admin(person) 68 profile.add_admin(person)
test/api/boxes_test.rb
  Diff comments   View file @9db0c7d
@@ -81,6 +81,18 @@ class BoxesTest < ActiveSupport::TestCase @@ -81,6 +81,18 @@ class BoxesTest < ActiveSupport::TestCase
81 assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']} 81 assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
82 end 82 end
83 83
  84 + should 'list a block with not logged in display_user for an admin user' do
  85 + profile = fast_create(Profile)
  86 + profile.add_admin(person)
  87 + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
  88 + block = fast_create(Block, box_id: box.id)
  89 + block.display_user = 'not_logged'
  90 + block.save!
  91 + get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
  92 + json = JSON.parse(last_response.body)
  93 + assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
  94 + end
  95 +
84 should 'not list boxes for user without permission' do 96 should 'not list boxes for user without permission' do
85 profile = fast_create(Profile, public_profile: false) 97 profile = fast_create(Profile, public_profile: false)
86 box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) 98 box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)