Commit a9df0202c7b6405df55c9db0f2e16978a91c014e

Authored by Gabriel Silva
1 parent d6d98372

Reviews api permissions

- Reviewed Profile scopes
- Removed the authentication requirement for anonymous access
- Corrected records fetching (considering permission levels)
- Conditionally exposes attributes

Signed-off-by: Gabriel Silva <gabriel93.silva@gmail.com>
Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com>
Signed-off-by: Victor Navarro <victor.matias.navarro@gmail.com>
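--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -16,7 +16,7 @@ class Organization < Profile
 # visible.
 # 4) The user is not a member of the organization but the organization is
 # visible, public and enabled.
-def self.visible_for_person(person)
+def self.listed_for_person(person)
 joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
 AND "role_assignments"."resource_type" = \'Profile\') OR (
 "role_assignments"."resource_id" = "profiles"."environment_id" AND
@@ -26,13 +26,24 @@ class Organization < Profile
 ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
 OR
 ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
-( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
+( profiles.enabled = ? ) ) AND
 ( profiles.visible = ? ) )',
 'profile_admin', 'environment_administrator', Profile.name, person.id,
-Profile.name, person.id, true, true, true]
+Profile.name, person.id, true, true]
 ).uniq
 end
 
+def self.visible_for_person(person)
+listed_for_person(person).where(
+['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
+OR
+( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+( profiles.enabled = ? AND profiles.public_profile = ? ) )',
+'profile_admin', 'environment_administrator', Profile.name, person.id,
+Profile.name, person.id, true, true]
+)
+end
+
 settings_items :closed, :type => :boolean, :default => false
 def closed?
 closed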
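Review bot: The comment kept as context at the top of the second hunk — case 4, "visible, public and enabled" — now sits on `listed_for_person`, whose predicate dropped `profiles.public_profile = ?`, so it no longer describes that scope: any logged-in person now lists private organizations, and only the new `visible_for_person` still matches the comment. I would restate it above `listed_for_person` as `# Organizations the person may learn exist: visible and (enabled, or the person holds a role on it); see visible_for_person for the stricter content check` and keep the original wording on `visible_for_person`. Both methods dereference `person.id`, so a nil person raises instead of falling back to an anonymous scope; the callers added in this commit guard for that, but the methods themselves do not say so. The JOIN at the start of the first hunk continues outside the visible lines, so the role_assignments matching could not be checked here.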
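--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -372,7 +372,7 @@ class Person < Profile
 ['%s@%s' % [self.identifier, self.email_domain] ]
 end
 
-def display_info_to?(user)
+def display_private_info_to?(user)
 if friends.include?(user)
 true
 else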
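--- a/lib/noosfero/api/entities.rb
+++ b/lib/noosfero/api/entities.rb
@@ -9,13 +9,18 @@ module Noosfero
 PERMISSIONS = {
 :admin => 0,
 :self => 10,
-:friend => 20,
+:private_content => 20,
 :logged_user => 30,
 :anonymous => 40
 }
 
-def self.can_display? profile, options, field, permission = :friend
-return true if profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+def self.can_display_profile_field? profile, options, permission_options={}
+permissions={:field => "", :permission => :private_content}
+permissions.merge!(permission_options)
+field = permissions[:field]
+permission = permissions[:permission]
+return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
 current_person = options[:current_person]
 
 current_permission = if current_person.present?
@@ -23,8 +28,8 @@ module Noosfero
 :admin
 elsif current_person == profile
 :self
-elsif current_person.friends.include?(profile)
-:friend
+elsif profile.display_private_info_to?(current_person)
+:private_content
 else
 :logged_user
 end
@@ -103,7 +108,7 @@ module Noosfero
 
 private_values = profile.custom_field_values - profile.public_values
 private_values.each do |value|
-if Entities.can_display?(profile,options,:custom_field)
+if Entities.can_display_profile_field?(profile,options)
 hash[value.custom_field.name]=value.value
 end
 end
@@ -143,11 +148,11 @@ module Noosfero
 class Community < Profile
 root 'communities', 'community'
 expose :description
-expose :admins do |community, options|
+expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
 community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
 end
 expose :categories, :using => Category
-expose :members, :using => Person
+expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
 end
 
 class CommentBase < Entity
@@ -209,11 +214,11 @@ module Noosfero
 
 attrs.each do |attribute|
 name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
-expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display?(user.person, options, attribute)}
+expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => attribute})}
 end
 
-expose :person, :using => Person
-expose :permissions, :if => lambda{|user,options| Entities.can_display?(user.person, options, :permissions, :self)} do |user, options|
+expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
 output = {}
 user.person.role_assignments.map do |role_assigment|
 if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?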
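Review bot: `can_display_profile_field?` merges `permission_options` without validating it, so a caller that misspells the `:permission` key, or passes a level that is not in `PERMISSIONS`, silently falls back to the default `:private_content` instead of the stricter level it asked for — a fail-open default in an authorization helper. I would fail loudly: `permission_options.assert_valid_keys(:field, :permission)` before the merge and `raise ArgumentError, "unknown permission #{permission.inspect}" unless PERMISSIONS.key?(permission)` after it. The call in the third hunk, `can_display_profile_field?(profile,options)`, deliberately passes no field so the `""` default can never match the public-field shortcut; a comment such as `# no :field on purpose: these values are private by construction, so only the permission level decides` would keep someone from "fixing" it. `profile.display_private_info_to?(current_person)` in the second hunk is reached for any profile type, while this commit only shows that method on Person; if Profile does not define it, computing `current_permission` for a community raises. The comparison that consumes `current_permission` continues outside the hunk.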
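--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -266,6 +266,13 @@ require_relative '../../find_by_contents'
 unauthorized! unless current_user
 end
 
+def profiles_for_person(profiles, person)
+if person
+profiles.listed_for_person(person)
+else
+profiles.visible
+end
+end
 
 # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
 # or a Bad Request error is invoked.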
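Review bot: `profiles_for_person` gives anonymous callers `profiles.visible`, while logged-in callers go through `listed_for_person`, which in organization.rb of this commit additionally requires `profiles.enabled = true` for non-members; unless the `visible` scope already filters on `enabled` (not shown here), an anonymous request can list disabled profiles that an authenticated user cannot. I would align the branches with `profiles.visible.where(enabled: true)` — `enabled` is the column the SQL already tests — or document why anonymous is meant to get the broader set. The helper also needs a contract comment, e.g. `# Scope +profiles+ to those +person+ may list (existence, not content); a nil person is anonymous.`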
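--- a/lib/noosfero/api/v1/activities.rb
+++ b/lib/noosfero/api/v1/activities.rb
@@ -7,9 +7,11 @@ module Noosfero
 resource :profiles do
 
 get ':id/activities' do
-profile = environment.profiles
-profile = profile.visible_for_person(current_person) if profile.respond_to?(:visible_for_person)
-profile = profile.find_by id: params[:id]
+profile = Profile.find_by id: params[:id]
+
+not_found! if profile.blank? || profile.secret || !profile.visible
+forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
 activities = profile.activities.map(&:activity)
 present activities, :with => Entities::Activity, :current_person => current_person
 end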
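Review bot: `Profile.find_by id: params[:id]` drops the `environment.profiles` scope the removed lines had, so on a multi-environment instance a profile belonging to another environment becomes reachable through this endpoint by id; keep the scope with `profile = environment.profiles.find_by id: params[:id]`. The `forbidden!` line then re-tests `!profile.secret && profile.visible`, which the preceding `not_found!` already guarantees, so it reduces to `forbidden! unless profile.display_private_info_to?(current_person)`. This makes every profile's activity feed private content — the tests in this commit expect 403 for a public community's non-members — which is stricter than the rest of the API, so a comment above the check stating that intent would stop it being loosened by accident. The enclosing `resource :profiles` block continues outside the hunk.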
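--- a/lib/noosfero/api/v1/communities.rb
+++ b/lib/noosfero/api/v1/communities.rb
@@ -17,8 +17,8 @@ module Noosfero
 # GET /communities?reference_id=10&limit=10&oldest
 get do
 communities = select_filtered_collection_of(environment, 'communities', params)
-communities = communities.visible
-communities = communities.by_location(params) # Must be the last. May return Exception obj.
+communities = profiles_for_person(communities, current_person)
+communities = communities.by_location(params) # Must be the last. May return Exception obj
 present communities, :with => Entities::Community, :current_person => current_person
 end
 
@@ -49,7 +49,7 @@ module Noosfero
 end
 
 get ':id' do
-community = environment.communities.visible.find_by(id: params[:id])
+community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
 present community, :with => Entities::Community, :current_person => current_person
 end
 
@@ -63,6 +63,10 @@ module Noosfero
 
 get do
 person = environment.people.find(params[:person_id])
+
+not_found! if person.blank?
+forbidden! if !person.display_info_to?(current_person)
+
 communities = select_filtered_collection_of(person, 'communities', params)
 communities = communities.visible
 present communities, :with => Entities::Community, :current_person => current_person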
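Review bot: In the third hunk `environment.people.find(params[:person_id])` raises `ActiveRecord::RecordNotFound` for an unknown id, so the new `not_found! if person.blank?` on the next line is unreachable; use the finder the other endpoints use: `person = environment.people.find_by id: params[:person_id]`. The guard then calls `person.display_info_to?`, but person.rb in this commit renames Person's `display_info_to?` to `display_private_info_to?`, so this call now resolves to whatever the superclass defines (not shown) and the friends-based check no longer applies here — confirm that is intended, or call `display_private_info_to?` as activities.rb does. That endpoint also still lists with `communities.visible` while the first two hunks moved to `profiles_for_person`, which is only right if a person's private memberships are meant to be shown to any viewer who passes the gate. The `resource` blocks enclosing these `get` handlers are outside the visible lines.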
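--- a/lib/noosfero/api/v1/profiles.rb
+++ b/lib/noosfero/api/v1/profiles.rb
@@ -16,7 +16,12 @@ module Noosfero
 profiles = environment.profiles
 profiles = profiles.visible
 profile = profiles.find_by id: params[:id]
-present profile, :with => Entities::Profile, :current_person => current_person
+
+if profile
+present profile, :with => Entities::Profile, :current_person => current_person
+else
+not_found!
+end
 end
 
 delete ':id' do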
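Review bot: This endpoint still selects only on `profiles.visible`, whereas the activities endpoint in this commit answers 404 when `profile.secret` is set; unless the `visible` scope already excludes secret profiles (not shown here), `GET /profiles/:id` confirms that a secret profile exists and presents it. I would mirror the activities check — `not_found! if profile.blank? || profile.secret` followed by the `present` call — which also flattens the new if/else. The `get ':id'` handler's opening line and the `delete ':id'` block are outside the visible lines.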
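--- a/lib/noosfero/api/v1/tags.rb
+++ b/lib/noosfero/api/v1/tags.rb
@@ -3,16 +3,16 @@ module Noosfero
 module V1
 class Tags < Grape::API
 before { authenticate! }
-
+
 resource :articles do
 
 resource ':id/tags' do
-
+
 get do
 article = find_article(environment.articles, params[:id])
 present article.tag_list
 end
-
+
 desc "Add a tag to an article"
 post do
 article = find_article(environment.articles, params[:id])
@@ -20,10 +20,8 @@ module Noosfero
 article.save
 present article.tag_list
 end
-
 end
 end
-
 end
 end
 end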
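--- a/lib/noosfero/api/v1/users.rb
+++ b/lib/noosfero/api/v1/users.rb
@@ -18,10 +18,11 @@ module Noosfero
 
 get ":id" do
 user = environment.users.find_by id: params[:id]
-unless user.person.display_info_to? current_person
-unauthorized!
+if user
+present user, :with => Entities::User, :current_person => current_person
+else
+not_found!
 end
-present user, :with => Entities::User, :current_person => current_person
 end
 
 get ":id/permissions" do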
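Review bot: Removing the `unauthorized!` gate makes `GET /users/:id` answer 200 for every existing user id and 404 otherwise, so user existence is enumerable by any caller, and what each response reveals now rests entirely on the `:if` lambdas in `Entities::User` (outside this hunk) — any field exposed there without a lambda leaks unconditionally. Unless this resource runs `before { authenticate! }` (not visible here), I would at least keep the visibility rule the profile endpoints apply, `not_found! if user.blank? || !user.person.visible`, with a comment such as `# attribute-level privacy is enforced by Entities::User; this only hides non-visible profiles`. The old code would have raised on a nil `user`, so the new nil guard itself is an improvement worth keeping.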
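--- a/plugins/comment_paragraph/test/unit/api_test.rb
+++ b/plugins/comment_paragraph/test/unit/api_test.rb
@@ -4,6 +4,7 @@ require_relative '../../../../test/api/test_helper'
 class APITest < ActiveSupport::TestCase
 
 def setup
+create_and_activate_user
 login_api
 environment.enable_plugin(CommentParagraphPlugin)
 end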
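--- a/plugins/push_notification/test/api/api_test.rb
+++ b/plugins/push_notification/test/api/api_test.rb
@@ -3,6 +3,7 @@ require_relative '../../../../test/api/test_helper'
 class PushNotificationApiTest < ActiveSupport::TestCase
 
 def setup
+create_and_activate_user
 login_api
 environment = Environment.default
 environment.enable_plugin(PushNotificationPlugin)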
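--- a/test/api/activities_test.rb
+++ b/test/api/activities_test.rb
@@ -3,20 +3,74 @@ require_relative 'test_helper'
 class ActivitiesTest < ActiveSupport::TestCase
 
 def setup
+create_and_activate_user
 login_api
 end
 
-should 'get activity from profile' do
-person = fast_create(Person)
-organization = fast_create(Organization)
-assert_difference 'organization.activities_count' do
-ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => organization
-organization.reload
-end
-get "/api/v1/profiles/#{organization.id}/activities?#{params.to_query}"
+should 'get own activities' do
+create_activity(person)
+
+get "/api/v1/profiles/#{person.id}/activities?#{params.to_query}"
 json = JSON.parse(last_response.body)
+
 assert 1, json["activities"].count
-assert_equal organization.activities.map(&:activity).first.id, json["activities"].first["id"]
+assert_equivalent person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+end
+
+should 'not get private community activities' do
+community = fast_create(Community, :public_profile => false)
+create_activity(community)
+
+get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_nil json["activities"]
+assert_equal 403, last_response.status
+end
+
+should 'not get community activities if not member' do
+community = fast_create(Community)
+other_person = fast_create(Person)
+community.add_member(other_person) # so there is an activity in community
+
+get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_nil json["activities"]
+assert_equal 403, last_response.status
+end
+
+should 'get community activities for member' do
+community = fast_create(Community)
+create_activity(community)
+community.add_member(person)
+
+get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent community.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+end
+
+should 'not get other person activities' do
+other_person = fast_create(Person)
+create_activity(other_person)
+
+get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_nil json["activities"]
+assert_equal 403, last_response.status
+end
+
+should 'get friend activities' do
+other_person = fast_create(Person)
+other_person.add_friend(person)
+create_activity(other_person)
+
+get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equivalent other_person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]}
+end
+
+def create_activity(target)
+activity = ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => target
+ProfileActivity.create! profile_id: target.id, activity: activity
 end
 
 end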
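Review bot: `assert 1, json["activities"].count` in 'get own activities' (kept as context) can never fail — `assert` treats `1` as the value under test and the count as the failure message — so it should be `assert_equal 1, json["activities"].count`. The commit message says authentication is no longer required for anonymous callers, yet every case here runs after `login_api` in `setup`; a test that requests a community's and a person's activities without logging in and expects 403 would pin the anonymous path of the new `forbidden!` check. `create_activity` always records `person` as the actor, which is fine for these cases but deserves a one-line comment so 'not get other person activities' is not misread as exercising someone else's activity.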
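--- a/test/api/articles_test.rb
+++ b/test/api/articles_test.rb
@@ -3,6 +3,7 @@ require_relative 'test_helper'
 class ArticlesTest < ActiveSupport::TestCase
 
 def setup
+create_and_activate_user
 login_api
 end
 
@@ -199,7 +200,6 @@ class ArticlesTest < ActiveSupport::TestCase
 article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true)
 @params[:value] = 1
 post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
-puts JSON.parse(last_response.body)
 assert_equal 400, last_response.status
 end
 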
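--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -3,8 +3,7 @@ require_relative 'test_helper'
 class BoxesTest < ActiveSupport::TestCase
 
 def setup
-@controller = AccountController.new
-@request = ActionController::TestRequest.new
+create_and_activate_user
 login_api
 # @request = ActionController::TestRequest.new
 end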
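--- a/test/api/categories_test.rb
+++ b/test/api/categories_test.rb
@@ -2,7 +2,11 @@ require_relative 'test_helper'
 
 class CategoriesTest < ActiveSupport::TestCase
 
-should 'list categories to logged user' do
+def setup
+create_and_activate_user
+end
+
+should 'logged user list categories' do
 login_api
 category = fast_create(Category, :environment_id => environment.id)
 get "/api/v1/categories/?#{params.to_query}"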
test/api/comments_test.rb
... ... @@ -4,12 +4,12 @@ class CommentsTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 @local_person = fast_create(Person)
  7 + create_and_activate_user
7 8 end
8   - attr_reader :local_person
9 9  
10 10 should 'logged user not list comments if user has no permission to view the source article' do
11 11 login_api
12   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
  12 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
13 13 assert !article.published?
14 14  
15 15 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
... ... @@ -18,8 +18,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
18 18  
19 19 should 'logged user not return comment if user has no permission to view the source article' do
20 20 login_api
21   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
22   - comment = article.comments.create!(:body => "another comment", :author => local_person)
  21 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
  22 + comment = article.comments.create!(:body => "another comment", :author => @local_person)
23 23 assert !article.published?
24 24  
25 25 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
... ... @@ -28,7 +28,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
28 28  
29 29 should 'logged user not comment an article if user has no permission to view it' do
30 30 login_api
31   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
  31 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false)
32 32 assert !article.published?
33 33  
34 34 post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
... ... @@ -37,9 +37,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
37 37  
38 38 should 'logged user return comments of an article' do
39 39 login_api
40   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
41   - article.comments.create!(:body => "some comment", :author => local_person)
42   - article.comments.create!(:body => "another comment", :author => local_person)
  40 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  41 + article.comments.create!(:body => "some comment", :author => @local_person)
  42 + article.comments.create!(:body => "another comment", :author => @local_person)
43 43  
44 44 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
45 45 json = JSON.parse(last_response.body)
... ... @@ -49,8 +49,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
49 49  
50 50 should 'logged user return comment of an article' do
51 51 login_api
52   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
53   - comment = article.comments.create!(:body => "another comment", :author => local_person)
  52 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  53 + comment = article.comments.create!(:body => "another comment", :author => @local_person)
54 54  
55 55 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
56 56 json = JSON.parse(last_response.body)
... ... @@ -60,7 +60,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
60 60  
61 61 should 'logged user comment an article' do
62 62 login_api
63   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  63 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
64 64 body = 'My comment'
65 65 params.merge!({:body => body})
66 66  
... ... @@ -81,16 +81,16 @@ class CommentsTest &lt; ActiveSupport::TestCase
81 81 end
82 82  
83 83 should 'logged user comment creation define the source' do
84   - login_api
85   - amount = Comment.count
86   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
87   - body = 'My comment'
88   - params.merge!({:body => body})
  84 + login_api
  85 + amount = Comment.count
  86 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  87 + body = 'My comment'
  88 + params.merge!({:body => body})
89 89  
90   - post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
91   - assert_equal amount + 1, Comment.count
92   - comment = Comment.last
93   - assert_not_nil comment.source
  90 + post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  91 + assert_equal amount + 1, Comment.count
  92 + comment = Comment.last
  93 + assert_not_nil comment.source
94 94 end
95 95  
96 96 should 'call plugin hotspot to filter unavailable comments' do
... ... @@ -102,7 +102,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
102 102 Noosfero::Plugin.stubs(:all).returns([Plugin1.name])
103 103 Environment.default.enable_plugin(Plugin1)
104 104  
105   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  105 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
106 106 c1 = fast_create(Comment, source_id: article.id, body: "comment 1")
107 107 c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack')
108 108  
... ... @@ -112,7 +112,7 @@ class CommentsTest &lt; ActiveSupport::TestCase
112 112 end
113 113  
114 114 should 'anonymous do not return comments marked as spam' do
115   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  115 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
116 116 c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true)
117 117 c2 = fast_create(Comment, source_id: article.id, body: "comment 2")
118 118 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
... ... @@ -120,18 +120,18 @@ class CommentsTest &lt; ActiveSupport::TestCase
120 120 assert_equal ["comment 2"], json["comments"].map {|c| c["body"]}
121 121 end
122 122  
123   - should 'not, anonymous list comments if has no permission to view the source article' do
124   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false)
  123 + should 'not list comments if anonymous has no permission to view the source article' do
  124 + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false)
125 125 assert !article.published?
126 126  
127 127 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
128 128 assert_equal 403, last_response.status
129 129 end
130 130  
131   - should 'anonymous return comments of an article' do
132   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
133   - article.comments.create!(:body => "some comment", :author => local_person)
134   - article.comments.create!(:body => "another comment", :author => local_person)
  131 + should 'return comments of an article for anonymous' do
  132 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  133 + article.comments.create!(:body => "some comment", :author => @local_person)
  134 + article.comments.create!(:body => "another comment", :author => @local_person)
135 135  
136 136 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
137 137 json = JSON.parse(last_response.body)
... ... @@ -139,9 +139,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
139 139 assert_equal 2, json["comments"].length
140 140 end
141 141  
142   - should 'anonymous return comment of an article' do
143   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
144   - comment = article.comments.create!(:body => "another comment", :author => local_person)
  142 + should 'return comment of an article for anonymous' do
  143 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  144 + comment = article.comments.create!(:body => "another comment", :author => @local_person)
145 145  
146 146 get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}"
147 147 json = JSON.parse(last_response.body)
... ... @@ -149,12 +149,13 @@ class CommentsTest &lt; ActiveSupport::TestCase
149 149 assert_equal comment.id, json['comment']['id']
150 150 end
151 151  
152   - should 'not, anonymous comment an article (at least so far...)' do
153   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
  152 + should 'anonymous user not comment an article' do
  153 + article = fast_create(Article, :profile_id => person.id, :name => "Some thing")
154 154 body = 'My comment'
155 155 name = "John Doe"
156 156 email = "JohnDoe@gmail.com"
157 157 params.merge!({:body => body, name: name, email: email})
  158 +
158 159 post "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
159 160 json = JSON.parse(last_response.body)
160 161 assert_equal 401, last_response.status
... ... @@ -162,8 +163,8 @@ class CommentsTest &lt; ActiveSupport::TestCase
162 163  
163 164 should 'logged user paginate comments' do
164 165 login_api
165   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
166   - 5.times { article.comments.create!(:body => "some comment", :author => local_person) }
  166 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  167 + 5.times { article.comments.create!(:body => "some comment", :author => @local_person) }
167 168 params[:per_page] = 3
168 169  
169 170 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
... ... @@ -174,9 +175,9 @@ class CommentsTest &lt; ActiveSupport::TestCase
174 175  
175 176 should 'logged user return only root comments' do
176 177 login_api
177   - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing")
178   - comment1 = article.comments.create!(:body => "some comment", :author => local_person)
179   - comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id)
  178 + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing")
  179 + comment1 = article.comments.create!(:body => "some comment", :author => @local_person)
  180 + comment2 = article.comments.create!(:body => "another comment", :author => @local_person, :reply_of_id => comment1.id)
180 181 params[:without_reply] = true
181 182  
182 183 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
... ...
test/api/communities_test.rb
... ... @@ -4,28 +4,31 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
4 4  
5 5 def setup
6 6 Community.delete_all
  7 + create_and_activate_user
7 8 end
8 9  
9   - should 'logged user list only communities' do
  10 + should 'list only communities to logged user' do
10 11 login_api
11 12 community = fast_create(Community, :environment_id => environment.id)
12 13 enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
  14 +
13 15 get "/api/v1/communities?#{params.to_query}"
14 16 json = JSON.parse(last_response.body)
15 17 assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
16 18 assert_includes json['communities'].map {|c| c['id']}, community.id
17 19 end
18 20  
19   - should 'logged user list all communities' do
  21 + should 'list all communities to logged user' do
20 22 login_api
21 23 community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
22 24 community2 = fast_create(Community, :environment_id => environment.id)
  25 +
23 26 get "/api/v1/communities?#{params.to_query}"
24 27 json = JSON.parse(last_response.body)
25 28 assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
26 29 end
27 30  
28   - should 'not, logged user list invisible communities' do
  31 + should 'not list invisible communities to logged user' do
29 32 login_api
30 33 community1 = fast_create(Community, :environment_id => environment.id)
31 34 fast_create(Community, :environment_id => environment.id, :visible => false)
... ... @@ -35,28 +38,28 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
35 38 assert_equal [community1.id], json['communities'].map {|c| c['id']}
36 39 end
37 40  
38   - should 'logged user list private communities' do
39   - login_api
40   - community1 = fast_create(Community, :environment_id => environment.id)
41   - community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  41 + should 'list private communities to logged user' do
  42 + login_api
  43 + community1 = fast_create(Community, :environment_id => environment.id)
  44 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
42 45  
43   - get "/api/v1/communities?#{params.to_query}"
44   - json = JSON.parse(last_response.body)
45   - assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
  46 + get "/api/v1/communities?#{params.to_query}"
  47 + json = JSON.parse(last_response.body)
  48 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
46 49 end
47 50  
48   - should 'logged user list private community for members' do
  51 + should 'list private communities to logged members' do
49 52 login_api
50   - c1 = fast_create(Community, :environment_id => environment.id)
51   - c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
52   - c2.add_member(person)
  53 + community1 = fast_create(Community, :environment_id => environment.id)
  54 + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  55 + community2.add_member(person)
53 56  
54 57 get "/api/v1/communities?#{params.to_query}"
55 58 json = JSON.parse(last_response.body)
56   - assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']}
  59 + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
57 60 end
58 61  
59   - should 'logged user create a community' do
  62 + should 'create a community with logged user' do
60 63 login_api
61 64 params[:community] = {:name => 'some'}
62 65 post "/api/v1/communities?#{params.to_query}"
... ... @@ -64,14 +67,14 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
64 67 assert_equal 'some', json['community']['name']
65 68 end
66 69  
67   - should 'logged user return 400 status for invalid community creation' do
  70 + should 'return 400 status for invalid community creation to logged user ' do
68 71 login_api
69 72 post "/api/v1/communities?#{params.to_query}"
70 73 json = JSON.parse(last_response.body)
71 74 assert_equal 400, last_response.status
72 75 end
73 76  
74   - should 'logged user get community' do
  77 + should 'get community to logged user' do
75 78 login_api
76 79 community = fast_create(Community, :environment_id => environment.id)
77 80  
... ... @@ -80,26 +83,27 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
80 83 assert_equal community.id, json['community']['id']
81 84 end
82 85  
83   - should 'not, logged user get invisible community' do
  86 + should 'not list invisible community to logged users' do
84 87 login_api
85 88 community = fast_create(Community, :environment_id => environment.id, :visible => false)
86 89  
87 90 get "/api/v1/communities/#{community.id}?#{params.to_query}"
88 91 json = JSON.parse(last_response.body)
89   - assert json['community'].blank?
  92 +
  93 + assert_nil json["community"]
90 94 end
91 95  
92   - should 'not, logged user get private communities without permission' do
  96 + should 'not get private community content to non member' do
93 97 login_api
94   - community = fast_create(Community, :environment_id => environment.id)
95   - fast_create(Community, :environment_id => environment.id, :public_profile => false)
  98 + community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
96 99  
97 100 get "/api/v1/communities/#{community.id}?#{params.to_query}"
98 101 json = JSON.parse(last_response.body)
99 102 assert_equal community.id, json['community']['id']
  103 + assert_nil json['community']['members']
100 104 end
101 105  
102   - should 'logged user get private community for members' do
  106 + should 'get private community to logged member' do
103 107 login_api
104 108 community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true)
105 109 community.add_member(person)
... ... @@ -107,9 +111,10 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
107 111 get "/api/v1/communities/#{community.id}?#{params.to_query}"
108 112 json = JSON.parse(last_response.body)
109 113 assert_equal community.id, json['community']['id']
  114 + assert_not_nil json['community']['members']
110 115 end
111 116  
112   - should 'logged user list person communities' do
  117 + should 'list person communities to logged user' do
113 118 login_api
114 119 community = fast_create(Community, :environment_id => environment.id)
115 120 fast_create(Community, :environment_id => environment.id)
... ... @@ -120,16 +125,16 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
120 125 assert_equivalent [community.id], json['communities'].map {|c| c['id']}
121 126 end
122 127  
123   - should 'not, logged user list person communities invisible' do
  128 + should 'not list person invisible communities to logged user' do
124 129 login_api
125   - c1 = fast_create(Community, :environment_id => environment.id)
126   - c2 = fast_create(Community, :environment_id => environment.id, :visible => false)
127   - c1.add_member(person)
128   - c2.add_member(person)
  130 + community1 = fast_create(Community, :environment_id => environment.id)
  131 + community2 = fast_create(Community, :environment_id => environment.id, :visible => false)
  132 + community1.add_member(person)
  133 + community2.add_member(person)
129 134  
130 135 get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
131 136 json = JSON.parse(last_response.body)
132   - assert_equivalent [c1.id], json['communities'].map {|c| c['id']}
  137 + assert_equivalent [community1.id], json['communities'].map {|c| c['id']}
133 138 end
134 139  
135 140 should 'logged user list communities with pagination' do
... ... @@ -154,7 +159,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
154 159 assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
155 160 end
156 161  
157   - should 'logged user list communities with timestamp' do
  162 + should 'list communities with timestamp to logged user' do
158 163 login_api
159 164 community1 = fast_create(Community, :public_profile => true)
160 165 community2 = fast_create(Community)
... ... @@ -173,6 +178,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
173 178 should 'anonymous list only communities' do
174 179 community = fast_create(Community, :environment_id => environment.id)
175 180 enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise
  181 +
176 182 get "/api/v1/communities?#{params.to_query}"
177 183 json = JSON.parse(last_response.body)
178 184 assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id
... ... @@ -182,12 +188,13 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
182 188 should 'anonymous list all communities' do
183 189 community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true)
184 190 community2 = fast_create(Community, :environment_id => environment.id)
  191 +
185 192 get "/api/v1/communities?#{params.to_query}"
186 193 json = JSON.parse(last_response.body)
187 194 assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
188 195 end
189 196  
190   - should 'not, anonymous list invisible communities' do
  197 + should 'not list invisible communities to anonymous' do
191 198 community1 = fast_create(Community, :environment_id => environment.id)
192 199 fast_create(Community, :environment_id => environment.id, :visible => false)
193 200  
... ... @@ -196,7 +203,17 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
196 203 assert_equal [community1.id], json['communities'].map {|c| c['id']}
197 204 end
198 205  
199   - should 'anonymous list private communities' do
  206 + should 'list all visible communities except secret ones to anonymous' do
  207 + community = fast_create(Community, :environment_id => environment.id)
  208 + private_community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  209 + secret_community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :secret => true)
  210 +
  211 + get "/api/v1/communities?#{params.to_query}"
  212 + json = JSON.parse(last_response.body)
  213 + assert_equivalent [community.id, private_community.id], json['communities'].map {|c| c['id']}
  214 + end
  215 +
  216 + should 'list private communities to anonymous' do
200 217 community1 = fast_create(Community, :environment_id => environment.id)
201 218 community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false)
202 219  
... ... @@ -205,36 +222,59 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
205 222 assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']}
206 223 end
207 224  
208   - should 'not, anonymous create a community' do
  225 + should 'not create a community as an anonymous user' do
209 226 params[:community] = {:name => 'some'}
  227 +
210 228 post "/api/v1/communities?#{params.to_query}"
211 229 json = JSON.parse(last_response.body)
212 230 assert_equal 401, last_response.status
213 231 end
214 232  
215   - should 'anonymous get community' do
  233 + should 'get community for anonymous' do
216 234 community = fast_create(Community, :environment_id => environment.id)
217 235 get "/api/v1/communities/#{community.id}"
218 236 json = JSON.parse(last_response.body)
219 237 assert_equal community.id, json['community']['id']
220 238 end
221 239  
222   - should 'not, anonymous get invisible community' do
  240 + should 'not get invisible community to anonymous user' do
223 241 community = fast_create(Community, :environment_id => environment.id, :visible => false)
224 242 get "/api/v1/communities/#{community.id}"
225 243 json = JSON.parse(last_response.body)
226 244 assert json['community'].blank?
227 245 end
228 246  
229   - should 'not, anonymous get private communities' do
230   - community = fast_create(Community, :environment_id => environment.id)
231   - fast_create(Community, :environment_id => environment.id, :public_profile => false)
  247 + should 'get private community to anonymous user' do
  248 + community = fast_create(Community, :environment_id => environment.id, :public_profile => false)
  249 +
232 250 get "/api/v1/communities/#{community.id}"
233 251 json = JSON.parse(last_response.body)
234 252 assert_equal community.id, json['community']['id']
  253 + assert_nil json['community']['members']
  254 + end
  255 +
  256 + should 'list public person communities to anonymous' do
  257 + community = fast_create(Community, :environment_id => environment.id)
  258 + fast_create(Community, :environment_id => environment.id)
  259 + community.add_member(person)
  260 +
  261 + get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
  262 + json = JSON.parse(last_response.body)
  263 + assert_equivalent [community.id], json['communities'].map {|c| c['id']}
  264 + end
  265 +
  266 + should 'not list private person communities to anonymous' do
  267 + community = fast_create(Community, :environment_id => environment.id)
  268 + fast_create(Community, :environment_id => environment.id)
  269 + person.public_profile = false
  270 + person.save
  271 + community.add_member(person)
  272 +
  273 + get "/api/v1/people/#{person.id}/communities?#{params.to_query}"
  274 + assert_equal 403, last_response.status
235 275 end
236 276  
237   - should 'anonymous list communities with pagination' do
  277 + should 'list communities with pagination to anonymous' do
238 278 community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago)
239 279 community2 = fast_create(Community, :created_at => 2.days.ago)
240 280  
... ... @@ -255,7 +295,7 @@ class CommunitiesTest &lt; ActiveSupport::TestCase
255 295 assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id
256 296 end
257 297  
258   - should 'anonymous list communities with timestamp' do
  298 + should 'list communities with timestamp to anonymous ' do
259 299 community1 = fast_create(Community, :public_profile => true)
260 300 community2 = fast_create(Community)
261 301  
... ...
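--- a/test/api/enterprises_test.rb
+++ b/test/api/enterprises_test.rb
@@ -4,6 +4,7 @@ class EnterprisesTest < ActiveSupport::TestCase
 
   def setup
     Enterprise.delete_all
+    create_and_activate_user
   end
 
   should 'logger user list only enterprises' do
@@ -17,7 +18,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list only enterprises' do
-    anonymous_setup
     community = fast_create(Community, :environment_id => environment.id) # should not list this community
     enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -27,7 +27,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list all enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id)
     get "/api/v1/enterprises?#{params.to_query}"
@@ -55,7 +54,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'not, anonymous list invisible enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :visible => false)
 
@@ -71,11 +69,10 @@ class EnterprisesTest < ActiveSupport::TestCase
 
     get "/api/v1/enterprises?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equal [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']}
+    assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}
   end
 
   should 'anonymous list private enterprises' do
-    anonymous_setup
     enterprise1 = fast_create(Enterprise, :environment_id => environment.id)
     enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
 
@@ -106,7 +103,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'anonymous get enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
 
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -133,7 +129,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'not, anonymous get invisible enterprise' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :visible => false)
 
     get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}"
@@ -152,7 +147,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'not, anonymous get private enterprises' do
-    anonymous_setup
     enterprise = fast_create(Enterprise, :environment_id => environment.id)
     fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)
 
@@ -195,7 +189,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} }
@@ -208,7 +201,6 @@ class EnterprisesTest < ActiveSupport::TestCase
   end
 
   should 'not display public custom fields to anonymous' do
-    anonymous_setup
     CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default)
     some_enterprise = fast_create(Enterprise)
     some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} }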
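Review bot: `'not, anonymous get private enterprises'` still creates the private enterprise as a throwaway (`fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)`) and keeps only the public one in `enterprise`, so the request that follows (outside this hunk) targets the public profile and the private-profile path is never exercised. The commit rewrote the equivalent community test to request the private profile itself and assert on the attributes withheld from non-members; this test should follow suit with `enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false)` plus an `assert_nil` on whichever attribute the API hides from anonymous callers. As written, a regression that exposes private enterprise data to anonymous users would pass this suite.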
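--- a/test/api/environment_test.rb
+++ b/test/api/environment_test.rb
@@ -2,6 +2,10 @@ require_relative 'test_helper'
 
 class EnvironmentTest < ActiveSupport::TestCase
 
+  def setup
+    create_and_activate_user
+  end
+
   should 'return the default environment' do
     environment = Environment.default
     get "/api/v1/environment/default"
@@ -62,6 +66,6 @@ class EnvironmentTest < ActiveSupport::TestCase
     get "/api/v1/environment/context"
     json = JSON.parse(last_response.body)
     assert_equal context_env.id, json['id']
-  end
+  end
 
 end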
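--- a/test/api/helpers_test.rb
+++ b/test/api/helpers_test.rb
@@ -6,28 +6,26 @@ class APIHelpersTest < ActiveSupport::TestCase
   include Noosfero::API::APIHelpers
 
   def setup
+    create_and_activate_user
     @headers = {}
   end
 
   attr_accessor :headers
 
   should 'get the current user with valid token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user, current_user
   end
 
   should 'get the current user with valid token in header' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     headers['Private-Token'] = user.private_token
     assert_equal user, current_user
   end
 
   should 'get the current user even with expired token' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     user.private_token_generated_at = DateTime.now.prev_year
     user.save
     self.params = {:private_token => user.private_token}
@@ -35,8 +33,7 @@ class APIHelpersTest < ActiveSupport::TestCase
   end
 
   should 'get the person of current user' do
-    user = create_user('someuser')
-    user.generate_private_token!
+    login_api
     self.params = {:private_token => user.private_token}
     assert_equal user.person, current_person
   end
@@ -106,24 +103,22 @@ class APIHelpersTest < ActiveSupport::TestCase
   end
 
   should 'find_article return article by id in list passed for user with permission' do
-    user = create_user('someuser')
+    login_api
     a = fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
     fast_create(Article, :profile_id => user.person.id)
 
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal a, find_article(user.person.articles, a.id)
   end
 
   should 'find_article return forbidden when a user try to access an article without permission' do
-    user = create_user('someuser')
+    login_api
     p = fast_create(Profile)
     a = fast_create(Article, :published => false, :profile_id => p.id)
     fast_create(Article, :profile_id => p.id)
 
-    user.generate_private_token!
     self.params = {private_token: user.private_token}
     User.expects(:find_by).with(private_token: user.private_token).returns(user)
     assert_equal 403, find_article(p.articles, a.id).last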
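Review bot: After `login_api` these tests read `user.private_token` from the in-memory `@user` built in setup, while the token actually issued is the one the `/login` endpoint returned and `login_api` stored in `private_token`; if the endpoint generated the token on a separately loaded record, `@user.private_token` is stale and the `User.expects(:find_by)` stubs are keyed on a value that never went through the API. Use the captured value, `self.params = {:private_token => private_token}`, or call `user.reload` before reading it, so the helper tests and the login path agree on a single token. Separately, `'get the current user even with expired token'` now pins via `login_api` that a `private_token_generated_at` a year old is still honored; if non-expiring tokens are intended, a one-line comment on that test saying so would stop readers from treating it as a missing expiry check.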
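--- a/test/api/people_test.rb
+++ b/test/api/people_test.rb
@@ -3,7 +3,8 @@ require_relative 'test_helper'
 class PeopleTest < ActiveSupport::TestCase
 
   def setup
-    Person.delete_all
+    Person.destroy_all
+    create_and_activate_user
   end
 
   should 'logged user list all people' do
@@ -16,12 +17,11 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list all people' do
-    anonymous_setup
     person1 = fast_create(Person, :public_profile => true)
     person2 = fast_create(Person)
     get "/api/v1/people?#{params.to_query}"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']}
+    assert_equivalent [person.id, person1.id, person2.id], json['people'].map {|c| c['id']}
   end
 
   should 'logged user list all members of a community' do
@@ -39,7 +39,6 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list all members of a community' do
-    anonymous_setup
     person1 = fast_create(Person)
     person2 = fast_create(Person)
     community = fast_create(Community)
@@ -76,7 +75,6 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
 
     get "/api/v1/people?#{params.to_query}"
@@ -170,7 +168,6 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'anonymous get private people' do
-    anonymous_setup
     private_person = fast_create(Person, :public_profile => false)
 
     get "/api/v1/people/#{private_person.id}?#{params.to_query}"
@@ -199,7 +196,6 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'anonymous list person friends' do
-    anonymous_setup
     person = fast_create(Person)
     friend = fast_create(Person)
     person.add_friend(friend)
@@ -270,7 +266,7 @@ class PeopleTest < ActiveSupport::TestCase
 
   should 'not display permissions if not admin or self' do
     login_api
-    some_person = create_user('some-person').person
+    some_person = fast_create(Person)
 
     get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}"
     assert_equal 403, last_response.status
@@ -296,8 +292,11 @@ class PeopleTest < ActiveSupport::TestCase
 
   should 'logged user display public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
     some_person.save!
 
@@ -309,10 +308,11 @@ class PeopleTest < ActiveSupport::TestCase
 
   should 'logged user not display non-public custom fields' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
+    some_person.user.activate
 
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
@@ -320,36 +320,31 @@ class PeopleTest < ActiveSupport::TestCase
   end
 
   should 'display public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.reload
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} }
+    person.save!
 
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert json['person']['additional_data'].has_key?('Custom Blog')
     assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog']
   end
 
   should 'not display non-public custom fields to anonymous' do
-    anonymous_setup
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
-    some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
-    some_person.save!
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
+    person.save!
 
-    get "/api/v1/people/#{some_person.id}?#{params.to_query}"
+    get "/api/v1/people/#{person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)
     assert_equal json['person']['additional_data'], {}
   end
 
   should 'hide private fields to anonymous' do
-    anonymous_setup
-    target_person = create_user('some-user').person
-    target_person.save!
+    target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
 
-    get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+    get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
     json = JSON.parse(last_response.body)
     refute json["user"].has_key?("permissions")
     refute json["user"].has_key?("activated")
@@ -357,15 +352,16 @@ class PeopleTest < ActiveSupport::TestCase
 
   should 'display non-public custom fields to friend' do
     login_api
-    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default)
-    some_person = create_user('some-person').person
+    CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment)
+    some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+    some_person.user.activate
+    some_person.reload
+
     some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} }
     some_person.save!
 
-    f = Friendship.new
-    f.friend = some_person
-    f.person = person
-    f.save!
+    some_person.add_friend(person)
+    person.add_friend(some_person)
 
     get "/api/v1/people/#{some_person.id}?#{params.to_query}"
     json = JSON.parse(last_response.body)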
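Review bot: `:password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD'` in the four new `User.create!` calls (e.g. in `'logged user display public custom fields'` and `'hide private fields to anonymous'`) passes the literal string `"USER_PASSWORD"`, not the `USER_PASSWORD` constant the commit introduces in test_helper.rb. It only goes unnoticed because no test authenticates as `user1`; the first test that tries to log in as that user will fail for a reason that is hard to spot. Drop the quotes, `:password => USER_PASSWORD, :password_confirmation => USER_PASSWORD`, and since the same `User.create!(:login => 'user1', ...)` line is now repeated four times, consider moving it into a small helper next to `create_and_activate_user` in test_helper.rb.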
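--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -4,6 +4,7 @@ class ProfilesTest < ActiveSupport::TestCase
 
   def setup
     Profile.delete_all
+    create_and_activate_user
   end
 
   should 'logged user list all profiles' do
@@ -24,6 +25,13 @@ class ProfilesTest < ActiveSupport::TestCase
     assert_equal some_person.id, json['id']
   end
 
+  should 'not get inexistent profile' do
+    login_api
+    get "/api/v1/profiles/invalid_id?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 404, last_response.status
+  end
+
   should 'logged user get community from profile id' do
     login_api
     community = fast_create(Community)
@@ -85,7 +93,6 @@ class ProfilesTest < ActiveSupport::TestCase
   end
 
   should 'anonymous user access delete action' do
-    anonymous_setup
     profile = fast_create(Person, :environment_id => environment.id)
 
     delete "/api/v1/profiles/#{profile.id}?#{params.to_query}"
@@ -99,7 +106,7 @@ class ProfilesTest < ActiveSupport::TestCase
     community = fast_create(Community)
     get "/api/v1/profiles"
     json = JSON.parse(last_response.body)
-    assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']}
+    assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']}
   end
 
   should 'anonymous get person from profile id' do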
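Review bot: `'not get inexistent profile'` requests `/api/v1/profiles/invalid_id`, a non-numeric id, so it may only show that a malformed id is rejected rather than that a well-formed id with no matching row yields 404; the local `json` is also parsed and never used. Add a numeric probe with the same assertion, e.g. `get "/api/v1/profiles/#{Profile.maximum(:id).to_i + 1}?#{params.to_query}"` followed by `assert_equal 404, last_response.status`, and drop the unused `json`. Since the profile endpoint is also reachable without a token (see `'anonymous get person from profile id'`), it is worth pinning that a missing id and an invisible id produce the same status, so the response cannot be used to enumerate hidden profiles.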
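--- a/test/api/search_test.rb
+++ b/test/api/search_test.rb
@@ -3,9 +3,8 @@ require_relative 'test_helper'
 class SearchTest < ActiveSupport::TestCase
 
   def setup
-    @person = create_user('testing').person
+    create_and_activate_user
   end
-  attr_reader :person
 
   should 'not list unpublished articles' do
     Article.delete_all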
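--- a/test/api/session_test.rb
+++ b/test/api/session_test.rb
@@ -3,6 +3,7 @@ require_relative 'test_helper'
 class SessionTest < ActiveSupport::TestCase
 
   def setup
+    create_and_activate_user
     login_api
   end
 
@@ -147,10 +148,9 @@ class SessionTest < ActiveSupport::TestCase
   end
 
   should 'create task to change password by user login' do
-    user = create_user
     params = {:value => user.login}
     assert_difference 'ChangePassword.count' do
-      post "/api/v1/forgot_password?#{params.to_query}"
+      post "/api/v1/forgot_password?#{params.to_query}"
     end
   end
 
@@ -173,8 +173,6 @@ class SessionTest < ActiveSupport::TestCase
   end
 
   should 'do not change user password when password confirmation is wrong' do
-    user = create_user
-    user.activate
     task = ChangePassword.create!(:requestor => user.person)
     params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
     patch "/api/v1/new_password?#{params.to_query}"
@@ -200,8 +198,8 @@ class SessionTest < ActiveSupport::TestCase
   end
 
   should 'resend activation code for an inactive user' do
-    user = create_user
-    params = {:value => user.login}
+    another_user = User.create!(:login => "userlogin", :password => 'testapi', :password_confirmation => 'testapi', :email => 'test2@test.org', :environment => @environment)
+    params = {:value => another_user.login}
     Delayed::Job.destroy_all
     assert_difference 'ActionMailer::Base.deliveries.size' do
       post "/api/v1/resend_activation_code?#{params.to_query}"
@@ -209,13 +207,11 @@ class SessionTest < ActiveSupport::TestCase
     end
     json = JSON.parse(last_response.body)
     refute json['users'].first['private_token']
-    assert_equal user.email, ActionMailer::Base.deliveries.last['to'].to_s
+    assert_equal another_user.email, ActionMailer::Base.deliveries.last['to'].to_s
   end
 
   should 'not resend activation code for an active user' do
-    user = create_user
     params = {:value => user.login}
-    user.activate
     Delayed::Job.destroy_all
     assert_no_difference 'ActionMailer::Base.deliveries.size' do
       post "/api/v1/resend_activation_code?#{params.to_query}"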
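Review bot: `another_user` in `'resend activation code for an inactive user'` hard-codes `'testapi'` as the password and reads `@environment` directly, right after the commit introduced `USER_PASSWORD` and the `environment` accessor in test_helper.rb for this purpose; use `:password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :environment => environment` so the fixture password lives in one place. Note also that the local `params = {...}` in these tests shadows the `params` accessor that `setup`'s `login_api` now populates, so these requests go out without a token; if that is intended for the forgot-password and resend-activation endpoints, a one-line comment such as `# unauthenticated on purpose: these endpoints are reached before login` would keep a later reader from "fixing" it.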
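--- a/test/api/task_test.rb
+++ b/test/api/task_test.rb
@@ -3,8 +3,8 @@ require_relative 'test_helper'
 class TasksTest < ActiveSupport::TestCase
 
   def setup
+    create_and_activate_user
     login_api
-    @person = user.person
     @community = fast_create(Community)
     @environment = Environment.default
   end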
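--- a/test/api/test_helper.rb
+++ b/test/api/test_helper.rb
@@ -4,17 +4,23 @@ class ActiveSupport::TestCase
 
   include Rack::Test::Methods
 
+  USER_PASSWORD = "testapi"
+  USER_LOGIN = "testapi"
+
   def app
     Noosfero::API::API
   end
 
-  def login_api
+  def create_and_activate_user
     @environment = Environment.default
-    @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)
+    @user = User.create!(:login => USER_LOGIN, :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test@test.org', :environment => @environment)
     @user.activate
     @person = @user.person
+    @params = {}
+  end
 
-    post "/api/v1/login?login=testapi&password=testapi"
+  def login_api
+    post "/api/v1/login?login=#{USER_LOGIN}&password=#{USER_PASSWORD}"
     json = JSON.parse(last_response.body)
     @private_token = json["private_token"]
     unless @private_token
@@ -22,7 +28,7 @@ class ActiveSupport::TestCase
       @private_token = @user.private_token
     end
 
-    @params = {:private_token => @private_token}
+    @params[:private_token] = @private_token
   end
 
   attr_accessor :private_token, :user, :person, :params, :environment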
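Review bot: `login_api` now silently depends on `create_and_activate_user` having run first: `@params[:private_token] = @private_token` raises NoMethodError on nil when a test class omits it from `setup`, and the fallback `@private_token = @user.private_token` fails the same way. Make the precondition explicit at the top of `login_api`, either `create_and_activate_user unless @user` or `raise 'call create_and_activate_user in setup before login_api' if @user.nil?`, so the failure names the cause. The pre-existing fallback to `@user.private_token` when `/login` returns no token also deserves a comment or removal: it lets any test that only relies on `login_api` pass with a token that never went through the login endpoint, so a broken login route would not be caught by those tests.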
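--- a/test/api/users_test.rb
+++ b/test/api/users_test.rb
@@ -3,6 +3,10 @@ require_relative 'test_helper'
 
 class UsersTest < ActiveSupport::TestCase
 
+def setup
+create_and_activate_user
+end
+
 should 'logger user list users' do
 login_api
 get "/api/v1/users/?#{params.to_query}"
@@ -35,8 +39,8 @@ class UsersTest < ActiveSupport::TestCase
 
 should 'not show permissions to logged user' do
 login_api
-target_person = create_user('some-user').person
-get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 refute json["user"].has_key?("permissions")
 end
@@ -50,12 +54,10 @@ class UsersTest < ActiveSupport::TestCase
 
 should 'not show permissions to friend' do
 login_api
-target_person = create_user('some-user').person
+target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
 
-f = Friendship.new
-f.friend = target_person
-f.person = person
-f.save!
+target_person.add_friend(person)
+person.add_friend(target_person)
 
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
@@ -64,19 +66,21 @@ class UsersTest < ActiveSupport::TestCase
 
 should 'not show private attribute to logged user' do
 login_api
-target_person = create_user('some-user').person
-get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
+
+get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
-refute json["user"].has_key?("email")
+assert_equal 200, last_response.status
+assert_nil json['user']['email']
+assert_nil json['user']['person']
 end
 
 should 'show private attr to friend' do
 login_api
-target_person = create_user('some-user').person
-f = Friendship.new
-f.friend = target_person
-f.person = person
-f.save!
+target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+target_person.add_friend(person)
+person.add_friend(target_person)
+
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert json["user"].has_key?("email")
@@ -85,9 +89,12 @@ class UsersTest < ActiveSupport::TestCase
 
 should 'show public attribute to logged user' do
 login_api
-target_person = create_user('some-user').person
+target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
+target_person.public_profile = true
+target_person.visible = true
 target_person.fields_privacy={:email=> 'public'}
 target_person.save!
+
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 assert json["user"].has_key?("email")
@@ -98,7 +105,7 @@ class UsersTest < ActiveSupport::TestCase
 login_api
 Environment.default.add_admin(person)
 
-target_person = create_user('some-user').person
+target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
 target_person.fields_privacy={:email=> 'public'}
 target_person.save!
 
@@ -110,9 +117,10 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'show public fields to anonymous' do
-anonymous_setup
-target_person = create_user('some-user').person
+target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person
 target_person.fields_privacy={:email=> 'public'}
+target_person.public_profile = true
+target_person.visible = true
 target_person.save!
 
 get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
@@ -121,11 +129,9 @@ class UsersTest < ActiveSupport::TestCase
 end
 
 should 'hide private fields to anonymous' do
-anonymous_setup
-target_person = create_user('some-user').person
-target_person.save!
+target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment)
 
-get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
+get "/api/v1/users/#{target_user.id}/?#{params.to_query}"
 json = JSON.parse(last_response.body)
 refute json["user"].has_key?("permissions")
 refute json["user"].has_key?("activated")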
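Review bot: `:password => 'USER_PASSWORD'` in the seven new `User.create!` calls (new-side lines 42, 57, 69, 80, 92, 108 and 132) quotes the constant's name as a string literal, whereas `login_api` in test_helper.rb interpolates the constant `USER_PASSWORD`; the tests still pass because no test logs in as the target user, but the intent is clearly the constant. Since the same creation line is repeated verbatim, a helper would fix it in one place: `def create_target_user` / `User.create!(:login => 'user1', :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test2@test.org', :environment => environment)` / `end`, with each site calling `create_target_user` or `create_target_user.person` (this assumes the constant is reachable from this file, which the diff does not show). The "hidden attribute" assertions are also inconsistent: the logged-user test now uses `assert_nil json['user']['email']`, which also passes when the key is present with a null value, while the anonymous tests still use `refute json["user"].has_key?(...)`; for a conditional-exposure check these are not equivalent, so one form should be used throughout. The body of 'hide private fields to anonymous' continues past the last hunk.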
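--- a/test/unit/organization_test.rb
+++ b/test/unit/organization_test.rb
@@ -458,7 +458,7 @@ class OrganizationTest < ActiveSupport::TestCase
 refute c.is_admin?(moderator)
 end
 
-should 'fetch organizations there are visible for a user' do
+should 'fetch organizations that are visible for users' do
 person = create_user('some-person').person
 admin = create_user('some-admin').person
 env_admin = create_user('env-admin').person
@@ -513,18 +513,58 @@ class OrganizationTest < ActiveSupport::TestCase
 assert_includes env_admin_orgs, o7
 end
 
-should 'fetch organizations there are visible for a visitor' do
-visitor = nil
-Organization.destroy_all
+should 'fetch organizations that are listed for users' do
+person = create_user('some-person').person
+admin = create_user('some-admin').person
+env_admin = create_user('env-admin').person
+
 o1 = fast_create(Organization, :public_profile => true , :visible => true )
-o2 = fast_create(Organization, :public_profile => false, :visible => true )
-o3 = fast_create(Organization, :public_profile => true , :visible => false)
-o4 = fast_create(Organization, :public_profile => false, :visible => false)
-person_orgs = Organization.visible_for_person(visitor)
-assert_includes person_orgs, o1
-assert_not_includes person_orgs, o2
-assert_not_includes person_orgs, o3
-assert_not_includes person_orgs, o4
-end
+o1.add_admin(admin)
+o1.add_member(person)
+
+o2 = fast_create(Organization, :public_profile => true , :visible => true )
+o3 = fast_create(Organization, :public_profile => false, :visible => true )
+
+o4 = fast_create(Organization, :public_profile => false, :visible => true)
+o4.add_admin(admin)
+o4.add_member(person)
+
+o5 = fast_create(Organization, :public_profile => true , :visible => false)
+o5.add_admin(admin)
+o5.add_member(person)
+
+o6 = fast_create(Enterprise, :enabled => false, :visible => true)
+o6.add_admin(admin)
+
+o7 = fast_create(Organization, :public_profile => false, :visible => false)
+
+Environment.default.add_admin(env_admin)
+
+person_orgs = Organization.listed_for_person(person)
+admin_orgs = Organization.listed_for_person(admin)
+env_admin_orgs = Organization.listed_for_person(env_admin)
+
+assert_includes person_orgs, o1
+assert_includes admin_orgs, o1
+assert_includes env_admin_orgs, o1
+
+assert_includes person_orgs, o2
+assert_includes env_admin_orgs, o2
+assert_includes person_orgs, o3
+assert_includes env_admin_orgs, o3
+
+assert_includes person_orgs, o4
+assert_includes admin_orgs, o4
+assert_includes env_admin_orgs, o4
+
+assert_not_includes person_orgs, o5
+assert_includes admin_orgs, o5
+assert_includes env_admin_orgs, o5
 
+assert_not_includes person_orgs, o6
+assert_includes admin_orgs, o6
+
+assert_not_includes person_orgs, o7
+assert_includes env_admin_orgs, o7
+end
 end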
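Review bot: The new 'fetch organizations that are listed for users' test (new-side lines 516–569) covers only logged-in callers, and the visitor case (`visitor = nil`) that the replaced test exercised is dropped here while the matching visitor test in person_test.rb is deleted too, so after this commit no test pins what `listed_for_person` or `visible_for_person` returns for an anonymous caller — which is exactly the permission boundary the commit changes. The queries in app/models/organization.rb bind `person.id`, so a nil caller presumably raises rather than returning the public subset; whichever behaviour is intended, an assertion such as `assert_includes Organization.listed_for_person(nil), o2` (or an assertion on the raised error) would make it explicit. The negative assertions are also thin: nothing checks that `admin_orgs` excludes `o7` (not visible, admin holds no role there), so a filter that returned every organization to admins would still pass; `assert_not_includes admin_orgs, o7` next to the existing `assert_not_includes person_orgs, o7` would close that gap.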
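--- a/test/unit/person_test.rb
+++ b/test/unit/person_test.rb
@@ -1951,17 +1951,4 @@ class PersonTest < ActiveSupport::TestCase
 person.save!
 end
 
-should 'fetch people there are visible for a visitor' do
-person = nil
-p1 = fast_create(Person, :public_profile => true , :visible => true)
-p2 = fast_create(Person, :public_profile => false, :visible => true)
-p3 = fast_create(Person, :public_profile => true , :visible => false)
-p4 = fast_create(Person, :public_profile => false, :visible => false)
-people_visible_by_visitor = Person.visible_for_person(person)
-assert_includes people_visible_by_visitor, p1
-assert_not_includes people_visible_by_visitor, p2
-assert_not_includes people_visible_by_visitor, p3
-assert_not_includes people_visible_by_visitor, p4
-end
-
 end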