diff --git a/app/models/organization.rb b/app/models/organization.rb index 220b30d..335aa0d 100644 --- a/app/models/organization.rb +++ b/app/models/organization.rb @@ -16,7 +16,7 @@ class Organization < Profile # visible. # 4) The user is not a member of the organization but the organization is # visible, public and enabled. - def self.visible_for_person(person) + def self.listed_for_person(person) joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\') OR ( "role_assignments"."resource_id" = "profiles"."environment_id" AND @@ -26,13 +26,24 @@ class Organization < Profile ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR - ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND + ( profiles.enabled = ? ) ) AND ( profiles.visible = ? ) )', 'profile_admin', 'environment_administrator', Profile.name, person.id, - Profile.name, person.id, true, true, true] + Profile.name, person.id, true, true] ).uniq end + def self.visible_for_person(person) + listed_for_person(person).where( + ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) + OR + ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR + ( profiles.enabled = ? AND profiles.public_profile = ? ) )', + 'profile_admin', 'environment_administrator', Profile.name, person.id, + Profile.name, person.id, true, true] + ) + end + settings_items :closed, :type => :boolean, :default => false def closed? closed diff --git a/app/models/person.rb b/app/models/person.rb index 18015ba..8ed2809 100644 --- a/app/models/person.rb +++ b/app/models/person.rb 
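Review bot: The membership branch of the new `visible_for_person` where-clause, `( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )`, matches any role assignment the person holds with no restriction on `roles.key`, and the LEFT JOIN in `listed_for_person` also matches assignments whose `resource_id` is `profiles.environment_id`; read together, a person holding any environment-level role appears to see every visible, non-public organization in that environment. If that is intended it deserves a comment above the method, e.g. `# Any role on the profile or on its environment grants content visibility; public_profile only gates everyone else.`; if not, the clause should be restricted to assignments whose `resource_id` is `profiles.id`. Note also that `listed_for_person` now ends with `.uniq`, so the chained `.where` runs on a DISTINCT relation, which works but is worth a comment so the ordering is not "fixed" later.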
@@ -372,7 +372,7 @@ class Person < Profile ['%s@%s' % [self.identifier, self.email_domain] ] end - def display_info_to?(user) + def display_private_info_to?(user) if friends.include?(user) true else diff --git a/lib/noosfero/api/entities.rb b/lib/noosfero/api/entities.rb index 89b38f9..8498e1f 100644 --- a/lib/noosfero/api/entities.rb +++ b/lib/noosfero/api/entities.rb @@ -9,13 +9,18 @@ module Noosfero PERMISSIONS = { :admin => 0, :self => 10, - :friend => 20, + :private_content => 20, :logged_user => 30, :anonymous => 40 } - def self.can_display? profile, options, field, permission = :friend - return true if profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym) + def self.can_display_profile_field? profile, options, permission_options={} + permissions={:field => "", :permission => :private_content} + permissions.merge!(permission_options) + field = permissions[:field] + permission = permissions[:permission] + return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym) + current_person = options[:current_person] current_permission = if current_person.present? @@ -23,8 +28,8 @@ module Noosfero :admin elsif current_person == profile :self - elsif current_person.friends.include?(profile) - :friend + elsif profile.display_private_info_to?(current_person) + :private_content else :logged_user end @@ -103,7 +108,7 @@ module Noosfero private_values = profile.custom_field_values - profile.public_values private_values.each do |value| - if Entities.can_display?(profile,options,:custom_field) + if Entities.can_display_profile_field?(profile,options) hash[value.custom_field.name]=value.value end end 
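Review bot: `can_display_profile_field?` calls `profile.display_private_info_to?(current_person)` for whatever profile it receives, but the only definition of that method in this patch is the rename on `Person`; the `custom_field` caller in the last hunk passes the entity's profile, which can be a Community or Enterprise, so unless `Profile` also defines `display_private_info_to?` this raises `NoMethodError` for organization profiles — please confirm. The options-hash form `permission_options={}` plus `permissions.merge!` would read better as keyword arguments, `def self.can_display_profile_field?(profile, options, field: "", permission: :private_content)`, which the existing `{:field => attribute}` call sites already satisfy. A short comment stating the decision order (`public?` plus `public_fields` first, then admin / self / private_content / logged_user ranked through PERMISSIONS) would make the fall-through obvious to the next reader.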
@@ -143,11 +148,11 @@ module Noosfero class Community < Profile root 'communities', 'community' expose :description - expose :admins do |community, options| + expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options| community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}} end expose :categories, :using => Category - expose :members, :using => Person + expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] } end class CommentBase < Entity @@ -209,11 +214,11 @@ module Noosfero attrs.each do |attribute| name = aliases.has_key?(attribute) ? aliases[attribute] : attribute - expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display?(user.person, options, attribute)} + expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => attribute})} end - expose :person, :using => Person - expose :permissions, :if => lambda{|user,options| Entities.can_display?(user.person, options, :permissions, :self)} do |user, options| + expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]} + expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options| output = {} user.person.role_assignments.map do |role_assigment| if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil? diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb index fb64fcc..901eaf1 100644 --- a/lib/noosfero/api/helpers.rb +++ b/lib/noosfero/api/helpers.rb 
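Review bot: The `admins` and `members` guards call `community.display_info_to? options[:current_person]`, and `options[:current_person]` is nil for anonymous callers, so `display_info_to?` on `Profile`/`Community` (not shown in this diff) must return false for nil rather than raise — worth confirming. The same lambda is written twice; extracting it, `PRIVATE_CONTENT = lambda { |community, options| community.display_info_to? options[:current_person] }`, and using `:if => PRIVATE_CONTENT` on both exposures keeps the two guards from drifting apart. The tests in this patch assert on `members` only, so a regression on the `admins` guard would go unnoticed.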
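Review bot: The new `:if` guard on `person` calls `user.person.display_info_to?`, while the person.rb hunk in this same patch renames `Person#display_info_to?` to `display_private_info_to?`; this either raises `NoMethodError` or, if `Profile` still defines `display_info_to?`, silently drops the friends-based check the old `Person` override applied — confirm against the `Profile` definition, which is outside this diff. Using the renamed predicate, `:if => lambda{|user,options| user.person.display_private_info_to? options[:current_person]}`, keeps the `User` entity consistent with `can_display_profile_field?` in the earlier hunk. The `permissions` exposure correctly pins `:permission => :self`; a one-line comment saying that only the user themself (or an admin) sees role assignments would document that choice.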
@@ -266,6 +266,13 @@ require_relative '../../find_by_contents' unauthorized! unless current_user end + def profiles_for_person(profiles, person) + if person + profiles.listed_for_person(person) + else + profiles.visible + end + end # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash # or a Bad Request error is invoked. diff --git a/lib/noosfero/api/v1/activities.rb b/lib/noosfero/api/v1/activities.rb index 5b64e00..038852b 100644 --- a/lib/noosfero/api/v1/activities.rb +++ b/lib/noosfero/api/v1/activities.rb @@ -7,9 +7,11 @@ module Noosfero resource :profiles do get ':id/activities' do - profile = environment.profiles - profile = profile.visible_for_person(current_person) if profile.respond_to?(:visible_for_person) - profile = profile.find_by id: params[:id] + profile = Profile.find_by id: params[:id] + + not_found! if profile.blank? || profile.secret || !profile.visible + forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person) + activities = profile.activities.map(&:activity) present activities, :with => Entities::Activity, :current_person => current_person end diff --git a/lib/noosfero/api/v1/communities.rb b/lib/noosfero/api/v1/communities.rb index dd4f457..94ec917 100644 --- a/lib/noosfero/api/v1/communities.rb +++ b/lib/noosfero/api/v1/communities.rb @@ -17,8 +17,8 @@ module Noosfero # GET /communities?reference_id=10&limit=10&oldest get do communities = select_filtered_collection_of(environment, 'communities', params) - communities = communities.visible - communities = communities.by_location(params) # Must be the last. May return Exception obj. + communities = profiles_for_person(communities, current_person) + communities = communities.by_location(params) # Must be the last. May return Exception obj present communities, :with => Entities::Community, :current_person => current_person end 
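Review bot: `profiles_for_person` returns the listing relation (`listed_for_person` / `visible`), which after the organization.rb change no longer filters on `public_profile`, so private profiles are listed to anonymous and non-member callers and content protection rests entirely on the entity-level `:if` guards; the helper should say so, e.g. `# Listing only: private profiles are included; their content is gated in the entities.`. Whether `profiles.visible` excludes secret profiles for the anonymous branch is not visible here; the communities test added later in this patch assumes it does.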
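Review bot: `profile = Profile.find_by id: params[:id]` drops the environment scoping the replaced lines had (`environment.profiles`), so on a multi-environment install any profile id from another environment becomes reachable through this route; keep `profile = environment.profiles.find_by id: params[:id]`. The `forbidden!` guard repeats `!profile.secret && profile.visible`, which is already guaranteed once `not_found!` has run, so `forbidden! unless profile.display_private_info_to?(current_person)` says the same thing. `current_person` is nil for anonymous callers, so `display_private_info_to?(nil)` must return false rather than raise; the `Person` override visible in this patch shows only the friends branch, so that is worth confirming.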
@@ -49,7 +49,7 @@ module Noosfero end get ':id' do - community = environment.communities.visible.find_by(id: params[:id]) + community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id]) present community, :with => Entities::Community, :current_person => current_person end @@ -63,6 +63,10 @@ module Noosfero get do person = environment.people.find(params[:person_id]) + + not_found! if person.blank? + forbidden! if !person.display_info_to?(current_person) + communities = select_filtered_collection_of(person, 'communities', params) communities = communities.visible present communities, :with => Entities::Community, :current_person => current_person diff --git a/lib/noosfero/api/v1/profiles.rb b/lib/noosfero/api/v1/profiles.rb index 29ce7c2..eb14fa6 100644 --- a/lib/noosfero/api/v1/profiles.rb +++ b/lib/noosfero/api/v1/profiles.rb @@ -16,7 +16,12 @@ module Noosfero profiles = environment.profiles profiles = profiles.visible profile = profiles.find_by id: params[:id] - present profile, :with => Entities::Profile, :current_person => current_person + + if profile + present profile, :with => Entities::Profile, :current_person => current_person + else + not_found! + end end delete ':id' do diff --git a/lib/noosfero/api/v1/tags.rb b/lib/noosfero/api/v1/tags.rb index 4bc0b7e..3e902a1 100644 --- a/lib/noosfero/api/v1/tags.rb +++ b/lib/noosfero/api/v1/tags.rb @@ -3,16 +3,16 @@ module Noosfero module V1 class Tags < Grape::API before { authenticate! } - + resource :articles do resource ':id/tags' do - + get do article = find_article(environment.articles, params[:id]) present article.tag_list end - + desc "Add a tag to an article" post do article = find_article(environment.articles, params[:id]) @@ -20,10 +20,8 @@ module Noosfero article.save present article.tag_list end - end end - end end end diff --git a/lib/noosfero/api/v1/users.rb b/lib/noosfero/api/v1/users.rb index 56a3912..163021c 100644 --- a/lib/noosfero/api/v1/users.rb 
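Review bot: `environment.people.find(params[:person_id])` raises `ActiveRecord::RecordNotFound` for an unknown id, so the following `not_found! if person.blank?` can never fire; use `person = environment.people.find_by id: params[:person_id]` so the explicit `not_found!` is reached. The `forbidden!` guard calls `person.display_info_to?`, the method this patch renames to `display_private_info_to?` on `Person`, so it should read `forbidden! unless person.display_private_info_to?(current_person)`. This endpoint still lists with `communities.visible` rather than the new `profiles_for_person` helper used by the other community routes; if that is deliberate, a comment would stop someone "fixing" it.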
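Review bot: `GET /profiles/:id` keeps filtering with `profiles.visible` while the community routes in this patch switched to `profiles_for_person`, so the two resources may disagree on which profiles a logged-in member can fetch; either route through `profiles_for_person(environment.profiles, current_person).find_by id: params[:id]` or document why profiles are filtered differently. The `if profile ... else not_found! end` shape is a guard clause: `not_found! unless profile` before the `present` line reads more directly.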
+++ b/lib/noosfero/api/v1/users.rb @@ -18,10 +18,11 @@ module Noosfero get ":id" do user = environment.users.find_by id: params[:id] - unless user.person.display_info_to? current_person - unauthorized! + if user + present user, :with => Entities::User, :current_person => current_person + else + not_found! end - present user, :with => Entities::User, :current_person => current_person end get ":id/permissions" do diff --git a/plugins/comment_paragraph/test/unit/api_test.rb b/plugins/comment_paragraph/test/unit/api_test.rb index 9daaac2..b630bba 100644 --- a/plugins/comment_paragraph/test/unit/api_test.rb +++ b/plugins/comment_paragraph/test/unit/api_test.rb @@ -4,6 +4,7 @@ require_relative '../../../../test/api/test_helper' class APITest < ActiveSupport::TestCase def setup + create_and_activate_user login_api environment.enable_plugin(CommentParagraphPlugin) end diff --git a/plugins/push_notification/test/api/api_test.rb b/plugins/push_notification/test/api/api_test.rb index 158b6d6..f1ef124 100644 --- a/plugins/push_notification/test/api/api_test.rb +++ b/plugins/push_notification/test/api/api_test.rb @@ -3,6 +3,7 @@ require_relative '../../../../test/api/test_helper' class PushNotificationApiTest < ActiveSupport::TestCase def setup + create_and_activate_user login_api environment = Environment.default environment.enable_plugin(PushNotificationPlugin) diff --git a/test/api/activities_test.rb b/test/api/activities_test.rb index b06e14b..e76d8ee 100644 --- a/test/api/activities_test.rb +++ b/test/api/activities_test.rb 
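Review bot: Removing the `display_info_to?` check from `GET /users/:id` turns a 401 for non-friends into a 200, and field-level protection now rests entirely on the `:if` lambdas in the `User` entity; any attribute exposed there without a guard (the entity definition is only partly in this diff) is now returned for every user id. That delegation should be stated at the route, e.g. `# Authorization is per field: see the Entities::User guards (can_display_profile_field? / display_info_to?).`, and the test suite should assert that a non-friend's response omits `person` and the private attributes, not only that the status changed. Whether `authenticate!` applies to this resource is not visible in the hunk; if it does not, anonymous callers now receive the same response.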
@@ -3,20 +3,74 @@ require_relative 'test_helper' class ActivitiesTest < ActiveSupport::TestCase def setup + create_and_activate_user login_api end - should 'get activity from profile' do - person = fast_create(Person) - organization = fast_create(Organization) - assert_difference 'organization.activities_count' do - ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => organization - organization.reload - end - get "/api/v1/profiles/#{organization.id}/activities?#{params.to_query}" + should 'get own activities' do + create_activity(person) + + get "/api/v1/profiles/#{person.id}/activities?#{params.to_query}" json = JSON.parse(last_response.body) + assert 1, json["activities"].count - assert_equal organization.activities.map(&:activity).first.id, json["activities"].first["id"] + assert_equivalent person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]} + end + + should 'not get private community activities' do + community = fast_create(Community, :public_profile => false) + create_activity(community) + + get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_nil json["activities"] + assert_equal 403, last_response.status + end + + should 'not get community activities if not member' do + community = fast_create(Community) + other_person = fast_create(Person) + community.add_member(other_person) # so there is an activity in community + + get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_nil json["activities"] + assert_equal 403, last_response.status + end + + should 'get community activities for member' do + community = fast_create(Community) + create_activity(community) + community.add_member(person) + + get "/api/v1/profiles/#{community.id}/activities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent community.activities.map(&:activity).map(&:id), 
json["activities"].map{|c| c["id"]} + end + + should 'not get other person activities' do + other_person = fast_create(Person) + create_activity(other_person) + + get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_nil json["activities"] + assert_equal 403, last_response.status + end + + should 'get friend activities' do + other_person = fast_create(Person) + other_person.add_friend(person) + create_activity(other_person) + + get "/api/v1/profiles/#{other_person.id}/activities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent other_person.activities.map(&:activity).map(&:id), json["activities"].map{|c| c["id"]} + end + + def create_activity(target) + activity = ActionTracker::Record.create! :verb => :leave_scrap, :user => person, :target => target + ProfileActivity.create! profile_id: target.id, activity: activity end end diff --git a/test/api/articles_test.rb b/test/api/articles_test.rb index 78898e3..80fd33a 100644 --- a/test/api/articles_test.rb +++ b/test/api/articles_test.rb @@ -3,6 +3,7 @@ require_relative 'test_helper' class ArticlesTest < ActiveSupport::TestCase def setup + create_and_activate_user login_api end @@ -199,7 +200,6 @@ class ArticlesTest < ActiveSupport::TestCase article = fast_create(Article, :profile_id => @person.id, :name => "Some thing", :archived => true) @params[:value] = 1 post "/api/v1/articles/#{article.id}/vote?#{params.to_query}" - puts JSON.parse(last_response.body) assert_equal 400, last_response.status end diff --git a/test/api/boxes_test.rb b/test/api/boxes_test.rb index 1ba8b6b..1fa99f1 100644 --- a/test/api/boxes_test.rb +++ b/test/api/boxes_test.rb @@ -3,8 +3,7 @@ require_relative 'test_helper' class BoxesTest < ActiveSupport::TestCase def setup - @controller = AccountController.new - @request = ActionController::TestRequest.new + create_and_activate_user login_api # @request = ActionController::TestRequest.new end 
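Review bot: `assert 1, json["activities"].count` in 'get own activities' is `assert(1, message)`, which always passes, so the count is never checked; write `assert_equal 1, json["activities"].count`. 'not get community activities if not member' relies on `community.add_member(other_person)` producing an activity but never asserts one exists, so the 403 assertion would also pass against an empty feed; calling `create_activity(community)` there, as the other tests do, makes the negative test meaningful. `create_activity` builds the `ProfileActivity` row directly, which presumably sidesteps whatever normally creates it; a one-line comment saying so would help the next reader.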
diff --git a/test/api/categories_test.rb b/test/api/categories_test.rb index f356dd7..2243023 100644 --- a/test/api/categories_test.rb +++ b/test/api/categories_test.rb @@ -2,7 +2,11 @@ require_relative 'test_helper' class CategoriesTest < ActiveSupport::TestCase - should 'list categories to logged user' do + def setup + create_and_activate_user + end + + should 'logged user list categories' do login_api category = fast_create(Category, :environment_id => environment.id) get "/api/v1/categories/?#{params.to_query}" diff --git a/test/api/comments_test.rb b/test/api/comments_test.rb index d5a4b55..4255755 100644 --- a/test/api/comments_test.rb +++ b/test/api/comments_test.rb @@ -4,12 +4,12 @@ class CommentsTest < ActiveSupport::TestCase def setup @local_person = fast_create(Person) + create_and_activate_user end - attr_reader :local_person should 'logged user not list comments if user has no permission to view the source article' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false) assert !article.published? get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" @@ -18,8 +18,8 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user not return comment if user has no permission to view the source article' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false) - comment = article.comments.create!(:body => "another comment", :author => local_person) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false) + comment = article.comments.create!(:body => "another comment", :author => @local_person) assert !article.published? get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}" 
@@ -28,7 +28,7 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user not comment an article if user has no permission to view it' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing", :published => false) assert !article.published? post "/api/v1/articles/#{article.id}/comments?#{params.to_query}" @@ -37,9 +37,9 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user return comments of an article' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - article.comments.create!(:body => "some comment", :author => local_person) - article.comments.create!(:body => "another comment", :author => local_person) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + article.comments.create!(:body => "some comment", :author => @local_person) + article.comments.create!(:body => "another comment", :author => @local_person) get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" json = JSON.parse(last_response.body) @@ -49,8 +49,8 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user return comment of an article' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - comment = article.comments.create!(:body => "another comment", :author => local_person) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + comment = article.comments.create!(:body => "another comment", :author => @local_person) get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}" json = JSON.parse(last_response.body) 
@@ -60,7 +60,7 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user comment an article' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") body = 'My comment' params.merge!({:body => body}) @@ -81,16 +81,16 @@ class CommentsTest < ActiveSupport::TestCase end should 'logged user comment creation define the source' do - login_api - amount = Comment.count - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - body = 'My comment' - params.merge!({:body => body}) + login_api + amount = Comment.count + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + body = 'My comment' + params.merge!({:body => body}) - post "/api/v1/articles/#{article.id}/comments?#{params.to_query}" - assert_equal amount + 1, Comment.count - comment = Comment.last - assert_not_nil comment.source + post "/api/v1/articles/#{article.id}/comments?#{params.to_query}" + assert_equal amount + 1, Comment.count + comment = Comment.last + assert_not_nil comment.source end should 'call plugin hotspot to filter unavailable comments' do @@ -102,7 +102,7 @@ class CommentsTest < ActiveSupport::TestCase Noosfero::Plugin.stubs(:all).returns([Plugin1.name]) Environment.default.enable_plugin(Plugin1) - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") c1 = fast_create(Comment, source_id: article.id, body: "comment 1") c2 = fast_create(Comment, source_id: article.id, body: "comment 2", :user_agent => 'Jack') 
@@ -112,7 +112,7 @@ class CommentsTest < ActiveSupport::TestCase end should 'anonymous do not return comments marked as spam' do - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") c1 = fast_create(Comment, source_id: article.id, body: "comment 1", spam: true) c2 = fast_create(Comment, source_id: article.id, body: "comment 2") get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" @@ -120,18 +120,18 @@ class CommentsTest < ActiveSupport::TestCase assert_equal ["comment 2"], json["comments"].map {|c| c["body"]} end - should 'not, anonymous list comments if has no permission to view the source article' do - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing", :published => false) + should 'not list comments if anonymous has no permission to view the source article' do + article = fast_create(Article, :profile_id => person.id, :name => "Some thing", :published => false) assert !article.published? get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" assert_equal 403, last_response.status end - should 'anonymous return comments of an article' do - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - article.comments.create!(:body => "some comment", :author => local_person) - article.comments.create!(:body => "another comment", :author => local_person) + should 'return comments of an article for anonymous' do + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + article.comments.create!(:body => "some comment", :author => @local_person) + article.comments.create!(:body => "another comment", :author => @local_person) get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" json = JSON.parse(last_response.body) 
@@ -139,9 +139,9 @@ class CommentsTest < ActiveSupport::TestCase assert_equal 2, json["comments"].length end - should 'anonymous return comment of an article' do - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - comment = article.comments.create!(:body => "another comment", :author => local_person) + should 'return comment of an article for anonymous' do + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + comment = article.comments.create!(:body => "another comment", :author => @local_person) get "/api/v1/articles/#{article.id}/comments/#{comment.id}?#{params.to_query}" json = JSON.parse(last_response.body) @@ -149,12 +149,13 @@ class CommentsTest < ActiveSupport::TestCase assert_equal comment.id, json['comment']['id'] end - should 'not, anonymous comment an article (at least so far...)' do - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") + should 'anonymous user not comment an article' do + article = fast_create(Article, :profile_id => person.id, :name => "Some thing") body = 'My comment' name = "John Doe" email = "JohnDoe@gmail.com" params.merge!({:body => body, name: name, email: email}) + post "/api/v1/articles/#{article.id}/comments?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal 401, last_response.status @@ -162,8 +163,8 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user paginate comments' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - 5.times { article.comments.create!(:body => "some comment", :author => local_person) } + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + 5.times { article.comments.create!(:body => "some comment", :author => @local_person) } params[:per_page] = 3 get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" 
@@ -174,9 +175,9 @@ class CommentsTest < ActiveSupport::TestCase should 'logged user return only root comments' do login_api - article = fast_create(Article, :profile_id => local_person.id, :name => "Some thing") - comment1 = article.comments.create!(:body => "some comment", :author => local_person) - comment2 = article.comments.create!(:body => "another comment", :author => local_person, :reply_of_id => comment1.id) + article = fast_create(Article, :profile_id => @local_person.id, :name => "Some thing") + comment1 = article.comments.create!(:body => "some comment", :author => @local_person) + comment2 = article.comments.create!(:body => "another comment", :author => @local_person, :reply_of_id => comment1.id) params[:without_reply] = true get "/api/v1/articles/#{article.id}/comments?#{params.to_query}" diff --git a/test/api/communities_test.rb b/test/api/communities_test.rb index 61b8100..bf1838f 100644 --- a/test/api/communities_test.rb +++ b/test/api/communities_test.rb 
@@ -4,28 +4,31 @@ class CommunitiesTest < ActiveSupport::TestCase def setup Community.delete_all + create_and_activate_user end - should 'logged user list only communities' do + should 'list only communities to logged user' do login_api community = fast_create(Community, :environment_id => environment.id) enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise + get "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id assert_includes json['communities'].map {|c| c['id']}, community.id end - should 'logged user list all communities' do + should 'list all communities to logged user' do login_api community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true) community2 = fast_create(Community, :environment_id => environment.id) + get "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} end - should 'not, logged user list invisible communities' do + should 'not list invisible communities to logged user' do login_api community1 = fast_create(Community, :environment_id => environment.id) fast_create(Community, :environment_id => environment.id, :visible => false) 
@@ -35,28 +38,28 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equal [community1.id], json['communities'].map {|c| c['id']} end - should 'logged user list private communities' do - login_api - community1 = fast_create(Community, :environment_id => environment.id) - community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false) + should 'list private communities to logged user' do + login_api + community1 = fast_create(Community, :environment_id => environment.id) + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false) - get "/api/v1/communities?#{params.to_query}" - json = JSON.parse(last_response.body) - assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} + get "/api/v1/communities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} end - should 'logged user list private community for members' do + should 'list private communities to logged members' do login_api - c1 = fast_create(Community, :environment_id => environment.id) - c2 = fast_create(Community, :environment_id => environment.id, :public_profile => false) - c2.add_member(person) + community1 = fast_create(Community, :environment_id => environment.id) + community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false) + community2.add_member(person) get "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) - assert_equivalent [c1.id, c2.id], json['communities'].map {|c| c['id']} + assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} end - should 'logged user create a community' do + should 'create a community with logged user' do login_api params[:community] = {:name => 'some'} post "/api/v1/communities?#{params.to_query}" 
@@ -64,14 +67,14 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equal 'some', json['community']['name'] end - should 'logged user return 400 status for invalid community creation' do + should 'return 400 status for invalid community creation to logged user ' do login_api post "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal 400, last_response.status end - should 'logged user get community' do + should 'get community to logged user' do login_api community = fast_create(Community, :environment_id => environment.id) @@ -80,26 +83,27 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equal community.id, json['community']['id'] end - should 'not, logged user get invisible community' do + should 'not list invisible community to logged users' do login_api community = fast_create(Community, :environment_id => environment.id, :visible => false) get "/api/v1/communities/#{community.id}?#{params.to_query}" json = JSON.parse(last_response.body) - assert json['community'].blank? + + assert_nil json["community"] end - should 'not, logged user get private communities without permission' do + should 'not get private community content to non member' do login_api - community = fast_create(Community, :environment_id => environment.id) - fast_create(Community, :environment_id => environment.id, :public_profile => false) + community = fast_create(Community, :environment_id => environment.id, :public_profile => false) get "/api/v1/communities/#{community.id}?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal community.id, json['community']['id'] + assert_nil json['community']['members'] end - should 'logged user get private community for members' do + should 'get private community to logged member' do login_api community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :visible => true) community.add_member(person) 
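Review bot: 'not get private community content to non member' asserts only that `members` is absent, while the entities hunk gates `admins` with the same `display_info_to?` lambda; add `assert_nil json['community']['admins']` so a regression in either guard is caught. The positive test 'get private community to logged member' likewise checks only `members`; `assert_not_nil json['community']['admins']` completes the pair. Note the test body for that positive case continues past this hunk.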
@@ -107,9 +111,10 @@ class CommunitiesTest < ActiveSupport::TestCase get "/api/v1/communities/#{community.id}?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal community.id, json['community']['id'] + assert_not_nil json['community']['members'] end - should 'logged user list person communities' do + should 'list person communities to logged user' do login_api community = fast_create(Community, :environment_id => environment.id) fast_create(Community, :environment_id => environment.id) @@ -120,16 +125,16 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equivalent [community.id], json['communities'].map {|c| c['id']} end - should 'not, logged user list person communities invisible' do + should 'not list person invisible communities to logged user' do login_api - c1 = fast_create(Community, :environment_id => environment.id) - c2 = fast_create(Community, :environment_id => environment.id, :visible => false) - c1.add_member(person) - c2.add_member(person) + community1 = fast_create(Community, :environment_id => environment.id) + community2 = fast_create(Community, :environment_id => environment.id, :visible => false) + community1.add_member(person) + community2.add_member(person) get "/api/v1/people/#{person.id}/communities?#{params.to_query}" json = JSON.parse(last_response.body) - assert_equivalent [c1.id], json['communities'].map {|c| c['id']} + assert_equivalent [community1.id], json['communities'].map {|c| c['id']} end should 'logged user list communities with pagination' do @@ -154,7 +159,7 @@ class CommunitiesTest < ActiveSupport::TestCase assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id end - should 'logged user list communities with timestamp' do + should 'list communities with timestamp to logged user' do login_api community1 = fast_create(Community, :public_profile => true) community2 = fast_create(Community) 
@@ -173,6 +178,7 @@ class CommunitiesTest < ActiveSupport::TestCase should 'anonymous list only communities' do community = fast_create(Community, :environment_id => environment.id) enterprise = fast_create(Enterprise, :environment_id => environment.id) # should not list this enterprise + get "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_not_includes json['communities'].map {|c| c['id']}, enterprise.id @@ -182,12 +188,13 @@ class CommunitiesTest < ActiveSupport::TestCase should 'anonymous list all communities' do community1 = fast_create(Community, :environment_id => environment.id, :public_profile => true) community2 = fast_create(Community, :environment_id => environment.id) + get "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} end - should 'not, anonymous list invisible communities' do + should 'not list invisible communities to anonymous' do community1 = fast_create(Community, :environment_id => environment.id) fast_create(Community, :environment_id => environment.id, :visible => false) 
@@ -196,7 +203,17 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equal [community1.id], json['communities'].map {|c| c['id']} end - should 'anonymous list private communities' do + should 'list all visible communities except secret ones to anonymous' do + community = fast_create(Community, :environment_id => environment.id) + private_community = fast_create(Community, :environment_id => environment.id, :public_profile => false) + secret_community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :secret => true) + + get "/api/v1/communities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent [community.id, private_community.id], json['communities'].map {|c| c['id']} + end + + should 'list private communities to anonymous' do community1 = fast_create(Community, :environment_id => environment.id) community2 = fast_create(Community, :environment_id => environment.id, :public_profile => false) 
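Review bot: The new secret-community test only covers the anonymous listing, yet `should 'list private communities to anonymous'` right below shows that non-public communities are now listed to everyone, which makes `:secret` the only remaining barrier and the logged-in non-member the more likely path for it to leak. Add the companion test for a logged user who is not a member, and consider a `/communities/#{secret_community.id}` fetch for the same caller. I cannot tell from this hunk whether the listing scope filters on `secret` at the query level or in the presenter, so the test is what will catch a regression.
```ruby
should 'not list secret community to logged non member' do
  login_api
  secret_community = fast_create(Community, :environment_id => environment.id, :public_profile => false, :secret => true)

  get "/api/v1/communities?#{params.to_query}"
  json = JSON.parse(last_response.body)
  assert_not_includes json['communities'].map {|c| c['id']}, secret_community.id
end
```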
@@ -205,36 +222,59 @@ class CommunitiesTest < ActiveSupport::TestCase assert_equivalent [community1.id, community2.id], json['communities'].map {|c| c['id']} end - should 'not, anonymous create a community' do + should 'not create a community as an anonymous user' do params[:community] = {:name => 'some'} + post "/api/v1/communities?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal 401, last_response.status end - should 'anonymous get community' do + should 'get community for anonymous' do community = fast_create(Community, :environment_id => environment.id) get "/api/v1/communities/#{community.id}" json = JSON.parse(last_response.body) assert_equal community.id, json['community']['id'] end - should 'not, anonymous get invisible community' do + should 'not get invisible community to anonymous user' do community = fast_create(Community, :environment_id => environment.id, :visible => false) get "/api/v1/communities/#{community.id}" json = JSON.parse(last_response.body) assert json['community'].blank? 
end - should 'not, anonymous get private communities' do - community = fast_create(Community, :environment_id => environment.id) - fast_create(Community, :environment_id => environment.id, :public_profile => false) + should 'get private community to anonymous user' do + community = fast_create(Community, :environment_id => environment.id, :public_profile => false) + get "/api/v1/communities/#{community.id}" json = JSON.parse(last_response.body) assert_equal community.id, json['community']['id'] + assert_nil json['community']['members'] + end + + should 'list public person communities to anonymous' do + community = fast_create(Community, :environment_id => environment.id) + fast_create(Community, :environment_id => environment.id) + community.add_member(person) + + get "/api/v1/people/#{person.id}/communities?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equivalent [community.id], json['communities'].map {|c| c['id']} + end + + should 'not list private person communities to anonymous' do + community = fast_create(Community, :environment_id => environment.id) + fast_create(Community, :environment_id => environment.id) + person.public_profile = false + person.save + community.add_member(person) + + get "/api/v1/people/#{person.id}/communities?#{params.to_query}" + assert_equal 403, last_response.status end - should 'anonymous list communities with pagination' do + should 'list communities with pagination to anonymous' do community1 = fast_create(Community, :public_profile => true, :created_at => 1.day.ago) community2 = fast_create(Community, :created_at => 2.days.ago) @@ -255,7 +295,7 @@ class CommunitiesTest < ActiveSupport::TestCase assert_not_includes json_page_two["communities"].map { |a| a["id"] }, community1.id end - should 'anonymous list communities with timestamp' do + should 'list communities with timestamp to anonymous ' do community1 = fast_create(Community, :public_profile => true) community2 = fast_create(Community) 
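Review bot: `should 'not get invisible community to anonymous user'` still asserts `json['community'].blank?` while its logged-in counterpart was tightened to `assert_nil`, and neither checks `last_response.status`, so an error response is indistinguishable from a correct refusal; use `assert_nil json['community']` plus an assertion on the status the endpoint returns. The new `assert_equal 403, last_response.status` for a private person's communities is the right shape; a sibling for a logged-in non-friend would close the more likely path, since private profiles are listed to everyone elsewhere in this file. The enclosing hunk starts on the previous line of the diff.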
diff --git a/test/api/enterprises_test.rb b/test/api/enterprises_test.rb index f6b8ab4..94fb131 100644 --- a/test/api/enterprises_test.rb +++ b/test/api/enterprises_test.rb @@ -4,6 +4,7 @@ class EnterprisesTest < ActiveSupport::TestCase def setup Enterprise.delete_all + create_and_activate_user end should 'logger user list only enterprises' do @@ -17,7 +18,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'anonymous list only enterprises' do - anonymous_setup community = fast_create(Community, :environment_id => environment.id) # should not list this community enterprise = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true) get "/api/v1/enterprises?#{params.to_query}" @@ -27,7 +27,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'anonymous list all enterprises' do - anonymous_setup enterprise1 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => true) enterprise2 = fast_create(Enterprise, :environment_id => environment.id) get "/api/v1/enterprises?#{params.to_query}" @@ -55,7 +54,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'not, anonymous list invisible enterprises' do - anonymous_setup enterprise1 = fast_create(Enterprise, :environment_id => environment.id) fast_create(Enterprise, :visible => false) @@ -71,11 +69,10 @@ class EnterprisesTest < ActiveSupport::TestCase get "/api/v1/enterprises?#{params.to_query}" json = JSON.parse(last_response.body) - assert_equal [enterprise1.id, enterprise2.id], json['enterprises'].map {|c| c['id']} + assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']} end should 'anonymous list private enterprises' do - anonymous_setup enterprise1 = fast_create(Enterprise, :environment_id => environment.id) enterprise2 = fast_create(Enterprise, :environment_id => environment.id, :public_profile => false) 
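Review bot: The changed expectation `assert_equal [enterprise1.id], json['enterprises'].map {|c| c['id']}` drops `enterprise2` without the hunk showing what makes it unlistable now; the test's name and setup start above the hunk, so a comment such as `# enterprise2 must not be listed anonymously; see its setup above` would keep the intent reviewable. `assert_equal` on the array is also order-dependent, while the neighbouring tests use `assert_equivalent`. Removing `anonymous_setup` makes these tests depend on `setup` leaving `params` without a token, which is presumably what `create_and_activate_user` does but is no longer stated in the test itself.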
@@ -106,7 +103,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'anonymous get enterprise' do - anonymous_setup enterprise = fast_create(Enterprise, :environment_id => environment.id) get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}" @@ -133,7 +129,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'not, anonymous get invisible enterprise' do - anonymous_setup enterprise = fast_create(Enterprise, :visible => false) get "/api/v1/enterprises/#{enterprise.id}?#{params.to_query}" @@ -152,7 +147,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'not, anonymous get private enterprises' do - anonymous_setup enterprise = fast_create(Enterprise, :environment_id => environment.id) fast_create(Enterprise, :environment_id => environment.id, :public_profile => false) @@ -195,7 +189,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'display public custom fields to anonymous' do - anonymous_setup CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default) some_enterprise = fast_create(Enterprise) some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "true"} } @@ -208,7 +201,6 @@ class EnterprisesTest < ActiveSupport::TestCase end should 'not display public custom fields to anonymous' do - anonymous_setup CustomField.create!(:name => "Rating", :format => "string", :customized_type => "Enterprise", :active => true, :environment => Environment.default) some_enterprise = fast_create(Enterprise) some_enterprise.custom_values = { "Rating" => { "value" => "Five stars", "public" => "false"} } diff --git a/test/api/environment_test.rb b/test/api/environment_test.rb index a9db4c1..79f96cc 100644 --- a/test/api/environment_test.rb +++ b/test/api/environment_test.rb 
@@ -2,6 +2,10 @@ require_relative 'test_helper' class EnvironmentTest < ActiveSupport::TestCase + def setup + create_and_activate_user + end + should 'return the default environment' do environment = Environment.default get "/api/v1/environment/default" @@ -62,6 +66,6 @@ class EnvironmentTest < ActiveSupport::TestCase get "/api/v1/environment/context" json = JSON.parse(last_response.body) assert_equal context_env.id, json['id'] - end + end end diff --git a/test/api/helpers_test.rb b/test/api/helpers_test.rb index 2a56c36..14ad270 100644 --- a/test/api/helpers_test.rb +++ b/test/api/helpers_test.rb @@ -6,28 +6,26 @@ class APIHelpersTest < ActiveSupport::TestCase include Noosfero::API::APIHelpers def setup + create_and_activate_user @headers = {} end attr_accessor :headers should 'get the current user with valid token' do - user = create_user('someuser') - user.generate_private_token! + login_api self.params = {:private_token => user.private_token} assert_equal user, current_user end should 'get the current user with valid token in header' do - user = create_user('someuser') - user.generate_private_token! + login_api headers['Private-Token'] = user.private_token assert_equal user, current_user end should 'get the current user even with expired token' do - user = create_user('someuser') - user.generate_private_token! + login_api user.private_token_generated_at = DateTime.now.prev_year user.save self.params = {:private_token => user.private_token} @@ -35,8 +33,7 @@ class APIHelpersTest < ActiveSupport::TestCase end should 'get the person of current user' do - user = create_user('someuser') - user.generate_private_token! + login_api self.params = {:private_token => user.private_token} assert_equal user.person, current_person end 
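Review bot: `should 'get the current user even with expired token'` keeps asserting that a token whose `private_token_generated_at` is a year old still resolves to `user`; this hunk only swaps the fixture for `login_api`, so the commit leaves a no-expiry policy pinned by a test without saying whether that is intended. A comment on that test, `# NOTE: private tokens are deliberately not expired; flip this expectation if expiry is ever enforced`, would stop it being read as a bug fix waiting to happen. Separately, if `login_api` already writes the token into `params` (as the helper appears to), `self.params = {:private_token => user.private_token}` on the following line is redundant.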
@@ -106,24 +103,22 @@ class APIHelpersTest < ActiveSupport::TestCase end should 'find_article return article by id in list passed for user with permission' do - user = create_user('someuser') + login_api a = fast_create(Article, :profile_id => user.person.id) fast_create(Article, :profile_id => user.person.id) fast_create(Article, :profile_id => user.person.id) - user.generate_private_token! self.params = {private_token: user.private_token} User.expects(:find_by).with(private_token: user.private_token).returns(user) assert_equal a, find_article(user.person.articles, a.id) end should 'find_article return forbidden when a user try to access an article without permission' do - user = create_user('someuser') + login_api p = fast_create(Profile) a = fast_create(Article, :published => false, :profile_id => p.id) fast_create(Article, :profile_id => p.id) - user.generate_private_token! self.params = {private_token: user.private_token} User.expects(:find_by).with(private_token: user.private_token).returns(user) assert_equal 403, find_article(p.articles, a.id).last diff --git a/test/api/people_test.rb b/test/api/people_test.rb index 34e52ae..9e4cd9b 100644 --- a/test/api/people_test.rb +++ b/test/api/people_test.rb @@ -3,7 +3,8 @@ require_relative 'test_helper' class PeopleTest < ActiveSupport::TestCase def setup - Person.delete_all + Person.destroy_all + create_and_activate_user end should 'logged user list all people' do @@ -16,12 +17,11 @@ class PeopleTest < ActiveSupport::TestCase end should 'anonymous list all people' do - anonymous_setup person1 = fast_create(Person, :public_profile => true) person2 = fast_create(Person) get "/api/v1/people?#{params.to_query}" json = JSON.parse(last_response.body) - assert_equivalent [person1.id, person2.id], json['people'].map {|c| c['id']} + assert_equivalent [person.id, person1.id, person2.id], json['people'].map {|c| c['id']} end should 'logged user list all members of a community' do 
@@ -39,7 +39,6 @@ class PeopleTest < ActiveSupport::TestCase end should 'anonymous list all members of a community' do - anonymous_setup person1 = fast_create(Person) person2 = fast_create(Person) community = fast_create(Community) @@ -76,7 +75,6 @@ class PeopleTest < ActiveSupport::TestCase end should 'anonymous list private people' do - anonymous_setup private_person = fast_create(Person, :public_profile => false) get "/api/v1/people?#{params.to_query}" @@ -170,7 +168,6 @@ class PeopleTest < ActiveSupport::TestCase end should 'anonymous get private people' do - anonymous_setup private_person = fast_create(Person, :public_profile => false) get "/api/v1/people/#{private_person.id}?#{params.to_query}" @@ -199,7 +196,6 @@ class PeopleTest < ActiveSupport::TestCase end should 'anonymous list person friends' do - anonymous_setup person = fast_create(Person) friend = fast_create(Person) person.add_friend(friend) @@ -270,7 +266,7 @@ class PeopleTest < ActiveSupport::TestCase should 'not display permissions if not admin or self' do login_api - some_person = create_user('some-person').person + some_person = fast_create(Person) get "/api/v1/people/#{some_person.id}/permissions?#{params.to_query}" assert_equal 403, last_response.status 
@@ -296,8 +292,11 @@ class PeopleTest < ActiveSupport::TestCase should 'logged user display public custom fields' do login_api - CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) - some_person = create_user('some-person').person + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment) + some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person + some_person.user.activate + some_person.reload + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} } some_person.save! @@ -309,10 +308,11 @@ class PeopleTest < ActiveSupport::TestCase should 'logged user not display non-public custom fields' do login_api - CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) - some_person = create_user('some-person').person + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment) + some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } some_person.save! + some_person.user.activate get "/api/v1/people/#{some_person.id}?#{params.to_query}" json = JSON.parse(last_response.body) 
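Review bot: `:password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD'` quotes the constant's name as a string literal, so the second user's password is literally `USER_PASSWORD` rather than the value of the `USER_PASSWORD` constant the test helper defines; it works by accident and will diverge silently if the constant changes. Use `:password => USER_PASSWORD, :password_confirmation => USER_PASSWORD`. The same `User.create!(:login => 'user1', ...)` line is repeated across several tests in this commit, which argues for a small helper in the test helper file.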
@@ -320,36 +320,31 @@ class PeopleTest < ActiveSupport::TestCase end should 'display public custom fields to anonymous' do - anonymous_setup - CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) - some_person = create_user('some-person').person - some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} } - some_person.save! + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment) + person.reload + person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "true"} } + person.save! - get "/api/v1/people/#{some_person.id}?#{params.to_query}" + get "/api/v1/people/#{person.id}?#{params.to_query}" json = JSON.parse(last_response.body) assert json['person']['additional_data'].has_key?('Custom Blog') assert_equal "www.blog.org", json['person']['additional_data']['Custom Blog'] end should 'not display non-public custom fields to anonymous' do - anonymous_setup - CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) - some_person = create_user('some-person').person - some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } - some_person.save! + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment) + person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } + person.save! 
- get "/api/v1/people/#{some_person.id}?#{params.to_query}" + get "/api/v1/people/#{person.id}?#{params.to_query}" json = JSON.parse(last_response.body) assert_equal json['person']['additional_data'], {} end should 'hide private fields to anonymous' do - anonymous_setup - target_person = create_user('some-user').person - target_person.save! + target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment) - get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" + get "/api/v1/users/#{target_user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) refute json["user"].has_key?("permissions") refute json["user"].has_key?("activated") @@ -357,15 +352,16 @@ class PeopleTest < ActiveSupport::TestCase should 'display non-public custom fields to friend' do login_api - CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => Environment.default) - some_person = create_user('some-person').person + CustomField.create!(:name => "Custom Blog", :format => "string", :customized_type => "Person", :active => true, :environment => environment) + some_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person + some_person.user.activate + some_person.reload + some_person.custom_values = { "Custom Blog" => { "value" => "www.blog.org", "public" => "0"} } some_person.save! - f = Friendship.new - f.friend = some_person - f.person = person - f.save! + some_person.add_friend(person) + person.add_friend(some_person) get "/api/v1/people/#{some_person.id}?#{params.to_query}" json = JSON.parse(last_response.body) diff --git a/test/api/profiles_test.rb b/test/api/profiles_test.rb index 0b0c06b..25308ee 100644 --- a/test/api/profiles_test.rb +++ b/test/api/profiles_test.rb 
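Review bot: `some_person.add_friend(person)` followed by `person.add_friend(some_person)` makes the friendship symmetric, so the test can no longer show which side the server-side check consults; if the check were only on the viewer's friend list, any logged user could expose someone's non-public custom fields by "friending" them unilaterally. The old `Friendship.new` fixture at least fixed one direction. Add the negative case below (a one-way friendship declared by the viewer must not unlock the field); the positive test's assertion continues past the end of this hunk.
```ruby
should 'not display non-public custom fields to one-way friend' do
  login_api
  # … unchanged: CustomField and some_person setup as in the test above …
  person.add_friend(some_person)   # only the viewer declares the friendship

  get "/api/v1/people/#{some_person.id}?#{params.to_query}"
  json = JSON.parse(last_response.body)
  refute json['person']['additional_data'].has_key?('Custom Blog')
end
```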
@@ -4,6 +4,7 @@ class ProfilesTest < ActiveSupport::TestCase def setup Profile.delete_all + create_and_activate_user end should 'logged user list all profiles' do @@ -24,6 +25,13 @@ class ProfilesTest < ActiveSupport::TestCase assert_equal some_person.id, json['id'] end + should 'not get inexistent profile' do + login_api + get "/api/v1/profiles/invalid_id?#{params.to_query}" + json = JSON.parse(last_response.body) + assert_equal 404, last_response.status + end + should 'logged user get community from profile id' do login_api community = fast_create(Community) @@ -85,7 +93,6 @@ class ProfilesTest < ActiveSupport::TestCase end should 'anonymous user access delete action' do - anonymous_setup profile = fast_create(Person, :environment_id => environment.id) delete "/api/v1/profiles/#{profile.id}?#{params.to_query}" @@ -99,7 +106,7 @@ class ProfilesTest < ActiveSupport::TestCase community = fast_create(Community) get "/api/v1/profiles" json = JSON.parse(last_response.body) - assert_equivalent [person1.id, person2.id, community.id], json.map {|p| p['id']} + assert_equivalent [person.id, person1.id, person2.id, community.id], json.map {|p| p['id']} end should 'anonymous get person from profile id' do diff --git a/test/api/search_test.rb b/test/api/search_test.rb index 7102674..8b581ed 100644 --- a/test/api/search_test.rb +++ b/test/api/search_test.rb @@ -3,9 +3,8 @@ require_relative 'test_helper' class SearchTest < ActiveSupport::TestCase def setup - @person = create_user('testing').person + create_and_activate_user end - attr_reader :person should 'not list unpublished articles' do Article.delete_all diff --git a/test/api/session_test.rb b/test/api/session_test.rb index f91ea09..080818a 100644 --- a/test/api/session_test.rb +++ b/test/api/session_test.rb @@ -3,6 +3,7 @@ require_relative 'test_helper' class SessionTest < ActiveSupport::TestCase def setup + create_and_activate_user login_api end 
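Review bot: `should 'not get inexistent profile'` sends the non-numeric id `invalid_id`, which may be rejected by parameter coercion before any lookup happens, so it does not prove a well-formed id for a missing record also yields 404 rather than a 500 or an empty 200; add `get "/api/v1/profiles/#{Profile.maximum(:id).to_i + 1}?#{params.to_query}"` with the same `assert_equal 404, last_response.status`. The `json = JSON.parse(last_response.body)` line in that test is unused and can go.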
@@ -147,10 +148,9 @@ class SessionTest < ActiveSupport::TestCase end should 'create task to change password by user login' do - user = create_user params = {:value => user.login} assert_difference 'ChangePassword.count' do - post "/api/v1/forgot_password?#{params.to_query}" + post "/api/v1/forgot_password?#{params.to_query}" end end @@ -173,8 +173,6 @@ class SessionTest < ActiveSupport::TestCase end should 'do not change user password when password confirmation is wrong' do - user = create_user - user.activate task = ChangePassword.create!(:requestor => user.person) params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'} patch "/api/v1/new_password?#{params.to_query}" @@ -200,8 +198,8 @@ class SessionTest < ActiveSupport::TestCase end should 'resend activation code for an inactive user' do - user = create_user - params = {:value => user.login} + another_user = User.create!(:login => "userlogin", :password => 'testapi', :password_confirmation => 'testapi', :email => 'test2@test.org', :environment => @environment) + params = {:value => another_user.login} Delayed::Job.destroy_all assert_difference 'ActionMailer::Base.deliveries.size' do post "/api/v1/resend_activation_code?#{params.to_query}" @@ -209,13 +207,11 @@ class SessionTest < ActiveSupport::TestCase end json = JSON.parse(last_response.body) refute json['users'].first['private_token'] - assert_equal user.email, ActionMailer::Base.deliveries.last['to'].to_s + assert_equal another_user.email, ActionMailer::Base.deliveries.last['to'].to_s end should 'not resend activation code for an active user' do - user = create_user params = {:value => user.login} - user.activate Delayed::Job.destroy_all assert_no_difference 'ActionMailer::Base.deliveries.size' do post "/api/v1/resend_activation_code?#{params.to_query}" diff --git a/test/api/task_test.rb b/test/api/task_test.rb index 01bf515..9541fea 100644 --- a/test/api/task_test.rb +++ b/test/api/task_test.rb 
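Review bot: `refute json['users'].first['private_token']` in the resend-activation test is the only assertion on what `/resend_activation_code` returns to an unauthenticated caller, yet the response evidently carries user records looked up by login; the test should also state which attributes of that record may be disclosed (e.g. `refute json['users'].first.has_key?('email')` if confirming the address is not intended), since a login-to-record lookup is an enumeration surface. The active-user variant asserts only that no mail is sent; if the two cases are meant to be indistinguishable to the caller, assert on the response body as well. This hunk only swaps fixtures, so I am inferring the endpoint's behaviour from the assertions.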
@@ -3,8 +3,8 @@ require_relative 'test_helper' class TasksTest < ActiveSupport::TestCase def setup + create_and_activate_user login_api - @person = user.person @community = fast_create(Community) @environment = Environment.default end diff --git a/test/api/test_helper.rb b/test/api/test_helper.rb index be6fca6..baa51df 100644 --- a/test/api/test_helper.rb +++ b/test/api/test_helper.rb @@ -4,17 +4,23 @@ class ActiveSupport::TestCase include Rack::Test::Methods + USER_PASSWORD = "testapi" + USER_LOGIN = "testapi" + def app Noosfero::API::API end - def login_api + def create_and_activate_user @environment = Environment.default - @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment) + @user = User.create!(:login => USER_LOGIN, :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test@test.org', :environment => @environment) @user.activate @person = @user.person + @params = {} + end - post "/api/v1/login?login=testapi&password=testapi" + def login_api + post "/api/v1/login?login=#{USER_LOGIN}&password=#{USER_PASSWORD}" json = JSON.parse(last_response.body) @private_token = json["private_token"] unless @private_token @@ -22,7 +28,7 @@ class ActiveSupport::TestCase @private_token = @user.private_token end - @params = {:private_token => @private_token} + @params[:private_token] = @private_token end attr_accessor :private_token, :user, :person, :params, :environment diff --git a/test/api/users_test.rb b/test/api/users_test.rb index 010eda9..47df93f 100644 --- a/test/api/users_test.rb +++ b/test/api/users_test.rb @@ -3,6 +3,10 @@ require_relative 'test_helper' class UsersTest < ActiveSupport::TestCase + def setup + create_and_activate_user + end + should 'logger user list users' do login_api get "/api/v1/users/?#{params.to_query}" 
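Review bot: `login_api` now assumes `create_and_activate_user` already ran, because `@params` is only initialised there and `@params[:private_token] = @private_token` raises on nil otherwise; that is why every test file in this commit had to grow a `setup`, and any future test calling `login_api` alone fails with an unrelated NoMethodError. Guard it with `create_and_activate_user unless @user` (or at least `@params ||= {}`). The tests added in this commit also repeat `User.create!(:login => 'user1', :password => 'USER_PASSWORD', ...)` with the constant name quoted as a string; a helper here removes that duplication and the quoted-constant slip.
```ruby
def login_api
  create_and_activate_user unless @user
  post "/api/v1/login?login=#{USER_LOGIN}&password=#{USER_PASSWORD}"
  # … unchanged: token extraction …
  @params[:private_token] = @private_token
end

# Second activated user for friend / non-friend / admin tests.
def create_other_user(login = 'user1', email = 'test2@test.org')
  User.create!(:login => login, :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => email, :environment => environment)
end
```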
@@ -35,8 +39,8 @@ class UsersTest < ActiveSupport::TestCase should 'not show permissions to logged user' do login_api - target_person = create_user('some-user').person - get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" + target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment) + get "/api/v1/users/#{target_user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) refute json["user"].has_key?("permissions") end @@ -50,12 +54,10 @@ class UsersTest < ActiveSupport::TestCase should 'not show permissions to friend' do login_api - target_person = create_user('some-user').person + target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person - f = Friendship.new - f.friend = target_person - f.person = person - f.save! + target_person.add_friend(person) + person.add_friend(target_person) get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) 
@@ -64,19 +66,21 @@ class UsersTest < ActiveSupport::TestCase should 'not show private attribute to logged user' do login_api - target_person = create_user('some-user').person - get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" + target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment) + + get "/api/v1/users/#{target_user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) - refute json["user"].has_key?("email") + assert_equal 200, last_response.status + assert_nil json['user']['email'] + assert_nil json['user']['person'] end should 'show private attr to friend' do login_api - target_person = create_user('some-user').person - f = Friendship.new - f.friend = target_person - f.person = person - f.save! + target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person + target_person.add_friend(person) + person.add_friend(target_person) + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) assert json["user"].has_key?("email") @@ -85,9 +89,12 @@ class UsersTest < ActiveSupport::TestCase should 'show public attribute to logged user' do login_api - target_person = create_user('some-user').person + target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person + target_person.public_profile = true + target_person.visible = true target_person.fields_privacy={:email=> 'public'} target_person.save! + get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) assert json["user"].has_key?("email") 
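Review bot: `target_person.add_friend(person)` plus `person.add_friend(target_person)` in `should 'show private attr to friend'` makes the friendship symmetric, so the test cannot tell whether the server checks the target's friend list or the viewer's; if it is the viewer's, any logged user could read another user's email by friending them unilaterally. Add a negative sibling that does only `person.add_friend(target_person)` and then `refute json["user"].has_key?("email")`. In the logged-user test, `assert_nil json['user']['email']` is also weaker than the `refute json["user"].has_key?("email")` it replaces only in spelling; either is fine, but the file now mixes both styles for the same property.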
@@ -98,7 +105,7 @@ class UsersTest < ActiveSupport::TestCase login_api Environment.default.add_admin(person) - target_person = create_user('some-user').person + target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person target_person.fields_privacy={:email=> 'public'} target_person.save! @@ -110,9 +117,10 @@ class UsersTest < ActiveSupport::TestCase end should 'show public fields to anonymous' do - anonymous_setup - target_person = create_user('some-user').person + target_person = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment).person target_person.fields_privacy={:email=> 'public'} + target_person.public_profile = true + target_person.visible = true target_person.save! get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" @@ -121,11 +129,9 @@ class UsersTest < ActiveSupport::TestCase end should 'hide private fields to anonymous' do - anonymous_setup - target_person = create_user('some-user').person - target_person.save! + target_user = User.create!(:login => 'user1', :password => 'USER_PASSWORD', :password_confirmation => 'USER_PASSWORD', :email => 'test2@test.org', :environment => environment) - get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}" + get "/api/v1/users/#{target_user.id}/?#{params.to_query}" json = JSON.parse(last_response.body) refute json["user"].has_key?("permissions") refute json["user"].has_key?("activated") diff --git a/test/unit/organization_test.rb b/test/unit/organization_test.rb index 96d69c0..a0150eb 100644 --- a/test/unit/organization_test.rb +++ b/test/unit/organization_test.rb 
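Review bot: Setting `target_person.public_profile = true` and `target_person.visible = true` in `should 'show public fields to anonymous'` suggests that a field marked public is now only exposed when the profile itself is public, but no test asserts the converse, so a regression that shows "public" fields of a private profile would go unnoticed. Add the negative case below. `'USER_PASSWORD'` is again a quoted literal rather than the constant.
```ruby
should 'hide public fields of a private profile to anonymous' do
  target_person = User.create!(:login => 'user1', :password => USER_PASSWORD, :password_confirmation => USER_PASSWORD, :email => 'test2@test.org', :environment => environment).person
  target_person.fields_privacy = {:email => 'public'}
  target_person.public_profile = false
  target_person.save!

  get "/api/v1/users/#{target_person.user.id}/?#{params.to_query}"
  json = JSON.parse(last_response.body)
  refute json["user"].has_key?("email")
end
```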
@@ -458,7 +458,7 @@ class OrganizationTest < ActiveSupport::TestCase refute c.is_admin?(moderator) end - should 'fetch organizations there are visible for a user' do + should 'fetch organizations that are visible for users' do person = create_user('some-person').person admin = create_user('some-admin').person env_admin = create_user('env-admin').person 
@@ -513,18 +513,58 @@ class OrganizationTest < ActiveSupport::TestCase assert_includes env_admin_orgs, o7 end - should 'fetch organizations there are visible for a visitor' do - visitor = nil - Organization.destroy_all + should 'fetch organizations that are listed for users' do + person = create_user('some-person').person + admin = create_user('some-admin').person + env_admin = create_user('env-admin').person + o1 = fast_create(Organization, :public_profile => true , :visible => true ) - o2 = fast_create(Organization, :public_profile => false, :visible => true ) - o3 = fast_create(Organization, :public_profile => true , :visible => false) - o4 = fast_create(Organization, :public_profile => false, :visible => false) - person_orgs = Organization.visible_for_person(visitor) - assert_includes person_orgs, o1 - assert_not_includes person_orgs, o2 - assert_not_includes person_orgs, o3 - assert_not_includes person_orgs, o4 - end + o1.add_admin(admin) + o1.add_member(person) + + o2 = fast_create(Organization, :public_profile => true , :visible => true ) + o3 = fast_create(Organization, :public_profile => false, :visible => true ) + + o4 = fast_create(Organization, :public_profile => false, :visible => true) + o4.add_admin(admin) + o4.add_member(person) + + o5 = fast_create(Organization, :public_profile => true , :visible => false) + o5.add_admin(admin) + o5.add_member(person) + + o6 = fast_create(Enterprise, :enabled => false, :visible => true) + o6.add_admin(admin) + + o7 = fast_create(Organization, :public_profile => false, :visible => false) + + Environment.default.add_admin(env_admin) + + person_orgs = Organization.listed_for_person(person) + admin_orgs = Organization.listed_for_person(admin) + env_admin_orgs = Organization.listed_for_person(env_admin) + + assert_includes person_orgs, o1 + assert_includes admin_orgs, o1 + assert_includes env_admin_orgs, o1 + + assert_includes person_orgs, o2 + assert_includes env_admin_orgs, o2 + assert_includes person_orgs, o3 + 
assert_includes env_admin_orgs, o3 + + assert_includes person_orgs, o4 + assert_includes admin_orgs, o4 + assert_includes env_admin_orgs, o4 + + assert_not_includes person_orgs, o5 + assert_includes admin_orgs, o5 + assert_includes env_admin_orgs, o5 + assert_not_includes person_orgs, o6 + assert_includes admin_orgs, o6 + + assert_not_includes person_orgs, o7 + assert_includes env_admin_orgs, o7 + end end diff --git a/test/unit/person_test.rb b/test/unit/person_test.rb index 9e69b60..440a8f6 100644 --- a/test/unit/person_test.rb +++ b/test/unit/person_test.rb @@ -1951,17 +1951,4 @@ class PersonTest < ActiveSupport::TestCase person.save! end - should 'fetch people there are visible for a visitor' do - person = nil - p1 = fast_create(Person, :public_profile => true , :visible => true) - p2 = fast_create(Person, :public_profile => false, :visible => true) - p3 = fast_create(Person, :public_profile => true , :visible => false) - p4 = fast_create(Person, :public_profile => false, :visible => false) - people_visible_by_visitor = Person.visible_for_person(person) - assert_includes people_visible_by_visitor, p1 - assert_not_includes people_visible_by_visitor, p2 - assert_not_includes people_visible_by_visitor, p3 - assert_not_includes people_visible_by_visitor, p4 - end - end -- libgit2 0.21.2
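Review bot: The removed test was the only coverage of the visitor case (`Organization.visible_for_person(nil)` with `visitor = nil`), and the new 'listed for users' test does not replace it, so there is no longer any assertion that an unauthenticated caller is denied non-public or invisible organizations; the same diff also deletes the equivalent `Person.visible_for_person(nil)` test further down, leaving the anonymous authorization path of both scopes untested. Either restore a visitor case for `listed_for_person(nil)` and `visible_for_person(nil)` asserting that only `public_profile: true, visible: true` organizations are returned, or assert that a `nil` person is rejected explicitly rather than allowed to fall through to whatever the SQL does with a nil id. Independently, the new test asserts what `admin` can see only for organizations it administers: add `assert_not_includes admin_orgs, o7` (private and invisible, admin is not a member) and `assert_includes admin_orgs, o2` / `assert_includes admin_orgs, o3` so that the admin role is shown to neither leak nor lose visibility relative to a plain member.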
