Commit d5e6dc97348b29e806c1cefef50680648c559cd6
1 parent
da0f17cb
Exists in
ratings_minor_fixes
and in
3 other branches
api: do not list boxes for users without permission
Showing
2 changed files
with
10 additions
and
0 deletions
Show diff stats
app/api/v1/boxes.rb
| ... | ... | @@ -12,6 +12,7 @@ module Api |
| 12 | 12 | resource :boxes do |
| 13 | 13 | get do |
| 14 | 14 | profile = environment.send(kind.pluralize).find(params["#{kind}_id"]) |
| 15 | + return forbidden! unless profile.display_info_to?(current_person) | |
| 15 | 16 | present profile.boxes, :with => Entities::Box |
| 16 | 17 | end |
| 17 | 18 | end | ... | ... |
test/api/boxes_test.rb
| ... | ... | @@ -69,4 +69,13 @@ class BoxesTest < ActiveSupport::TestCase |
| 69 | 69 | json = JSON.parse(last_response.body) |
| 70 | 70 | assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']} |
| 71 | 71 | end |
| 72 | + | |
| 73 | + should 'not list boxes for user without permission' do | |
| 74 | + profile = fast_create(Profile, public_profile: false) | |
| 75 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | |
| 76 | + block = fast_create(Block, box_id: box.id) | |
| 77 | + get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}" | |
| 78 | + json = JSON.parse(last_response.body) | |
| 79 | + assert_equal 403, last_response.status | |
| 80 | + end | |
| 72 | 81 | end | ... | ... |