api: do not list forbidden blocks in boxes endpoint

Victor Costa
1 parent 6761d8c0
Showing 2 changed files with 25 additions and 1 deletions Show diff stats
app/api/entities.rb
test/api/boxes_test.rb
@@ -93,7 +93,9 @@ module Api
     class Box < Entity
       root 'boxes', 'box'
       expose :id, :position
-      expose :blocks, :using => Block
+      expose :blocks, :using => Block do |box, options|
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+      end
     end
     class Profile < Entity
@@ -47,4 +47,26 @@ class BoxesTest &lt; ActiveSupport::TestCase
     json = JSON.parse(last_response.body)
     assert !json["boxes"].first["blocks"].first.key?('api_content')
   end
+
+  should 'get blocks from boxes' do
+    Environment.delete_all
+    environment = fast_create(Environment, :is_default => true)
+    box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment')
+    block = fast_create(Block, box_id: box.id)
+    get "/api/v1/environments/default/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+  end
+
+  should 'not list a block for not logged users' do
+    logout_api
+    profile = fast_create(Profile)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    block.display = 'never'
+    block.save!
+    get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
+  end
 end
	@@ -47,4 +47,26 @@ class BoxesTest < ActiveSupport::TestCase		@@ -47,4 +47,26 @@ class BoxesTest < ActiveSupport::TestCase
47	json = JSON.parse(last_response.body)	47	json = JSON.parse(last_response.body)
48	assert !json["boxes"].first["blocks"].first.key?('api_content')	48	assert !json["boxes"].first["blocks"].first.key?('api_content')
49	end	49	end
		50	+
		51	+ should 'get blocks from boxes' do
		52	+ Environment.delete_all
		53	+ environment = fast_create(Environment, :is_default => true)
		54	+ box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment')
		55	+ block = fast_create(Block, box_id: box.id)
		56	+ get "/api/v1/environments/default/boxes?#{params.to_query}"
		57	+ json = JSON.parse(last_response.body)
		58	+ assert_equal [block.id], json["boxes"].first["blocks"].map {\|b\| b['id']}
		59	+ end
		60	+
		61	+ should 'not list a block for not logged users' do
		62	+ logout_api
		63	+ profile = fast_create(Profile)
		64	+ box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
		65	+ block = fast_create(Block, box_id: box.id)
		66	+ block.display = 'never'
		67	+ block.save!
		68	+ get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
		69	+ json = JSON.parse(last_response.body)
		70	+ assert_equal [], json["boxes"].first["blocks"].map {\|b\| b['id']}
		71	+ end
50	end	72	end