From e43f331f6d7a2aa90134841560c804486155b3fd Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Mon, 23 May 2016 13:17:00 -0300
Subject: [PATCH] api: add endpoint to update profiles
---
 app/api/v1/profiles.rb | 9 +++++++++
 test/api/profiles_test.rb | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 0 deletions(-)
diff --git a/app/api/v1/profiles.rb b/app/api/v1/profiles.rb
index 9678229..6c84a99 100644
--- a/app/api/v1/profiles.rb
+++ b/app/api/v1/profiles.rb
@@ -22,6 +22,15 @@ module Api
 not_found!
 end
 end
+
+ desc "Update profile information"
+ post ':id' do
+ authenticate!
+ profile = environment.profiles.find_by(id: params[:id])
+ return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+ profile.update_attributes!(params[:profile])
+ present profile, :with => Entities::Profile, :current_person => current_person
+ end
 delete ':id' do
 authenticate!
diff --git a/test/api/profiles_test.rb b/test/api/profiles_test.rb
index 25308ee..fae94f5 100644
--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
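Review bot: `profile.update_attributes!(params[:profile])` in the new `post ':id'` block passes the whole client-supplied hash to the model, so the `:edit_profile` check decides who may edit but nothing in the hunk limits which attributes they may set. Unless the model restricts mass assignment itself (not visible here), pass an explicit allow-list, e.g. `profile.update_attributes!(params[:profile].slice(:custom_header))`, where `:custom_header` is only the field the tests use and stands in for the real list. `find_by` also returns nil for an unknown id and that nil goes straight into `has_permission?`; `return not_found! unless profile` after the lookup would match the `not_found!` call in the context lines above. The resource block that encloses this endpoint starts and ends outside the hunk.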
@@ -146,4 +146,49 @@ class ProfilesTest < ActiveSupport::TestCase
 refute json.has_key?('Rating')
 end
+ [Community, Enterprise].each do |klass|
+ should "update #{klass.name}" do
+ login_api
+ profile = fast_create(klass)
+ profile.add_admin(person)
+ params[:profile] = {}
+ params[:profile][:custom_header] = "Another Header"
+ post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ assert_equal "Another Header", profile.reload.custom_header
+ end
+
+ should "not update a #{klass.name} if user does not have permission" do
+ login_api
+ profile = fast_create(klass)
+ params[:profile] = {}
+ params[:profile][:custom_header] = "Another Header"
+ post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ assert_equal 403, last_response.status
+ end
+
+ should "not update a #{klass.name} if user is not logged in" do
+ profile = fast_create(klass)
+ params[:profile] = {}
+ params[:profile][:custom_header] = "Another Header"
+ post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ assert_equal 401, last_response.status
+ end
+ end
+
+ should 'update person' do
+ login_api
+ params[:profile] = {}
+ params[:profile][:custom_header] = "Another Header"
+ post "/api/v1/profiles/#{person.id}?#{params.to_query}"
+ assert_equal "Another Header", person.reload.custom_header
+ end
+
+ should 'not update person information if user does not have permission' do
+ login_api
+ profile = fast_create(Person)
+ params[:profile] = {}
+ params[:profile][:custom_header] = "Another Header"
+ post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ assert_equal 403, last_response.status
+ end
 end
-- libgit2 0.21.2
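Review bot: None of the added cases posts to an id that does not exist or sends a `params[:profile]` key other than `custom_header`, so the two inputs the endpoint does not visibly guard against are left untested. I would add one `should` that posts to an unused id and asserts the intended status, and one that sends an attribute the caller must not be able to change and asserts it is unchanged after `profile.reload`. The test class starts outside the hunk.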