Commit e73ac0c3f642bcaafd522b436877577ee260470e

Authored by Leandro Santos
2 parents f6358b74 d5e6dc97

Merge branch 'display-blocks' into 'master'

Do not list boxes and blocks for users without permission in boxes endpoint



See merge request !925
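--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -93,7 +93,9 @@ module Api
 class Box < Entity
 root 'boxes', 'box'
 expose :id, :position
-expose :blocks, :using => Block
+expose :blocks, :using => Block do |box, options|
+box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+end
 end
 
 class Profile < Entity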
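Review bot: The new expose block filters on `options[:current_person]`, but nothing in the hunk shows that every presenter of Entities::Box supplies that option; the boxes endpoint changed in this same commit calls `present profile.boxes, :with => Entities::Box` with no explicit `:current_person`, so unless a project-level `present` helper merges it in, `visible_to_user?` is evaluated with nil for logged-in callers as well and blocks they should see are silently dropped. The only test that exercises the filter is the logged-out case, which cannot distinguish "nil because anonymous" from "nil because the option was never passed". A comment above the block stating the contract would make the dependency visible, e.g. `# expects the presenter to pass :current_person in options; a nil person is presumably treated as an anonymous visitor`. The enclosing module starts outside the hunk.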
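--- a/app/api/v1/boxes.rb
+++ b/app/api/v1/boxes.rb
@@ -12,6 +12,7 @@ module Api
 resource :boxes do
 get do
 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+return forbidden! unless profile.display_info_to?(current_person)
 present profile.boxes, :with => Entities::Box
 end
 end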
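Review bot: `return forbidden!` on the added line is ambiguous about what actually stops the request: if `forbidden!` is built on Grape's `error!` (which throws), the `return` is dead and misleads a reader into thinking execution could otherwise fall through to `present`; if `forbidden!` merely returns a value, then the `return` is the only thing preventing the boxes from being presented, which is fragile for an authorization guard. Worth confirming which it is and, in the former case, writing it as `forbidden! unless profile.display_info_to?(current_person)`. Separately, the guard runs after `find`, so a private profile and a nonexistent id now answer with different statuses (403 vs 404); that shape predates this change, but it is worth a one-line comment if revealing that a private profile id exists is acceptable here.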
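--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -47,4 +47,35 @@ class BoxesTest < ActiveSupport::TestCase
 json = JSON.parse(last_response.body)
 assert !json["boxes"].first["blocks"].first.key?('api_content')
 end
+
+should 'get blocks from boxes' do
+Environment.delete_all
+environment = fast_create(Environment, :is_default => true)
+box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment')
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/environments/default/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
+should 'not list a block for not logged users' do
+logout_api
+profile = fast_create(Profile)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+block.display = 'never'
+block.save!
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
+should 'not list boxes for user without permission' do
+profile = fast_create(Profile, public_profile: false)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 403, last_response.status
+end
 end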
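Review bot: The third new case, 'not list boxes for user without permission', assigns `block` and `json` but never uses either, and it never states who the caller is: it relies on whatever user the surrounding setup logs in, so it would pass equally for an anonymous request and does not actually pin the "logged in but without permission" path the commit message describes. The two unused lines can go, and the case would be stronger with an explicit caller plus the complementary positive check (the private profile's owner, or a member with the relevant permission, still receives 200 and the boxes), since nothing in these tests shows `display_info_to?` returning true for a `public_profile: false` profile. The enclosing BoxesTest class starts outside the hunk.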