Commit e73ac0c3f642bcaafd522b436877577ee260470e
Merge branch 'display-blocks' into 'master'
Do not list boxes and blocks for users without permission in boxes endpoint See merge request !925
Showing
3 changed files
with
35 additions
and
1 deletions
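--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -93,7 +93,9 @@ module Api
 class Box < Entity
 root 'boxes', 'box'
 expose :id, :position
-expose :blocks, :using => Block
+expose :blocks, :using => Block do |box, options|
+box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+end
 end
 
 class Profile < Entity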
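Review bot: The new exposure block evaluates visibility against `options[:current_person]`, but the only caller changed in this commit, `present profile.boxes, :with => Entities::Box` in app/api/v1/boxes.rb, passes no `:current_person`, so unless a helper injects it into the entity options the filter runs with nil on every request and a logged-in viewer is treated as anonymous. That direction fails closed (it hides rather than leaks), but it silently drops blocks the viewer is allowed to see, and the test hunk only exercises the logged-out case so the gap is not caught. Pass the viewer explicitly at the call site: `present profile.boxes, :with => Entities::Box, :current_person => current_person`. A one-line comment above the `expose` would also help future callers: `# Block visibility is decided against options[:current_person]; every presenter must pass it.`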
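--- a/app/api/v1/boxes.rb
+++ b/app/api/v1/boxes.rb
@@ -12,6 +12,7 @@ module Api
 resource :boxes do
 get do
 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+return forbidden! unless profile.display_info_to?(current_person)
 present profile.boxes, :with => Entities::Box
 end
 end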
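Review bot: `return forbidden!` mixes two exit mechanisms on the added line: if `forbidden!` is built on Grape's `error!`, as such helpers usually are, it throws and the `return` is dead code, and if it is not, a plain `return` inside a Grape `get do` block would return the helper's value as the response body rather than a 403. The test hunk only asserts the status, so either implementation would pass it. Use the guard without `return`, `forbidden! unless profile.display_info_to?(current_person)`, and let the helper terminate the request; if `forbidden!` is defined to return instead of throw, the body of this route needs the explicit `return` and a comment saying so. The permission check correctly sits before `present`, so nothing about the private profile is serialized when it fails.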
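--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -47,4 +47,35 @@ class BoxesTest < ActiveSupport::TestCase
 json = JSON.parse(last_response.body)
 assert !json["boxes"].first["blocks"].first.key?('api_content')
 end
+
+should 'get blocks from boxes' do
+Environment.delete_all
+environment = fast_create(Environment, :is_default => true)
+box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment')
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/environments/default/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
+should 'not list a block for not logged users' do
+logout_api
+profile = fast_create(Profile)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+block.display = 'never'
+block.save!
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
+end
+
+should 'not list boxes for user without permission' do
+profile = fast_create(Profile, public_profile: false)
+box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+block = fast_create(Block, box_id: box.id)
+get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_equal 403, last_response.status
+end
 end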
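Review bot: The three new tests cover only the anonymous and forbidden paths, so the block filter added in app/api/entities.rb is never exercised with a logged-in viewer, and a filter that always sees a nil `current_person` would pass all of them. Add a case that logs in as a person allowed to see the profile, creates a block whose `display` hides it from anonymous users but not from that person, and asserts its id is present in `json["boxes"].first["blocks"]`. In `'not list boxes for user without permission'` the `json = JSON.parse(last_response.body)` line and the `block` local are unused; drop the parse (a 403 body is not JSON the test inspects) and rename the local to `_block` or drop the assignment. In `'not list a block for not logged users'`, `block.display = 'never'` followed by `block.save!` can be `fast_create(Block, box_id: box.id, display: 'never')` if `fast_create` accepts that attribute, which keeps the fixture on one line.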