Commit e73ac0c3f642bcaafd522b436877577ee260470e
Exists in
ratings_minor_fixes
and in
3 other branches
Merge branch 'display-blocks' into 'master'
Do not list boxes and blocks for users without permission in boxes endpoint See merge request !925
Showing
3 changed files
with
35 additions
and
1 deletions
Show diff stats
app/api/entities.rb
| @@ -93,7 +93,9 @@ module Api | @@ -93,7 +93,9 @@ module Api | ||
| 93 | class Box < Entity | 93 | class Box < Entity |
| 94 | root 'boxes', 'box' | 94 | root 'boxes', 'box' |
| 95 | expose :id, :position | 95 | expose :id, :position |
| 96 | - expose :blocks, :using => Block | 96 | + expose :blocks, :using => Block do |box, options| |
| 97 | + box.blocks.select {|block| block.visible_to_user?(options[:current_person]) } | ||
| 98 | + end | ||
| 97 | end | 99 | end |
| 98 | 100 | ||
| 99 | class Profile < Entity | 101 | class Profile < Entity |
app/api/v1/boxes.rb
| @@ -12,6 +12,7 @@ module Api | @@ -12,6 +12,7 @@ module Api | ||
| 12 | resource :boxes do | 12 | resource :boxes do |
| 13 | get do | 13 | get do |
| 14 | profile = environment.send(kind.pluralize).find(params["#{kind}_id"]) | 14 | profile = environment.send(kind.pluralize).find(params["#{kind}_id"]) |
| 15 | + return forbidden! unless profile.display_info_to?(current_person) | ||
| 15 | present profile.boxes, :with => Entities::Box | 16 | present profile.boxes, :with => Entities::Box |
| 16 | end | 17 | end |
| 17 | end | 18 | end |
test/api/boxes_test.rb
| @@ -47,4 +47,35 @@ class BoxesTest < ActiveSupport::TestCase | @@ -47,4 +47,35 @@ class BoxesTest < ActiveSupport::TestCase | ||
| 47 | json = JSON.parse(last_response.body) | 47 | json = JSON.parse(last_response.body) |
| 48 | assert !json["boxes"].first["blocks"].first.key?('api_content') | 48 | assert !json["boxes"].first["blocks"].first.key?('api_content') |
| 49 | end | 49 | end |
| 50 | + | ||
| 51 | + should 'get blocks from boxes' do | ||
| 52 | + Environment.delete_all | ||
| 53 | + environment = fast_create(Environment, :is_default => true) | ||
| 54 | + box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment') | ||
| 55 | + block = fast_create(Block, box_id: box.id) | ||
| 56 | + get "/api/v1/environments/default/boxes?#{params.to_query}" | ||
| 57 | + json = JSON.parse(last_response.body) | ||
| 58 | + assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']} | ||
| 59 | + end | ||
| 60 | + | ||
| 61 | + should 'not list a block for not logged users' do | ||
| 62 | + logout_api | ||
| 63 | + profile = fast_create(Profile) | ||
| 64 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | ||
| 65 | + block = fast_create(Block, box_id: box.id) | ||
| 66 | + block.display = 'never' | ||
| 67 | + block.save! | ||
| 68 | + get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}" | ||
| 69 | + json = JSON.parse(last_response.body) | ||
| 70 | + assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']} | ||
| 71 | + end | ||
| 72 | + | ||
| 73 | + should 'not list boxes for user without permission' do | ||
| 74 | + profile = fast_create(Profile, public_profile: false) | ||
| 75 | + box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name) | ||
| 76 | + block = fast_create(Block, box_id: box.id) | ||
| 77 | + get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}" | ||
| 78 | + json = JSON.parse(last_response.body) | ||
| 79 | + assert_equal 403, last_response.status | ||
| 80 | + end | ||
| 50 | end | 81 | end |