Commit f3f08e743107263318ac2a4d5db3bb77131f0868

Authored by Victor Costa
2 parents 3290adaf 3aab4dac

Merge branch 'api-profile-permissions' into 'master'

api: return permissions for user in profile entity



See merge request !950
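--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -121,6 +121,10 @@ module Api
 expose :type
 expose :custom_header
 expose :custom_footer
+expose :permissions do |profile, options|
+Entities.permissions_for_entity(profile, options[:current_person],
+:allow_post_content?, :allow_edit?, :allow_destroy?)
+end
 end
 
 class UserBasic < Entity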
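Review bot: The new `:permissions` block reads `options[:current_person]`, which is only populated when a `present` call passes `:current_person`, and nothing in the block documents that dependency. `Entities.permissions_for_entity` is not visible here, but given the nil handling added in app/models/profile.rb, a call site that omits the option would presumably report no permissions without any error. A comment above the expose would help, for example `# Advisory for API clients only: endpoints must still call allow_*? themselves. options[:current_person] may be nil.`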
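--- a/app/api/v1/profiles.rb
+++ b/app/api/v1/profiles.rb
@@ -27,7 +27,7 @@ module Api
 post ':id' do
 authenticate!
 profile = environment.profiles.find_by(id: params[:id])
-return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+return forbidden! unless profile.allow_edit?(current_person)
 profile.update_attributes!(params[:profile])
 present profile, :with => Entities::Profile, :current_person => current_person
 end
@@ -39,7 +39,7 @@ module Api
 
 not_found! if profile.blank?
 
-if current_person.has_permission?(:destroy_profile, profile)
+if profile.allow_destroy?(current_person)
 profile.destroy
 else
 forbidden!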
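Review bot: In the `post ':id'` handler the new guard calls `profile.allow_edit?(current_person)` on the result of `find_by`, which is nil for an unknown id, so the request would raise NoMethodError instead of returning a clean 404 or 403. The handler in the second hunk already guards this case; add the same line before the permission check in the first one: `not_found! if profile.blank?`. Separately, `profile.update_attributes!(params[:profile])` hands the request hash straight to the model. Attribute whitelisting is not visible in this hunk, so confirm that role- or ownership-related attributes cannot be set through this endpoint. The second handler starts and ends outside the lines shown.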
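--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -567,7 +567,7 @@ class Article &lt; ApplicationRecord
 
 def allow_post_content?(user = nil)
 return true if allow_edit_topic?(user)
-user && (user.has_permission?('post_content', profile) || allow_publish_content?(user) && (user == author))
+user && (profile.allow_post_content?(user) || allow_publish_content?(user) && (user == author))
 end
 
 def allow_publish_content?(user = nil)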
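Review bot: The authorization expression on the changed line of `allow_post_content?` mixes `||` and `&&` without grouping, so a reader has to rely on operator precedence to see that `user == author` qualifies only `allow_publish_content?(user)`. Make the grouping explicit: `user && (profile.allow_post_content?(user) || (allow_publish_content?(user) && user == author))`. The line now also assumes the article's `profile` is never nil. Because of the `kind_of?(Profile)` guard added in app/models/profile.rb, the first branch also denies any `user` that is not a `Profile`, and a one-line comment stating that would make the behaviour change visible.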
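--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -1137,4 +1137,15 @@ private :generate_url, :url_options
 false
 end
 
+def allow_post_content?(person = nil)
+person.kind_of?(Profile) && person.has_permission?('post_content', self)
+end
+
+def allow_edit?(person = nil)
+person.kind_of?(Profile) && person.has_permission?('edit_profile', self)
+end
+
+def allow_destroy?(person = nil)
+person.kind_of?(Profile) && person.has_permission?('destroy_profile', self)
+end
 end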
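Review bot: The new predicates pass the permission name as a string (`'edit_profile'`, `'destroy_profile'`), while the API call sites they replace in app/api/v1/profiles.rb passed symbols (`:edit_profile`, `:destroy_profile`). `has_permission?` is not visible here, so confirm it treats both forms identically; otherwise this refactor silently changes who passes the check. These methods are now the authorization gate for the API, so each deserves a short comment such as `# True only when person is a Profile holding 'edit_profile' on this profile; nil and non-Profile callers are denied.` The three bodies differ only in the permission name and could share one private helper, so the nil and type guard lives in a single place.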
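--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -191,4 +191,13 @@ class ProfilesTest &lt; ActiveSupport::TestCase
 post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
 assert_equal 403, last_response.status
 end
+
+should 'list profile permissions when get an article' do
+login_api
+profile = fast_create(Profile)
+give_permission(person, 'post_content', profile)
+get "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+json = JSON.parse(last_response.body)
+assert_includes json["permissions"], 'allow_post_content'
+end
 end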
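Review bot: The added test covers only the granted case, so it would still pass if the entity reported every permission to every caller. Since the person is given only `'post_content'`, the same test can also pin the denied side, assuming the test user holds no other role on the profile: `assert_not_includes json["permissions"], 'allow_edit'` and `assert_not_includes json["permissions"], 'allow_destroy'`. A second case for an unauthenticated request would cover the nil `current_person` path. The test name says "when get an article" although the request fetches a profile; `'list profile permissions when getting a profile'` would match what it does.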
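--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -2204,4 +2204,24 @@ class ProfileTest &lt; ActiveSupport::TestCase
 assert_not_includes profiles, p3
 assert_not_includes profiles, p4
 end
+
+['post_content', 'edit_profile', 'destroy_profile'].each do |permission|
+should "return true in #{permission} when user has this permission" do
+profile = fast_create(Profile)
+person = fast_create(Person)
+give_permission(person, permission, profile)
+assert profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+end
+
+should "return false in #{permission} when user doesn't have this permission" do
+profile = fast_create(Profile)
+person = fast_create(Person)
+assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+end
+
+should "return false in #{permission} when user is nil" do
+profile = fast_create(Profile)
+assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", nil)
+end
+end
 end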
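Review bot: All three generated tests invoke the predicates through `send`, which bypasses method visibility, so they would keep passing if `allow_edit?` and its siblings ended up private, even though the API calls them directly. Use `public_send` instead, for example `assert profile.public_send("allow_#{permission.gsub(/_profile/,'')}?", person)`. Deriving the method name with `gsub` also hides which predicate maps to which permission. An explicit table such as `{ 'post_content' => :allow_post_content?, 'edit_profile' => :allow_edit?, 'destroy_profile' => :allow_destroy? }` would make the tests fail loudly if a permission is renamed.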