Commit 44d8600f63ac4267f4fd9644183c2d7a9f9d23e9

Authored by André Guedes
Committed by Rodrigo Souto
1 parent c26f9ef6

Fixed permission on tasks API mount point

Signed-off-by: André Bernardes <andrebsguedes@gmail.com>
Signed-off-by: Eduardo Vital <vitaldu@gmail.com>
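--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -83,14 +83,12 @@ module Noosfero
 present articles, :with => Entities::Article, :fields => params[:fields]
 end
 
-def find_task(tasks, id)
-task = tasks.find(id)
-task.display_to?(current_user.person) ? task : forbidden!
+def find_task(asset, id)
+task = asset.tasks.find(id)
+current_person.has_permission?(task.permission, asset) ? task : forbidden!
 end
 
 def post_task(asset, params)
-return forbidden! unless current_person.has_permission?(:perform_task, asset)
-
 klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
 return forbidden! unless TASK_TYPES.include?(klass_type)
 
@@ -106,7 +104,7 @@ module Noosfero
 end
 
 def present_task(asset)
-task = find_task(asset.tasks, params[:id])
+task = find_task(asset, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
 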
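Review bot: `post_task` now instantiates `klass_type` with no authorization check at all — the `:perform_task` guard is removed and the only remaining gate is `TASK_TYPES.include?(klass_type)`, so any authenticated caller can open any listed task type against any asset. If that is deliberate (the caller becomes the requestor and `perform_task` only gates acceptance), the method should say so, e.g. `# no creation-side permission: the caller is the requestor; perform_task gates acceptance (see find_task)`; otherwise a creation-side check belongs here rather than being left to the model. Separately, `asset.tasks.find(id)` in `find_task` raises before the permission test, so an unauthorized caller gets a not-found response for ids that do not exist and `forbidden!` for ids that do, which lets task ids be enumerated; `asset.tasks.find_by_id(id)` followed by one combined `forbidden!`/not-found decision (using whichever not-found helper this module has) would remove that oracle. The body of `post_task` continues outside the hunk, so a check placed later in the method cannot be ruled out from here.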
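--- a/lib/noosfero/api/v1/tasks.rb
+++ b/lib/noosfero/api/v1/tasks.rb
@@ -18,18 +18,16 @@ module Noosfero
 # Example Request:
 # GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
 get do
-#FIXME check for permission
 tasks = select_filtered_collection_of(environment, 'tasks', params)
+tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
 present tasks, :with => Entities::Task, :fields => params[:fields]
 end
 
 desc "Return the task id"
 get ':id' do
-task = find_task(environment.tasks, params[:id])
+task = find_task(environment, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
-
-
 end
 
 kinds = %w[community person enterprise]
@@ -55,134 +53,6 @@ module Noosfero
 end
 end
 end
-
-
-resource :communities do
-segment '/:community_id' do
-resource :tasks do
-get do
-#FIXME check for permission
-community = environment.communities.find(params[:community_id])
-tasks = select_filtered_collection_of(community, 'tasks', params)
-present tasks, :with => Entities::Task, :fields => params[:fields]
-end
-
-get ':id' do
-community = environment.communities.find(params[:community_id])
-task = find_task(community.tasks, params[:id])
-present task, :with => Entities::Task, :fields => params[:fields]
-end
-
-# Example Request:
-# POST api/v1/communites/:community_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
-post do
-community = environment.communities.find(params[:community_id])
-#FIXME see the correct permission
-return forbidden! unless current_person.can_post_content?(community)
-#FIXME check the task type before create
-klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
-# return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-#
-task = klass_type.constantize.new(params[:task])
-task.requestor = current_person
-task.target = community
-
-if !task.save
-render_api_errors!(task.errors.full_messages)
-end
-present task, :with => Entities::Task, :fields => params[:fields]
-end
-
-end
-end
-
-end
-
-# resource :people do
-# segment '/:person_id' do
-# resource :tasks do
-# get do
-# # person = environment.people.find(params[:person_id])
-# # articles = select_filtered_collection_of(person, 'articles', params)
-# # articles = articles.display_filter(current_person, person)
-# tasks = Task.all
-# present tasks, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# get ':id' do
-# # person = environment.people.find(params[:person_id])
-# # article = find_article(person.articles, params[:id])
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# post do
-# # person = environment.people.find(params[:person_id])
-# # return forbidden! unless current_person.can_post_content?(person)
-# #
-# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
-# # return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-# #
-# # article = klass_type.constantize.new(params[:article])
-# # article.last_changed_by = current_person
-# # article.created_by= current_person
-# # article.profile = person
-# #
-# # if !article.save
-# # render_api_errors!(article.errors.full_messages)
-# # end
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# end
-# end
-
-# end
-
-# resource :enterprises do
-# segment '/:enterprise_id' do
-# resource :tasks do
-# get do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # articles = select_filtered_collection_of(enterprise, 'articles', params)
-# # articles = articles.display_filter(current_person, enterprise)
-# tasks = Task.all
-# present tasks, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# get ':id' do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # article = find_article(enterprise.articles, params[:id])
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# post do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # return forbidden! unless current_person.can_post_content?(enterprise)
-# #
-# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
-# # return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-# #
-# # article = klass_type.constantize.new(params[:article])
-# # article.last_changed_by = current_person
-# # article.created_by= current_person
-# # article.profile = enterprise
-# #
-# # if !article.save
-# # render_api_errors!(article.errors.full_messages)
-# # end
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# end
-# end
-
-# end
-
-
 end
 end
 end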
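Review bot: The permission filter added to the index runs in Ruby after `select_filtered_collection_of(environment, 'tasks', params)` has built the result, so whatever `limit`/offset that helper takes from `params` (the example request above passes `limit=10`) is applied before authorization, and a page can come back shorter than requested or empty while later pages still hold visible tasks; the filter should run before pagination, or the caller should be told the limit is an upper bound. The block also calls `current_person.has_permission?` once per row even though the target is the constant `environment`, so the answer depends only on `t.permission`; memoizing per permission keeps the per-request cost bounded by the number of distinct task permissions rather than the number of rows: `allowed = Hash.new {|h, perm| h[perm] = current_person.has_permission?(perm, environment)}` followed by `tasks = tasks.select {|t| allowed[t.permission]}`. Both the index and `get ':id'` now assume `current_person` is non-nil, which presumably relies on an `authenticate!` before this mount point that is not visible in the hunk; if it is absent, an anonymous request fails with a 500 instead of a 401.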