From 44d8600f63ac4267f4fd9644183c2d7a9f9d23e9 Mon Sep 17 00:00:00 2001
From: André Bernardes
Date: Wed, 1 Jul 2015 17:30:01 -0300
Subject: [PATCH] Fixed permission on tasks API mount point

---
 lib/noosfero/api/helpers.rb | 10 ++++------
 lib/noosfero/api/v1/tasks.rb | 134 ++------------------------------------------------------------------------------------------------------------------------------------
 2 files changed, 6 insertions(+), 138 deletions(-)

diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index 6d15eb8..54de70e 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -83,14 +83,12 @@ module Noosfero
 present articles, :with => Entities::Article, :fields => params[:fields]
 end
 
- def find_task(tasks, id)
- task = tasks.find(id)
- task.display_to?(current_user.person) ? task : forbidden!
+ def find_task(asset, id)
+ task = asset.tasks.find(id)
+ current_person.has_permission?(task.permission, asset) ? task : forbidden!
 end
 
 def post_task(asset, params)
- return forbidden! unless current_person.has_permission?(:perform_task, asset)
-
 klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
 return forbidden! unless TASK_TYPES.include?(klass_type)
 
@@ -106,7 +104,7 @@ module Noosfero
 end
 
 def present_task(asset)
- task = find_task(asset.tasks, params[:id])
+ task = find_task(asset, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
 
diff --git a/lib/noosfero/api/v1/tasks.rb b/lib/noosfero/api/v1/tasks.rb
index 7e581b7..feec86e 100644
--- a/lib/noosfero/api/v1/tasks.rb
+++ b/lib/noosfero/api/v1/tasks.rb
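Review bot: With the `return forbidden! unless current_person.has_permission?(:perform_task, asset)` line removed, the visible part of `post_task` no longer authorizes the caller against `asset` at all — the only gate left in the hunk is the `TASK_TYPES` allowlist on `klass_type`; `post_task`'s body continues outside the hunk, so if an equivalent check moved further down this is moot, but if the intent is that any authenticated person may open a request, that decision deserves a comment above the method such as `# Opening a request needs no asset-level permission; who may act on it is checked in find_task.` The new `find_task` also swaps `task.display_to?(current_user.person)` for `has_permission?(task.permission, asset)`, so a requestor who could previously view their own task but holds no such permission on `asset` would now receive `forbidden!` — worth confirming against the `display_to?` implementation, which is not in this diff. Behaviour for a task whose `permission` is `nil` likewise depends on what `has_permission?(nil, asset)` returns; a guard like `task.permission && current_person.has_permission?(task.permission, asset) ? task : forbidden!` makes the denial explicit rather than implicit.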
@@ -18,18 +18,16 @@ module Noosfero
 # Example Request:
 # GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
 get do
- #FIXME check for permission
 tasks = select_filtered_collection_of(environment, 'tasks', params)
+ tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
 present tasks, :with => Entities::Task, :fields => params[:fields]
 end
 
 desc "Return the task id"
 get ':id' do
- task = find_task(environment.tasks, params[:id])
+ task = find_task(environment, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
-
-
 end
 
 kinds = %w[community person enterprise]
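Review bot: The added `tasks.select {|t| current_person.has_permission?(t.permission, environment)}` filters in Ruby after `select_filtered_collection_of` has already built the collection, so if that helper applies `limit`/offset from `params` (the example request above passes `limit=10`) a page can come back short or empty even though viewable tasks exist past the cut-off, and each element costs a separate `has_permission?` evaluation. If the helper's limit cannot be moved after the permission filter, the `# Example Request:` comment should at least state it: `# Only tasks the requesting person may act on are listed; a page may hold fewer than `limit` entries.` A task with a `nil` `permission` is silently included or excluded depending on how `has_permission?(nil, environment)` behaves, so `t.permission && current_person.has_permission?(t.permission, environment)` would make that case explicit. Style-wise the block should read `{ |t| ... }` with spaces inside the braces, as in the rest of the file.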
@@ -55,134 +53,6 @@ module Noosfero end end end - - - resource :communities do - segment '/:community_id' do - resource :tasks do - get do - #FIXME check for permission - community = environment.communities.find(params[:community_id]) - tasks = select_filtered_collection_of(community, 'tasks', params) - present tasks, :with => Entities::Task, :fields => params[:fields] - end - - get ':id' do - community = environment.communities.find(params[:community_id]) - task = find_task(community.tasks, params[:id]) - present task, :with => Entities::Task, :fields => params[:fields] - end - - # Example Request: - # POST api/v1/communites/:community_id/articles?private_token=234298743290432&article[name]=title&article[body]=body - post do - community = environment.communities.find(params[:community_id]) -#FIXME see the correct permission - return forbidden! unless current_person.can_post_content?(community) -#FIXME check the task type before create - klass_type= params[:content_type].nil? ? 'Task' : params[:content_type] -# return forbidden! 
unless ARTICLE_TYPES.include?(klass_type) -# - task = klass_type.constantize.new(params[:task]) - task.requestor = current_person - task.target = community - - if !task.save - render_api_errors!(task.errors.full_messages) - end - present task, :with => Entities::Task, :fields => params[:fields] - end - - end - end - - end - -# resource :people do -# segment '/:person_id' do -# resource :tasks do -# get do -# # person = environment.people.find(params[:person_id]) -# # articles = select_filtered_collection_of(person, 'articles', params) -# # articles = articles.display_filter(current_person, person) -# tasks = Task.all -# present tasks, :with => Entities::Task, :fields => params[:fields] -# end - -# get ':id' do -# # person = environment.people.find(params[:person_id]) -# # article = find_article(person.articles, params[:id]) -# task = Task.first -# present task, :with => Entities::Task, :fields => params[:fields] -# end - -# post do -# # person = environment.people.find(params[:person_id]) -# # return forbidden! unless current_person.can_post_content?(person) -# # -# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type] -# # return forbidden! 
unless ARTICLE_TYPES.include?(klass_type) -# # -# # article = klass_type.constantize.new(params[:article]) -# # article.last_changed_by = current_person -# # article.created_by= current_person -# # article.profile = person -# # -# # if !article.save -# # render_api_errors!(article.errors.full_messages) -# # end -# task = Task.first -# present task, :with => Entities::Task, :fields => params[:fields] -# end - -# end -# end - -# end - -# resource :enterprises do -# segment '/:enterprise_id' do -# resource :tasks do -# get do -# # enterprise = environment.enterprises.find(params[:enterprise_id]) -# # articles = select_filtered_collection_of(enterprise, 'articles', params) -# # articles = articles.display_filter(current_person, enterprise) -# tasks = Task.all -# present tasks, :with => Entities::Task, :fields => params[:fields] -# end - -# get ':id' do -# # enterprise = environment.enterprises.find(params[:enterprise_id]) -# # article = find_article(enterprise.articles, params[:id]) -# task = Task.first -# present task, :with => Entities::Task, :fields => params[:fields] -# end - -# post do -# # enterprise = environment.enterprises.find(params[:enterprise_id]) -# # return forbidden! unless current_person.can_post_content?(enterprise) -# # -# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type] -# # return forbidden! unless ARTICLE_TYPES.include?(klass_type) -# # -# # article = klass_type.constantize.new(params[:article]) -# # article.last_changed_by = current_person -# # article.created_by= current_person -# # article.profile = enterprise -# # -# # if !article.save -# # render_api_errors!(article.errors.full_messages) -# # end -# task = Task.first -# present task, :with => Entities::Task, :fields => params[:fields] -# end - -# end -# end - -# end - - end end end -- libgit2 0.21.2