Commit 44d8600f63ac4267f4fd9644183c2d7a9f9d23e9

Authored by André Guedes
Committed by Rodrigo Souto
1 parent c26f9ef6

Fixed permission on tasks API mount point

Signed-off-by: André Bernardes <andrebsguedes@gmail.com>
Signed-off-by: Eduardo Vital <vitaldu@gmail.com>
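--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -83,14 +83,12 @@ module Noosfero
 present articles, :with => Entities::Article, :fields => params[:fields]
 end
 
-def find_task(tasks, id)
-task = tasks.find(id)
-task.display_to?(current_user.person) ? task : forbidden!
+def find_task(asset, id)
+task = asset.tasks.find(id)
+current_person.has_permission?(task.permission, asset) ? task : forbidden!
 end
 
 def post_task(asset, params)
-return forbidden! unless current_person.has_permission?(:perform_task, asset)
-
 klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
 return forbidden! unless TASK_TYPES.include?(klass_type)
 
@@ -106,7 +104,7 @@ module Noosfero
 end
 
 def present_task(asset)
-task = find_task(asset.tasks, params[:id])
+task = find_task(asset, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
 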
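Review bot: `post_task` is left with no authorization on `asset` at all: the removed `:perform_task` check is not replaced, so as far as this hunk shows the only gate before creating a task is the `TASK_TYPES` check on the caller-supplied `content_type`. If that is the intent (requesting a task is open to any authenticated person and only performing it is gated), say so with a comment such as `# No asset permission check here: anyone may request a task; performing it is gated in find_task` so the next reader does not re-add the wrong check; otherwise the correct gate belongs on that line. In `find_task`, `current_person.has_permission?(task.permission, asset)` also relies on every task type returning a non-nil `permission` — if it can be nil, confirm that `has_permission?(nil, asset)` denies rather than allows. `post_task` continues past the end of the hunk.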
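--- a/lib/noosfero/api/v1/tasks.rb
+++ b/lib/noosfero/api/v1/tasks.rb
@@ -18,18 +18,16 @@ module Noosfero
 # Example Request:
 # GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
 get do
-#FIXME check for permission
 tasks = select_filtered_collection_of(environment, 'tasks', params)
+tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
 present tasks, :with => Entities::Task, :fields => params[:fields]
 end
 
 desc "Return the task id"
 get ':id' do
-task = find_task(environment.tasks, params[:id])
+task = find_task(environment, params[:id])
 present task, :with => Entities::Task, :fields => params[:fields]
 end
-
-
 end
 
 kinds = %w[community person enterprise]
@@ -55,134 +53,6 @@ module Noosfero
 end
 end
 end
-
-
-resource :communities do
-segment '/:community_id' do
-resource :tasks do
-get do
-#FIXME check for permission
-community = environment.communities.find(params[:community_id])
-tasks = select_filtered_collection_of(community, 'tasks', params)
-present tasks, :with => Entities::Task, :fields => params[:fields]
-end
-
-get ':id' do
-community = environment.communities.find(params[:community_id])
-task = find_task(community.tasks, params[:id])
-present task, :with => Entities::Task, :fields => params[:fields]
-end
-
-# Example Request:
-# POST api/v1/communites/:community_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
-post do
-community = environment.communities.find(params[:community_id])
-#FIXME see the correct permission
-return forbidden! unless current_person.can_post_content?(community)
-#FIXME check the task type before create
-klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
-# return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-#
-task = klass_type.constantize.new(params[:task])
-task.requestor = current_person
-task.target = community
-
-if !task.save
-render_api_errors!(task.errors.full_messages)
-end
-present task, :with => Entities::Task, :fields => params[:fields]
-end
-
-end
-end
-
-end
-
-# resource :people do
-# segment '/:person_id' do
-# resource :tasks do
-# get do
-# # person = environment.people.find(params[:person_id])
-# # articles = select_filtered_collection_of(person, 'articles', params)
-# # articles = articles.display_filter(current_person, person)
-# tasks = Task.all
-# present tasks, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# get ':id' do
-# # person = environment.people.find(params[:person_id])
-# # article = find_article(person.articles, params[:id])
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# post do
-# # person = environment.people.find(params[:person_id])
-# # return forbidden! unless current_person.can_post_content?(person)
-# #
-# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
-# # return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-# #
-# # article = klass_type.constantize.new(params[:article])
-# # article.last_changed_by = current_person
-# # article.created_by= current_person
-# # article.profile = person
-# #
-# # if !article.save
-# # render_api_errors!(article.errors.full_messages)
-# # end
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# end
-# end
-
-# end
-
-# resource :enterprises do
-# segment '/:enterprise_id' do
-# resource :tasks do
-# get do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # articles = select_filtered_collection_of(enterprise, 'articles', params)
-# # articles = articles.display_filter(current_person, enterprise)
-# tasks = Task.all
-# present tasks, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# get ':id' do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # article = find_article(enterprise.articles, params[:id])
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# post do
-# # enterprise = environment.enterprises.find(params[:enterprise_id])
-# # return forbidden! unless current_person.can_post_content?(enterprise)
-# #
-# # klass_type= params[:content_type].nil? ? 'TinyMceArticle' : params[:content_type]
-# # return forbidden! unless ARTICLE_TYPES.include?(klass_type)
-# #
-# # article = klass_type.constantize.new(params[:article])
-# # article.last_changed_by = current_person
-# # article.created_by= current_person
-# # article.profile = enterprise
-# #
-# # if !article.save
-# # render_api_errors!(article.errors.full_messages)
-# # end
-# task = Task.first
-# present task, :with => Entities::Task, :fields => params[:fields]
-# end
-
-# end
-# end
-
-# end
-
-
 end
 end
 end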
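Review bot: The permission filter added on new line 22 of the first hunk runs in Ruby after `select_filtered_collection_of` has already applied the caller's `from`/`until`/`limit` parameters (the example request above uses `limit=10`), so a page can come back shorter than requested and the client's offsets for the next page no longer line up; it also calls `has_permission?` once per task. If the filtered collection is still a relation at that point, applying the permission restriction as a scope before the limit would avoid both; if that is not possible here, a comment such as `# permission filter runs after pagination, so a page may be shorter than :limit` should sit above that line so the behaviour is explicit rather than surprising. Note also that `select` turns the relation into an Array, which may change what `present` receives — presumably fine, but worth confirming against the entity serializer.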