[Git][noosfero/noosfero][master] 2 commits: Exposing permission to delete comment

Leandro Nunes gitlab at mg.gitlab.com
Fri Jul 29 18:47:22 BRT 2016


Leandro Nunes pushed to branch master at Noosfero / noosfero


Commits:
c58dacfa by Evandro Junior at 2016-07-07T17:09:24-03:00
Exposing permission to delete comment

- - - - -
1af52164 by Leandro Nunes at 2016-07-29T21:47:06+00:00
Merge branch 'comments_permissions' into 'master'

Exposing permission to delete comment

Exposing permission to delete comments in the API

See merge request !991
- - - - -


4 changed files:

- app/api/entities.rb
- app/models/comment.rb
- test/api/comments_test.rb
- test/unit/comment_test.rb


Changes:

=====================================
app/api/entities.rb
=====================================
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -174,6 +174,10 @@ module Api
       expose :created_at, :format_with => :timestamp
       expose :author, :using => Profile
       expose :reply_of, :using => CommentBase
+      expose :permissions do |comment, options|
+        Entities.permissions_for_entity(comment, options[:current_person],
+        :allow_destroy?)
+      end
     end
 
     class Comment < CommentBase
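Review bot: The `permissions` block added to `CommentBase` only tells a client what to display, and nothing in this hunk ties it to the check the delete endpoint performs. A client can send the delete request whatever this list says, so the endpoint must evaluate `can_be_destroyed_by?` itself; a comment above the block would make that explicit, e.g. `# Advisory only: the destroy endpoint must enforce can_be_destroyed_by? on its own.` Because the block sits on `CommentBase`, it also runs for each `reply_of` parent and for requests where `options[:current_person]` is presumably nil, so `Entities.permissions_for_entity` (not shown here) has to tolerate a nil person. The continuation line `:allow_destroy?)` would read better aligned under the first argument. The `CommentBase` class body starts above the hunk.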


=====================================
app/models/comment.rb
=====================================
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -212,6 +212,9 @@ class Comment < ApplicationRecord
     user == author || user == profile || user.has_permission?(:moderate_comments, profile)
   end
 
+  # method used by the API
+  alias_method :allow_destroy?, :can_be_destroyed_by?
+
   def can_be_marked_as_spam_by?(user)
     return if user.nil?
     user == profile || user.has_permission?(:moderate_comments, profile)
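Review bot: `alias_method :allow_destroy?, :can_be_destroyed_by?` binds to the method body as it exists at this line, so a later override of `can_be_destroyed_by?` (a subclass, or a plugin reopening `Comment`) would leave `allow_destroy?` on the old rule, and the permission the API reports could drift from the one that is enforced. A delegating method keeps the two in step: `def allow_destroy?(user); can_be_destroyed_by?(user); end`. The comment `# method used by the API` could also say why the second name exists, for example `# Name looked up by Entities.permissions_for_entity; must always agree with can_be_destroyed_by?`. `can_be_destroyed_by?` begins above the hunk, so its nil handling is not visible here.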


=====================================
test/api/comments_test.rb
=====================================
--- a/test/api/comments_test.rb
+++ b/test/api/comments_test.rb
@@ -245,4 +245,34 @@ class CommentsTest < ActiveSupport::TestCase
     assert_equal 500, last_response.status
     assert_includes article.comments, comment
   end
+
+  should 'list allow_destroy permission when get your own comment' do
+    login_api
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'anonymous not allowed to destroy comments' do
+    article = fast_create(Article, :profile_id => @person.id, :name => "Some thing")
+    article.comments.create!(:body => "some comment", :author => @person)
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
+  should 'unprivileged user not be allowed to destroy other people comments' do
+    article = fast_create(Article, profile_id: @local_person.id, name: "Some thing")
+    comment = article.comments.create!(body: "some comment", author: @local_person)
+    login_api
+    get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 200, last_response.status
+    assert_not_includes json["comments"][0]["permissions"], 'allow_destroy'
+  end
+
 end
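Review bot: The new API tests cover only the author case and two negative cases, while the predicate shown in `app/models/comment.rb` also grants deletion when `user == profile` and when the user has `:moderate_comments`; neither branch is exercised through the serialized `permissions` list. A positive test for the profile owner viewing someone else's comment would catch a regression that hides the flag from moderators or, worse, a change that widens it. The sketch below assumes `login_api` authenticates as `@person` (as the first test implies) and that the comment's `profile` resolves to the article's profile, so confirm both. In the third test the local `comment` is assigned but never used and can be dropped.

```ruby
should 'list allow_destroy permission for the profile owner on other people comments' do
  login_api
  article = fast_create(Article, profile_id: @person.id, name: "Some thing")
  article.comments.create!(body: "some comment", author: @local_person)
  get "/api/v1/articles/#{article.id}/comments?#{params.to_query}"
  json = JSON.parse(last_response.body)
  assert_equal 200, last_response.status
  assert_includes json["comments"][0]["permissions"], 'allow_destroy'
end
```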


=====================================
test/unit/comment_test.rb
=====================================
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -597,6 +597,12 @@ class CommentTest < ActiveSupport::TestCase
     refute comment.can_be_destroyed_by?(nil)
   end
 
+  should 'anonymous has no allow_destroy? permission' do
+    comment = Comment.new
+
+    refute comment.allow_destroy?(nil)
+  end
+
   should 'not be able to destroy comment' do
     user = Person.new
     profile = Profile.new



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/7836ee6ed1a316a6a0cad99e830f7d1f9903a3e9...1af52164cce8b6179e6c4fc309c76e8ee0b7f02e