[Git][noosfero/noosfero][master] 2 commits: api: return permissions for user in profile entity

Victor Costa gitlab at mg.gitlab.com
Wed Jun 8 18:06:49 BRT 2016


Victor Costa pushed to branch master at Noosfero / noosfero


Commits:
3aab4dac by Victor Costa at 2016-06-06T11:00:46-03:00
api: return permissions for user in profile entity

- - - - -
f3f08e74 by Victor Costa at 2016-06-08T21:06:19+00:00
Merge branch 'api-profile-permissions' into 'master'

api: return permissions for user in profile entity



See merge request !950
- - - - -


6 changed files:

- app/api/entities.rb
- app/api/v1/profiles.rb
- app/models/article.rb
- app/models/profile.rb
- test/api/profiles_test.rb
- test/unit/profile_test.rb


Changes:

=====================================
app/api/entities.rb
=====================================
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -121,6 +121,10 @@ module Api
       expose :type
       expose :custom_header
       expose :custom_footer
+      expose :permissions do |profile, options|
+        Entities.permissions_for_entity(profile, options[:current_person],
+        :allow_post_content?, :allow_edit?, :allow_destroy?)
+      end
     end
 
     class UserBasic < Entity
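Review bot: The new `expose :permissions` block has no comment saying that the list is computed for `options[:current_person]` and is only a hint for clients. A line such as `# Permissions of the requesting person on this profile; informational only, the endpoints still enforce access.` above it would make that explicit. `Entities.permissions_for_entity` is not shown in this diff, so it is worth confirming that it yields an empty list when a caller presents the entity without `:current_person`. The continuation line with the three symbols would also read better indented past the call it belongs to.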


=====================================
app/api/v1/profiles.rb
=====================================
--- a/app/api/v1/profiles.rb
+++ b/app/api/v1/profiles.rb
@@ -27,7 +27,7 @@ module Api
         post ':id' do
           authenticate!
           profile = environment.profiles.find_by(id: params[:id])
-          return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+          return forbidden! unless profile.allow_edit?(current_person)
           profile.update_attributes!(params[:profile])
           present profile, :with => Entities::Profile, :current_person => current_person
         end
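Review bot: `profile` can be nil on the changed line in `post ':id'`, because `find_by` returns nil for an unknown id and nothing checks it before `profile.allow_edit?(current_person)`. The removed line only passed `profile` as an argument, so this dereference is new. The delete route in the next hunk already guards with `not_found! if profile.blank?`; adding the same line right after the `find_by` here would answer an unknown id with a 404 instead of an unhandled NoMethodError.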
@@ -39,7 +39,7 @@ module Api
 
           not_found! if profile.blank?
 
-          if current_person.has_permission?(:destroy_profile, profile)
+          if profile.allow_destroy?(current_person)
             profile.destroy
           else
             forbidden!


=====================================
app/models/article.rb
=====================================
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -567,7 +567,7 @@ class Article < ApplicationRecord
 
   def allow_post_content?(user = nil)
     return true if allow_edit_topic?(user)
-    user && (user.has_permission?('post_content', profile) || allow_publish_content?(user) && (user == author))
+    user && (profile.allow_post_content?(user) || allow_publish_content?(user) && (user == author))
   end
 
   def allow_publish_content?(user = nil)
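Review bot: The authorization expression on the changed line mixes `||` and `&&` without grouping, so a reader has to recall that `&&` binds tighter to see that the author check applies only to the publish branch. Explicit parentheses remove the ambiguity: `user && (profile.allow_post_content?(user) || (allow_publish_content?(user) && user == author))`. The line now also calls a method on `profile`, which is presumably always set for an article; if it can be nil, this would raise where the old call did not.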


=====================================
app/models/profile.rb
=====================================
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -1137,4 +1137,15 @@ private :generate_url, :url_options
     false
   end
 
+  def allow_post_content?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('post_content', self)
+  end
+
+  def allow_edit?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('edit_profile', self)
+  end
+
+  def allow_destroy?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('destroy_profile', self)
+  end
 end
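Review bot: The three new predicates guard with `person.kind_of?(Profile)`, while the parameter is named `person` and the API passes `current_person`. The check appears wider than the name suggests, since the unit tests pass a `Person` and succeed. Nothing in the hunk says whether accepting any profile type is intended. A comment above the group would settle it, for example `# Permission predicates: false for nil or a non-Profile argument, otherwise delegate to has_permission? on this profile.` If only people are meant to hold these permissions, `person.kind_of?(Person)` would state that directly.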


=====================================
test/api/profiles_test.rb
=====================================
--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -191,4 +191,13 @@ class ProfilesTest < ActiveSupport::TestCase
     post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
     assert_equal 403, last_response.status
   end
+
+  should 'list profile permissions when get an article' do
+    login_api
+    profile = fast_create(Profile)
+    give_permission(person, 'post_content', profile)
+    get "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_includes json["permissions"], 'allow_post_content'
+  end
 end
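Review bot: The added test covers only the positive case, so it would still pass if the entity listed every permission for every caller. A companion test that omits `give_permission` and uses `assert_not_includes json["permissions"], 'allow_post_content'` would pin down the authorization side. The description also says "when get an article" although the request fetches a profile; `should 'list profile permissions when getting a profile' do` matches what is exercised.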


=====================================
test/unit/profile_test.rb
=====================================
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -2204,4 +2204,24 @@ class ProfileTest < ActiveSupport::TestCase
     assert_not_includes profiles, p3
     assert_not_includes profiles, p4
   end
+  
+  ['post_content', 'edit_profile', 'destroy_profile'].each do |permission|
+    should "return true in #{permission} when user has this permission" do
+      profile = fast_create(Profile)
+      person = fast_create(Person)
+      give_permission(person, permission, profile)
+      assert profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+    end
+
+    should "return false in #{permission} when user doesn't have this permission" do
+      profile = fast_create(Profile)
+      person = fast_create(Person)
+      assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+    end
+
+    should "return false in #{permission} when user is nil" do
+      profile = fast_create(Profile)
+      assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", nil)
+    end
+  end
 end
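Review bot: The generated tests call the predicates through `send`, which ignores method visibility, so they would still pass if `allow_edit?` and its siblings ended up private in `Profile`. The API endpoints call them publicly. `public_send` keeps the tests honest: `assert profile.public_send("allow_#{permission.sub('_profile', '')}?", person)`, and likewise in the two negative cases. The blank added line before the `each` also carries trailing whitespace.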



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/3290adaf8bf27647971c14ef505196ca797b7d56...f3f08e743107263318ac2a4d5db3bb77131f0868