[Git][noosfero/noosfero][master] 2 commits: api: return permissions for user in profile entity
Victor Costa
gitlab at mg.gitlab.com
Wed Jun 8 18:06:49 BRT 2016
Victor Costa pushed to branch master at Noosfero / noosfero
Commits:
3aab4dac by Victor Costa at 2016-06-06T11:00:46-03:00
api: return permissions for user in profile entity
- - - - -
f3f08e74 by Victor Costa at 2016-06-08T21:06:19+00:00
Merge branch 'api-profile-permissions' into 'master'
api: return permissions for user in profile entity
See merge request !950
- - - - -
6 changed files:
- app/api/entities.rb
- app/api/v1/profiles.rb
- app/models/article.rb
- app/models/profile.rb
- test/api/profiles_test.rb
- test/unit/profile_test.rb
Changes:
=====================================
app/api/entities.rb
=====================================
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -121,6 +121,10 @@ module Api
expose :type
expose :custom_header
expose :custom_footer
+ expose :permissions do |profile, options|
+ Entities.permissions_for_entity(profile, options[:current_person],
+ :allow_post_content?, :allow_edit?, :allow_destroy?)
+ end
end
class UserBasic < Entity
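Review bot: The new `expose :permissions` block has no comment saying what the list means or that it depends on `options[:current_person]`, which is nil for any caller that presents `Entities::Profile` without that option. A short comment above the block would cover both, for example `# Permission names current_person holds on this profile; advisory for clients, endpoints still enforce allow_*?`. `Entities.permissions_for_entity` is not visible in this diff, so its handling of a nil person should be confirmed there.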
=====================================
app/api/v1/profiles.rb
=====================================
--- a/app/api/v1/profiles.rb
+++ b/app/api/v1/profiles.rb
@@ -27,7 +27,7 @@ module Api
post ':id' do
authenticate!
profile = environment.profiles.find_by(id: params[:id])
- return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+ return forbidden! unless profile.allow_edit?(current_person)
profile.update_attributes!(params[:profile])
present profile, :with => Entities::Profile, :current_person => current_person
end
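Review bot: In the `post ':id'` handler, `profile` comes from `find_by`, which returns nil for an unknown id, so the new `profile.allow_edit?(current_person)` raises NoMethodError and the request likely ends as a 500 rather than a 404 or 403. The delete handler in the next hunk already guards with `not_found! if profile.blank?`; the same line belongs before the permission check here. Separately, the unchanged `profile.update_attributes!(params[:profile])` passes the request hash straight to the model, so which attributes an editor may set depends on protections not visible in this diff. The enclosing resource block starts outside the hunk.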
@@ -39,7 +39,7 @@ module Api
not_found! if profile.blank?
- if current_person.has_permission?(:destroy_profile, profile)
+ if profile.allow_destroy?(current_person)
profile.destroy
else
forbidden!
=====================================
app/models/article.rb
=====================================
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -567,7 +567,7 @@ class Article < ApplicationRecord
def allow_post_content?(user = nil)
return true if allow_edit_topic?(user)
- user && (user.has_permission?('post_content', profile) || allow_publish_content?(user) && (user == author))
+ user && (profile.allow_post_content?(user) || allow_publish_content?(user) && (user == author))
end
def allow_publish_content?(user = nil)
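Review bot: The changed line in `allow_post_content?` mixes `||` and `&&` without grouping, so a reader has to recall that `&&` binds tighter to see that the author check applies only to the publish branch. Writing it as `user && (profile.allow_post_content?(user) || (allow_publish_content?(user) && user == author))` keeps the behaviour and makes the authorization rule explicit. The leading `user &&` is still needed for that second branch, even though `Profile#allow_post_content?` now rejects nil itself.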
=====================================
app/models/profile.rb
=====================================
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -1137,4 +1137,15 @@ private :generate_url, :url_options
false
end
+ def allow_post_content?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('post_content', self)
+ end
+
+ def allow_edit?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('edit_profile', self)
+ end
+
+ def allow_destroy?(person = nil)
+ person.kind_of?(Profile) && person.has_permission?('destroy_profile', self)
+ end
end
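Review bot: The guard `person.kind_of?(Profile)` in the three new predicates is wider than the parameter name suggests, because it lets any Profile subclass through to `has_permission?`, and where that method is defined is not visible in this diff. If it exists only on Person, passing a non-person profile would raise instead of returning false; `person.kind_of?(Person)` or `person.respond_to?(:has_permission?)` would state the intent. The unit tests added in test/unit/profile_test.rb cover only a Person and nil, so this case is untested. The three bodies differ only in the permission string and carry no comment; one line such as `# True when person holds 'edit_profile' on this profile; false for nil or non-profile arguments` above each would document the contract.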
=====================================
test/api/profiles_test.rb
=====================================
--- a/test/api/profiles_test.rb
+++ b/test/api/profiles_test.rb
@@ -191,4 +191,13 @@ class ProfilesTest < ActiveSupport::TestCase
post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
assert_equal 403, last_response.status
end
+
+ should 'list profile permissions when get an article' do
+ login_api
+ profile = fast_create(Profile)
+ give_permission(person, 'post_content', profile)
+ get "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_includes json["permissions"], 'allow_post_content'
+ end
end
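Review bot: The new test only asserts that a granted permission appears, so it would still pass if the entity listed every permission for every caller. Since the person is given only 'post_content', adding `assert_not_includes json["permissions"], 'allow_edit'` and `assert_not_includes json["permissions"], 'allow_destroy'` would pin the authorization-relevant half. The test name says "when get an article" but the request is for a profile; `'list profile permissions when get a profile'` matches what is exercised.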
=====================================
test/unit/profile_test.rb
=====================================
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -2204,4 +2204,24 @@ class ProfileTest < ActiveSupport::TestCase
assert_not_includes profiles, p3
assert_not_includes profiles, p4
end
+
+ ['post_content', 'edit_profile', 'destroy_profile'].each do |permission|
+ should "return true in #{permission} when user has this permission" do
+ profile = fast_create(Profile)
+ person = fast_create(Person)
+ give_permission(person, permission, profile)
+ assert profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+ end
+
+ should "return false in #{permission} when user doesn't have this permission" do
+ profile = fast_create(Profile)
+ person = fast_create(Person)
+ assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", person)
+ end
+
+ should "return false in #{permission} when user is nil" do
+ profile = fast_create(Profile)
+ assert !profile.send("allow_#{permission.gsub(/_profile/,'')}?", nil)
+ end
+ end
end
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/3290adaf8bf27647971c14ef505196ca797b7d56...f3f08e743107263318ac2a4d5db3bb77131f0868