[Git][noosfero/noosfero][master] 2 commits: api: return invisible blocks to users with permission to edit

Victor Costa gitlab at mg.gitlab.com
Thu Jun 16 14:37:11 BRT 2016


Victor Costa pushed to branch master at Noosfero / noosfero


Commits:
adb9abdd by Victor Costa at 2016-06-15T16:42:58-03:00
api: return invisible blocks to users with permission to edit

- - - - -
9db0c7d6 by Victor Costa at 2016-06-16T17:36:28+00:00
Merge branch 'fix-blocks-api' into 'master'

api: return invisible blocks to users with permission to edit



See merge request !964
- - - - -


4 changed files:

- app/api/entities.rb
- app/api/v1/blocks.rb
- test/api/blocks_test.rb
- test/api/boxes_test.rb


Changes:

=====================================
app/api/entities.rb
=====================================
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -97,7 +97,7 @@ module Api
       root 'boxes', 'box'
       expose :id, :position
       expose :blocks, :using => Block do |box, options|
-        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) || block.allow_edit?(options[:current_person]) }
       end
     end
 
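Review bot: The rule `visible_to_user?(...) || allow_edit?(...)` on the added line is now written out twice, here and in the `get ':id'` handler in app/api/v1/blocks.rb, so the list and single-block endpoints can drift apart on who may read a hidden block. Consider moving it into one predicate on the block model and calling that from both places. `options[:current_person]` is presumably nil for anonymous requests, so `allow_edit?` has to return false for nil; that method is not visible in this diff. The enclosing entity class starts outside the hunk.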


=====================================
app/api/v1/blocks.rb
=====================================
--- a/app/api/v1/blocks.rb
+++ b/app/api/v1/blocks.rb
@@ -5,7 +5,7 @@ module Api
       resource :blocks do
         get ':id' do
           block = Block.find(params["id"])
-          return forbidden! unless block.visible_to_user?(current_person)
+          return forbidden! unless block.visible_to_user?(current_person) || block.allow_edit?(current_person)
           present block, :with => Entities::Block, display_api_content: true, current_person: current_person
         end
 
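Review bot: The widened condition on the `return forbidden!` line is an authorization exception, and nothing in the handler says why editors bypass the visibility check. A one-line comment above it, such as `# Blocks hidden from display stay readable by people allowed to edit them; everyone else gets 403.`, would keep a later refactor from narrowing or widening the rule by accident. The `resource :blocks` block continues outside the hunk.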


=====================================
test/api/blocks_test.rb
=====================================
--- a/test/api/blocks_test.rb
+++ b/test/api/blocks_test.rb
@@ -53,6 +53,16 @@ class BlocksTest < ActiveSupport::TestCase
     assert_equal 403, last_response.status
   end
 
+  should 'get an invisible profile block for an user with permission' do
+    profile = fast_create(Profile, public_profile: false)
+    profile.add_admin(person)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    get "/api/v1/blocks/#{block.id}?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal block.id, json["block"]["id"]
+  end
+
   should 'get a block for an user with permission in a private profile' do
     profile = fast_create(Profile, public_profile: false)
     profile.add_admin(person)
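Review bot: The added test never makes the block invisible, so it may pass without the new `allow_edit?` branch. `fast_create(Block, box_id: box.id)` presumably leaves the display settings at their defaults, and the setup matches the opening lines of the existing 'get a block for an user with permission in a private profile' test that follows, whose body continues outside the hunk. Hiding the block before the request, as the boxes test in this commit does with `block.display_user = 'not_logged'` and `block.save!`, would exercise the new condition. It would also help to pin the status with `assert_equal 200, last_response.status` before parsing the body.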


=====================================
test/api/boxes_test.rb
=====================================
--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -81,6 +81,18 @@ class BoxesTest < ActiveSupport::TestCase
     assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
   end
 
+  should 'list a block with not logged in display_user for an admin user' do
+    profile = fast_create(Profile)
+    profile.add_admin(person)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    block.display_user = 'not_logged'
+    block.save!
+    get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+  end
+
   should 'not list boxes for user without permission' do
     profile = fast_create(Profile, public_profile: false)
     box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
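Review bot: Only the allow side of the widened filter is pinned by the added test; nothing added here checks that a logged-in person without edit rights is still denied a block whose `display_user` is `'not_logged'`. A companion test with the same setup minus `profile.add_admin(person)`, ending in `assert_equal [], json["boxes"].first["blocks"]`, would guard against the `||` branch exposing hidden blocks to ordinary members. Such a test may already exist outside this hunk, since the file continues on both sides.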



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/0848a8e7f17f1cece431b21624420617d6e0612b...9db0c7d6b0621dbf73210a0baeaa2910d68afcf7