[Git][noosfero/noosfero][master] 3 commits: api: do not list forbidden blocks in boxes endpoint

Leandro Nunes gitlab at mg.gitlab.com
Wed May 18 13:00:30 BRT 2016


Leandro Nunes pushed to branch master at Noosfero / noosfero


Commits:
da0f17cb by Victor Costa at 2016-05-18T12:33:41-03:00
api: do not list forbidden blocks in boxes endpoint

- - - - -
d5e6dc97 by Victor Costa at 2016-05-18T12:34:37-03:00
api: do not list boxes for users without permission

- - - - -
e73ac0c3 by Leandro Nunes at 2016-05-18T16:00:13+00:00
Merge branch 'display-blocks' into 'master'

Do not list boxes and blocks for users without permission in boxes endpoint



See merge request !925
- - - - -


3 changed files:

- app/api/entities.rb
- app/api/v1/boxes.rb
- test/api/boxes_test.rb


Changes:

=====================================
app/api/entities.rb
=====================================
--- a/app/api/entities.rb
+++ b/app/api/entities.rb
@@ -93,7 +93,9 @@ module Api
     class Box < Entity
       root 'boxes', 'box'
       expose :id, :position
-      expose :blocks, :using => Block
+      expose :blocks, :using => Block do |box, options|
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+      end
     end
 
     class Profile < Entity
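Review bot: the new `expose :blocks` block filters on `options[:current_person]`, but nothing in this patch shows that key being populated: the boxes endpoint below still calls `present profile.boxes, :with => Entities::Box` with no `:current_person` option. If the API's `present` helper does not inject it, `visible_to_user?(nil)` is evaluated for every caller and logged-in users would be treated as anonymous. Either pass `:current_person => current_person` at the call site or confirm the helper supplies it, and add a test with a logged-in user who is allowed to see a `display = 'never'`-style restricted block so the positive case is covered as well.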


=====================================
app/api/v1/boxes.rb
=====================================
--- a/app/api/v1/boxes.rb
+++ b/app/api/v1/boxes.rb
@@ -12,6 +12,7 @@ module Api
             resource :boxes do
               get do
                 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                return forbidden! unless profile.display_info_to?(current_person)
                 present profile.boxes, :with => Entities::Box
               end
             end
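Review bot: if `forbidden!` is built on Grape's `error!` (which throws rather than returns), the `return` in `return forbidden! unless profile.display_info_to?(current_person)` is never reached and can be dropped for consistency with the rest of the API. Also note the authorization check runs after `find`, so a request for a non-existent id still raises before the permission check; that is acceptable, but worth confirming the resulting status is the one the other profile endpoints return.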


=====================================
test/api/boxes_test.rb
=====================================
--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -47,4 +47,35 @@ class BoxesTest < ActiveSupport::TestCase
     json = JSON.parse(last_response.body)
     assert !json["boxes"].first["blocks"].first.key?('api_content')
   end
+
+  should 'get blocks from boxes' do
+    Environment.delete_all
+    environment = fast_create(Environment, :is_default => true)
+    box = fast_create(Box, :owner_id => environment.id, :owner_type => 'Environment')
+    block = fast_create(Block, box_id: box.id)
+    get "/api/v1/environments/default/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [block.id], json["boxes"].first["blocks"].map {|b| b['id']}
+  end
+
+  should 'not list a block for not logged users' do
+    logout_api
+    profile = fast_create(Profile)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    block.display = 'never'
+    block.save!
+    get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
+  end
+
+  should 'not list boxes for user without permission' do
+    profile = fast_create(Profile, public_profile: false)
+    box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+    block = fast_create(Block, box_id: box.id)
+    get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 403, last_response.status
+  end
 end
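Review bot: in `should 'not list boxes for user without permission'` the `block` local and the parsed `json` are assigned but never used; either drop them or assert on the body (for example that no `boxes` key is returned alongside the 403) so the test documents what a forbidden response looks like. The `should 'not list a block for not logged users'` test only covers the anonymous case; a companion test with a logged-in user who lacks permission on the block would exercise the `current_person` path of the entity change.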



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/f6358b745f14e82faa0d4f4cb1d5fbe7d44b6300...e73ac0c3f642bcaafd522b436877577ee260470e