[Git][noosfero/noosfero][master] 2 commits: avoid unauthorized access to block preview on profiles

Leandro Nunes gitlab at mg.gitlab.com
Mon Aug 7 08:41:57 BRT 2017


Leandro Nunes pushed to branch master at Noosfero / noosfero


Commits:
eb7a14f6 by Leandro Nunes dos Santos at 2017-08-04T16:05:10-03:00
avoid unauthorized access to block preview on profiles

- - - - -
bf7ff4db by Leandro Nunes dos Santos at 2017-08-07T08:41:30-03:00
Merge branch 'avoid-unauthorized-access-to-block-preview'

- - - - -


3 changed files:

- app/api/helpers.rb
- app/api/v1/blocks.rb
- test/api/blocks_test.rb


Changes:

=====================================
app/api/helpers.rb
=====================================
--- a/app/api/helpers.rb
+++ b/app/api/helpers.rb
@@ -30,7 +30,7 @@ module Api
       private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
       @current_user ||= User.find_by private_token: private_token
       @current_user ||= plugins.dispatch("api_custom_login", request).first
-      @current_user = session.user if @current_user.blank? && session.present?
+#      @current_user = session.user if @current_user.blank? && session.present?
       @current_user
     end
 
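Review bot: The session fallback is disabled by commenting the line out rather than deleting it, so the hunk leaves dead code and no record of why API requests must no longer inherit the browser session. The motivation implied by the commit title (an API call should be authenticated only by the Private-Token lookup or the plugin login above, not by ambient session cookies) is exactly what a reader needs, so replace the commented-out line with a comment such as `# Intentionally no session fallback: API callers authenticate only via Private-Token or a plugin login.` If the session path is still needed by some caller, that is worth stating too; otherwise the dead line should go. The enclosing method starts above the hunk.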


=====================================
app/api/v1/blocks.rb
=====================================
--- a/app/api/v1/blocks.rb
+++ b/app/api/v1/blocks.rb
@@ -11,6 +11,7 @@ module Api
                 block_type = params[:block_type]
                 return forbidden! unless Object.const_defined?(block_type) && block_type.constantize <= Block
                 profile = environment.profiles.find_by(id: params[:id])
+                return forbidden! unless profile.allow_edit_design?(current_person)
                 block = block_type.constantize.new(:box => Box.new(:owner => profile))
                 present_partial block, :with => Entities::Block, display_api_content: true
               end
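Review bot: The added check calls `allow_edit_design?` on `profile` without handling the case where the `find_by` on the previous line returns nil, so a preview request with an unknown profile id now raises NoMethodError (a 500) instead of a clean 4xx. Guard the lookup in the same line, e.g. `return forbidden! unless profile && profile.allow_edit_design?(current_person)`, or return a not-found response before the permission check. The enclosing endpoint block starts above the hunk.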


=====================================
test/api/blocks_test.rb
=====================================
--- a/test/api/blocks_test.rb
+++ b/test/api/blocks_test.rb
@@ -196,6 +196,49 @@ class BlocksTest < ActiveSupport::TestCase
     assert_equal json["message"], "403 Forbidden"
   end
 
+  should 'unlogged user not be able to get preview of a profile Block' do
+    logout_api
+    community = fast_create(Community, :environment_id => environment.id)
+    params[:block_type] = 'RawHTMLBlock'
+    get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["api_content"]
+    assert_equal json["message"], "403 Forbidden"
+  end
+
+  should 'only user with permission see the preview of a profile Block' do
+    community = fast_create(Community, :environment_id => environment.id)
+    params[:block_type] = 'RawHTMLBlock'
+    get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["api_content"]
+    assert_equal json["message"], "403 Forbidden"
+  end
+
+  should 'only user with edit_design permission see the preview of a profile Block' do
+    community = fast_create(Community, :environment_id => environment.id)
+    community.add_member(person)
+    give_permission(person, 'edit_profile_design', profile)
+    params[:block_type] = 'RawHTMLBlock'
+    get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_not_nil json["api_content"]
+  end
+
+  should 'user with permissions different from edit_design should not see the preview of a profile Block' do
+    community = fast_create(Community, :environment_id => environment.id)
+    login_api
+
+    ['destroy_profile', 'edit_profile', 'post_content'].map do |permission|
+      give_permission(person, permission, community)
+    end
+    params[:block_type] = 'RawHTMLBlock'
+    get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_nil json["api_content"]
+    assert_equal json["message"], "403 Forbidden"
+  end
+
   should 'be able to get preview of CommunitiesBlock' do
     community = fast_create(Community, :environment_id => environment.id)
     community.add_admin(person)
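Review bot: The test 'only user with edit_design permission see the preview of a profile Block' grants `edit_profile_design` on `profile` but requests the preview for `community.id`, so unless `profile` is the same object as `community` the assertion passes for some reason other than the permission the test names; it should read `give_permission(person, 'edit_profile_design', community)`. The 'only user with permission see the preview' test neither logs in nor grants anything, which makes it hard to tell from the hunk what it covers beyond the unlogged case above it; a `login_api` call or a name stating the expected state would make the intent explicit. In the last new test `map` is used purely for its side effect; `each` says what is meant. The enclosing test class starts above the hunk.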
@@ -205,6 +248,7 @@ class BlocksTest < ActiveSupport::TestCase
     assert_includes json["api_content"]['communities'].map{ |community| community['id'] }, community.id
   end
 
+
   should 'be able to get preview of RawHTMLBlock' do
     params[:block_type] = 'RawHTMLBlock'
     get "/api/v1/profiles/#{person.id}/blocks/preview?#{params.to_query}"



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/743381224d6974eb2aac4ee5517e6e3c5c1226a2...bf7ff4db2a372646a114e9d58df235e04e96792d

---