[Git][noosfero/noosfero][master] 2 commits: avoid unauthorized access to block preview on profiles
Leandro Nunes
gitlab at mg.gitlab.com
Mon Aug 7 08:41:57 BRT 2017
Leandro Nunes pushed to branch master at Noosfero / noosfero
Commits:
eb7a14f6 by Leandro Nunes dos Santos at 2017-08-04T16:05:10-03:00
avoid unauthorized access to block preview on profiles
- - - - -
bf7ff4db by Leandro Nunes dos Santos at 2017-08-07T08:41:30-03:00
Merge branch 'avoid-unauthorized-access-to-block-preview'
- - - - -
3 changed files:
- app/api/helpers.rb
- app/api/v1/blocks.rb
- test/api/blocks_test.rb
Changes:
=====================================
app/api/helpers.rb
=====================================
--- a/app/api/helpers.rb
+++ b/app/api/helpers.rb
@@ -30,7 +30,7 @@ module Api
private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
@current_user ||= User.find_by private_token: private_token
@current_user ||= plugins.dispatch("api_custom_login", request).first
- @current_user = session.user if @current_user.blank? && session.present?
+# @current_user = session.user if @current_user.blank? && session.present?
@current_user
end
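Review bot: The session fallback on the `+# @current_user = session.user if @current_user.blank? && session.present?` line is left as commented-out code rather than removed, so a later reader cannot tell whether dropping browser-session authentication for the API is deliberate or a temporary experiment. Since this is the change that makes the new "unlogged user" preview test meaningful (a logged-out session no longer counts as an API caller), delete the line and leave a short comment stating the intent, e.g. `# API calls authenticate via private token or plugin login only; browser sessions are deliberately not accepted here.` Any existing caller that relied on the session fallback would silently lose authentication, which the commit message does not mention — worth checking. The enclosing method (presumably the `current_user` helper) starts before the hunk.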
=====================================
app/api/v1/blocks.rb
=====================================
--- a/app/api/v1/blocks.rb
+++ b/app/api/v1/blocks.rb
@@ -11,6 +11,7 @@ module Api
block_type = params[:block_type]
return forbidden! unless Object.const_defined?(block_type) && block_type.constantize <= Block
profile = environment.profiles.find_by(id: params[:id])
+ return forbidden! unless profile.allow_edit_design?(current_person)
block = block_type.constantize.new(:box => Box.new(:owner => profile))
present_partial block, :with => Entities::Block, display_api_content: true
end
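Review bot: `profile` comes from `find_by`, which returns nil for an unknown or foreign-environment id, so the new guard `profile.allow_edit_design?(current_person)` raises NoMethodError and turns a bad `:id` into a 500 instead of the intended 403; check the nil first, `return forbidden! unless profile && profile.allow_edit_design?(current_person)`. It is also worth confirming that `allow_edit_design?` tolerates a nil `current_person` for unauthenticated callers, since the new "unlogged user" test relies on that path returning false rather than raising; that method is outside the hunk. The enclosing endpoint body starts before the hunk.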
=====================================
test/api/blocks_test.rb
=====================================
--- a/test/api/blocks_test.rb
+++ b/test/api/blocks_test.rb
@@ -196,6 +196,49 @@ class BlocksTest < ActiveSupport::TestCase
assert_equal json["message"], "403 Forbidden"
end
+ should 'unlogged user not be able to get preview of a profile Block' do
+ logout_api
+ community = fast_create(Community, :environment_id => environment.id)
+ params[:block_type] = 'RawHTMLBlock'
+ get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_nil json["api_content"]
+ assert_equal json["message"], "403 Forbidden"
+ end
+
+ should 'only user with permission see the preview of a profile Block' do
+ community = fast_create(Community, :environment_id => environment.id)
+ params[:block_type] = 'RawHTMLBlock'
+ get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_nil json["api_content"]
+ assert_equal json["message"], "403 Forbidden"
+ end
+
+ should 'only user with edit_design permission see the preview of a profile Block' do
+ community = fast_create(Community, :environment_id => environment.id)
+ community.add_member(person)
+ give_permission(person, 'edit_profile_design', profile)
+ params[:block_type] = 'RawHTMLBlock'
+ get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_not_nil json["api_content"]
+ end
+
+ should 'user with permissions different from edit_design should not see the preview of a profile Block' do
+ community = fast_create(Community, :environment_id => environment.id)
+ login_api
+
+ ['destroy_profile', 'edit_profile', 'post_content'].map do |permission|
+ give_permission(person, permission, community)
+ end
+ params[:block_type] = 'RawHTMLBlock'
+ get "/api/v1/profiles/#{community.id}/blocks/preview?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_nil json["api_content"]
+ assert_equal json["message"], "403 Forbidden"
+ end
+
should 'be able to get preview of CommunitiesBlock' do
community = fast_create(Community, :environment_id => environment.id)
community.add_admin(person)
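Review bot: The 'only user with edit_design permission see the preview of a profile Block' test grants the permission on `profile` (`give_permission(person, 'edit_profile_design', profile)`) but requests the preview for `community.id`, so the positive case does not exercise the permission the endpoint checks on that community; it should be `give_permission(person, 'edit_profile_design', community)`, matching the later test that passes `community`. The `['destroy_profile', 'edit_profile', 'post_content'].map do |permission|` loop is used only for its side effects, so `each` is the idiomatic call. The second new test is named 'only user with permission see the preview…' yet asserts 403 for a caller without permission; a name such as 'logged user without permission not see the preview of a profile Block' would state what it checks. Whether the suite's setup logs `person` in by default (the fourth test calls `login_api` explicitly, the third does not) cannot be seen from this hunk.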
@@ -205,6 +248,7 @@ class BlocksTest < ActiveSupport::TestCase
assert_includes json["api_content"]['communities'].map{ |community| community['id'] }, community.id
end
+
should 'be able to get preview of RawHTMLBlock' do
params[:block_type] = 'RawHTMLBlock'
get "/api/v1/profiles/#{person.id}/blocks/preview?#{params.to_query}"
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/743381224d6974eb2aac4ee5517e6e3c5c1226a2...bf7ff4db2a372646a114e9d58df235e04e96792d