diff --git a/app/controllers/api_bands_controller.rb b/app/controllers/api_bands_controller.rb
index ce607d569..662095b66 100644
--- a/app/controllers/api_bands_controller.rb
+++ b/app/controllers/api_bands_controller.rb
@@ -66,17 +66,70 @@ class ApiBandsController < ApplicationController
 ###################### RECORDINGS #######################
 def recording_index
- @recordings = Recording.paginate(page: params[:page])
+
+ hide_private = false
+
+ band = Band.find(params[:id])
+
+ # hide private Recordings from anyone who's not in the Band
+ unless band.users.exists? current_user
+ hide_private = true
+ end
+
+ if hide_private
+ @recordings = Recording.find(:all,
+ :joins => :musician_recordings,
+ :select => "recordings.id, recordings.description, recordings.public",
+ :conditions => ["bands_recordings.band_id='#{params[:id]}'' AND public=true"])
+
+ #.paginate(page: params[:page])
+ else
+ @recordings = Recording.find(:all,
+ :joins => :musician_recordings,
+ :select => "recordings.id, recordings.description, recordings.public",
+ :conditions => ["bands_recordings.band_id='#{params[:id]}'"])
+ end
+ end
+
+ def recording_show
+ hide_private = false
+
+ band = Band.find(params[:id])
+
+ # hide private Recordings from anyone who's not in the Band
+ unless band.users.exists? current_user
+ hide_private = true
+ end
+
+ @recording = Recording.find(params[:recording_id])
+ if !@recording.public && hide_private
+ render :json => { :message => "You are not allowed to access this recording." }, :status => 403
+ #respond_with "You are not allowed to view this recording.", responder: ApiResponder, :status => 403
+ else
+ respond_with @recording, responder: ApiResponder, :status => 200
+ end
 end
 def recording_create
- Recording.save(params[:recording_id],
+ @recording = Recording.save(params[:recording_id],
 params[:public],
 params[:description],
 params[:id],
 true)
+
+ if @recording.errors.nil? 
|| @recording.errors.size == 0
+ @band = Band.find(params[:id])
+ respond_with @recording, responder: ApiResponder, :status => 201, :location => api_band_recording_detail_url(@band, @recording)
+
+ else
+ raise ActiveRecord::Rollback
+ response.status = :unprocessable_entity
+ respond_with @recording
+ end
 end
 def recording_destroy
+ @recording = Recording.find(params[:recording_id])
+ @recording.delete
 end
 end
\ No newline at end of file
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index a1d09d9dc..433edf9ec 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -5,15 +5,15 @@ class ApiController < ApplicationController
 # define common error handlers
 rescue_from 'JamRuby::StateError' do |exception|
 @exception = exception
- render "errors/state_error.rabl", :status => 500
+ render "errors/state_error.rabl", :status => 400
 end
- rescue_from 'JamRuby::JamArgrumentError' do |exception|
+ rescue_from 'JamRuby::JamArgumentError' do |exception|
 @exception = exception
- render "errors/jam_argument_error", :status => 500
+ render "errors/jam_argument_error", :status => 400
 end
 rescue_from 'JamRuby::PermissionError' do |exception|
 @exception = exception
- render "errors/permission_error", :status => 500
+ render "errors/permission_error", :status => 403
 end
 rescue_from 'ActiveRecord::RecordNotFound' do |exception|
 @@log.debug(exception)
diff --git a/app/controllers/api_users_controller.rb b/app/controllers/api_users_controller.rb
index db161879b..ae4b8aa32 100644
--- a/app/controllers/api_users_controller.rb
+++ b/app/controllers/api_users_controller.rb
@@ -55,6 +55,7 @@ class ApiUsersController < ApiController
 def update
 auth_user(params[:id])
 @user = User.save(params[:id],
+ current_user.id,
 params[:first_name],
 params[:last_name],
 params[:email],
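Review bot: `recording_index` interpolates `params[:id]` directly into the `:conditions` string in both branches, and the `hide_private` branch has a doubled quote in `band_id='#{params[:id]}'' AND public=true` that leaves the literal unterminated, so that query is injectable and, as far as I can tell, not even valid SQL. Use bind parameters, `:conditions => ["bands_recordings.band_id = ? AND recordings.public = ?", params[:id], true]`, and the same form without the `public` clause in the `else` branch (also confirm `bands_recordings` is actually in scope when the join is `:musician_recordings`). Separately, the new `recording_destroy` deletes whatever `params[:recording_id]` names with no membership check and no scoping to the band in the path, and `recording_create` never checks the caller is in the band either; the `band.users.exists? current_user` test the read paths use should guard the writes too, e.g. `return render :json => { :message => "You are not allowed to access this recording." }, :status => 403 unless band.users.exists? current_user`. In `recording_create`'s error branch, `raise ActiveRecord::Rollback` outside a `transaction` block propagates as an ordinary exception, so the `:unprocessable_entity` response after it is unreachable.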
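Review bot: The rename to `'JamRuby::JamArgumentError'` only takes effect if a constant of exactly that name exists; `rescue_from` with a string resolves it lazily, so a mismatch is not caught at load time and the exception would fall through to a 500 again, which is worth a request spec that raises it and asserts 400. Note also that, per the first file in this diff, `ApiBandsController` inherits `ApplicationController` rather than `ApiController`, so none of these handlers (including the new 403 mapping for `PermissionError`) apply to the band recording endpoints.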
@@ -123,21 +124,59 @@ class ApiUsersController < ApiController
 ###################### RECORDINGS #######################
 def recording_index
- @recordings = Recording.where("user_id=#{params[:id]}").paginate(page: params[:page])
+
+ hide_private = false
+
+ # hide private recordings from anyone but the current user
+ if current_user.id != params[:id]
+ hide_private = true
+ end
+
+
+ if hide_private
+ @recordings = Recording.find(:all,
+ :joins => :musician_recordings,
+ :select => "recordings.id, recordings.description, recordings.public",
+ :conditions => ["musicians_recordings.user_id='#{params[:id]}' AND public=true"])
+
+ #.paginate(page: params[:page])
+ else
+ @recordings = Recording.find(:all,
+ :joins => :musician_recordings,
+ :select => "recordings.id, recordings.description, recordings.public",
+ :conditions => ["musicians_recordings.user_id='#{params[:id]}'"])
+ end
+ end
+
+ def recording_show
+ hide_private = false
+
+ # hide private recordings from anyone but the current user
+ if current_user.id != params[:id]
+ hide_private = true
+ end
+
+ @recording = Recording.find(params[:recording_id])
+ if !@recording.public && hide_private
+ render :json => { :message => "You are not allowed to access this recording." }, :status => 403
+ #respond_with "You are not allowed to access this recording.", responder: ApiResponder, :status => 403
+ else
+ respond_with @recording, responder: ApiResponder, :status => 200
+ end
 end
 def recording_create
- auth_user(params[:id])
 @recording = Recording.save(params[:recording_id],
 params[:public],
 params[:description],
+ current_user.id,
 params[:id],
 false)
 # check for errors
 if @recording.errors.nil? 
|| @recording.errors.size == 0
- respond_with @recording, responder: ApiResponder, :status => 201, :location => api_recording_detail_url(@recording)
-
+ @user = current_user
+ respond_with @recording, responder: ApiResponder, :status => 201, :location => api_recording_detail_url(@user, @recording)
 else
 raise ActiveRecord::Rollback
 response.status = :unprocessable_entity
@@ -146,10 +185,10 @@ class ApiUsersController < ApiController
 end
 def recording_update
- auth_user(params[:id])
 @recording = Recording.save(params[:recording_id],
 params[:public],
 params[:description],
+ current_user.id,
 params[:id],
 false)
@@ -166,7 +205,9 @@ class ApiUsersController < ApiController
 def recording_destroy
 auth_user(params[:id])
- Recording.delete(params[:recording_id], params[:id], false)
+ recording = Recording.find(params[:recording_id])
+ recording.delete
+ #Recording.delete(params[:recording_id], params[:id], false)
 end
 ###################### FAVORITES ########################
@@ -247,7 +288,7 @@ class ApiUsersController < ApiController
 respond_with responder: ApiResponder
 end
- ###################### AUTHORIZATION ####################
+ ###################### AUTHENTICATION ###################
 def auth_session_create
 @user = User.authenticate(params[:email], params[:password])
@@ -267,6 +308,7 @@ class ApiUsersController < ApiController
 protected
 def auth_user(id)
 if current_user.id != id
+ #respond_with "You do not have permissions to perform this action.", responder: ApiResponder, :status => 403
 raise PermissionError, "You do not have permissions to perform this action."
 end
 end
diff --git a/app/views/api_bands/following_create.rabl b/app/views/api_bands/following_create.rabl
deleted file mode 100644
index 94be1bebd..000000000
--- a/app/views/api_bands/following_create.rabl
+++ /dev/null
@@ -1,3 +0,0 @@
-object @band.followings
-
-extends "api_bands/following_index"
\ No newline at end of file
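Review bot: `current_user.id != params[:id]` compares an Integer with the String that Rails path params arrive as, so `hide_private` is always true and the owner is locked out of their own private recordings (the `recordings.size.should == 2` expectation in the spec would then fail); compare `current_user.id != params[:id].to_i`. `recording_show` checks only whether the path's `:id` is the caller and never whether `@recording` belongs to that user, so anyone can read any private recording by putting their own id in the path and someone else's `recording_id`; scope the lookup through the same `musician_recordings` join that `recording_index` uses. `recording_index` interpolates `params[:id]` into its `:conditions` strings; use bind parameters, `["musicians_recordings.user_id = ? AND recordings.public = ?", params[:id], true]`. Finally, `auth_user(params[:id])` is removed from `recording_create` in this hunk with no visible replacement; if `Recording.save` now enforces ownership via the added `current_user.id` argument, the commit should say so, otherwise the guard should stay. `recording_create` continues past the end of the hunk.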
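Review bot: `auth_user(params[:id])` is dropped from `recording_update` with nothing visible taking its place, so the only thing stopping a caller from editing another user's recording is whatever `Recording.save` does with the new `current_user.id` argument; unless that is the intent and is tested, keep the controller-level guard. The method body continues past the hunk.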
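Review bot: `recording_destroy` now deletes `Recording.find(params[:recording_id])` without checking that it belongs to `params[:id]`; `auth_user` only proves the caller owns the user id in the path, so a user can delete any recording by passing their own id and another user's `recording_id`. The commented-out `Recording.delete(params[:recording_id], params[:id], false)` took the user id, presumably for exactly that scoping; either restore it or scope the find through the user, as the `recording_index` join in this file does. Note also that `delete` bypasses callbacks and `dependent` handling where `destroy` would not; confirm that is deliberate.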
diff --git a/app/views/api_bands/recording_create.rabl b/app/views/api_bands/recording_create.rabl
index e69de29bb..4aeb0e520 100644
--- a/app/views/api_bands/recording_create.rabl
+++ b/app/views/api_bands/recording_create.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+extends "api_bands/recording_show"
\ No newline at end of file
diff --git a/app/views/api_bands/recording_index.rabl b/app/views/api_bands/recording_index.rabl
index e69de29bb..2b5445634 100644
--- a/app/views/api_bands/recording_index.rabl
+++ b/app/views/api_bands/recording_index.rabl
@@ -0,0 +1,3 @@
+object @recordings
+
+extends "api_bands/recording_show"
\ No newline at end of file
diff --git a/app/views/api_bands/recording_show.rabl b/app/views/api_bands/recording_show.rabl
index e69de29bb..a233cdb0f 100644
--- a/app/views/api_bands/recording_show.rabl
+++ b/app/views/api_bands/recording_show.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+attributes :id, :description, :public
\ No newline at end of file
diff --git a/app/views/api_bands/recording_update.rabl b/app/views/api_bands/recording_update.rabl
index e69de29bb..4aeb0e520 100644
--- a/app/views/api_bands/recording_update.rabl
+++ b/app/views/api_bands/recording_update.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+extends "api_bands/recording_show"
\ No newline at end of file
diff --git a/app/views/api_users/recording_create.rabl b/app/views/api_users/recording_create.rabl
index e69de29bb..8d8826efe 100644
--- a/app/views/api_users/recording_create.rabl
+++ b/app/views/api_users/recording_create.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+extends "api_users/recording_show"
\ No newline at end of file
diff --git a/app/views/api_users/recording_index.rabl b/app/views/api_users/recording_index.rabl
index e7df79f18..d56a00b4f 100644
--- a/app/views/api_users/recording_index.rabl
+++ b/app/views/api_users/recording_index.rabl
@@ -1,3 +1,3 @@
-object @user
+object @recordings
-extends "api_users/show"
\ No newline at end of file
+extends "api_users/recording_show"
\ No newline at end of file
diff --git a/app/views/api_users/recording_show.rabl b/app/views/api_users/recording_show.rabl
index e69de29bb..a233cdb0f 100644
--- a/app/views/api_users/recording_show.rabl
+++ b/app/views/api_users/recording_show.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+attributes :id, :description, :public
\ No newline at end of file
diff --git a/app/views/api_users/recording_update.rabl b/app/views/api_users/recording_update.rabl
index e69de29bb..8d8826efe 100644
--- a/app/views/api_users/recording_update.rabl
+++ b/app/views/api_users/recording_update.rabl
@@ -0,0 +1,3 @@
+object @recording
+
+extends "api_users/recording_show"
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index b47448fde..33c970019 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -8,7 +8,7 @@ SampleApp::Application.routes.draw do
 resources :users
 resources :music_sessions
 resources :friend_requests
-
+
 resources :sessions, only: [:new, :create, :destroy]
 #root to: 'static_pages#home'
@@ -46,9 +46,6 @@ SampleApp::Application.routes.draw do
 # genres
 match '/genres' => 'api_genres#index', :via => :get
- # recordings
- match '/recordings/:id' => 'api_recordings#show', :via => :get, :as => 'api_recording_detail'
-
 # users
 match '/users' => 'api_users#index', :via => :get
 match '/users/:id' => 'api_users#show', :via => :get, :as => 'api_user_detail'
@@ -103,7 +100,7 @@ SampleApp::Application.routes.draw do
 # band recordings
 match '/bands/:id/recordings' => 'api_bands#recording_index', :via => :get
- match '/bands/:id/recordings/:recording_id' => 'api_bands#recording_show', :via => :get
+ match '/bands/:id/recordings/:recording_id' => 'api_bands#recording_show', :via => :get, :as => 'api_band_recording_detail'
 match '/bands/:id/recordings' => 'api_bands#recording_create', :via => :post
 match '/bands/:id/recordings/:recording_id' => 'api_bands#recording_update', :via => :post
 match '/bands/:id/recordings/:recording_id' => 'api_bands#recording_destroy', :via => :delete
diff --git a/spec/requests/bands_api_spec.rb b/spec/requests/bands_api_spec.rb
index e69de29bb..8cdb37e21 100644
--- a/spec/requests/bands_api_spec.rb
+++ b/spec/requests/bands_api_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe "Band API", :type => :api do
+
+ include Rack::Test::Methods
+
+ subject { page }
+
+ describe "profile" do
+ let(:band) { FactoryGirl.create(:band) }
+ let(:user) { FactoryGirl.create(:user) }
+ let(:fan) { FactoryGirl.create(:fan) }
+
+ it "should allow musician to create band" do
+ end
+
+ it "should not allow fan to create band" do
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/requests/invitations_api_spec.rb b/spec/requests/invitations_api_spec.rb
index e2894a98c..aef7ca0be 100644
--- a/spec/requests/invitations_api_spec.rb
+++ b/spec/requests/invitations_api_spec.rb
@@ -168,7 +168,7 @@ describe "Invitation API ", :type => :api do
 # then check that there is one invitation sent by us
 get '/api/invitations.json?sender=' + other_user.id
- last_response.status.should eql(500)
+ last_response.status.should eql(403)
 response = JSON.parse(last_response.body)
 response.should == {"message" => "You can only ask for your own sent invitations","type" => "PermissionError"}
diff --git a/spec/requests/music_session_pages_spec.rb b/spec/requests/music_session_pages_spec.rb
index 5b7691be4..48b9cb59b 100644
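Review bot: The two `it` blocks in the new `bands_api_spec.rb` have empty bodies, so they report green while band-creation authorisation is entirely untested; mark them `pending "not implemented"` (or give `it` no block) until they carry assertions. `subject { page }` looks like a Capybara idiom that has no meaning under `Rack::Test::Methods` and can be dropped, and the `band`/`user`/`fan` `let`s are unused as written.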
--- a/spec/requests/music_session_pages_spec.rb
+++ b/spec/requests/music_session_pages_spec.rb
@@ -322,7 +322,7 @@ describe "Music Session API ", :type => :api do
 # users are friends, but no invitation... so we shouldn't be able to join as user 2
 login(user2)
 post "/api/sessions/#{session["id"]}/participants.json", { :client_id => client2.client_id, :as_musician => true }.to_json, "CONTENT_TYPE" => 'application/json'
- last_response.status.should eql(500)
+ last_response.status.should eql(403)
 join_response = JSON.parse(last_response.body)
 join_response["type"].should == "PermissionError"
diff --git a/spec/requests/users_api_spec.rb b/spec/requests/users_api_spec.rb
index 0e3509b12..cda094338 100644
--- a/spec/requests/users_api_spec.rb
+++ b/spec/requests/users_api_spec.rb
@@ -98,7 +98,7 @@ describe "User API", :type => :api do
 followings.size.should == 1
 followings[0]["user_id"].should == fan.id
- # get followers for for fan
+ # get followers for other side of above following (fan)
 login(fan.email, fan.password, 200, true)
 get "/api/users/#{fan.id}/followers.json"
 last_response.status.should == 200
@@ -134,35 +134,83 @@ describe "User API", :type => :api do
 it "should not allow user to create following for another user" do
 login(user.email, user.password, 200, true)
- post "/api/users/2/followings.json", { :user_id => fan.id }.to_json, "CONTENT_TYPE" => 'application/json'
- last_response.status.should == 500
+ post "/api/users/10/followings.json", { :user_id => fan.id }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 403
 end
 it "should not allow user to delete following of another user" do
 end
 it "should allow musician to create recordings" do
+
+ # create public recording
 login(user.email, user.password, 200, true)
+ post "/api/users/#{user.id}/recordings.json", { :description => "My Recording", :public => true }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 201
+ recording = JSON.parse(last_response.body)
+ recording["description"].should == "My Recording"
+
+ # create private recording
+ login(user.email, user.password, 200, true)
+ post "/api/users/#{user.id}/recordings.json", { :description => "My Recording 2", :public => false }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 201
+ private_recording = JSON.parse(last_response.body)
+
+ # get all recordings as creator
+ login(user.email, user.password, 200, true)
+ get "/api/users/#{user.id}/recordings.json"
+ last_response.status.should == 200
+ recordings = JSON.parse(last_response.body)
+ recordings.size.should == 2
+
+ # get all recordings as non-creator
+ login(fan.email, fan.password, 200, true)
+ get "/api/users/#{user.id}/recordings.json"
+ last_response.status.should == 200
+ recordings = JSON.parse(last_response.body)
+ recordings.size.should == 1
+
+ # attempt to get the private recording
+ login(fan.email, fan.password, 200, true)
+ get "/api/users/#{user.id}/recordings/#{private_recording["id"]}.json"
+ last_response.status.should == 403
 end
 it "should not allow fan to create recordings" do
- end
-
- it "should allow user to get recordings" do
+ login(fan.email, fan.password, 200, true)
+ post "/api/users/#{fan.id}/recordings.json", { :description => "My Recording", :public => true }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 403
 end
 it "should allow user to create favorites" do
+ # create recording first
+ login(user.email, user.password, 200, true)
+ post "/api/users/#{user.id}/recordings.json", { :description => "My Recording", :public => true }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 201
+ recording = JSON.parse(last_response.body)
+
+ # add favorite
+ login(user.email, user.password, 200, true)
+ post "/api/users/#{user.id}/favorites.json", { :recording_id => recording["id"] }.to_json, "CONTENT_TYPE" => 'application/json'
+ last_response.status.should == 201
+
+ login(user.email, user.password, 200, true)
+ get "/api/users/#{user.id}/favorites.json"
+ last_response.status.should == 200
+ puts last_response.body
+ favorites = JSON.parse(last_response.body)
+ favorites.size.should == 1
+ favorites[0]["recording_id"].should == recording["id"]
+ favorites[0]["description"].should == "My Recording"
+ favorites[0]["public"].should == true
+ end
+
+ it "should not allow user to create favorite for another user" do
 end
 it "should allow user to delete favorites" do
 end
- it "should allow musician to create band" do
- end
-
- it "should not allow fan to create band" do
- end
-
 it "should allow user to send friend request" do
 end
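Review bot: `puts last_response.body` in the favorites test is leftover debug output and should be removed. The recordings test asserts counts only; it never checks that the one recording the fan sees is the public one, nor that the creator can still `GET` the private recording, so add `recordings[0]["public"].should == true` after the non-creator listing and a 200 fetch of `private_recording["id"]` as `user` (that second check would also catch the owner being treated as a stranger). The hard-coded `/api/users/10/followings.json` stops meaning "another user" once the factories have created ten users; use the id of a second created user instead. The new `it "should not allow user to create favorite for another user"` has an empty body and passes vacuously; mark it `pending` until it has assertions.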