Merge branch 'private_profile_pages' into 'master'

Private profile pages When the profile is private, some pages are still shown if using the URL. For example, pages like agenda and contact email. We added a before_filter to make sure that doesn't happen. See merge request !459

Merge branch 'private_profile_pages' into 'master'
Private profile pages When the profile is private, some pages are still shown if using the URL. For example, pages like agenda and contact email. We added a before_filter to make sure that doesn't happen. See merge request !459
Antonio Terceiro
2 parents 94d0d92d 2dbb8586
Showing 6 changed files with 81 additions and 18 deletions Show diff stats
app/controllers/public/contact_controller.rb
app/controllers/public/events_controller.rb
app/controllers/public/profile_controller.rb
app/controllers/public_controller.rb
test/functional/contact_controller_test.rb
test/functional/events_controller_test.rb
 class ContactController < PublicController
   needs_profile
+  before_filter :allow_access_to_page
   def new
     @contact = build_contact
 class EventsController < PublicController
   needs_profile
+  before_filter :allow_access_to_page
   def events
     @events = []
@@ -16,13 +16,7 @@ class ProfileController &lt; PublicController
       @activities = @profile.activities.paginate(:per_page => 15, :page => params[:page])
     end
     @tags = profile.article_tags
-    unless profile.display_info_to?(user)
-      if profile.visible?
-        private_profile
-      else
-        invisible_profile
-      end
-    end
+    allow_access_to_page
   end
   def tags
@@ -396,17 +390,6 @@ class ProfileController &lt; PublicController
     end
   end
-  def private_profile
-    private_profile_partial_parameters
-    render :action => 'index', :status => 403
-  end
-
-  def invisible_profile
-    unless profile.is_template?
-      render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
-    end
-  end
-
   def per_page
     Noosfero::Constants::PROFILE_PER_PAGE
   end
 class PublicController < ApplicationController
+  protected
+
+  def allow_access_to_page
+    unless profile.display_info_to?(user)
+      if profile.visible?
+        private_profile
+      else
+        invisible_profile
+      end
+    end
+  end
+
+  def private_profile
+    private_profile_partial_parameters
+    render :template => 'shared/access_denied.html.erb', :status => 403
+  end
+
+  def invisible_profile
+    unless profile.is_template?
+      render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
+    end
+  end
 end
@@ -125,4 +125,31 @@ class ContactControllerTest &lt; ActionController::TestCase
     assert_equal 'Bahia', assigns(:contact).state
   end
+  should 'not show send e-mail page to non members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+
+    post :new, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'not show send e-mail page to non members of invisible community' do
+    community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
+
+    post :new, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'show send e-mail page to members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+    community.add_member(@profile)
+
+    post :new, :profile => community.identifier
+
+    assert_response :success
+  end
+
 end
@@ -54,4 +54,33 @@ class EventsControllerTest &lt; ActionController::TestCase
     assert_tag :tag => 'a', :content => /Joao Birthday/
   end
+  should 'not show events page to non members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+
+    post :events, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'not show events page to non members of invisible community' do
+    community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
+
+    post :events, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'show events page to members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+    community.add_member(@profile)
+
+    login_as('testuser')
+
+    post :events, :profile => community.identifier
+
+    assert_response :success
+  end
+
 end
1	class ContactController < PublicController	1	class ContactController < PublicController
2		2
3	needs_profile	3	needs_profile
		4	+ before_filter :allow_access_to_page
4		5
5	def new	6	def new
6	@contact = build_contact	7	@contact = build_contact
1	class EventsController < PublicController	1	class EventsController < PublicController
2		2
3	needs_profile	3	needs_profile
		4	+ before_filter :allow_access_to_page
4		5
5	def events	6	def events
6	@events = []	7	@events = []
	@@ -16,13 +16,7 @@ class ProfileController < PublicController		@@ -16,13 +16,7 @@ class ProfileController < PublicController
16	@activities = @profile.activities.paginate(:per_page => 15, :page => params[:page])	16	@activities = @profile.activities.paginate(:per_page => 15, :page => params[:page])
17	end	17	end
18	@tags = profile.article_tags	18	@tags = profile.article_tags
19	- unless profile.display_info_to?(user)
20	- if profile.visible?
21	- private_profile
22	- else
23	- invisible_profile
24	- end
25	- end	19	+ allow_access_to_page
26	end	20	end
27		21
28	def tags	22	def tags
	@@ -396,17 +390,6 @@ class ProfileController < PublicController		@@ -396,17 +390,6 @@ class ProfileController < PublicController
396	end	390	end
397	end	391	end
398		392
399	- def private_profile
400	- private_profile_partial_parameters
401	- render :action => 'index', :status => 403
402	- end
403	-
404	- def invisible_profile
405	- unless profile.is_template?
406	- render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
407	- end
408	- end
409	-
410	def per_page	393	def per_page
411	Noosfero::Constants::PROFILE_PER_PAGE	394	Noosfero::Constants::PROFILE_PER_PAGE
412	end	395	end
1	class PublicController < ApplicationController	1	class PublicController < ApplicationController
		2	+ protected
		3	+
		4	+ def allow_access_to_page
		5	+ unless profile.display_info_to?(user)
		6	+ if profile.visible?
		7	+ private_profile
		8	+ else
		9	+ invisible_profile
		10	+ end
		11	+ end
		12	+ end
		13	+
		14	+ def private_profile
		15	+ private_profile_partial_parameters
		16	+ render :template => 'shared/access_denied.html.erb', :status => 403
		17	+ end
		18	+
		19	+ def invisible_profile
		20	+ unless profile.is_template?
		21	+ render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
		22	+ end
		23	+ end
2	end	24	end
	@@ -125,4 +125,31 @@ class ContactControllerTest < ActionController::TestCase		@@ -125,4 +125,31 @@ class ContactControllerTest < ActionController::TestCase
125	assert_equal 'Bahia', assigns(:contact).state	125	assert_equal 'Bahia', assigns(:contact).state
126	end	126	end
127		127
		128	+ should 'not show send e-mail page to non members of private community' do
		129	+ community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
		130	+
		131	+ post :new, :profile => community.identifier
		132	+
		133	+ assert_response :forbidden
		134	+ assert_template :access_denied
		135	+ end
		136	+
		137	+ should 'not show send e-mail page to non members of invisible community' do
		138	+ community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
		139	+
		140	+ post :new, :profile => community.identifier
		141	+
		142	+ assert_response :forbidden
		143	+ assert_template :access_denied
		144	+ end
		145	+
		146	+ should 'show send e-mail page to members of private community' do
		147	+ community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
		148	+ community.add_member(@profile)
		149	+
		150	+ post :new, :profile => community.identifier
		151	+
		152	+ assert_response :success
		153	+ end
		154	+
128	end	155	end
	@@ -54,4 +54,33 @@ class EventsControllerTest < ActionController::TestCase		@@ -54,4 +54,33 @@ class EventsControllerTest < ActionController::TestCase
54	assert_tag :tag => 'a', :content => /Joao Birthday/	54	assert_tag :tag => 'a', :content => /Joao Birthday/
55	end	55	end
56		56
		57	+ should 'not show events page to non members of private community' do
		58	+ community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
		59	+
		60	+ post :events, :profile => community.identifier
		61	+
		62	+ assert_response :forbidden
		63	+ assert_template :access_denied
		64	+ end
		65	+
		66	+ should 'not show events page to non members of invisible community' do
		67	+ community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
		68	+
		69	+ post :events, :profile => community.identifier
		70	+
		71	+ assert_response :forbidden
		72	+ assert_template :access_denied
		73	+ end
		74	+
		75	+ should 'show events page to members of private community' do
		76	+ community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
		77	+ community.add_member(@profile)
		78	+
		79	+ login_as('testuser')
		80	+
		81	+ post :events, :profile => community.identifier
		82	+
		83	+ assert_response :success
		84	+ end
		85	+
57	end	86	end