Commit 67d9cf1a850407fa7bdfacc6f3658b24c70125ce
Committed by
Antonio Terceiro
1 parent
f386c3a4
ActionItem1221: created permission for publish articles
members can create articles and edit/delete them without being able to edit/delete other members' articles
Showing
5 changed files
with
99 additions
and
7 deletions
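--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -1,8 +1,27 @@
 class CmsController < MyProfileController
 
-protect 'post_content', :profile, :except => [:set_home_page]
 protect 'edit_profile', :profile, :only => [:set_home_page]
 
+def self.protect_if(*args)
+before_filter(*args) do |c|
+user, profile = c.send(:user), c.send(:profile)
+if yield(c, user, profile)
+true
+else
+render_access_denied(c)
+false
+end
+end
+end
+
+protect_if :except => [:set_home_page, :edit, :destroy, :publish] do |c, user, profile|
+user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile))
+end
+
+protect_if :only => [:edit, :destroy, :publish] do |c, user, profile|
+profile.articles.find(c.params[:id]).allow_post_content?(user)
+end
+
 alias :check_ssl_orig :check_ssl
 # Redefines the SSL checking to avoid requiring SSL when creating the "New
 # publication" button on article's public view.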
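Review bot: The action lists on the two `protect_if` calls are hard-coded twice and must be kept complementary by hand: any future action that operates on an existing article via `params[:id]` but is not added to the `:only` list of the second filter falls through to the first, which only checks that the user holds `post_content` or `publish_content` at profile level, not ownership of the article. A shared constant, `ARTICLE_ACTIONS = [:edit, :destroy, :publish]`, used as `:except => [:set_home_page] + ARTICLE_ACTIONS` and `:only => ARTICLE_ACTIONS`, keeps the two in step. The `yield(c, user, profile)` inside the `before_filter` block depends on the block given to `protect_if` still being in scope, which works but deserves a one-line comment such as `# the block passed to protect_if decides access; a falsy result renders access denied`. `render_access_denied(c)` is invoked on the class and is not defined in this hunk, so I assume it comes from the same protection module the original `protect` macro relies on.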
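--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -214,11 +214,8 @@ class Article < ActiveRecord::Base
 end
 end
 
-def allow_post_content?(logged_person = nil)
-if logged_person && logged_person.has_permission?('post_content', profile)
-return true
-end
-false
+def allow_post_content?(user = nil)
+user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile) && (user == self.creator))
 end
 
 def comments_updated
@@ -291,6 +288,11 @@ class Article < ActiveRecord::Base
 self.find(:all, :include => :taggings, :conditions => ['taggings.tag_id = ?', tag.id])
 end
 
+def creator
+creator_id = versions[0][:last_changed_by_id]
+creator_id && Profile.find(creator_id)
+end
+
 private
 
 def sanitize_tag_list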
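Review bot: `creator` dereferences `versions[0]` unconditionally and then calls `Profile.find`, so an article with no stored version raises NoMethodError and a deleted creator profile raises RecordNotFound; because `allow_post_content?` now reaches this from the controller's authorization filter, an access decision can surface as an exception instead of a denial. Returning nil in both cases is safer: `first_version = versions.first` / `creator_id = first_version && first_version[:last_changed_by_id]` / `creator_id && Profile.find_by_id(creator_id)`. In `allow_post_content?` the mixed `||`/`&&` relies on operator precedence; parenthesizing the second operand, `|| (user.has_permission?('publish_content', profile) && user == self.creator)`, makes the intended rule (full managers, or publishers editing their own article) readable at a glance. I also assume `versions` is ordered so that index 0 is the original version; if the association does not guarantee that, the ownership check would pick an arbitrary editor rather than the creator.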
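--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -33,7 +33,7 @@ class Profile < ActiveRecord::Base
 'edit_profile' => N_('Edit profile'),
 'destroy_profile' => N_('Destroy profile'),
 'manage_memberships' => N_('Manage memberships'),
-'post_content' => N_('Post content'),
+'post_content' => N_('Manage content'), # changed only presentation name to keep already given permissions
 'edit_profile_design' => N_('Edit profile design'),
 'manage_products' => N_('Manage products'),
 'manage_friends' => N_('Manage friends'),
@@ -42,6 +42,7 @@ class Profile < ActiveRecord::Base
 'moderate_comments' => N_('Moderate comments'),
 'edit_appearance' => N_('Edit appearance'),
 'view_private_content' => N_('View private content'),
+'publish_content' => N_('Publish content'),
 }
 
 acts_as_accessible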
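Review bot: The new `'publish_content'` entry only registers the permission name; nothing in this commit grants it to any role, so the behaviour stated in the commit message (members can create articles) only holds once a role definition or a data migration assigns `publish_content` to the member role, and that change is not visible here. Worth confirming it lands in a sibling commit, or adding it to this one so the feature and its permission ship together. The inline comment on the `'post_content'` line could also state what the renamed label now signals, e.g. `# 'post_content' now means full content management (create, edit and delete any article); the key is unchanged so existing grants remain valid`.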
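--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -1148,4 +1148,58 @@ class CmsControllerTest < Test::Unit::TestCase
 assert_not_includes assigns(:article_types).map{|at|at[:name]}, 'Event'
 end
 
+should 'not allow user without permission create an article in community' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user_with_permission('test_user', 'bogus_permission', c)
+login_as :test_user
+
+get :new, :profile => c.identifier
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+end
+
+should 'allow user with permission create an article in community' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user_with_permission('test_user', 'publish_content', c)
+login_as :test_user
+
+get :new, :profile => c.identifier, :type => 'TinyMceArticle'
+assert_response :success
+assert_template 'edit'
+end
+
+should 'not allow user edit article if he has publish permission but is not owner' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user_with_permission('test_user', 'publish_content', c)
+a = c.articles.create!(:name => 'test_article')
+login_as :test_user
+
+get :edit, :profile => c.identifier, :id => a.id
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+end
+
+should 'not allow user edit article if he is owner but has no publish permission' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user_with_permission('test_user', 'bogus_permission', c)
+a = c.articles.create!(:name => 'test_article', :last_changed_by => u)
+login_as :test_user
+
+get :edit, :profile => c.identifier, :id => a.id
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+end
+
+should 'allow user edit article if he is owner and has publish permission' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user_with_permission('test_user', 'publish_content', c)
+a = c.articles.create!(:name => 'test_article', :last_changed_by => u)
+login_as :test_user
+
+get :edit, :profile => c.identifier, :id => a.id
+
+assert_response :success
+assert_template 'edit'
+end
+
 end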
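Review bot: The new functional tests exercise the ownership filter only through `:edit`; `:destroy` and `:publish` are guarded by the same `:only` list in the controller but have no test, so dropping either from that list would go unnoticed. Adding the non-owner case for both, e.g. `post :destroy, :profile => c.identifier, :id => a.id` followed by `assert_response :forbidden`, covers the filter as written. The local `u` in the first three tests is never read and could be dropped or renamed `_u`.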
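--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -763,4 +763,20 @@ class ArticleTest < Test::Unit::TestCase
 assert_match(/-owner/, a.cache_key({}, c))
 end
 
+should 'have a creator method' do
+c = Community.create!(:name => 'new_comm')
+a = c.articles.create!(:name => 'a test article', :last_changed_by => profile)
+p = create_user('other_user').person
+a.update_attributes(:body => 'some content', :last_changed_by => p); a.save!
+assert_equal profile, a.creator
+end
+
+should 'allow creator to edit if is publisher' do
+c = Community.create!(:name => 'new_comm')
+p = create_user_with_permission('test_user', 'publish_content', c)
+a = c.articles.create!(:name => 'a test article', :last_changed_by => p)
+
+assert a.allow_post_content?(p)
+end
+
 end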
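Review bot: The unit test for `allow_post_content?` covers only the positive case; the rule it encodes also denies a `publish_content` holder who is not the creator and a creator without the permission, and neither is asserted at unit level, so the `||`/`&&` precedence in the model is pinned only indirectly by the functional tests. One assertion each, e.g. `assert !a.allow_post_content?(create_user_with_permission('other', 'publish_content', c))`, would cover it where the logic lives. The `creator` test also only exercises an article that has versions; a case where `versions` is empty would document what the method is expected to return then.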