proposals_discussion: fix published filter from load_proposals and protect against denied access

Victor Costa
1 parent ca1e037e
Showing 2 changed files with 27 additions and 2 deletions Show diff stats
controllers/public/proposals_discussion_plugin_public_controller.rb
test/functional/proposals_discussion_plugin_public_controller_test.rb
@@ -2,13 +2,14 @@ class ProposalsDiscussionPluginPublicController &lt; ApplicationController
  
   needs_profile
  
+  before_filter :check_permission
+
   def load_proposals
-    @holder = profile.articles.find(params[:holder_id])
     page = (params[:page] || 1).to_i
     set_rand_cookie if page == 1
     order = params[:order]
  
-    @proposals = order_proposals(@holder.proposals.public, order)
+    @proposals = order_proposals(@holder.proposals.published, order)
     @proposals = @proposals.page(page).per_page(4)
  
     render :partial => 'content_viewer/proposals_list_content', :locals => {:proposals => @proposals, :holder => @holder, :page => page+1, :order => order}
@@ -16,6 +17,11 @@ class ProposalsDiscussionPluginPublicController &lt; ApplicationController
  
   private
  
+  def check_permission
+    @holder = profile.articles.find(params[:holder_id])
+    render_access_denied unless @holder.display_to?(user)
+  end
+
   def order_proposals(proposals, order)
     case order
     when 'alphabetical'
@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest &lt; ActionController::TestCase
     assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)
   end
  
+  should 'load proposals when profile is private and the user is a member' do
+    person = create_user.person
+    login_as(person.identifier)
+    profile.add_member(person)
+    profile.update_attribute(:public_profile, false)
+
+    proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
+    get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
+    assert_equivalent proposals, assigns(:proposals)
+  end
+
+  should 'not load proposals when profile is private and user is not logged' do
+    logout
+    profile.update_attribute(:public_profile, false)
+    proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
+    get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
+    assert_equal nil, assigns(:proposals)
+  end
+
 end
...	...	@@ -2,13 +2,14 @@ class ProposalsDiscussionPluginPublicController < ApplicationController
2	2
3	3	needs_profile
4	4
	5	+ before_filter :check_permission
	6	+
5	7	def load_proposals
6		- @holder = profile.articles.find(params[:holder_id])
7	8	page = (params[:page] \|\| 1).to_i
8	9	set_rand_cookie if page == 1
9	10	order = params[:order]
10	11
11		- @proposals = order_proposals(@holder.proposals.public, order)
	12	+ @proposals = order_proposals(@holder.proposals.published, order)
12	13	@proposals = @proposals.page(page).per_page(4)
13	14
14	15	render :partial => 'content_viewer/proposals_list_content', :locals => {:proposals => @proposals, :holder => @holder, :page => page+1, :order => order}
...	...	@@ -16,6 +17,11 @@ class ProposalsDiscussionPluginPublicController < ApplicationController
16	17
17	18	private
18	19
	20	+ def check_permission
	21	+ @holder = profile.articles.find(params[:holder_id])
	22	+ render_access_denied unless @holder.display_to?(user)
	23	+ end
	24	+
19	25	def order_proposals(proposals, order)
20	26	case order
21	27	when 'alphabetical'
...	...
...	...	@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest < ActionController::TestCase
76	76	assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)
77	77	end
78	78
	79	+ should 'load proposals when profile is private and the user is a member' do
	80	+ person = create_user.person
	81	+ login_as(person.identifier)
	82	+ profile.add_member(person)
	83	+ profile.update_attribute(:public_profile, false)
	84	+
	85	+ proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
	86	+ get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
	87	+ assert_equivalent proposals, assigns(:proposals)
	88	+ end
	89	+
	90	+ should 'not load proposals when profile is private and user is not logged' do
	91	+ logout
	92	+ profile.update_attribute(:public_profile, false)
	93	+ proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
	94	+ get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
	95	+ assert_equal nil, assigns(:proposals)
	96	+ end
	97	+
79	98	end
...	...