proposals_discussion: fix published filter from load_proposals and protect against denied access

Victor Costa
1 parent ca1e037e
Showing 2 changed files with 27 additions and 2 deletions Show diff stats
controllers/public/proposals_discussion_plugin_public_controller.rb
test/functional/proposals_discussion_plugin_public_controller_test.rb
@@ -2,13 +2,14 @@ class ProposalsDiscussionPluginPublicController &lt; ApplicationController
   needs_profile
+  before_filter :check_permission
+
   def load_proposals
-    @holder = profile.articles.find(params[:holder_id])
     page = (params[:page] || 1).to_i
     set_rand_cookie if page == 1
     order = params[:order]
-    @proposals = order_proposals(@holder.proposals.public, order)
+    @proposals = order_proposals(@holder.proposals.published, order)
     @proposals = @proposals.page(page).per_page(4)
     render :partial => 'content_viewer/proposals_list_content', :locals => {:proposals => @proposals, :holder => @holder, :page => page+1, :order => order}
@@ -16,6 +17,11 @@ class ProposalsDiscussionPluginPublicController &lt; ApplicationController
   private
+  def check_permission
+    @holder = profile.articles.find(params[:holder_id])
+    render_access_denied unless @holder.display_to?(user)
+  end
+
   def order_proposals(proposals, order)
     case order
     when 'alphabetical'
@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest &lt; ActionController::TestCase
     assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)
   end
+  should 'load proposals when profile is private and the user is a member' do
+    person = create_user.person
+    login_as(person.identifier)
+    profile.add_member(person)
+    profile.update_attribute(:public_profile, false)
+
+    proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
+    get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
+    assert_equivalent proposals, assigns(:proposals)
+  end
+
+  should 'not load proposals when profile is private and user is not logged' do
+    logout
+    profile.update_attribute(:public_profile, false)
+    proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
+    get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
+    assert_equal nil, assigns(:proposals)
+  end
+
 end
	@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest < ActionController::TestCase		@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest < ActionController::TestCase
76	assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)	76	assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)
77	end	77	end
78		78
		79	+ should 'load proposals when profile is private and the user is a member' do
		80	+ person = create_user.person
		81	+ login_as(person.identifier)
		82	+ profile.add_member(person)
		83	+ profile.update_attribute(:public_profile, false)
		84	+
		85	+ proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
		86	+ get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
		87	+ assert_equivalent proposals, assigns(:proposals)
		88	+ end
		89	+
		90	+ should 'not load proposals when profile is private and user is not logged' do
		91	+ logout
		92	+ profile.update_attribute(:public_profile, false)
		93	+ proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
		94	+ get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
		95	+ assert_equal nil, assigns(:proposals)
		96	+ end
		97	+
79	end	98	end