proposals_discussion: fix permission access to export function

Victor Costa
1 parent c563665f
Showing 2 changed files with 22 additions and 1 deletions Show diff stats
controllers/profile/proposals_discussion_plugin_profile_controller.rb
test/functional/proposals_discussion_plugin_profile_controller_test.rb
 class ProposalsDiscussionPluginProfileController < ProfileController
  
+  before_filter :check_access_to_profile
+
   def export
-    @comments = profile.articles.find(params[:article_id]).proposals_comments
+    @comments = @target.proposals_comments
+  end
+
+  protected
+
+  def check_access_to_profile
+    @target = profile.articles.find(params[:article_id])
+    render_access_denied(_('You are not allowed to export data from this article')) unless @target.allow_create?(user)
   end
  
 end
@@ -13,6 +13,7 @@ class ProposalsDiscussionPluginProfileControllerTest &lt; ActionController::TestCas
   attr_reader :profile, :discussion, :topic, :person
  
   should 'assigns comments of all proposals' do
+    discussion.class.any_instance.stubs(:allow_create?).returns(true)
     proposal1 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
     proposal2 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
     comment1 = fast_create(Comment, :source_id => proposal1.id)
@@ -22,4 +23,15 @@ class ProposalsDiscussionPluginProfileControllerTest &lt; ActionController::TestCas
     assert_equivalent [comment1, comment2, comment3], assigns(:comments)
   end
  
+  should 'deny access to export when user is not logged' do
+    logout
+    get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
+    assert_template 'access_denied'
+  end
+
+  should 'deny access to export when user has no permission' do
+    get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
+    assert_template 'access_denied'
+  end
+
 end
1	1	class ProposalsDiscussionPluginProfileController < ProfileController
2	2
	3	+ before_filter :check_access_to_profile
	4	+
3	5	def export
4		- @comments = profile.articles.find(params[:article_id]).proposals_comments
	6	+ @comments = @target.proposals_comments
	7	+ end
	8	+
	9	+ protected
	10	+
	11	+ def check_access_to_profile
	12	+ @target = profile.articles.find(params[:article_id])
	13	+ render_access_denied(_('You are not allowed to export data from this article')) unless @target.allow_create?(user)
5	14	end
6	15
7	16	end
...	...
...	...	@@ -13,6 +13,7 @@ class ProposalsDiscussionPluginProfileControllerTest < ActionController::TestCas
13	13	attr_reader :profile, :discussion, :topic, :person
14	14
15	15	should 'assigns comments of all proposals' do
	16	+ discussion.class.any_instance.stubs(:allow_create?).returns(true)
16	17	proposal1 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
17	18	proposal2 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
18	19	comment1 = fast_create(Comment, :source_id => proposal1.id)
...	...	@@ -22,4 +23,15 @@ class ProposalsDiscussionPluginProfileControllerTest < ActionController::TestCas
22	23	assert_equivalent [comment1, comment2, comment3], assigns(:comments)
23	24	end
24	25
	26	+ should 'deny access to export when user is not logged' do
	27	+ logout
	28	+ get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
	29	+ assert_template 'access_denied'
	30	+ end
	31	+
	32	+ should 'deny access to export when user has no permission' do
	33	+ get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
	34	+ assert_template 'access_denied'
	35	+ end
	36	+
25	37	end
...	...