Commit fccd062142cf4f76c9022220dafb5ec5da73f340
1 parent
c563665f
proposals_discussion: fix permission access to export function
Showing
2 changed files
with
22 additions
and
1 deletions
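--- a/controllers/profile/proposals_discussion_plugin_profile_controller.rb
+++ b/controllers/profile/proposals_discussion_plugin_profile_controller.rb
@@ -1,7 +1,16 @@
 class ProposalsDiscussionPluginProfileController < ProfileController
 
+before_filter :check_access_to_profile
+
 def export
-@comments = profile.articles.find(params[:article_id]).proposals_comments
+@comments = @target.proposals_comments
+end
+
+protected
+
+def check_access_to_profile
+@target = profile.articles.find(params[:article_id])
+render_access_denied(_('You are not allowed to export data from this article')) unless @target.allow_create?(user)
 end
 
 end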
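Review bot: The export of every proposal's comments is now gated on `@target.allow_create?(user)` (new line 13), a permission whose name suggests it governs creating content under the article rather than reading or exporting it; if that method is true for anyone allowed to submit a proposal, every such user can also download all comments on all proposals. I cannot see `allow_create?` from here, so confirm it is the intended level of access and record the rationale above the check, e.g. `# Export is limited to users who may create content under this article (same level as posting a proposal); anonymous users fail allow_create? and are denied.` The filter also relies on `allow_create?(nil)` returning false for anonymous users (the new test expects it); making that explicit keeps the controller fail-closed regardless of the model: `render_access_denied(_('You are not allowed to export data from this article')) unless user && @target.allow_create?(user)`. The name `check_access_to_profile` describes a check on the article, not the profile; `check_access_to_article` would say what it does.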
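--- a/test/functional/proposals_discussion_plugin_profile_controller_test.rb
+++ b/test/functional/proposals_discussion_plugin_profile_controller_test.rb
@@ -13,6 +13,7 @@ class ProposalsDiscussionPluginProfileControllerTest < ActionController::TestCas
 attr_reader :profile, :discussion, :topic, :person
 
 should 'assigns comments of all proposals' do
+discussion.class.any_instance.stubs(:allow_create?).returns(true)
 proposal1 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
 proposal2 = fast_create(ProposalsDiscussionPlugin::Proposal, :profile_id => profile.id, :parent_id => topic.id)
 comment1 = fast_create(Comment, :source_id => proposal1.id)
@@ -22,4 +23,15 @@ class ProposalsDiscussionPluginProfileControllerTest < ActionController::TestCas
 assert_equivalent [comment1, comment2, comment3], assigns(:comments)
 end
 
+should 'deny access to export when user is not logged' do
+logout
+get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
+assert_template 'access_denied'
+end
+
+should 'deny access to export when user has no permission' do
+get :export, :format => :csv, :article_id => discussion.id, :profile => profile.identifier
+assert_template 'access_denied'
+end
+
 end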
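Review bot: The positive test now stubs `allow_create?` on every instance of `discussion.class` (new line 16), so it no longer exercises the real permission mapping, and the two new deny tests (new lines 26-35) assert only the template, not the HTTP status, so a change that rendered `access_denied` with a 200 would still pass. If `render_access_denied` sets a status (it is not visible here), add `assert_response 403` after each `assert_template 'access_denied'`, and consider a positive test that grants the fixture user the real permission instead of stubbing so the controller's choice of `allow_create?` is actually covered. The second deny test depends on whichever user the setup before line 13 logs in, which is outside this hunk.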