Download as
Browse Code »

Commit 06fa2f5d2bc272d3778669dfb75c309a9b1e1c61

Authored by Victor Costa
1 parent 486279f0
Exists in staging and in 4 other branches captcha_serpro_plugin, login-captcha, production, production-vendorized

proposals_discussion: fix published filter from load_proposals and protect against denied access

Showing 2 changed files with 27 additions and 2 deletions   Show diff stats
plugins/proposals_discussion/controllers/public/proposals_discussion_plugin_public_controller.rb
  Diff comments   View file @06fa2f5
@@ -2,13 +2,14 @@ class ProposalsDiscussionPluginPublicController < ApplicationController @@ -2,13 +2,14 @@ class ProposalsDiscussionPluginPublicController < ApplicationController
2 2
3 needs_profile 3 needs_profile
4 4
  5 + before_filter :check_permission
  6 +
5 def load_proposals 7 def load_proposals
6 - @holder = profile.articles.find(params[:holder_id])  
7 page = (params[:page] || 1).to_i 8 page = (params[:page] || 1).to_i
8 set_rand_cookie if page == 1 9 set_rand_cookie if page == 1
9 order = params[:order] 10 order = params[:order]
10 11
11 - @proposals = order_proposals(@holder.proposals.public, order) 12 + @proposals = order_proposals(@holder.proposals.published, order)
12 @proposals = @proposals.page(page).per_page(4) 13 @proposals = @proposals.page(page).per_page(4)
13 14
14 render :partial => 'content_viewer/proposals_list_content', :locals => {:proposals => @proposals, :holder => @holder, :page => page+1, :order => order} 15 render :partial => 'content_viewer/proposals_list_content', :locals => {:proposals => @proposals, :holder => @holder, :page => page+1, :order => order}
@@ -16,6 +17,11 @@ class ProposalsDiscussionPluginPublicController < ApplicationController @@ -16,6 +17,11 @@ class ProposalsDiscussionPluginPublicController < ApplicationController
16 17
17 private 18 private
18 19
  20 + def check_permission
  21 + @holder = profile.articles.find(params[:holder_id])
  22 + render_access_denied unless @holder.display_to?(user)
  23 + end
  24 +
19 def order_proposals(proposals, order) 25 def order_proposals(proposals, order)
20 case order 26 case order
21 when 'alphabetical' 27 when 'alphabetical'
plugins/proposals_discussion/test/functional/proposals_discussion_plugin_public_controller_test.rb
  Diff comments   View file @06fa2f5
@@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest < ActionController::TestCase @@ -76,4 +76,23 @@ class ProposalsDiscussionPluginPublicControllerTest < ActionController::TestCase
76 assert_equal [proposal3, proposal1, proposal2], assigns(:proposals) 76 assert_equal [proposal3, proposal1, proposal2], assigns(:proposals)
77 end 77 end
78 78
  79 + should 'load proposals when profile is private and the user is a member' do
  80 + person = create_user.person
  81 + login_as(person.identifier)
  82 + profile.add_member(person)
  83 + profile.update_attribute(:public_profile, false)
  84 +
  85 + proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
  86 + get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
  87 + assert_equivalent proposals, assigns(:proposals)
  88 + end
  89 +
  90 + should 'not load proposals when profile is private and user is not logged' do
  91 + logout
  92 + profile.update_attribute(:public_profile, false)
  93 + proposals = 3.times.map { fast_create(ProposalsDiscussionPlugin::Proposal, :name => 'proposal title', :abstract => 'proposal abstract', :profile_id => profile.id, :parent_id => topic.id)}
  94 + get :load_proposals, :profile => profile.identifier, :holder_id => topic.id
  95 + assert_equal nil, assigns(:proposals)
  96 + end
  97 +
79 end 98 end