Commit 0b6af5138a22d8dc990915331cd1802009625a3e
1 parent
ad2520f9
ActionItem295: adding access control checks to Article
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1824 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
68 additions
and
0 deletions
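--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -120,6 +120,18 @@ class Article < ActiveRecord::Base
     self.find(:all, :order => 'articles.name', :conditions => [ 'articles.name like (?) or articles.name like (?)', initial + '%', initial.upcase + '%'])
   end
 
+  def display_to?(user)
+    if self.profile.public_content
+      true
+    else
+      if user.nil?
+        false
+      else
+        (user == self.profile) || user.memberships.include?(self.profile)
+      end
+    end
+  end
+
   private
 
   def sanitize_tag_list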
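Review bot: The nested if/else in display_to? can be flattened into guard clauses with the same result, which makes the three access outcomes easier to audit in one glance: `return true if profile.public_content`, `return false if user.nil?`, `user == profile || user.memberships.include?(profile)`. A short comment stating the contract would also help callers, e.g. `# Whether +user+ (nil for anonymous) may view this article: always when the owning profile has public content, otherwise only the profile itself or one of its members.` The decision rests solely on the owning profile's public_content flag, so callers should not read any per-article visibility into this method. The Article class itself starts and ends outside the hunk.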
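--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -233,4 +233,60 @@ class ArticleTest < Test::Unit::TestCase
     assert !Article.new.folder?, 'should identify itself as non-folder'
   end
 
+  should 'always display if public content' do
+    person = create_user('testuser').person
+    assert_equal true, person.home_page.display_to?(nil)
+  end
+
+  should 'display to owner' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... can see his own articles
+    a = person.articles.create!(:name => 'test article')
+    assert_equal true, a.display_to?(person)
+  end
+
+  should 'not display to other unauthenticated user if private' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = person.articles.create!(:name => 'test article')
+
+    # ... which anonymous users cannot view
+    assert_equal false, a1.display_to?(nil)
+  end
+
+  should 'not display to another user if private' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = person.articles.create!(:name => 'test article')
+
+    # ... which another user cannot see
+    another_user = create_user('another_user').person
+    assert_equal false, a1.display_to?(another_user)
+  end
+
+  should 'display for members of profile' do
+    # a community with private content ...
+    community = Community.create!(:name => 'test community')
+    community.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = community.articles.create!(:name => 'test article')
+
+    # ... and its members ...
+    member = create_user('testuser').person
+    community.add_member(member)
+
+    # ... can view that article
+    assert_equal true, a1.display_to?(member)
+  end
+
 end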
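Review bot: The community case only has a positive test ('display for members of profile'); there is no test that a Person who is not a member is refused access to a private community's article, which is the branch where memberships.include? must come back false for a community profile. The person-profile negative test at 'not display to another user if private' does not stand in for it, since a community is never == to a person and the memberships path is what carries the decision there. A test mirroring the member test, but asserting false for a freshly created person who was never added to the community, would close that gap. The ArticleTest class starts outside the hunk.
```ruby
should 'not display to non-members of profile' do
  # a community with private content ...
  community = Community.create!(:name => 'test community')
  community.update_attributes!(:public_content => false)
  a1 = community.articles.create!(:name => 'test article')

  # ... is not visible to a person who was never added as a member
  non_member = create_user('testuser').person
  assert_equal false, a1.display_to?(non_member)
end
```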