Download as
Browse Code »

Commit 766d3c974e30487eb858e72ede0710e6d4e3d855

Authored by Rodrigo Souto
1 parent 566724a7
Exists in staging and in 42 other branches all_pending_tasks_api, api-articles-period, api_roles, caching-rails4, captcha_serpro_plugin, comments_permissions, content-manager-hostspot, elasticsearch, elasticsearch_api, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, elasticsearch_view, environment-exposes-api, export-comment-api, export-comment-paragraph, export_data, external_followers, federation-webfinger, federation_followers, federation_followers_backend, federation_oauth_provider, federation_webfinger, fix_event_date_issue, fix_notification_email, fix_string_downcase_and_upcase, follower_permition, json_cookie_serializer, login-captcha, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, production-vendorized, profile_api_improvements, tasks_keep_filter_params, user_mention, webfinger_server

[work-assignment] Defining download and upload restrictions

Showing 7 changed files with 178 additions and 2 deletions   Show diff stats
app/controllers/my_profile/cms_controller.rb
  Diff comments   View file @766d3c9
@@ -16,7 +16,12 @@ class CmsController < MyProfileController @@ -16,7 +16,12 @@ class CmsController < MyProfileController
16 16
17 before_filter :login_required, :except => [:suggest_an_article] 17 before_filter :login_required, :except => [:suggest_an_article]
18 18
19 - protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish] do |c, user, profile| 19 + protect_if :only => :upload_files do |c, user, profile|
  20 + article_id = c.params[:parent_id]
  21 + profile.articles.find(article_id).allow_create?(user)
  22 + end
  23 +
  24 + protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :upload_files] do |c, user, profile|
20 user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile)) 25 user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile))
21 end 26 end
22 27
plugins/work_assignment/lib/work_assignment_plugin.rb
  Diff comments   View file @766d3c9
@@ -5,7 +5,16 @@ class WorkAssignmentPlugin < Noosfero::Plugin @@ -5,7 +5,16 @@ class WorkAssignmentPlugin < Noosfero::Plugin
5 end 5 end
6 6
7 def self.plugin_description 7 def self.plugin_description
8 - _("New kind of content for work organization.") 8 + _("New kind of content for organizations.")
  9 + end
  10 +
  11 + def self.can_download_submission?(user, submission)
  12 + work_assignment = submission.parent.parent
  13 + work_assignment.publish_submissions || (user && (submission.author == user || user.has_permission?('view_private_content', work_assignment.profile)))
  14 + end
  15 +
  16 + def self.is_submission?(content)
  17 + content && content.parent && content.parent.parent && content.parent.parent.kind_of?(WorkAssignmentPlugin::WorkAssignment)
9 end 18 end
10 19
11 def content_types 20 def content_types
@@ -24,4 +33,20 @@ class WorkAssignmentPlugin < Noosfero::Plugin @@ -24,4 +33,20 @@ class WorkAssignmentPlugin < Noosfero::Plugin
24 !content.profile.members.include?(context.send(:user)) 33 !content.profile.members.include?(context.send(:user))
25 end 34 end
26 35
  36 + def content_viewer_controller_filters
  37 + block = lambda do
  38 + path = params[:page].join('/')
  39 + content = profile.articles.find_by_path(path)
  40 +
  41 + if WorkAssignmentPlugin.is_submission?(content) && !WorkAssignmentPlugin.can_download_submission?(user, content)
  42 + render_access_denied
  43 + end
  44 + end
  45 +
  46 + { :type => 'before_filter',
  47 + :method_name => 'work_assingment_only_admin_or_owner_download',
  48 + :options => {:only => 'view_page'},
  49 + :block => block }
  50 + end
  51 +
27 end 52 end
plugins/work_assignment/lib/work_assignment_plugin/work_assignment.rb
  Diff comments   View file @766d3c9
1 class WorkAssignmentPlugin::WorkAssignment < Folder 1 class WorkAssignmentPlugin::WorkAssignment < Folder
2 2
  3 + alias :submissions :children
  4 +
3 def self.icon_name(article = nil) 5 def self.icon_name(article = nil)
4 'work-assignment' 6 'work-assignment'
5 end 7 end
plugins/work_assignment/test/functional/cms_controller_test.rb 0 → 100644
  Diff comments   View file @766d3c9
@@ -0,0 +1,34 @@ @@ -0,0 +1,34 @@
  1 +require 'test_helper'
  2 +require 'cms_controller'
  3 +
  4 +# Re-raise errors caught by the controller.
  5 +class CmsController; def rescue_action(e) raise e end; end
  6 +
  7 +class CmsControllerTest < ActionController::TestCase
  8 +
  9 + def setup
  10 + @controller = CmsController.new
  11 + @request = ActionController::TestRequest.new
  12 + @response = ActionController::TestResponse.new
  13 + @person = create_user('test_user').person
  14 + login_as :test_user
  15 + end
  16 +
  17 + attr_accessor :person
  18 +
  19 + should 'not allow non-members to upload submissions on work_assignment' do
  20 + organization = fast_create(Organization)
  21 + work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
  22 +
  23 + get :upload_files, :profile => organization.identifier, :parent_id => work_assignment.id
  24 + assert_response :forbidden
  25 + assert_template 'access_denied.rhtml'
  26 +
  27 + organization.add_member(person)
  28 +
  29 + get :upload_files, :profile => organization.identifier, :parent_id => work_assignment.id
  30 + assert_response :success
  31 + end
  32 +
  33 +end
  34 +
plugins/work_assignment/test/functional/content_viewer_controller_test.rb 0 → 100644
  Diff comments   View file @766d3c9
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
  1 +require 'test_helper'
  2 +require 'content_viewer_controller'
  3 +
  4 +# Re-raise errors caught by the controller.
  5 +class ContentViewerController; def rescue_action(e) raise e end; end
  6 +
  7 +class ContentViewerControllerTest < ActionController::TestCase
  8 +
  9 + def setup
  10 + @controller = ContentViewerController.new
  11 + @request = ActionController::TestRequest.new
  12 + @response = ActionController::TestResponse.new
  13 +
  14 + @organization = fast_create(Organization)
  15 + @work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => @organization)
  16 + @person = create_user('test_user').person
  17 + @environment = @organization.environment
  18 + @environment.enable_plugin(WorkAssignmentPlugin)
  19 + @environment.save!
  20 + login_as(:test_user)
  21 + end
  22 + attr_reader :organization, :person, :work_assignment
  23 +
  24 + should 'can download work_assignment' do
  25 + random_member = fast_create(Person)
  26 + organization.add_member(random_member)
  27 + folder = work_assignment.find_or_create_author_folder(random_member)
  28 + submission = UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization, :parent => folder)
  29 + WorkAssignmentPlugin.stubs(:can_download_submission?).returns(false)
  30 +
  31 + get :view_page, :profile => organization.identifier, :page => submission.explode_path
  32 + assert_response :forbidden
  33 + assert_template 'access_denied.rhtml'
  34 +
  35 + WorkAssignmentPlugin.stubs(:can_download_submission?).returns(true)
  36 +
  37 + get :view_page, :profile => organization.identifier, :page => submission.explode_path
  38 + assert_response :success
  39 + end
  40 +
  41 +end
plugins/work_assignment/test/unit/work_assingment_plugin_test.rb 0 → 100644
  Diff comments   View file @766d3c9
@@ -0,0 +1,57 @@ @@ -0,0 +1,57 @@
  1 +require 'test_helper'
  2 +
  3 +class WorkAssignmentPluginTest < ActiveSupport::TestCase
  4 + should 'verify if a content is a work_assignment submission' do
  5 + organization = fast_create(Organization)
  6 + content = UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization)
  7 + assert !WorkAssignmentPlugin.is_submission?(content)
  8 +
  9 + work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
  10 + content.parent = work_assignment
  11 + content.save!
  12 + assert !WorkAssignmentPlugin.is_submission?(content)
  13 +
  14 + author_folder = work_assignment.find_or_create_author_folder(fast_create(Person))
  15 + content.parent = author_folder
  16 + content.save!
  17 + assert WorkAssignmentPlugin.is_submission?(content)
  18 + end
  19 +
  20 + should 'be able to download submission if work_assignment published submissions' do
  21 + submission = create_submission
  22 + assert !WorkAssignmentPlugin.can_download_submission?(nil, submission)
  23 +
  24 + work_assignment = submission.parent.parent
  25 + work_assignment.publish_submissions = true
  26 + work_assignment.save!
  27 + assert WorkAssignmentPlugin.can_download_submission?(nil, submission)
  28 + end
  29 +
  30 + should 'be able to download submission if the user is author of it' do
  31 + person = fast_create(Person)
  32 + submission = create_submission
  33 + assert !WorkAssignmentPlugin.can_download_submission?(person, submission)
  34 +
  35 + submission.author = person
  36 + submission.save!
  37 + assert WorkAssignmentPlugin.can_download_submission?(person, submission)
  38 + end
  39 +
  40 + should 'be able to download submission if the user has the view_private_content permission on the profile' do
  41 + person = fast_create(Person)
  42 + submission = create_submission
  43 + assert !WorkAssignmentPlugin.can_download_submission?(person, submission)
  44 +
  45 + moderator = create_user_with_permission('moderator', 'view_private_content', submission.profile)
  46 + assert WorkAssignmentPlugin.can_download_submission?(moderator, submission)
  47 + end
  48 +
  49 + private
  50 +
  51 + def create_submission
  52 + organization = fast_create(Organization)
  53 + work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
  54 + author_folder = work_assignment.find_or_create_author_folder(fast_create(Person))
  55 + UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization, :parent => author_folder)
  56 + end
  57 +end
test/functional/cms_controller_test.rb
  Diff comments   View file @766d3c9
@@ -1566,6 +1566,18 @@ class CmsControllerTest &lt; ActionController::TestCase @@ -1566,6 +1566,18 @@ class CmsControllerTest &lt; ActionController::TestCase
1566 assert_equal profile, a.author 1566 assert_equal profile, a.author
1567 end 1567 end
1568 1568
  1569 + should 'not allow user upload files if he can not create on the parent folder' do
  1570 + c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
  1571 + u = create_user('test_user')
  1572 + a = c.articles.create!(:name => 'test_article')
  1573 + a.stubs(:allow_create?).with(u).returns(true)
  1574 + login_as :test_user
  1575 +
  1576 + get :upload_files, :profile => c.identifier, :parent_id => a.id
  1577 + assert_response :forbidden
  1578 + assert_template 'access_denied.rhtml'
  1579 + end
  1580 +
1569 protected 1581 protected
1570 1582
1571 # FIXME this is to avoid adding an extra dependency for a proper JSON parser. 1583 # FIXME this is to avoid adding an extra dependency for a proper JSON parser.