Commit 8791558a0575b50946a09ab197a157b91f701443
Committed by
Antonio Terceiro
Antonio Terceiro
1 parent
8a9f6087
Exists in
master
and in
23 other branches
ActionItem1034: access denied page should not use blocks of the current profile
* not show sideboxes when render access denied * fix tests for access_control plugin * remove unused helper UsesDesignBlocksHelper * profile design needs login
Showing
7 changed files
with
38 additions
and
14 deletions
Show diff stats
app/controllers/application.rb
| ... | ... | @@ -37,12 +37,6 @@ class ApplicationController < ActionController::Base |
| 37 | 37 | def uses_design_blocks? |
| 38 | 38 | !@no_design_blocks && self.class.uses_design_blocks? |
| 39 | 39 | end |
| 40 | - module UsesDesignBlocksHelper | |
| 41 | - def uses_design_blocks? | |
| 42 | - @controller.uses_design_blocks? | |
| 43 | - end | |
| 44 | - end | |
| 45 | - helper UsesDesignBlocksHelper | |
| 46 | 40 | |
| 47 | 41 | # Be sure to include AuthenticationSystem in Application Controller instead |
| 48 | 42 | include AuthenticatedSystem | ... | ... |
app/controllers/box_organizer_controller.rb
app/helpers/boxes_helper.rb
| 1 | 1 | module BoxesHelper |
| 2 | 2 | |
| 3 | 3 | def insert_boxes(content) |
| 4 | - if @controller.send(:boxes_editor?) | |
| 4 | + if @controller.send(:boxes_editor?) && @controller.send(:uses_design_blocks?) | |
| 5 | 5 | content + display_boxes_editor(@controller.boxes_holder) |
| 6 | 6 | else |
| 7 | 7 | if @controller.send(:uses_design_blocks?) | ... | ... |
test/functional/profile_design_controller_test.rb
| ... | ... | @@ -12,7 +12,7 @@ class ProfileDesignControllerTest < Test::Unit::TestCase |
| 12 | 12 | @request.stubs(:ssl?).returns(true) |
| 13 | 13 | @response = ActionController::TestResponse.new |
| 14 | 14 | |
| 15 | - @holder = create_user('designtestuser').person | |
| 15 | + @profile = @holder = create_user('designtestuser').person | |
| 16 | 16 | holder.save! |
| 17 | 17 | |
| 18 | 18 | @box1 = Box.new |
| ... | ... | @@ -65,6 +65,7 @@ class ProfileDesignControllerTest < Test::Unit::TestCase |
| 65 | 65 | @controller.stubs(:boxes_holder).returns(holder) |
| 66 | 66 | login_as 'designtestuser' |
| 67 | 67 | end |
| 68 | + attr_reader :profile | |
| 68 | 69 | |
| 69 | 70 | def test_local_files_reference |
| 70 | 71 | assert_local_files_reference :get, :index, :profile => 'designtestuser' |
| ... | ... | @@ -319,4 +320,17 @@ class ProfileDesignControllerTest < Test::Unit::TestCase |
| 319 | 320 | assert_equal 20, @box1.blocks[-1].limit |
| 320 | 321 | end |
| 321 | 322 | |
| 323 | + should 'require login' do | |
| 324 | + logout | |
| 325 | + get :index, :profile => profile.identifier | |
| 326 | + assert_redirected_to :controller => 'account', :action => 'login' | |
| 327 | + end | |
| 328 | + | |
| 329 | + should 'not show sideboxes when render access denied' do | |
| 330 | + another_profile = create_user('bobmarley').person | |
| 331 | + get :index, :profile => another_profile.identifier | |
| 332 | + assert_tag :tag => 'div', :attributes => {:class => 'no-boxes'} | |
| 333 | + assert_tag :tag => 'div', :attributes => {:id => 'access-denied'} | |
| 334 | + end | |
| 335 | + | |
| 322 | 336 | end | ... | ... |
vendor/plugins/access_control/lib/permission_check.rb
| ... | ... | @@ -20,12 +20,19 @@ module PermissionCheck |
| 20 | 20 | target = target_method.kind_of?(Symbol) ? c.send(target_method) : target_method |
| 21 | 21 | accessor = accessor_method.kind_of?(Symbol) ? c.send(accessor_method) : accessor_method |
| 22 | 22 | unless accessor && accessor.has_permission?(permission.to_s, target) |
| 23 | -# c.instance_variable_set('@b', [accessor, permission, target]) | |
| 24 | - c.send(:render, :template => access_denied_template_path, :status => 403) && false | |
| 23 | + render_access_denied(c) && false | |
| 25 | 24 | end |
| 26 | 25 | end |
| 27 | 26 | end |
| 28 | 27 | |
| 28 | + def render_access_denied(c) | |
| 29 | + if c.respond_to?(:render_access_denied) | |
| 30 | + c.send(:render_access_denied) | |
| 31 | + else | |
| 32 | + c.send(:render, :template => access_denied_template_path, :status => 403) | |
| 33 | + end | |
| 34 | + end | |
| 35 | + | |
| 29 | 36 | def access_denied_template_path |
| 30 | 37 | if File.exists?(File.join(RAILS_ROOT, 'app', 'views', 'access_control', 'access_denied.rhtml')) |
| 31 | 38 | File.join(RAILS_ROOT, 'app', 'views', 'access_control', 'access_denied.rhtml') | ... | ... |
vendor/plugins/access_control/test/schema.rb
| ... | ... | @@ -3,10 +3,11 @@ ActiveRecord::Migration.verbose = false |
| 3 | 3 | ActiveRecord::Schema.define(:version => 0) do |
| 4 | 4 | |
| 5 | 5 | create_table :access_control_test_roles, :force => true do |t| |
| 6 | - t.column :name, :string | |
| 7 | - t.column :permissions, :string | |
| 8 | - t.column :key, :string | |
| 9 | - t.column :system, :boolean, :default => false | |
| 6 | + t.column :name, :string | |
| 7 | + t.column :permissions, :string | |
| 8 | + t.column :key, :string | |
| 9 | + t.column :system, :boolean, :default => false | |
| 10 | + t.column :environment_id, :integer | |
| 10 | 11 | end |
| 11 | 12 | |
| 12 | 13 | create_table :access_control_test_role_assignments, :force => true do |t| | ... | ... |
vendor/plugins/access_control/test/test_helper.rb
| ... | ... | @@ -18,6 +18,12 @@ RoleAssignment.set_table_name 'access_control_test_role_assignments' |
| 18 | 18 | class AccessControlTestAccessor < ActiveRecord::Base |
| 19 | 19 | set_table_name 'access_control_test_accessors' |
| 20 | 20 | acts_as_accessor |
| 21 | + def cache_keys | |
| 22 | + [] | |
| 23 | + end | |
| 24 | + def blocks_to_expire_cache | |
| 25 | + [] | |
| 26 | + end | |
| 21 | 27 | end |
| 22 | 28 | |
| 23 | 29 | # resource example class to be accessed by some accessor | ... | ... |