Commit 0b6af5138a22d8dc990915331cd1802009625a3e
ActionItem295: adding access control checks to Article
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1824 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
68 additions
and
0 deletions
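--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -120,6 +120,18 @@ class Article < ActiveRecord::Base
 self.find(:all, :order => 'articles.name', :conditions => [ 'articles.name like (?) or articles.name like (?)', initial + '%', initial.upcase + '%'])
 end
 
+def display_to?(user)
+if self.profile.public_content
+true
+else
+if user.nil?
+false
+else
+(user == self.profile) || user.memberships.include?(self.profile)
+end
+end
+end
+
 private
 
 def sanitize_tag_list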
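Review bot: `display_to?` is defined here but nothing in this commit calls it — the diffstat lists only the model and its unit test — so the access check is declared rather than enforced; the controllers and views that render an article need to consult it before exposing content, otherwise a private profile's articles stay reachable exactly as before. The nested `if`/`else` would read more clearly as guard clauses, e.g. `return true if profile.public_content`, `return false if user.nil?`, `user == profile || user.memberships.include?(profile)`, which also makes the fail-closed default (anonymous and non-member callers get `false`) visible at a glance. `user.memberships.include?(profile)` presumably loads the whole association just to test one membership; if that collection can be large, a scoped existence query would be cheaper, though that is inferred from the name rather than visible here. A one-line comment stating the contract would help callers: `# True if +user+ (a Person or nil for anonymous) may read this article: public profile, the profile itself, or one of its members.`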
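--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -233,4 +233,60 @@ class ArticleTest < Test::Unit::TestCase
 assert !Article.new.folder?, 'should identify itself as non-folder'
 end
 
+should 'always display if public content' do
+person = create_user('testuser').person
+assert_equal true, person.home_page.display_to?(nil)
+end
+
+should 'display to owner' do
+# a person with private contents ...
+person = create_user('testuser').person
+person.update_attributes!(:public_content => false)
+
+# ... can see his own articles
+a = person.articles.create!(:name => 'test article')
+assert_equal true, a.display_to?(person)
+end
+
+should 'not display to other unauthenticated user if private' do
+# a person with private contents ...
+person = create_user('testuser').person
+person.update_attributes!(:public_content => false)
+
+# ... has an article ...
+a1 = person.articles.create!(:name => 'test article')
+
+# ... which anonymous users cannot view
+assert_equal false, a1.display_to?(nil)
+end
+
+should 'not display to another user if private' do
+# a person with private contents ...
+person = create_user('testuser').person
+person.update_attributes!(:public_content => false)
+
+# ... has an article ...
+a1 = person.articles.create!(:name => 'test article')
+
+# ... which another user cannot see
+another_user = create_user('another_user').person
+assert_equal false, a1.display_to?(another_user)
+end
+
+should 'display for members of profile' do
+# a community with private content ...
+community = Community.create!(:name => 'test community')
+community.update_attributes!(:public_content => false)
+
+# ... has an article ...
+a1 = community.articles.create!(:name => 'test article')
+
+# ... and its members ...
+member = create_user('testuser').person
+community.add_member(member)
+
+# ... can view that article
+assert_equal true, a1.display_to?(member)
+end
+
 end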
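Review bot: The membership branch is only exercised on its allow path — `should 'display for members of profile'` adds a member and asserts `true` — but no test checks that a non-member of a private community is denied, and that denial is the case that actually protects content; the person-based tests cover the `user == profile` branch but never a community with an outsider. The first test also relies on a freshly created person having `public_content` enabled by default, which is inferred rather than set; calling `person.update_attributes!(:public_content => true)` explicitly would keep the test meaningful if that default changes. A denial test for the community case would look like the following, placed next to the existing member test.

```ruby
# … unchanged: existing display_to? tests …

should 'not display to non-members of private profile' do
  community = Community.create!(:name => 'test community')
  community.update_attributes!(:public_content => false)
  a1 = community.articles.create!(:name => 'test article')

  # a person who never joined the community ...
  outsider = create_user('outsider').person

  # ... must not see its private article
  assert_equal false, a1.display_to?(outsider)
end
```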