ActionItem295: adding access control checks to Article

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1824 3f533792-8f58-4932-b0fe-aaf55b0a4547

ActionItem295: adding access control checks to Article
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1824 3f533792-8f58-4932-b0fe-aaf55b0a4547
AntonioTerceiro
1 parent ad2520f9
Showing 2 changed files with 68 additions and 0 deletions Show diff stats
app/models/article.rb
test/unit/article_test.rb
@@ -120,6 +120,18 @@ class Article &lt; ActiveRecord::Base
     self.find(:all, :order => 'articles.name', :conditions => [ 'articles.name like (?) or articles.name like (?)', initial + '%', initial.upcase + '%'])
   end
+  def display_to?(user)
+    if self.profile.public_content
+      true
+    else
+      if user.nil?
+        false
+      else
+        (user == self.profile) || user.memberships.include?(self.profile)
+      end
+    end
+  end
+
   private
   def sanitize_tag_list
@@ -233,4 +233,60 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert !Article.new.folder?, 'should identify itself as non-folder'
   end
+  should 'always display if public content' do
+    person = create_user('testuser').person
+    assert_equal true, person.home_page.display_to?(nil)
+  end
+
+  should 'display to owner' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... can see his own articles
+    a = person.articles.create!(:name => 'test article')
+    assert_equal true, a.display_to?(person)
+  end
+
+  should 'not display to other unauthenticated user if private' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = person.articles.create!(:name => 'test article')
+
+    # ... which anonymous users cannot view
+    assert_equal false, a1.display_to?(nil)
+  end
+
+  should 'not display to another user if private' do
+    # a person with private contents ...
+    person = create_user('testuser').person
+    person.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = person.articles.create!(:name => 'test article')
+
+    # ... which another user cannot see
+    another_user = create_user('another_user').person
+    assert_equal false, a1.display_to?(another_user)
+  end
+
+  should 'display for members of profile' do
+    # a community with private content ...
+    community = Community.create!(:name => 'test community')
+    community.update_attributes!(:public_content => false)
+
+    # ... has an article ...
+    a1 = community.articles.create!(:name => 'test article')
+
+    # ... and its members ...
+    member = create_user('testuser').person
+    community.add_member(member)
+
+    # ... can view that article
+    assert_equal true, a1.display_to?(member)
+  end
+
 end
	@@ -120,6 +120,18 @@ class Article < ActiveRecord::Base		@@ -120,6 +120,18 @@ class Article < ActiveRecord::Base
120	self.find(:all, :order => 'articles.name', :conditions => [ 'articles.name like (?) or articles.name like (?)', initial + '%', initial.upcase + '%'])	120	self.find(:all, :order => 'articles.name', :conditions => [ 'articles.name like (?) or articles.name like (?)', initial + '%', initial.upcase + '%'])
121	end	121	end
122		122
		123	+ def display_to?(user)
		124	+ if self.profile.public_content
		125	+ true
		126	+ else
		127	+ if user.nil?
		128	+ false
		129	+ else
		130	+ (user == self.profile) \|\| user.memberships.include?(self.profile)
		131	+ end
		132	+ end
		133	+ end
		134	+
123	private	135	private
124		136
125	def sanitize_tag_list	137	def sanitize_tag_list
	@@ -233,4 +233,60 @@ class ArticleTest < Test::Unit::TestCase		@@ -233,4 +233,60 @@ class ArticleTest < Test::Unit::TestCase
233	assert !Article.new.folder?, 'should identify itself as non-folder'	233	assert !Article.new.folder?, 'should identify itself as non-folder'
234	end	234	end
235		235
		236	+ should 'always display if public content' do
		237	+ person = create_user('testuser').person
		238	+ assert_equal true, person.home_page.display_to?(nil)
		239	+ end
		240	+
		241	+ should 'display to owner' do
		242	+ # a person with private contents ...
		243	+ person = create_user('testuser').person
		244	+ person.update_attributes!(:public_content => false)
		245	+
		246	+ # ... can see his own articles
		247	+ a = person.articles.create!(:name => 'test article')
		248	+ assert_equal true, a.display_to?(person)
		249	+ end
		250	+
		251	+ should 'not display to other unauthenticated user if private' do
		252	+ # a person with private contents ...
		253	+ person = create_user('testuser').person
		254	+ person.update_attributes!(:public_content => false)
		255	+
		256	+ # ... has an article ...
		257	+ a1 = person.articles.create!(:name => 'test article')
		258	+
		259	+ # ... which anonymous users cannot view
		260	+ assert_equal false, a1.display_to?(nil)
		261	+ end
		262	+
		263	+ should 'not display to another user if private' do
		264	+ # a person with private contents ...
		265	+ person = create_user('testuser').person
		266	+ person.update_attributes!(:public_content => false)
		267	+
		268	+ # ... has an article ...
		269	+ a1 = person.articles.create!(:name => 'test article')
		270	+
		271	+ # ... which another user cannot see
		272	+ another_user = create_user('another_user').person
		273	+ assert_equal false, a1.display_to?(another_user)
		274	+ end
		275	+
		276	+ should 'display for members of profile' do
		277	+ # a community with private content ...
		278	+ community = Community.create!(:name => 'test community')
		279	+ community.update_attributes!(:public_content => false)
		280	+
		281	+ # ... has an article ...
		282	+ a1 = community.articles.create!(:name => 'test article')
		283	+
		284	+ # ... and its members ...
		285	+ member = create_user('testuser').person
		286	+ community.add_member(member)
		287	+
		288	+ # ... can view that article
		289	+ assert_equal true, a1.display_to?(member)
		290	+ end
		291	+
236	end	292	end