Commit 0c69cdb144b96f7c69826c1d07fbf393d77c910d
Exists in
master
and in
29 other branches
Merge branch 'stable'
Conflicts: test/functional/profile_controller_test.rb
Showing
26 changed files
with
334 additions
and
52 deletions
Show diff stats
app/controllers/my_profile/cms_controller.rb
| ... | ... | @@ -149,7 +149,7 @@ class CmsController < MyProfileController |
| 149 | 149 | def set_home_page |
| 150 | 150 | @article = profile.articles.find(params[:id]) |
| 151 | 151 | profile.home_page = @article |
| 152 | - profile.save! | |
| 152 | + profile.save(false) | |
| 153 | 153 | flash[:notice] = _('"%s" configured as home page.') % @article.name |
| 154 | 154 | redirect_to :action => 'view', :id => @article.id |
| 155 | 155 | end | ... | ... |
app/controllers/public/profile_controller.rb
| ... | ... | @@ -3,7 +3,7 @@ class ProfileController < PublicController |
| 3 | 3 | needs_profile |
| 4 | 4 | before_filter :check_access_to_profile, :except => [:join, :refuse_join, :refuse_for_now, :index] |
| 5 | 5 | before_filter :store_before_join, :only => [:join] |
| 6 | - before_filter :login_required, :only => [:join, :refuse_join, :leave] | |
| 6 | + before_filter :login_required, :only => [:join, :refuse_join, :leave, :unblock] | |
| 7 | 7 | |
| 8 | 8 | helper TagsHelper |
| 9 | 9 | |
| ... | ... | @@ -127,8 +127,14 @@ class ProfileController < PublicController |
| 127 | 127 | end |
| 128 | 128 | |
| 129 | 129 | def unblock |
| 130 | - profile.unblock | |
| 131 | - redirect_to :controller => 'profile', :action => 'index' | |
| 130 | + if current_user.person.is_admin?(profile.environment) | |
| 131 | + profile.unblock | |
| 132 | + flash[:notice] = _("You have unblocked %s successfully. ") % profile.name | |
| 133 | + redirect_to :controller => 'profile', :action => 'index' | |
| 134 | + else | |
| 135 | + message = _('You are not allowed to unblock enterprises in this environment.') | |
| 136 | + render_access_denied(message) | |
| 137 | + end | |
| 132 | 138 | end |
| 133 | 139 | |
| 134 | 140 | protected | ... | ... |
app/models/block.rb
| ... | ... | @@ -20,7 +20,7 @@ class Block < ActiveRecord::Base |
| 20 | 20 | # |
| 21 | 21 | # * <tt>:article</tt>: the article being viewed currently |
| 22 | 22 | def visible?(context = nil) |
| 23 | - if settings[:visible] == false || display == 'never' | |
| 23 | + if display == 'never' | |
| 24 | 24 | return false |
| 25 | 25 | end |
| 26 | 26 | if context && context[:article] && display == 'home_page_only' |
| ... | ... | @@ -35,21 +35,7 @@ class Block < ActiveRecord::Base |
| 35 | 35 | # * <tt>'never'</tt>: the block is hidden (it does not appear for visitors) |
| 36 | 36 | # * <tt>'home_page_only'</tt> the block is displayed only when viewing the |
| 37 | 37 | # homepage of its owner. |
| 38 | - def display | |
| 39 | - if settings[:visible] == false | |
| 40 | - 'never' | |
| 41 | - else | |
| 42 | - settings[:display] || 'always' | |
| 43 | - end | |
| 44 | - end | |
| 45 | - | |
| 46 | - # Sets the <tt>value</tt> attribute. | |
| 47 | - def display=(value) | |
| 48 | - settings[:display] = value | |
| 49 | - # clear the old setting | |
| 50 | - settings[:visible] = nil | |
| 51 | - end | |
| 52 | - | |
| 38 | + settings_items :display, :type => :string, :default => 'always' | |
| 53 | 39 | |
| 54 | 40 | # returns the description of the block, used when the user sees a list of |
| 55 | 41 | # blocks to choose one to include in the design. | ... | ... |
app/views/shared/tiny_mce.rhtml
| ... | ... | @@ -22,7 +22,7 @@ tinyMCE.init({ |
| 22 | 22 | paste_insert_word_content_callback : "convertWord", |
| 23 | 23 | paste_use_dialog: false, |
| 24 | 24 | apply_source_formatting : true, |
| 25 | - extended_valid_elements : "applet[style|archive|codebase|code|height|width],comment,iframe[src|style|allowtransparency|frameborder]", | |
| 25 | + extended_valid_elements : "applet[style|archive|codebase|code|height|width],comment,iframe[src|style|allowtransparency|frameborder|width|height]", | |
| 26 | 26 | content_css: '/stylesheets/tinymce.css', |
| 27 | 27 | language: <%= tinymce_language.inspect %>, |
| 28 | 28 | entity_encoding: 'raw' | ... | ... |
app/views/tasks/_add_friend.rhtml
| ... | ... | @@ -2,7 +2,7 @@ |
| 2 | 2 | |
| 3 | 3 | <%= link_to( profile_image(task.requestor, :minor, :border => 0), task.requestor.public_profile_url ) %> |
| 4 | 4 | |
| 5 | -<%= _('%s wants to connect to you as a friend.') % | |
| 5 | +<%= _('%s wants to be your friend.') % | |
| 6 | 6 | content_tag('strong', link_to( task.requestor.name, task.requestor.public_profile_url ) ) %> |
| 7 | 7 | |
| 8 | 8 | <% form_for('task', task, :url => { :action => 'close', :id => task.id } ) do |f| %> | ... | ... |
| ... | ... | @@ -0,0 +1 @@ |
| 1 | +<%= render :partial => 'add_friend', :locals => {:task => task} %> | ... | ... |
| ... | ... | @@ -0,0 +1,29 @@ |
| 1 | +<h2><%= _('Join community') %></h2> | |
| 2 | + | |
| 3 | +<%= link_to( profile_image(task.requestor, :minor, :border => 0), task.requestor.public_profile_url ) %> | |
| 4 | + | |
| 5 | +<%= _('%s invites you to join the community %s.') % | |
| 6 | + [content_tag('strong', link_to( task.requestor.name, task.requestor.public_profile_url ) ), | |
| 7 | + content_tag('strong', link_to( task.community.name, task.community.public_profile_url ) )] %> | |
| 8 | + | |
| 9 | +<% form_for('task', task, :url => { :action => 'close', :id => task.id } ) do |f| %> | |
| 10 | + | |
| 11 | + <div> | |
| 12 | + <%= radio_button_tag(:decision, 'finish', true, | |
| 13 | + :id => "decision-finish-#{task.id}", | |
| 14 | + :onclick => "Element.show('group-for-friend-#{task.id}')") %> | |
| 15 | + <label for="<%= "decision-finish-#{task.id}" %>"><b><%= _('Accept') %></b></label> | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + <%= radio_button_tag(:decision, 'cancel', false, | |
| 20 | + :id => "decision-cancel-#{task.id}", | |
| 21 | + :onclick => "Element.hide('group-for-friend-#{task.id}')") %> | |
| 22 | + <label for="<%= "decision-cancel-#{task.id}" %>"><b><%= _('Reject') %></b></label> | |
| 23 | + | |
| 24 | + </div> | |
| 25 | + | |
| 26 | + <% button_bar do %> | |
| 27 | + <%= submit_button(:ok, _('Ok!')) %> | |
| 28 | + <% end %> | |
| 29 | +<% end %> | ... | ... |
db/migrate/20100514133346_move_values_of_visible_field_to_display_field.rb
0 → 100644
| ... | ... | @@ -0,0 +1,20 @@ |
| 1 | +class MoveValuesOfVisibleFieldToDisplayField < ActiveRecord::Migration | |
| 2 | + def self.up | |
| 3 | + Block.all.each do |block| | |
| 4 | + visible = block.settings.delete(:visible) | |
| 5 | + if visible == false | |
| 6 | + block.settings[:display] = 'never' | |
| 7 | + block.save! | |
| 8 | + else | |
| 9 | + if block.settings[:display].blank? | |
| 10 | + block.settings[:display] = 'always' | |
| 11 | + block.save! | |
| 12 | + end | |
| 13 | + end | |
| 14 | + end | |
| 15 | + end | |
| 16 | + | |
| 17 | + def self.down | |
| 18 | + say "Nothing to do!" | |
| 19 | + end | |
| 20 | +end | ... | ... |
db/schema.rb
| ... | ... | @@ -9,7 +9,7 @@ |
| 9 | 9 | # |
| 10 | 10 | # It's strongly recommended to check this file into your version control system. |
| 11 | 11 | |
| 12 | -ActiveRecord::Schema.define(:version => 20100413231206) do | |
| 12 | +ActiveRecord::Schema.define(:version => 20100514133346) do | |
| 13 | 13 | |
| 14 | 14 | create_table "article_versions", :force => true do |t| |
| 15 | 15 | t.integer "article_id" | ... | ... |
features/invitation.feature
| ... | ... | @@ -4,9 +4,9 @@ Feature: invitation |
| 4 | 4 | |
| 5 | 5 | Background: |
| 6 | 6 | Given the following users |
| 7 | - | login | | |
| 8 | - | josesilva | | |
| 9 | - | josesantos | | |
| 7 | + | login | email | | |
| 8 | + | josesilva | silva@invalid.br | | |
| 9 | + | josesantos | santos@invalid.br | | |
| 10 | 10 | And the following communities |
| 11 | 11 | | owner | identifier | name | |
| 12 | 12 | | josesilva | 26-bsslines | 26 Bsslines | |
| ... | ... | @@ -72,14 +72,89 @@ Feature: invitation |
| 72 | 72 | Then I should see "Access denied" |
| 73 | 73 | |
| 74 | 74 | Scenario: not see link to invite members to enterprise in manage members |
| 75 | - Given I am on /myprofile/beatles-for-sale/profile_members | |
| 75 | + Given I am on Beatles For Sale's members management | |
| 76 | 76 | Then I should not see "Invite your friends to join Beatles For Sale" link |
| 77 | 77 | |
| 78 | 78 | Scenario: back to manage members after invite friends |
| 79 | - Given I am on /myprofile/26-bsslines/profile_members | |
| 79 | + Given I am on 26 Bsslines's members management | |
| 80 | 80 | And I follow "Invite your friends to join 26 Bsslines" |
| 81 | 81 | And I press "Next" |
| 82 | 82 | And I fill in "manual_import_addresses" with "misfits@devil.doll" |
| 83 | 83 | And I fill in "mail_template" with "Follow this link <url>" |
| 84 | 84 | When I press "Invite my friends!" |
| 85 | 85 | Then I should be on /myprofile/26-bsslines/profile_members |
| 86 | + | |
| 87 | + Scenario: noosfero user receives a task when a user invites to join a community | |
| 88 | + Given I am on 26 Bsslines's members management | |
| 89 | + And I follow "Invite your friends to join 26 Bsslines" | |
| 90 | + And I press "Next" | |
| 91 | + And I fill in "manual_import_addresses" with "santos@invalid.br" | |
| 92 | + And I fill in "mail_template" with "Follow this link <url>" | |
| 93 | + And I press "Invite my friends!" | |
| 94 | + When I am logged in as "josesantos" | |
| 95 | + And I follow "Control Panel" | |
| 96 | + And I should see "josesilva invites you to join the community 26 Bsslines." | |
| 97 | + | |
| 98 | + Scenario: noosfero user accepts to join community | |
| 99 | + Given I invite email "santos@invalid.br" to join community "26 Bsslines" | |
| 100 | + When I am logged in as "josesantos" | |
| 101 | + And I follow "Control panel" | |
| 102 | + And I follow "Process requests" | |
| 103 | + And I should see "josesilva invites you to join the community 26 Bsslines." | |
| 104 | + And I choose "Accept" | |
| 105 | + When I press "Ok!" | |
| 106 | + Then I should not see "josesilva invites you to join the community 26 Bsslines." | |
| 107 | + When I follow "Control panel" | |
| 108 | + And I follow "Manage my groups" | |
| 109 | + Then I should see "26 Bsslines" | |
| 110 | + | |
| 111 | + Scenario: noosfero user rejects to join community | |
| 112 | + Given I invite email "santos@invalid.br" to join community "26 Bsslines" | |
| 113 | + When I am logged in as "josesantos" | |
| 114 | + And I follow "Control panel" | |
| 115 | + And I follow "Process requests" | |
| 116 | + And I should see "josesilva invites you to join the community 26 Bsslines." | |
| 117 | + And I choose "Reject" | |
| 118 | + When I press "Ok!" | |
| 119 | + Then I should not see "josesilva invites you to join the community 26 Bsslines." | |
| 120 | + When I follow "Control panel" | |
| 121 | + And I follow "Manage my groups" | |
| 122 | + Then I should not see "26 Bsslines" | |
| 123 | + | |
| 124 | + Scenario: noosfero user receives a task when a user invites to be friend | |
| 125 | + Given I am on josesilva's control panel | |
| 126 | + And I follow "Manage Friends" | |
| 127 | + And I follow "Invite people from my e-mail contacts" | |
| 128 | + And I press "Next" | |
| 129 | + And I fill in "manual_import_addresses" with "santos@invalid.br" | |
| 130 | + And I fill in "mail_template" with "Follow this link <url>" | |
| 131 | + And I press "Invite my friends!" | |
| 132 | + When I am logged in as "josesantos" | |
| 133 | + And I follow "Control Panel" | |
| 134 | + And I should see "josesilva wants to be your friend." | |
| 135 | + | |
| 136 | + Scenario: noosfero user accepts to be friend | |
| 137 | + Given I invite email "santos@invalid.br" to be my friend | |
| 138 | + When I am logged in as "josesantos" | |
| 139 | + And I follow "Control panel" | |
| 140 | + And I follow "Process requests" | |
| 141 | + And I should see "josesilva wants to be your friend." | |
| 142 | + And I choose "Accept" | |
| 143 | + When I press "Ok!" | |
| 144 | + And I should not see "josesilva wants to be your friend." | |
| 145 | + When I follow "Control panel" | |
| 146 | + And I follow "Manage friends" | |
| 147 | + Then I should see "josesilva" | |
| 148 | + | |
| 149 | + Scenario: noosfero user rejects to be friend | |
| 150 | + Given I invite email "santos@invalid.br" to be my friend | |
| 151 | + When I am logged in as "josesantos" | |
| 152 | + And I follow "Control panel" | |
| 153 | + And I follow "Process requests" | |
| 154 | + And I should see "josesilva wants to be your friend." | |
| 155 | + And I choose "Ignore" | |
| 156 | + When I press "Ok!" | |
| 157 | + And I should not see "josesilva wants to be your friend." | |
| 158 | + When I follow "Control panel" | |
| 159 | + And I follow "Manage friends" | |
| 160 | + Then I should not see "josesilva" | ... | ... |
| ... | ... | @@ -0,0 +1,19 @@ |
| 1 | +Given /^I invite email "(.+)" to join community "(.+)"$/ do |email, community| | |
| 2 | + identifier = Community.find_by_name(community).identifier | |
| 3 | + visit("/myprofile/#{identifier}/profile_members") | |
| 4 | + click_link('Invite your friends to join 26 Bsslines') | |
| 5 | + click_button('Next') | |
| 6 | + fill_in('manual_import_addresses', :with => "#{email}") | |
| 7 | + fill_in('mail_template', :with => 'Follow this link <url>') | |
| 8 | + click_button("Invite my friends!") | |
| 9 | +end | |
| 10 | + | |
| 11 | +Given /^I invite email "(.+)" to be my friend$/ do |email| | |
| 12 | + click_link('Control panel') | |
| 13 | + click_link('Manage friends') | |
| 14 | + click_link('Invite people from my e-mail contacts') | |
| 15 | + click_button('Next') | |
| 16 | + fill_in('manual_import_addresses', :with => "#{email}") | |
| 17 | + fill_in('mail_template', :with => 'Follow this link <url>') | |
| 18 | + click_button("Invite my friends!") | |
| 19 | +end | ... | ... |
features/support/paths.rb
| ... | ... | @@ -48,6 +48,9 @@ module NavigationHelpers |
| 48 | 48 | when /^(.+)'s cms/ |
| 49 | 49 | '/myprofile/%s/cms' % Profile.find_by_name($1).identifier |
| 50 | 50 | |
| 51 | + when /^(.+)'s members management/ | |
| 52 | + '/myprofile/%s/profile_members' % Profile.find_by_name($1).identifier | |
| 53 | + | |
| 51 | 54 | # Add more mappings here. |
| 52 | 55 | # Here is a more fancy example: |
| 53 | 56 | # | ... | ... |
test/factories.rb
test/functional/cms_controller_test.rb
| ... | ... | @@ -121,6 +121,25 @@ class CmsControllerTest < Test::Unit::TestCase |
| 121 | 121 | assert_equal a, profile.home_page |
| 122 | 122 | end |
| 123 | 123 | |
| 124 | + should 'be able to set home page even when profile description is invalid' do | |
| 125 | + a = profile.articles.build(:name => 'my new home page') | |
| 126 | + a.save! | |
| 127 | + | |
| 128 | + profile.description = 'a' * 600 | |
| 129 | + profile.save(false) | |
| 130 | + | |
| 131 | + assert !profile.valid? | |
| 132 | + assert_not_equal a, profile.home_page | |
| 133 | + | |
| 134 | + post :set_home_page, :profile => profile.identifier, :id => a.id | |
| 135 | + | |
| 136 | + assert_redirected_to :action => 'view', :id => a.id | |
| 137 | + | |
| 138 | + profile = Profile.find(@profile.id) | |
| 139 | + assert_equal a, profile.home_page | |
| 140 | + end | |
| 141 | + | |
| 142 | + | |
| 124 | 143 | should 'set last_changed_by when creating article' do |
| 125 | 144 | login_as(profile.identifier) |
| 126 | 145 | ... | ... |
test/functional/profile_controller_test.rb
| ... | ... | @@ -683,5 +683,25 @@ class ProfileControllerTest < Test::Unit::TestCase |
| 683 | 683 | assert_tag :tag => 'div', :attributes => { :class => 'public-profile-description' }, :content => /Person\'s description/ |
| 684 | 684 | end |
| 685 | 685 | |
| 686 | + should 'ask for login if user not logged' do | |
| 687 | + enterprise = fast_create(Enterprise) | |
| 688 | + get :unblock, :profile => enterprise.identifier | |
| 689 | + assert_redirected_to :controller => 'account', :action => 'login' | |
| 690 | + end | |
| 691 | + | |
| 692 | + should ' not allow ordinary users to unblock enterprises' do | |
| 693 | + login_as(profile.identifier) | |
| 694 | + enterprise = fast_create(Enterprise) | |
| 695 | + get :unblock, :profile => enterprise.identifier | |
| 696 | + assert_response 403 | |
| 697 | + end | |
| 698 | + | |
| 699 | + should 'allow environment admin to unblock enteprises' do | |
| 700 | + login_as(profile.identifier) | |
| 701 | + enterprise = fast_create(Enterprise) | |
| 702 | + enterprise.environment.add_admin(profile) | |
| 703 | + get :unblock, :profile => enterprise.identifier | |
| 704 | + assert_response 302 | |
| 705 | + end | |
| 686 | 706 | |
| 687 | 707 | end | ... | ... |
test/unit/block_test.rb
| ... | ... | @@ -46,20 +46,6 @@ class BlockTest < Test::Unit::TestCase |
| 46 | 46 | assert_equal 'my title', b.view_title |
| 47 | 47 | end |
| 48 | 48 | |
| 49 | - should 'be backwards compatible with old "visible" setting' do | |
| 50 | - b = Block.new | |
| 51 | - b.settings[:visible] = false | |
| 52 | - assert !b.visible? | |
| 53 | - assert_equal 'never', b.display | |
| 54 | - end | |
| 55 | - | |
| 56 | - should 'clean old "visible setting" when display is set' do | |
| 57 | - b = Block.new | |
| 58 | - b.settings[:visible] = false | |
| 59 | - b.display = 'never' | |
| 60 | - assert_nil b.settings[:visible] | |
| 61 | - end | |
| 62 | - | |
| 63 | 49 | should 'be cacheable' do |
| 64 | 50 | b = Block.new |
| 65 | 51 | assert b.cacheable? |
| ... | ... | @@ -100,4 +86,21 @@ class BlockTest < Test::Unit::TestCase |
| 100 | 86 | assert_equal false, block.visible?(:article => Article.new) |
| 101 | 87 | end |
| 102 | 88 | |
| 89 | + should 'be able to save display setting' do | |
| 90 | + user = create_user('testinguser').person | |
| 91 | + box = fast_create(Box, :owner_id => user.id) | |
| 92 | + block = Block.create!(:display => 'never', :box => box) | |
| 93 | + block.reload | |
| 94 | + assert_equal 'never', block.display | |
| 95 | + end | |
| 96 | + | |
| 97 | + should 'be able to update display setting' do | |
| 98 | + user = create_user('testinguser').person | |
| 99 | + box = fast_create(Box, :owner_id => user.id) | |
| 100 | + block = Block.create!(:display => 'never', :box => box) | |
| 101 | + assert block.update_attributes!(:display => 'always') | |
| 102 | + block.reload | |
| 103 | + assert_equal 'always', block.display | |
| 104 | + end | |
| 105 | + | |
| 103 | 106 | end | ... | ... |
test/unit/environment_test.rb
| ... | ... | @@ -894,4 +894,12 @@ class EnvironmentTest < Test::Unit::TestCase |
| 894 | 894 | assert_no_match /[<>]/, environment.message_for_disabled_enterprise |
| 895 | 895 | end |
| 896 | 896 | |
| 897 | + should 'not sanitize html comments' do | |
| 898 | + environment = Environment.new | |
| 899 | + environment.message_for_disabled_enterprise = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 900 | + environment.valid? | |
| 901 | + | |
| 902 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, environment.message_for_disabled_enterprise | |
| 903 | + end | |
| 904 | + | |
| 897 | 905 | end | ... | ... |
test/unit/event_test.rb
| ... | ... | @@ -250,4 +250,14 @@ class EventTest < ActiveSupport::TestCase |
| 250 | 250 | assert_no_match /[<>]/, event.address |
| 251 | 251 | end |
| 252 | 252 | |
| 253 | + should 'not sanitize html comments' do | |
| 254 | + event = Event.new | |
| 255 | + event.description = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 256 | + event.address = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 257 | + event.valid? | |
| 258 | + | |
| 259 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, event.description | |
| 260 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, event.address | |
| 261 | + end | |
| 262 | + | |
| 253 | 263 | end | ... | ... |
test/unit/folder_test.rb
| ... | ... | @@ -140,6 +140,14 @@ class FolderTest < ActiveSupport::TestCase |
| 140 | 140 | assert_equal "<h1> Body </h1>", folder.body |
| 141 | 141 | end |
| 142 | 142 | |
| 143 | + should 'not sanitize html comments' do | |
| 144 | + folder = Folder.new | |
| 145 | + folder.body = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 146 | + folder.valid? | |
| 147 | + | |
| 148 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, folder.body | |
| 149 | + end | |
| 150 | + | |
| 143 | 151 | should 'escape malformed html tags' do |
| 144 | 152 | folder = Folder.new |
| 145 | 153 | folder.body = "<h1<< Description >>/h1>" | ... | ... |
test/unit/link_list_block_test.rb
| ... | ... | @@ -74,4 +74,13 @@ class LinkListBlockTest < ActiveSupport::TestCase |
| 74 | 74 | end |
| 75 | 75 | end |
| 76 | 76 | |
| 77 | + should 'be able to update display setting' do | |
| 78 | + user = create_user('testinguser').person | |
| 79 | + box = fast_create(Box, :owner_id => user.id) | |
| 80 | + block = LinkListBlock.create!(:display => 'never', :box => box) | |
| 81 | + assert block.update_attributes!(:display => 'always') | |
| 82 | + block.reload | |
| 83 | + assert_equal 'always', block.display | |
| 84 | + end | |
| 85 | + | |
| 77 | 86 | end | ... | ... |
test/unit/my_network_block_test.rb
| ... | ... | @@ -27,4 +27,13 @@ class MyNetworkBlockTest < ActiveSupport::TestCase |
| 27 | 27 | instance_eval(& block.content) |
| 28 | 28 | end |
| 29 | 29 | |
| 30 | + should 'be able to update display setting' do | |
| 31 | + user = create_user('testinguser').person | |
| 32 | + box = fast_create(Box, :owner_id => user.id) | |
| 33 | + block = MyNetworkBlock.create!(:display => 'never', :box => box) | |
| 34 | + assert block.update_attributes!(:display => 'always') | |
| 35 | + block.reload | |
| 36 | + assert_equal 'always', block.display | |
| 37 | + end | |
| 38 | + | |
| 30 | 39 | end | ... | ... |
test/unit/profile_test.rb
| ... | ... | @@ -1553,6 +1553,16 @@ class ProfileTest < Test::Unit::TestCase |
| 1553 | 1553 | assert_no_match /[<>]/, profile.custom_footer |
| 1554 | 1554 | end |
| 1555 | 1555 | |
| 1556 | + should 'not sanitize html comments' do | |
| 1557 | + profile = Profile.new | |
| 1558 | + profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 1559 | + profile.custom_footer = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 1560 | + profile.valid? | |
| 1561 | + | |
| 1562 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, profile.custom_header | |
| 1563 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, profile.custom_footer | |
| 1564 | + end | |
| 1565 | + | |
| 1556 | 1566 | private |
| 1557 | 1567 | |
| 1558 | 1568 | def assert_invalid_identifier(id) | ... | ... |
test/unit/recent_documents_block_test.rb
| ... | ... | @@ -69,4 +69,13 @@ class RecentDocumentsBlockTest < Test::Unit::TestCase |
| 69 | 69 | assert_equal nil, block.footer |
| 70 | 70 | end |
| 71 | 71 | |
| 72 | + should 'be able to update display setting' do | |
| 73 | + user = create_user('testinguser').person | |
| 74 | + box = fast_create(Box, :owner_id => user.id) | |
| 75 | + block = RecentDocumentsBlock.create!(:display => 'never', :box => box) | |
| 76 | + assert block.update_attributes!(:display => 'always') | |
| 77 | + block.reload | |
| 78 | + assert_equal 'always', block.display | |
| 79 | + end | |
| 80 | + | |
| 72 | 81 | end | ... | ... |
test/unit/tiny_mce_article_test.rb
| ... | ... | @@ -59,14 +59,28 @@ class TinyMceArticleTest < Test::Unit::TestCase |
| 59 | 59 | assert_equal "<iframe src=\"http://itheora.org\"></iframe>", article.body |
| 60 | 60 | end |
| 61 | 61 | |
| 62 | - should 'remove iframe if it is not from itheora' do | |
| 62 | + should 'remove iframe if it is not from itheora or softwarelivre' do | |
| 63 | 63 | article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "<iframe src='anything'></iframe>") |
| 64 | 64 | assert_equal "", article.body |
| 65 | 65 | end |
| 66 | 66 | |
| 67 | + should 'allow iframe if it is from stream.softwarelivre.org' do | |
| 68 | + article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "<iframe src='http://stream.softwarelivre.org'></iframe>") | |
| 69 | + assert_equal "<iframe src=\"http://stream.softwarelivre.org\"></iframe>", article.body | |
| 70 | + end | |
| 71 | + | |
| 67 | 72 | #TinymMCE convert config={"key":(.*)} in config={"key":(.*)} |
| 68 | 73 | should 'not replace " with &quot; when adding an Archive.org video' do |
| 69 | 74 | article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "<embed flashvars='config={"key":"\#$b6eb72a0f2f1e29f3d4"}'> </embed>") |
| 70 | 75 | assert_equal "<embed flashvars=\"config={"key":"\#$b6eb72a0f2f1e29f3d4"}\"> </embed>", article.body |
| 71 | 76 | end |
| 77 | + | |
| 78 | + should 'not sanitize html comments' do | |
| 79 | + article = TinyMceArticle.new | |
| 80 | + article.body = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | |
| 81 | + article.valid? | |
| 82 | + | |
| 83 | + assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, article.body | |
| 84 | + end | |
| 85 | + | |
| 72 | 86 | end | ... | ... |
vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb
| ... | ... | @@ -12,7 +12,9 @@ HTML::WhiteListSanitizer.module_eval do |
| 12 | 12 | final_text = final_text.gsub(/<!--.*\[if IE\]-->(.*)<!--\[endif\]-->/, '<!–-[if IE]>\1<![endif]-–>') #FIX for itheora comments |
| 13 | 13 | |
| 14 | 14 | if final_text =~ /iframe/ |
| 15 | - unless final_text =~ /<iframe(.*)src=(.*)itheora.org(.*)<\/iframe>/ | |
| 15 | + itheora_video = /<iframe(.*)src=(.*)itheora.org(.*)<\/iframe>/ | |
| 16 | + sl_video = /<iframe(.*)src=\"http:\/\/stream.softwarelivre.org(.*)<\/iframe>/ | |
| 17 | + unless (final_text =~ itheora_video || final_text =~ sl_video) | |
| 16 | 18 | final_text = final_text.gsub(/<iframe(.*)<\/iframe>/, '') |
| 17 | 19 | end |
| 18 | 20 | end | ... | ... |
vendor/plugins/xss_terminate/lib/xss_terminate.rb
| ... | ... | @@ -53,7 +53,7 @@ module XssTerminate |
| 53 | 53 | if with == :full |
| 54 | 54 | self[field] = CGI.escapeHTML(self[field]) |
| 55 | 55 | elsif with == :white_list |
| 56 | - self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_tag?(self[field]) | |
| 56 | + self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_code?(self[field]) | |
| 57 | 57 | end |
| 58 | 58 | |
| 59 | 59 | else |
| ... | ... | @@ -62,7 +62,7 @@ module XssTerminate |
| 62 | 62 | if with == :full |
| 63 | 63 | self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) |
| 64 | 64 | elsif with == :white_list |
| 65 | - self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_tag?(self.send("#{field}")) | |
| 65 | + self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_code?(self.send("#{field}")) | |
| 66 | 66 | end |
| 67 | 67 | |
| 68 | 68 | end |
| ... | ... | @@ -103,14 +103,29 @@ module XssTerminate |
| 103 | 103 | end |
| 104 | 104 | end |
| 105 | 105 | |
| 106 | - def wellformed_html_tag?(field) | |
| 106 | + def wellformed_html_code?(field) | |
| 107 | 107 | return true if !field |
| 108 | - | |
| 109 | 108 | counter = 0 |
| 110 | - field.split(//).each do |letter| | |
| 111 | - counter += 1 if letter == '<' | |
| 112 | - counter -= 1 if letter == '>' | |
| 113 | - if counter < 0 || 1 < counter | |
| 109 | + in_comment = false | |
| 110 | + field=field.split(//) | |
| 111 | + for i in 0..field.length-1 | |
| 112 | + if !in_comment | |
| 113 | + if field[i] == '<' | |
| 114 | + if field[i+1..i+3] == ["!","-","-"] | |
| 115 | + in_comment = true | |
| 116 | + else | |
| 117 | + counter += 1 | |
| 118 | + end | |
| 119 | + elsif field[i] == '>' | |
| 120 | + counter -= 1 | |
| 121 | + end | |
| 122 | + else | |
| 123 | + if field[i-2..i] == ["-","-",">"] | |
| 124 | + in_comment = false | |
| 125 | + end | |
| 126 | + end | |
| 127 | + | |
| 128 | + if counter < 0 || 1 < counter | |
| 114 | 129 | return false |
| 115 | 130 | end |
| 116 | 131 | end | ... | ... |