From 35d7a6afc47334b10c03d7e9a6deb0df1114c96f Mon Sep 17 00:00:00 2001
From: Daniela Soares Feitosa
Date: Mon, 20 Jan 2014 01:42:50 +0000
Subject: [PATCH] Checking if perrmission to view article before version
---
app/controllers/public/content_viewer_controller.rb | 45 +++++++++++++++++++++++----------------------
features/article_versioning.feature | 16 ++++++++++++++++
test/functional/content_viewer_controller_test.rb | 8 ++++----
3 files changed, 43 insertions(+), 26 deletions(-)
diff --git a/app/controllers/public/content_viewer_controller.rb b/app/controllers/public/content_viewer_controller.rb
index 0a2987c..4a2b06e 100644
--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -26,25 +26,10 @@ class ContentViewerController < ApplicationController
end
end
- if !@page.nil? && !@page.display_to?(user)
- if !profile.public?
- private_profile_partial_parameters
- render :template => 'profile/_private_profile.rhtml', :status => 403
- else #if !profile.visible?
- message = _('You are not allowed to view this content.')
- message += ' ' + _('You can contact the owner of this profile to request access then.')
- render_access_denied(message)
- end
- return
- end
+ return unless allow_access_to_page(path)
- # page not found, give error
- if @page.nil?
- render_not_found(@path)
- return
- end
-
- if @version
+ if @version > 0
+ return render_access_denied unless @page.display_versions?
@versioned_article = @page.versions.find_by_version(@version)
if @versioned_article && @page.versions.latest.version != @versioned_article.version
render :template => 'content_viewer/versioned_article.rhtml'
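Review bot: `if @version > 0` assumes `@version` has already been coerced to an Integer (its assignment is outside this hunk); if it were still the raw `params[:version]` string, `> 0` would raise instead of falling through to the current article as the `'bli'` functional test expects, so the earlier coercion must stay in step with this line. The `display_versions?` gate is evaluated only after `allow_access_to_page` has passed, so the profile/permission check does run before any version lookup, which is the correct order. Two things the hunk does not say: `render_access_denied` is now called without the "contact the owner" message the removed branch passed, and version history is refused to everyone, including the article's own editors, whenever `display_versions` is off; if the latter is intended, a comment such as `# version history is hidden from everyone unless the article opts in` would make that explicit. view_page begins before this hunk.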
@@ -140,10 +125,8 @@ class ContentViewerController < ApplicationController
def article_versions
path = params[:page].join('/')
@page = profile.articles.find_by_path(path)
- unless @page
- render_not_found(@page)
- return
- end
+ return unless allow_access_to_page(path)
+ render_access_denied unless @page.display_versions?
@versions = @page.versions.paginate(:per_page => per_page, :page => params[:npage])
end
@@ -178,4 +161,22 @@ class ContentViewerController < ApplicationController
end
helper_method :pass_without_comment_captcha?
+ def allow_access_to_page(path)
+ allowed = true
+ if @page.nil? # page not found, give error
+ render_not_found(path)
+ allowed = false
+ elsif !@page.display_to?(user)
+ if !profile.public?
+ private_profile_partial_parameters
+ render :template => 'profile/_private_profile.rhtml', :status => 403
+ allowed = false
+ else #if !profile.visible?
+ render_access_denied
+ allowed = false
+ end
+ end
+ allowed
+ end
+
end
diff --git a/features/article_versioning.feature b/features/article_versioning.feature
index ecf1a1e..19255a5 100644
--- a/features/article_versioning.feature
+++ b/features/article_versioning.feature
@@ -69,3 +69,19 @@ Feature: article versioning
| joaosilva | Versions disabled | Versions can't be displayed | false |
And I go to /joaosilva/versions-disabled/versions
Then I should see "Access denied"
+
+ Scenario: deny access to specific version when disabled on article and not logged
+ Given the article "Edited Article" is updated with
+ | display_versions |
+ | false |
+ And I am not logged in
+ And I go to /joaosilva/edited-article?version=1
+ Then I should see "Access denied"
+
+ Scenario: deny access to specific version when disabled, private and not logged
+ Given the article "Edited Article" is updated with
+ | display_versions | published |
+ | false | false |
+ And I am not logged in
+ And I go to /joaosilva/edited-article?version=1
+ Then I should see "Access denied"
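Review bot: `render_access_denied unless @page.display_versions?` in article_versions has no `return`, so on the denied path execution falls through and still runs `@page.versions.paginate(...)` for a caller who is not allowed to see the history; Rails will presumably not render a second time once a response has been performed, but the query is wasted and anything later added below that line would execute for unauthorized requests. The view_page hunk in this same commit spells it `return render_access_denied unless @page.display_versions?`, and this line should match it. Passing `path` rather than the old `render_not_found(@page)` is an improvement, since `@page` is nil on that branch by construction.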
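Review bot: `allow_access_to_page` is appended after `helper_method :pass_without_comment_captcha?` with no `private` or `protected` keyword visible in the hunk; if that section of the class is public, a public instance method on a Rails controller is exposed as an action, so it should sit under `private` (or be followed by `private :allow_access_to_page`) — confirm against the lines above the hunk. The helper also relies on the caller having assigned `@page` and on `user` and `profile` being available, which deserves a header comment such as `# Renders 404 (or the 403 private-profile page / access denied) and returns false when @page, set by the caller, is missing or not visible to user; returns true otherwise`. The "contact the owner" message passed to `render_access_denied` in the removed view_page branch is dropped here; that may be deliberate but is a user-visible change. Stylistically the `allowed` flag can go in favour of guard clauses, which also makes the three outcomes easier to audit:

```ruby
  private

  def allow_access_to_page(path)
    if @page.nil? # page not found, give error
      render_not_found(path)
      return false
    end
    return true if @page.display_to?(user)

    if !profile.public?
      private_profile_partial_parameters
      render :template => 'profile/_private_profile.rhtml', :status => 403
    else #if !profile.visible?
      render_access_denied
    end
    false
  end
```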
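Review bot: The second new scenario sets both `display_versions` and `published` to false, so it passes whether or not the visibility check runs before the version lookup — `display_versions: false` alone already produces "Access denied" in the first scenario — and therefore does not exercise the ordering the commit title describes. A scenario with `| display_versions | published |` / `| true | false |`, followed by `And I am not logged in` and `And I go to /joaosilva/edited-article?version=1`, would be denied only by the article-visibility check and is the case worth pinning. Neither scenario covers a logged-in user who is not the owner, which looks like a coverage gap rather than a defect in the change.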
diff --git a/test/functional/content_viewer_controller_test.rb b/test/functional/content_viewer_controller_test.rb
index d73984d..3e9952c 100644
--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -381,21 +381,21 @@ class ContentViewerControllerTest < ActionController::TestCase
end
should "fetch correct article version" do
- page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+ page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
page.body = 'edited article'; page.save
get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 1
- assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /original article/
+ assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /original article/
end
should "display current article if version does not exist" do
- page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+ page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
page.body = 'edited article'; page.save
get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 'bli'
- assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /edited article/
+ assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /edited article/
end
should 'not return an article of a different user' do
--
libgit2 0.21.2
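Review bot: Both updated tests only exercise the permitted path (`:display_versions => true`); nothing in this file asserts the denial introduced by `return render_access_denied unless @page.display_versions?` in view_page or by the new check in article_versions, so the Cucumber scenarios are the sole coverage of the controller's new refusal logic. A companion test along the lines of `should 'deny a version request when display_versions is off' do` creating the article with `:display_versions => false`, issuing the same `get :view_page ... :version => 1`, and asserting the status `render_access_denied` emits would pin that behaviour at the functional level. Loosening the selector to `:class => /article-body/` is fine for the assertion being made and is not a concern.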