Checking if perrmission to view article before version

Daniela Feitosa
1 parent 25f34b4d
Showing 3 changed files with 43 additions and 26 deletions Show diff stats
app/controllers/public/content_viewer_controller.rb
features/article_versioning.feature
test/functional/content_viewer_controller_test.rb
@@ -26,25 +26,10 @@ class ContentViewerController &lt; ApplicationController
       end
     end
-    if !@page.nil? && !@page.display_to?(user)
-      if !profile.public?
-        private_profile_partial_parameters
-        render :template => 'profile/_private_profile.rhtml', :status => 403
-      else #if !profile.visible?
-        message = _('You are not allowed to view this content.')
-        message += ' ' + _('You can contact the owner of this profile to request access then.')
-        render_access_denied(message)
-      end
-      return
-    end
+    return unless allow_access_to_page(path)
-    # page not found, give error
-    if @page.nil?
-      render_not_found(@path)
-      return
-    end
-
-    if @version
+    if @version > 0
+      return render_access_denied unless @page.display_versions?
       @versioned_article = @page.versions.find_by_version(@version)
       if @versioned_article && @page.versions.latest.version != @versioned_article.version
         render :template => 'content_viewer/versioned_article.rhtml'
@@ -140,10 +125,8 @@ class ContentViewerController &lt; ApplicationController
   def article_versions
     path = params[:page].join('/')
     @page = profile.articles.find_by_path(path)
-    unless @page
-      render_not_found(@page)
-      return
-    end
+    return unless allow_access_to_page(path)
+
     render_access_denied unless @page.display_versions?
     @versions = @page.versions.paginate(:per_page => per_page, :page => params[:npage])
   end
@@ -178,4 +161,22 @@ class ContentViewerController &lt; ApplicationController
   end
   helper_method :pass_without_comment_captcha?
+  def allow_access_to_page(path)
+    allowed = true
+    if @page.nil? # page not found, give error
+      render_not_found(path)
+      allowed = false
+    elsif !@page.display_to?(user)
+      if !profile.public?
+        private_profile_partial_parameters
+        render :template => 'profile/_private_profile.rhtml', :status => 403
+        allowed = false
+      else #if !profile.visible?
+        render_access_denied
+        allowed = false
+      end
+    end
+    allowed
+  end
+
 end
@@ -69,3 +69,19 @@ Feature: article versioning
       | joaosilva | Versions disabled | Versions can't be displayed | false            |
     And I go to /joaosilva/versions-disabled/versions
     Then I should see "Access denied"
+
+  Scenario: deny access to specific version when disabled on article and not logged
+    Given the article "Edited Article" is updated with
+      | display_versions |
+      | false            |
+    And I am not logged in
+    And I go to /joaosilva/edited-article?version=1
+    Then I should see "Access denied"
+
+  Scenario: deny access to specific version when disabled, private and not logged
+    Given the article "Edited Article" is updated with
+      | display_versions | published |
+      | false            | false     |
+    And I am not logged in
+    And I go to /joaosilva/edited-article?version=1
+    Then I should see "Access denied"
@@ -381,21 +381,21 @@ class ContentViewerControllerTest &lt; ActionController::TestCase
   end
   should "fetch correct article version" do
-    page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+    page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
     page.body = 'edited article'; page.save
     get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 1
-    assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /original article/
+    assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /original article/
   end
   should "display current article if version does not exist" do
-    page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+    page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
     page.body = 'edited article'; page.save
     get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 'bli'
-    assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /edited article/
+    assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /edited article/
   end
   should 'not return an article of a different user' do
	@@ -69,3 +69,19 @@ Feature: article versioning		@@ -69,3 +69,19 @@ Feature: article versioning
69	\| joaosilva \| Versions disabled \| Versions can't be displayed \| false \|	69	\| joaosilva \| Versions disabled \| Versions can't be displayed \| false \|
70	And I go to /joaosilva/versions-disabled/versions	70	And I go to /joaosilva/versions-disabled/versions
71	Then I should see "Access denied"	71	Then I should see "Access denied"
		72	+
		73	+ Scenario: deny access to specific version when disabled on article and not logged
		74	+ Given the article "Edited Article" is updated with
		75	+ \| display_versions \|
		76	+ \| false \|
		77	+ And I am not logged in
		78	+ And I go to /joaosilva/edited-article?version=1
		79	+ Then I should see "Access denied"
		80	+
		81	+ Scenario: deny access to specific version when disabled, private and not logged
		82	+ Given the article "Edited Article" is updated with
		83	+ \| display_versions \| published \|
		84	+ \| false \| false \|
		85	+ And I am not logged in
		86	+ And I go to /joaosilva/edited-article?version=1
		87	+ Then I should see "Access denied"
	@@ -381,21 +381,21 @@ class ContentViewerControllerTest < ActionController::TestCase		@@ -381,21 +381,21 @@ class ContentViewerControllerTest < ActionController::TestCase
381	end	381	end
382		382
383	should "fetch correct article version" do	383	should "fetch correct article version" do
384	- page = profile.articles.create!(:name => 'myarticle', :body => 'original article')	384	+ page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
385	page.body = 'edited article'; page.save	385	page.body = 'edited article'; page.save
386		386
387	get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 1	387	get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 1
388		388
389	- assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /original article/	389	+ assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /original article/
390	end	390	end
391		391
392	should "display current article if version does not exist" do	392	should "display current article if version does not exist" do
393	- page = profile.articles.create!(:name => 'myarticle', :body => 'original article')	393	+ page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
394	page.body = 'edited article'; page.save	394	page.body = 'edited article'; page.save
395		395
396	get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 'bli'	396	get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 'bli'
397		397
398	- assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /edited article/	398	+ assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /edited article/
399	end	399	end
400		400
401	should 'not return an article of a different user' do	401	should 'not return an article of a different user' do