Commit 3ac7b58711da016dc6ed4720f2a63d20906823ba
Committed by
Rodrigo Souto
1 parent
c48222e1
Allow editing of raw HTML blocks only by admin users
Signed-off-by: Lucas Kanashiro <kanashiro.duarte@gmail.com> Signed-off-by: Gustavo Jaruga <darksshades@gmail.com>
Showing
11 changed files
with
55 additions
and
6 deletions
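--- a/app/controllers/box_organizer_controller.rb
+++ b/app/controllers/box_organizer_controller.rb
@@ -83,6 +83,7 @@ class BoxOrganizerController < ApplicationController
 
   def save
     @block = boxes_holder.blocks.find(params[:id])
+    return render_access_denied unless @block.editable?(user)
     @block.update(params[:block])
     redirect_to :action => 'index'
   end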
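Review bot: Only `save` receives the new `editable?(user)` guard; if the `edit` action of this controller (outside the hunk) renders the block form, it should carry the same `return render_access_denied unless @block.editable?(user)` line so a user without permission never gets the editor in the first place — worth confirming against the rest of the controller. The check sits before `@block.update`, which is the right place. `user` here is the controller helper; if it can be nil for an anonymous request, every `editable?` implementation has to tolerate a nil argument, which is not visible from this page.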
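--- a/app/helpers/boxes_helper.rb
+++ b/app/helpers/boxes_helper.rb
@@ -250,7 +250,7 @@ module BoxesHelper
       end
     end
 
-    if editable?(block)
+    if editable?(block, user)
       buttons << modal_icon_button(:edit, _('Edit'), { :action => 'edit', :id => block.id })
     end
 
@@ -296,7 +296,7 @@ module BoxesHelper
     return block.movable? || user.is_admin?
   end
 
-  def editable?(block)
-    return block.editable? || user.is_admin?
+  def editable?(block, user=nil)
+    return block.editable?(user) || user.is_admin?
   end
 end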
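Review bot: The `user=nil` default on `editable?(block, user=nil)` is misleading: whenever `block.editable?(user)` is false the right-hand side calls `user.is_admin?` unconditionally, so a nil user raises NoMethodError instead of the method returning false. Either drop the default, since the only call site in this commit (`editable?(block, user)` in the first hunk) always passes the user, or guard the admin check: `return block.editable?(user) || (user && user.is_admin?)`. The neighbouring `movable?` helper just above keeps using the helper-level `user` while this one takes it as a parameter, so the two now follow different conventions; aligning them would avoid the same nil surprise there.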
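--- a/app/models/block.rb
+++ b/app/models/block.rb
@@ -195,8 +195,8 @@ class Block < ActiveRecord::Base
     nil
   end
 
-  # Is this block editable? (Default to <tt>false</tt>)
-  def editable?
+  # Is this block editable? (Default to <tt>true</tt>)
+  def editable?(user=nil)
     self.edit_modes == "all"
   end
 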
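Review bot: The new `user` parameter of `Block#editable?(user=nil)` is not used by the base implementation, and the doc comment was flipped from `false` to `true` while the body (`self.edit_modes == "all"`) is unchanged, so the comment now describes the column default rather than anything in this code. A comment stating the contract would help subclasses override it consistently, e.g. `# Is this block editable by +user+? The base implementation ignores +user+ and only checks edit_modes; subclasses may use it to enforce permissions.` The RawHTMLBlock override this commit adds is collapsed on this page, so I cannot confirm it handles a nil user.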
app/models/disabled_enterprise_message_block.rb
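--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -54,6 +54,7 @@ class Environment < ActiveRecord::Base
     'manage_environment_licenses' => N_('Manage environment licenses'),
     'manage_environment_trusted_sites' => N_('Manage environment trusted sites'),
     'edit_appearance' => N_('Edit appearance'),
+    'edit_raw_html_block' => N_('Edit Raw HTML block'),
   }
 
   module Roles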
app/models/raw_html_block.rb
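--- /dev/null
+++ b/db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb
@@ -0,0 +1,17 @@
+class AddEditRawHtmlBlockToAdminRole < ActiveRecord::Migration
+  def self.up
+    Environment.all.map(&:id).each do |id|
+      role = Environment::Roles.admin(id)
+      role.permissions << 'edit_raw_html_block'
+      role.save!
+    end
+  end
+
+  def self.down
+    Environment.all.map(&:id).each do |id|
+      role = Environment::Roles.admin(id)
+      role.permissions -= ['edit_raw_html_block']
+      role.save!
+    end
+  end
+end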
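Review bot: `self.up` appends `'edit_raw_html_block'` with `<<` without checking whether the admin role already holds it, so re-running the migration, or running it on an environment whose admin role was seeded with the permission, leaves duplicate entries; `self.down` then strips every copy with `-=`, which hides the duplication rather than fixing it. Guard the append: `role.permissions << 'edit_raw_html_block' unless role.permissions.include?('edit_raw_html_block')`. `Environment.all.map(&:id).each` in both methods loads every environment record only to read its id; `Environment.pluck(:id).each` would do the same with a single column if the Rails version in use provides it, and the permission name could be a single constant shared by `up` and `down`.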
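--- a/test/fixtures/roles.yml
+++ b/test/fixtures/roles.yml
@@ -100,3 +100,4 @@ environment_administrator:
     - destroy_profile
     - manage_environment_templates
     - manage_environment_licenses
+    - edit_raw_html_block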
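--- a/test/functional/profile_design_controller_test.rb
+++ b/test/functional/profile_design_controller_test.rb
@@ -311,6 +311,12 @@ class ProfileDesignControllerTest < ActionController::TestCase
     assert_equal 999, @b1.article_id
   end
 
+  should 'not be able to save a non editable block' do
+    Block.any_instance.expects(:editable?).returns(false)
+    post :save, :profile => 'designtestuser', :id => @b1.id, :block => { }
+    assert_response :forbidden
+  end
+
   should 'be able to edit ProductsBlock' do
     block = ProductsBlock.new
 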
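Review bot: `Block.any_instance.expects(:editable?).returns(false)` accepts any arguments, so this test still passes if the controller calls `editable?` without the logged-in user, which is exactly the contract the commit introduces; constraining the call, e.g. `Block.any_instance.expects(:editable?).with(instance_of(Person)).returns(false)` assuming the controller's `user` helper returns a Person, pins it. There is also no positive counterpart asserting that a user for whom `editable?` returns true can still save, nor a test that `edit` is denied for a non-editable block; whether `edit` is guarded depends on the controller, which is outside this page.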
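--- a/test/unit/boxes_helper_test.rb
+++ b/test/unit/boxes_helper_test.rb
@@ -187,6 +187,7 @@ class BoxesHelperTest < ActionView::TestCase
     block = Block.create!(:box => box)
     block.stubs(:embedable?).returns(true)
     stubs(:url_for).returns('')
+    @controller.stubs(:user).returns(box.owner)
     assert_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '}
   end
 
@@ -195,6 +196,7 @@ class BoxesHelperTest < ActionView::TestCase
     block = Block.create!(:box => box)
     block.stubs(:embedable?).returns(false)
     stubs(:url_for).returns('')
+    @controller.stubs(:user).returns(box.owner)
     assert_no_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '}
   end
 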
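--- a/test/unit/raw_html_block_test.rb
+++ b/test/unit/raw_html_block_test.rb
@@ -22,4 +22,20 @@ class RawHTMLBlockTest < ActiveSupport::TestCase
     assert_match(/HTML$/, block.content)
   end
 
+  should 'not be editable for users without permission' do
+    environment = Environment.default
+    box = Box.new(:owner => environment)
+    block = RawHTMLBlock.new(:html => "HTML", :box => box)
+    user = create_user('testuser').person
+    assert !block.editable?(user)
+  end
+
+  should 'be editable for users with permission' do
+    environment = Environment.default
+    box = Box.new(:owner => environment)
+    block = RawHTMLBlock.new(:html => "HTML", :box => box)
+    user = create_user_with_permission('testuser', 'edit_raw_html_block', environment)
+    assert block.editable?(user)
+  end
+
 end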
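Review bot: Both new tests exercise only a box owned directly by the environment (`Box.new(:owner => environment)`); if `RawHTMLBlock#editable?` (collapsed on this page) has to resolve the environment through a profile owner for profile-level blocks, that path is untested, and a third test with a profile-owned box would cover it. Neither test passes a nil user either, although the helper and base model in this commit give `user` a nil default. The three fixture lines are duplicated verbatim between the two tests and could move into a `setup` block, leaving each test with just the user and its assertion.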