Download as
Browse Code »

Commit 3c4fe9d3ebd90deb158100cc82e2651f05f743a6

Authored by MoisesMachado
1 parent c8f6e434
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

ActionItem5: added the management of members of a profile and the protect helper… 

… to protect actions from unathorized access


git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@507 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing 10 changed files with 88 additions and 3 deletions   Show diff stats
app/controllers/application.rb
  Diff comments   View file @3c4fe9d
@@ -51,4 +51,16 @@ class ApplicationController < ActionController::Base @@ -51,4 +51,16 @@ class ApplicationController < ActionController::Base
51 verify :method => :post, :only => actions, :redirect_to => redirect 51 verify :method => :post, :only => actions, :redirect_to => redirect
52 end 52 end
53 53
  54 + # Declares the +permission+ need to be able to access +action+.
  55 + #
  56 + # * +action+ must be a symbol or string with the name of the action
  57 + # * +permission+ must be a symbol or string naming the needed permission.
  58 + # * +target+ is the object over witch the user would need the specified permission.
  59 + def self.protect(actions, permission, target = nil)
  60 + before_filter :only => actions do |controller|
  61 + unless controller.send(:logged_in?) and controller.send(:current_user).person.has_permission?(permission, target)
  62 + controller.send(:render, {:file => 'app/views/shared/access_denied.rhtml', :layout => true})
  63 + end
  64 + end
  65 + end
54 end 66 end
app/controllers/profile_admin/enterprise_controller.rb
  Diff comments   View file @3c4fe9d
@@ -2,7 +2,8 @@ @@ -2,7 +2,8 @@
2 class EnterpriseController < ProfileAdminController 2 class EnterpriseController < ProfileAdminController
3 3
4 before_filter :logon, :my_enterprises 4 before_filter :logon, :my_enterprises
5 - 5 + protect([:edit, :update, :activate, :destroy], 'edit_enterprise', @profile)
  6 +
6 # Redirects to show if there is only one action and to list otherwise 7 # Redirects to show if there is only one action and to list otherwise
7 def index 8 def index
8 if @person.enterprises.size == 1 9 if @person.enterprises.size == 1
@@ -10,6 +11,8 @@ class EnterpriseController &lt; ProfileAdminController @@ -10,6 +11,8 @@ class EnterpriseController &lt; ProfileAdminController
10 else 11 else
11 redirect_to :action => 'list' 12 redirect_to :action => 'list'
12 end 13 end
  14 + @vitual_communities = VirtualCommunity.find(:all)
  15 + @validation_entities = Organization.find(:all)
13 end 16 end
14 17
15 # Lists all enterprises 18 # Lists all enterprises
@@ -104,7 +107,7 @@ class EnterpriseController &lt; ProfileAdminController @@ -104,7 +107,7 @@ class EnterpriseController &lt; ProfileAdminController
104 if @enterprise.approve 107 if @enterprise.approve
105 flash[:notice] = _('Enterprise successfuly approved') 108 flash[:notice] = _('Enterprise successfuly approved')
106 else 109 else
107 - flash[:notice] = _('Failed to approve the enterprise') 110 + flash[:notice] = _('Failed to approve the htmlenterprise')
108 end 111 end
109 redirect_to :action => 'index' 112 redirect_to :action => 'index'
110 end 113 end
app/controllers/profile_admin/profile_member_controller.rb 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
  1 +class ProfileMemberController < ApplicationController
  2 +
  3 + def index
  4 + @members = @profile.people
  5 + end
  6 +
  7 + def affiliate
  8 + @member = Person.find(params[:id])
  9 + @roles = Role.find(:all).select{ |r| r.has_kind?(:profile) }
  10 + end
  11 +
  12 + def give_role
  13 + @person = Person.find(params[:person])
  14 + @role = Role.find(params[:role])
  15 + if @profile.affiliate(@person, @role)
  16 + redirect_to :action => 'index'
  17 + else
  18 + @member = Person.find(params[:person])
  19 + @roles = Role.find(:all).select{ |r| r.has_kind?(:profile) }
  20 + render :action => 'affiliate'
  21 + end
  22 + end
  23 +end
app/helpers/profile_member_helper.rb 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
  1 +module ProfileMemberHelper
  2 +end
app/models/profile.rb
  Diff comments   View file @3c4fe9d
@@ -103,6 +103,10 @@ class Profile &lt; ActiveRecord::Base @@ -103,6 +103,10 @@ class Profile &lt; ActiveRecord::Base
103 end 103 end
104 104
105 def affiliate(person, role) 105 def affiliate(person, role)
106 - RoleAssignment.new(:person => person, :role => role, :resource => self).save 106 + unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name})
  107 + RoleAssignment.new(:person => person, :role => role, :resource => self).save
  108 + else
  109 + false
  110 + end
107 end 111 end
108 end 112 end
app/models/role.rb
  Diff comments   View file @3c4fe9d
@@ -5,6 +5,8 @@ class Role &lt; ActiveRecord::Base @@ -5,6 +5,8 @@ class Role &lt; ActiveRecord::Base
5 'edit_profile' => N_('Edit profile'), 5 'edit_profile' => N_('Edit profile'),
6 'post_content' => N_('Post content'), 6 'post_content' => N_('Post content'),
7 'destroy_profile' => N_('Destroy profile'), 7 'destroy_profile' => N_('Destroy profile'),
  8 + 'manage_membership' => N_('Manage membership'),
  9 + 'moderate_content' => N_('Moderate content'),
8 }, 10 },
9 :system => { 11 :system => {
10 } 12 }
@@ -35,4 +37,8 @@ class Role &lt; ActiveRecord::Base @@ -35,4 +37,8 @@ class Role &lt; ActiveRecord::Base
35 def has_permission?(perm) 37 def has_permission?(perm)
36 permissions.include?(perm) 38 permissions.include?(perm)
37 end 39 end
  40 +
  41 + def has_kind?(kind)
  42 + permissions.any?{ |p| PERMISSIONS[kind][p] }
  43 + end
38 end 44 end
app/views/profile_member/affiliate.rhtml 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1,7 @@ @@ -0,0 +1,7 @@
  1 +<h2> <%= @member.name %> </h2>
  2 +
  3 +<% form_tag( {:action => 'give_role'}, {:method => :post}) do %>
  4 + <%= select_tag 'role', options_for_select(@roles.map{|r|[r.name,r.id]}) %>
  5 + <%= hidden_field_tag 'person', current_user.person.id %>
  6 + <%= submit_tag _('Affiliate') %>
  7 +<% end %>
app/views/profile_member/index.rhtml 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1,9 @@ @@ -0,0 +1,9 @@
  1 +<h2> <%= _('Listing Members') %> </h2>
  2 +
  3 +<%= link_to _('Affiliate'), :action => 'affiliate', :id => current_user.person %>
  4 +
  5 +<ul>
  6 + <% @members.each do |m| %>
  7 + <li> <%= m.name %> </li>
  8 + <% end %>
  9 +</ul>
app/views/shared/access_denied.rhtml 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1 @@ @@ -0,0 +1 @@
  1 +<h2> <%= _('Access denied') %> </h2>
test/functional/profile_member_controller_test.rb 0 → 100644
  Diff comments   View file @3c4fe9d
@@ -0,0 +1,18 @@ @@ -0,0 +1,18 @@
  1 +require File.dirname(__FILE__) + '/../test_helper'
  2 +require 'profile_member_controller'
  3 +
  4 +# Re-raise errors caught by the controller.
  5 +class ProfileMemberController; def rescue_action(e) raise e end; end
  6 +
  7 +class ProfileMemberControllerTest < Test::Unit::TestCase
  8 + def setup
  9 + @controller = ProfileMemberController.new
  10 + @request = ActionController::TestRequest.new
  11 + @response = ActionController::TestResponse.new
  12 + end
  13 +
  14 + # Replace this with your real tests.
  15 + def test_truth
  16 + assert true
  17 + end
  18 +end