Commit 3d54bea3beaa37c340beee2ec906b58a4a4687a2

Authored by Daniela Feitosa
1 parent d323bd53

Protecting methods to users with edit_profile permission

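--- a/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
+++ b/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
@@ -2,6 +2,7 @@ class SubOrganizationsPluginMyprofileController < MyProfileController
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 
 before_filter :organizations_only
+protect 'edit_profile', :profile
 
 def index
 @children = SubOrganizationsPlugin::Relation.children(profile)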
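Review bot: `protect 'edit_profile', :profile` is registered after `before_filter :organizations_only`, so if `protect` installs its check as another before-filter (its definition is not visible here), the organization-type filter runs first and answers requests from users who lack edit_profile. Declaring the permission check first, `protect 'edit_profile', :profile` followed by `before_filter :organizations_only`, would keep the response to unauthorized users the same regardless of profile type. A one-line comment such as `# every action in this controller requires edit_profile on the profile` would also record that the rule is meant to be controller-wide. The class body continues outside the hunk.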
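--- a/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
+++ b/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
@@ -86,4 +86,28 @@ class SubOrganizationsPluginMyprofileControllerTest < ActionController::TestCase
 assert_includes SubOrganizationsPlugin::Relation.children(organization), org2
 end
 
+should 'not access index if dont have permission' do
+member = create_user('member').person
+organization.add_member(member)
+
+login_as(member.identifier)
+get :index, :profile => organization.identifier
+
+assert_response 403
+assert_template 'access_denied.rhtml'
+end
+
+should 'not search organizations if dont have permission' do
+member = create_user('member').person
+organization.add_member(member)
+
+login_as(member.identifier)
+
+org1 = fast_create(Organization, :name => 'sample organization 1')
+get :search_organization, :profile => organization.identifier, :q => 'sampl'
+
+assert_response 403
+assert_template 'access_denied.rhtml'
+end
+
 end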
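Review bot: The two added tests cover only a logged-in member on `index` and `search_organization`. A request with no session, and any other actions the controller may define (not visible in this hunk), have no denial test, so a later narrowing of the protect rule could reopen them unnoticed. In the search test `org1` is assigned but never read; `fast_create(Organization, :name => 'sample organization 1')` without the assignment does the same job. The test class starts outside the hunk, so a positive case for a user who holds edit_profile may already exist there.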