From 3d54bea3beaa37c340beee2ec906b58a4a4687a2 Mon Sep 17 00:00:00 2001
From: Daniela Soares Feitosa
Date: Wed, 22 Aug 2012 16:13:36 -0300
Subject: [PATCH] Protecting methods to users with edit_profile permission

---
 plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb | 1 +
 plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb b/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
index 75d1a9a..9d5100f 100644
--- a/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
+++ b/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
@@ -2,6 +2,7 @@ class SubOrganizationsPluginMyprofileController < MyProfileController
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 before_filter :organizations_only
+ protect 'edit_profile', :profile
 
 def index
 @children = SubOrganizationsPlugin::Relation.children(profile)
diff --git a/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb b/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
index 0b7bfdd..46bb609 100644
--- a/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
+++ b/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
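Review bot: `protect 'edit_profile', :profile` is declared at class level, so it covers every action of SubOrganizationsPluginMyprofileController, including the ones outside this hunk (the test hunk names `search_organization`); only `index` is visible here, so confirm no action in the rest of the class is meant to stay reachable without that permission. The added line carries no comment saying why editing the profile is the right permission for listing and searching sub-organizations; a one-liner such as `# managing sub-organizations changes the profile's relations, so require edit_profile on the profile` would make that choice reviewable. Since `before_filter :organizations_only` is declared first, a non-organization profile is presumably still rejected by that filter before the permission check runs, which looks like the intended order. The class body continues past the end of the hunk.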
@@ -86,4 +86,28 @@ class SubOrganizationsPluginMyprofileControllerTest < ActionController::TestCase
 assert_includes SubOrganizationsPlugin::Relation.children(organization), org2
 end
 
+ should 'not access index if dont have permission' do
+ member = create_user('member').person
+ organization.add_member(member)
+
+ login_as(member.identifier)
+ get :index, :profile => organization.identifier
+
+ assert_response 403
+ assert_template 'access_denied.rhtml'
+ end
+
+ should 'not search organizations if dont have permission' do
+ member = create_user('member').person
+ organization.add_member(member)
+
+ login_as(member.identifier)
+
+ org1 = fast_create(Organization, :name => 'sample organization 1')
+ get :search_organization, :profile => organization.identifier, :q => 'sampl'
+
+ assert_response 403
+ assert_template 'access_denied.rhtml'
+ end
+
 end
-- 
libgit2 0.21.2
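Review bot: `org1` in the second added test is assigned but never read, which Ruby reports as an unused local under `-w`; because that fixture's name matches the query `'sampl'`, it looks deliberate — it shows the 403 comes from the permission check rather than from an empty result — so either say so, `_org1 = fast_create(Organization, :name => 'sample organization 1') # would match 'sampl' if access were not denied`, or drop the assignment and keep the bare `fast_create` call. Both tests exercise only a plain member; a companion test showing that a user who holds edit_profile on the organization still reaches `index` and `search_organization` would pin the positive side of the new `protect`, unless the tests earlier in this file already do so (they start before the hunk). The test class opens before the hunk and its `organization` helper is defined outside it.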