Merge branch 'stable'

Antonio Terceiro
2 parents 81c5f0e3 8ecff858
Showing 21 changed files with 233 additions and 151 deletions Show diff stats
app/controllers/public/content_viewer_controller.rb
app/helpers/application_helper.rb
app/helpers/folder_helper.rb
app/models/article.rb
app/models/folder.rb
app/models/profile.rb
app/views/content_viewer/view_page.rhtml
app/views/profile/sitemap.rhtml
db/migrate/084_set_public_article_into_published_attribute.rb
db/migrate/085_remove_public_article.rb
db/migrate/20100326171758_clear_default_theme_from_profiles.rb
db/migrate/renumber.sh
db/schema.rb
script/apply-template
test/functional/cms_controller_test.rb
test/functional/content_viewer_controller_test.rb
test/unit/application_helper_test.rb
test/unit/article_test.rb
test/unit/folder_helper_test.rb
test/unit/folder_test.rb
@@ -26,11 +26,6 @@ class ContentViewerController &lt; ApplicationController
         end
       end
  
-      # only show unpublished articles to those who can edit then
-      if @page && !@page.published && !@page.allow_post_content?(user)
-        @page = nil
-      end
-
       # page not found, give error
       if @page.nil?
         render_not_found(@path)
@@ -336,7 +336,7 @@ module ApplicationHelper
           elsif ENV['RAILS_ENV'] == 'development' && params[:theme]
             params[:theme]
           else
-            if profile
+            if profile && !profile.theme.nil?
               profile.theme
             elsif environment
               environment.theme
 module FolderHelper
  
-  def list_articles(articles, recursive = false)
-    content_tag(
-      'table',
-      content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
-      articles.select { |item| item.public? }.map {|item| display_article_in_listing(item, recursive, 0)}.join('')
-    )
+  def list_articles(articles, user, recursive = false)
+    if !articles.blank?
+      content_tag(
+        'table',
+        content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
+        articles.select { |item| item.display_to?(user)}.map {|item| display_article_in_listing(item, recursive, 0)}.join('')
+      )
+    else
+      content_tag('em', _('(empty folder)'))
+    end
   end
  
   def display_article_in_listing(article, recursive = false, level = 0)
@@ -84,13 +84,6 @@ class Article &lt; ActiveRecord::Base
     pending_categorizations.clear
   end
  
-  before_save do |article|
-    if article.parent
-      article.public_article = article.parent.public_article
-    end
-    true
-  end
-
   acts_as_taggable  
   N_('Tag list')
  
@@ -123,11 +116,10 @@ class Article &lt; ActiveRecord::Base
     options = { :limit => limit,
                 :conditions => [
                   "advertise = ? AND
-                  public_article = ? AND
                   published = ? AND
                   profiles.visible = ? AND
                   profiles.public_profile = ? AND
-                  ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
+                  ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
                 ],
                 :include => 'profile',
                 :order => 'articles.published_at desc, articles.id desc'
@@ -221,16 +213,32 @@ class Article &lt; ActiveRecord::Base
     false
   end
  
+  def published?
+    if self.published
+      if self.parent && !self.parent.published?
+        return false
+      end
+      true
+    else
+      false
+    end
+  end
+
   named_scope :folders, :conditions => { :type => ['Folder', 'Blog']  }
  
+  def display_unpublished_article_to?(user)
+    self.author == user || allow_view_private_content?(user) || user == self.profile ||
+    user.is_admin?(self.profile.environment) || user.is_admin?(self.profile)
+  end
+
   def display_to?(user)
-    if self.public_article
+    if self.published?
       self.profile.display_info_to?(user)
     else
       if user.nil?
         false
       else
-        (user == self.profile) || user.has_permission?('view_private_content', self.profile)
+        self.display_unpublished_article_to?(user)
       end
     end
   end
@@ -243,6 +251,10 @@ class Article &lt; ActiveRecord::Base
     user && user.has_permission?('publish_content', profile)
   end
  
+  def allow_view_private_content?(user = nil)
+    user && user.has_permission?('view_private_content', profile)
+  end
+
   def comments_updated
     ferret_update
   end
@@ -252,18 +264,31 @@ class Article &lt; ActiveRecord::Base
   end
  
   def public?
-    profile.visible? && profile.public? && public_article
+    profile.visible? && profile.public? && published?
   end
  
+
   def copy(options)
-    attrs = attributes.reject! { |key, value| article_attr_blacklist.include?(key) }
+    attrs = attributes.reject! { |key, value| ATTRIBUTES_NOT_COPIED.include?(key.to_sym) }
     attrs.merge!(options)
     self.class.create(attrs)
   end
  
-  def article_attr_blacklist
-    ['id', 'profile_id', 'parent_id', 'slug', 'path', 'updated_at', 'created_at', 'last_changed_by_id', 'version', 'lock_version', 'type', 'children_count', 'comments_count', 'hits']
-  end
+  ATTRIBUTES_NOT_COPIED = [
+    :id,
+    :profile_id,
+    :parent_id,
+    :path,
+    :updated_at,
+    :created_at,
+    :last_changed_by_id,
+    :version,
+    :lock_version,
+    :type,
+    :children_count,
+    :comments_count,
+    :hits,
+  ]
  
   def self.find_by_old_path(old_path)
     find(:first, :include => :versions, :conditions => ['article_versions.path = ?', old_path], :order => 'article_versions.id desc')
@@ -4,6 +4,8 @@ class Folder &lt; Article
  
   settings_items :view_as, :type => :string, :default => 'folder'
  
+  xss_terminate :only => [ :body ], :with => 'white_list'
+
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
   end
@@ -39,7 +41,7 @@ class Folder &lt; Article
   end
  
   def folder
-    content_tag('div', body) + tag('hr') + (children.empty? ? content_tag('em', _('(empty folder)')) : list_articles(children))
+    content_tag('div', body) + tag('hr')
   end
  
   def image_gallery
@@ -448,7 +448,7 @@ private :generate_url, :url_options
  
       # a default private folder if public
       if self.public?
-       folder = Folder.new(:name => _("Intranet"), :public_article => false)
+       folder = Folder.new(:name => _("Intranet"), :published => false)
        self.articles << folder
       end
     end
@@ -588,10 +588,6 @@ private :generate_url, :url_options
     end
   end
  
-  def theme
-    self[:theme] || environment && environment.theme || 'default'
-  end
-
   def public?
     visible && public_profile
   end
@@ -693,7 +689,7 @@ private :generate_url, :url_options
       if user.nil?
         false
       else
-        (user == self) || (user.is_admin?(self.environment)) || (user.memberships.include?(self))
+        (user == self) || (user.is_admin?(self.environment)) || user.is_admin?(self) || user.memberships.include?(self)
       end
     end
 end
@@ -81,6 +81,9 @@
 <% cache(@page.cache_key(params, user)) do %>
   <div class="<%="article-body article-body-" + @page.css_class_name %>">
     <%= article_to_html(@page) %>
+    <% if @page.folder? %>
+      <%= list_articles(@page.children, user)%>
+    <% end %>
     <br style="clear:both" />
   </div> <!-- end class="article-body" -->
 <% end %>
 <h1><%= _("%s: site map") % profile.name %></h1>
  
-<%= list_articles(@articles, false) %>
+<%= list_articles(@articles, user) %>
@@ -0,0 +1,9 @@
+class SetPublicArticleIntoPublishedAttribute < ActiveRecord::Migration
+  def self.up
+    execute('update articles set published=(1!=1) where not public_article')
+  end
+
+  def self.down
+    say "this migration can't be reverted"
+  end
+end
@@ -0,0 +1,10 @@
+class RemovePublicArticle < ActiveRecord::Migration
+  def self.up
+    remove_column :articles, :public_article
+  end
+
+  def self.down
+    add_column :articles, :public_article, :boolean, :default => true
+    execute('update articles set public_article = (1>0)')
+  end
+end
@@ -0,0 +1,9 @@
+class ClearDefaultThemeFromProfiles < ActiveRecord::Migration
+  def self.up
+    execute("update profiles set theme = null where theme = 'default'")
+  end
+
+  def self.down
+    say "WARNING: cannot undo this migration"
+  end
+end
@@ -1,12 +0,0 @@
-ls -1 *.rb | (
-  i=1
-  while read IN; do
-    OUT=$(echo $IN | sed -e "s/^[0-9]\+/$(printf '%03d' $i)/")
-    if [ "$IN" != "$OUT" ]; then
-      echo mv $IN $OUT
-    else
-      echo "# $IN stays untouched"
-    fi
-    i=$[$i + 1]
-  done
-)
@@ -9,7 +9,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
  
-ActiveRecord::Schema.define(:version => 83) do
+ActiveRecord::Schema.define(:version => 20100326171758) do
  
   create_table "article_versions", :force => true do |t|
     t.integer  "article_id"
@@ -72,7 +72,6 @@ ActiveRecord::Schema.define(:version =&gt; 83) do
     t.date     "start_date"
     t.date     "end_date"
     t.integer  "children_count",       :default => 0
-    t.boolean  "public_article",       :default => true
     t.boolean  "accept_comments",      :default => true
     t.integer  "reference_article_id"
     t.text     "setting"
@@ -8,7 +8,7 @@ env = Environment.default
  
 def move_articles_to_blog(profile)
   profile.articles.each { |article|
-    if !article.blog? && !article.is_a?(RssFeed) && article.public_article
+    if !article.blog? && !article.is_a?(RssFeed) && article.published?
       puts 'including ' + article.path + ' in the blog'
       article.parent = profile.blog
       article.save!
@@ -624,14 +624,14 @@ class CmsControllerTest &lt; Test::Unit::TestCase
   end
  
   should 'create a private article child of private folder' do
-    folder = Folder.new(:name => 'my intranet', :public_article => false); profile.articles << folder; folder.save!
+    folder = Folder.new(:name => 'my intranet', :published => false); profile.articles << folder; folder.save!
  
     post :new, :profile => profile.identifier, :type => 'TextileArticle', :parent_id => folder.id, :article => { :name => 'new-private-article'}
     folder.reload
  
-    assert !assigns(:article).public?
+    assert !assigns(:article).published?
     assert_equal 'new-private-article', folder.children[0].name
-    assert !folder.children[0].public?
+    assert !folder.children[0].published?
   end
  
   should 'load communities for that the user belongs' do
@@ -293,10 +293,10 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
     assert_response 404
   end
  
-  should 'show unpublished articles as unexisting' do
+  should 'show access denied to unpublished articles' do
     profile.articles.create!(:name => 'test', :published => false)
     get :view_page, :profile => profile.identifier, :page => [ 'test' ]
-    assert_response 404
+    assert_response 403
   end
  
   should 'show unpublished articles to the user himself' do
@@ -307,19 +307,9 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
     assert_response :success
   end
  
-  should 'show unpublished articles to members' do
-    community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :published => false)
-    community.add_member(profile)
-
-    login_as(profile.identifier)
-    get :view_page, :profile => community.identifier, :page => [ 'test' ]
-    assert_response :success
-  end
-
   should 'not show private content to members' do
     community = Community.create!(:name => 'testcomm')
-    Folder.create!(:name => 'test', :profile => community, :public_article => false)
+    Folder.create!(:name => 'test', :profile => community, :published => false)
     community.add_member(profile)
  
     login_as(profile.identifier)
@@ -332,7 +322,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
  
   should 'show private content to profile moderators' do
     community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :public_article => false)
+    community.articles.create!(:name => 'test', :published => false)
     community.add_moderator(profile)
  
     login_as(profile.identifier)
@@ -344,7 +334,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
  
   should 'show private content to profile admins' do
     community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :public_article => false)
+    community.articles.create!(:name => 'test', :published => false)
     community.add_admin(profile)
  
     login_as(profile.identifier)
@@ -430,7 +420,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
  
   should 'not give access to private articles if logged off' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
  
     @request.stubs(:ssl?).returns(true)
     get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
@@ -441,7 +431,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'not give access to private articles if logged in but not member' do
     login_as('testinguser')
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
  
     @request.stubs(:ssl?).returns(true)
     get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
@@ -452,7 +442,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'not give access to private articles if logged in and only member' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.member(profile.environment.id))
     login_as('test_user')
  
@@ -465,7 +455,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'give access to private articles if logged in and moderator' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.moderator(profile.environment.id))
     login_as('test_user')
  
@@ -478,7 +468,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'give access to private articles if logged in and admin' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.admin(profile.environment.id))
     login_as('test_user')
  
@@ -507,21 +497,21 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
  
   should 'require SSL for viewing non-public articles' do
     Environment.default.update_attribute(:enable_ssl, true)
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => false)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => false)
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_redirected_to :protocol => 'https://', :profile => 'testinguser', :page => [ 'myarticle' ]
   end
  
   should 'avoid SSL for viewing public articles' do
     @request.expects(:ssl?).returns(true).at_least_once
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => true)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => true)
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_redirected_to :protocol => 'http://', :profile => 'testinguser', :page => [ 'myarticle' ]
   end
  
   should 'not redirect to SSL if already on SSL' do
     @request.expects(:ssl?).returns(true).at_least_once
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => false)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => false)
     login_as('testinguser')
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_response :success
@@ -555,6 +555,12 @@ class ApplicationHelperTest &lt; Test::Unit::TestCase
     assert_equal 'profile-theme', current_theme
   end
  
+  should 'use environment theme if the profile theme is nil' do
+    stubs(:environment).returns(fast_create(Environment, :theme => 'new-theme'))
+    stubs(:profile).returns(fast_create(Profile))
+    assert_equal environment.theme, current_theme
+  end
+
   protected
  
   def url_for(args = {})
@@ -160,8 +160,8 @@ class ArticleTest &lt; Test::Unit::TestCase
     p = create_user('usr1').person
     Article.destroy_all
  
-    first  = p.articles.build(:name => 'first',  :public_article => true);  first.save!
-    second = p.articles.build(:name => 'second', :public_article => false); second.save!
+    first  = p.articles.build(:name => 'first',  :published => true);  first.save!
+    second = p.articles.build(:name => 'second', :published => false); second.save!
  
     assert_equal [ first ], Article.recent(nil)
   end
@@ -202,8 +202,8 @@ class ArticleTest &lt; Test::Unit::TestCase
  
     now = Time.now
  
-    first  = p.articles.build(:name => 'first',  :public_article => true, :created_at => now, :published_at => now);  first.save!
-    second = p.articles.build(:name => 'second', :public_article => true, :updated_at => now, :published_at => now + 1.second); second.save!
+    first  = p.articles.build(:name => 'first',  :published => true, :created_at => now, :published_at => now);  first.save!
+    second = p.articles.build(:name => 'second', :published => true, :updated_at => now, :published_at => now + 1.second); second.save!
  
     assert_equal [ second, first ], Article.recent(2)
  
@@ -443,21 +443,21 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert !Article.new.accept_category?(ProductCategory.new)
   end
  
-  should 'accept public_article attribute' do
-    assert_respond_to Article.new, :public_article
-    assert_respond_to Article.new, :public_article=
+  should 'accept published attribute' do
+    assert_respond_to Article.new, :published
+    assert_respond_to Article.new, :published=
   end
  
   should 'say that logged off user cannot see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
  
     assert !article.display_to?(nil)
   end 
  
   should 'say that not member of profile cannot see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
  
     assert !article.display_to?(person)
@@ -465,7 +465,7 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'say that member user can not see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.member(profile.environment.id))
  
@@ -474,7 +474,7 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'say that profile admin can see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.admin(profile.environment.id))
  
@@ -483,7 +483,7 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'say that profile moderator can see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.moderator(profile.environment.id))
  
@@ -492,7 +492,7 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'not show article to non member if article public but profile private' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile', :public_profile => false)
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => true)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => true)
     person1 = create_user('test_user1').person
     profile.affiliate(person1, Profile::Roles.member(profile.environment.id))
     person2 = create_user('test_user2').person
@@ -504,54 +504,27 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'make new article private if created inside a private folder' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     article = Article.create!(:name => 'my private article', :profile => profile, :parent => folder)
  
-    assert !article.public_article
-  end
-
-  should 'respond to public? like public_article if profile is public' do
-    p = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    a1 = Article.create!(:name => 'test public article', :profile => p)
-    a2 = Article.create!(:name => 'test private article', :profile => p, :public_article => false)
-
-    assert a1.public?
-    assert !a2.public?
-  end
-
-  should 'respond to public? as false if profile is private' do
-    p = Profile.create!(:name => 'test profile', :identifier => 'test_profile', :public_profile => false)
-    a1 = Article.create!(:name => 'test public article', :profile => p)
-    a2 = Article.create!(:name => 'test private article', :profile => p, :public_article => false)
-
-    assert !a1.public?
-    assert !a2.public?
-  end
-
-  should 'respond to public? as false if profile is invisible' do
-    profile = fast_create(Profile, :visible => false)
-    article1 = fast_create(Article, :profile_id => profile.id)
-    article2 = fast_create(Article, :profile_id => profile.id, :public_article => false)
-
-    assert !article1.public?
-    assert !article2.public?
+    assert !article.published?
   end
  
   should 'save as private' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     article = TextileArticle.new(:name => 'my private article')
     article.profile = profile
     article.parent = folder
     article.save!
     article.reload
  
-    assert !article.public_article
+    assert !article.published?
   end
  
   should 'not allow friends of private person see the article' do
     person = create_user('test_user').person
-    article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => person, :published => false)
     friend = create_user('test_friend').person
     person.add_friend(friend)
     person.save!
@@ -562,7 +535,7 @@ class ArticleTest &lt; Test::Unit::TestCase
  
   should 'display private articles to people who can view private content' do
     person = create_user('test_user').person
-    article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => person, :published => false)
  
     admin_user = create_user('admin_user').person
     admin_user.stubs(:has_permission?).with('view_private_content', article.profile).returns('true')
@@ -598,6 +571,12 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert_kind_of Folder, b
   end
  
+  should 'copy slug' do
+    a = fast_create(Article, :slug => 'slug123')
+    b = a.copy({})
+    assert_equal a.slug, b.slug
+  end
+
   should 'load article under an old path' do
     p = create_user('test_user').person
     a = p.articles.create(:name => 'old-name')
@@ -15,4 +15,82 @@ class FolderHelperTest &lt; Test::Unit::TestCase
     assert_equal 'icons-mime/unknown.png', icon_for_article(art2)
   end
  
+  should 'list all the folder\'s children to the owner' do
+    profile = create_user('Folder Owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    sub_folder = fast_create(Folder, {:name => 'Child Folder', :parent_id => folder.id,
+                             :profile_id => profile.id})
+    sub_blog = fast_create(Blog, {:name => 'Child Blog', :parent_id => folder.id,
+                           :profile_id => profile.id})
+    sub_article = fast_create(Article, {:name => 'Not Public Child Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => false})
+
+    result = folder.list_articles(folder.children, profile)
+
+    assert_match 'Child Folder', result
+    assert_match 'Not Public Child Article', result
+    assert_match 'Child Blog', result
+  end
+
+  should 'list the folder\'s children that are public to the user' do
+    profile = create_user('Folder Owner').person
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    public_article = fast_create(Article, {:name => 'Public Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => true})
+    not_public_article = fast_create(Article, {:name => 'Not Public Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => false})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_match 'Public Article', result
+    assert_no_match /Not Public Article/, result
+  end
+
+  should ' not list the folder\'s children to the user because the owner\'s profile is not public' do
+    profile = create_user('folder-owner').person
+    profile.public_profile = false
+    profile.save!
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_no_match /Article/, result
+  end
+
+  should ' not list the folder\'s children to the user because the owner\'s profile is not visible' do
+    profile = create_user('folder-owner').person
+    profile.visible = false
+    profile.save!
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_no_match /Article/, result
+  end
+
+  should 'list subitems as HTML content' do
+    profile = create_user('folder-owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article1', :parent_id => folder.id, :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article2', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile)
+
+    assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article1/
+    assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article2/
+  end
+
+  should 'explictly advise if empty' do
+    profile = create_user('folder-owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    result = folder.list_articles(folder.children, profile)
+
+    assert_match '(empty folder)', result
+  end
+
 end
@@ -18,23 +18,6 @@ class FolderTest &lt; ActiveSupport::TestCase
     assert_not_equal Article.new.icon_name, Folder.new.icon_name
   end
  
-  should 'list subitems as HTML content' do
-    p = create_user('testuser').person
-    f = Folder.create!(:profile => p, :name => 'f')
-    f.children.create!(:profile => p, :name => 'onearticle')
-    f.children.create!(:profile => p, :name => 'otherarticle')
-    f.reload
-
-    assert_tag_in_string f.to_html, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/testuser\/f\/onearticle(\?|$)/ } }, :content => /onearticle/
-    assert_tag_in_string f.to_html, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/testuser\/f\/otherarticle(\?|$)/ } }, :content => /otherarticle/
-  end
-
-  should 'explictly advise if empty' do
-    p = create_user('testuser').person
-    f = Folder.create!(:profile => p, :name => 'f')
-    assert_tag_in_string f.to_html, :content => '(empty folder)'
-  end
-
   should 'show text body in HTML content' do
     p = create_user('testuser').person
     f = Folder.create!(:name => 'f', :profile => p, :body => 'this-is-the-text')
@@ -147,4 +130,19 @@ class FolderTest &lt; ActiveSupport::TestCase
  
     assert_includes folder.images(true), pi
   end
+
+  should 'not let pass javascript in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
+    folder.save!
+    assert_no_match(/<script>/, folder.body)
+  end
+
+  should 'let pass html in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
+    folder.save!
+    assert_match(/<strong>/, folder.body)
+  end
+
 end
@@ -909,15 +909,6 @@ class ProfileTest &lt; Test::Unit::TestCase
     assert_equal 'my-shiny-theme', p.theme
   end
  
-  should 'delegate theme selection to environment by default' do
-    p = Profile.new
-    env = mock
-    p.stubs(:environment).returns(env)
-    env.expects(:theme).returns('environment-stored-theme')
-
-    assert_equal 'environment-stored-theme', p.theme
-  end
-
   should 'respond to public? as public_profile' do
     p1 = fast_create(Profile)
     p2 = fast_create(Profile, :public_profile => false)
@@ -930,8 +921,8 @@ class ProfileTest &lt; Test::Unit::TestCase
     p1 = create(Profile)
     p2 = create(Profile, :public_profile => false)
  
-    assert p1.articles.find(:first, :conditions => {:public_article => false})
-    assert !p2.articles.find(:first, :conditions => {:public_article => false})
+    assert p1.articles.find(:first, :conditions => {:published => false})
+    assert !p2.articles.find(:first, :conditions => {:published => false})
   end
  
   should 'remove member with many roles' do
...	...	@@ -26,11 +26,6 @@ class ContentViewerController < ApplicationController
26	26	end
27	27	end
28	28
29		- # only show unpublished articles to those who can edit then
30		- if @page && !@page.published && !@page.allow_post_content?(user)
31		- @page = nil
32		- end
33		-
34	29	# page not found, give error
35	30	if @page.nil?
36	31	render_not_found(@path)
...	...
...	...	@@ -336,7 +336,7 @@ module ApplicationHelper
336	336	elsif ENV['RAILS_ENV'] == 'development' && params[:theme]
337	337	params[:theme]
338	338	else
339		- if profile
	339	+ if profile && !profile.theme.nil?
340	340	profile.theme
341	341	elsif environment
342	342	environment.theme
...	...
1	1	module FolderHelper
2	2
3		- def list_articles(articles, recursive = false)
4		- content_tag(
5		- 'table',
6		- content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
7		- articles.select { \|item\| item.public? }.map {\|item\| display_article_in_listing(item, recursive, 0)}.join('')
8		- )
	3	+ def list_articles(articles, user, recursive = false)
	4	+ if !articles.blank?
	5	+ content_tag(
	6	+ 'table',
	7	+ content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
	8	+ articles.select { \|item\| item.display_to?(user)}.map {\|item\| display_article_in_listing(item, recursive, 0)}.join('')
	9	+ )
	10	+ else
	11	+ content_tag('em', _('(empty folder)'))
	12	+ end
9	13	end
10	14
11	15	def display_article_in_listing(article, recursive = false, level = 0)
...	...
...	...	@@ -84,13 +84,6 @@ class Article < ActiveRecord::Base
84	84	pending_categorizations.clear
85	85	end
86	86
87		- before_save do \|article\|
88		- if article.parent
89		- article.public_article = article.parent.public_article
90		- end
91		- true
92		- end
93		-
94	87	acts_as_taggable
95	88	N_('Tag list')
96	89
...	...	@@ -123,11 +116,10 @@ class Article < ActiveRecord::Base
123	116	options = { :limit => limit,
124	117	:conditions => [
125	118	"advertise = ? AND
126		- public_article = ? AND
127	119	published = ? AND
128	120	profiles.visible = ? AND
129	121	profiles.public_profile = ? AND
130		- ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
	122	+ ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
131	123	],
132	124	:include => 'profile',
133	125	:order => 'articles.published_at desc, articles.id desc'
...	...	@@ -221,16 +213,32 @@ class Article < ActiveRecord::Base
221	213	false
222	214	end
223	215
	216	+ def published?
	217	+ if self.published
	218	+ if self.parent && !self.parent.published?
	219	+ return false
	220	+ end
	221	+ true
	222	+ else
	223	+ false
	224	+ end
	225	+ end
	226	+
224	227	named_scope :folders, :conditions => { :type => ['Folder', 'Blog'] }
225	228
	229	+ def display_unpublished_article_to?(user)
	230	+ self.author == user \|\| allow_view_private_content?(user) \|\| user == self.profile \|\|
	231	+ user.is_admin?(self.profile.environment) \|\| user.is_admin?(self.profile)
	232	+ end
	233	+
226	234	def display_to?(user)
227		- if self.public_article
	235	+ if self.published?
228	236	self.profile.display_info_to?(user)
229	237	else
230	238	if user.nil?
231	239	false
232	240	else
233		- (user == self.profile) \|\| user.has_permission?('view_private_content', self.profile)
	241	+ self.display_unpublished_article_to?(user)
234	242	end
235	243	end
236	244	end
...	...	@@ -243,6 +251,10 @@ class Article < ActiveRecord::Base
243	251	user && user.has_permission?('publish_content', profile)
244	252	end
245	253
	254	+ def allow_view_private_content?(user = nil)
	255	+ user && user.has_permission?('view_private_content', profile)
	256	+ end
	257	+
246	258	def comments_updated
247	259	ferret_update
248	260	end
...	...	@@ -252,18 +264,31 @@ class Article < ActiveRecord::Base
252	264	end
253	265
254	266	def public?
255		- profile.visible? && profile.public? && public_article
	267	+ profile.visible? && profile.public? && published?
256	268	end
257	269
	270	+
258	271	def copy(options)
259		- attrs = attributes.reject! { \|key, value\| article_attr_blacklist.include?(key) }
	272	+ attrs = attributes.reject! { \|key, value\| ATTRIBUTES_NOT_COPIED.include?(key.to_sym) }
260	273	attrs.merge!(options)
261	274	self.class.create(attrs)
262	275	end
263	276
264		- def article_attr_blacklist
265		- ['id', 'profile_id', 'parent_id', 'slug', 'path', 'updated_at', 'created_at', 'last_changed_by_id', 'version', 'lock_version', 'type', 'children_count', 'comments_count', 'hits']
266		- end
	277	+ ATTRIBUTES_NOT_COPIED = [
	278	+ :id,
	279	+ :profile_id,
	280	+ :parent_id,
	281	+ :path,
	282	+ :updated_at,
	283	+ :created_at,
	284	+ :last_changed_by_id,
	285	+ :version,
	286	+ :lock_version,
	287	+ :type,
	288	+ :children_count,
	289	+ :comments_count,
	290	+ :hits,
	291	+ ]
267	292
268	293	def self.find_by_old_path(old_path)
269	294	find(:first, :include => :versions, :conditions => ['article_versions.path = ?', old_path], :order => 'article_versions.id desc')
...	...
...	...	@@ -4,6 +4,8 @@ class Folder < Article
4	4
5	5	settings_items :view_as, :type => :string, :default => 'folder'
6	6
	7	+ xss_terminate :only => [ :body ], :with => 'white_list'
	8	+
7	9	def self.select_views
8	10	[[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
9	11	end
...	...	@@ -39,7 +41,7 @@ class Folder < Article
39	41	end
40	42
41	43	def folder
42		- content_tag('div', body) + tag('hr') + (children.empty? ? content_tag('em', _('(empty folder)')) : list_articles(children))
	44	+ content_tag('div', body) + tag('hr')
43	45	end
44	46
45	47	def image_gallery
...	...
...	...	@@ -448,7 +448,7 @@ private :generate_url, :url_options
448	448
449	449	# a default private folder if public
450	450	if self.public?
451		- folder = Folder.new(:name => _("Intranet"), :public_article => false)
	451	+ folder = Folder.new(:name => _("Intranet"), :published => false)
452	452	self.articles << folder
453	453	end
454	454	end
...	...	@@ -588,10 +588,6 @@ private :generate_url, :url_options
588	588	end
589	589	end
590	590
591		- def theme
592		- self[:theme] \|\| environment && environment.theme \|\| 'default'
593		- end
594		-
595	591	def public?
596	592	visible && public_profile
597	593	end
...	...	@@ -693,7 +689,7 @@ private :generate_url, :url_options
693	689	if user.nil?
694	690	false
695	691	else
696		- (user == self) \|\| (user.is_admin?(self.environment)) \|\| (user.memberships.include?(self))
	692	+ (user == self) \|\| (user.is_admin?(self.environment)) \|\| user.is_admin?(self) \|\| user.memberships.include?(self)
697	693	end
698	694	end
699	695	end
...	...
...	...	@@ -81,6 +81,9 @@
81	81	<% cache(@page.cache_key(params, user)) do %>
82	82	<div class="<%="article-body article-body-" + @page.css_class_name %>">
83	83	<%= article_to_html(@page) %>
	84	+ <% if @page.folder? %>
	85	+ <%= list_articles(@page.children, user)%>
	86	+ <% end %>
84	87	<br style="clear:both" />
85	88	</div> <!-- end class="article-body" -->
86	89	<% end %>
...	...
1	1	<h1><%= _("%s: site map") % profile.name %></h1>
2	2
3		-<%= list_articles(@articles, false) %>
	3	+<%= list_articles(@articles, user) %>
...	...
...	...	@@ -0,0 +1,9 @@
	1	+class SetPublicArticleIntoPublishedAttribute < ActiveRecord::Migration
	2	+ def self.up
	3	+ execute('update articles set published=(1!=1) where not public_article')
	4	+ end
	5	+
	6	+ def self.down
	7	+ say "this migration can't be reverted"
	8	+ end
	9	+end
...	...
...	...	@@ -0,0 +1,10 @@
	1	+class RemovePublicArticle < ActiveRecord::Migration
	2	+ def self.up
	3	+ remove_column :articles, :public_article
	4	+ end
	5	+
	6	+ def self.down
	7	+ add_column :articles, :public_article, :boolean, :default => true
	8	+ execute('update articles set public_article = (1>0)')
	9	+ end
	10	+end
...	...