Merge branch 'stable'

Antonio Terceiro
2 parents 81c5f0e3 8ecff858
Showing 21 changed files with 233 additions and 151 deletions Show diff stats
app/controllers/public/content_viewer_controller.rb
app/helpers/application_helper.rb
app/helpers/folder_helper.rb
app/models/article.rb
app/models/folder.rb
app/models/profile.rb
app/views/content_viewer/view_page.rhtml
app/views/profile/sitemap.rhtml
db/migrate/084_set_public_article_into_published_attribute.rb
db/migrate/085_remove_public_article.rb
db/migrate/20100326171758_clear_default_theme_from_profiles.rb
db/migrate/renumber.sh
db/schema.rb
script/apply-template
test/functional/cms_controller_test.rb
test/functional/content_viewer_controller_test.rb
test/unit/application_helper_test.rb
test/unit/article_test.rb
test/unit/folder_helper_test.rb
test/unit/folder_test.rb
@@ -26,11 +26,6 @@ class ContentViewerController &lt; ApplicationController
         end
       end
-      # only show unpublished articles to those who can edit then
-      if @page && !@page.published && !@page.allow_post_content?(user)
-        @page = nil
-      end
-
       # page not found, give error
       if @page.nil?
         render_not_found(@path)
@@ -336,7 +336,7 @@ module ApplicationHelper
           elsif ENV['RAILS_ENV'] == 'development' && params[:theme]
             params[:theme]
           else
-            if profile
+            if profile && !profile.theme.nil?
               profile.theme
             elsif environment
               environment.theme
 module FolderHelper
-  def list_articles(articles, recursive = false)
-    content_tag(
-      'table',
-      content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
-      articles.select { |item| item.public? }.map {|item| display_article_in_listing(item, recursive, 0)}.join('')
-    )
+  def list_articles(articles, user, recursive = false)
+    if !articles.blank?
+      content_tag(
+        'table',
+        content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) +
+        articles.select { |item| item.display_to?(user)}.map {|item| display_article_in_listing(item, recursive, 0)}.join('')
+      )
+    else
+      content_tag('em', _('(empty folder)'))
+    end
   end
   def display_article_in_listing(article, recursive = false, level = 0)
@@ -84,13 +84,6 @@ class Article &lt; ActiveRecord::Base
     pending_categorizations.clear
   end
-  before_save do |article|
-    if article.parent
-      article.public_article = article.parent.public_article
-    end
-    true
-  end
-
   acts_as_taggable  
   N_('Tag list')
@@ -123,11 +116,10 @@ class Article &lt; ActiveRecord::Base
     options = { :limit => limit,
                 :conditions => [
                   "advertise = ? AND
-                  public_article = ? AND
                   published = ? AND
                   profiles.visible = ? AND
                   profiles.public_profile = ? AND
-                  ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
+                  ((articles.type != ? and articles.type != ? and articles.type != ?) OR articles.type is NULL)", true, true, true, true, 'UploadedFile', 'RssFeed', 'Blog'
                 ],
                 :include => 'profile',
                 :order => 'articles.published_at desc, articles.id desc'
@@ -221,16 +213,32 @@ class Article &lt; ActiveRecord::Base
     false
   end
+  def published?
+    if self.published
+      if self.parent && !self.parent.published?
+        return false
+      end
+      true
+    else
+      false
+    end
+  end
+
   named_scope :folders, :conditions => { :type => ['Folder', 'Blog']  }
+  def display_unpublished_article_to?(user)
+    self.author == user || allow_view_private_content?(user) || user == self.profile ||
+    user.is_admin?(self.profile.environment) || user.is_admin?(self.profile)
+  end
+
   def display_to?(user)
-    if self.public_article
+    if self.published?
       self.profile.display_info_to?(user)
     else
       if user.nil?
         false
       else
-        (user == self.profile) || user.has_permission?('view_private_content', self.profile)
+        self.display_unpublished_article_to?(user)
       end
     end
   end
@@ -243,6 +251,10 @@ class Article &lt; ActiveRecord::Base
     user && user.has_permission?('publish_content', profile)
   end
+  def allow_view_private_content?(user = nil)
+    user && user.has_permission?('view_private_content', profile)
+  end
+
   def comments_updated
     ferret_update
   end
@@ -252,18 +264,31 @@ class Article &lt; ActiveRecord::Base
   end
   def public?
-    profile.visible? && profile.public? && public_article
+    profile.visible? && profile.public? && published?
   end
+
   def copy(options)
-    attrs = attributes.reject! { |key, value| article_attr_blacklist.include?(key) }
+    attrs = attributes.reject! { |key, value| ATTRIBUTES_NOT_COPIED.include?(key.to_sym) }
     attrs.merge!(options)
     self.class.create(attrs)
   end
-  def article_attr_blacklist
-    ['id', 'profile_id', 'parent_id', 'slug', 'path', 'updated_at', 'created_at', 'last_changed_by_id', 'version', 'lock_version', 'type', 'children_count', 'comments_count', 'hits']
-  end
+  ATTRIBUTES_NOT_COPIED = [
+    :id,
+    :profile_id,
+    :parent_id,
+    :path,
+    :updated_at,
+    :created_at,
+    :last_changed_by_id,
+    :version,
+    :lock_version,
+    :type,
+    :children_count,
+    :comments_count,
+    :hits,
+  ]
   def self.find_by_old_path(old_path)
     find(:first, :include => :versions, :conditions => ['article_versions.path = ?', old_path], :order => 'article_versions.id desc')
@@ -4,6 +4,8 @@ class Folder &lt; Article
   settings_items :view_as, :type => :string, :default => 'folder'
+  xss_terminate :only => [ :body ], :with => 'white_list'
+
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
   end
@@ -39,7 +41,7 @@ class Folder &lt; Article
   end
   def folder
-    content_tag('div', body) + tag('hr') + (children.empty? ? content_tag('em', _('(empty folder)')) : list_articles(children))
+    content_tag('div', body) + tag('hr')
   end
   def image_gallery
@@ -448,7 +448,7 @@ private :generate_url, :url_options
       # a default private folder if public
       if self.public?
-       folder = Folder.new(:name => _("Intranet"), :public_article => false)
+       folder = Folder.new(:name => _("Intranet"), :published => false)
        self.articles << folder
       end
     end
@@ -588,10 +588,6 @@ private :generate_url, :url_options
     end
   end
-  def theme
-    self[:theme] || environment && environment.theme || 'default'
-  end
-
   def public?
     visible && public_profile
   end
@@ -693,7 +689,7 @@ private :generate_url, :url_options
       if user.nil?
         false
       else
-        (user == self) || (user.is_admin?(self.environment)) || (user.memberships.include?(self))
+        (user == self) || (user.is_admin?(self.environment)) || user.is_admin?(self) || user.memberships.include?(self)
       end
     end
 end
@@ -81,6 +81,9 @@
 <% cache(@page.cache_key(params, user)) do %>
   <div class="<%="article-body article-body-" + @page.css_class_name %>">
     <%= article_to_html(@page) %>
+    <% if @page.folder? %>
+      <%= list_articles(@page.children, user)%>
+    <% end %>
     <br style="clear:both" />
   </div> <!-- end class="article-body" -->
 <% end %>
 <h1><%= _("%s: site map") % profile.name %></h1>
-<%= list_articles(@articles, false) %>
+<%= list_articles(@articles, user) %>
@@ -0,0 +1,9 @@
+class SetPublicArticleIntoPublishedAttribute < ActiveRecord::Migration
+  def self.up
+    execute('update articles set published=(1!=1) where not public_article')
+  end
+
+  def self.down
+    say "this migration can't be reverted"
+  end
+end
@@ -0,0 +1,10 @@
+class RemovePublicArticle < ActiveRecord::Migration
+  def self.up
+    remove_column :articles, :public_article
+  end
+
+  def self.down
+    add_column :articles, :public_article, :boolean, :default => true
+    execute('update articles set public_article = (1>0)')
+  end
+end
@@ -0,0 +1,9 @@
+class ClearDefaultThemeFromProfiles < ActiveRecord::Migration
+  def self.up
+    execute("update profiles set theme = null where theme = 'default'")
+  end
+
+  def self.down
+    say "WARNING: cannot undo this migration"
+  end
+end
@@ -1,12 +0,0 @@
-ls -1 *.rb | (
-  i=1
-  while read IN; do
-    OUT=$(echo $IN | sed -e "s/^[0-9]\+/$(printf '%03d' $i)/")
-    if [ "$IN" != "$OUT" ]; then
-      echo mv $IN $OUT
-    else
-      echo "# $IN stays untouched"
-    fi
-    i=$[$i + 1]
-  done
-)
@@ -9,7 +9,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 83) do
+ActiveRecord::Schema.define(:version => 20100326171758) do
   create_table "article_versions", :force => true do |t|
     t.integer  "article_id"
@@ -72,7 +72,6 @@ ActiveRecord::Schema.define(:version =&gt; 83) do
     t.date     "start_date"
     t.date     "end_date"
     t.integer  "children_count",       :default => 0
-    t.boolean  "public_article",       :default => true
     t.boolean  "accept_comments",      :default => true
     t.integer  "reference_article_id"
     t.text     "setting"
@@ -8,7 +8,7 @@ env = Environment.default
 def move_articles_to_blog(profile)
   profile.articles.each { |article|
-    if !article.blog? && !article.is_a?(RssFeed) && article.public_article
+    if !article.blog? && !article.is_a?(RssFeed) && article.published?
       puts 'including ' + article.path + ' in the blog'
       article.parent = profile.blog
       article.save!
@@ -624,14 +624,14 @@ class CmsControllerTest &lt; Test::Unit::TestCase
   end
   should 'create a private article child of private folder' do
-    folder = Folder.new(:name => 'my intranet', :public_article => false); profile.articles << folder; folder.save!
+    folder = Folder.new(:name => 'my intranet', :published => false); profile.articles << folder; folder.save!
     post :new, :profile => profile.identifier, :type => 'TextileArticle', :parent_id => folder.id, :article => { :name => 'new-private-article'}
     folder.reload
-    assert !assigns(:article).public?
+    assert !assigns(:article).published?
     assert_equal 'new-private-article', folder.children[0].name
-    assert !folder.children[0].public?
+    assert !folder.children[0].published?
   end
   should 'load communities for that the user belongs' do
@@ -293,10 +293,10 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
     assert_response 404
   end
-  should 'show unpublished articles as unexisting' do
+  should 'show access denied to unpublished articles' do
     profile.articles.create!(:name => 'test', :published => false)
     get :view_page, :profile => profile.identifier, :page => [ 'test' ]
-    assert_response 404
+    assert_response 403
   end
   should 'show unpublished articles to the user himself' do
@@ -307,19 +307,9 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
     assert_response :success
   end
-  should 'show unpublished articles to members' do
-    community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :published => false)
-    community.add_member(profile)
-
-    login_as(profile.identifier)
-    get :view_page, :profile => community.identifier, :page => [ 'test' ]
-    assert_response :success
-  end
-
   should 'not show private content to members' do
     community = Community.create!(:name => 'testcomm')
-    Folder.create!(:name => 'test', :profile => community, :public_article => false)
+    Folder.create!(:name => 'test', :profile => community, :published => false)
     community.add_member(profile)
     login_as(profile.identifier)
@@ -332,7 +322,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'show private content to profile moderators' do
     community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :public_article => false)
+    community.articles.create!(:name => 'test', :published => false)
     community.add_moderator(profile)
     login_as(profile.identifier)
@@ -344,7 +334,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'show private content to profile admins' do
     community = Community.create!(:name => 'testcomm')
-    community.articles.create!(:name => 'test', :public_article => false)
+    community.articles.create!(:name => 'test', :published => false)
     community.add_admin(profile)
     login_as(profile.identifier)
@@ -430,7 +420,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'not give access to private articles if logged off' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     @request.stubs(:ssl?).returns(true)
     get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
@@ -441,7 +431,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'not give access to private articles if logged in but not member' do
     login_as('testinguser')
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     @request.stubs(:ssl?).returns(true)
     get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
@@ -452,7 +442,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'not give access to private articles if logged in and only member' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.member(profile.environment.id))
     login_as('test_user')
@@ -465,7 +455,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'give access to private articles if logged in and moderator' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.moderator(profile.environment.id))
     login_as('test_user')
@@ -478,7 +468,7 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'give access to private articles if logged in and admin' do
     person = create_user('test_user').person
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     profile.affiliate(person, Profile::Roles.admin(profile.environment.id))
     login_as('test_user')
@@ -507,21 +497,21 @@ class ContentViewerControllerTest &lt; Test::Unit::TestCase
   should 'require SSL for viewing non-public articles' do
     Environment.default.update_attribute(:enable_ssl, true)
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => false)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => false)
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_redirected_to :protocol => 'https://', :profile => 'testinguser', :page => [ 'myarticle' ]
   end
   should 'avoid SSL for viewing public articles' do
     @request.expects(:ssl?).returns(true).at_least_once
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => true)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => true)
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_redirected_to :protocol => 'http://', :profile => 'testinguser', :page => [ 'myarticle' ]
   end
   should 'not redirect to SSL if already on SSL' do
     @request.expects(:ssl?).returns(true).at_least_once
-    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :public_article => false)
+    page = profile.articles.create!(:name => 'myarticle', :body => 'top secret', :published => false)
     login_as('testinguser')
     get :view_page, :profile => 'testinguser', :page => [ 'myarticle' ]
     assert_response :success
@@ -555,6 +555,12 @@ class ApplicationHelperTest &lt; Test::Unit::TestCase
     assert_equal 'profile-theme', current_theme
   end
+  should 'use environment theme if the profile theme is nil' do
+    stubs(:environment).returns(fast_create(Environment, :theme => 'new-theme'))
+    stubs(:profile).returns(fast_create(Profile))
+    assert_equal environment.theme, current_theme
+  end
+
   protected
   def url_for(args = {})
@@ -160,8 +160,8 @@ class ArticleTest &lt; Test::Unit::TestCase
     p = create_user('usr1').person
     Article.destroy_all
-    first  = p.articles.build(:name => 'first',  :public_article => true);  first.save!
-    second = p.articles.build(:name => 'second', :public_article => false); second.save!
+    first  = p.articles.build(:name => 'first',  :published => true);  first.save!
+    second = p.articles.build(:name => 'second', :published => false); second.save!
     assert_equal [ first ], Article.recent(nil)
   end
@@ -202,8 +202,8 @@ class ArticleTest &lt; Test::Unit::TestCase
     now = Time.now
-    first  = p.articles.build(:name => 'first',  :public_article => true, :created_at => now, :published_at => now);  first.save!
-    second = p.articles.build(:name => 'second', :public_article => true, :updated_at => now, :published_at => now + 1.second); second.save!
+    first  = p.articles.build(:name => 'first',  :published => true, :created_at => now, :published_at => now);  first.save!
+    second = p.articles.build(:name => 'second', :published => true, :updated_at => now, :published_at => now + 1.second); second.save!
     assert_equal [ second, first ], Article.recent(2)
@@ -443,21 +443,21 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert !Article.new.accept_category?(ProductCategory.new)
   end
-  should 'accept public_article attribute' do
-    assert_respond_to Article.new, :public_article
-    assert_respond_to Article.new, :public_article=
+  should 'accept published attribute' do
+    assert_respond_to Article.new, :published
+    assert_respond_to Article.new, :published=
   end
   should 'say that logged off user cannot see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     assert !article.display_to?(nil)
   end 
   should 'say that not member of profile cannot see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     assert !article.display_to?(person)
@@ -465,7 +465,7 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'say that member user can not see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.member(profile.environment.id))
@@ -474,7 +474,7 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'say that profile admin can see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.admin(profile.environment.id))
@@ -483,7 +483,7 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'say that profile moderator can see private article' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => false)
     person = create_user('test_user').person
     profile.affiliate(person, Profile::Roles.moderator(profile.environment.id))
@@ -492,7 +492,7 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'not show article to non member if article public but profile private' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile', :public_profile => false)
-    article = Article.create!(:name => 'test article', :profile => profile, :public_article => true)
+    article = Article.create!(:name => 'test article', :profile => profile, :published => true)
     person1 = create_user('test_user1').person
     profile.affiliate(person1, Profile::Roles.member(profile.environment.id))
     person2 = create_user('test_user2').person
@@ -504,54 +504,27 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'make new article private if created inside a private folder' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     article = Article.create!(:name => 'my private article', :profile => profile, :parent => folder)
-    assert !article.public_article
-  end
-
-  should 'respond to public? like public_article if profile is public' do
-    p = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    a1 = Article.create!(:name => 'test public article', :profile => p)
-    a2 = Article.create!(:name => 'test private article', :profile => p, :public_article => false)
-
-    assert a1.public?
-    assert !a2.public?
-  end
-
-  should 'respond to public? as false if profile is private' do
-    p = Profile.create!(:name => 'test profile', :identifier => 'test_profile', :public_profile => false)
-    a1 = Article.create!(:name => 'test public article', :profile => p)
-    a2 = Article.create!(:name => 'test private article', :profile => p, :public_article => false)
-
-    assert !a1.public?
-    assert !a2.public?
-  end
-
-  should 'respond to public? as false if profile is invisible' do
-    profile = fast_create(Profile, :visible => false)
-    article1 = fast_create(Article, :profile_id => profile.id)
-    article2 = fast_create(Article, :profile_id => profile.id, :public_article => false)
-
-    assert !article1.public?
-    assert !article2.public?
+    assert !article.published?
   end
   should 'save as private' do
     profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
-    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+    folder = Folder.create!(:name => 'my_intranet', :profile => profile, :published => false)
     article = TextileArticle.new(:name => 'my private article')
     article.profile = profile
     article.parent = folder
     article.save!
     article.reload
-    assert !article.public_article
+    assert !article.published?
   end
   should 'not allow friends of private person see the article' do
     person = create_user('test_user').person
-    article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => person, :published => false)
     friend = create_user('test_friend').person
     person.add_friend(friend)
     person.save!
@@ -562,7 +535,7 @@ class ArticleTest &lt; Test::Unit::TestCase
   should 'display private articles to people who can view private content' do
     person = create_user('test_user').person
-    article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
+    article = Article.create!(:name => 'test article', :profile => person, :published => false)
     admin_user = create_user('admin_user').person
     admin_user.stubs(:has_permission?).with('view_private_content', article.profile).returns('true')
@@ -598,6 +571,12 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert_kind_of Folder, b
   end
+  should 'copy slug' do
+    a = fast_create(Article, :slug => 'slug123')
+    b = a.copy({})
+    assert_equal a.slug, b.slug
+  end
+
   should 'load article under an old path' do
     p = create_user('test_user').person
     a = p.articles.create(:name => 'old-name')
@@ -15,4 +15,82 @@ class FolderHelperTest &lt; Test::Unit::TestCase
     assert_equal 'icons-mime/unknown.png', icon_for_article(art2)
   end
+  should 'list all the folder\'s children to the owner' do
+    profile = create_user('Folder Owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    sub_folder = fast_create(Folder, {:name => 'Child Folder', :parent_id => folder.id,
+                             :profile_id => profile.id})
+    sub_blog = fast_create(Blog, {:name => 'Child Blog', :parent_id => folder.id,
+                           :profile_id => profile.id})
+    sub_article = fast_create(Article, {:name => 'Not Public Child Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => false})
+
+    result = folder.list_articles(folder.children, profile)
+
+    assert_match 'Child Folder', result
+    assert_match 'Not Public Child Article', result
+    assert_match 'Child Blog', result
+  end
+
+  should 'list the folder\'s children that are public to the user' do
+    profile = create_user('Folder Owner').person
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    public_article = fast_create(Article, {:name => 'Public Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => true})
+    not_public_article = fast_create(Article, {:name => 'Not Public Article', :parent_id =>
+                              folder.id, :profile_id => profile.id, :published => false})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_match 'Public Article', result
+    assert_no_match /Not Public Article/, result
+  end
+
+  should ' not list the folder\'s children to the user because the owner\'s profile is not public' do
+    profile = create_user('folder-owner').person
+    profile.public_profile = false
+    profile.save!
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_no_match /Article/, result
+  end
+
+  should ' not list the folder\'s children to the user because the owner\'s profile is not visible' do
+    profile = create_user('folder-owner').person
+    profile.visible = false
+    profile.save!
+    profile2 = create_user('Folder Viwer').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile2)
+
+    assert_no_match /Article/, result
+  end
+
+  should 'list subitems as HTML content' do
+    profile = create_user('folder-owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article1', :parent_id => folder.id, :profile_id => profile.id})
+    article = fast_create(Article, {:name => 'Article2', :parent_id => folder.id, :profile_id => profile.id})
+
+    result = folder.list_articles(folder.children, profile)
+
+    assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article1/
+    assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article2/
+  end
+
+  should 'explictly advise if empty' do
+    profile = create_user('folder-owner').person
+    folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
+    result = folder.list_articles(folder.children, profile)
+
+    assert_match '(empty folder)', result
+  end
+
 end
@@ -18,23 +18,6 @@ class FolderTest &lt; ActiveSupport::TestCase
     assert_not_equal Article.new.icon_name, Folder.new.icon_name
   end
-  should 'list subitems as HTML content' do
-    p = create_user('testuser').person
-    f = Folder.create!(:profile => p, :name => 'f')
-    f.children.create!(:profile => p, :name => 'onearticle')
-    f.children.create!(:profile => p, :name => 'otherarticle')
-    f.reload
-
-    assert_tag_in_string f.to_html, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/testuser\/f\/onearticle(\?|$)/ } }, :content => /onearticle/
-    assert_tag_in_string f.to_html, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/testuser\/f\/otherarticle(\?|$)/ } }, :content => /otherarticle/
-  end
-
-  should 'explictly advise if empty' do
-    p = create_user('testuser').person
-    f = Folder.create!(:profile => p, :name => 'f')
-    assert_tag_in_string f.to_html, :content => '(empty folder)'
-  end
-
   should 'show text body in HTML content' do
     p = create_user('testuser').person
     f = Folder.create!(:name => 'f', :profile => p, :body => 'this-is-the-text')
@@ -147,4 +130,19 @@ class FolderTest &lt; ActiveSupport::TestCase
     assert_includes folder.images(true), pi
   end
+
+  should 'not let pass javascript in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
+    folder.save!
+    assert_no_match(/<script>/, folder.body)
+  end
+
+  should 'let pass html in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
+    folder.save!
+    assert_match(/<strong>/, folder.body)
+  end
+
 end
@@ -909,15 +909,6 @@ class ProfileTest &lt; Test::Unit::TestCase
     assert_equal 'my-shiny-theme', p.theme
   end
-  should 'delegate theme selection to environment by default' do
-    p = Profile.new
-    env = mock
-    p.stubs(:environment).returns(env)
-    env.expects(:theme).returns('environment-stored-theme')
-
-    assert_equal 'environment-stored-theme', p.theme
-  end
-
   should 'respond to public? as public_profile' do
     p1 = fast_create(Profile)
     p2 = fast_create(Profile, :public_profile => false)
@@ -930,8 +921,8 @@ class ProfileTest &lt; Test::Unit::TestCase
     p1 = create(Profile)
     p2 = create(Profile, :public_profile => false)
-    assert p1.articles.find(:first, :conditions => {:public_article => false})
-    assert !p2.articles.find(:first, :conditions => {:public_article => false})
+    assert p1.articles.find(:first, :conditions => {:published => false})
+    assert !p2.articles.find(:first, :conditions => {:published => false})
   end
   should 'remove member with many roles' do
	@@ -336,7 +336,7 @@ module ApplicationHelper		@@ -336,7 +336,7 @@ module ApplicationHelper
336	elsif ENV['RAILS_ENV'] == 'development' && params[:theme]	336	elsif ENV['RAILS_ENV'] == 'development' && params[:theme]
337	params[:theme]	337	params[:theme]
338	else	338	else
339	- if profile	339	+ if profile && !profile.theme.nil?
340	profile.theme	340	profile.theme
341	elsif environment	341	elsif environment
342	environment.theme	342	environment.theme
1	<h1><%= _("%s: site map") % profile.name %></h1>	1	<h1><%= _("%s: site map") % profile.name %></h1>
2		2
3	-<%= list_articles(@articles, false) %>	3	+<%= list_articles(@articles, user) %>
@@ -0,0 +1,9 @@		@@ -0,0 +1,9 @@
	1	+class SetPublicArticleIntoPublishedAttribute < ActiveRecord::Migration
	2	+ def self.up
	3	+ execute('update articles set published=(1!=1) where not public_article')
	4	+ end
	5	+
	6	+ def self.down
	7	+ say "this migration can't be reverted"
	8	+ end
	9	+end
@@ -0,0 +1,10 @@		@@ -0,0 +1,10 @@
	1	+class RemovePublicArticle < ActiveRecord::Migration
	2	+ def self.up
	3	+ remove_column :articles, :public_article
	4	+ end
	5	+
	6	+ def self.down
	7	+ add_column :articles, :public_article, :boolean, :default => true
	8	+ execute('update articles set public_article = (1>0)')
	9	+ end
	10	+end
@@ -0,0 +1,9 @@		@@ -0,0 +1,9 @@
	1	+class ClearDefaultThemeFromProfiles < ActiveRecord::Migration
	2	+ def self.up
	3	+ execute("update profiles set theme = null where theme = 'default'")
	4	+ end
	5	+
	6	+ def self.down
	7	+ say "WARNING: cannot undo this migration"
	8	+ end
	9	+end
	@@ -1,12 +0,0 @@	@@ -1,12 +0,0 @@
1	-ls -1 *.rb \| (
2	- i=1
3	- while read IN; do
4	- OUT=$(echo $IN \| sed -e "s/^[0-9]\+/$(printf '%03d' $i)/")
5	- if [ "$IN" != "$OUT" ]; then
6	- echo mv $IN $OUT
7	- else
8	- echo "# $IN stays untouched"
9	- fi
10	- i=$[$i + 1]
11	- done
12	-)
	@@ -8,7 +8,7 @@ env = Environment.default		@@ -8,7 +8,7 @@ env = Environment.default
8		8
9	def move_articles_to_blog(profile)	9	def move_articles_to_blog(profile)
10	profile.articles.each { \|article\|	10	profile.articles.each { \|article\|
11	- if !article.blog? && !article.is_a?(RssFeed) && article.public_article	11	+ if !article.blog? && !article.is_a?(RssFeed) && article.published?
12	puts 'including ' + article.path + ' in the blog'	12	puts 'including ' + article.path + ' in the blog'
13	article.parent = profile.blog	13	article.parent = profile.blog
14	article.save!	14	article.save!
	@@ -624,14 +624,14 @@ class CmsControllerTest < Test::Unit::TestCase		@@ -624,14 +624,14 @@ class CmsControllerTest < Test::Unit::TestCase
624	end	624	end
625		625
626	should 'create a private article child of private folder' do	626	should 'create a private article child of private folder' do
627	- folder = Folder.new(:name => 'my intranet', :public_article => false); profile.articles << folder; folder.save!	627	+ folder = Folder.new(:name => 'my intranet', :published => false); profile.articles << folder; folder.save!
628		628
629	post :new, :profile => profile.identifier, :type => 'TextileArticle', :parent_id => folder.id, :article => { :name => 'new-private-article'}	629	post :new, :profile => profile.identifier, :type => 'TextileArticle', :parent_id => folder.id, :article => { :name => 'new-private-article'}
630	folder.reload	630	folder.reload
631		631
632	- assert !assigns(:article).public?	632	+ assert !assigns(:article).published?
633	assert_equal 'new-private-article', folder.children[0].name	633	assert_equal 'new-private-article', folder.children[0].name
634	- assert !folder.children[0].public?	634	+ assert !folder.children[0].published?
635	end	635	end
636		636
637	should 'load communities for that the user belongs' do	637	should 'load communities for that the user belongs' do
	@@ -555,6 +555,12 @@ class ApplicationHelperTest < Test::Unit::TestCase		@@ -555,6 +555,12 @@ class ApplicationHelperTest < Test::Unit::TestCase
555	assert_equal 'profile-theme', current_theme	555	assert_equal 'profile-theme', current_theme
556	end	556	end
557		557
		558	+ should 'use environment theme if the profile theme is nil' do
		559	+ stubs(:environment).returns(fast_create(Environment, :theme => 'new-theme'))
		560	+ stubs(:profile).returns(fast_create(Profile))
		561	+ assert_equal environment.theme, current_theme
		562	+ end
		563	+
558	protected	564	protected
559		565
560	def url_for(args = {})	566	def url_for(args = {})
	@@ -15,4 +15,82 @@ class FolderHelperTest < Test::Unit::TestCase		@@ -15,4 +15,82 @@ class FolderHelperTest < Test::Unit::TestCase
15	assert_equal 'icons-mime/unknown.png', icon_for_article(art2)	15	assert_equal 'icons-mime/unknown.png', icon_for_article(art2)
16	end	16	end
17		17
		18	+ should 'list all the folder\'s children to the owner' do
		19	+ profile = create_user('Folder Owner').person
		20	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		21	+ sub_folder = fast_create(Folder, {:name => 'Child Folder', :parent_id => folder.id,
		22	+ :profile_id => profile.id})
		23	+ sub_blog = fast_create(Blog, {:name => 'Child Blog', :parent_id => folder.id,
		24	+ :profile_id => profile.id})
		25	+ sub_article = fast_create(Article, {:name => 'Not Public Child Article', :parent_id =>
		26	+ folder.id, :profile_id => profile.id, :published => false})
		27	+
		28	+ result = folder.list_articles(folder.children, profile)
		29	+
		30	+ assert_match 'Child Folder', result
		31	+ assert_match 'Not Public Child Article', result
		32	+ assert_match 'Child Blog', result
		33	+ end
		34	+
		35	+ should 'list the folder\'s children that are public to the user' do
		36	+ profile = create_user('Folder Owner').person
		37	+ profile2 = create_user('Folder Viwer').person
		38	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		39	+ public_article = fast_create(Article, {:name => 'Public Article', :parent_id =>
		40	+ folder.id, :profile_id => profile.id, :published => true})
		41	+ not_public_article = fast_create(Article, {:name => 'Not Public Article', :parent_id =>
		42	+ folder.id, :profile_id => profile.id, :published => false})
		43	+
		44	+ result = folder.list_articles(folder.children, profile2)
		45	+
		46	+ assert_match 'Public Article', result
		47	+ assert_no_match /Not Public Article/, result
		48	+ end
		49	+
		50	+ should ' not list the folder\'s children to the user because the owner\'s profile is not public' do
		51	+ profile = create_user('folder-owner').person
		52	+ profile.public_profile = false
		53	+ profile.save!
		54	+ profile2 = create_user('Folder Viwer').person
		55	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		56	+ article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
		57	+
		58	+ result = folder.list_articles(folder.children, profile2)
		59	+
		60	+ assert_no_match /Article/, result
		61	+ end
		62	+
		63	+ should ' not list the folder\'s children to the user because the owner\'s profile is not visible' do
		64	+ profile = create_user('folder-owner').person
		65	+ profile.visible = false
		66	+ profile.save!
		67	+ profile2 = create_user('Folder Viwer').person
		68	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		69	+ article = fast_create(Article, {:name => 'Article', :parent_id => folder.id, :profile_id => profile.id})
		70	+
		71	+ result = folder.list_articles(folder.children, profile2)
		72	+
		73	+ assert_no_match /Article/, result
		74	+ end
		75	+
		76	+ should 'list subitems as HTML content' do
		77	+ profile = create_user('folder-owner').person
		78	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		79	+ article = fast_create(Article, {:name => 'Article1', :parent_id => folder.id, :profile_id => profile.id})
		80	+ article = fast_create(Article, {:name => 'Article2', :parent_id => folder.id, :profile_id => profile.id})
		81	+
		82	+ result = folder.list_articles(folder.children, profile)
		83	+
		84	+ assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.\/folder-owner\/my-article-[0-9](\?\|$)/ } }, :content => /Article1/
		85	+ assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.\/folder-owner\/my-article-[0-9](\?\|$)/ } }, :content => /Article2/
		86	+ end
		87	+
		88	+ should 'explictly advise if empty' do
		89	+ profile = create_user('folder-owner').person
		90	+ folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id})
		91	+ result = folder.list_articles(folder.children, profile)
		92	+
		93	+ assert_match '(empty folder)', result
		94	+ end
		95	+
18	end	96	end