Commit 766d3c974e30487eb858e72ede0710e6d4e3d855

Authored by Rodrigo Souto
1 parent 566724a7

[work-assignment] Defining download and upload restrictions

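--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -16,7 +16,12 @@ class CmsController < MyProfileController
 
 before_filter :login_required, :except => [:suggest_an_article]
 
-protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish] do |c, user, profile|
+protect_if :only => :upload_files do |c, user, profile|
+article_id = c.params[:parent_id]
+profile.articles.find(article_id).allow_create?(user)
+end
+
+protect_if :except => [:suggest_an_article, :set_home_page, :edit, :destroy, :publish, :upload_files] do |c, user, profile|
 user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile))
 end
 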
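Review bot: The new `protect_if :only => :upload_files` block hands whatever `params[:parent_id]` holds straight to `profile.articles.find(article_id)`, so when the parameter is absent (if `upload_files` can still target the profile root, as its removal from the `:except` list of the general check suggests it once could) `find(nil)` raises `ActiveRecord::RecordNotFound` and no permission decision is made at all for that case. Scoping the lookup through `profile.articles` is the right call, since a `parent_id` belonging to another profile cannot be resolved. Consider making the no-parent case explicit, e.g. `parent = article_id.blank? ? nil : profile.articles.find(article_id)` and then deciding on `parent` (fall back to the `post_content`/`publish_content` check below, or deny), with a comment on the block stating which of the two was chosen.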
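--- a/plugins/work_assignment/lib/work_assignment_plugin.rb
+++ b/plugins/work_assignment/lib/work_assignment_plugin.rb
@@ -5,7 +5,16 @@ class WorkAssignmentPlugin < Noosfero::Plugin
 end
 
 def self.plugin_description
-_("New kind of content for work organization.")
+_("New kind of content for organizations.")
+end
+
+def self.can_download_submission?(user, submission)
+work_assignment = submission.parent.parent
+work_assignment.publish_submissions || (user && (submission.author == user || user.has_permission?('view_private_content', work_assignment.profile)))
+end
+
+def self.is_submission?(content)
+content && content.parent && content.parent.parent && content.parent.parent.kind_of?(WorkAssignmentPlugin::WorkAssignment)
 end
 
 def content_types
@@ -24,4 +33,20 @@ class WorkAssignmentPlugin < Noosfero::Plugin
 !content.profile.members.include?(context.send(:user))
 end
 
+def content_viewer_controller_filters
+block = lambda do
+path = params[:page].join('/')
+content = profile.articles.find_by_path(path)
+
+if WorkAssignmentPlugin.is_submission?(content) && !WorkAssignmentPlugin.can_download_submission?(user, content)
+render_access_denied
+end
+end
+
+{ :type => 'before_filter',
+:method_name => 'work_assingment_only_admin_or_owner_download',
+:options => {:only => 'view_page'},
+:block => block }
+end
+
 end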
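Review bot: `can_download_submission?` dereferences `submission.parent.parent` without a guard, so it raises on any content that is not a submission; the only caller in this commit checks `is_submission?` first, but the method is public on the plugin class, so either add `return false unless is_submission?(submission)` at the top or state the precondition in a comment such as `# Caller must have verified is_submission?(submission); parent.parent is the WorkAssignment.`. The `before_filter` returned by `content_viewer_controller_filters` restricts only `view_page`; if an uploaded file is also reachable through another action or directly from the file store, that path is not covered by this commit, which is worth confirming before relying on the restriction. The `:method_name` string `'work_assingment_only_admin_or_owner_download'` and the new test file `plugins/work_assignment/test/unit/work_assingment_plugin_test.rb` both misspell "assignment".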
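--- a/plugins/work_assignment/lib/work_assignment_plugin/work_assignment.rb
+++ b/plugins/work_assignment/lib/work_assignment_plugin/work_assignment.rb
@@ -1,5 +1,7 @@
 class WorkAssignmentPlugin::WorkAssignment < Folder
 
+alias :submissions :children
+
 def self.icon_name(article = nil)
 'work-assignment'
 end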
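Review bot: `alias :submissions :children` calls the direct children of a work assignment "submissions", but the structure the rest of this commit relies on (`submission.parent.parent` is the work assignment in `can_download_submission?`, and the tests create submissions under `find_or_create_author_folder`) makes those direct children the per-author folders, not the uploaded submissions themselves. A comment on the alias would prevent that misreading, e.g. `# children are the per-author folders; the uploaded submissions live one level below`, or rename it to something like `author_folders` if nothing depends on `submissions` yet, which I cannot tell from here.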
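--- /dev/null
+++ b/plugins/work_assignment/test/functional/cms_controller_test.rb
@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'cms_controller'
+
+# Re-raise errors caught by the controller.
+class CmsController; def rescue_action(e) raise e end; end
+
+class CmsControllerTest < ActionController::TestCase
+
+def setup
+@controller = CmsController.new
+@request = ActionController::TestRequest.new
+@response = ActionController::TestResponse.new
+@person = create_user('test_user').person
+login_as :test_user
+end
+
+attr_accessor :person
+
+should 'not allow non-members to upload submissions on work_assignment' do
+organization = fast_create(Organization)
+work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
+
+get :upload_files, :profile => organization.identifier, :parent_id => work_assignment.id
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+
+organization.add_member(person)
+
+get :upload_files, :profile => organization.identifier, :parent_id => work_assignment.id
+assert_response :success
+end
+
+end
+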
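Review bot: The test toggles membership with `organization.add_member(person)`, but the guard under test is `allow_create?` on the parent article, so the pass depends on membership implying `allow_create?` for a `WorkAssignment` folder, which nothing in this file shows; a one-line comment above the `should` naming that assumption would tell a reader why the second `get` is expected to succeed. Style: `attr_accessor :person` exposes a writer nothing here uses; `attr_reader :person` is enough and matches the sibling `content_viewer_controller_test.rb`.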
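--- /dev/null
+++ b/plugins/work_assignment/test/functional/content_viewer_controller_test.rb
@@ -0,0 +1,41 @@
+require 'test_helper'
+require 'content_viewer_controller'
+
+# Re-raise errors caught by the controller.
+class ContentViewerController; def rescue_action(e) raise e end; end
+
+class ContentViewerControllerTest < ActionController::TestCase
+
+def setup
+@controller = ContentViewerController.new
+@request = ActionController::TestRequest.new
+@response = ActionController::TestResponse.new
+
+@organization = fast_create(Organization)
+@work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => @organization)
+@person = create_user('test_user').person
+@environment = @organization.environment
+@environment.enable_plugin(WorkAssignmentPlugin)
+@environment.save!
+login_as(:test_user)
+end
+attr_reader :organization, :person, :work_assignment
+
+should 'can download work_assignment' do
+random_member = fast_create(Person)
+organization.add_member(random_member)
+folder = work_assignment.find_or_create_author_folder(random_member)
+submission = UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization, :parent => folder)
+WorkAssignmentPlugin.stubs(:can_download_submission?).returns(false)
+
+get :view_page, :profile => organization.identifier, :page => submission.explode_path
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+
+WorkAssignmentPlugin.stubs(:can_download_submission?).returns(true)
+
+get :view_page, :profile => organization.identifier, :page => submission.explode_path
+assert_response :success
+end
+
+end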
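Review bot: The test name `'can download work_assignment'` does not say what the block checks, which is that `view_page` on a submission is denied or allowed according to `can_download_submission?`; `should 'deny or allow submission download according to can_download_submission?'` would read true. Since the predicate is stubbed outright, only the filter wiring is exercised here (the `false` branch also proves `is_submission?` recognises a real `UploadedFile` under an author folder), so a short comment saying the fixture shape is load-bearing would keep a future cleanup from flattening it.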
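--- /dev/null
+++ b/plugins/work_assignment/test/unit/work_assingment_plugin_test.rb
@@ -0,0 +1,57 @@
+require 'test_helper'
+
+class WorkAssignmentPluginTest < ActiveSupport::TestCase
+should 'verify if a content is a work_assignment submission' do
+organization = fast_create(Organization)
+content = UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization)
+assert !WorkAssignmentPlugin.is_submission?(content)
+
+work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
+content.parent = work_assignment
+content.save!
+assert !WorkAssignmentPlugin.is_submission?(content)
+
+author_folder = work_assignment.find_or_create_author_folder(fast_create(Person))
+content.parent = author_folder
+content.save!
+assert WorkAssignmentPlugin.is_submission?(content)
+end
+
+should 'be able to download submission if work_assignment published submissions' do
+submission = create_submission
+assert !WorkAssignmentPlugin.can_download_submission?(nil, submission)
+
+work_assignment = submission.parent.parent
+work_assignment.publish_submissions = true
+work_assignment.save!
+assert WorkAssignmentPlugin.can_download_submission?(nil, submission)
+end
+
+should 'be able to download submission if the user is author of it' do
+person = fast_create(Person)
+submission = create_submission
+assert !WorkAssignmentPlugin.can_download_submission?(person, submission)
+
+submission.author = person
+submission.save!
+assert WorkAssignmentPlugin.can_download_submission?(person, submission)
+end
+
+should 'be able to download submission if the user has the view_private_content permission on the profile' do
+person = fast_create(Person)
+submission = create_submission
+assert !WorkAssignmentPlugin.can_download_submission?(person, submission)
+
+moderator = create_user_with_permission('moderator', 'view_private_content', submission.profile)
+assert WorkAssignmentPlugin.can_download_submission?(moderator, submission)
+end
+
+private
+
+def create_submission
+organization = fast_create(Organization)
+work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
+author_folder = work_assignment.find_or_create_author_folder(fast_create(Person))
+UploadedFile.create!(:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), :profile => organization, :parent => author_folder)
+end
+end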
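--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -1566,6 +1566,18 @@ class CmsControllerTest < ActionController::TestCase
 assert_equal profile, a.author
 end
 
+should 'not allow user upload files if he can not create on the parent folder' do
+c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+u = create_user('test_user')
+a = c.articles.create!(:name => 'test_article')
+a.stubs(:allow_create?).with(u).returns(true)
+login_as :test_user
+
+get :upload_files, :profile => c.identifier, :parent_id => a.id
+assert_response :forbidden
+assert_template 'access_denied.rhtml'
+end
+
 protected
 
 # FIXME this is to avoid adding an extra dependency for a proper JSON parser.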
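Review bot: The stub `a.stubs(:allow_create?).with(u).returns(true)` contradicts the test name and cannot affect the controller anyway: the `protect_if` block loads its own instance through `profile.articles.find`, so the stub on the local `a` is never consulted, and `u` is the `User` returned by `create_user` while the block appears to receive the person (the plugin hunks compare that argument with `submission.author`). The test therefore passes only because the real `allow_create?` denies a non-member, which is not what it claims to verify. Either drop the stub line or make it bite on the instance the controller sees, e.g. `Article.any_instance.stubs(:allow_create?).returns(false)`, and add the positive counterpart that stubs `true` and asserts `:success` so the new guard is pinned in both directions.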