From 79df3e282deb595c919afbc7d0115fe8b30df8fc Mon Sep 17 00:00:00 2001 From: Rodrigo Souto Date: Fri, 16 Apr 2010 16:49:37 -0300 Subject: [PATCH] Check user permission before listing. --- app/helpers/folder_helper.rb | 18 +++++++++++++----- app/models/folder.rb | 5 ++++- app/views/content_viewer/folder.rhtml | 10 ++++++++++ app/views/profile/sitemap.rhtml | 2 +- test/unit/folder_helper_test.rb | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 101 insertions(+), 7 deletions(-) create mode 100644 app/views/content_viewer/folder.rhtml diff --git a/app/helpers/folder_helper.rb b/app/helpers/folder_helper.rb index 288d1cb..429f71c 100644 --- a/app/helpers/folder_helper.rb +++ b/app/helpers/folder_helper.rb @@ -1,11 +1,19 @@ module FolderHelper def list_articles(articles, recursive = false) - content_tag( - 'table', - content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) + - articles.select { |item| item.public? }.map {|item| display_article_in_listing(item, recursive, 0)}.join('') - ) + if !articles.blank? + content_tag( + 'table', + content_tag('tr', content_tag('th', _('Title')) + content_tag('th', _('Last update'))) + + articles.map {|item| display_article_in_listing(item, recursive, 0)}.join('') + ) + else + content_tag('em', _('(empty folder)')) + end + end + + def available_articles(articles, user) + articles.select {|article| article.display_to?(user)} end def display_article_in_listing(article, recursive = false, level = 0) diff --git a/app/models/folder.rb b/app/models/folder.rb index 9b6252f..f455a6a 100644 --- a/app/models/folder.rb +++ b/app/models/folder.rb @@ -41,7 +41,10 @@ class Folder < Article end def folder - content_tag('div', body) + tag('hr') + (children.empty? ? content_tag('em', _('(empty folder)')) : list_articles(children)) + folder = self + lambda do + render :file => 'content_viewer/folder', :locals => { :folder => folder } + end end def image_gallery 
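Review bot: `list_articles` no longer filters anything itself: the old `articles.select { |item| item.public? }` is gone and the only check now lives in `available_articles`, so every caller has to remember to pre-filter. The `list subitems as HTML content` test in this same patch already calls `folder.list_articles(folder.children)` with an unfiltered list, which shows how easily the unchecked path is reached. The recursive branch of `display_article_in_listing` (its body lies outside this hunk) presumably walks children without going through `available_articles` either, which is worth confirming. At minimum state the contract above the method, e.g. `# Renders every article it is given; callers must first filter with available_articles(articles, user).`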
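Review bot: `Folder#folder` now returns a Proc instead of an HTML string, and the template it renders reads `user` although only `:folder` is passed in `:locals`. The permission filter therefore depends on whatever `user` resolves to in the context that eventually evaluates the lambda, which is not visible in this patch. A comment on the method would make that dependency explicit, e.g. `# Returns a Proc to be evaluated in a view context that provides user; the child listing is filtered against that user.` Callers that treated the old return value as a string are outside this hunk and should be checked.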
diff --git a/app/views/content_viewer/folder.rhtml b/app/views/content_viewer/folder.rhtml new file mode 100644 index 0000000..0f821f4 --- /dev/null +++ b/app/views/content_viewer/folder.rhtml @@ -0,0 +1,10 @@ +
+ <%= folder.body %> +
+
+ +<% if folder.children.empty? %> + <%= _('(empty folder)') %> +<% else %> + <%= list_articles(available_articles(folder.children, user)) %> +<% end %> diff --git a/app/views/profile/sitemap.rhtml b/app/views/profile/sitemap.rhtml index fd74211..0fcf974 100644 --- a/app/views/profile/sitemap.rhtml +++ b/app/views/profile/sitemap.rhtml @@ -1,3 +1,3 @@
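Review bot: The emptiness test runs on `folder.children` while the listing uses the filtered set, so a folder whose children are all hidden from the viewer takes a different branch from a folder that has no children. `list_articles` already returns `(empty folder)` for a blank list, so both cases can go through one path and render identically, which avoids hinting that hidden content exists: keep only `<%= list_articles(available_articles(folder.children, user)) %>` and drop the surrounding `if`/`else`. The markup of this template is partly lost in this rendering of the patch, so whether the two branches currently differ in output cannot be confirmed from here.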

<%= _("%s: site map") % profile.name %>

-<%= list_articles(@articles, false) %> +<%= list_articles(available_articles(@articles, user), false) %> diff --git a/test/unit/folder_helper_test.rb b/test/unit/folder_helper_test.rb index c0cb378..493157b 100644 --- a/test/unit/folder_helper_test.rb +++ b/test/unit/folder_helper_test.rb 
@@ -15,4 +15,77 @@ class FolderHelperTest < Test::Unit::TestCase assert_equal 'icons-mime/unknown.png', icon_for_article(art2) end + should 'list all the folder\'s children to the owner' do + profile = create_user('Folder Owner').person + folder = fast_create(Folder, :profile_id => profile.id) + sub_folder = fast_create(Folder, {:parent_id => folder.id, :profile_id => profile.id}) + sub_blog = fast_create(Blog, {:parent_id => folder.id, :profile_id => profile.id}) + sub_article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id, :published => false}) + + result = available_articles(folder.children, profile) + + assert_includes result, sub_folder + assert_includes result, sub_article + assert_includes result, sub_blog + end + + should 'list the folder\'s children that are public to the user' do + profile = create_user('Folder Owner').person + profile2 = create_user('Folder Viwer').person + folder = fast_create(Folder, :profile_id => profile.id) + public_article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id, :published => true}) + not_public_article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id, :published => false}) + + result = available_articles(folder.children, profile2) + + assert_includes result, public_article + assert_not_includes result, not_public_article + end + + should ' not list the folder\'s children to the user because the owner\'s profile is not public' do + profile = create_user('folder-owner').person + profile.public_profile = false + profile.save! 
+ profile2 = create_user('Folder Viwer').person + folder = fast_create(Folder, :profile_id => profile.id) + article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id}) + + result = available_articles(folder.children, profile2) + + assert_not_includes result, article + end + + should ' not list the folder\'s children to the user because the owner\'s profile is not visible' do + profile = create_user('folder-owner').person + profile.visible = false + profile.save! + profile2 = create_user('Folder Viwer').person + folder = fast_create(Folder, :profile_id => profile.id) + article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id}) + + result = available_articles(folder.children, profile2) + + assert_not_includes result, article + end + + should 'list subitems as HTML content' do + profile = create_user('folder-owner').person + folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id}) + article = fast_create(Article, {:name => 'Article1', :parent_id => folder.id, :profile_id => profile.id}) + article = fast_create(Article, {:name => 'Article2', :parent_id => folder.id, :profile_id => profile.id}) + + result = folder.list_articles(folder.children) + + assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article1/ + assert_tag_in_string result, :tag => 'td', :descendant => { :tag => 'a', :attributes => { :href => /.*\/folder-owner\/my-article-[0-9]*(\?|$)/ } }, :content => /Article2/ + end + + should 'explictly advise if empty' do + profile = create_user('folder-owner').person + folder = fast_create(Folder, {:name => 'Parent Folder', :profile_id => profile.id}) + result = folder.list_articles(folder.children) + + assert_match '(empty folder)', result + end + end -- libgit2 0.21.2
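Review bot: None of the added tests calls `available_articles` with a nil user, yet an unauthenticated visitor is the viewer for whom this filter matters most on public folder and sitemap pages. How `display_to?` treats nil is not visible in this patch, so a test should pin it; one in the style of the existing cases is sketched below. Separately, `list subitems as HTML content` assigns `article` twice and asserts on hrefs matching `my-article-[0-9]*`, which does not obviously tie either link to `Article1` or `Article2`. The test class starts outside this hunk.

```ruby
should 'list only the public children to an anonymous visitor' do
  profile = create_user('folder-owner').person
  folder = fast_create(Folder, :profile_id => profile.id)
  public_article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id, :published => true})
  hidden_article = fast_create(Article, {:parent_id => folder.id, :profile_id => profile.id, :published => false})

  result = available_articles(folder.children, nil)

  assert_includes result, public_article
  assert_not_includes result, hidden_article
end
```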