Commit 89b2559c511936a51e0c97a692b7d316d1f11a91

Authored by Antonio Terceiro
2 parents e51ebfd7 48f51755

Merge branch 'private-environment' into 'master'

Fixes pages that appear public even when environment is private

This fixes a bug in which some pages (e.g. a profile page) were visible to users who were not logged in, even if the environment had enabled "show content only to members". See the commit message for an explanation of what was done and why. Closes issue #124

See merge request !679
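--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,11 +9,15 @@ class ApplicationController < ActionController::Base
   before_filter :allow_cross_domain_access
 
   before_filter :login_from_cookie
-  before_filter :login_required, :if => :private_environment?
+  before_filter :require_login_for_environment, :if => :private_environment?
 
   before_filter :verify_members_whitelist, :if => [:private_environment?, :user]
   before_filter :redirect_to_current_user
 
+  def require_login_for_environment
+    login_required
+  end
+
   def verify_members_whitelist
     render_access_denied unless user.is_admin? || environment.in_whitelist?(user)
   end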
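Review bot: `require_login_for_environment` is added as a public instance method on ApplicationController, directly after the filter declarations with no `protected`/`private` marker in view, so in Rails it is also reachable as an action on every controller that inherits from it; declaring it `protected` (or placing it in the controller's protected section, which lies outside this hunk) keeps the filter chain working while hiding it from routing. Since the method does nothing but call `login_required`, the reason for the indirection should be recorded next to it, e.g. `# Distinct filter name so a subclass declaring its own login_required filter does not override the environment-wide check`. That motivation is inferred from the AccountController change in this same merge rather than stated in the hunk, so adjust the wording to match the commit message. `verify_members_whitelist` below has the same public-visibility issue but is pre-existing.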
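--- a/app/controllers/public/account_controller.rb
+++ b/app/controllers/public/account_controller.rb
@@ -2,7 +2,7 @@ class AccountController < ApplicationController
 
   no_design_blocks
 
-  before_filter :login_required, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
+  before_filter :login_required, :require_login_for_environment, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
   before_filter :redirect_if_logged_in, :only => [:login, :signup]
   before_filter :protect_from_bots, :only => :signup
 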
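Review bot: Adding `:require_login_for_environment` to this `before_filter` with an `:only` list relies on Rails replacing the inherited filter's `:if => :private_environment?` condition with this action list, which is what keeps `login` and `signup` reachable in a private environment; that is not evident from the line itself and deserves a comment such as `# Redeclared here to narrow the environment-wide login filter from ApplicationController, so login/signup stay reachable when the environment is restricted to members`. Note that the `:if` condition is dropped in the process, so the filter now runs for these four actions in public environments too; that is harmless only because `login_required` is in the same list, and the two lists must be kept in step or this becomes an unintended access change. Whether the parent filter is actually overridden rather than run a second time cannot be confirmed from the hunk alone.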
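--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -1046,4 +1046,15 @@ class AccountControllerTest < ActionController::TestCase
       :national_region_type_id => NationalRegionType::CITY,
       :parent_national_region_code => parent_region.national_region_code)
   end
+
+  should 'not lock users out of login if environment is restrict to members' do
+    Environment.default.enable(:restrict_to_members)
+    get :login
+    assert_response :success
+
+    post :login, :user => {:login => 'johndoe', :password => 'test'}
+    assert session[:user]
+    assert_response :redirect
+  end
+
 end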
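Review bot: The new test covers only the positive side of the fix (the login page and the login POST still work under `restrict_to_members`) and never checks that an unauthenticated request to one of the actions in the controller's `:only` list is still blocked, so a regression that drops the filter entirely would pass. Before the `post :login`, a request such as `get :change_password` followed by `assert_redirected_to :controller => 'account', :action => 'login'` (the same expectation the profile controller test in this merge uses) would pin that. The test also assumes a 'johndoe'/'test' user exists in the fixtures, which is inferred rather than visible here. The enclosing test class continues outside the hunk.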
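--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -1812,4 +1812,10 @@ class ProfileControllerTest < ActionController::TestCase
     assert @response.body.index("another_user") > @response.body.index("different_user")
   end
 
+  should 'redirect to login if environment is restrict to members' do
+    Environment.default.enable(:restrict_to_members)
+    get :index
+    assert_redirected_to :controller => 'account', :action => 'login'
+  end
+
 end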
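Review bot: The new test asserts only that a logged-out `get :index` is redirected to the login page under `restrict_to_members`; the complementary case, that a logged-in member can still reach the profile in a restricted environment, is not covered, so a filter that redirected unconditionally would also pass. Pairing this with a second request made after logging in (using whatever login helper this test case already provides) and asserting a non-redirect response would tie the test to the intended behaviour rather than just to the redirect. The enclosing test class continues outside the hunk.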