From 947607f0206cfe40e86a6f152315ebb466edded9 Mon Sep 17 00:00:00 2001
From: Rodrigo Souto
Date: Fri, 12 Jul 2013 16:55:09 -0300
Subject: [PATCH] [comments-refactor-review] Testing permissions to edit comment too
---
 app/controllers/public/comment_controller.rb | 10 ++--------
 test/functional/comment_controller_test.rb | 38 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/app/controllers/public/comment_controller.rb b/app/controllers/public/comment_controller.rb
index 6a2aa5b..053a408 100644
--- a/app/controllers/public/comment_controller.rb
+++ b/app/controllers/public/comment_controller.rb
@@ -108,11 +108,8 @@ class CommentController < ApplicationController
 def edit
 begin
 @comment = profile.comments_received.find(params[:id])
+ raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
- @comment = nil
- end
-
- if @comment.nil?
 render_not_found
 return
 end
@@ -123,11 +120,8 @@ class CommentController < ApplicationController
 def update
 begin
 @comment = profile.comments_received.find(params[:id])
+ raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
- @comment = nil
- end
-
- if @comment.nil? or user != @comment.author
 render_not_found
 return
 end
diff --git a/test/functional/comment_controller_test.rb b/test/functional/comment_controller_test.rb
index 8613f33..0d0b7b8 100644
--- a/test/functional/comment_controller_test.rb
+++ b/test/functional/comment_controller_test.rb
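Review bot: The find-then-authorize block is now duplicated verbatim in `edit` and in the `update` hunk right below it, with only the terse trailing comment `# Not reveal that the comment exists` explaining why an authorization failure is raised as `ActiveRecord::RecordNotFound`. Both actions load the comment, raise when `can_be_updated_by?(user)` is false, and rescue into `render_not_found`; extracting that into one private helper keeps the deliberate 404-instead-of-403 behaviour (which stops an unauthorized caller from learning that the comment exists) in a single, documented place, with each action reduced to `return unless load_updatable_comment`. `can_be_updated_by?` is not part of this diff, so it presumably returns false for a nil `user`; the logged-out tests added in the test file rely on that. The bodies of `edit` and `update` continue past both hunks.
```ruby
  # … in the controller's private section …

  # Loads the comment addressed by params[:id] and checks that the current
  # user may change it. A forbidden comment is reported exactly like a missing
  # one (404, not 403) so the response does not reveal that it exists.
  # Returns true when @comment is ready, false after rendering not-found.
  def load_updatable_comment
    @comment = profile.comments_received.find(params[:id])
    raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user)
    true
  rescue ActiveRecord::RecordNotFound
    render_not_found
    false
  end
```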
@@ -477,7 +477,7 @@ class CommentControllerTest < ActionController::TestCase should 'edit comment from a page' do login_as profile.identifier page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text') - comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article') + comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article', :author_id => profile.id) get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' } assert_tag :tag => 'textarea', :attributes => {:id => 'comment_body'}, :content => 'Original comment' @@ -491,6 +491,24 @@ class CommentControllerTest < ActionController::TestCase assert_response 404 end + should 'not be able to edit comment not logged' do + page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text') + comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article') + + get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' } + assert_response 404 + end + + should 'not be able to edit comment if does not have the permission to' do + user = create_user('any_guy').person + login_as user.identifier + page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text') + comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article') + + get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' } + assert_response 404 + end + should 'be able to update a comment' do login_as profile.identifier page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text', :accept_comments => false) 
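Review bot: The new 'not be able to edit comment if does not have the permission to' test builds the comment with `fast_create(Comment, ...)` and no `:author_id`, so the 404 it asserts may come from the comment having no author at all rather than from `any_guy` not being its author. Creating it as `fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article', :author_id => profile.id)` — exactly what the edited 'edit comment from a page' test in the first hunk now does — makes the test exercise the authorization rule it is named for. The same applies to the 'not be able to update comment if does not have the permission to' test in the next hunk. As a point of style, the page/comment setup is now repeated in four new tests and the existing ones; a small helper that creates the article and comment would shorten them.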
@@ -509,6 +527,24 @@ class CommentControllerTest < ActionController::TestCase assert_response 404 end + should 'not be able to update comment not logged' do + page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text') + comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article') + + xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' } + assert_response 404 + end + + should 'not be able to update comment if does not have the permission to' do + user = create_user('any_guy').person + login_as user.identifier + page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text') + comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article') + + xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' } + assert_response 404 + end + should 'returns ids of menu items that has to be displayed' do class TestActionPlugin < Noosfero::Plugin def check_comment_actions(c) -- libgit2 0.21.2
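Review bot: Both new update tests assert only `assert_response 404` and never check that the comment was left untouched, so an implementation that applied the change and then rendered 404 would still pass. Add `assert_equal 'Original comment', comment.reload.body` after the status assertion in each of them; for an authorization test the state check is the stronger half. The 'returns ids of menu items' test at the end of the hunk is context that continues outside it.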