Commit 947607f0206cfe40e86a6f152315ebb466edded9

Authored by Rodrigo Souto
1 parent 49557601

[comments-refactor-review] Testing permissions to edit comment too

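--- a/app/controllers/public/comment_controller.rb
+++ b/app/controllers/public/comment_controller.rb
@@ -108,11 +108,8 @@ class CommentController < ApplicationController
 def edit
 begin
 @comment = profile.comments_received.find(params[:id])
+raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
-@comment = nil
-end
-
-if @comment.nil?
 render_not_found
 return
 end
@@ -123,11 +120,8 @@ class CommentController < ApplicationController
 def update
 begin
 @comment = profile.comments_received.find(params[:id])
+raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
-@comment = nil
-end
-
-if @comment.nil? or user != @comment.author
 render_not_found
 return
 end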
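Review bot: The find-and-authorize sequence is now duplicated verbatim in `edit` and in `update` (second hunk, lines 122–127), so a later change to the permission rule has to be made in two places; moving it into one private method run as a `before_filter` for both actions keeps the check in a single place. The denial is expressed by raising `ActiveRecord::RecordNotFound`, which is what makes an unauthorized request indistinguishable from a missing comment — the intent of the inline comment, which would read more clearly as `# 404 rather than 403, so the response does not reveal that the comment exists`. `user` is nil for anonymous requests, so `can_be_updated_by?` must tolerate nil; the new not-logged-in test suggests it does, but that contract lives outside this file. The filter version below assumes `render_not_found` renders a response (and therefore halts the chain), which is how both hunks already use it; both methods continue past the end of their hunks.
```ruby
before_filter :find_comment_for_update, :only => [:edit, :update]

# … unchanged: other actions …

private

# Shared by edit and update: loads the comment and checks that the caller may
# change it. Renders 404 both when the comment is missing and when the caller is
# not permitted, so the response does not reveal that the comment exists.
def find_comment_for_update
  @comment = profile.comments_received.find(params[:id])
  raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user)
rescue ActiveRecord::RecordNotFound
  render_not_found
end
```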
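--- a/test/functional/comment_controller_test.rb
+++ b/test/functional/comment_controller_test.rb
@@ -477,7 +477,7 @@ class CommentControllerTest < ActionController::TestCase
 should 'edit comment from a page' do
 login_as profile.identifier
 page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
-comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article', :author_id => profile.id)
 
 get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
 assert_tag :tag => 'textarea', :attributes => {:id => 'comment_body'}, :content => 'Original comment'
@@ -491,6 +491,24 @@ class CommentControllerTest < ActionController::TestCase
 assert_response 404
 end
 
+should 'not be able to edit comment not logged' do
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
+should 'not be able to edit comment if does not have the permission to' do
+user = create_user('any_guy').person
+login_as user.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
 should 'be able to update a comment' do
 login_as profile.identifier
 page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text', :accept_comments => false)
@@ -509,6 +527,24 @@ class CommentControllerTest < ActionController::TestCase
 assert_response 404
 end
 
+should 'not be able to update comment not logged' do
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
+should 'not be able to update comment if does not have the permission to' do
+user = create_user('any_guy').person
+login_as user.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
 should 'returns ids of menu items that has to be displayed' do
 class TestActionPlugin < Noosfero::Plugin
 def check_comment_actions(c)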
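Review bot: In the four new negative tests the comment is created without `:author_id`, so the 404 may come from the comment having no author at all rather than from `any_guy` lacking permission; the positive test in the first hunk had to gain `:author_id => profile.id` to keep passing, which suggests an authorless comment is denied regardless of who is logged in. Creating the comment with `:author_id => profile.id` in the two 'does not have the permission to' cases (lines 506 and 542) would make them exercise the permission check against a comment that does have an owner, which is the case the commit is about. The names would also read more naturally as `should 'not be able to edit comment when not logged in'` and `should 'not be able to edit comment without permission'` (and likewise for update).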