Commit 947607f0206cfe40e86a6f152315ebb466edded9

Authored by Rodrigo Souto
1 parent 49557601

[comments-refactor-review] Testing permissions to edit comment too

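--- a/app/controllers/public/comment_controller.rb
+++ b/app/controllers/public/comment_controller.rb
@@ -108,11 +108,8 @@ class CommentController < ApplicationController
 def edit
 begin
 @comment = profile.comments_received.find(params[:id])
+raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
-@comment = nil
-end
-
-if @comment.nil?
 render_not_found
 return
 end
@@ -123,11 +120,8 @@ class CommentController < ApplicationController
 def update
 begin
 @comment = profile.comments_received.find(params[:id])
+raise ActiveRecord::RecordNotFound unless @comment.can_be_updated_by?(user) # Not reveal that the comment exists
 rescue ActiveRecord::RecordNotFound
-@comment = nil
-end
-
-if @comment.nil? or user != @comment.author
 render_not_found
 return
 end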
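Review bot: The lookup-and-authorise step added on new lines 111 and 123 is now duplicated verbatim in `edit` and `update`, rationale comment included, which is exactly how the previous versions drifted apart (`edit` checked nothing, `update` compared `user != @comment.author`). Raising `ActiveRecord::RecordNotFound` by hand also turns the rescue into control flow for a permission failure. A private helper that returns the comment or nil keeps the deliberate single 404 for both a missing comment and a denied user, with each action reduced to `@comment = find_updatable_comment` followed by the existing `render_not_found; return` guard written as `unless @comment`. Both methods continue past the end of their hunks. Sketch of the helper:
```ruby
# … unchanged: edit and update, each now starting with @comment = find_updatable_comment …

private

# The comment only when it exists under this profile and `user` may update it;
# nil otherwise, so a missing comment and a denied user get the same 404 and
# a guessed id reveals nothing about whether the comment exists.
def find_updatable_comment
  comment = profile.comments_received.find_by_id(params[:id])
  comment if comment && comment.can_be_updated_by?(user)
end
```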
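--- a/test/functional/comment_controller_test.rb
+++ b/test/functional/comment_controller_test.rb
@@ -477,7 +477,7 @@ class CommentControllerTest < ActionController::TestCase
 should 'edit comment from a page' do
 login_as profile.identifier
 page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
-comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article', :author_id => profile.id)
 
 get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
 assert_tag :tag => 'textarea', :attributes => {:id => 'comment_body'}, :content => 'Original comment'
@@ -491,6 +491,24 @@ class CommentControllerTest < ActionController::TestCase
 assert_response 404
 end
 
+should 'not be able to edit comment not logged' do
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
+should 'not be able to edit comment if does not have the permission to' do
+user = create_user('any_guy').person
+login_as user.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+get :edit, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
 should 'be able to update a comment' do
 login_as profile.identifier
 page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text', :accept_comments => false)
@@ -509,6 +527,24 @@ class CommentControllerTest < ActionController::TestCase
 assert_response 404
 end
 
+should 'not be able to update comment not logged' do
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
+should 'not be able to update comment if does not have the permission to' do
+user = create_user('any_guy').person
+login_as user.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+comment = fast_create(Comment, :body => 'Original comment', :source_id => page.id, :source_type => 'Article')
+
+xhr :post, :update, :id => comment.id, :profile => profile.identifier, :comment => { :body => 'Comment edited' }
+assert_response 404
+end
+
 should 'returns ids of menu items that has to be displayed' do
 class TestActionPlugin < Noosfero::Plugin
 def check_comment_actions(c)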
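Review bot: The four denial tests added on new lines 494–510 and 530–546 check only the 404 status; in the two update tests nothing verifies that the comment body was left alone, so a regression that persisted the edit and then rendered 404 would still pass. After each `assert_response 404` in those two tests add `assert_equal 'Original comment', comment.reload.body`. The two 'not logged' tests also build the comment without `:author_id`, so they cannot tell a nil `user` apart from a comment that simply has no author; giving the comment an author, as the edited test on line 480 now does, would make the logged-out case unambiguous.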