Download as
Browse Code »

Commit cd15a410a4673db619f96d52b11ffc293f0a1eba

Authored by Victor Costa
1 parent 83dd0faf
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Deny access to set_home_page for unauthorized users

Showing 2 changed files with 9 additions and 0 deletions   Show diff stats
app/controllers/my_profile/cms_controller.rb
  Diff comments   View file @cd15a41
@@ -174,6 +174,8 @@ class CmsController < MyProfileController @@ -174,6 +174,8 @@ class CmsController < MyProfileController
174 174
175 post_only :set_home_page 175 post_only :set_home_page
176 def set_home_page 176 def set_home_page
  177 + return render_access_denied unless user.can_change_homepage?
  178 +
177 article = params[:id].nil? ? nil : profile.articles.find(params[:id]) 179 article = params[:id].nil? ? nil : profile.articles.find(params[:id])
178 profile.update_attribute(:home_page, article) 180 profile.update_attribute(:home_page, article)
179 181
test/functional/cms_controller_test.rb
  Diff comments   View file @cd15a41
@@ -114,6 +114,13 @@ class CmsControllerTest < ActionController::TestCase @@ -114,6 +114,13 @@ class CmsControllerTest < ActionController::TestCase
114 assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"} 114 assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
115 end 115 end
116 116
  117 + should 'not allow profile homepage changes if cannot change homepage' do
  118 + env = Environment.default; env.enable('cant_change_homepage')
  119 + a = profile.articles.create!(:name => 'my new home page')
  120 + post :set_home_page, :profile => profile.identifier, :id => a.id
  121 + assert_response 403
  122 + end
  123 +
117 should 'be able to set home page' do 124 should 'be able to set home page' do
118 a = profile.articles.build(:name => 'my new home page') 125 a = profile.articles.build(:name => 'my new home page')
119 a.save! 126 a.save!