Commit 2c72cbbf188bd4a79792a94c4788cc06c0322ce2
Committed by
Rodrigo Souto
1 parent
088735b3
Exists in
master
and in
22 other branches
Handle access denied to not logged user properly
Showing
2 changed files
with
2 additions
and
2 deletions
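--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -127,7 +127,7 @@ class ContentViewerController < ApplicationController
 end
 
 unless @page.display_to?(user)
-if !profile.visible? || profile.secret? || (user && user.follows?(profile))
+if !profile.visible? || profile.secret? || (user && user.follows?(profile)) || user.blank?
 render_access_denied
 else #!profile.public?
 private_profile_partial_parameters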
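Review bot: The anonymous-visitor denial is the last term of the condition on new line 130, after `(user && user.follows?(profile))`, so the fail-closed rule for unauthenticated requests is easy to miss and the nil guard is still needed. Testing it first reads more directly and lets the guard go: `if user.blank? || !profile.visible? || profile.secret? || user.follows?(profile)`. The trailing comment on `else #!profile.public?` is also stale, because that branch is now reached only by a logged-in user who does not follow a visible, non-secret profile; `else # logged in, not following a visible non-secret profile` would match the code. The enclosing method starts and ends outside the hunk, so this assumes nothing later in it depends on the order in which the predicates are evaluated.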
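--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -262,7 +262,7 @@ class ContentViewerControllerTest < ActionController::TestCase
 
 get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
 
-assert_template "profile/_private_profile"
+assert_template "shared/access_denied"
 end
 
 should 'not give access to private articles if logged in but not member' do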
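Review bot: The updated expectation on new line 265 checks only which template is rendered, so a regression that serves the denial page with a success status would still pass. If `render_access_denied` sets a 403 status (its definition is not visible on this page), add `assert_response :forbidden` next to the `assert_template "shared/access_denied"` line. The test body starts above the hunk, so the setup that makes the visitor anonymous could not be checked here.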