Commit 35d7a6afc47334b10c03d7e9a6deb0df1114c96f
1 parent
25f34b4d
Checking for permission to view the article before the version
Showing
3 changed files
with
43 additions
and
26 deletions
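--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -26,25 +26,10 @@ class ContentViewerController < ApplicationController
 end
 end
 
-if !@page.nil? && !@page.display_to?(user)
-if !profile.public?
-private_profile_partial_parameters
-render :template => 'profile/_private_profile.rhtml', :status => 403
-else #if !profile.visible?
-message = _('You are not allowed to view this content.')
-message += ' ' + _('You can contact the owner of this profile to request access then.')
-render_access_denied(message)
-end
-return
-end
+return unless allow_access_to_page(path)
 
-# page not found, give error
-if @page.nil?
-render_not_found(@path)
-return
-end
-
-if @version
+if @version > 0
+return render_access_denied unless @page.display_versions?
 @versioned_article = @page.versions.find_by_version(@version)
 if @versioned_article && @page.versions.latest.version != @versioned_article.version
 render :template => 'content_viewer/versioned_article.rhtml'
@@ -140,10 +125,8 @@ class ContentViewerController < ApplicationController
 def article_versions
 path = params[:page].join('/')
 @page = profile.articles.find_by_path(path)
-unless @page
-render_not_found(@page)
-return
-end
+return unless allow_access_to_page(path)
+
 render_access_denied unless @page.display_versions?
 @versions = @page.versions.paginate(:per_page => per_page, :page => params[:npage])
 end
@@ -178,4 +161,22 @@ class ContentViewerController < ApplicationController
 end
 helper_method :pass_without_comment_captcha?
 
+def allow_access_to_page(path)
+allowed = true
+if @page.nil? # page not found, give error
+render_not_found(path)
+allowed = false
+elsif !@page.display_to?(user)
+if !profile.public?
+private_profile_partial_parameters
+render :template => 'profile/_private_profile.rhtml', :status => 403
+allowed = false
+else #if !profile.visible?
+render_access_denied
+allowed = false
+end
+end
+allowed
+end
+
 end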
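Review bot: `allow_access_to_page` (new line 164) is defined with no visibility keyword visible in the hunk, right after `helper_method :pass_without_comment_captcha?`; unless that position is already below a `protected`/`private` marker, it is a public controller method and therefore reachable as an action, so add `private :allow_access_to_page` after the definition or move it into the private section. The new method also calls `render_access_denied` with no message where the removed code (old lines 34-36) passed the "not allowed to view this content / contact the owner" text, so the hint to request access is silently dropped — confirm that is intended. In `view_page`, `if @version > 0` (new line 31) replaces `if @version` and raises NoMethodError if `@version` can be nil; this is only safe if `@version` is always coerced to an Integer earlier in the method, which starts outside the hunk. Finally, `article_versions` (new line 130) still calls `render_access_denied unless @page.display_versions?` without `return`, unlike new line 32, so it goes on to build `@versions` after rendering; `return render_access_denied unless @page.display_versions?` would make the two paths consistent.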
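--- a/features/article_versioning.feature
+++ b/features/article_versioning.feature
@@ -69,3 +69,19 @@ Feature: article versioning
 | joaosilva | Versions disabled | Versions can't be displayed | false |
 And I go to /joaosilva/versions-disabled/versions
 Then I should see "Access denied"
+
+Scenario: deny access to specific version when disabled on article and not logged
+Given the article "Edited Article" is updated with
+| display_versions |
+| false |
+And I am not logged in
+And I go to /joaosilva/edited-article?version=1
+Then I should see "Access denied"
+
+Scenario: deny access to specific version when disabled, private and not logged
+Given the article "Edited Article" is updated with
+| display_versions | published |
+| false | false |
+And I am not logged in
+And I go to /joaosilva/edited-article?version=1
+Then I should see "Access denied"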
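--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -381,21 +381,21 @@ class ContentViewerControllerTest < ActionController::TestCase
 end
 
 should "fetch correct article version" do
-page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
 page.body = 'edited article'; page.save
 
 get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 1
 
-assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /original article/
+assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /original article/
 end
 
 should "display current article if version does not exist" do
-page = profile.articles.create!(:name => 'myarticle', :body => 'original article')
+page = TextArticle.create!(:name => 'myarticle', :body => 'original article', :display_versions => true, :profile => profile)
 page.body = 'edited article'; page.save
 
 get :view_page, :profile => profile.identifier, :page => [ 'myarticle' ], :version => 'bli'
 
-assert_tag :tag => 'div', :attributes => { :class => 'article-body article-body-article' }, :content => /edited article/
+assert_tag :tag => 'div', :attributes => { :class => /article-body/ }, :content => /edited article/
 end
 
 should 'not return an article of a different user' do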
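Review bot: Neither updated test covers the new denial branch in the controller (`return render_access_denied unless @page.display_versions?` at view_page line 32), because both now create the article with `:display_versions => true`. A third functional test that creates the article with `:display_versions => false`, requests `:version => 1` and asserts the access-denied response instead of the `original article` body would pin at the controller level what the Cucumber scenarios only check end to end. The loosened `:class => /article-body/` matcher is fine, but it now also matches any element whose class merely contains that substring, so the `:content` regex in both assertions should stay as the real check.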