Commit 59a057c7bfb3d65e2b63736698da9ec6b90bb3a0

Authored by Luciano Prestes
1 parent 39d689dc

Add before_filter to check permission to open the edit header and footer page

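--- a/app/controllers/my_profile/profile_editor_controller.rb
+++ b/app/controllers/my_profile/profile_editor_controller.rb
@@ -6,11 +6,13 @@ class ProfileEditorController < MyProfileController
 before_filter :access_welcome_page, :only => [:welcome_page]
 before_filter :back_to
 before_filter :forbid_destroy_profile, :only => [:destroy_profile]
+before_filter :check_user_can_edit_header_footer, :only => [:header_footer]
 helper_method :has_welcome_page
 
 def index
 @pending_tasks = Task.to(profile).pending.without_spam.select{|i| user.has_permission?(i.permission, profile)}
 @show_appearance_option = user.is_admin?(environment) || !environment.enabled?('disable_appearance')
+@show_header_footer_option = user.is_admin?(environment) || (!profile.enterprise? && !environment.enabled?('disable_header_and_footer'))
 end
 
 helper :profile
@@ -163,4 +165,9 @@ class ProfileEditorController < MyProfileController
 redirect_to_previous_location
 end
 end
+
+def check_user_can_edit_header_footer
+user_can_not_edit_header_footer = !user.is_admin?(environment) && environment.enabled?('disable_header_and_footer')
+redirect_to back_to if user_can_not_edit_header_footer
+end
 end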
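Review bot: The new `check_user_can_edit_header_footer` filter in the second hunk does not mirror the condition the page uses to show the button: `@show_header_footer_option` in `index` (first hunk) and the matching line in `app/views/profile_editor/index.html.erb` also require `!profile.enterprise?`, while the filter only checks the admin flag and the `disable_header_and_footer` setting. Hiding the button is not authorization, so a request for `header_footer` on an enterprise profile is not blocked by this filter; unless that is intended, change the guard to `user_can_not_edit_header_footer = !user.is_admin?(environment) && (profile.enterprise? || environment.enabled?('disable_header_and_footer'))` and derive `@show_header_footer_option` from the same predicate so the two cannot drift apart again. `redirect_to back_to` appears to reuse the `back_to` filter method as a URL source; if it can return nil, the `request.referer || "/"` fallback used in ThemesController would be the safer parallel. Both hunks sit inside the class body, which continues outside the view.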
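--- a/app/controllers/themes_controller.rb
+++ b/app/controllers/themes_controller.rb
@@ -43,8 +43,8 @@ class ThemesController < ApplicationController
 private
 
 def check_user_can_edit_appearance
-disable_appearance_enabled = !user.is_admin?(environment) && environment.enabled?('disable_appearance')
-redirect_to request.referer || "/" if disable_appearance_enabled
+user_can_not_edit_appearance = !user.is_admin?(environment) && environment.enabled?('disable_appearance')
+redirect_to request.referer || "/" if user_can_not_edit_appearance
 end
 
 end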
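--- a/app/views/profile_editor/index.html.erb
+++ b/app/views/profile_editor/index.html.erb
@@ -24,7 +24,7 @@
 
 <%= control_panel_button(_('Edit Appearance'), 'design-editor', :controller => 'profile_themes', :action => 'index') if @show_appearance_option %>
 
-<%= control_panel_button(_('Edit Header and Footer'), 'header-and-footer', :controller => 'profile_editor', :action => 'header_footer') if user.is_admin?(environment) || (!profile.enterprise? && !environment.enabled?('disable_header_and_footer')) %>
+<%= control_panel_button(_('Edit Header and Footer'), 'header-and-footer', :controller => 'profile_editor', :action => 'header_footer') if @show_header_footer_option %>
 
 <%= control_panel_button(_('Manage Content'), 'cms', :controller => 'cms') %>
 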
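--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -1184,4 +1184,30 @@ class ProfileEditorControllerTest < ActionController::TestCase
 get :index, :profile => user.identifier
 assert_tag :tag => 'div', :descendant => { :tag => 'a', :content => 'Edit Header and Footer' }
 end
+
+should 'user cant edit header and footer if environment dont permit' do
+environment = Environment.default
+environment.settings[:disable_header_and_footer_enabled] = true
+environment.save!
+
+user = create_user('user').person
+login_as('user')
+
+get :header_footer, :profile => user.identifier
+assert_response :redirect
+end
+
+should 'admin can edit header and footer if environment dont permit' do
+user = create_user('user').person
+
+environment = Environment.default
+environment.add_admin(user)
+environment.settings[:disable_header_and_footer_enabled] = true
+environment.save!
+
+login_as('user')
+
+get :header_footer, :profile => user.identifier
+assert_response :success
+end
 end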
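Review bot: The two new tests cover the admin/non-admin split but not the `profile.enterprise?` branch the index view relies on, so nothing asserts what happens when a non-admin opens `header_footer` for an enterprise profile; a third `should` case using an enterprise profile with the expected `assert_response` would pin that behaviour down. The first test only checks `assert_response :redirect` without naming the target, so a redirect to the wrong location would still pass; `assert_redirected_to` with the expected location is the stronger check. The tests set `environment.settings[:disable_header_and_footer_enabled]` directly while the controller calls `environment.enabled?('disable_header_and_footer')`, which presumably reads that key — if the environment exposes a helper for enabling features, using it here would keep the tests independent of that mapping.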