Commit 5d65aadb46ba12238f405e3dffaef2b727517af5

Authored by Daniela Feitosa
Committed by Antonio Terceiro
1 parent 1ab18c97

ActionItem968: admins and moderators can view private content

* Adding a migration that grants the new permission to the admin and moderator roles
  * not allowing members to view private content
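--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -197,7 +197,7 @@ class Article < ActiveRecord::Base
 if user.nil?
 false
 else
-(user == self.profile) || user.memberships.include?(self.profile) || (profile.kind_of?(Person) && profile.friends.include?(user)) || user.has_permission?('post_content', self.profile)
+(user == self.profile) || user.has_permission?('view_private_content', self.profile)
 end
 end
 end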
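Review bot: The replaced line narrows private-content access to the owner or a holder of `view_private_content` on that profile, and nothing in the hunk records that membership and friendship were dropped on purpose; without a comment the next maintainer is likely to re-add those shortcuts. I would put `# Private content: only the owner or a holder of 'view_private_content' on this profile (granted to admin and moderator roles by migration 063). Plain membership and friendship deliberately do not qualify.` above the expression. Any other reader of private articles that applies its own membership test instead of calling this method would still serve what the new rule denies, so those callers are worth checking — I cannot see them from here. The enclosing method starts outside the hunk.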
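--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -25,17 +25,18 @@ class Profile < ActiveRecord::Base
 end
 
 PERMISSIONS['Profile'] = {
-'edit_profile' => N_('Edit profile'),
-'destroy_profile' => N_('Destroy profile'),
-'manage_memberships' => N_('Manage memberships'),
-'post_content' => N_('Post content'),
-'edit_profile_design' => N_('Edit profile design'),
-'manage_products' => N_('Manage products'),
-'manage_friends' => N_('Manage friends'),
-'validate_enterprise' => N_('Validate enterprise'),
-'perform_task' => N_('Perform task'),
-'moderate_comments' => N_('Moderate comments'),
-'edit_appearance' => N_('Edit appearance'),
+'edit_profile' => N_('Edit profile'),
+'destroy_profile' => N_('Destroy profile'),
+'manage_memberships' => N_('Manage memberships'),
+'post_content' => N_('Post content'),
+'edit_profile_design' => N_('Edit profile design'),
+'manage_products' => N_('Manage products'),
+'manage_friends' => N_('Manage friends'),
+'validate_enterprise' => N_('Validate enterprise'),
+'perform_task' => N_('Perform task'),
+'moderate_comments' => N_('Moderate comments'),
+'edit_appearance' => N_('Edit appearance'),
+'view_private_content' => N_('View private content'),
 }
 
 acts_as_accessible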
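Review bot: Eleven of the twelve added lines in `PERMISSIONS['Profile']` are whitespace-only realignment, and the one substantive change — `'view_private_content' => N_('View private content'),` — is buried among them, so anyone auditing this commit for its access-control effect has to read every line to find it. Keeping the original alignment, or moving the reindent to a separate commit, keeps the permission addition reviewable on its own and avoids spurious conflicts for anyone else editing this hash. The hash is otherwise unchanged, so nothing functional rides on the realignment.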
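--- /dev/null
+++ b/db/migrate/063_fix_some_roles_permission.rb
@@ -0,0 +1,21 @@
+class FixSomeRolesPermission < ActiveRecord::Migration
+def self.up
+admin = Profile::Roles.admin
+admin.permissions += ['view_private_content']
+admin.save
+
+moderator = Profile::Roles.moderator
+moderator.permissions += ['view_private_content']
+moderator.save
+end
+
+def self.down
+admin = Profile::Roles.admin
+admin.permissions -= ['view_private_content']
+admin.save
+
+moderator = Profile::Roles.moderator
+moderator.permissions -= ['view_private_content']
+moderator.save
+end
+end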
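Review bot: `admin.permissions += ['view_private_content']` appends without deduplicating, so a role that already carries the permission (or a re-run of `up`) ends up with a duplicate entry, and `admin.save` swallows any validation failure, so the migration can report success while admins and moderators are left without the access the new `display_to?` check depends on. Use set union and the bang form in both `up` blocks: `admin.permissions |= ['view_private_content']` followed by `admin.save!`, and likewise for `moderator`. `down` should also use `save!` so a failed revocation is not silent. This assumes `Profile::Roles.admin` and `Profile::Roles.moderator` always return a persisted role; if either can be nil the migration needs a guard before touching `permissions`.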
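--- a/test/fixtures/roles.yml
+++ b/test/fixtures/roles.yml
@@ -39,6 +39,8 @@ profile_admin:
 - moderate_comments
 - destroy_profile
 - perform_task
+- post_content
+- view_private_content
 profile_member:
 id: 6
 key: 'profile_member'
@@ -55,6 +57,7 @@ profile_moderator:
 system: true
 permissions:
 - moderate_comments
+- view_private_content
 environment_administrator:
 id: 8
 key: 'environment_administrator'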
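Review bot: The first hunk grants `profile_admin` a `post_content` permission that the migration in this commit does not add, so the fixture role diverges from what a migrated database will hold — unless an earlier migration already granted it, which I cannot see from here. If admins are meant to have `post_content`, it belongs in a migration next to `view_private_content`; if it is only there to make a test pass, that test is asserting a role shape production may not have. The `view_private_content` additions to `profile_admin` and `profile_moderator` match the migration.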
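--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -329,6 +329,43 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_response :success
 end
 
+should 'not show private content to members' do
+community = Community.create!(:name => 'testcomm')
+Folder.create!(:name => 'test', :profile => community, :public_article => false)
+community.add_member(profile)
+
+login_as(profile.identifier)
+
+@request.stubs(:ssl?).returns(true)
+get :view_page, :profile => community.identifier, :page => [ 'test' ]
+
+assert_template 'access_denied.rhtml'
+end
+
+should 'show private content to profile moderators' do
+community = Community.create!(:name => 'testcomm')
+community.articles.create!(:name => 'test', :public_article => false)
+community.add_moderator(profile)
+
+login_as(profile.identifier)
+
+@request.stubs(:ssl?).returns(true)
+get :view_page, :profile => community.identifier, :page => [ 'test' ]
+assert_response :success
+end
+
+should 'show private content to profile admins' do
+community = Community.create!(:name => 'testcomm')
+community.articles.create!(:name => 'test', :public_article => false)
+community.add_admin(profile)
+
+login_as(profile.identifier)
+
+@request.stubs(:ssl?).returns(true)
+get :view_page, :profile => community.identifier, :page => [ 'test' ]
+assert_response :success
+end
+
 should 'show message for disabled enterprises' do
 login_as(@profile.identifier)
 ent = Enterprise.create!(:name => 'my test enterprise', :identifier => 'my-test-enterprise', :enabled => false)
@@ -424,7 +461,7 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_template 'access_denied.rhtml'
 end
 
-should 'give access to private articles if logged in and member' do
+should 'not give access to private articles if logged in and only member' do
 person = create_user('test_user').person
 profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
 intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
@@ -434,6 +471,32 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 @request.stubs(:ssl?).returns(true)
 get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
 
+assert_template 'access_denied.rhtml'
+end
+
+should 'give access to private articles if logged in and moderator' do
+person = create_user('test_user').person
+profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
+intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+profile.affiliate(person, Profile::Roles.moderator)
+login_as('test_user')
+
+@request.stubs(:ssl?).returns(true)
+get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
+
+assert_template 'view_page'
+end
+
+should 'give access to private articles if logged in and admin' do
+person = create_user('test_user').person
+profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
+intranet = Folder.create!(:name => 'my_intranet', :profile => profile, :public_article => false)
+profile.affiliate(person, Profile::Roles.admin)
+login_as('test_user')
+
+@request.stubs(:ssl?).returns(true)
+get :view_page, :profile => 'test_profile', :page => [ 'my-intranet' ]
+
 assert_template 'view_page'
 end
 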
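Review bot: None of the six new tests pins that `view_private_content` is scoped to the profile whose article is requested — every positive case grants the role on the same community or profile that owns the content, so a regression that consulted the permission without the profile argument would still pass. One negative case in the first hunk, granting admin on a different community and expecting `access_denied.rhtml`, closes that gap and follows the same shape as the 'show private content to profile admins' test. I assume `Community.create!` with only `:name` is valid here because the tests in this hunk do the same.
```ruby
should 'not show private content to admins of another profile' do
  community = Community.create!(:name => 'testcomm')
  other = Community.create!(:name => 'othercomm')
  community.articles.create!(:name => 'test', :public_article => false)
  other.add_admin(profile)

  login_as(profile.identifier)

  @request.stubs(:ssl?).returns(true)
  get :view_page, :profile => community.identifier, :page => [ 'test' ]

  assert_template 'access_denied.rhtml'
end
```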
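--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -437,12 +437,30 @@ class ArticleTest < Test::Unit::TestCase
 assert !article.display_to?(person)
 end
 
-should 'say that member user can see private article' do
+should 'say that member user can not see private article' do
 profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
 article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
 person = create_user('test_user').person
 profile.affiliate(person, Profile::Roles.member)
 
+assert !article.display_to?(person)
+end
+
+should 'say that profile admin can see private article' do
+profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
+article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+person = create_user('test_user').person
+profile.affiliate(person, Profile::Roles.admin)
+
+assert article.display_to?(person)
+end
+
+should 'say that profile moderator can see private article' do
+profile = Profile.create!(:name => 'test profile', :identifier => 'test_profile')
+article = Article.create!(:name => 'test article', :profile => profile, :public_article => false)
+person = create_user('test_user').person
+profile.affiliate(person, Profile::Roles.moderator)
+
 assert article.display_to?(person)
 end
 
@@ -496,7 +514,7 @@ class ArticleTest < Test::Unit::TestCase
 assert !article.public_article
 end
 
-should 'allow friends of private person see the article' do
+should 'not allow friends of private person see the article' do
 person = create_user('test_user').person
 article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
 friend = create_user('test_friend').person
@@ -504,16 +522,15 @@ class ArticleTest < Test::Unit::TestCase
 person.save!
 friend.save!
 
-assert article.display_to?(friend)
+assert !article.display_to?(friend)
 end
 
-
-should 'display articles to people who can edit them' do
+should 'display private articles to people who can view private content' do
 person = create_user('test_user').person
 article = Article.create!(:name => 'test article', :profile => person, :public_article => false)
 
 admin_user = create_user('admin_user').person
-admin_user.stubs(:has_permission?).with('post_content', article.profile).returns('true')
+admin_user.stubs(:has_permission?).with('view_private_content', article.profile).returns('true')
 
 assert article.display_to?(admin_user)
 end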
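Review bot: The stub in the last hunk returns the string `'true'` rather than the boolean: `admin_user.stubs(:has_permission?).with('view_private_content', article.profile).returns('true')`. It passes only because every non-nil, non-false value is truthy in Ruby, and it reads as if `has_permission?` were expected to return strings, which will mislead the next person who writes a negative case with `'false'` and wonders why it still passes. Return the real value, `.returns(true)`, and the test documents the contract it actually relies on. The renamed tests in the first two hunks invert their assertions correctly for the new rule.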