Commit 67d9cf1a850407fa7bdfacc6f3658b24c70125ce
Committed by
Antonio Terceiro
1 parent
f386c3a4
ActionItem1221: created permission for publish articles
members can create articles and edit/delete them, without being able to edit/delete other members' articles
Showing
5 changed files
with
99 additions
and
7 deletions
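--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -1,8 +1,27 @@
 class CmsController < MyProfileController
 
-  protect 'post_content', :profile, :except => [:set_home_page]
   protect 'edit_profile', :profile, :only => [:set_home_page]
 
+  def self.protect_if(*args)
+    before_filter(*args) do |c|
+      user, profile = c.send(:user), c.send(:profile)
+      if yield(c, user, profile)
+        true
+      else
+        render_access_denied(c)
+        false
+      end
+    end
+  end
+
+  protect_if :except => [:set_home_page, :edit, :destroy, :publish] do |c, user, profile|
+    user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile))
+  end
+
+  protect_if :only => [:edit, :destroy, :publish] do |c, user, profile|
+    profile.articles.find(c.params[:id]).allow_post_content?(user)
+  end
+
   alias :check_ssl_orig :check_ssl
   # Redefines the SSL checking to avoid requiring SSL when creating the "New
   # publication" button on article's public view.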
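Review bot: The article lookup in the second `protect_if` filter, `profile.articles.find(c.params[:id])`, raises `ActiveRecord::RecordNotFound` when `params[:id]` is missing or names an article of another profile, so the `render_access_denied` branch never runs for those requests and the response is whatever the application's RecordNotFound handling produces rather than the access-denied page. Scoping through `profile.articles` is the right call, since it stops an id from another profile being authorized against this one, but the outcome on a miss should be deliberate; `article = profile.articles.find_by_id(c.params[:id]); article && article.allow_post_content?(user)` turns a miss into a deny. Separately, `protect_if` reaches the caller's block through `yield` from inside a `before_filter` block that runs later; capturing it as `&block` and calling `block.call(c, user, profile)` is the more explicit form. A one-line comment above the two `protect_if` calls, e.g. `# edit/destroy/publish are checked per article (ownership), everything else per profile`, would explain why `:edit`, `:destroy` and `:publish` are carved out of the profile-level check.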
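--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -214,11 +214,8 @@ class Article < ActiveRecord::Base
     end
   end
 
-  def allow_post_content?(logged_person = nil)
-    if logged_person && logged_person.has_permission?('post_content', profile)
-      return true
-    end
-    false
+  def allow_post_content?(user = nil)
+    user && (user.has_permission?('post_content', profile) || user.has_permission?('publish_content', profile) && (user == self.creator))
   end
 
   def comments_updated
@@ -291,6 +288,11 @@ class Article < ActiveRecord::Base
     self.find(:all, :include => :taggings, :conditions => ['taggings.tag_id = ?', tag.id])
   end
 
+  def creator
+    creator_id = versions[0][:last_changed_by_id]
+    creator_id && Profile.find(creator_id)
+  end
+
   private
 
   def sanitize_tag_list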
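Review bot: `creator` calls `Profile.find(creator_id)`, which raises `ActiveRecord::RecordNotFound` if the profile recorded in the first version has since been removed, so `allow_post_content?` would error out of the authorization check instead of denying. Since `creator` is only ever compared against `user`, nil is the safe result for a missing profile: `creator_id && Profile.find_by_id(creator_id)`. The method also assumes `versions[0]` is the first version (i.e. the association is ordered by version number) and that the first version's `last_changed_by_id` was set at creation; when it was not, as with an article created without `:last_changed_by`, `creator` is nil and the ownership branch fails closed, which deserves a comment such as `# nil when the first version carries no last_changed_by; ownership checks then deny`. In `allow_post_content?` the `||`/`&&` mix parses as intended (`post_content`, or `publish_content` restricted to the creator), but explicit parentheses around `user.has_permission?('publish_content', profile) && user == self.creator` would make the owner-only scope obvious to the next reader.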
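--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -33,7 +33,7 @@ class Profile < ActiveRecord::Base
     'edit_profile' => N_('Edit profile'),
     'destroy_profile' => N_('Destroy profile'),
     'manage_memberships' => N_('Manage memberships'),
-    'post_content' => N_('Post content'),
+    'post_content' => N_('Manage content'), # changed only presentation name to keep already given permissions
     'edit_profile_design' => N_('Edit profile design'),
     'manage_products' => N_('Manage products'),
     'manage_friends' => N_('Manage friends'),
@@ -42,6 +42,7 @@ class Profile < ActiveRecord::Base
     'moderate_comments' => N_('Moderate comments'),
     'edit_appearance' => N_('Edit appearance'),
     'view_private_content' => N_('View private content'),
+    'publish_content' => N_('Publish content'),
   }
 
   acts_as_accessible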
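--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -1148,4 +1148,58 @@ class CmsControllerTest < Test::Unit::TestCase
     assert_not_includes assigns(:article_types).map{|at|at[:name]}, 'Event'
   end
 
+  should 'not allow user without permission create an article in community' do
+    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+    u = create_user_with_permission('test_user', 'bogus_permission', c)
+    login_as :test_user
+
+    get :new, :profile => c.identifier
+    assert_response :forbidden
+    assert_template 'access_denied.rhtml'
+  end
+
+  should 'allow user with permission create an article in community' do
+    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+    u = create_user_with_permission('test_user', 'publish_content', c)
+    login_as :test_user
+
+    get :new, :profile => c.identifier, :type => 'TinyMceArticle'
+    assert_response :success
+    assert_template 'edit'
+  end
+
+  should 'not allow user edit article if he has publish permission but is not owner' do
+    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+    u = create_user_with_permission('test_user', 'publish_content', c)
+    a = c.articles.create!(:name => 'test_article')
+    login_as :test_user
+
+    get :edit, :profile => c.identifier, :id => a.id
+    assert_response :forbidden
+    assert_template 'access_denied.rhtml'
+  end
+
+  should 'not allow user edit article if he is owner but has no publish permission' do
+    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+    u = create_user_with_permission('test_user', 'bogus_permission', c)
+    a = c.articles.create!(:name => 'test_article', :last_changed_by => u)
+    login_as :test_user
+
+    get :edit, :profile => c.identifier, :id => a.id
+    assert_response :forbidden
+    assert_template 'access_denied.rhtml'
+  end
+
+  should 'allow user edit article if he is owner and has publish permission' do
+    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
+    u = create_user_with_permission('test_user', 'publish_content', c)
+    a = c.articles.create!(:name => 'test_article', :last_changed_by => u)
+    login_as :test_user
+
+    get :edit, :profile => c.identifier, :id => a.id
+
+    assert_response :success
+    assert_template 'edit'
+  end
+
 end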
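Review bot: The new tests exercise only `new` and `edit`; `destroy` and `publish` are routed through the same ownership filter in the controller, but nothing here pins that a `publish_content` member is refused on another member's article for those two actions, nor that an anonymous request to `edit` is refused. A regression in the controller's `:only => [:edit, :destroy, :publish]` list would therefore go unnoticed for the destructive action. One test per action with the same fixture as the non-owner edit case would close the gap; the `destroy` variant is below and the `publish` one differs only in the action name.
```ruby
  should 'not allow user destroy article if he has publish permission but is not owner' do
    c = Community.create!(:name => 'test_comm', :identifier => 'test_comm')
    u = create_user_with_permission('test_user', 'publish_content', c)
    a = c.articles.create!(:name => 'test_article')
    login_as :test_user

    post :destroy, :profile => c.identifier, :id => a.id
    assert_response :forbidden
    assert_template 'access_denied.rhtml'
  end
```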
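--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -763,4 +763,20 @@ class ArticleTest < Test::Unit::TestCase
     assert_match(/-owner/, a.cache_key({}, c))
   end
 
+  should 'have a creator method' do
+    c = Community.create!(:name => 'new_comm')
+    a = c.articles.create!(:name => 'a test article', :last_changed_by => profile)
+    p = create_user('other_user').person
+    a.update_attributes(:body => 'some content', :last_changed_by => p); a.save!
+    assert_equal profile, a.creator
+  end
+
+  should 'allow creator to edit if is publisher' do
+    c = Community.create!(:name => 'new_comm')
+    p = create_user_with_permission('test_user', 'publish_content', c)
+    a = c.articles.create!(:name => 'a test article', :last_changed_by => p)
+
+    assert a.allow_post_content?(p)
+  end
+
 end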
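Review bot: The model tests cover only the positive case of `allow_post_content?`; the two negative cases that define the new permission, a `publish_content` holder who is not the creator and the creator without `publish_content`, are pinned only at the controller level, and `creator` returning nil for an article whose first version has no `last_changed_by` is untested. Two assertions would close that: `assert_nil c.articles.create!(:name => 'orphan').creator` and `assert !a.allow_post_content?(create_user_with_permission('other', 'publish_content', c))`. As a point of style, `a.update_attributes(...); a.save!` in 'have a creator method' puts two statements on one line and the `save!` is redundant once `update_attributes` has succeeded; `a.update_attributes!(:body => 'some content', :last_changed_by => p)` says the same in one call and fails loudly if the update does not persist.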