Commit ad8ae7d6055249fecfa0d90e5f79991142331f11
ActionItem295: finishing restriction for profile info
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1810 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
4 changed files
with
33 additions
and
5 deletions
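--- a/app/controllers/public/profile_controller.rb
+++ b/app/controllers/public/profile_controller.rb
@@ -1,7 +1,7 @@
 class ProfileController < ApplicationController
 
 needs_profile
-before_filter :check_public_profile
+before_filter :check_access_to_profile
 
 helper TagsHelper
 
@@ -36,8 +36,8 @@ class ProfileController < ApplicationController
 
 protected
 
-def check_public_profile
-if !profile.public_profile
+def check_access_to_profile
+unless profile.display_info_to?(user)
 render :action => 'private_profile', :status => 403, :layout => false
 end
 end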
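Review bot: check_access_to_profile is now the only authorization gate for this controller, yet it carries no comment saying what `user` must be for an anonymous visitor; the model predicate it delegates to only compares `user == self`, so the gate is correct only if the `user` helper yields nil (or a non-matching record) when nobody is logged in, which is not visible in this hunk. I would add above the method: `# Sole access gate for every action: delegates to Profile#display_info_to?. +user+ is nil for anonymous visitors, so private profiles are denied unless the viewer is the profile itself.` The class continues beyond the hunk, so other actions that expose profile data through different controllers are not covered by this filter and need their own check.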
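--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -280,4 +280,15 @@ class Profile < ActiveRecord::Base
 self.find(:all, :order => 'profiles.name', :conditions => [ 'profiles.name like (?) or profiles.name like (?)', (initial + '%'), (initial.upcase + '%') ])
 end
 
+# returns +true+ if the given +user+ can see profile information about this
+# +profile+, and +false+ otherwise.
+def display_info_to?(user)
+if self.public_profile
+true
+else
+# other possibilities would come here
+(user == self)
+end
+end
+
 end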
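Review bot: The non-public branch admits only `user == self`, so a Community with public_profile false answers false for one of its members; the 'display private profile for members' unit test added in this same commit can only pass if Community overrides display_info_to? in a file outside this diff, which I cannot see. If that override does not exist yet the new test fails and the member case is silently denied; if it does exist, the placeholder `# other possibilities would come here` should say so, e.g. `# Only the profile itself may see a private profile here; Community widens this to its members.` Denying everything that is not self (including nil) is the right fail-closed default for an authorization predicate, and that deserves a sentence in the doc comment rather than being implied.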
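--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -187,8 +187,8 @@ class ProfileControllerTest < Test::Unit::TestCase
 assert_no_tag :tag => 'a', :content => 'Leave this community'
 end
 
-should 'not display private profile' do
-@profile.update_attributes!(:public_profile => false)
+should 'check access before displaying profile' do
+Person.any_instance.expects(:display_info_to?).with(anything).returns(false)
 get :index, :profile => @profile.identifier
 assert_response 403
 end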
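Review bot: Replacing the old test with the stubbed one removes the only end-to-end check that a genuinely private profile yields a 403 through the real predicate and the real `user` resolution; the new test only proves the filter honours a stubbed false. I would keep both: reinstate `@profile.update_attributes!(:public_profile => false)` followed by `get :index, :profile => @profile.identifier` and `assert_response 403` as a separate test beside the mocked one, so a regression in Profile#display_info_to? or in how `user` is resolved for an anonymous request still fails here. The stub's `with(anything)` also does not pin which viewer is passed; `with(nil)` would assert the anonymous case this test is exercising.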
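--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -483,6 +483,23 @@ class ProfileTest < Test::Unit::TestCase
 assert_equal false, p.public_content
 end
 
+should 'not display private profile to unauthenticated user' do
+assert !Profile.new(:public_profile => false).display_info_to?(nil)
+end
+
+should 'display private profile for its owner' do
+p = Profile.new(:public_profile => false)
+assert p.display_info_to?(p)
+end
+
+should 'display private profile for members' do
+p = create_user('testuser').person
+c = Community.create!(:name => 'my community', :public_profile => false)
+c.add_member(p)
+
+assert c.display_info_to?(p)
+end
+
 private
 
 def assert_invalid_identifier(id)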
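Review bot: The new tests cover nil and the owner but not the case the restriction exists for: an authenticated user who is neither the owner nor a member must be denied, and nothing here pins that. I would add `should 'not display private profile to other users' do` / `assert !Profile.new(:public_profile => false).display_info_to?(create_user('other').person)` / `end` next to the owner test, so a future widening of the else-branch cannot quietly open private profiles to every logged-in user. The members test builds persisted records while the other two use unsaved ones; if equality of unsaved records matters for `user == self` under this Rails version, the denial test above is the one that catches it.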