noosfero | 2 new commits pushed to repository

Antonio Terceiro gitlab at gitlab.com
Fri Feb 13 12:06:58 BRST 2015


Antonio Terceiro pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>

Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/2dbb8586db43409cc630c1ada1efcbfea5b5a7dd">2dbb8586</a> by Tallys Martins
Move privace methods of profile_controller to public_controller
 - Create tests for private and invisible communities using the privace methods
 - Executing filters for events and contact pages in private profiles

Signed-off-by: Arthur Del Esposte <arthurmde at gmail.com>
Signed-off-by: Gabriela Navarro <navarro1703 at gmail.com>
Signed-off-by: Luciano Prestes <lucianopcbr at gmail.com>
Signed-off-by: Tallys Martins <tallysmartins at yahoo.com.br>

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/42042b7444e1d9a2e832872492a5ba8847b87515">42042b74</a> by Antonio Terceiro
Merge branch 'private_profile_pages' into 'master'

Private profile pages

When the profile is private, some pages are still shown if they are requested directly by URL, for example the agenda and contact e-mail pages.
We added a before_filter to make sure that doesn't happen.

See merge request !459

- - - - -


Changes:

=====================================
app/controllers/public/contact_controller.rb
=====================================
--- a/app/controllers/public/contact_controller.rb
+++ b/app/controllers/public/contact_controller.rb
@@ -1,6 +1,7 @@
 class ContactController < PublicController
 
   needs_profile
+  before_filter :allow_access_to_page
 
   def new
     @contact = build_contact

=====================================
app/controllers/public/events_controller.rb
=====================================
--- a/app/controllers/public/events_controller.rb
+++ b/app/controllers/public/events_controller.rb
@@ -1,6 +1,7 @@
 class EventsController < PublicController
 
   needs_profile
+  before_filter :allow_access_to_page
 
   def events
     @events = []

=====================================
app/controllers/public/profile_controller.rb
=====================================
--- a/app/controllers/public/profile_controller.rb
+++ b/app/controllers/public/profile_controller.rb
@@ -16,13 +16,7 @@ class ProfileController < PublicController
       @activities = @profile.activities.paginate(:per_page => 15, :page => params[:page])
     end
     @tags = profile.article_tags
-    unless profile.display_info_to?(user)
-      if profile.visible?
-        private_profile
-      else
-        invisible_profile
-      end
-    end
+    allow_access_to_page
   end
 
   def tags
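Review bot: `allow_access_to_page` is called as the last statement of `index`, so the activity and tag queries above it run before the access decision is made. As far as this hunk shows, no other action of this controller goes through the check. Registering it the way the contact and events controllers do, for example `before_filter :allow_access_to_page, :only => :index`, would deny first and skip the action body for visitors who are refused. The response for a private but visible profile also changes: the removed `private_profile` rendered `index` with a 403, while the shared version renders `shared/access_denied.html.erb`, so a test on `ProfileController#index` should pin whichever result is intended. `index` begins outside the hunk.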
@@ -396,17 +390,6 @@ class ProfileController < PublicController
     end
   end
 
-  def private_profile
-    private_profile_partial_parameters
-    render :action => 'index', :status => 403
-  end
-
-  def invisible_profile
-    unless profile.is_template?
-      render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
-    end
-  end
-
   def per_page
     Noosfero::Constants::PROFILE_PER_PAGE
   end

=====================================
app/controllers/public_controller.rb
=====================================
--- a/app/controllers/public_controller.rb
+++ b/app/controllers/public_controller.rb
@@ -1,2 +1,24 @@
 class PublicController < ApplicationController
+  protected
+
+  def allow_access_to_page
+    unless profile.display_info_to?(user)
+      if profile.visible?
+        private_profile
+      else
+        invisible_profile
+      end
+    end
+  end
+
+  def private_profile
+    private_profile_partial_parameters
+    render :template => 'shared/access_denied.html.erb', :status => 403
+  end
+
+  def invisible_profile
+    unless profile.is_template?
+      render_access_denied(_("This profile is inaccessible. You don't have the permission to view the content here."), _("Oops ... you cannot go ahead here"))
+    end
+  end
 end
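Review bot: `invisible_profile` renders nothing when `profile.is_template?` is true, so `allow_access_to_page` fails open on that branch. As a `before_filter`, it only halts the request when something is rendered. The contact and events actions therefore still run for an invisible template profile even though `display_info_to?(user)` returned false. If templates only need to stay reachable on the profile index, keep that exemption in `ProfileController` and make the shared method deny unconditionally by dropping the `unless profile.is_template?` guard around `render_access_denied(...)`. A comment on the method such as `# Used as a before_filter: every refused branch must render, otherwise the action still runs` would document the contract. `private_profile_partial_parameters` is not defined in this hunk, so confirm it is reachable from every `PublicController` subclass.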

=====================================
test/functional/contact_controller_test.rb
=====================================
--- a/test/functional/contact_controller_test.rb
+++ b/test/functional/contact_controller_test.rb
@@ -125,4 +125,31 @@ class ContactControllerTest < ActionController::TestCase
     assert_equal 'Bahia', assigns(:contact).state
   end
 
+  should 'not show send e-mail page to non members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+
+    post :new, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'not show send e-mail page to non members of invisible community' do
+    community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
+
+    post :new, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'show send e-mail page to members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+    community.add_member(@profile)
+
+    post :new, :profile => community.identifier
+
+    assert_response :success
+  end
+
 end
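Review bot: All three new tests issue `post :new`, but the exposure described in the merge request is reaching the page by URL, which is a GET. Adding `get :new, :profile => community.identifier` cases with the same `assert_response :forbidden` would cover that path. The same applies to `post :events` in test/functional/events_controller_test.rb. The member test here has no `login_as` call, unlike its events counterpart, so it depends on a setup outside this hunk to authenticate `@profile`. Neither file tests an invisible profile for which `is_template?` is true.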

=====================================
test/functional/events_controller_test.rb
=====================================
--- a/test/functional/events_controller_test.rb
+++ b/test/functional/events_controller_test.rb
@@ -54,4 +54,33 @@ class EventsControllerTest < ActionController::TestCase
     assert_tag :tag => 'a', :content => /Joao Birthday/
   end
 
+  should 'not show events page to non members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+
+    post :events, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'not show events page to non members of invisible community' do
+    community = fast_create(Community, :identifier => 'invisible-community', :name => 'Private Community', :visible => false)
+
+    post :events, :profile => community.identifier
+
+    assert_response :forbidden
+    assert_template :access_denied
+  end
+
+  should 'show events page to members of private community' do
+    community = fast_create(Community, :identifier => 'private-community', :name => 'Private Community', :public_profile => false)
+    community.add_member(@profile)
+
+    login_as('testuser')
+
+    post :events, :profile => community.identifier
+
+    assert_response :success
+  end
+
 end
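Review bot: The two "non members" tests do not establish who is making the request. `login_as('testuser')` appears only in the member test, so they presumably run as an anonymous visitor (the setup is outside the hunk), which leaves a logged-in person who is not a member untested. A case that calls `login_as('testuser')` without `community.add_member(@profile)` and asserts `assert_response :forbidden` would cover the branch where `display_info_to?(user)` receives a real user. The invisible community fixture is also created with `:name => 'Private Community'`; a distinct name would make failures easier to read.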
