noosfero | 3 new commits pushed to repository

Antonio Terceiro gitlab at gitlab.com
Tue Jan 20 15:27:20 BRST 2015


Antonio Terceiro pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>

Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/7c541b4a2fef9c201c164a05f1519b190f667a5f">7c541b4a</a> by Victor Costa
Base controller for plugins administration

The PluginAdminController protects by default, against accessing plugin administration, users that don't have the
edit_environment_features permission.

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/e47daca26c5861d09c8248855472d4e65cbda1d0">e47daca2</a> by Victor Costa
Use default base class for plugin admin controllers

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/a3f46c1e85203cfb8cdf8f630bf0bcabc767e4d6">a3f46c1e</a> by Antonio Terceiro
Merge branch 'fix_plugin_admin' into 'master'

Fix access to plugin administration pages

Users can access plugin administration pages (e.g. /admin/plugin/vote) even if they aren't environment administrators.

This MR creates a new base controller for plugins that protects by default against improper access to these pages.

See merge request !417

- - - - -


Changes:

=====================================
app/controllers/admin/plugin_admin_controller.rb
=====================================
--- /dev/null
+++ b/app/controllers/admin/plugin_admin_controller.rb
@@ -0,0 +1,5 @@
+class PluginAdminController < AdminController
+
+  protect 'edit_environment_features', :environment
+
+end
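Review bot: the new base class has no comment stating that the `protect 'edit_environment_features', :environment` check is inherited by every subclass, and that a plugin admin controller which keeps subclassing AdminController directly stays reachable by non-administrators, which is exactly the bug the merge request describes. Since the fix is opt-in per plugin, consider a comment above the `protect` line saying so, plus a test that fails whenever a `*PluginAdminController` class does not inherit from PluginAdminController, so the next plugin cannot silently regress.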

=====================================
plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
=====================================
--- a/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
+++ b/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class AntiSpamPluginAdminController < AdminController
+class AntiSpamPluginAdminController < PluginAdminController
   append_view_path File.join(File.dirname(__FILE__) + '/../views')
 
   def index

=====================================
plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
=====================================
--- a/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
+++ b/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
@@ -1,3 +1,3 @@
-class FooPluginAdminBarController < AdminController
+class FooPluginAdminBarController < PluginAdminController
 end
 

=====================================
plugins/ldap/controllers/ldap_plugin_admin_controller.rb
=====================================
--- a/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
+++ b/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class LdapPluginAdminController < AdminController
+class LdapPluginAdminController < PluginAdminController
 
   append_view_path File.join(File.dirname(__FILE__) + '/../views')
 

=====================================
plugins/piwik/controllers/piwik_plugin_admin_controller.rb
=====================================
--- a/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
+++ b/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class PiwikPluginAdminController < AdminController
+class PiwikPluginAdminController < PluginAdminController
 
   append_view_path File.join(File.dirname(__FILE__) + '/../views')
 

=====================================
plugins/vote/controllers/vote_plugin_admin_controller.rb
=====================================
--- a/plugins/vote/controllers/vote_plugin_admin_controller.rb
+++ b/plugins/vote/controllers/vote_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class VotePluginAdminController < AdminController
+class VotePluginAdminController < PluginAdminController
 
   def index
     settings = params[:settings]

=====================================
plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
=====================================
--- a/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
+++ b/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
@@ -8,7 +8,7 @@ class VotePluginAdminControllerTest < ActionController::TestCase
 
   def setup
     @environment = Environment.default
-    @profile = create_user('profile').person
+    @profile = create_user_with_permission('profile', 'edit_environment_features', Environment.default)
     login_as(@profile.identifier)
   end
 
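Review bot: only the vote plugin's functional test is updated to log in a user created with `create_user_with_permission('profile', 'edit_environment_features', Environment.default)`; the anti_spam, ldap and piwik admin controllers are switched to the same base class in this patch but their tests are not touched, so any of them that still logs in a plain `create_user(...).person` will now get the 403 that PluginAdminControllerTest asserts for users without the permission. Apply the same setup change there, or confirm those tests already log in as an environment administrator.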

=====================================
test/functional/plugin_admin_controller_test.rb
=====================================
--- /dev/null
+++ b/test/functional/plugin_admin_controller_test.rb
@@ -0,0 +1,25 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PluginAdminController
+  def index
+    render :text => 'ok'
+  end
+end
+
+class PluginAdminControllerTest < ActionController::TestCase
+
+  should 'allow user with the required permission to access plugin administration page' do
+    create_user_with_permission('testuser', 'edit_environment_features', Environment.default)
+    login_as('testuser')
+    get :index
+    assert_response :success
+  end
+
+  should 'forbid access to users that did not have the required permission' do
+    create_user('testuser')
+    login_as('testuser')
+    get :index
+    assert_response :forbidden
+  end
+
+end
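Review bot: reopening `PluginAdminController` at the top of the test file to define `index` monkey-patches the real class for the whole test process, so the stub action that does `render :text => 'ok'` leaks into every other test that loads the class and into all plugin subclasses, which inherit it. Put the stub in a test-only subclass instead, e.g. `class TestPluginAdminController < PluginAdminController; def index; render :text => 'ok'; end; end`, and point the test case at it with `tests TestPluginAdminController`. Two smaller points: the second description should read "do not have the required permission", and there is no case for a request with no logged-in user at all, which is the other path the `protect` call must reject.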
