noosfero | 3 new commits pushed to repository
Antonio Terceiro
gitlab at gitlab.com
Tue Jan 20 15:27:20 BRST 2015
Antonio Terceiro pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>
Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/7c541b4a2fef9c201c164a05f1519b190f667a5f">7c541b4a</a> by Victor Costa
Base controller for plugins administration
The PluginAdminController by default protects plugin administration against
access by users that don't have the edit_environment_features permission.
- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/e47daca26c5861d09c8248855472d4e65cbda1d0">e47daca2</a> by Victor Costa
Use default base class for plugin admin controllers
- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/a3f46c1e85203cfb8cdf8f630bf0bcabc767e4d6">a3f46c1e</a> by Antonio Terceiro
Merge branch 'fix_plugin_admin' into 'master'
Fix access to plugin administration pages
Users can access plugin administration pages (e.g. /admin/plugin/vote) even if they aren't environment administrators.
This MR creates a new base controller for plugins that protects by default against improper access to these pages.
See merge request !417
- - - - -
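To make the "protect by default" idea in the merge request description concrete, here is an added, self-contained Ruby model of it. This is example code, not Noosfero's: the real `protect` macro, `AdminController` and the permission system are replaced by a toy controller class whose before-filters are inherited by subclasses (the assumption the fix relies on). It shows the "before" shape (a plugin admin controller inheriting `AdminController` directly, open to any logged-in user) beside the "after" shape (inheriting the protected base), plus a load-time check that flags plugin admin controllers that skipped the base class.

```ruby
# Added example, not Noosfero code. Assumption: `protect permission, target`
# registers a before-filter that subclasses inherit, like Rails filters.
require 'set'

# Minimal stand-in for a controller stack with inherited before-filters.
class ToyController
  def self.before_filters
    @before_filters ||= []
  end

  # Filters from the whole ancestor chain, base class first.
  def self.all_before_filters
    ancestors.select { |a| a <= ToyController }.reverse
             .flat_map { |a| a.before_filters }
  end

  # Assumed shape of the `protect` macro: deny unless the current user
  # holds +permission+ (the target is ignored in this toy).
  def self.protect(permission, target)
    before_filters << lambda { |c| c.user_has_permission?(permission, target) }
  end

  attr_reader :user

  # +user+ is a Hash { name:, permissions: Set } or nil when anonymous.
  def initialize(user)
    @user = user
  end

  def user_has_permission?(permission, _target)
    !user.nil? && user[:permissions].include?(permission)
  end

  # Run every inherited filter, then the action; return an HTTP-like status.
  def dispatch(action)
    return 403 unless self.class.all_before_filters.all? { |f| f.call(self) }
    send(action)
    200
  end
end

class AdminController < ToyController; end

# The base class introduced by the MR: the permission check lives here once.
class PluginAdminController < AdminController
  protect 'edit_environment_features', :environment
end

# "Before": a plugin admin controller inheriting AdminController directly.
class OpenVotePluginAdminController < AdminController
  def index; end
end

# "After": the same controller on the protected base class.
class VotePluginAdminController < PluginAdminController
  def index; end
end

# Constructed sample users for the demonstration.
ENV_ADMIN = { name: 'admin', permissions: Set['edit_environment_features'] }
PLAIN_USER = { name: 'user', permissions: Set[] }

# Check a project could run at load time: any *PluginAdminController that
# does not descend from PluginAdminController silently stays open.
def unprotected_plugin_admin_controllers(controllers)
  controllers.select do |klass|
    klass.name.end_with?('PluginAdminController') &&
      klass != PluginAdminController &&
      !(klass < PluginAdminController)
  end
end

if __FILE__ == $0
  puts OpenVotePluginAdminController.new(PLAIN_USER).dispatch(:index) # 200: open
  puts VotePluginAdminController.new(PLAIN_USER).dispatch(:index)     # 403
  puts VotePluginAdminController.new(nil).dispatch(:index)            # 403
  puts VotePluginAdminController.new(ENV_ADMIN).dispatch(:index)      # 200
  p unprotected_plugin_admin_controllers(
    [OpenVotePluginAdminController, VotePluginAdminController]
  )                                        # [OpenVotePluginAdminController]
end
```

The design point is that the check is declared once in the base class and cannot be forgotten per action; the remaining failure mode is a plugin that never inherits the base, which is exactly what the enumeration at the end catches.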
Changes:
=====================================
app/controllers/admin/plugin_admin_controller.rb
=====================================
--- /dev/null
+++ b/app/controllers/admin/plugin_admin_controller.rb
@@ -0,0 +1,5 @@
+class PluginAdminController < AdminController
+
+ protect 'edit_environment_features', :environment
+
+end
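Review bot: the new base class carries no comment saying that every plugin admin controller must inherit from it, and nothing enforces that; a plugin that keeps `< AdminController` (the pattern this MR replaces in five plugins) silently keeps the open access the MR is fixing. Suggest a short comment above `protect 'edit_environment_features', :environment` stating the contract, and a test or load-time check that every `*PluginAdminController` descends from `PluginAdminController`.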
=====================================
plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
=====================================
--- a/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
+++ b/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class AntiSpamPluginAdminController < AdminController
+class AntiSpamPluginAdminController < PluginAdminController
append_view_path File.join(File.dirname(__FILE__) + '/../views')
def index
=====================================
plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
=====================================
--- a/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
+++ b/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
@@ -1,3 +1,3 @@
-class FooPluginAdminBarController < AdminController
+class FooPluginAdminBarController < PluginAdminController
end
=====================================
plugins/ldap/controllers/ldap_plugin_admin_controller.rb
=====================================
--- a/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
+++ b/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class LdapPluginAdminController < AdminController
+class LdapPluginAdminController < PluginAdminController
append_view_path File.join(File.dirname(__FILE__) + '/../views')
=====================================
plugins/piwik/controllers/piwik_plugin_admin_controller.rb
=====================================
--- a/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
+++ b/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class PiwikPluginAdminController < AdminController
+class PiwikPluginAdminController < PluginAdminController
append_view_path File.join(File.dirname(__FILE__) + '/../views')
=====================================
plugins/vote/controllers/vote_plugin_admin_controller.rb
=====================================
--- a/plugins/vote/controllers/vote_plugin_admin_controller.rb
+++ b/plugins/vote/controllers/vote_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class VotePluginAdminController < AdminController
+class VotePluginAdminController < PluginAdminController
def index
settings = params[:settings]
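Review bot: `index` reads `settings = params[:settings]`, which suggests the same action both renders the form and saves the settings. If it saves on a GET, the inherited permission check now stops users without `edit_environment_features`, but an environment admin could still be made to change vote settings through a crafted link (CSRF); consider moving the save into a separate POST-only action so the protected base class is not the only line of defence.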
=====================================
plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
=====================================
--- a/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
+++ b/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
@@ -8,7 +8,7 @@ class VotePluginAdminControllerTest < ActionController::TestCase
def setup
@environment = Environment.default
- @profile = create_user('profile').person
+ @profile = create_user_with_permission('profile', 'edit_environment_features', Environment.default)
login_as(@profile.identifier)
end
=====================================
test/functional/plugin_admin_controller_test.rb
=====================================
--- /dev/null
+++ b/test/functional/plugin_admin_controller_test.rb
@@ -0,0 +1,25 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PluginAdminController
+ def index
+ render :text => 'ok'
+ end
+end
+
+class PluginAdminControllerTest < ActionController::TestCase
+
+ should 'allow user with the required permission to access plugin administration page' do
+ create_user_with_permission('testuser', 'edit_environment_features', Environment.default)
+ login_as('testuser')
+ get :index
+ assert_response :success
+ end
+
+ should 'forbid access to users that did not have the required permission' do
+ create_user('testuser')
+ login_as('testuser')
+ get :index
+ assert_response :forbidden
+ end
+
+end
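Review bot: the two cases cover a user with the permission and a logged-in user without it, but not the anonymous case; add a third test that does `get :index` without `login_as` and asserts the request is refused (forbidden or redirected to login), since that is the path an unauthenticated visitor to `/admin/plugin/vote` takes. Also note that reopening `PluginAdminController` to add `index` at the top of the file changes the real class for every test loaded afterwards in the same process; defining a small subclass with that action and testing it via `tests SomeSubclass` would keep the base class untouched.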
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.softwarelivre.org/pipermail/noosfero-dev/attachments/20150120/6cb2ee47/attachment.html>