noosfero | 13 new commits pushed to repository

Antonio Terceiro gitlab at gitlab.com
Wed Jan 28 16:47:32 BRST 2015


Antonio Terceiro pushed to refs/heads/stable-1.0 at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>

Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/3a53502126e44e9180508856d8f6e53775aa3f71">3a535021</a> by Victor Costa
Restart with zero downtime

(cherry picked from commit 585963ae1f48474605aa7f991a63d3a9d16bb1d4)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/5cbeedb85028e8ae9bce0fc83f8426da8efc1422">5cbeedb8</a> by Parley Martins
Fix button of create new event

(cherry picked from commit daa42a638a380eb7fc7b6422662a47ea6ca77a8d)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/97fc464e65b6d2c17004360ad0dab34e237dceee">97fc464e</a> by Victor Costa
Always allow environment admins to change homepage

(cherry picked from commit 83dd0faf85c086defa56b7f2a1bbf5c4dd1f9b59)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/d3c99349b8746264cf55697a2b7dd4e4b60f7552">d3c99349</a> by Victor Costa
Deny access to set_home_page for unauthorized users

(cherry picked from commit cd15a410a4673db619f96d52b11ffc293f0a1eba)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/e582a820f5438cdd93f1b0e85180f8128e5ae398">e582a820</a> by Larissa Reis
Escapes html in translations link

  Escapes html so the javascript doesn't break

(cherry picked from commit 76f856ad49aa96224aaa646d49351c98be74f12a)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/7416b48ad597ae52625365458321b943e3be944f">7416b48a</a> by Braulio Bhavamitra
Fix passenger class load to not depend on memcache gem

Use class name as string instead of constant

(cherry picked from commit dbc6d527b78d736cf114e52109335e280aca4809)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/9351075bf4f1f599a75e7733ca88184e1d5bdebf">9351075b</a> by Eduardo Passos
trusted-sites: add openstreetmap.org as default

AI:3006
(cherry picked from commit e1f69da2a81047db67d8d9a9d5abb951238db9e2)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/32e914461cad2edbb4e0700578036430f7ef68f9">32e91446</a> by Antonio Terceiro
Fix fragile unit test

There is not much point in hardcoding the expected constant in the test.

(cherry picked from commit 89c4127aa558b135e53bb904773303545c231fdf)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/96f1266ea40dffc383eb61019e1dbfacfd6fd191">96f1266e</a> by Antonio Terceiro
Update pound setup instructions

(cherry picked from commit 3a38934e6417baca9c1b35698645fbb7b98ff91e)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/b2e6c7b86208aded398ea7f7df4bf7b29ae2c1c4">b2e6c7b8</a> by Antonio Terceiro
Improve sample pound.cfg

Rails needs that header to know that the whole system is actually being
accessed via HTTPS

(cherry picked from commit 4119cb4530d778f3dd8eafd8e832e87735d4e265)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/b179dc0416bdb296d0602af773a591c8a9bf56a2">b179dc04</a> by Antonio Terceiro
Fix protocol in generated links

When accessing Noosfero through a properly configured HTTPS setup, all
links will now be generated with https (or without an explicit
protocol and will just work).

Links generated outside of the scope of a request (models, mailers etc)
will still use http://. That can be fixed by a localized change to
Environment#top_url, but for now I expect everyone using HTTPS to have a
proper HTTP -> HTTPS redirection mechanism.

(cherry picked from commit d9c3be28655e69d77a0f9aeba6a3a50da24eea4f)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/3c3e1b76c4947eab47273b8b4769e561aec3ad15">3c3e1b76</a> by Antonio Terceiro
Revert "Set default timezone as needed by rails 3.2"

This actually breaks things. See the discussion on !430

https://gitlab.com/noosfero/noosfero/merge_requests/430
(cherry picked from commit 4c229767b8864713d545ee96e09844b829afd321)

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/c0954f1bae2b4313a9055dabef52c9cd6bb538a1">c0954f1b</a> by Antonio Terceiro
Always sanitize HTML in header and footer

(cherry picked from commit 7441ba6c92304870c6110814fd588718d6e7bde3)

- - - - -


Changes:

=====================================
INSTALL.https.md
=====================================
--- a/INSTALL.https.md
+++ b/INSTALL.https.md
@@ -1,11 +1,9 @@
-Setup Noosfero to use HTTPS
-===========================
+# Setup Noosfero to use HTTPS
 
 This document assumes that you have a fully and clean Noosfero
 installation as explained at the `INSTALL.md` file.
 
-SSL certificate
-+++++++++++++++
+## Creating a self-signed SSL certificate
 
 You should get a valid SSL certificate, but if you want to test
 your setup before, you could generate a self-signed certificate
@@ -17,99 +15,106 @@ as below:
     # openssl req -new -x509 -nodes -sha1 -days $[10*365] -key noosfero.key > noosfero.cert
     # cat noosfero.key noosfero.cert > noosfero.pem
 
+## Web server configuration
+
 There are two ways of using SSL with Noosfero: 1) If you are not using
 Varnish; and 2) If you are using Varnish.
 
-1) If you are are not using Varnish
-+++++++++++++++++++++++++++++++++++
+### 1) If you are are not using Varnish
 
 Simply do a redirect in apache to force all connections with SSL:
 
-  <VirtualHost *:8080>
-    ServerName test.stoa.usp.br
-   
-    Redirect / https://example.com/
-  </VirtualHost>
+```
+<VirtualHost *:8080>
+  ServerName test.stoa.usp.br
+  Redirect / https://example.com/
+</VirtualHost>
+```
 
 And set a vhost to receive then:
 
-  <VirtualHost *:443>
-    ServerName example.com
-   
-    SSLEngine On
-    SSLCertificateFile    /etc/ssl/certs/cert.pem
-    SSLCertificateKeyFile /etc/ssl/private/cert.key
-   
-    Include /etc/noosfero/apache/virtualhost.conf
-  </VirtualHost>
+```
+<VirtualHost *:443>
+  ServerName example.com
+  SSLEngine On
+  SSLCertificateFile    /etc/ssl/certs/cert.pem
+  SSLCertificateKeyFile /etc/ssl/private/cert.key
+  Include /etc/noosfero/apache/virtualhost.conf
+</VirtualHost>
+```
 
 Be aware that if you had configured varnish, the requests won't reach
 it with this configuration.
 
-2) If you are using Varnish
-+++++++++++++++++++++++++++
-
-Varnish isn't able to communicate with the SSL protocol, so we will
-need some one who do this and Pound[1] can do the job. In order to
-install it in Debian based systems:
+### 2) If you are using Varnish
 
-  $ sudo apt-get install pound
+Varnish isn't able to communicate with the SSL protocol, so we will need some
+one else who do this and [Pound](http://www.apsis.ch/pound) can do the job. In
+order to install it in Debian based systems:
 
-Set Varnish to listen in other port than 80:
+```
+$ sudo apt-get install pound
+```
 
-/etc/defaults/varnish
----------------------
+Set Varnish to listen in other port than 80 in `/etc/defaults/varnish`:
 
-  DAEMON_OPTS="-a localhost:6081 \
-               -T localhost:6082 \ 
-               -f /etc/varnish/default.vcl \ 
-               -S /etc/varnish/secret \ 
-               -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"
+```
+DAEMON_OPTS="-a localhost:6081 \
+             -T localhost:6082 \
+             -f /etc/varnish/default.vcl \
+             -S /etc/varnish/secret \
+             -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"
+```
 
 Configure Pound:
 
-    # cp /usr/share/noosfero/etc/pound.cfg /etc/pound/
-
-Edit /etc/pound.cfg and set the IP and domain of your server.
+```
+# cp /usr/share/noosfero/etc/pound.cfg /etc/pound/
+```
 
-Configure Pound to start at system initialization:
+Edit `/etc/pound.cfg` and set the IP and domain of your server.
 
-/etc/default/pound
+Configure Pound to start at system initialization. At `/etc/default/pound`:
 ------------------
 
-  startup=1
+```
+startup=1
+```
 
-Set Apache to only listen to localhost:
+Set Apache to only listen to localhost, at `/etc/apache2/ports.conf`:
 
-/etc/apache2/ports.conf
------------------------
-
-  Listen 127.0.0.1:8080
+```
+Listen 127.0.0.1:8080
+```
 
 Restart the services:
 
-  $ sudo service apache2 restart
-  $ sudo service varnish restart
+```
+$ sudo service apache2 restart
+$ sudo service varnish restart
+```
 
 Start pound:
 
-  $ sudo service pound start
-
-[1] http://www.apsis.ch/pound
+```
+$ sudo service pound start
+```
 
-Noosfero XMPP chat
-++++++++++++++++++
+## Noosfero XMPP chat
 
 If you want to use chat over HTTPS, then you should add the domain
-and IP of your server in the /etc/hosts file, example:
+and IP of your server in the /etc/hosts file, example
 
-/etc/hosts
-----------
+`/etc/hosts:`
 
-  192.168.1.86	mydomain.example.com
+```
+192.168.1.86	mydomain.example.com
+```
 
-Also, it's recomended that you remove lines above from the file
+Also, it's recomended that you remove the lines below from the file
 `/etc/apache2/sites-enabled/noosfero`:
 
-    RewriteEngine On
-    Include /usr/share/noosfero/util/chat/apache/xmpp.conf
+```
+RewriteEngine On
+Include /usr/share/noosfero/util/chat/apache/xmpp.conf
+```
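Review bot: the unchanged ` ------------------` context line that now sits directly under the rewritten `Configure Pound to start at system initialization. At `/etc/default/pound`:` line turns that sentence into a setext level-2 heading in Markdown; delete it together with the other rst-style underlines this hunk removes. Smaller doc nits in the added lines: `### 1) If you are are not using Varnish` keeps the doubled "are", `some one else who do this` should read `someone else to do this`, `recomended` should be `recommended`, and the colon dropped from `example` has moved inside the backticks in `` `/etc/hosts:` `` (it belongs outside: `` `/etc/hosts`: ``). On the unchanged `openssl req ... -sha1` line in the leading context: a SHA-1 signed certificate is refused by current browsers even for a test setup, so the example should use `-sha256`.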

=====================================
app/controllers/my_profile/cms_controller.rb
=====================================
--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -174,6 +174,8 @@ class CmsController < MyProfileController
 
   post_only :set_home_page
   def set_home_page
+    return render_access_denied unless user.can_change_homepage?
+
     article = params[:id].nil? ? nil : profile.articles.find(params[:id])
     profile.update_attribute(:home_page, article)
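Review bot: the new guard calls `user.can_change_homepage?` unconditionally; unless `MyProfileController` already requires a logged-in user for this action, an anonymous POST raises `NoMethodError` on `nil` (a 500) rather than the 403 the new functional test expects. Either confirm the login filter covers `set_home_page` or write the guard as `user && user.can_change_homepage?`. Placing the check before `profile.articles.find` is the right order: a denied request does no lookup.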
 

=====================================
app/helpers/application_helper.rb
=====================================
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -861,8 +861,9 @@ module ApplicationHelper
   end
 
   def base_url
-    environment.top_url
+    environment.top_url(request.scheme)
   end
+  alias :top_url :base_url
 
   def helper_for_article(article)
     article_helper = ActionView::Base.new
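Review bot: `request.scheme` is taken by Rack from forwarded headers (`X-Forwarded-Proto`, and also `X-Forwarded-Ssl` / `X-Forwarded-Scheme`), so the scheme of every generated link is now whatever reaches Rails in those headers. The `etc/pound.cfg` hunk in this push adds the header on the HTTPS listener but nothing strips a client-supplied copy on the plain-HTTP listener; make sure the proxy removes inbound `X-Forwarded-Proto` (Pound's `HeadRemove`) so generated links cannot be flipped by a request header. A short comment on `alias :top_url :base_url` saying that it intentionally shadows `environment.top_url` in views would explain the remaining `.erb` hunks to the next reader.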

=====================================
app/helpers/content_viewer_helper.rb
=====================================
--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -45,7 +45,7 @@ module ContentViewerHelper
         { article.environment.locales[translation.language] => { :href => url_for(translation.url) } }
       end
       content_tag(:div, link_to(_('Translations'), '#',
-                                :onmouseover => "toggleSubmenu(this, '#{_('Translations')}', #{links.to_json}); return false",
+                                :onmouseover => "toggleSubmenu(this, '#{_('Translations')}', #{CGI::escape_html(links.to_json)}); return false",
                                 :class => 'article-translations-menu simplemenu-trigger up'),
                   :class => 'article-translations')
     end
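Review bot: `link_to` already HTML-escapes attribute values that are not `html_safe` (Rails 3.2 `tag_options`), so verify in the rendered page whether this `CGI::escape_html` now double-escapes the JSON (`&amp;quot;` where `&quot;` is expected) instead of supplying a missing escape; if a specific translation name triggered the original breakage, a unit test with that name would pin the intended behaviour. The label `'#{_('Translations')}'` is still interpolated raw into the single-quoted JS string and breaks the handler for any locale whose translation contains an apostrophe; wrapping it in `escape_javascript` closes that gap.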

=====================================
app/helpers/tinymce_helper.rb
=====================================
--- a/app/helpers/tinymce_helper.rb
+++ b/app/helpers/tinymce_helper.rb
@@ -11,7 +11,7 @@ module TinymceHelper
   end
 
   def tinymce_init_js options = {}
-    options.merge! :document_base_url => environment.top_url,
+    options.merge! :document_base_url => top_url,
       :content_css => "/stylesheets/tinymce.css,#{macro_css_files}",
       :plugins => %w[compat3x advlist autolink lists link image charmap print preview hr anchor pagebreak
         searchreplace wordcount visualblocks visualchars code fullscreen

=====================================
app/models/environment.rb
=====================================
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -283,6 +283,7 @@ class Environment < ActiveRecord::Base
     www.flickr.com
     www.gmodules.com
     www.youtube.com
+    openstreetmap.org
   ] + ('a' .. 'z').map{|i| "#{i}.yimg.com"}
 
   settings_items :enabled_plugins, :type => Array, :default => Noosfero::Plugin.available_plugin_names
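Review bot: check how this list is matched against iframe sources: if the comparison is on the exact hostname, `openstreetmap.org` does not cover the `www.openstreetmap.org` host that OSM's embed URLs use; if it is a suffix match, it also covers every subdomain. A comment next to the entry naming the intended embed would help, since the `AI:3006` reference in the commit message does not reach the code.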
@@ -656,8 +657,8 @@ class Environment < ActiveRecord::Base
     { :controller => 'admin_panel', :action => 'index' }
   end
 
-  def top_url
-    url = 'http://'
+  def top_url(scheme = 'http')
+    url = scheme + '://'
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
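Review bot: `scheme` is concatenated into the URL without validation, and the only caller passes `request.scheme`, which Rack derives from forwarded headers; restrict it to `%w[http https]` (falling back to `'http'`) so the method can never emit another scheme. The commit message already notes that callers outside a request (models, mailers) still get the `http` default; a comment on the default parameter would make that limitation visible at the definition.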

=====================================
app/models/person.rb
=====================================
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -74,6 +74,10 @@ class Person < Profile
 
   belongs_to :user, :dependent => :delete
 
+  def can_change_homepage?
+    !environment.enabled?('cant_change_homepage') || is_admin?
+  end
+
   def can_control_scrap?(scrap)
     begin
       !self.scraps(scrap).nil?
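Review bot: if `is_admin?` accepts an environment argument in this code base, pass `environment` explicitly so admin rights in some other environment do not unlock the homepage here; the new unit test stubs `is_admin?` without `with(...)`, so it would not notice the difference. A one-line comment that the first clause reads the `cant_change_homepage` feature flag would spare readers a trip to the settings code.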

=====================================
app/models/profile.rb
=====================================
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -391,7 +391,7 @@ class Profile < ActiveRecord::Base
   end
 
   xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
   include WhiteListFilter
   filter_iframes :custom_header, :custom_footer
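Review bot: dropping `:on => 'validation'` moves the white-list sanitizer for header and footer to save time, while the `xss_terminate` line above it keeps the validation trigger for `:name` and friends, so the two attribute groups are now sanitized at different moments; add a comment explaining why they differ so nobody "harmonizes" them back. Also confirm that `update_header_and_footer`, used by the new `profile_test.rb` case, goes through a save path that fires the callback, otherwise that test passes for a reason unrelated to this line.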

=====================================
app/views/cms/view.html.erb
=====================================
--- a/app/views/cms/view.html.erb
+++ b/app/views/cms/view.html.erb
@@ -2,7 +2,7 @@
   <%= _('Content management') %>
 </h1>
 
-<% if !environment.enabled?('cant_change_homepage') && !remove_content_button(:home) %>
+<% if user.can_change_homepage? && !remove_content_button(:home) %>
   <div class="cms-homepage">
     <%= _('Profile homepage:') %>
     <% if profile.home_page %>
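Review bot: the view now shares its predicate with the controller, but it additionally hides the control when `remove_content_button(:home)` is true, and the controller's new guard does not consult that; if `remove_content_button(:home)` is a restriction rather than a cosmetic choice, `set_home_page` must check it as well, because a hidden button is not authorization.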
@@ -69,7 +69,7 @@
         <%= expirable_button article, :edit, _('Edit'), {:action => 'edit', :id => article.id} if !remove_content_button(:edit) %>
         <%= button_without_text :eyes, _('Public view'), article.view_url %>
         <%= display_spread_button(profile, article) unless article.folder? || remove_content_button(:spread)%>
-        <% if !environment.enabled?('cant_change_homepage') && !remove_content_button(:home) %>
+        <% if user.can_change_homepage? && !remove_content_button(:home) %>
           <% if profile.home_page != article %>
             <%= expirable_button article, :home, _('Use as homepage'), { :action => 'set_home_page', :id => article.id }, :method => :post %>
           <% else %>

=====================================
app/views/enterprise_registration/basic_information.html.erb
=====================================
--- a/app/views/enterprise_registration/basic_information.html.erb
+++ b/app/views/enterprise_registration/basic_information.html.erb
@@ -20,7 +20,7 @@
 
   <%= labelled_form_for :create_enterprise do |f| %>
     <%= required f.text_field 'name', :onchange => "updateUrlField(this, 'create_enterprise_identifier')", :size => 40 %>
-    <%= required labelled_form_field(_('Address'), content_tag('code', environment.top_url + "/" + text_field(:create_enterprise, 'identifier', :size => 26))) %>
+    <%= required labelled_form_field(_('Address'), content_tag('code', top_url + "/" + text_field(:create_enterprise, 'identifier', :size => 26))) %>
     <%= render :partial => 'shared/organization_custom_fields', :locals => { :f => f, :object_name => :create_enterprise, :profile => @create_enterprise } %>
     <%= required labelled_form_field(_('Region'), f.select('region_id', @regions)) if @validation == :region %>
 

=====================================
app/views/events/events.html.erb
=====================================
--- a/app/views/events/events.html.erb
+++ b/app/views/events/events.html.erb
@@ -3,7 +3,7 @@
 <div id='agenda-toolbar'>
   <%= button :back, _('Back to %s') % profile.name, profile.url %>
   <% if user && user.has_permission?('post_content', profile) %>
-    <%= button :new, _('New event'), myprofile_url(:controller => 'cms', :action => 'new', :type => 'Event') %>
+    <%= button :new, _('New event'), myprofile_path(:controller => 'cms', :action => 'new', :type => 'Event') %>
   <% end %>
 </div>
 

=====================================
app/views/layouts/application-ng.html.erb
=====================================
--- a/app/views/layouts/application-ng.html.erb
+++ b/app/views/layouts/application-ng.html.erb
@@ -14,7 +14,7 @@
 
     <!-- Open Graph -->
     <meta property="og:type" content="<%= @page ? 'article' : 'website' %>">
-    <meta property="og:url" content="<%= @page ? url_for(@page.url) : @environment.top_url %>">
+    <meta property="og:url" content="<%= @page ? url_for(@page.url) : top_url %>">
     <meta property="og:title" content="<%= h page_title %>">
     <meta property="og:site_name" content="<%= profile ? profile.name : @environment.name %>">
     <meta property="og:description" content="<%= meta_description_tag(@page) %>">

=====================================
app/views/layouts/application.html.erb
=====================================
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -68,7 +68,7 @@
 
         <div id="navigation_bar">
           <%= link_to "<span>"+ @environment.name() +"</span>",
-                      @environment.top_url,
+                        top_url,
                         :id=>"menu_link_to_envhome",
                         :title=>@environment.name  %>
           <% unless environment.enabled?(:disable_categories) %>
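Review bot: style only: the replacement `top_url,` line is indented two columns deeper than the `@environment.top_url,` it replaces and than the `:id=>` argument below it; align it with the surrounding arguments.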

=====================================
config/application.rb
=====================================
--- a/config/application.rb
+++ b/config/application.rb
@@ -113,9 +113,6 @@ module Noosfero
     config.secret_token = noosfero_session_secret
     config.session_store :cookie_store, :key => '_noosfero_session'
 
-    config.time_zone = File.read('/etc/timezone').split("\n").first
-    config.active_record.default_timezone = :local
-
     config.paths['db/migrate'] += Dir.glob "#{Rails.root}/{baseplugins,config/plugins}/*/db/migrate"
     config.i18n.load_path += Dir.glob "#{Rails.root}/{baseplugins,config/plugins}/*/locales/*.{rb,yml}"
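Review bot: reverting `default_timezone = :local` means ActiveRecord goes back to reading stored timestamps as UTC; any deployment that ran with the reverted setting in between wrote rows in local time, and those will shift by the local offset after this change, so the release note should say how long the reverted behaviour was live. The revert also removes the unconditional `File.read('/etc/timezone')`, which raises at boot on a system without that file; that is worth stating alongside "breaks things".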
 

=====================================
config/initializers/passenger.rb
=====================================
--- a/config/initializers/passenger.rb
+++ b/config/initializers/passenger.rb
@@ -3,7 +3,7 @@ if defined? PhusionPassenger
   # from http://russbrooks.com/2010/10/20/rails-cache-memcache-on-passenger-with-smart-spawning
   PhusionPassenger.on_event :starting_worker_process do |forked|
     if forked
-      Rails.cache.instance_variable_get(:@data).reset if Rails.cache.class == ActiveSupport::Cache::MemCacheStore
+      Rails.cache.instance_variable_get(:@data).reset if Rails.cache.class.name == 'ActiveSupport::Cache::MemCacheStore'
     end
   end
 end
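Review bot: add a code comment explaining the string comparison (`ActiveSupport::Cache::MemCacheStore` is only defined when the memcache gem is loaded, so referencing the constant raises `NameError` on deployments without it); the commit message says this, but the next reader of the initializer sees only an odd comparison of a class name to a string. As with the `==` it replaces, the check does not match subclasses of the store.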

=====================================
etc/init.d/noosfero
=====================================
--- a/etc/init.d/noosfero
+++ b/etc/init.d/noosfero
@@ -115,8 +115,11 @@ do_stop() {
 }
 
 do_restart() {
-  do_stop
-  do_start
+  if running; then
+    main_script restart
+  else
+    do_start
+  fi
 }
 
 running(){

=====================================
etc/pound.cfg
=====================================
--- a/etc/pound.cfg
+++ b/etc/pound.cfg
@@ -5,7 +5,7 @@ TimeOut  300
 Control  "/var/run/pound/poundctl.socket"
 
 ListenHTTP
-  Address  192.168.1.86
+  Address  0.0.0.0
   Port     80
   xHTTP    1
   # uncomment code above if you are using chat
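Review bot: `Address 0.0.0.0` makes the sample listen on every interface, while the updated `INSTALL.https.md` in this push still tells the operator to "set the IP and domain of your server" in `/etc/pound.cfg`; either keep a placeholder address with a comment or update the install text. The unchanged `# uncomment code above if you are using chat` comment points at lines that are not commented-out code (`Address`, `Port`, `xHTTP`); check whether it should say "below".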
@@ -22,7 +22,8 @@ ListenHTTP
 End
 
 ListenHTTPS
-  Address    192.168.1.86
+  Address    0.0.0.0
+  AddHeader  "X-Forwarded-Proto: https"
   Port       443
   Cert       "/etc/noosfero/ssl/noosfero.pem"
   Ciphers    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
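Review bot: `AddHeader "X-Forwarded-Proto: https"` is what lets `request.scheme` report https behind Pound (see the `application_helper.rb` hunk), but `AddHeader` appends and does not drop a copy the client sent; add `HeadRemove "X-Forwarded-Proto"` on both listeners, the plain-HTTP one especially, so only Pound's value reaches Rails. Separately, the unchanged `Ciphers` line still lists `RC4` and excludes `AESGCM` and `EDH`, which keeps a broken stream cipher enabled while disabling the AEAD and forward-secret DHE suites; since this file is being touched, drop `RC4` and the `!AESGCM` exclusion.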

=====================================
plugins/bsc/views/shared/_fields.html.erb
=====================================
--- a/plugins/bsc/views/shared/_fields.html.erb
+++ b/plugins/bsc/views/shared/_fields.html.erb
@@ -31,7 +31,7 @@
   <%= hidden_field_tag 'old_bsc_identifier', profile.identifier %>
   <div id="bsc-formitem">
     <%=   content_tag('code',
-            environment.top_url + '/ ' +
+            top_url + '/ ' +
             text_field(:profile_data, :identifier, :onchange => "warn_value_change()", :size => 25)
           ) +
           content_tag('div',
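Review bot: the rewritten line keeps the pre-existing `'/ '` with a trailing space, so the rendered address reads `top_url/ identifier`; since the line is being changed anyway, make it `'/'` to match the `enterprise_registration` view in this push.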

=====================================
public/designs/themes/noosfero/site_title.html.erb
=====================================
--- a/public/designs/themes/noosfero/site_title.html.erb
+++ b/public/designs/themes/noosfero/site_title.html.erb
@@ -1 +1 @@
-<%= link_to(image_tag("/designs/themes/noosfero/images/logo-noosfero.png"), environment.top_url) %>
+<%= link_to(image_tag("/designs/themes/noosfero/images/logo-noosfero.png"), top_url) %>

=====================================
public/designs/themes/profile-base/site_title.html.erb
=====================================
--- a/public/designs/themes/profile-base/site_title.html.erb
+++ b/public/designs/themes/profile-base/site_title.html.erb
@@ -1,5 +1,5 @@
 <% if File.exists?(File.join(Rails.root, 'public', "/designs/themes/#{environment.theme}/images/thin-logo.png")) %>
-  <%= link_to(image_tag("/designs/themes/#{environment.theme}/images/thin-logo.png"), environment.top_url) %>
+  <%= link_to(image_tag("/designs/themes/#{environment.theme}/images/thin-logo.png"), top_url) %>
 <% else %>
-  <%= link_to(image_tag("/designs/themes/noosfero/images/thin-logo.png"), environment.top_url) %>
+  <%= link_to(image_tag("/designs/themes/noosfero/images/thin-logo.png"), top_url) %>
 <% end %>

=====================================
script/production
=====================================
--- a/script/production
+++ b/script/production
@@ -45,6 +45,16 @@ do_stop() {
     stop_via_pid_file tmp/pids/delayed_job.pid tmp/pids/delayed_job.*.pid tmp/pids/feed-updater.*.pid
 }
 
+do_restart() {
+  rake db:migrate SCHEMA=/dev/null
+  environments_loop stop ||
+    stop_via_pid_file tmp/pids/delayed_job.pid tmp/pids/delayed_job.*.pid tmp/pids/feed-updater.*.pid
+  environments_loop start
+
+  clear_cache
+  ruby -S thin -C config/thin.yml restart --onebyone
+}
+
 stop_via_pid_file() {
   for pidfile in $@; do
     if [ -e "$pidfile" ]; then
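Review bot: `do_restart` has no error handling: if `rake db:migrate` fails, the script still stops the loop, starts it, clears the cache and restarts thin, leaving a running site on a half-migrated schema; abort on a non-zero status (`rake db:migrate SCHEMA=/dev/null || exit 1`) or use `set -e` at the top of the script. The `environments_loop stop || stop_via_pid_file ...` line duplicates the body of `do_stop` visible in the leading context; call `do_stop` instead. And because the migration runs while the old thin workers are still serving (which is the point of `--onebyone`), document that migrations on this branch must be backward compatible with the previous release.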
@@ -84,9 +94,7 @@ case "$ACTION" in
     ;;
 
   restart)
-    do_stop
-    sleep 1
-    do_start
+    do_restart
     ;;
 
   *)

=====================================
test/functional/cms_controller_test.rb
=====================================
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -101,12 +101,26 @@ class CmsControllerTest < ActionController::TestCase
     assert_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
   end
 
+  should 'display the profile homepage if logged user is an environment admin' do
+    env = Environment.default; env.enable('cant_change_homepage'); env.save!
+    env.add_admin(profile)
+    get :index, :profile => profile.identifier
+    assert_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
+  end
+
   should 'not display the profile homepage if cannot change homepage' do
     env = Environment.default; env.enable('cant_change_homepage')
     get :index, :profile => profile.identifier
     assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
   end
 
+  should 'not allow profile homepage changes if cannot change homepage' do
+    env = Environment.default; env.enable('cant_change_homepage')
+    a = profile.articles.create!(:name => 'my new home page')
+    post :set_home_page, :profile => profile.identifier, :id => a.id
+    assert_response 403
+  end
+
   should 'be able to set home page' do
     a = profile.articles.build(:name => 'my new home page')
     a.save!
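Review bot: the 403 assertion in `not allow profile homepage changes if cannot change homepage` checks the response but not the effect; add `assert_nil profile.reload.home_page` (or compare with the previous value) so a regression that writes and then renders 403 is caught. The setups also differ: the admin test does `env.enable(...); env.save!` while the other two only call `env.enable(...)`; either `enable` persists by itself, in which case the `save!` is noise, or the other tests depend on an unsaved flag. Pick one form.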

=====================================
test/unit/environment_test.rb
=====================================
--- a/test/unit/environment_test.rb
+++ b/test/unit/environment_test.rb
@@ -1063,7 +1063,7 @@ class EnvironmentTest < ActiveSupport::TestCase
   end
 
   should 'have a list of trusted sites by default' do
-    assert_equal ['developer.myspace.com', 'itheora.org', 'maps.google.com', 'platform.twitter.com', 'player.vimeo.com', 'stream.softwarelivre.org', 'tv.softwarelivre.org', 'www.facebook.com', 'www.flickr.com', 'www.gmodules.com', 'www.youtube.com', 'a.yimg.com', 'b.yimg.com', 'c.yimg.com', 'd.yimg.com', 'e.yimg.com', 'f.yimg.com', 'g.yimg.com', 'h.yimg.com', 'i.yimg.com', 'j.yimg.com', 'k.yimg.com', 'l.yimg.com', 'm.yimg.com', 'n.yimg.com', 'o.yimg.com', 'p.yimg.com', 'q.yimg.com', 'r.yimg.com', 's.yimg.com', 't.yimg.com', 'u.yimg.com', 'v.yimg.com', 'w.yimg.com', 'x.yimg.com', 'y.yimg.com', 'z.yimg.com'], Environment.new.trusted_sites_for_iframe
+    assert_equal [String], Environment.new.trusted_sites_for_iframe.map(&:class).uniq
   end
 
   should 'have a list of trusted sites' do
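Review bot: the replacement assertion only checks that every entry is a String, so it would pass for a list containing a single wrong entry; assert on a few stable members instead (`assert_includes Environment.new.trusted_sites_for_iframe, 'www.youtube.com'` and the `'openstreetmap.org'` added in this push), which stays robust to future additions while still proving the default list is populated.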

=====================================
test/unit/person_test.rb
=====================================
--- a/test/unit/person_test.rb
+++ b/test/unit/person_test.rb
@@ -1470,4 +1470,18 @@ class PersonTest < ActiveSupport::TestCase
       person.reload
     end
   end
+
+  should 'allow homepage change if user is an environment admin' do
+    person = create_user('person').person
+    person.environment.expects(:enabled?).with('cant_change_homepage').returns(true)
+    person.expects(:is_admin?).returns(true)
+    assert person.can_change_homepage?
+  end
+
+  should 'allow homepage change if environment feature permit it' do
+    person = create_user('person').person
+    person.environment.expects(:enabled?).with('cant_change_homepage').returns(false)
+    assert person.can_change_homepage?
+  end
+
 end
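Review bot: both new tests cover only the allowing branches; add the denying case (`enabled?` returns true, `is_admin?` returns false, `refute person.can_change_homepage?`) so the guard cannot be rewritten as always true without a failure. Also, `expects(:is_admin?)` without `with(...)` would still pass if the implementation started passing an environment argument, so this stub will not detect that change.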

=====================================
test/unit/profile_test.rb
=====================================
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
     assert_equal 'environment footer', profile.custom_footer
   end
 
+  should 'sanitize custom header and footer' do
+    p = fast_create(Profile)
+    script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+    p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+    assert_no_tag_in_string p.custom_header, tag: 'script'
+    assert_no_tag_in_string p.custom_footer, tag: 'script'
+  end
+
   should 'store theme' do
     p = build(Profile, :theme => 'my-shiny-theme')
     assert_equal 'my-shiny-theme', p.theme
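Review bot: the test proves that `<script>` is removed but not that sanitization is not over-eager; add a positive assertion in the same test (for example that a `<p>` in the input survives) so a change that blanks the fields entirely does not pass. `script_kiddie_code` works as a name, but `malicious_html` reads better in test output.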
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
     profile.address = "<h1><</h2< Malformed >> html >< tag"
     profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
     profile.description = "<h1<a> Malformed >> html ></a>< tag"
-    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
     profile.valid?
 
     assert_no_match /[<>]/, profile.name
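Review bot: with `custom_header` and `custom_footer` no longer assigned in this test, the later `assert_no_match /[<>]/, profile.custom_header` / `profile.custom_footer` assertions in the same test body (still visible as context in the next hunk) become vacuous, since `nil` matches nothing; remove them along with these two lines.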
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
     assert_no_match /[<>]/, profile.custom_footer
   end
 
+  should 'escape malformed html tags in header and footer' do
+    profile = fast_create(Profile)
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.save
+
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   should 'not sanitize html comments' do
     profile = Profile.new
     profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'
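Review bot: use `profile.save!` rather than `profile.save` here; if validation fails, the before-save sanitizer never runs and the assertions fail with an unhelpful regexp-match message instead of the validation error. A comment noting that the save is the point at which header and footer are sanitized, now that the `profile.rb` hunk removed the validation trigger, would explain why this test differs from the `valid?`-based one above it.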
