app/views/cms/menus/_menu.html.erb app/views/cms/menus/_menu_item.html.erb app/views/cms/shared/access_denied.html.erb app/views/cms/users/show.html.erb test/functional/cms/content_block_controller_test.rb @@ -33,6 +33,7 @@ class Cms::ContentBlockController < Cms::BaseController after_create_on_failure end rescue Exception => @exception + raise @exception if @exception.is_a?(Cms::Errors::AccessDenied) after_create_on_error end @@ -50,6 +51,7 @@ class Cms::ContentBlockController < Cms::BaseController rescue ActiveRecord::StaleObjectError => @exception after_update_on_edit_conflict rescue Exception => @exception + raise @exception if @exception.is_a?(Cms::Errors::AccessDenied) after_update_on_error end @@ -127,15 +129,18 @@ class Cms::ContentBlockController < Cms::BaseController options[:order] = params[:order] unless params[:order].blank? scope = model_class.respond_to?(:list) ? model_class.list : model_class @blocks = scope.searchable? ? scope.search(params[:search]).paginate(options) : scope.paginate(options) + check_permissions end def load_block @block = model_class.find(params[:id]) + check_permissions end def load_block_draft - load_block + @block = model_class.find(params[:id]) @block = @block.as_of_draft_version if model_class.versioned? + check_permissions end # path related methods - available in the view as helpers @@ -162,6 +167,7 @@ class Cms::ContentBlockController < Cms::BaseController def build_block @block = model_class.new(params[model_name]) + check_permissions end def set_default_category @@ -244,6 +250,23 @@ class Cms::ContentBlockController < Cms::BaseController false end end + + # Use a "whitelist" approach to access to avoid mistakes + # By default everyone can create new block and view them and their properties, + # but blocks can only be modified based on the permissions of the pages they + # are connected to. + def check_permissions + case action_name + when "index", "show", "new", "create", "version", "versions", "usages" + # Allow + when "edit", "update" + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@block) + when "destroy", "publish", "revert_to" + raise Cms::Errors::AccessDenied unless current_user.able_to_publish?(@block) + else + raise Cms::Errors::AccessDenied + end + end # methods to setup the view @@ -259,4 +282,4 @@ class Cms::ContentBlockController < Cms::BaseController "cms/blocks" end -end \ No newline at end of file +end app/controllers/cms/content_block_controller.rb @@ -58,6 +58,7 @@ class Cms::ContentController < Cms::ApplicationController # if caching is not enabled def render_page @_page_route.execute(self) if @_page_route + prepare_connectables_for_render unless (logged_in? && current_user.able_to?(:administrate, :edit_content, :publish_content)) render :layout => @page.layout, :action => 'show' end @@ -94,11 +95,34 @@ class Cms::ContentController < Cms::ApplicationController @template.instance_variable_set("#{v}", nil) end + prepare_connectables_for_render unless (logged_in? && current_user.able_to?(:administrate, :edit_content, :publish_content)) render :layout => @page.layout, :template => 'cms/content/show', :status => status else handle_server_error(exception) end - end + end + + # If any of the page's connectables (portlets, etc) are renderable, they may have a render method + # which does "controller" stuff, so we need to get that run before rendering the page. + def prepare_connectables_for_render + worst_exception = nil + @page.connectables_by_connector.values.each do |c| + begin + c.prepare_to_render(self) + rescue + logger.debug "THROWN EXCEPTION by connectable #{c}: #{$!}" + case $! + when ActiveRecord::RecordNotFound + raise + when Cms::Errors::AccessDenied + worst_exception = $! + else + c.render_exception = $! + end + end + end + raise worst_exception if worst_exception + end # ----- Before Filters ------------------------------------------------------- def construct_path @@ -224,4 +248,4 @@ class Cms::ContentController < Cms::ApplicationController -end \ No newline at end of file +end app/controllers/cms/content_controller.rb @@ -2,8 +2,9 @@ class Cms::DashboardController < Cms::BaseController def index @unpublished_pages = Page.unpublished.all(:order => "updated_at desc") + @unpublished_pages = @unpublished_pages.select { |page| current_user.able_to_publish?(page) } @incomplete_tasks = current_user.tasks.incomplete.all( :include => :page, :order => "tasks.due_date desc, pages.name") end -end \ No newline at end of file +end app/controllers/cms/dashboard_controller.rb @@ -2,7 +2,8 @@ module Cms module ErrorHandling def self.included(controller) controller.class_eval do - rescue_from Exception, :with => :handle_server_error + rescue_from Exception, :with => :handle_server_error unless RAILS_ENV == "test" + rescue_from Cms::Errors::AccessDenied, :with => :handle_access_denied end end @@ -13,6 +14,12 @@ module Cms :status => :internal_server_error, :locals => {:exception => exception} end + + def handle_access_denied(exception) + render :layout => 'cms/application', + :template => 'cms/shared/access_denied', + :status => 403 + end end -end \ No newline at end of file +end app/controllers/cms/error_handling.rb @@ -47,10 +47,12 @@ class Cms::LinksController < Cms::BaseController def load_section @section = Section.find(params[:section_id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section) end def load_link @link = Link.find(params[:id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@link) end def load_draft_link app/controllers/cms/links_controller.rb @@ -60,9 +60,9 @@ class Cms::PagesController < Cms::BaseController {:publish => "published", :hide => "hidden", :archive => "archived"}.each do |status, verb| define_method status do if params[:page_ids] - params[:page_ids].each do |id| - Page.find(id).send(status) - end + @pages = params[:page_ids].map { |id| Page.find(id) } + raise Cms::Errors::AccessDenied unless @pages.all? { |page| current_user.able_to_edit?(page) } + @pages.each { |page| page.send(status) } flash[:notice] = "#{params[:page_ids].size} pages #{verb}" redirect_to cms_dashboard_url else @@ -103,6 +103,7 @@ class Cms::PagesController < Cms::BaseController def load_page @page = Page.find(params[:id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@page) end def load_draft_page @@ -112,6 +113,7 @@ class Cms::PagesController < Cms::BaseController def load_section @section = Section.find(params[:section_id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section) end def hide_toolbar app/controllers/cms/pages_controller.rb @@ -1,5 +1,5 @@ class Cms::SectionNodesController < Cms::BaseController - check_permissions :publish_content, :only => [:move_before, :move_after] + check_permissions :publish_content, :except => [:index] def index @toolbar_tab = :sitemap app/controllers/cms/section_nodes_controller.rb @@ -1,6 +1,7 @@ class Cms::SectionsController < Cms::BaseController before_filter :load_parent, :only => [:new, :create] + before_filter :load_section, :only => [:edit, :update, :destroy, :move] before_filter :set_toolbar_tab helper_method :public_groups @@ -16,12 +17,13 @@ class Cms::SectionsController < Cms::BaseController def new @section = @parent.sections.build - @section.groups = public_groups + cms_groups + @section.groups = @parent.groups end def create @section = Section.new(params[:section]) @section.parent = @parent + @section.groups = @section.parent.groups unless current_user.able_to?(:administrate) if @section.save flash[:notice] = "Section '#{@section.name}' was created" redirect_to [:cms, @section] @@ -31,13 +33,12 @@ class Cms::SectionsController < Cms::BaseController end def edit - @section = Section.find(params[:id]) - raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section) end def update - @section = Section.find(params[:id]) - if @section.update_attributes(params[:section]) + params[:section].delete('group_ids') if params[:section] && !current_user.able_to?(:administrate) + @section.attributes = params[:section] + if @section.save flash[:notice] = "Section '#{@section.name}' was updated" redirect_to [:cms, @section] else @@ -46,7 +47,6 @@ class Cms::SectionsController < Cms::BaseController end def destroy - @section = Section.find(params[:id]) respond_to do |format| if @section.deletable? && @section.destroy message = "Section '#{@section.name}' was deleted." @@ -61,7 +61,6 @@ class Cms::SectionsController < Cms::BaseController end def move - @section = Section.find(params[:id]) if params[:section_id] @move_to = Section.find(params[:section_id]) else @@ -81,6 +80,12 @@ class Cms::SectionsController < Cms::BaseController protected def load_parent @parent = Section.find(params[:section_id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@parent) + end + + def load_section + @section = Section.find(params[:id]) + raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section) end def handle_file_browser_upload app/controllers/cms/sections_controller.rb @@ -21,7 +21,7 @@ class Cms::SessionsController < Cms::ApplicationController handle_remember_cookie! new_cookie_flag flash[:notice] = "Logged in successfully" if params[:success_url] # Coming from login portlet - redirect_to(session[:return_to] || params[:success_url] || "/") + redirect_to((!params[:success_url].blank? && params[:success_url]) || session[:return_to] || "/") session[:return_to] = nil else redirect_back_or_default(cms_home_url) app/controllers/cms/sessions_controller.rb @@ -1,7 +1,9 @@ class Cms::UsersController < Cms::ResourceController layout 'cms/administration' - check_permissions :administrate + check_permissions :administrate, :except => [:show, :change_password, :update_password] + before_filter :only_self_or_administrator, :only => [:show, :change_password, :update_password] + before_filter :set_menu_section after_filter :update_group_membership, :only => [:update, :create] after_filter :update_flash, :only => [ :update, :create ] @@ -33,10 +35,6 @@ class Cms::UsersController < Cms::ResourceController @users = User.paginate(:page => params[:page], :per_page => per_page, :include => :user_group_memberships, :conditions => conditions, :order => "first_name, last_name, email") end - def show - redirect_to [:edit, :cms, user] - end - def change_password user end @@ -44,7 +42,7 @@ class Cms::UsersController < Cms::ResourceController def update_password if user.update_attributes(params[:user]) flash[:notice] = "Password for '#{user.login}' was changed" - redirect_to cms_users_path + redirect_to(current_user.able_to?(:administrate) ? cms_users_path : cms_user_path(user)) else render :action => 'change_password' end @@ -95,4 +93,8 @@ class Cms::UsersController < Cms::ResourceController def set_menu_section @menu_section = 'users' end + + def only_self_or_administrator + raise Cms::Errors::AccessDenied if !current_user.able_to?(:administrate) && params[:id].to_i != current_user.id + end end app/controllers/cms/users_controller.rb @@ -24,12 +24,8 @@ module Cms text end - def render_connector(connector) - connectable = connector.connectable_with_deleted - if logged_in? && @mode == "edit" - if connectable.class.versioned? - connectable = connectable.as_of_version(connector.connectable_version) - end + def render_connector_and_connectable(connector, connectable) + if logged_in? && @mode == "edit" && current_user.able_to_edit?(connector.page) render :partial => 'cms/pages/edit_connector', :locals => { :connector => connector, :connectable => connectable} else app/helpers/cms/application_helper.rb @@ -1,30 +1,63 @@ module Cms module MenuHelper - # This will render a menu based on the page - # With no options passed, it will render a menu that shows all the child sections of the root - # and then it will show the path of decendent sections all the way to the current page. - # The resulting HTML is a DIV with a UL in it. Each LI will have an A in it. If the item is a Section, - # the HREF of the A will be the URL of the first non-archived page that is a direct child of that Section. - # Hidden pages will not show up, but if the first page in a Section is hidden, it will be used as the URL - # for that Section. This is commonly done to have a page for a Section and avoid having duplicates in the - # navigation. + # Renders a menu. There are two options, neither are required: + # + # ==== Options + # * <tt>:items</tt> - The items which should appear in the menu. This defaults to calling + # menu_items which generates items automatically based on the current page. But you can use + # this option to pass in a custom menu structure. + # * <tt>:partial</tt> - The partial used to render the menu. By default this is "partials/menu", + # which can be customised through the CMS. The partial gets a local variable <tt>items</tt>. + # + # ==== Structure of items # + # The items should be an array of hashes, in a tree. Each hash can have the following keys (name + # and url are required, others are optional): + # + # * <tt>:name</tt> - The name which appears in the menu + # * <tt>:url</tt> - The URL to link to + # * <tt>:id</tt> - The id for the menu item + # * <tt>:selected</tt> - Boolean value to indicate whether the menu item is the current page + # * <tt>:target</tt> - The target attribute for the link + # * <tt>:children</tt> - An array of hashes containing the child menu items. This is where the + # tree structure comes in. + def render_menu(options = {}) + options[:items] ||= menu_items + options[:partial] ||= "cms/menus/menu" + options[:id] ||= "menu" + options[:class] ||= "menu" + render :partial => options[:partial], :locals => { :items => options[:items], :css_id => options[:id], :css_class => options[:class] } + end + + # This will render generate an array-of-hashes tree structure based on the page, which can be + # passed to render_menu in order to generate a menu. + # + # With no options passed, it will generate a structure that includes all the child sections of + # the root and then it will include the path of decendent sections all the way to the current + # page. + # + # Hidden pages will not be included, but if the first page in a Section is hidden, it will be + # used as the URL for that Section. This is commonly done to have a page for a Section and avoid + # having duplicates in the navigation. + # # You can change the behavior with the following options, all of these are optional: # # ==== Options - # * <tt>:page</tt> - What page should be used as the current page. If this value is omitted, the value in @page will be used. - # * <tt>:path</tt> - This will be used to look up a section and that section will used to generate the menu. The current page will - # still be the value of the page option or @page. Note that this is the path to a section, not a path to a page. + # * <tt>:page</tt> - What page should be used as the current page. If this value is omitted, + # the value in @page will be used. + # * <tt>:path</tt> - This will be used to look up a section and that section will used to + # generate the menu structure. The current page will still be the value of the page option or + # @page. Note that this is the path to a section, not a path to a page. # * <tt>:from_top</tt> - How many below levels from the root the tree should start at. # All sections at this level will be shown. The default is 0, which means show all - # section that are direct children of the root + # nodes that are direct children of the root # * <tt>:depth</tt> - How many levels deep should the tree go, relative to from_top. # If no value is supplied, the tree will go all the way down to the current page. # If a value is supplied, the tree will be that many levels underneath from_top deep. # * <tt>:limit</tt> - Limits the number of top-level elements that will be included in the list - # * <tt>:class</tt> - The CSS Class that will be applied to the div. The default value is "menu". - # * <tt>:show_all_siblings</tt> - Passing true for this option will make all sibilings appear in the tree. - # the default is false, in which case only the siblings of nodes within the open path will appear. + # * <tt>:show_all_siblings</tt> - Passing true for this option will make all sibilings appear in + # the tree. The default is false, in which case only the siblings of nodes within the open + # path will appear. # # ==== Examples # @@ -32,89 +65,41 @@ module Cms # with teams being a Page, everything else a Section. Also, assume we are on the # Baltimore Ravens page. If you're not a footbal fan, see http://sports.yahoo.com/nfl/teams # - # render_menu - # # => <div class="menu"> - # <ul> - # <li id="section_2" class="first open"> - # <a href="/buf">AFC</a> - # <ul> - # <li id="section_3" class="first"> - # <a href="/buf">East</a> - # </li> - # <li id="section_4" class="open"> - # <a href="/bal">North</a> - # <ul> - # <li id="page_5" class="first on"> - # <a href="/bal">Baltimore Ravens</a> - # </li> - # <li id="page_6"> - # <a href="/cin">Cincinnati Bengals</a> - # </li> - # <li id="page_7"> - # <a href="/cle">Cleveland Browns</a> - # </li> - # <li id="page_8" class="last"> - # <a href="/pit">Pittsburgh Steelers</a> - # </li> - # </ul> - # </li> - # <li id="section_5"> - # <a href="/hou">South</a> - # </li> - # <li id="section_6" class="last"> - # <a href="/den">West</a> - # </li> - # </ul> - # </li> - # <li id="section_7" class="last"> - # <a href="/dal">NFC</a> - # </li> - # </ul> - # </div> + # menu_items + # # => [ + # { :id => "section_2", :url => "/buf", :name => "AFC", :children => [ + # { :id => "section_3", :url => "/buf", :name => "East" }, + # { :id => "section_4", :url => "/bal", :name => "North", :children => [ + # { :id => "page_5", :selected => true, :url => "/bal", :name => "Baltimore Ravens" }, + # { :id => "page_6", :url => "/cin", :name => "Cincinnati Bengals" }, + # { :id => "page_7", :url => "/cle", :name => "Cleveland Browns" }, + # { :id => "page_8", :url => "/pit", :name => "Pittsburgh Steelers" } + # ] }, + # { :id => "section_9", :url => "/hou", :name => "South" }, + # { :id => "section_10}", :url => "/den", :name => "West" } + # ] }, + # { :id => "section_11", :url => "/dal", :name => "NFC" } + # ] # - # render_menu(:depth => 2, :show_all_siblings => true) - # # => <div class="menu"> - # <ul> - # <li id="section_2" class="first open"> - # <a href="/buf">AFC</a> - # <ul> - # <li id="section_3" class="first"> - # <a href="/buf">East</a> - # </li> - # <li id="section_4" class="open"> - # <a href="/bal">North</a> - # </li> - # <li id="section_5"> - # <a href="/hou">South</a> - # </li> - # <li id="section_6" class="last"> - # <a href="/den">West</a> - # </li> - # </ul> - # </li> - # <li id="section_7" class="last"> - # <a href="/dal">NFC</a> - # <ul> - # <li id="section_8" class="first"> - # <a href="/dal">East</a> - # </li> - # <li id="section_9"> - # <a href="/chi">North</a> - # </li> - # <li id="section_10"> - # <a href="/atl">South</a> - # </li> - # <li id="section_11" class="last"> - # <a href="/ari">West</a> - # </li> - # </ul> - # </li> - # </ul> - # </div> - def render_menu(options={}) - #Intialize parameters - page = options[:page] || @page - return nil unless page + # menu_items(:depth => 2, :show_all_siblings => true) + # # => [ + # { :id => "section_2", :url => "/buf", :name => "AFC", :children => [ + # { :id => "section_3", :url => "/buf", :name => "East" }, + # { :id => "section_4", :url => "/bal", :name => "North" }, + # { :id => "section_5", :url => "/hou", :name => "South" }, + # { :id => "section_6", :url => "/den", :name => "West" } + # ] }, + # { :id => "section_7", :url => "/dal", :name => "NFC", :children => [ + # { :id => "section_8", :url => "/dal", :name => "East" }, + # { :id => "section_9", :url => "/chi", :name => "North" }, + # { :id => "section_10", :url => "/atl", :name => "South" }, + # { :id => "section_11", :url => "/ari", :name => "West" } + # ] } + # ] + def menu_items(options = {}) + # Intialize parameters + selected_page = options[:page] || @page + return nil unless selected_page # Path to the section if options.has_key?(:path) @@ -122,65 +107,52 @@ module Cms raise "Could not find section for path '#{options[:path]}'" unless section_for_path ancestors = section_for_path.ancestors(:include_self => true) else - ancestors = page.ancestors + ancestors = selected_page.ancestors end - from_top = options.has_key?(:from_top) ? options[:from_top].to_i : 0 - depth = options.has_key?(:depth) ? options[:depth].to_i : 1.0/0 - id = options[:id] || "menu" - css_class = options[:class] || "menu" - show_all_siblings = !!(options[:show_all_siblings]) - limit = options[:limit] - - html = "<div id=\"#{id}\" class=\"#{css_class}\">\n" - - if from_top > ancestors.size - return html << "</div>\n" - else - ancestors = ancestors[from_top..-1] + if options.has_key?(:from_top) + ancestors = ancestors[options[:from_top].to_i..-1] || [] end - #We are defining a recursive lambda that takes the top-level sections - #d is the current depth - fn = lambda do |nodes, d| - indent = (d-1)*4 - html << "<ul>\n".indent(indent+2) - nodes.each_with_index do |sn, i| - - #Construct the CSS classes that the LI should have - classes = ["depth-#{d}"] - if i == 0 - classes << "first" - elsif i == nodes.size-1 - classes << "last" - end - classes << "open" if ancestors.include?(sn.node) - classes << "on" if page == sn.node - cls = classes.empty? ? nil : classes.join(" ") + depth = options.has_key?(:depth) ? options[:depth].to_i : 1.0/0 + show_all_siblings = options[:show_all_siblings] || false + + # We are defining a recursive lambda that takes the top-level sections + fn = lambda do |section_nodes, current_depth| + section_nodes.map do |section_node| + node = section_node.node - html << %Q{<li id="#{sn.node_type.underscore}_#{sn.node.id}"#{cls ? " class=\"#{cls}\"" : ''}>\n}.indent(indent+4) + item = {} + item[:selected] = true if selected_page == node + item[:id] = "#{section_node.node_type.underscore}_#{section_node.node_id}" - #Figure out what this link for this node should be - #If it is a page, then the page will simply be used - #But if is a page, we call the first_page_or_link method - p = sn.node_type == "Section" ? sn.node.first_page_or_link : sn.node - html << %Q{<a href="#{p ? p.path : '#'}"#{(p.respond_to?(:new_window) && p.new_window?) ? ' target="_blank"' : ''}>#{sn.node.name}</a>\n}.indent(indent+6) + # If we are showing a section item, we want to use the path for the first page + page = section_node.section? ? node.first_page_or_link : node - #Now if this is a section, we do the child nodes, - #but only if the show_all_siblings parameter is true, - #or if this section is one of the current page's ancestors - #and also if the current depth is less than the target depth - if sn.node_type == "Section" && (show_all_siblings || ancestors.include?(sn.node)) && d < depth - fn.call(sn.node.visible_child_nodes, d+1) - end + item[:url] = page && page.path || '#' + item[:name] = node.name + item[:target] = "_blank" if page.respond_to?(:new_window?) && page.new_window? - html << %Q{</li>\n}.indent(indent+4) + # Now if this is a section, we do the child nodes, + # but only if the show_all_siblings parameter is true, + # or if this section is one of the current page's ancestors + # and also if the current depth is less than the target depth + if section_node.section? && + current_depth < depth && + (show_all_siblings || ancestors.include?(node)) && + !node.visible_child_nodes.empty? + item[:children] = fn.call(node.visible_child_nodes, current_depth + 1) + end + item end - html << "</ul>\n".indent(indent+2) end - fn.call(ancestors.first.visible_child_nodes(:limit => limit), 1) unless ancestors.first.blank? - html << "</div>\n" + + if ancestors.empty? + [] + else + fn.call(ancestors.first.visible_child_nodes(:limit => options[:limit]), 1) + end end end -end \ No newline at end of file +end app/helpers/cms/menu_helper.rb @@ -14,7 +14,7 @@ module Cms def container(name) content = instance_variable_get("@content_for_#{name}") - if logged_in? && @page && @mode == "edit" + if logged_in? && @page && @mode == "edit" && current_user.able_to_edit?(@page) render :partial => 'cms/pages/edit_container', :locals => {:name => name, :content => content} else content @@ -65,4 +65,4 @@ module Cms end end -end \ No newline at end of file +end app/helpers/cms/page_helper.rb @@ -1,5 +1,5 @@ require 'digest/sha1' -require 'ftools' +require 'fileutils' class Attachment < ActiveRecord::Base @@ -116,7 +116,7 @@ class Attachment < ActiveRecord::Base unless temp_file.blank? FileUtils.mkdir_p File.dirname(full_file_location) if temp_file.local_path - File.copy temp_file.local_path, full_file_location + FileUtils.copy temp_file.local_path, full_file_location else open(full_file_location, 'w') {|f| f << temp_file.read } end app/models/attachment.rb @@ -1,5 +1,5 @@ class Link < ActiveRecord::Base - acts_as_content_block + acts_as_content_block :connectable => false named_scope :named, lambda{|name| {:conditions => ['links.name = ?', name]}} @@ -32,4 +32,4 @@ class Link < ActiveRecord::Base url end -end \ No newline at end of file +end app/models/link.rb @@ -150,7 +150,18 @@ class Page < ActiveRecord::Base def delete_connectors connectors.for_page_version(version).all.each{|c| c.destroy } - end + end + + def connectables_by_connector + @connectables_by_connector ||= connectors.for_page_version(version).inject({}) do |mem, connector| + connectable = connector.connectable_with_deleted + if connectable.class.versioned? + connectable = connectable.as_of_version(connector.connectable_version) + end + mem[connector] = connectable + mem + end + end #This is done to let copy_connectors know which version to pull from #copy_connectors will get called later as an after_update callback app/models/page.rb @@ -75,7 +75,12 @@ class Section < ActiveRecord::Base ancs = node ? node.ancestors : [] options[:include_self] ? ancs + [self] : ancs end - + + def with_ancestors(options = {}) + options.merge! :include_self => true + self.ancestors(options) + end + def move_to(section) if root? false @@ -139,4 +144,4 @@ class Section < ActiveRecord::Base end end -end \ No newline at end of file +end app/models/section.rb @@ -11,8 +11,7 @@ class User < ActiveRecord::Base validates_presence_of :email #validates_length_of :email, :within => 6..100 #r@a.wk #validates_uniqueness_of :email, :case_sensitive => false - validates_format_of :email, :with => /[^@]{2,}@[^.]{2,}\..{2,}/, :message => "should be an email address, ex. xx@xx.com" - + validates_format_of :email, :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i, :message => "should be an email address, ex. xx@xx.com" attr_accessible :login, :email, :name, :first_name, :last_name, :password, :password_confirmation, :expires_at has_many :user_group_memberships @@ -89,12 +88,12 @@ class User < ActiveRecord::Base @viewable_sections ||= Section.find(:all, :include => {:groups => :users}, :conditions => ["users.id = ?", id]) end - def editable_sections - @editable_sections ||= Section.find(:all, :include => {:groups => [:group_type, :users]}, :conditions => ["users.id = ? and group_types.cms_access = ?", id, true]) + def modifiable_sections + @modifiable_sections ||= Section.find(:all, :include => {:groups => [:group_type, :users]}, :conditions => ["users.id = ? and group_types.cms_access = ?", id, true]) end - #Expects a list of names of Permissions - #true if the user has any of the permissions + # Expects a list of names of Permissions + # true if the user has any of the permissions def able_to?(*required_permissions) perms = required_permissions.map(&:to_sym) permissions.any? do |p| @@ -102,24 +101,43 @@ class User < ActiveRecord::Base end end - #Expects object to be an object or a section - #If it's a section, that will be used - #If it's not a section, it will call section on the object - #returns true if any of the sections of the groups the user is in matches the page's section. + # Expects object to be an object or a section + # If it's a section, that will be used + # If it's not a section, it will call section on the object + # returns true if any of the sections of the groups the user is in matches the page's section. def able_to_view?(object) section = object.is_a?(Section) ? object : object.section - !!(viewable_sections.include?(section) || groups.cms_access.count > 0) + viewable_sections.include?(section) || groups.cms_access.count > 0 + end + + def able_to_modify?(object) + case object + when Section + modifiable_sections.include?(object) + when Page, Link + modifiable_sections.include?(object.section) + else + if object.class.respond_to?(:connectable?) && object.class.connectable? + object.connected_pages.all? { |page| able_to_modify?(page) } + else + true + end + end + end + + # Expects node to be a Section, Page or Link + # Returns true if the specified node, or any of its ancestor sections, is editable by any of + # the user's 'CMS User' groups. + def able_to_edit?(object) + able_to?(:edit_content) && able_to_modify?(object) end - #Expects section to be a Section - #Returns true if any of the sections of the groups that have group_type = 'CMS User' - #that the user is in match the section. - def able_to_edit?(section) - !!(editable_sections.include?(section) && able_to?(:edit_content)) + def able_to_publish?(object) + able_to?(:publish_content) && able_to_modify?(object) end def able_to_edit_or_publish_content? able_to?(:edit_content, :publish_content) end -end \ No newline at end of file +end app/models/user.rb @@ -1,7 +1,7 @@ <% able_to? :publish_content do -%> <% if @block.respond_to?(:live?) && !@block.live? %> <%= link_to span_tag('Publish'), block_path(:publish), - :class => "http_put button left", + :class => "http_put button left#{' disabled' unless current_user.able_to_publish?(@block)}", :id => "publish_button" %> <% else %> <%= link_to span_tag('Publish'), "#", @@ -15,7 +15,7 @@ :id => "view_button" %> <%= link_to span_tag('Edit Content'), block_path(:edit), - :class => "button right#{ ' off' if action_name == 'edit'}", + :class => "button right#{ ' off' if action_name == 'edit'}#{' disabled' unless current_user.able_to_edit?(@block)}", :id => "edit_button" %> <%= link_to span_tag("Add New Content"), new_block_path, @@ -33,6 +33,6 @@ <% end %> <%= link_to span_tag("<span class=\"delete_img\">&nbsp;</span>Delete"), block_path, - :class => "http_delete confirm_with_title button", + :class => "http_delete confirm_with_title button#{' disabled' unless current_user.able_to_publish?(@block)}", :title => "Are you sure you want to delete '#{@block.name}'?", :id => "delete_button" %> app/views/cms/blocks/_toolbar_for_member.html.erb @@ -11,12 +11,14 @@ var match = this.id.match(/(.*)_(\d+)/) var type = match[1] var id = match[2] + var editable = !$(this).hasClass("non-editable") + var publishable = !$(this).hasClass("non-publishable") $('table.data tbody tr').removeClass('selected') $(this).addClass('selected') $('#functions .button').addClass('disabled').attr('href','#') $('#add_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/new') $('#view_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id) - $('#edit_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/edit') + if (editable) $('#edit_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/edit') <% if content_type.model_class.versioned? %> $('#revisions_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/versions') <% else %> @@ -28,12 +30,14 @@ $('#delete_button').addClass('disabled') .attr('title', $.trim(cannot_be_deleted_message.text())) } else { - $('#delete_button').removeClass('disabled') - .attr('href', '/cms/'+collectionName+'/'+id) - .attr('title', 'Are You Sure You Want To Delete This Record?') + if (publishable) { + $('#delete_button').removeClass('disabled') + .attr('href', '/cms/'+collectionName+'/'+id) + .attr('title', 'Are You Sure You Want To Delete This Record?') + } } <% able_to? :publish_content do -%> - if($(this).hasClass('draft')) { + if($(this).hasClass('draft') && publishable) { $('#publish_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/publish?_redirect_to='+location.href) } <% end %> @@ -85,7 +89,7 @@ col_ct += 1 if content_type.model_class.publishable? %> <% @blocks.each do |b| %> <% block = b.class.versioned? ? b.as_of_draft_version : b %> - <tr id="<%= block.class.name.underscore %>_<%= block.id %>" class="<%= block.class.name.underscore %> <%= block.class.publishable? && !block.published? ? 'draft' : 'published' %>"> + <tr id="<%= block.class.name.underscore %>_<%= block.id %>" class="<%= block.class.name.underscore %> <%= block.class.publishable? && !block.published? ? 'draft' : 'published' %> <%= 'non-editable' unless current_user.able_to_edit?(block) %> <%= 'non-publishable' unless current_user.able_to_publish?(block) %>"> <td class="first"></td> <% content_type.columns_for_index.each_with_index do |column, i| %> <td class="<%= column[:label].gsub(' ', '').underscore %>"> app/views/cms/blocks/index.html.erb @@ -12,9 +12,9 @@ <iframe src="<%=h cms_toolbar_path(:page_id => @page.id, :page_version => @page.version, :mode => @mode, :page_toolbar => @show_page_toolbar ? 1 : 0) %>" width="100%" height="<%= @show_page_toolbar ? 159 : 100 %>px" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" name="cms_toolbar"></iframe> <% end %> -<% @page.connectors.for_page_version(@page.version).each do |c| %> - <% content_for(c.container.to_sym) do %> - <%= render_connector c %> +<% @page.connectables_by_connector.each_pair do |connector, connectable| %> + <% content_for(connector.container.to_sym) do %> + <%= render_connector_and_connectable(connector, connectable) %> <% end %> <% end %> app/views/cms/content/show.html.erb @@ -8,7 +8,7 @@ <table class="section_node <%= node_type %> <%= "movable" if current_user.able_to?(:publish_content) %>" width="100%" cellspacing="0" cellpadding="0"> <tr><td colspan="4" class="drop-before"></td></tr> <tr<%= ' class="doubled"' if access_icon && hidden %>> - <td id="<%= node_type %>_<%= node.id %>" class="<%= node_type == "section" && node.root? ? 'root' : '' %> <%= node_type %> node"> + <td id="<%= node_type %>_<%= node.id %>" class="<%= node_type == "section" && node.root? ? 'root' : '' %> <%= node_type %> node <%= 'non-editable' unless current_user.able_to_edit?(node) %>"> <%= icon %> <div><%= h(node.name) %></div> </td> app/views/cms/section_nodes/_node.html.erb @@ -11,46 +11,48 @@ </div> </div> -<div class="checkbox_group fields" style="float: left; width: 100%"> - <label>Public Permissions</label> - <%= hidden_field_tag "section[group_ids][]", "", :id => nil %> - <div class="checkboxes"> - <% for group in public_groups %> - <div class="checkbox_fields"> - <%= check_box_tag "section[group_ids][]", group.id, - @section.groups.include?(group), :class => "public_group_ids", :id => "public_group_ids_#{group.id}", :tabindex => next_tabindex %> - <label for="public_group_ids_<%= group.id %>"><%= group.name %></label> - </div> - <% end %> - <div class="instructions">Which &ldquo;Public&rdquo; groups can view pages in this section?</div> - <div class="check_uncheck"> - <%= link_to_check_all 'input.public_group_ids' %>, - <%= link_to_uncheck_all 'input.public_group_ids' %> +<% able_to?(:administrate) do %> + <div class="checkbox_group fields" style="float: left; width: 100%"> + <label>Public Permissions</label> + <%= hidden_field_tag "section[group_ids][]", "", :id => nil %> + <div class="checkboxes"> + <% for group in public_groups %> + <div class="checkbox_fields"> + <%= check_box_tag "section[group_ids][]", group.id, + @section.groups.include?(group), :class => "public_group_ids", :id => "public_group_ids_#{group.id}", :tabindex => next_tabindex %> + <label for="public_group_ids_<%= group.id %>"><%= group.name %></label> + </div> + <% end %> + <div class="instructions">Which &ldquo;Public&rdquo; groups can view pages in this section?</div> + <div class="check_uncheck"> + <%= link_to_check_all 'input.public_group_ids' %>, + <%= link_to_uncheck_all 'input.public_group_ids' %> + </div> </div> </div> -</div> -<br clear="all" /> + <br clear="all" /> -<div class="checkbox_group fields" style="float: left; width: 100%"> - <label>CMS Permissions</label> - <%= hidden_field_tag "section[group_ids][]", "", :id => nil %> - <div class="checkboxes"> - <% for group in cms_groups %> - <div class="checkbox_fields"> - <%= check_box_tag "section[group_ids][]", group.id, - @section.groups.include?(group), :class => "cms_group_ids", :id => "cms_group_ids_#{group.id}", :tabindex => next_tabindex %> - <label for="cms_group_ids_<%= group.id %>"><%= group.name %></label> - </div> - <% end %> - <div class="instructions">Which &ldquo;CMS&rdquo; groups can edit pages and content in this section?</div> - <div class="check_uncheck"> - <%= link_to_check_all 'input.cms_group_ids' %>, - <%= link_to_uncheck_all 'input.cms_group_ids' %> + <div class="checkbox_group fields" style="float: left; width: 100%"> + <label>CMS Permissions</label> + <%= hidden_field_tag "section[group_ids][]", "", :id => nil %> + <div class="checkboxes"> + <% for group in cms_groups %> + <div class="checkbox_fields"> + <%= check_box_tag "section[group_ids][]", group.id, + @section.groups.include?(group), :class => "cms_group_ids", :id => "cms_group_ids_#{group.id}", :tabindex => next_tabindex %> + <label for="cms_group_ids_<%= group.id %>"><%= group.name %></label> + </div> + <% end %> + <div class="instructions">Which &ldquo;CMS&rdquo; groups can edit pages and content in this section?</div> + <div class="check_uncheck"> + <%= link_to_check_all 'input.cms_group_ids' %>, + <%= link_to_uncheck_all 'input.cms_group_ids' %> + </div> </div> </div> -</div> -<br clear="all" /> + <br clear="all" /> +<% end %> <div class="buttons"> <%= lt_button_wrapper(f.submit("Save", :class => "submit", :tabindex => next_tabindex)) %> app/views/cms/sections/_form.html.erb @@ -1,10 +1,12 @@ <% @page_title = @toolbar_title = "Set New Password" %> -<% content_for :toolbar_links do %> - <%= link_to(span_tag("List All"), url_for(:controller => "users", :action => "index"), :id => "list_all_button", :class => "button") %> - <%= link_to(span_tag("Edit User"), url_for(:controller => "users", :action => "edit", :id => @user.id), :id => "edit_user_button", :class => "button") %> -<% end %> +<% able_to? :administrate do %> + <% content_for :toolbar_links do %> + <%= link_to(span_tag("List All"), url_for(:controller => "users", :action => "index"), :id => "list_all_button", :class => "button") %> + <%= link_to(span_tag("Edit User"), url_for(:controller => "users", :action => "edit", :id => @user.id), :id => "edit_user_button", :class => "button") %> + <% end %> -<%= content_for :functions, render(:partial => "toolbar") %> + <%= content_for :functions, render(:partial => "toolbar") %> +<% end %> <% content_for :html_head do %> <%= stylesheet_link_tag('cms/form_layout') %> @@ -16,4 +18,4 @@ <div class="buttons"> <%= lt_button_wrapper(f.submit("Save", :class => "submit")) %> </div> -<% end %> \ No newline at end of file +<% end %> app/views/cms/users/change_password.html.erb @@ -26,7 +26,7 @@ <% @users.each do |user|%> <tr> <td class="first"></td> - <td><div class="dividers"><%= link_to "#{user.first_name} #{user.last_name}", [:cms, user] %></div></td> + <td><div class="dividers"><%= link_to "#{user.first_name} #{user.last_name}", edit_cms_user_path(user) %></div></td> <td><div class="dividers"><%= link_to user.email, "mailto:#{user.email}" %></div></td> <td> <div class="dividers"> app/views/cms/users/index.html.erb @@ -8,7 +8,7 @@ <% able_to?(:administrate) do %><li><%= link_to image_tag("/images/cms/nav_admin#{'_on' if tab == :administration}.gif", :id => 'nav_admin_img'), cms_administration_path, :target => "_top" %></li><% end %> </ul> <ul id="userlinks"> - <li id="user_info"><%= image_tag "cms/icons/user.png" %><span><%= current_user.full_name %></span></li> + <li id="user_info"><a href="<%= current_user.able_to?(:administrate) ? edit_cms_user_path(current_user) : cms_user_path(current_user) %>" target="_top"><%= image_tag "cms/icons/user.png" %> <%= current_user.full_name %></a></li> <li><%= link_to "Logout", cms_logout_path, :class => "http_delete", :target => "_top" %></li> </ul> <% flash_class, flash_message = flash.to_a.first %> app/views/layouts/_cms_toolbar.html.erb @@ -50,30 +50,30 @@ <%= link_to "<span>Publish</span>", @page.live? ? '#' : publish_cms_page_path(@page), :id => "publish_button", - :class => "http_put button#{' disabled' if !current_user.able_to?(:publish_content) || @page.version != @page.draft.version || @page.live?} left", + :class => "http_put button#{' disabled' if !current_user.able_to?(:publish_content) || !current_user.able_to_edit?(@page) || @page.version != @page.draft.version || @page.live?} left", :target => "_top" %> <%= link_to "<span>Assign</span>", new_cms_page_task_path(@page), :id => "assign_button", - :class => "button#{ ' disabled' if @page.assigned_to == current_user} middle", + :class => "button#{ ' disabled' if @page.assigned_to == current_user || !current_user.able_to_edit?(@page) } middle", :target => "_top" %> <%= link_to "<span>Complete Task</span>", @page.current_task ? complete_cms_task_path(@page.current_task) : '#', :id => "complete_task_button", - :class => "http_put button#{ ' disabled' unless @page.assigned_to == current_user} right", + :class => "http_put button#{ ' disabled' if @page.assigned_to != current_user || !current_user.able_to_edit?(@page) } right", :target => "_top" %> <%= link_to "<span>Edit Properties</span>", [:edit, :cms, @page], :id => "edit_properties_button", - :class => "spacer button", + :class => "spacer button#{ ' disabled' unless current_user.able_to_edit?(@page) }", :target => "_top" %> <%= link_to "<span>List Versions</span>", versions_cms_page_path(@page), - :class => "spacer button", + :class => "spacer button#{ ' disabled' unless current_user.able_to_edit?(@page) }", :target => "_top" %> <% able_to? :publish_content do %> @@ -83,7 +83,7 @@ :id => "delete_button", :title => "Are you sure you want to delete '#{@page.name}'?", :target => "_top", - :class => "spacer button confirm_with_title http_delete" %> + :class => "spacer button confirm_with_title http_delete#{ ' disabled' unless current_user.able_to_publish?(@page) }" %> <% else %> <%= link_to "<span>Revert to this Version</span>", revert_to_cms_page_path(@page, @page.version), @@ -98,7 +98,7 @@ <div class="visual_editor_label">Visual Editor:</div> <div class="visual_editor_value_container"> <% if @mode == "edit" %> - <div><span id="visual_editor_state">ON</span></div> + <div><span id="visual_editor_state"<%= ' title="You don\'t have permission to edit this page"' unless current_user.able_to_edit?(@page) %>>ON<%= '*' unless current_user.able_to_edit?(@page) %></span></div> <% else %> <div><span id="visual_editor_state">OFF</span></div> <% end %> app/views/layouts/_page_toolbar.html.erb @@ -7,18 +7,29 @@ <div id="wrapper"> <%= render_cms_toolbar(:administration) %> <div id="main"> - <div class="top_cap_menu"></div> - <div id="menu"> - <%= render :partial => 'cms/shared/admin_sidebar' %> - </div> - <div id="contentwrap"> + + <% if current_user.able_to?(:administrate) %> + <div class="top_cap_menu"></div> + <div id="menu"> + <%= render :partial => 'cms/shared/admin_sidebar' %> + </div> + <div id="contentwrap"> + <% else %> + <div class="top_cap"></div> + <div id="contentwrapbig"> + <% end %> + <div id="functions"> <h1><%= @toolbar_title %></h1> <%= yield :functions %> </div> <br clear="all" /> - <div class="top_cap_content"></div> + + <% able_to?(:administrate) do %> + <div class="top_cap_content"></div> + <% end %> + <div id="content"> <div class="pad"> <%= yield %> @@ -26,7 +37,13 @@ </div> </div> <br clear="all" /> - <div class="bottom_cap_content"></div> + + <% if current_user.able_to?(:administrate) %> + <div class="bottom_cap_content"></div> + <% else %> + <div class="bottom_cap"></div> + <% end %> + <%= render :partial => 'layouts/cms/footer' %> </div> </div> app/views/layouts/cms/administration.html.erb @@ -5,11 +5,11 @@ Gem::Specification.new do |s| s.name = %q{browsercms} - s.version = "3.0.2" + s.version = "3.0.3" s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= s.authors = ["BrowserMedia"] - s.date = %q{2009-10-06} + s.date = %q{2009-10-28} s.email = %q{github@browsermedia.com} s.extra_rdoc_files = [ "LICENSE.txt", @@ -155,6 +155,8 @@ Gem::Specification.new do |s| "app/views/cms/links/destroy.js.rjs", "app/views/cms/links/edit.html.erb", "app/views/cms/links/new.html.erb", + "app/views/cms/menus/_menu.html.erb", + "app/views/cms/menus/_menu_item.html.erb", "app/views/cms/page_routes/_form.html.erb", "app/views/cms/page_routes/edit.html.erb", "app/views/cms/page_routes/index.html.erb", @@ -191,6 +193,7 @@ Gem::Specification.new do |s| "app/views/cms/shared/_pagination.html.erb", "app/views/cms/shared/_version_conflict_diff.html.erb", "app/views/cms/shared/_version_conflict_error.html.erb", + "app/views/cms/shared/access_denied.html.erb", "app/views/cms/shared/error.html.erb", "app/views/cms/tags/_form.html.erb", "app/views/cms/tags/render.html.erb", @@ -205,6 +208,7 @@ Gem::Specification.new do |s| "app/views/cms/users/edit.html.erb", "app/views/cms/users/index.html.erb", "app/views/cms/users/new.html.erb", + "app/views/cms/users/show.html.erb", "app/views/layouts/_cms_toolbar.html.erb", "app/views/layouts/_page_toolbar.html.erb", "app/views/layouts/application.html.erb", @@ -1228,12 +1232,11 @@ Gem::Specification.new do |s| "templates/demo.rb", "templates/module.rb" ] - s.has_rdoc = true s.homepage = %q{http://www.browsercms.org} s.rdoc_options = ["--charset=UTF-8"] s.require_paths = ["lib"] s.rubyforge_project = %q{browsercms} - s.rubygems_version = %q{1.3.1} + s.rubygems_version = %q{1.3.5} s.summary = %q{BrowserCMS is a general purpose, open source Web Content Management System (CMS), written in Ruby on Rails.} s.test_files = [ "test/functional/cms/file_blocks_controller_test.rb", @@ -1248,6 +1251,7 @@ Gem::Specification.new do |s| "test/functional/cms/links_controller_test.rb", "test/functional/cms/dynamic_views_controller_test.rb", "test/functional/cms/categories_controller_test.rb", + "test/functional/cms/content_block_controller_test.rb", "test/functional/cms/pages_controller_test.rb", "test/functional/cms/connectors_controller_test.rb", "test/functional/cms/home_controller_test.rb", @@ -1303,7 +1307,7 @@ Gem::Specification.new do |s| if s.respond_to? :specification_version then current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION - s.specification_version = 2 + s.specification_version = 3 if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then else browsercms.gemspec @@ -1,4 +1,6 @@ # Settings specified here will take precedence over those in config/environment.rb +config.gem "mocha" +config.gem "redgreen" config.gem "thoughtbot-factory_girl", :lib => "factory_girl", :source => "http://gems.github.com" # The test environment is used exclusively to run your application's config/environments/test.rb @@ -1,4 +1,16 @@ -ActionController::Routing::Routes.draw do |map| - map.connect "/__test__", :controller => "cms/content", :action => "show_page_route" - map.routes_for_browser_cms -end \ No newline at end of file +if RAILS_ENV == "test" + class ContentBlock + def self.versioned?; true; end + def self.publishable?; true; end + def self.connectable?; true; end + def self.searchable?; false; end + end +end + +# Only load these routes if this is the "root" application +if RAILS_ROOT == File.expand_path(File.dirname(__FILE__) + "/..") + ActionController::Routing::Routes.draw do |map| + map.connect "/__test__", :controller => "cms/content", :action => "show_page_route" + map.routes_for_browser_cms + end +end config/routes.rb @@ -61,7 +61,7 @@ module ActsAsList #{scope_condition_method} - before_destroy :remove_from_list + before_destroy :remove_from_list_without_saving before_create :add_to_list_bottom EOV end @@ -118,13 +118,17 @@ module ActsAsList end # Removes the item from the list. - def remove_from_list + def remove_from_list(save = true) if in_list? decrement_positions_on_lower_items - update_attribute position_column, nil + update_attribute(position_column, nil) if save end end + def remove_from_list_without_saving + self.remove_from_list(false) + end + # Increase the position of this item without adjusting the rest of the list. def increment_position return unless in_list? @@ -249,4 +253,4 @@ module ActsAsList self.update_attribute(position_column, position) end end -end \ No newline at end of file +end lib/acts_as_list.rb @@ -28,4 +28,4 @@ module Cms end end end -end \ No newline at end of file +end lib/cms/acts/content_block.rb @@ -118,14 +118,14 @@ module Cms # Override this method if you would like to override the way the section is set def set_attachment_section - if new_record? && !attachment_file.blank? + if !attachment_file.blank? attachment.section = Section.root.first end end # Override this method if you would like to override the way file_path is set def set_attachment_file_path - if new_record? && !attachment_file.blank? + if !attachment_file.blank? attachment.file_path = "/attachments/#{File.basename(attachment_file.original_filename).to_s.downcase}" end end @@ -181,4 +181,4 @@ module Cms end end end -end \ No newline at end of file +end lib/cms/behaviors/attaching.rb @@ -23,7 +23,18 @@ module Cms after_save :publish_for_non_versioned named_scope :published, :conditions => {:published => true} - named_scope :unpublished, :conditions => {:published => false} + named_scope :unpublished, lambda { + if versioned? + { :joins => :versions, + :conditions => + "#{connection.quote_table_name(version_table_name)}.#{connection.quote_column_name('version')} > " + + "#{connection.quote_table_name(table_name)}.#{connection.quote_column_name('version')}", + :select => "distinct #{connection.quote_table_name(table_name)}.*" } + else + { :conditions => { :published => false } } + end + } + end end module ClassMethods lib/cms/behaviors/publishing.rb @@ -82,7 +82,7 @@ module Cms end module InstanceMethods - def perform_render(controller) + def prepare_to_render(controller) # Give this renderable a reference to the controller @controller = controller @@ -90,12 +90,21 @@ module Cms # This gives the view a reference to this object instance_variable_set(self.class.instance_variable_name_for_view, self) - + # This is like a controller action # We will call it if you have defined a render method # but if you haven't we won't render if respond_to?(:render) + end + def perform_render(controller) + return "Exception: #{@render_exception}" if @render_exception + unless @controller + # We haven't prepared to render. This should only happen when logged in, as we don't want + # errors to bubble up and prevent the page being edited in that case. + prepare_to_render(controller) + end + # Create, Instantiate and Initialize the view view_class = Class.new(ActionView::Base) action_view = view_class.new(@controller.view_paths, {}, @controller) @@ -108,7 +117,7 @@ module Cms # We want content_for to be called on the controller's view, not this inner view def action_view.content_for(name, content=nil, &block) - controller.instance_variable_get("@template").content_for(name, content, &block) + @controller.instance_variable_get("@template").content_for(name, content, &block) end # Copy instance variables from this renderable object to it's view @@ -122,6 +131,10 @@ module Cms end end + def render_exception=(exception) + @render_exception = exception + end + protected def copy_instance_variables_from_controller! if @controller.respond_to?(:instance_variables_for_rendering) @@ -141,4 +154,4 @@ module Cms end end -end \ No newline at end of file +end lib/cms/behaviors/rendering.rb @@ -110,7 +110,7 @@ module Cms def save(perform_validations=true) transaction do #logger.info "..... Calling valid?" - return false unless valid? + return false unless !perform_validations || valid? if changed? #logger.info "..... Changes => #{changes.inspect}" @@ -172,7 +172,7 @@ module Cms end def save!(perform_validations=true) - save || raise(ActiveRecord::RecordNotSaved.new(errors.full_messages)) + save(perform_validations) || raise(ActiveRecord::RecordNotSaved.new(errors.full_messages)) end def draft lib/cms/behaviors/versioning.rb @@ -119,6 +119,10 @@ module Cms::Routes :enable => :put } + if RAILS_ENV == "test" && File.expand_path(RAILS_ROOT) == File.expand_path(File.dirname(__FILE__) + "/../..") + cms.content_blocks :content_block + end + end if PageRoute.table_exists? lib/cms/routes.rb @@ -9,24 +9,6 @@ end namespace :cms do - desc "DEPRECATED" - task :install do - puts "This task has been deprecated, please use 'rake install' instead" - end - - desc "Bumps the build number in lib/cms/init.rb" - task :bump_build_number do - init_file = Rails.root.join("lib/cms/init.rb") - s = File.read(init_file) - open(init_file, 'w') do |f| - f << s.sub(/def build_number; (\d+) end/) do |s| - new_build_number = $1.to_i + 1 - puts "Build number bumped to #{new_build_number}" - "def build_number; #{new_build_number} end" - end - end - end - desc "Generate guides for the CMS" task :guides do require 'rubygems' lib/tasks/cms.rake @@ -187,15 +187,26 @@ jQuery(function($){ } var enableButtonsForNode = function(node) { - var id = getId(node.id, /(section|page|link)_/) - if($(node).hasClass('section')) { - enableButtonsForSection(id) - } else if($(node).hasClass('page')) { - enableButtonsForPage(id) - } else if($(node).hasClass('link')) { - enableButtonsForLink(id) - } - } + var id = getId(node.id, /(section|page|link)_/); + if(!$(node).is(".non-editable")) { + if($(node).hasClass('section')) { + enableButtonsForSection(id); + } else if($(node).hasClass('page')) { + enableButtonsForPage(id); + } else if($(node).hasClass('link')) { + enableButtonsForLink(id); + } + }else if($(node).hasClass('page')) { + $('#edit-button') + .html('<span>View Page</span>') + .removeClass('disabled') + .attr('href','/cms/pages/'+id) + .unbind('click') + .click(function(){return true}); + } else { + $('#properties-button').attr('href','/cms/sitemap'); + } + }; var enableButtonsForSection = function(id) { $('#properties-button') @@ -253,6 +264,7 @@ jQuery(function($){ var enableButtonsForPage = function(id) { $('#edit-button') + .html('<span>Edit Page</span>') .removeClass('disabled') .attr('href','/cms/pages/'+id) .unbind('click') public/javascripts/cms/sitemap.js @@ -1,6 +1,6 @@ @import url(/stylesheets/cms/selectbox.css); -form { +form, .faux_form { font-size: 10pt; font-family: "Trebuchet MS", Helvetica, Verdana, Arial, sans-serif; color:#485561; @@ -21,6 +21,19 @@ padding: 10px 0; background: url(/images/cms/dashed.gif) repeat-x 100% 100%; } +/* Fake forms */ +.faux_form .fields { +padding: 22px 0 10px 0; +font-size: 12px; +overflow: hidden; +} +.faux_form .fields .label { +padding: 0 0 12px 0; +float: left; +width: 140px; +font-weight: bold; +} + /* LABELS */ .text_fields label, .textarea_fields label, @@ -39,7 +52,8 @@ font-size: 12px; .select_fields label, .text_editor_fields label, .file_fields label, -.checkboxes label +.checkboxes label, +.faux_label { font-weight: bold; font-size: 12px; public/stylesheets/cms/form_layout.css @@ -70,13 +70,14 @@ color: #666; font-weight: bold; } -#nav ul#userlinks li a, #nav ul#userlinks li span { -padding: 8px 19px 11px 19px; +#nav ul#userlinks li a { +padding: 4px 19px 11px 19px; background: url(/images/cms/usercontrols_bg_cap.png) no-repeat 100% 0; color: #666; display: block; float: left; text-decoration: none; +line-height: 18px; } #nav ul#userlinks li span { @@ -88,7 +89,7 @@ padding: 9px 10px; } #nav ul#userlinks li#user_info img { float:left; -margin: 4px 0 0 5px; +margin: 0 5px 0 0; } #nav .cmssearch { public/stylesheets/cms/nav.css @@ -2,26 +2,26 @@ require File.join(File.dirname(__FILE__), '/../../test_helper') class Cms::ContentControllerTest < ActionController::TestCase include Cms::ControllerTestHelper - + def test_show_home_page get :show assert_response :success assert_select "title", "Home" end - + def test_show_another_page @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) get :show, :path => ["about"] assert_select "title", "Test About" end - + def test_page_not_found_to_guest get :show, :path => ["foo"] assert_response :not_found assert_select "title", "Not Found" assert_select "h1", "Page Not Found" end - + def test_page_not_found_to_cms_admin login_as_cms_admin get :show, :path => ["foo"] @@ -29,25 +29,25 @@ class Cms::ContentControllerTest < ActionController::TestCase assert_select "title", "Page Not Found" assert_select "h2", "There is no page at /foo" end - + def test_show_protected_page_to_guest create_protected_page - + get :show, :path => ["secret"] assert_response :forbidden assert_select "title", "Access Denied" end - + def test_show_protected_page_to_privileged_user create_protected_page - + login_as @privileged_user - + get :show, :path => ["secret"] assert_response :success assert_select "title", "Shhh... It's a Secret" end - + def test_show_archived_page_to_guest create_archived_page @@ -67,14 +67,14 @@ class Cms::ContentControllerTest < ActionController::TestCase def test_show_file create_file - + get :show, :path => ["test.txt"] - + assert_response :success assert_equal "text/plain", @response.content_type assert_equal "This is a test", streaming_file_contents end - + def test_show_archived_file create_file @@ -82,46 +82,46 @@ class Cms::ContentControllerTest < ActionController::TestCase @file_block.update_attributes(:archived => true, :publish_on_save => true) reset(:file_block) assert @file_block.attachment.archived? - + get :show, :path => ["test.txt"] - + assert_response :not_found assert_select "title", "Not Found" end - + def test_show_protected_file_to_guest create_protected_file - + get :show, :path => ["test.txt"] - + assert_response :forbidden assert_select "title", "Access Denied" end - + def test_show_protected_file_to_privileged_user create_protected_file login_as @privileged_user - + get :show, :path => ["test.txt"] - + assert_response :success assert_equal "text/plain", @response.content_type assert_equal "This is a test", streaming_file_contents end - + def test_show_page_route @page_template = Factory(:page_template, :name => "test_show_page_route") - @page = Factory(:page, - :section => root_section, + @page = Factory(:page, + :section => root_section, :template_file_name => "test_show_page_route.html.erb") - @portlet = DynamicPortlet.create!(:name => "Test", + @portlet = DynamicPortlet.create!(:name => "Test", :template => "<h1><%= @foo %></h1>", :connect_to_page_id => @page.id, :connect_to_container => "main") @page_route = @page.page_routes.create(:pattern => "/foo", :code => "@foo = params[:foo]") reset(:page) @page.publish! - + get :show_page_route, :foo => "42", :_page_route_id => @page_route.id assert_response :success assert_select "h1", "42" @@ -137,10 +137,10 @@ class Cms::ContentControllerTest < ActionController::TestCase def test_show_draft_page_with_content_as_editor login_as_cms_admin create_page_with_content - + @block.update_attributes(:content => "<h3>I've been edited</h3>") reset(:page, :block) - + get :show, :path => ["page_with_content"] assert_response :success assert_select "h3", "I've been edited" @@ -154,42 +154,42 @@ class Cms::ContentControllerTest < ActionController::TestCase @secret_group = Factory(:group, :name => "Secret") @secret_group.sections << @protected_section @privileged_user = Factory(:user, :login => "privileged") - @privileged_user.groups << @secret_group + @privileged_user.groups << @secret_group end - + def create_protected_page - create_protected_user_section_group - @page = Factory(:page, - :section => @protected_section, - :path => "/secret", - :name => "Shhh... It's a Secret", - :template_file_name => "default.html.erb", + create_protected_user_section_group + @page = Factory(:page, + :section => @protected_section, + :path => "/secret", + :name => "Shhh... It's a Secret", + :template_file_name => "default.html.erb", :publish_on_save => true) end - + def create_file @file = mock_file(:read => "This is a test", :content_type => "text/plain") - @file_block = Factory(:file_block, :attachment_section => root_section, :attachment_file => @file, :attachment_file_path => "/test.txt", :publish_on_save => true) + @file_block = Factory(:file_block, :attachment_section => root_section, :attachment_file => @file, :attachment_file_path => "/test.txt", :publish_on_save => true) end - + def create_protected_file - create_protected_user_section_group + create_protected_user_section_group create_file reset(:file_block) @file_block.update_attributes(:attachment_section => @protected_section) reset(:file_block) end - + def create_archived_page - @page = Factory(:page, - :section => root_section, - :path => "/archived", - :name => "Archived", - :archived => true, - :template_file_name => "default.html.erb", + @page = Factory(:page, + :section => root_section, + :path => "/archived", + :name => "Archived", + :archived => true, + :template_file_name => "default.html.erb", :publish_on_save => true) end - + def create_page_with_content @page_template = Factory(:page_template, :name => "testing_editting_content") @@ -200,14 +200,14 @@ class Cms::ContentControllerTest < ActionController::TestCase @block = HtmlBlock.create!(:name => "Test", :content => "<h3>TEST</h3>", - :connect_to_page_id => @page.id, + :connect_to_page_id => @page.id, :connect_to_container => "main") reset(:page) @page.publish! - + end - + end # CMS Page Caching Enabled (Production Mode) @@ -225,18 +225,18 @@ end class Cms::ContentCachingEnabledControllerTest < ActionController::TestCase tests Cms::ContentController include Cms::ControllerTestHelper - + def setup ActionController::Base.perform_caching = true @page = Factory(:page, :section => root_section, :name => "Test Page", :path => "/page", :publish_on_save => true) @registered_user = Factory(:user) @registered_user.groups << Group.with_code("guest").first end - + def teardown ActionController::Base.perform_caching = false end - + def test_guest_user_views_page_on_public_site @request.host = "mysite.com" get :show, :path => ["page"] @@ -253,9 +253,9 @@ class Cms::ContentCachingEnabledControllerTest < ActionController::TestCase def test_registered_user_views_page_on_public_site login_as @registered_user @request.host = "mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" end @@ -263,19 +263,19 @@ class Cms::ContentCachingEnabledControllerTest < ActionController::TestCase def test_registered_user_views_page_on_cms_site login_as @registered_user @request.host = "cms.mysite.com" - + get :show, :path => ["page"] - + assert_redirected_to "http://mysite.com/page" end - + def test_cms_user_views_page_on_public_site login_as_cms_admin @request.session[:page_mode] = "edit" @request.host = "mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" assert_select "iframe", {:count => 0} @@ -285,14 +285,14 @@ class Cms::ContentCachingEnabledControllerTest < ActionController::TestCase login_as_cms_admin @request.session[:page_mode] = "edit" @request.host = "cms.mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" assert_select "iframe" - end - + end + end # CMS Page Caching Disabled (Development Mode) @@ -310,14 +310,14 @@ end class Cms::ContentCachingDisabledControllerTest < ActionController::TestCase tests Cms::ContentController include Cms::ControllerTestHelper - + def setup ActionController::Base.perform_caching = false @page = Factory(:page, :section => root_section, :name => "Test Page", :path => "/page", :publish_on_save => true) @registered_user = Factory(:user) @registered_user.groups << Group.with_code("guest").first end - + def test_guest_user_views_page_on_public_site @request.host = "mysite.com" get :show, :path => ["page"] @@ -335,9 +335,9 @@ class Cms::ContentCachingDisabledControllerTest < ActionController::TestCase def test_registered_user_views_page_on_public_site login_as @registered_user @request.host = "mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" end @@ -345,20 +345,20 @@ class Cms::ContentCachingDisabledControllerTest < ActionController::TestCase def test_registered_user_views_page_on_cms_site login_as @registered_user @request.host = "mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" end - + def test_cms_user_views_page_on_public_site login_as_cms_admin @request.session[:page_mode] = "edit" @request.host = "mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" assert_select "iframe" @@ -368,12 +368,67 @@ class Cms::ContentCachingDisabledControllerTest < ActionController::TestCase login_as_cms_admin @request.session[:page_mode] = "edit" @request.host = "cms.mysite.com" - + get :show, :path => ["page"] - + assert_response :success assert_select "title", "Test Page" assert_select "iframe" end - -end \ No newline at end of file + + def test_portlet_throw_access_denied_goes_to_access_denied_page + @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) + @portlet_render = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :template => '<p id="hi">hello</p>') + @portlet_raise_access_denied = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise Cms::Errors::AccessDenied') + reset(:page) + + get :show, :path => ["about"] + assert_response :forbidden + assert_select "title", "Access Denied" + end + def test_portlet_throw_not_found_goes_to_not_found_page + @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) + @portlet_render = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :template => '<p id="hi">hello</p>') + @portlet_raise_not_found = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise ActiveRecord::RecordNotFound') + reset(:page) + + get :show, :path => ["about"] + assert_response :not_found + assert_select "title", "Not Found" + end + + def test_portlets_throw_multiple_goes_to_not_found + @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) + @portlet_render = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :template => '<p id="hi">hello</p>') + @portlet_raise_not_found = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise ActiveRecord::RecordNotFound') + @portlet_raise_access_denied = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise Cms::Errors::AccessDenied') + @portlet_raise_generic = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise') + reset(:page) + + get :show, :path => ["about"] + assert_response :not_found + assert_select "title", "Not Found" + end + + def test_portlets_throw_multiple_goes_to_access_denied + @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) + @portlet_render = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :template => '<p id="hi">hello</p>') + @portlet_raise_access_denied = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise Cms::Errors::AccessDenied') + @portlet_raise_generic = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise') + reset(:page) + + get :show, :path => ["about"] + assert_response :forbidden + assert_select "title", "Access Denied" + end + def test_portlet_throw_generic_exception_still_render_page + @page = Factory(:page, :section => root_section, :path => "/about", :name => "Test About", :template_file_name => "default.html.erb", :publish_on_save => true) + @portlet_render = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :template => '<p id="hi">hello</p>') + @portlet_raise_generic = DynamicPortlet.create!(:name => "Test", :connect_to_page_id => @page.id, :connect_to_container => "main", :code => 'raise') + reset(:page) + + get :show, :path => ["about"] + assert_select "#hi", "hello" + + end +end test/functional/cms/content_controller_test.rb @@ -57,4 +57,92 @@ class Cms::LinksControllerTest < ActionController::TestCase @link = Factory(:link, :section => root_section, :url => "http://v1.example.com") end -end \ No newline at end of file +end + +class Cms::LinksControllerPermissionsTest < ActionController::TestCase + tests Cms::LinksController + include Cms::ControllerTestHelper + + def setup + # DRYME copypaste from UserPermissionTest + @user = Factory(:user) + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("edit_content") + @group.permissions << create_or_find_permission_named("publish_content") + @user.groups << @group + + @editable_section = Factory(:section, :parent => root_section, :name => "Editable") + @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection") + @group.sections << @editable_section + @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page") + @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage") + @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link") + @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink") + + @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") + @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page") + @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link") + + @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link] + @editables = [@editable_section, @editable_subsection, + @editable_page, @editable_subpage, + @editable_link, @editable_sublink] + end + + def test_new_permissions + login_as(@user) + + get :new, :section_id => @editable_section + assert_response :success + + get :new, :section_id => @noneditable_section + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_create_permissions + login_as(@user) + + post :create, :section_id => @editable_section, :name => "Another editable link" + assert_response :success + + post :create, :section_id => @noneditable_section, :name => "Another non-editable link" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_edit_permissions + login_as(@user) + + get :edit, :id => @editable_link + assert_response :success + + get :edit, :id => @noneditable_link + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_update_permissions + login_as(@user) + + put :update, :id => @editable_link, :name => "Modified editable link" + assert_response :redirect + + put :update, :id => @noneditable_link, :name => "Modified non-editable link" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_destroy_permissions + login_as(@user) + + delete :destroy, :id => @editable_link + assert_response :redirect + + delete :destroy, :id => @noneditable_link + assert_response 403 + assert_template "cms/shared/access_denied" + end +end + + test/functional/cms/links_controller_test.rb @@ -87,3 +87,134 @@ class Cms::PagesControllerTest < ActionController::TestCase end end + +class Cms::PagesControllerPermissionsTest < ActionController::TestCase + tests Cms::PagesController + include Cms::ControllerTestHelper + + def setup + # DRYME copypaste from UserPermissionTest + @user = Factory(:user) + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("edit_content") + @group.permissions << create_or_find_permission_named("publish_content") + @user.groups << @group + + @editable_section = Factory(:section, :parent => root_section, :name => "Editable") + @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection") + @group.sections << @editable_section + @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page") + @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage") + @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link") + @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink") + + @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") + @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page") + @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link") + + @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link] + @editables = [@editable_section, @editable_subsection, + @editable_page, @editable_subpage, + @editable_link, @editable_sublink] + end + + def test_new_permissions + login_as(@user) + + get :new, :section_id => @editable_section + assert_response :success + + get :new, :section_id => @noneditable_section + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_create_permissions + login_as(@user) + + post :create, :section_id => @editable_section, :name => "Another editable page" + assert_response :success + + post :create, :section_id => @noneditable_section, :name => "Another non-editable page" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_edit_permissions + login_as(@user) + + get :edit, :id => @editable_page + assert_response :success + + get :edit, :id => @noneditable_page + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_update_permissions + login_as(@user) + + # Regular update + put :update, :id => @editable_page, :name => "Modified editable page" + assert_response :redirect + + put :update, :id => @noneditable_page, :name => "Modified non-editable page" + assert_response 403 + assert_template "cms/shared/access_denied" + + # archive + put :archive, :id => @editable_page + assert_response :redirect + + put :archive, :id => @noneditable_page + assert_response 403 + assert_template "cms/shared/access_denied" + + # hide + put :hide, :id => @editable_page + assert_response :redirect + + put :hide, :id => @noneditable_page + assert_response 403 + assert_template "cms/shared/access_denied" + + # publish + put :publish, :id => @editable_page + assert_response :redirect + + put :publish, :id => @noneditable_page + assert_response 403 + assert_template "cms/shared/access_denied" + + # publish many + put :publish, :page_ids => [@editable_page.id] + assert_response :redirect + + put :publish, :page_ids => [@noneditable_page.id] + assert_response 403 + + put :publish, :page_ids => [@editable_page.id, @noneditable_page.id] + assert_response 403 + + # revert_to + # can't find route... +# put :revert_to, :id => @editable_page.id +# assert_response :redirect + +# put :revert_to, :id => @noneditable_page.id +# assert_response :error # shouldn't it be 403? + end + + def test_destroy_permissions + login_as(@user) + + delete :destroy, :id => @editable_page + assert_response :redirect + + delete :destroy, :id => @noneditable_page + assert_response 403 + assert_template "cms/shared/access_denied" + end +end + + test/functional/cms/pages_controller_test.rb @@ -3,11 +3,8 @@ require File.join(File.dirname(__FILE__), '/../../test_helper') class Cms::SectionNodesControllerTest < ActionController::TestCase include Cms::ControllerTestHelper - def setup + def test_index_as_admin login_as_cms_admin - end - - def test_index @foo = Factory(:section, :name => "Foo", :parent => root_section) @bar = Factory(:section, :name => "Bar", :parent => @foo) @page = Factory(:page, :name => "Test Page", :section => @bar) @@ -39,6 +36,49 @@ class Cms::SectionNodesControllerTest < ActionController::TestCase end end +end + +class Cms::SectionNodesControllerPermissionsTest < ActionController::TestCase + tests Cms::SectionNodesController + include Cms::ControllerTestHelper + def setup + # DRYME copypaste from UserPermissionTest + @user = Factory(:user) + login_as(@user) + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("edit_content") + @group.permissions << create_or_find_permission_named("publish_content") + @user.groups << @group + + @editable_section = Factory(:section, :parent => root_section, :name => "Editable") + @group.sections << @editable_section + @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page") + @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link") + + @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") + @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page") + @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link") + + @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link] + @editables = [@editable_section, + @editable_page, + @editable_link,] + end -end \ No newline at end of file + def test_index_as_contributor_with_subsections + get :index + assert_response :success + + # Check that each non-editable has the non-editable class, and that each editable does not have + # the non-editable class + @noneditables.each do |ne| + assert_select "td.node.non-editable div", ne.name + end + @editables.each do |e| + td = css_select("td##{e.class.to_s.underscore}_#{e.id}", e.name).first + assert !td.attributes["class"].include?("non-editable") + end + end +end + test/functional/cms/section_nodes_controller_test.rb @@ -13,8 +13,15 @@ class Cms::SectionsControllerTest < ActionController::TestCase assert_select "input[name=?][value=?]", "section[name]", root_section.name end + test "GET new should set the groups to the parent section's groups by default" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + get :new, :section_id => root_section.to_param + assert_equal root_section.groups, assigns(:section).groups + assert !assigns(:section).groups.include?(@group) + end + def test_update - @section = Factory(:section, :name => "V1", :parent => root_section) + @section = Factory(:section, :name => "V1", :parent => root_section, :groups => root_section.groups) put :update, :id => @section.to_param, :section => {:name => "V2"} reset(:section) @@ -76,3 +83,143 @@ class Cms::SectionFileBrowserControllerTest < ActionController::TestCase end end + +class Cms::SectionsControllerPermissionsTest < ActionController::TestCase + tests Cms::SectionsController + include Cms::ControllerTestHelper + + def setup + # DRYME copypaste from UserPermissionTest + @user = Factory(:user) + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("edit_content") + @group.permissions << create_or_find_permission_named("publish_content") + @user.groups << @group + + @editable_section = Factory(:section, :parent => root_section, :name => "Editable") + @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection") + @group.sections << @editable_section + @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page") + @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage") + @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link") + @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink") + + @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") + @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page") + @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link") + + @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link] + @editables = [@editable_section, @editable_subsection, + @editable_page, @editable_subpage, + @editable_link, @editable_sublink] + end + + def test_new_permissions + login_as(@user) + + get :new, :section_id => @editable_section + assert_response :success + + get :new, :section_id => @noneditable_section + assert_response 403 + assert_template "cms/shared/access_denied" + end + + test "POST create should set the groups to the parent section's groups for non-admin user" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + login_as(@user) + get :new, :section_id => @editable_section + assert_equal @editable_section.groups, assigns(:section).groups + assert !assigns(:section).groups.include?(@group) + end + + def test_create_permissions + login_as(@user) + + post :create, :section_id => @editable_section, :name => "Another editable subsection" + assert_response :success + + post :create, :section_id => @noneditable_section, :name => "Another non-editable subsection" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_edit_permissions + login_as(@user) + + get :edit, :id => @editable_section + assert_response :success + + get :edit, :id => @noneditable_section + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_update_permissions + login_as(@user) + + put :update, :id => @editable_section, :name => "Modified editable subsection" + assert_response :redirect + + put :update, :id => @noneditable_section, :name => "Modified non-editable subsection" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + def test_update_permissions_of_subsection + login_as(@user) + + put :update, :id => @editable_section, :name => "Modified editable subsection" + assert_response :redirect + + put :update, :id => @editable_subsection, :name => "Section below editable section" + assert_response 403 + assert_template "cms/shared/access_denied" + end + + test "PUT update should leave groups alone for non-admin user" do + @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + expected_groups = @editable_section.groups + login_as(@user) + put :update, :id => @editable_section + assert_response :redirect + assert_equal expected_groups, assigns(:section).groups + assert !assigns(:section).groups.include?(@group2) + end + + test "PUT update should leave groups alone for non-admin user even if hack url" do + @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + expected_groups = @editable_section.groups + login_as(@user) + RAILS_DEFAULT_LOGGER.warn("starting...") + put :update, :id => @editable_section, :section => {:name => "new name", :group_ids => [@group, @group2]} + assert_response :redirect + assert_equal expected_groups, assigns(:section).groups + assert_equal "new name", assigns(:section).name + assert !assigns(:section).groups.include?(@group2) + end + + + + test "PUT update should add groups for admin user" do +# This step is unnecessary in the actual cms, as you can't stop the admin from doing anything + Group.find(:first, :conditions => "code = 'cms-admin'").sections << @editable_subsection + @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + expected_groups = [@group, @group2] + login_as_cms_admin + put :update, :id => @editable_subsection, :section => {:name => "new name", :group_ids => [@group, @group2]} + assert_response :redirect + assert_equal expected_groups, assigns(:section).groups + end + + def test_destroy_permissions + login_as(@user) + + delete :destroy, :id => @editable_section + assert_response :redirect + + delete :destroy, :id => @noneditable_section + assert_response 403 + assert_template "cms/shared/access_denied" + end +end test/functional/cms/sections_controller_test.rb @@ -2,6 +2,9 @@ require File.join(File.dirname(__FILE__), '/../../test_helper') class Cms::SessionsControllerTest < ActionController::TestCase include Cms::ControllerTestHelper + def teardown + User.current = nil + end def test_not_redirected_to_cms_site_if_public_site @request.host = "foo.com" @@ -19,6 +22,22 @@ class Cms::SessionsControllerTest < ActionController::TestCase assert_select "title", "CMS Login" end + def test_return_to + user = Factory(:user) + expected_url = "/expected_url" + + post :create, {:success_url => "", :login => user.login, :password => "password"}, {:return_to => expected_url } + assert_redirected_to(expected_url) + end + def test_success_url_overrides_return_to + user = Factory(:user) + expected_url = "/expected_url" + + post :create, {:success_url => expected_url, :login => user.login, :password => "password"}, {:return_to => "/somewhere_else" } + + assert_redirected_to(expected_url) + end + end class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase @@ -49,4 +68,4 @@ class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase assert_select "title", "CMS Login" end -end \ No newline at end of file +end test/functional/cms/sessions_controller_test.rb @@ -6,7 +6,6 @@ class Cms::UsersControllerTest < ActionController::TestCase def setup login_as_cms_admin @user = User.first - end def test_index @@ -132,6 +131,11 @@ class Cms::UsersControllerTest < ActionController::TestCase assert_select "input#user_expires_at" end + def test_show + get :show, :id => @user.id + assert_response :success + end + def test_update put :update, :id => @user.id, :user => { :first_name => "First"} reset(:user) @@ -181,4 +185,47 @@ class Cms::UsersControllerTest < ActionController::TestCase @user_with_login = Factory(:user, :login => "mylogin") end -end \ No newline at end of file +end + +class Cms::UsersControllerNonAdminTest < ActionController::TestCase + tests Cms::UsersController + include Cms::ControllerTestHelper + + def setup + @user = Factory.build(:user) + @user.groups = [groups(:group_3)] + @user.save! + login_as(@user) + end + + def test_show_self + get :show, :id => @user.id + assert_response :success + end + + def test_show_other + get :show, :id => Factory(:user).id + assert @response.body.include?("Access Denied") + end + + def test_change_password_self + get :change_password, :id => @user.id + assert_response :success + end + + def test_change_password_other + get :change_password, :id => Factory(:user).id + assert @response.body.include?("Access Denied") + end + + def test_update_password_self + put :update_password, :id => @user.id, + :user => {:password => "something_else", :password_confirmation => "something_else"} + assert_redirected_to cms_user_path(@user) + end + + def test_update_password_other + put :update_password, :id => Factory(:user).id + assert @response.body.include?("Access Denied") + end +end test/functional/cms/users_controller_test.rb @@ -2,6 +2,8 @@ ENV["RAILS_ENV"] = "test" require File.expand_path(File.dirname(__FILE__) + "/../config/environment") require 'test_help' require 'action_view/test_case' +require 'mocha' +require 'redgreen' class ActiveSupport::TestCase # Transactional fixtures accelerate your tests by wrapping each test method test/test_helper.rb @@ -81,6 +81,32 @@ class DefaultAttachableTest < ActiveSupport::TestCase assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path assert @attachable.attachment.published? end + + def test_create_without_attachment_and_then_add_attachment_on_edit + @attachable = DefaultAttachable.new(:name => "File Name", + :attachment_file => nil, :publish_on_save => true) + + assert_difference 'DefaultAttachable.count' do + assert_valid @attachable + @attachable.save! + end + + assert_nil @attachable.attachment_file_path + + reset(:attachable) + + @attachable.attachment_file = @file + @attachable.save + @attachable.publish + assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path + + reset(:attachable) + + assert_equal @section, @attachable.attachment_section + assert_equal @section.id, @attachable.attachment_section_id + assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path + assert @attachable.attachment.published? + end end test/unit/behaviors/attaching_test.rb @@ -2,217 +2,96 @@ require File.join(File.dirname(__FILE__), '/../../test_helper') class Cms::MenuHelperTest < ActionView::TestCase - def test_render_menu + def test_menu_items Page.first.update_attributes(:hidden => true, :publish_on_save => true) create_nfl_data - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc.id}" class="depth-1 first open"> - <a href="/buf">AFC</a> - <ul> - <li id="section_#{@afc_east.id}" class="depth-2 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-2 open"> - <a href="/bal">North</a> - <ul> - <li id="page_#{@bal.id}" class="depth-3 first on"> - <a href="/bal">Baltimore Ravens</a> - </li> - <li id="page_#{@cin.id}" class="depth-3"> - <a href="/cin">Cincinnati Bengals</a> - </li> - <li id="page_#{@cle.id}" class="depth-3"> - <a href="/cle">Cleveland Browns</a> - </li> - <li id="page_#{@pit.id}" class="depth-3 last"> - <a href="/pit">Pittsburgh Steelers</a> - </li> - </ul> - </li> - <li id="section_#{@afc_south.id}" class="depth-2"> - <a href="/hou">South</a> - </li> - <li id="section_#{@afc_west.id}" class="depth-2 last"> - <a href="/den">West</a> - </li> - </ul> - </li> - <li id="section_#{@nfc.id}" class="depth-1 last"> - <a href="/dal">NFC</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:page => @bal) + expected = [ + { :id => "section_#{@afc.id}", :url => "/buf", :name => "AFC", :children => [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North", :children => [ + { :id => "page_#{@bal.id}", :selected => true, :url => "/bal", :name => "Baltimore Ravens" }, + { :id => "page_#{@cin.id}", :url => "/cin", :name => "Cincinnati Bengals" }, + { :id => "page_#{@cle.id}", :url => "/cle", :name => "Cleveland Browns" }, + { :id => "page_#{@pit.id}", :url => "/pit", :name => "Pittsburgh Steelers" } + ] }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" }, + { :id => "section_#{@afc_west.id}", :url => "/den", :name => "West" } + ] }, + { :id => "section_#{@nfc.id}", :url => "/dal", :name => "NFC" } + ] + + assert_equal expected, menu_items(:page => @bal) @page = @bal - assert_equal expected, render_menu - assert_match /<div id=\"menu\" class=\"leftnav\">/, render_menu(:class => "leftnav") - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc.id}" class="depth-1 first open"> - <a href="/buf">AFC</a> - <ul> - <li id="section_#{@afc_east.id}" class="depth-2 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-2 open"> - <a href="/bal">North</a> - </li> - <li id="section_#{@afc_south.id}" class="depth-2"> - <a href="/hou">South</a> - </li> - <li id="section_#{@afc_west.id}" class="depth-2 last"> - <a href="/den">West</a> - </li> - </ul> - </li> - <li id="section_#{@nfc.id}" class="depth-1 last"> - <a href="/dal">NFC</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:depth => 2) - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc_east.id}" class="depth-1 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-1 open"> - <a href="/bal">North</a> - <ul> - <li id="page_#{@bal.id}" class="depth-2 first on"> - <a href="/bal">Baltimore Ravens</a> - </li> - <li id="page_#{@cin.id}" class="depth-2"> - <a href="/cin">Cincinnati Bengals</a> - </li> - <li id="page_#{@cle.id}" class="depth-2"> - <a href="/cle">Cleveland Browns</a> - </li> - <li id="page_#{@pit.id}" class="depth-2 last"> - <a href="/pit">Pittsburgh Steelers</a> - </li> - </ul> - </li> - <li id="section_#{@afc_south.id}" class="depth-1"> - <a href="/hou">South</a> - </li> - <li id="section_#{@afc_west.id}" class="depth-1 last"> - <a href="/den">West</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:from_top => 1, :depth => 2) - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc.id}" class="depth-1 first open"> - <a href="/buf">AFC</a> - <ul> - <li id="section_#{@afc_east.id}" class="depth-2 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-2 open"> - <a href="/bal">North</a> - </li> - <li id="section_#{@afc_south.id}" class="depth-2"> - <a href="/hou">South</a> - </li> - <li id="section_#{@afc_west.id}" class="depth-2 last"> - <a href="/den">West</a> - </li> - </ul> - </li> - <li id="section_#{@nfc.id}" class="depth-1 last"> - <a href="/dal">NFC</a> - <ul> - <li id="section_#{@nfc_east.id}" class="depth-2 first"> - <a href="/dal">East</a> - </li> - <li id="section_#{@nfc_north.id}" class="depth-2"> - <a href="/chi">North</a> - </li> - <li id="section_#{@nfc_south.id}" class="depth-2"> - <a href="/atl">South</a> - </li> - <li id="section_#{@nfc_west.id}" class="depth-2 last"> - <a href="/ari">West</a> - </li> - </ul> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:depth => 2, :show_all_siblings => true) - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc.id}" class="depth-1 first open"> - <a href="/buf">AFC</a> - </li> - <li id="section_#{@nfc.id}" class="depth-1 last"> - <a href="/dal">NFC</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:depth => 1) - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc_east.id}" class="depth-1 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-1 open"> - <a href="/bal">North</a> - </li> - <li id="section_#{@afc_south.id}" class="depth-1"> - <a href="/hou">South</a> - </li> - <li id="section_#{@afc_west.id}" class="depth-1 last"> - <a href="/den">West</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:from_top => 1, :depth => 1) - - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@afc_east.id}" class="depth-1 first"> - <a href="/buf">East</a> - </li> - <li id="section_#{@afc_north.id}" class="depth-1 open"> - <a href="/bal">North</a> - </li> - <li id="section_#{@afc_south.id}" class="depth-1 last"> - <a href="/hou">South</a> - </li> - </ul> -</div> -HTML - - assert_equal expected, render_menu(:from_top => 1, :depth => 1, :limit => 3) + assert_equal expected, menu_items + + expected = [ + { :id => "section_#{@afc.id}", :url => "/buf", :name => "AFC", :children => [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North" }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" }, + { :id => "section_#{@afc_west.id}", :url => "/den", :name => "West" } + ] }, + { :id => "section_#{@nfc.id}", :url => "/dal", :name => "NFC" } + ] + + assert_equal expected, menu_items(:depth => 2) + + expected = [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North", :children => [ + { :id => "page_#{@bal.id}", :selected => true, :url => "/bal", :name => "Baltimore Ravens" }, + { :id => "page_#{@cin.id}", :url => "/cin", :name => "Cincinnati Bengals" }, + { :id => "page_#{@cle.id}", :url => "/cle", :name => "Cleveland Browns" }, + { :id => "page_#{@pit.id}", :url => "/pit", :name => "Pittsburgh Steelers" } + ] }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" }, + { :id => "section_#{@afc_west.id}", :url => "/den", :name => "West" } + ] + + assert_equal expected, menu_items(:from_top => 1, :depth => 2) + + expected = [ + { :id => "section_#{@afc.id}", :url => "/buf", :name => "AFC", :children => [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North" }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" }, + { :id => "section_#{@afc_west.id}", :url => "/den", :name => "West" } + ] }, + { :id => "section_#{@nfc.id}", :url => "/dal", :name => "NFC", :children => [ + { :id => "section_#{@nfc_east.id}", :url => "/dal", :name => "East" }, + { :id => "section_#{@nfc_north.id}", :url => "/chi", :name => "North" }, + { :id => "section_#{@nfc_south.id}", :url => "/atl", :name => "South" }, + { :id => "section_#{@nfc_west.id}", :url => "/ari", :name => "West" } + ] } + ] + + assert_equal expected, menu_items(:depth => 2, :show_all_siblings => true) + + expected = [ + { :id => "section_#{@afc.id}", :url => "/buf", :name => "AFC" }, + { :id => "section_#{@nfc.id}", :url => "/dal", :name => "NFC" } + ] + + assert_equal expected, menu_items(:depth => 1) + + expected = [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North" }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" }, + { :id => "section_#{@afc_west.id}", :url => "/den", :name => "West" } + ] + + assert_equal expected, menu_items(:from_top => 1, :depth => 1) + + expected = [ + { :id => "section_#{@afc_east.id}", :url => "/buf", :name => "East" }, + { :id => "section_#{@afc_north.id}", :url => "/bal", :name => "North" }, + { :id => "section_#{@afc_south.id}", :url => "/hou", :name => "South" } + ] + + assert_equal expected, menu_items(:from_top => 1, :depth => 1, :limit => 3) end @@ -223,36 +102,20 @@ HTML @press_releases = Factory(:page, :section => @news, :name => "Press Releases", :path => "/press_releases", :publish_on_save => true) @corporate_news = Factory(:link, :section => @news, :name => "Corporate News", :url => "/news", :new_window => false, :publish_on_save => true) @cnn = Factory(:link, :section => @news, :name => "CNN", :url => "http://www.cnn.com", :new_window => true, :publish_on_save => true) - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="section_#{@news.id}" class="depth-1 first open"> - <a href="/press_releases">News</a> - <ul> - <li id="page_#{@press_releases.id}" class="depth-2 first on"> - <a href="/press_releases">Press Releases</a> - </li> - <li id="link_#{@corporate_news.id}" class="depth-2"> - <a href="/news">Corporate News</a> - </li> - <li id="link_#{@cnn.id}" class="depth-2 last"> - <a href="http://www.cnn.com" target="_blank">CNN</a> - </li> - </ul> - </li> - </ul> -</div> -HTML - @page = @press_releases - output = render_menu - - assert_equal expected, output + expected = [ + { :id => "section_#{@news.id}", :url => "/press_releases", :name => "News", :children => [ + { :id => "page_#{@press_releases.id}", :selected => true, :url => "/press_releases", :name => "Press Releases" }, + { :id => "link_#{@corporate_news.id}", :url => "/news", :name => "Corporate News" }, + { :id => "link_#{@cnn.id}", :url => "http://www.cnn.com", :target => "_blank", :name => "CNN" } + ] } + ] - assert_equal %Q{<div id="menu" class="menu">\n</div>\n}, - render_menu(:from_top => 42) + @page = @press_releases + assert_equal expected, menu_items + assert_equal [], menu_items(:from_top => 42) end - + def test_render_menu_does_not_show_unpublished_pages @section = Factory(:section, :name => "Test", :path => "/test") @page = Factory(:page, :section => @section, :name => "Overview", :path => "/test", :publish_on_save => true) @@ -260,11 +123,13 @@ HTML @draft_page = Factory(:page, :section => @section, :name => "Draft v1", :path => "/draft", :publish_on_save => true) @draft_page.update_attributes(:name => "Draft v2") @never_published = Factory(:page, :section => @section, :name => "Never Published", :path => "/never_published") - output = render_menu(:from_top => 1) - - assert output =~ /\/test/, "Overview page should show up" - assert output =~ /Draft v1/, "Original version of draft page should show up" - assert output !~ /\/never_published/, "Never published should not show up" + + expected = [ + { :id => "page_#{@page.id}", :name => "Overview", :url => "/test", :selected => true }, + { :id => "page_#{@draft_page.id}", :name => "Draft v1", :url => "/draft" } + ] + + assert_equal expected, menu_items(:from_top => 1) end def test_render_menu_with_path @@ -274,48 +139,23 @@ HTML @contact_us = Factory(:page, :section => @footer, :name => "Contact Us", :path => "/contact_us", :publish_on_save => true) @privacy_policy = Factory(:page, :section => @footer, :name => "Privacy Policy", :path => "/privacy_policy", :publish_on_save => true) - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="page_#{@about_us.id}" class="depth-1 first"> - <a href="/about_us">About Us</a> - </li> - <li id="page_#{@contact_us.id}" class="depth-1"> - <a href="/contact_us">Contact Us</a> - </li> - <li id="page_#{@privacy_policy.id}" class="depth-1 last"> - <a href="/privacy_policy">Privacy Policy</a> - </li> - </ul> -</div> -HTML - - #puts "Expected:\n#{expected}" - actual = render_menu(:page => @test, :path => "/footer", :from_top => 1) - #puts "Actual:\n#{actual}" + expected = [ + { :id => "page_#{@about_us.id}", :url => "/about_us", :name => "About Us" }, + { :id => "page_#{@contact_us.id}", :url => "/contact_us", :name => "Contact Us" }, + { :id => "page_#{@privacy_policy.id}", :url => "/privacy_policy", :name => "Privacy Policy" } + ] + + actual = menu_items(:page => @test, :path => "/footer", :from_top => 1) assert_equal expected, actual - expected = <<HTML -<div id="menu" class="menu"> - <ul> - <li id="page_#{@about_us.id}" class="depth-1 first"> - <a href="/about_us">About Us</a> - </li> - <li id="page_#{@contact_us.id}" class="depth-1 on"> - <a href="/contact_us">Contact Us</a> - </li> - <li id="page_#{@privacy_policy.id}" class="depth-1 last"> - <a href="/privacy_policy">Privacy Policy</a> - </li> - </ul> -</div> -HTML - - #puts "Expected:\n#{expected}" - actual = render_menu(:page => @contact_us, :path => "/footer", :from_top => 1) - #puts "Actual:\n#{actual}" - assert_equal expected, actual + expected = [ + { :id => "page_#{@about_us.id}", :url => "/about_us", :name => "About Us" }, + { :id => "page_#{@contact_us.id}", :url => "/contact_us", :name => "Contact Us", :selected => true }, + { :id => "page_#{@privacy_policy.id}", :url => "/privacy_policy", :name => "Privacy Policy" } + ] + actual = menu_items(:page => @contact_us, :path => "/footer", :from_top => 1) + assert_equal expected, actual end protected @@ -374,4 +214,4 @@ HTML end -end \ No newline at end of file +end test/unit/helpers/menu_helper_test.rb @@ -16,7 +16,6 @@ class UserTest < ActiveSupport::TestCase @user.disable! assert_nil User.authenticate(@user.login, @user.password) end - def test_expiration @user = Factory.build(:user) assert_nil @user.expires_at @@ -32,7 +31,6 @@ class UserTest < ActiveSupport::TestCase @user.expires_at = 1.day.ago assert @user.expired? end - def test_disable_enable @user = Factory(:user) @@ -52,9 +50,26 @@ class UserTest < ActiveSupport::TestCase assert !@user.expired? assert User.active.all.include?(@user) end + test "email validation" do + @user = Factory(:user) + assert @user.valid? + + valid_emails = ['t@test.com', 'T@test.com', 'test@somewhere.mobi', 'test@somewhere.tv', 'joe_blow@somewhere.co.nz', 'joe_blow@somewhere.com.au', 't@t-t.co'] + valid_emails.each do |email| + @user.email = email + assert @user.valid? + end + + invalid_emails = ['', '@test.com', '@test', 'test@test', 'test@somewhere', 'test@somewhere.', 'test@somewhere.x', 'test@somewhere..'] + invalid_emails.each do |email| + @user.email = email + assert !@user.valid? + end + end + end -class UserPermssionsTest < ActiveSupport::TestCase +class UserPermissionsTest < ActiveSupport::TestCase def setup @user = Factory(:user) @guest_group = Group.first(:conditions => {:code => "guest"}) @@ -75,36 +90,119 @@ class UserPermssionsTest < ActiveSupport::TestCase assert !@user.able_to?("do something the group does not have permission to do") end - def test_cms_user_permissions + test "cms user access to nodes" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @user.groups << @group + + @modifiable_section = Factory(:section, :parent => root_section, :name => "Modifiable") + @non_modifiable_section = Factory(:section, :parent => root_section, :name => "Not Modifiable") + + @group.sections << @modifiable_section + + @modifiable_page = Factory(:page, :section => @modifiable_section) + @non_modifiable_page = Factory(:page, :section => @non_modifiable_section) + + @modifiable_link = Factory(:link, :section => @modifiable_section) + @non_modifiable_link = Factory(:link, :section => @non_modifiable_section) + + assert @user.able_to_modify?(@modifiable_section) + assert !@user.able_to_modify?(@non_modifiable_section) + + assert @user.able_to_modify?(@modifiable_page) + assert !@user.able_to_modify?(@non_modifiable_page) + + assert @user.able_to_modify?(@modifiable_link) + assert !@user.able_to_modify?(@non_modifiable_link) + end + + test "cms user access to connectables" do @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) - @group.permissions << create_or_find_permission_named("edit_content") - @group.permissions << create_or_find_permission_named("publish_content") @user.groups << @group - @editable_section = Factory(:section, :parent => root_section, :name => "Editable") - @group.sections << @editable_section - @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") - @editable_page = Factory(:page, :section => @editable_section) - @noneditable_page = Factory(:page, :section => @noneditable_section) - - assert @user.able_to_edit?(@editable_section) - assert !@user.able_to_edit?(@noneditable_section) - assert @user.able_to_view?(@editable_page) - assert @user.able_to_view?(@noneditable_page) + + @modifiable_section = Factory(:section, :parent => root_section, :name => "Modifiable") + @non_modifiable_section = Factory(:section, :parent => root_section, :name => "Not Modifiable") + + @group.sections << @modifiable_section + + @modifiable_page = Factory(:page, :section => @modifiable_section) + @non_modifiable_page = Factory(:page, :section => @non_modifiable_section) + + @all_modifiable_connectable = stub( + :class => stub(:content_block? => true, :connectable? => true), + :connected_pages => [@modifiable_page]) + @some_modifiable_connectable = stub( + :class => stub(:content_block? => true, :connectable? => true), + :connected_pages => [@modifiable_page, @non_modifiable_page]) + @none_modifiable_connectable = stub( + :class => stub(:content_block? => true, :connectable? => true), + :connected_pages => [@non_modifiable_page]) + + assert @user.able_to_modify?(@all_modifiable_connectable) + assert !@user.able_to_modify?(@some_modifiable_connectable) + assert !@user.able_to_modify?(@none_modifiable_connectable) + end + + test "cms user access to non-connectable content blocks" do + @content_block = stub(:class => stub(:content_block? => true)) + assert @user.able_to_modify?(@content_block) end - def test_non_cms_user_permissions + test "non cms user access to nodes" do @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "Registered User")) @user.groups << @group - @editable_section = Factory(:section, :parent => root_section, :name => "Editable") - @group.sections << @editable_section - @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable") - @editable_page = Factory(:page, :section => @editable_section) - @noneditable_page = Factory(:page, :section => @noneditable_section) + + @modifiable_section = Factory(:section, :parent => root_section, :name => "Modifiable") + @group.sections << @modifiable_section + @non_modifiable_section = Factory(:section, :parent => root_section, :name => "Not Modifiable") + + @modifiable_page = Factory(:page, :section => @modifiable_section) + @non_modifiable_page = Factory(:page, :section => @non_modifiable_section) - assert !@user.able_to_edit?(@editable_section) - assert !@user.able_to_edit?(@noneditable_section) - assert @user.able_to_view?(@editable_page) - assert !@user.able_to_view?(@noneditable_page) + assert !@user.able_to_modify?(@modifiable_section) + assert !@user.able_to_modify?(@non_modifiable_section) + + assert @user.able_to_view?(@modifiable_page) + assert !@user.able_to_view?(@non_modifiable_page) + end + + test "cms user with no permissions should still be able to view pages" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @user.groups << @group + + @page = Factory(:page) + assert @user.able_to_view?(@page) + end + + test "cms user who can edit content" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("edit_content") + @user.groups << @group + + node = stub + + @user.stubs(:able_to_modify?).with(node).returns(true) + assert @user.able_to_edit?(node) + assert !@user.able_to_publish?(node) + + @user.stubs(:able_to_modify?).with(node).returns(false) + assert !@user.able_to_edit?(node) + assert !@user.able_to_publish?(node) + end + + test "cms user who can publish content" do + @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true)) + @group.permissions << create_or_find_permission_named("publish_content") + @user.groups << @group + + node = stub + + @user.stubs(:able_to_modify?).with(node).returns(true) + assert !@user.able_to_edit?(node) + assert @user.able_to_publish?(node) + + @user.stubs(:able_to_modify?).with(node).returns(false) + assert !@user.able_to_edit?(node) + assert !@user.able_to_publish?(node) end end @@ -127,4 +225,4 @@ class GuestUserTest < ActiveSupport::TestCase assert !@user.able_to_view?(@protected_page) end -end \ No newline at end of file +end test/unit/models/user_test.rb f457e772954dab427d922598db6f9ab5bfb033a7 342e0ffcee051ffdc7430133cd8e2327d5101fdc peakpg peakpg@gmail.com http://github.com/browsermedia/browsercms/commit/1c393cefe71bf454241ced4ff1f56d9d629f9a4a 1c393cefe71bf454241ced4ff1f56d9d629f9a4a 2009-11-03T13:53:08-08:00 2009-11-03T13:53:08-08:00 Merge branch 'master' of git@github.com:browsermedia/browsercms 01d4706ca9bad2353f54d31dcbdf3816ea7b4996 peakpg peakpg@gmail.com