ticket #207: Newsletters backend controllers should guard permissions

svenfuchs · Feb 17, 2009 · 440be6b · 440be6b
1 parent 1fc3927
commit 440be6b
Show file tree

Hide file tree

Showing 9 changed files with 110 additions and 10 deletions.
diff --git a/engines/adva_cms/lib/roles.rb b/engines/adva_cms/lib/roles.rb
@@ -111,5 +111,26 @@
               :'create photo'       => :admin,
               :'update photo'       => :admin,
               :'destroy photo'      => :admin,
-              :'manage photo'       => :admin
+              :'manage photo'       => :admin,
+
+              :'show newsletter'    => :moderator,
+              :'create newsletter'  => :admin,
+              :'update newsletter'  => :admin,
+              :'destroy newsletter' => :admin,
+
+              :'update deleted_newsletter'  => :admin,
+              :'destroy deleted_newsletter' => :superuser,
+
+              :'show issue'         => :moderator,
+              :'create issue'       => :moderator,
+              :'update issue'       => :moderator,
+              :'destroy issue'      => :moderator,
+
+              :'update deleted_issue'  => :moderator,
+              :'destroy deleted_issue' => :superuser,
+
+              :'show newsletter_subscription'    => :moderator,
+              :'create newsletter_subscription'  => :moderator,
+              :'update newsletter_subscription'  => :moderator,
+              :'destroy newsletter_subscription' => :moderator
 end
diff --git a/engines/adva_newsletter/app/controllers/admin/deleted_issues_controller.rb b/engines/adva_newsletter/app/controllers/admin/deleted_issues_controller.rb
@@ -1,4 +1,6 @@
 class Admin::DeletedIssuesController < Admin::BaseController
+  guards_permissions :deleted_issue 
+
   def update
     @deleted_issue = DeletedIssue.find(params[:id])
     @deleted_issue.restore

diff --git a/engines/adva_newsletter/app/controllers/admin/issue_delivery_controller.rb b/engines/adva_newsletter/app/controllers/admin/issue_delivery_controller.rb
@@ -1,4 +1,6 @@
 class Admin::IssueDeliveryController < Admin::BaseController
+  guards_permissions :issue 
+
   before_filter :set_newsletter
   before_filter :set_issue
 

diff --git a/engines/adva_newsletter/app/controllers/admin/issues_controller.rb b/engines/adva_newsletter/app/controllers/admin/issues_controller.rb
@@ -1,4 +1,6 @@
 class Admin::IssuesController < Admin::BaseController
+  guards_permissions :issue 
+
   before_filter :set_newsletter, :except => :index
   before_filter :set_issue, :except => [:index, :new, :create]
 

diff --git a/engines/adva_newsletter/app/controllers/admin/newsletter_subscriptions_controller.rb b/engines/adva_newsletter/app/controllers/admin/newsletter_subscriptions_controller.rb
@@ -1,4 +1,5 @@
 class Admin::NewsletterSubscriptionsController < Admin::BaseController
+  guards_permissions :newsletter_subscription 
 
   def index
     @newsletter = Newsletter.find(params[:newsletter_id])

diff --git a/engines/adva_newsletter/app/controllers/admin/newsletters_controller.rb b/engines/adva_newsletter/app/controllers/admin/newsletters_controller.rb
@@ -1,4 +1,5 @@
 class Admin::NewslettersController < Admin::BaseController
+  guards_permissions :newsletter 
 
   def index
     @newsletters = Newsletter.find(:all)

diff --git a/engines/adva_newsletter/test/contexts.rb b/engines/adva_newsletter/test/contexts.rb
@@ -0,0 +1,9 @@
+class Test::Unit::TestCase
+  share :site_with_newsletter do
+    before do
+      @site  = Site.find_by_name("site with newsletter")
+      @newsletter = @site.newsletters.first
+      @issue = @newsletter.issues.first
+    end
+  end
+end
diff --git a/engines/adva_newsletter/test/functional/admin/issues_controller_test.rb b/engines/adva_newsletter/test/functional/admin/issues_controller_test.rb
@@ -3,11 +3,8 @@
 # quite a lot is covered by integration test
 class AdminIssuesControllerTest < ActionController::TestCase
   tests Admin::IssuesController
+  with_common :site_with_newsletter
 
-  def setup
-    super
-  end
-
   test "routing" do
     with_options :path_prefix => "/admin/sites/1/newsletters/1/", :site_id => "1", :newsletter_id => "1" do |r|
       r.it_maps :get,    "issues",        :action => 'index'
@@ -19,4 +16,38 @@ def setup
       r.it_maps :delete, "issues/1",      :action => 'destroy', :id => '1'
     end
   end
+
+  def default_params
+    { :site_id => @site.id, :newsletter_id => @newsletter.id }
+  end
+
+  describe "GET :index" do
+    action { get :index, default_params }
+    it_guards_permissions :show, :issue
+  end
+
+  describe "GET :edit" do
+    action { get :edit, default_params.merge(:id => @issue.id) }
+    it_guards_permissions :update, :issue
+  end
+
+  describe "PUT :update" do
+    action { put :update, default_params.merge(:title => "test", :body => "test")}
+    it_guards_permissions :update, :issue
+  end
+
+  describe "GET :new" do
+    action { get :new, default_params }
+    it_guards_permissions :create, :issue
+  end
+
+  describe "POST :create" do
+    action { post :create, default_params.merge(:title => "test", :body => "test")}
+    it_guards_permission :create, :issue
+  end
+
+  describe "DELETE :destroy" do
+    action { delete :destroy, default_params.merge(:id => @issue.id) }
+    it_guards_permission :destroy, :issue
+  end
 end
diff --git a/engines/adva_newsletter/test/functional/admin/newsletters_controller_test.rb b/engines/adva_newsletter/test/functional/admin/newsletters_controller_test.rb
@@ -1,12 +1,9 @@
 require File.expand_path(File.dirname(__FILE__) + "/../../test_helper")
 
-# quite a lot is covered by integration test
+# quite a lot is covered also by integration test
 class AdminNewslettersControllerTest < ActionController::TestCase
   tests Admin::NewslettersController
-
-  def setup
-    super
-  end
+  with_common :site_with_newsletter
 
   test "routing" do
     with_options :path_prefix => "/admin/sites/1/", :site_id => "1" do |r|
@@ -19,4 +16,38 @@ def setup
       r.it_maps :delete, "newsletters/1",      :action => 'destroy', :id => '1'
     end
   end
+
+  def default_params
+    { :site_id => @site.id }
+  end
+
+  describe "GET :index" do
+    action { get :index, default_params }
+    it_guards_permissions :show, :newsletter
+  end
+
+  describe "GET :edit" do
+    action { get :edit, default_params.merge(:id => @newsletter.id) }
+    it_guards_permissions :update, :newsletter
+  end
+
+  describe "PUT :update" do
+    action { put :update, default_params.merge(:title => "test", :desc => "test")}
+    it_guards_permissions :update, :newsletter
+  end
+
+  describe "GET :new" do
+    action { get :new, default_params }
+    it_guards_permissions :create, :newsletter
+  end
+
+  describe "POST :create" do
+    action { post :create, default_params.merge(:title => "test", :desc => "test")}
+    it_guards_permission :create, :newsletter
+  end
+
+  describe "DELETE :destroy" do
+    action { delete :destroy, default_params.merge(:id => @newsletter.id) }
+    it_guards_permission :destroy, :newsletter
+  end
 end