resource_read should 404 with wrong params

When resource read is called with wrong params, it can be manipulated to
show that a resource belongs to the wrong package causing to overall
confusion.

ckan/controllers/package.py

@@ -1180,6 +1180,9 @@ def resource_read(self, id, resource_id):
             c.resource = get_action('resource_show')(context,
                                                      {'id': resource_id})
             c.package = get_action('package_show')(context, {'id': id})
+            if (c.resource['id'] not in [x['id'] for x in
+                    c.package.get('resources')]):
+                abort(404, _('Resource not found'))
             # required for nav menu
             c.pkg = context['package']
             c.pkg_dict = c.package

ckan/new_tests/controllers/__init__.py

@@ -51,3 +51,14 @@
    code's behavior into a test harness before it can be safely refactored.
 
 '''
+from pylons.test import pylonsapp
+import paste.fixture
+
+
+class WsgiAppCase(object):
+    wsgiapp = pylonsapp
+    assert wsgiapp, 'You need to run nose with --with-pylons'
+    # Either that, or this file got imported somehow before the tests started
+    # running, meaning the pylonsapp wasn't setup yet (which is done in
+    # pylons.test.py:begin())
+    app = paste.fixture.TestApp(wsgiapp)

ckan/new_tests/controllers/test_package.py

@@ -0,0 +1,41 @@
+from nose.tools import assert_equal
+from routes import url_for as url_for
+
+from ckan.new_tests.controllers import WsgiAppCase
+import ckan.new_tests.factories as factories
+import ckan.new_tests.helpers as helpers
+import ckan.lib.search as search
+
+
+class TestResourceRead(WsgiAppCase):
+
+    @classmethod
+    def setup_class(cls):
+        helpers.reset_db()
+
+    def setup(self):
+        import ckan.model as model
+
+        # Reset the db before each test method.
+        model.repo.rebuild_db()
+
+        # Clear the search index
+        search.clear()
+
+    def test_existing_resource_with_associated_package(self):
+        new_package = factories.Dataset()
+        resource = factories.Resource(package_id=new_package['id'])
+        response = self.app.get(
+            url=url_for(controller='package', action='resource_read',
+            id=new_package['id'], resource_id=resource['id']),
+            status=200,
+        )
+
+    def test_existing_resource_with_package_not_associated(self):
+        new_package = factories.Dataset()
+        resource = factories.Resource()
+        response = self.app.get(
+            url=url_for(controller='package', action='resource_read',
+            id=new_package['id'], resource_id=resource['id']),
+            status=404,
+        )

ckan/new_tests/controllers/test_util.py

@@ -1,19 +1,7 @@
 from nose.tools import assert_equal
-from pylons.test import pylonsapp
-import paste.fixture
 
 from routes import url_for as url_for
-
-
-# This is stolen from the old tests and should probably go in __init__.py
-# if it is what we want.
-class WsgiAppCase(object):
-    wsgiapp = pylonsapp
-    assert wsgiapp, 'You need to run nose with --with-pylons'
-    # Either that, or this file got imported somehow before the tests started
-    # running, meaning the pylonsapp wasn't setup yet (which is done in
-    # pylons.test.py:begin())
-    app = paste.fixture.TestApp(wsgiapp)
+from ckan.new_tests.controllers import WsgiAppCase
 
 
 class TestUtil(WsgiAppCase):