Don’t let sitepaths reveal that access-controlled items exist, to una…

…uthorized users.
grantneufeld · Jun 11, 2011 · 1168123 · 1168123
1 parent 298a01f
commit 1168123
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/app/controllers/paths_controller.rb b/app/controllers/paths_controller.rb
@@ -30,6 +30,9 @@ def sitepath
       requires_view_authority
       render_path_item(@path.item)
     end
+  rescue Wayground::AccessDenied
+    # don’t reveal to unauthorized users that an item exists if it is access controlled
+    missing
   end
 
   # GET /paths

diff --git a/spec/controllers/paths_controller_spec.rb b/spec/controllers/paths_controller_spec.rb
@@ -65,6 +65,19 @@ def mock_path(stubs={})
       get :sitepath, {:url => path.sitepath}
       response.status.should eq 501
     end
+    it "shows the 404 missing error if the Path’s item requires authority to view" do
+      page = Factory.create(:page, {:is_authority_controlled => true})
+      path = Factory.create(:path, {:item => page})
+      get :sitepath, {:url => path.sitepath}
+      response.status.should eq 404
+    end
+    it "allows an authorized user to access an authority controlled item" do
+      set_logged_in_admin
+      page = Factory.create(:page, {:is_authority_controlled => true})
+      path = Factory.create(:path, {:item => page})
+      get :sitepath, {:url => path.sitepath}
+      response.status.should eq 200
+    end
   end
 
   describe "GET index" do