[webui][api] moved field checks to controller, updated test functions…

… and some more refactoring.
openSUSE · Aug 19, 2013 · 2ded339 · 2ded339
1 parent f0b4f01
commit 2ded339
Show file tree

Hide file tree

Showing 10 changed files with 107 additions and 79 deletions.
diff --git a/src/api/app/controllers/webui/comments_controller.rb b/src/api/app/controllers/webui/comments_controller.rb
@@ -1,7 +1,17 @@
 class Webui::CommentsController < Webui::BaseController
 	class NotFoundObjectError < APIException
 	 setup 'not_found', 404, "Not found"
-	end 
+	end
+	class CommentNoDataEntered < APIException
+		setup 'comment_no_data_entered', 403, "No data Entered"
+	end
+	class CommentNoUserFound < APIException
+		setup 'comment_no_user_found', 403, "No user found"
+	end
+	class CommentNoPermission < APIException
+		setup "comment_no_permission_error"
+	end
+
 	def packages
 		package = Package.get_by_project_and_name(params[:project] , params[:package])
 		if package.blank?
@@ -23,49 +33,117 @@ def requests
 	end
 
 	def packages_new
+		required_parameters :body, :user, :project, :package
+		required_parameters :title if !params[:parent_id]
+		require_fields(params)
+		require_title(params)
+		permission_check!(params)
+
 		CommentPackage.save(params)
 		render_ok
 	end
 
 	def projects_new
+		required_parameters :body, :user, :project
+		required_parameters :title if !params[:parent_id]
+		require_fields(params)
+		require_title(params)
+		permission_check!(params)
+
 		CommentProject.save(params)
 		render_ok
 	end
 
 	def requests_new
+		required_parameters :body, :user, :id
+		required_parameters :title if !params[:parent_id]
+		require_fields(params)
+		require_title(params)
+		permission_check!(params)
+
 		CommentRequest.save(params)
 		render_ok
 	end
 
 	def projects_edit
+		required_parameters :project, :comment_id, :body
+		require_fields(params)
+		permission_check!(params)
+
 		CommentProject.edit(params)
 		render_ok
 	end
 
 	def packages_edit
+		required_parameters :project, :package, :comment_id, :body
+		require_fields(params)
+		permission_check!(params)
+
 		CommentPackage.edit(params)
 		render_ok
 	end
 
 	def requests_edit
+		required_parameters :body, :comment_id, :id
+		require_fields(params)
+		permission_check!(params)
+
 		CommentRequest.edit(params)
 		render_ok
 	end
 
 	def projects_delete
+		delete_action_check(params)
+		permission_check!(params)
+
 		CommentProject.delete(params)
 		render_ok
 	end
 
 	def packages_delete
+		delete_action_check(params)
+		permission_check!(params)
+
 		CommentPackage.delete(params)
 		render_ok
 	end
 
 	def requests_delete
+		delete_action_check(params)
+		permission_check!(params)
+
 		CommentRequest.delete(params)
 		render_ok
 	end
 
+	private
+	def require_fields(params)
+		if params[:body].blank?
+			raise CommentNoDataEntered.new "You didn't add a body to the comment."
+		elsif params[:user].blank?
+			raise CommentNoUserFound.new "No user found. Sign in before continuing."
+		end
+	end
+
+	def require_title(params)
+		if !params[:parent_id] && params[:title].blank?
+			raise CommentNoDataEntered.new "You didnt add a title to the comment."
+		end
+	end
+
+	def delete_action_check(params)
+		required_parameters :user, :comment_id
+		params[:body] = "Comment deleted."
+		require_fields(params)
+	end
+
+	def permission_check!(params)
+		package = Package.get_by_project_and_name(params[:project], params[:package]) if params[:package]    
+		project = Project.get_by_name(params[:project]) if params[:project]
+		user = User.new
 
-end
+		unless @http_user.login == params[:user] || @http_user.is_admin? || user.has_local_permission?("change_project", project) || user.has_local_permission?("change_package", package)
+			raise CommentNoPermission.new, "You don't have the permissions to modify the content."
+		end
+	end
+end
diff --git a/src/api/app/models/comment.rb b/src/api/app/models/comment.rb
@@ -3,52 +3,19 @@ class Comment < ActiveRecord::Base
   belongs_to :package
   belongs_to :bs_request
 
-  class CommentNoDataEntered < APIException
-    setup 'comment_no_data_entered', 403, "No data Entered"
-  end
-  class CommentNoUserFound < APIException
-    setup 'comment_no_user_found', 403, "No user found"
-  end
-  class CommentWritePermissionError < APIException
-    setup "comment_write_permission_error"
-  end
-
-  def self.fields_check!(params)
-    if params[:body].blank?
-      raise CommentNoDataEntered.new "You didn't add a body to the comment." 
-    elsif params[:user].blank?
-      raise CommentNoUserFound.new "No user found. Sign in before continuing."
-    end
-  end
-
-  def self.permission_check!(params)
-    unless User.current.login == params[:user] || User.current.is_admin? || @object_permission_check
-      raise CommentWritePermissionError, "You don't have the permissions to modify the content."
-    end
-    fields_check!(params)
-  end
-
   def self.save(params)
     @comment = {}
   	@comment['title'] 	= params[:title]
   	@comment['body'] = params[:body]
   	@comment['user'] = params[:user]
   	@comment['parent_id'] = params[:parent_id] if params[:parent_id]
-
-    fields_check!(params)
-    if !params[:parent_id] && params[:title].blank?
-      raise CommentNoDataEntered.new "You didn't add a title to the comment." 
-    end
   end
 
   def self.edit(params)
-    permission_check!(params)
     self.update(params[:comment_id],:body => params[:body])
   end
 
   def self.delete(params)
-    params[:body] = "Comment deleted."
-    permission_check!(params)
     self.update(params[:comment_id],:body => params[:body] , :user => params[:user])
   end
 

diff --git a/src/api/app/models/comment_package.rb b/src/api/app/models/comment_package.rb
@@ -5,10 +5,4 @@ def self.save(params)
 		@comment['package_id'] = package.id
 		CommentPackage.create(@comment)
 	end
-
-	def self.permission_check!(params)
-		package = Package.get_by_project_and_name(params[:project], params[:package])
-		@object_permission_check = User.current.can_modify_package?(package)
-		super
-	end
 end
diff --git a/src/api/app/models/comment_project.rb b/src/api/app/models/comment_project.rb
@@ -6,10 +6,4 @@ def self.save(params)
 		@comment['project_id'] = project.id
 		CommentProject.create(@comment)
 	end
-
-	def self.permission_check!(params)
-		project = Project.get_by_name(params[:project])
-		@object_permission_check = User.current.can_modify_project?(project)	
-		super
-	end
 end
diff --git a/src/api/test/functional/comments_controller_test.rb b/src/api/test/functional/comments_controller_test.rb
@@ -14,15 +14,15 @@ def test_show_and_post_comments_on_project
     assert_response :success
 
     # testing empty comments
-    post "/webui/comments/project/BaseDistro/new", {:project => "BaseDistro", :title => "This is a title", :user => "Admin"}
+    post "/webui/comments/project/BaseDistro/new", {:project => "BaseDistro", :title => "This is a title", :body => "", :user => "Admin"}
     assert_response 403
 
     # counter test
     get "/webui/comments/project/BaseDistro"
     assert_response :success
 
     post "/webui/comments/project/BaseDistro/new", {:project => "BaseDistro", :title => "This is a title"}
-    assert_response 403
+    assert_response 400
   end
 
   def test_update_permissions_for_comments_on_project

diff --git a/src/webui/app/controllers/package_controller.rb b/src/webui/app/controllers/package_controller.rb
@@ -1114,7 +1114,7 @@ def save_comments
   end
 
   def edit_comments
-    required_parameters :project, :package, :comment_id
+    required_parameters :project, :package, :comment_id, :body
     begin
       unless params[:update] == 'true'
         params[:project] = @project.name

diff --git a/src/webui/app/controllers/request_controller.rb b/src/webui/app/controllers/request_controller.rb
@@ -288,22 +288,23 @@ def set_incident
     end
     redirect_to :controller => :request, :action => "show", :id => params[:id]
   end
-
-
   def comments
-    # avoiding display of comment section for unnecessary request ids
     begin
-      @req = ApiDetails.read(:request, params[:id])
-    rescue ApiDetails::NotFoundError
-      flash[:error] = "Can't find request #{params[:id]}"
-      redirect_back_or_to :controller => "home", :action => "requests" and return
-    end
-
-    unless params[:reply] == 'true'
-      @comment = ApiDetails.read(:comments_by_request, params[:id])
-      @comments_as_thread = sort_comments(@comment)
-    else
-      render_dialog
+      # avoiding display of comment section for unnecessary request ids
+      begin
+        @req = ApiDetails.read(:request, params[:id])
+      rescue ApiDetails::NotFoundError
+        flash[:error] = "Can't find request #{params[:id]}"
+        redirect_back_or_to :controller => "home", :action => "requests" and return
+      end
+      unless params[:reply] == 'true'
+        @comment = ApiDetails.read(:comments_by_request, params[:id])
+        @comments_as_thread = sort_comments(@comment)
+      else
+        render_dialog
+      end
+    rescue ActiveXML::Transport::Error => e
+      render :text => e.summary, :status => 404, :content_type => "text/plain"
     end
   end
 
@@ -328,7 +329,7 @@ def save_comments
   end
 
   def edit_comments
-    required_parameters :id, :comment_id
+    required_parameters :id, :comment_id, :body
     begin
       unless params[:update] == 'true'
         params[:request_id] = params[:id]

diff --git a/src/webui/app/views/shared/_comment_links.html.erb b/src/webui/app/views/shared/_comment_links.html.erb
@@ -1,9 +1,10 @@
 <%= link_to("Reply", {:controller => params[:controller], :action => 'save_comments', :parent_id => comment[:id], :reply => 'true' }, :remote => true, :class => 'comment_links') %>  
 
-<%if @user.login == comment[:user]%>
-   <%= link_to("Edit", {:controller => params[:controller], :action => 'edit_comments', :comment_id => comment[:id], :update => 'true'}, :remote => true, :class => 'comment_links') %>
-<%end%>
-
-<% if @permission_check || @user.is_admin? || @user.login == comment[:user]%>
-<%= link_to("Delete", {:controller => params[:controller], :action => 'delete_comments', :comment_id => comment[:id], :user => comment[:user]}, :class => "comment_links") %>
+<%if @user %>
+	<%if @user.login == comment[:user]%>
+		<%= link_to("Edit", {:controller => params[:controller], :action => 'edit_comments', :comment_id => comment[:id], :update => 'true'}, :remote => true, :class => 'comment_links') %>
+	<%end%>
+	<% if @permission_check || @user.is_admin? || @user.login == comment[:user]%>
+		<%= link_to("Delete", {:controller => params[:controller], :action => 'delete_comments', :comment_id => comment[:id], :user => comment[:user]}, :class => "comment_links") %>
+	<%end%> 
 <%end%> 
diff --git a/src/webui/app/views/shared/_new_comment.html.erb b/src/webui/app/views/shared/_new_comment.html.erb
@@ -3,7 +3,7 @@
 	<%= form_tag :controller => params[:controller], :action => "save_comments" do %>
 		<p>
   			<strong>Title:</strong><br/>
-  			<%= text_field_tag 'title', @title%><br/>
+  			<%= text_field_tag 'title',@titlee%><br/>
  			 <strong>Body:</strong><br/>
   			<%= text_area_tag 'body', @body, :cols => 80, :rows => 10 %><br/>
   			<%= hidden_field_tag 'user', session[:login] %>

diff --git a/src/webui/test/functional/request_controller_test.rb b/src/webui/test/functional/request_controller_test.rb
@@ -151,11 +151,4 @@ def test_my_involved_requests
     # diff is expanded
     page.must_have_text "+DummyContent"
   end
-
-  test "comment creation without login" do
-    logout
-    visit "/request/comments/1000"
-    find_button("Add comment").click
-    find('#flash-messages').must_have_text "Please login to access the requested page."
-  end
 end