[webui] test and fix permission handling in patchinfo editor in anony…

…mous mode
openSUSE · Jan 30, 2014 · c806971 · c806971
1 parent 95eaa73
commit c806971
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/src/api/app/controllers/webui/patchinfo_controller.rb b/src/api/app/controllers/webui/patchinfo_controller.rb
@@ -228,6 +228,9 @@ def save
         @block_reason = params[:block_reason]
         render :action => 'edit_patchinfo', :project => @project, :package => @package
       end
+    rescue ActiveXML::Transport::UnauthorizedError
+      flash[:error] = 'Unauthorized Access'
+      redirect_to :action => 'show', :project => @project.name, :package => @package.name
     rescue ActiveXML::Transport::ForbiddenError
       flash[:error] = 'No permission to edit the patchinfo-file.'
       redirect_to :action => 'show', :project => @project.name, :package => @package.name

diff --git a/src/api/test/functional/webui/patchinfo_create_test.rb b/src/api/test/functional/webui/patchinfo_create_test.rb
@@ -113,6 +113,9 @@ def create_patchinfo new_patchinfo
     elsif new_patchinfo[:expect] == :short_desc_and_sum
       flash_message.must_equal "|| Summary is too short (should have more than 10 signs) || Description is too short (should have more than 50 signs and longer than summary)"
       flash_message_type.must_equal :alert
+    elsif new_patchinfo[:expect] == :no_login
+      flash_message.must_equal "Unauthorized Access"
+      flash_message_type.must_equal :alert
     elsif new_patchinfo[:expect] == :no_permission
       flash_message.must_equal "No permission to edit the patchinfo-file."
       flash_message_type.must_equal :alert
@@ -139,7 +142,7 @@ def delete_patchinfo project
       :rating => "low")
 
     # check that the patchinfo is not editable for unauthorized users per buttons
-    logout
+    login_adrian
     visit patchinfo_show_path(project: "home:Iggy", package: "patchinfo")
     page.wont_have_content("Edit patchinfo")
     page.wont_have_content("Delete patchinfo")
@@ -152,6 +155,21 @@ def delete_patchinfo project
       :category => "recommended",
       :rating => "low",
       :expect => :no_permission)    
+
+    # check that the patchinfo is not editable for anonymous user per buttons
+    logout
+    visit patchinfo_show_path(project: "home:Iggy", package: "patchinfo")
+    page.wont_have_content("Edit patchinfo")
+    page.wont_have_content("Delete patchinfo")
+
+    # check that the patchinfo is not editable per direct url for unauthorized users
+    visit patchinfo_edit_patchinfo_path(project: "home:Iggy", package: "patchinfo")
+    create_patchinfo(
+      :summary => "This is a test for the patchinfoeditor",
+      :description => LONG_DESCRIPTION,
+      :category => "recommended",
+      :rating => "low",
+      :expect => :no_login)    
     login_Iggy    
     delete_patchinfo('home:Iggy')
   end