diff --git a/TODO b/TODO
index d20ae869f..dba592043 100644
--- a/TODO
+++ b/TODO
@@ -1,38 +1,5 @@ -[fix] preview of section articles is not displaying article -[fix] section on front end goes to home and not to the correct section -[fix] tags inside double quotes does not show correctly on article edit view - -[fix] comments_controller does not guard permissions -[fix] users_controller does not guard permissions -[fix] admin/wikipages_controller does not guard permissions -[fix] topics_controller does not guard permissions - -[fix] routes for pagination are missing -[fix] separate login and admin/login pages (same thing, different layout) -[fix] currently broken: belongs_to_author: with_deleted => true -[fix] js'ify all dates and use js date format -[fix] adapt has_counter for approved_comments - -[feature] [content] pipe all filtered column results (*_html) through whitelist sanitizer -[feature] [wiki] implement wikipage admin area (analog to articles area) -[feature] [wiki] add various filters to admin wikipage list (like on admin articles list) -[feature] [wiki] make the 'home' wikipage permalink configurable per wiki? -[feature] [comments] add various filters to admin comments list (like on admin articles list) -[feature] [blog] miss tricky says that xml_rpc is a must - -[plugin] pingback plugin -[plugin] comment email notification -[plugin] reverse captcha plugin - -[major] add spam protection for comments and wikipages (look at viking + multiengine branch) -[major] implement search - - -[feature] add before_move and after_move hooks to better_nested_set -[feature] make cacheable_flash behave transparent (do not clear flash after writing it to the cookie) - rational: controller specs should work and controllers behave correctly - not matter if the plugin is installed or not +[fix] separate login and admin/login pages (same thing, different layout) ? [feature] admin section: have an activity center/dashboard where engines can register their widgets (partials) to. 
e.g.: "x comments are awaiting your approval", "Please change your administrator password!" etc. @@ -41,23 +8,16 @@ possible solution: have a section setting "manage categories for this section"? that would even allow to manage categories per Section, but requires to explicitely turn it on. - [theme] microformat everything: hcard, hatom -# broken + missing specs +# missing specs -[specs] spec widgets -[specs] spec and implement admin/wikipage section -[specs] implement themes + theme_file specs -[specs] implement assets specs -[specs] spec registration, login, authentication +[specs] controllers: spec various error conditions like record not found [specs] spec usage of xss_terminate in one place (so that one can easily see which attributes get filtered and which don't) -[specs] controllers: spec various error conditions like record not found -[specs] controllers: simplify specs by circumventing the routing filters - (i.e. use paths like they would be recognized when no filters are - being used) +[specs] spec assets +[specs] spec widgets # resources viking http://github.com/technoweenie/viking/tree/master @@ -69,7 +29,6 @@ apache multisite config http://www.appelsiini.net/2007/6/mephisto-multiple-site- ------------------------------------------------------------------------------ - # users [feature] ajax users online feature? 
@@ -126,12 +85,7 @@ apache multisite config http://www.appelsiini.net/2007/6/mephisto-multiple-site- # themes -[feature] make ActionMailer themeable [enhance] decouple admin interface through using a themeable instead of site -[feature] add drop-in erb- and haml-safemode support, make public controllers use safemode -[feature] use caches_page_with_references or just expire the whole cache dir -[feature] clone pre-installed themes -[enhance] make theme.files.find work without globbing all files [major] add liquid layer (drops + helpers) (?) ยป add an ActionView Liquid template handler? [major] port a simple liquid theme and test it with drops (?) 
@@ -139,53 +93,57 @@ apache multisite config http://www.appelsiini.net/2007/6/mephisto-multiple-site- [major] add attachments for wikipages (are they also in beast?) -# CacheableFlash +# Rails - after_filter won't be called when the filter chain is halted. maybe an - around_filter is a better choice? - - after_filter :write_flash_to_cookie + got bitten by this for the second time now: -# Rails + def caches_page(*actions) + # return unless perform_caching -got bitten by this for the second time now: + page caching is turned off globally + test_1 requires class MyModel caches_page :foo end + no after_filter is added + test_2 turns page caching on and requires class MyModel (which was already loaded, so requiring is skipped) + still no after_filter added so page caching does not kick in -def caches_page(*actions) -# return unless perform_caching + Asset Helpers: apparently they need a server restart to rebuild a cached file when it got deleted -page caching is turned off globally -test_1 requires class MyModel caches_page :foo end -no after_filter is added -test_2 turns page caching on and requires class MyModel (which was already loaded, so requiring is skipped) -still no after_filter added so page caching does not kick in + Currently there's no method to expire compiled templates. + http://pastie.org/private/2vqi8gnfwfepjtb3mz6aa + Lifo says Rails edge makes it easier + Role::Admin.new :object => nil seems to run into SystemStackError with: + class Role belongs_to :object, :polymorphic => true + class Role::Admin < Role + force certain after_filters to be run even if the filter chain has been halted: + :after_filter => :bla, :force => true + section.articles.maximum(:position) returns nil when table is empty. shouldn't that be 0? -Asset Helpers: apparently they need a server restart to rebuild a cached file when it got deleted + ActionController::Base#layout can't be restricted to certain formats, can it? 
(see BlogController + feeds) -There's no method to expire compiled templates. http://pastie.org/private/2vqi8gnfwfepjtb3mz6aa + section.radio_button :type, type (and other helpers) should create an id="section_type_blog" + even when the section is a blog (i.e. that's an STI related bug) -Role::Admin.new :object => nil seems to run into SystemStackError with: - class Role belongs_to :object, :polymorphic => true - class Role::Admin < Role + wikipage routing/controller: change :id to :permalink ... doesn't seem to work with resources + http://dev.rubyonrails.org/ticket/6814 => wontfix + http://archive.jvoorhis.com/articles/2006/08/01/announcing-resource_hacks => seems to break url_helpers + def to_param + "#{username.gsub(/[^a-z0-9]+/i, '-')}" if self.username + end -force certain after_filters to be run even if the filter chain has been halted: - :after_filter => :bla, :force => true +# better_nested_set -section.articles.maximum(:position) returns nil when table is empty. shouldn't that be 0? + add before_move and after_move hooks to better_nested_set -ActionController::Base#layout can't be restricted to certain formats, can it? (see BlogController + feeds) +# cacheable_flash -section.radio_button :type, type (and other helpers) should create an id="section_type_blog" -even when the section is a blog (i.e. that's an STI related bug) + make cacheable_flash behave transparent (do not clear flash after writing it to the cookie) + rational: controller specs should work and controllers behave correctly + not matter if the plugin is installed or not -wikipage routing/controller: change :id to :permalink ... doesn't seem to work with resources - http://dev.rubyonrails.org/ticket/6814 => wontfix - http://archive.jvoorhis.com/articles/2006/08/01/announcing-resource_hacks => seems to break url_helpers - def to_param - "#{username.gsub(/[^a-z0-9]+/i, '-')}" if self.username - end + after_filter won't be called when the filter chain is halted. 
maybe an around_filter is a better choice? # rspec
diff --git a/spec/controllers/sections_controller_spec.rb b/spec/controllers/sections_controller_spec.rb
index 845a9a868..834abf906 100644
--- a/spec/controllers/sections_controller_spec.rb
+++ b/spec/controllers/sections_controller_spec.rb
@@ -12,24 +12,60 @@ end describe "GET to :show" do + before :each do + @article.stub!(:published?).and_return true + end act! { request_to :get, '/sections/1' } it_assigns :section, :article - it_renders_template :show - it_gets_page_cached - - describe "with no article permalink present" do + + describe "with no article permalink given" do + it_renders_template :show + it_gets_page_cached + it "should find the section's primary article" do @section.articles.should_receive(:primary).any_number_of_times.and_return @article act! end end - describe "with an article permalink present" do + describe "with an article permalink given" do act! { request_to :get, '/sections/1/articles/an-article' } + it "should find the section's primary article" do - @section.articles.should_receive(:find_published_by_permalink).any_number_of_times.and_return @article + @section.articles.should_receive(:find_by_permalink).any_number_of_times.and_return @article act! end + + describe "when the article is published" do + it_renders_template :show + it_gets_page_cached + end + + describe "when the article is not published" do + before :each do + @article.stub!(:published?).and_return false + @article.stub!(:role_authorizing).and_return Role.build(:author) + end + + describe "and the user has :update permissions" do + before :each do + controller.stub!(:current_user).and_return stub_model(User, :has_role? => true) + end + + it_renders_template :show + it "skips caching for the rendered page" do + act! + controller.instance_variable_get(:@skip_caching).should be_true + end + end + + describe "and the user does not have :update permissions" do + before :each do + controller.stub!(:current_user).and_return stub_model(User, :has_role? => false) + end + it_redirects_to { 'http://test.host/login' } + end + end end end end
diff --git a/vendor/engines/adva_cms/app/controllers/sections_controller.rb b/vendor/engines/adva_cms/app/controllers/sections_controller.rb
index 0cfef67e4..b508bb676 100644
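Review bot: The `and the user does not have :update permissions` example covers only a signed-in user whose `has_role?` returns false; there is no example for an anonymous visitor (`current_user` returning nil), which is the usual caller of a draft URL and the path a page-cache leak would most affect. An additional `describe` with `controller.stub!(:current_user).and_return nil` and the same `it_redirects_to { 'http://test.host/login' }` expectation would pin that path, and a companion example for a section whose `primary` article is nil would cover the other untested branch of `set_article`. The "skips caching for the rendered page" example asserts on the private `@skip_caching` flag via `instance_variable_get`; if the shared examples provide a negative counterpart of `it_gets_page_cached`, asserting that no page is written would test the observable behaviour instead of an implementation detail. The enclosing `describe` block begins before this hunk.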
--- a/vendor/engines/adva_cms/app/controllers/sections_controller.rb
+++ b/vendor/engines/adva_cms/app/controllers/sections_controller.rb
@@ -1,5 +1,8 @@
 class SectionsController < BaseController
+ include ActionController::GuardsPermissions::InstanceMethods
+ before_filter :set_article
+ before_filter :guard_view_permissions, :only => :show
 caches_page_with_references :show, :track => ['@article']
@@ -13,18 +16,30 @@ def show protected def set_section - @section = params[:id].blank? ? @site.sections.root : @site.sections.find(params[:id]) + @section = params[:section_id].blank? ? @site.sections.root : @site.sections.find(params[:section_id]) raise SectionRoutingError.new("Section must be a Section: #{@section.inspect}") unless @section.is_a? Section end def set_article - @article = if params[:permalink].blank? - @section.articles.primary + if params[:permalink].blank? + @article = @section.articles.primary else - @section.articles.find_published_by_permalink params[:permalink] + @article = @section.articles.find_by_permalink params[:permalink], :include => :author + raise ActiveRecord::RecordNotFound unless @article + end + end + + def guard_view_permissions + unless @article.published? + guard_permission(:update, :article) + @skip_caching = true end end + def current_role_context + @article || @section + end + # experimental ... not sure if that's a good idea, but it would reduce quite # some routes, i.e. even increase performance # def process(*args)
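Review bot: `before_filter :guard_view_permissions, :only => :show` runs `guard_view_permissions` against `@article`, but on the `params[:permalink].blank?` path `set_article` (second hunk of this file) assigns `@section.articles.primary` without the `raise ActiveRecord::RecordNotFound unless @article` check that the permalink branch gets, so an empty section makes `@article.published?` fail with `NoMethodError` (a 500) rather than a 404. Moving `raise ActiveRecord::RecordNotFound unless @article` out of the `else` branch to just after the `if`/`else` block's `end` covers both paths. Because `find_by_permalink` replaces `find_published_by_permalink`, unpublished articles are now loadable and this filter together with `@skip_caching = true` is what keeps a draft out of both the response and the public page cache, assuming `caches_page_with_references` honours `@skip_caching` (not visible here); a comment on `guard_view_permissions` such as `# unpublished articles are shown only to users with :update on the article and are never page-cached` would record that invariant next to the code. The second hunk may extend past the end of this view.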