failing cuke for files in private convs

A random user in the project can see files from private conversations he
can't see. #FAIL
1 parent 3a84784 commit 4016e59e6e65ab677c2bafde8fb4dbb1fdd55f5b @jrom jrom committed Sep 8, 2011
@@ -7,9 +7,11 @@ Feature: Creating a private conversation
| pablo | pablo@teambox.com | Pablo | Villalba |
| jordi | jordi@teambox.com | Jordi | Romero |
| enric | enric@teambox.com | Enric | Lluelles |
- Given a project with users @mislav, @pablo, @jordi and @enric
+ And a project exists with name: "Ruby Rockstars"
+ And @mislav exists and is logged in
+ And I am in the project called "Ruby Rockstars"
And "mislav" is an administrator in the project
- And I am logged in as @mislav
+ And @pablo, @jordi and @enric is currently in the project "Ruby Rockstars"
Scenario: All conversations are private
Given @pablo started a private conversation named "Roflcopter"
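Review bot: the Background is now order-dependent. `And I am in the project called "Ruby Rockstars"` adds `@current_user` to the project, so it only works because `And @mislav exists and is logged in` comes directly before it. A short comment above these steps saying the login step must precede the project step would keep a later reorder from breaking the feature. Also confirm that the step behind `@pablo, @jordi and @enric is currently in the project` accepts a list of users, since its definition is not part of this commit.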
@@ -111,3 +113,12 @@ Feature: Creating a private conversation
When I go to the project page
Then I should not see "fire Jordi"
+ Scenario: Files in private conversations are private
+ Given @jordi started a private conversation named "Look at this private document @mislav can't see" in the "Ruby Rockstars" project with an attached file
+ And @mislav started a private conversation named "Look at this other private document" in the "Ruby Rockstars" project with an attached file
+ And I go to the conversations page
+ Then I should see "Look at this other private document"
+ And I go to the uploads page
+ Then I should see "Private document at Look at this other private document"
+ Then I should not see "Private document at Look at this private document"
+
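Review bot: the negative assertion that closes the new scenario only covers the uploads page as seen by @mislav, whom the Background makes a project administrator, while the commit message describes a random user in the project. Consider a second scenario logged in as a non-admin member such as @enric, asserting what that user sees on the uploads page. The last two steps also both start with `Then`; the second reads better as `And I should not see ...`.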
@@ -17,10 +17,17 @@
Factory(:conversation, :user => @current_user, :project => (project_name ? Project.find_by_name(project_name) : @current_project), :name => nil, :simple => true)
end
-Given /^(@.+) started a (p[a-z]+ )?conversation named "([^\"]+)"(?: in the "([^\"]*)" project)?$/ do |user_name, priv_type, conversation_name, project_name|
+Given /^(@.+) started a (p[a-z]+ )?conversation named "([^\"]+)"(?: in the "([^\"]*)" project)?(?: with an attached (file))?$/ do |user_name, priv_type, conversation_name, project_name, file|
is_private = (priv_type||'').strip == 'private'
+ project = (project_name ? Project.find_by_name(project_name): @current_project)
user = User.find_by_login(user_name.gsub('@',''))
- Factory(:conversation, :user => user, :is_private => is_private, :project => (project_name ? Project.find_by_name(project_name) : @current_project), :name => conversation_name)
+ conversation = Factory(:conversation, :user => user, :is_private => is_private, :project => project, :name => conversation_name)
+ if file
+ upload = Factory :upload, :user => user, :project => project, :asset_file_name => "#{is_private ? "Private" : "Normal"} document at #{conversation_name}.png"
+ comment = conversation.comments.last
+ comment.uploads << upload
+ comment.save!
+ end
end
Given /^the conversation "([^\"]+)" is watched by (@.+)$/ do |name, users|
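Review bot: in the `if file` branch, `comment = conversation.comments.last` assumes the `:conversation` factory has already created a comment. If it has not, `comment` is nil and `comment.uploads << upload` fails with a NoMethodError that hides the real reason the scenario broke. Raise a descriptive error when `comment` is nil, or create the comment explicitly in the step. Smaller points: the upload carries nothing tied to `is_private` other than its file name, so a comment saying privacy is expected to come from the parent conversation would help, and `Project.find_by_name(project_name): @current_project` is missing the space before the colon.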
@@ -65,8 +65,8 @@
Given /I am in the project called "([^\"]*)"$/ do |name|
Given %(there is a project called "#{name}")
- project = Project.find_by_name(name)
- project.add_user(@current_user)
+ @current_project = Project.find_by_name(name)
+ @current_project.add_user(@current_user)
end
Given /I am a commenter in the project called "([^\"]*)"$/ do |name|
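Review bot: `I am in the project called` now assigns `@current_project` as a side effect, and the conversation steps fall back to `@current_project` when no project name is given, so calling this step for a second project in the same scenario silently redirects those later steps. Either document that in a comment above the step or assign `@current_project` only when it is not yet set, depending on which behaviour is intended.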
