Commit 3ac7b58711da016dc6ed4720f2a63d20906823ba
Committed by
Rodrigo Souto
1 parent
c48222e1
Exists in
master
and in
12 other branches
Allow edition of raw html blocks only by admin users
Signed-off-by: Lucas Kanashiro <kanashiro.duarte@gmail.com> Signed-off-by: Gustavo Jaruga <darksshades@gmail.com>
Showing
11 changed files
with
55 additions
and
6 deletions
Show diff stats
app/controllers/box_organizer_controller.rb
... | ... | @@ -83,6 +83,7 @@ class BoxOrganizerController < ApplicationController |
83 | 83 | |
84 | 84 | def save |
85 | 85 | @block = boxes_holder.blocks.find(params[:id]) |
86 | + return render_access_denied unless @block.editable?(user) | |
86 | 87 | @block.update(params[:block]) |
87 | 88 | redirect_to :action => 'index' |
88 | 89 | end | ... | ... |
app/helpers/boxes_helper.rb
... | ... | @@ -250,7 +250,7 @@ module BoxesHelper |
250 | 250 | end |
251 | 251 | end |
252 | 252 | |
253 | - if editable?(block) | |
253 | + if editable?(block, user) | |
254 | 254 | buttons << modal_icon_button(:edit, _('Edit'), { :action => 'edit', :id => block.id }) |
255 | 255 | end |
256 | 256 | |
... | ... | @@ -296,7 +296,7 @@ module BoxesHelper |
296 | 296 | return block.movable? || user.is_admin? |
297 | 297 | end |
298 | 298 | |
299 | - def editable?(block) | |
300 | - return block.editable? || user.is_admin? | |
299 | + def editable?(block, user=nil) | |
300 | + return block.editable?(user) || user.is_admin? | |
301 | 301 | end |
302 | 302 | end | ... | ... |
app/models/block.rb
... | ... | @@ -195,8 +195,8 @@ class Block < ActiveRecord::Base |
195 | 195 | nil |
196 | 196 | end |
197 | 197 | |
198 | - # Is this block editable? (Default to <tt>false</tt>) | |
199 | - def editable? | |
198 | + # Is this block editable? (Default to <tt>true</tt>) | |
199 | + def editable?(user=nil) | |
200 | 200 | self.edit_modes == "all" |
201 | 201 | end |
202 | 202 | ... | ... |
app/models/disabled_enterprise_message_block.rb
app/models/environment.rb
... | ... | @@ -54,6 +54,7 @@ class Environment < ActiveRecord::Base |
54 | 54 | 'manage_environment_licenses' => N_('Manage environment licenses'), |
55 | 55 | 'manage_environment_trusted_sites' => N_('Manage environment trusted sites'), |
56 | 56 | 'edit_appearance' => N_('Edit appearance'), |
57 | + 'edit_raw_html_block' => N_('Edit Raw HTML block'), | |
57 | 58 | } |
58 | 59 | |
59 | 60 | module Roles | ... | ... |
app/models/raw_html_block.rb
db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb
0 → 100644
... | ... | @@ -0,0 +1,17 @@ |
1 | +class AddEditRawHtmlBlockToAdminRole < ActiveRecord::Migration | |
2 | + def self.up | |
3 | + Environment.all.map(&:id).each do |id| | |
4 | + role = Environment::Roles.admin(id) | |
5 | + role.permissions << 'edit_raw_html_block' | |
6 | + role.save! | |
7 | + end | |
8 | + end | |
9 | + | |
10 | + def self.down | |
11 | + Environment.all.map(&:id).each do |id| | |
12 | + role = Environment::Roles.admin(id) | |
13 | + role.permissions -= ['edit_raw_html_block'] | |
14 | + role.save! | |
15 | + end | |
16 | + end | |
17 | +end | ... | ... |
test/fixtures/roles.yml
test/functional/profile_design_controller_test.rb
... | ... | @@ -311,6 +311,12 @@ class ProfileDesignControllerTest < ActionController::TestCase |
311 | 311 | assert_equal 999, @b1.article_id |
312 | 312 | end |
313 | 313 | |
314 | + should 'not be able to save a non editable block' do | |
315 | + Block.any_instance.expects(:editable?).returns(false) | |
316 | + post :save, :profile => 'designtestuser', :id => @b1.id, :block => { } | |
317 | + assert_response :forbidden | |
318 | + end | |
319 | + | |
314 | 320 | should 'be able to edit ProductsBlock' do |
315 | 321 | block = ProductsBlock.new |
316 | 322 | ... | ... |
test/unit/boxes_helper_test.rb
... | ... | @@ -187,6 +187,7 @@ class BoxesHelperTest < ActionView::TestCase |
187 | 187 | block = Block.create!(:box => box) |
188 | 188 | block.stubs(:embedable?).returns(true) |
189 | 189 | stubs(:url_for).returns('') |
190 | + @controller.stubs(:user).returns(box.owner) | |
190 | 191 | assert_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '} |
191 | 192 | end |
192 | 193 | |
... | ... | @@ -195,6 +196,7 @@ class BoxesHelperTest < ActionView::TestCase |
195 | 196 | block = Block.create!(:box => box) |
196 | 197 | block.stubs(:embedable?).returns(false) |
197 | 198 | stubs(:url_for).returns('') |
199 | + @controller.stubs(:user).returns(box.owner) | |
198 | 200 | assert_no_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '} |
199 | 201 | end |
200 | 202 | ... | ... |
test/unit/raw_html_block_test.rb
... | ... | @@ -22,4 +22,20 @@ class RawHTMLBlockTest < ActiveSupport::TestCase |
22 | 22 | assert_match(/HTML$/, block.content) |
23 | 23 | end |
24 | 24 | |
25 | + should 'not be editable for users without permission' do | |
26 | + environment = Environment.default | |
27 | + box = Box.new(:owner => environment) | |
28 | + block = RawHTMLBlock.new(:html => "HTML", :box => box) | |
29 | + user = create_user('testuser').person | |
30 | + assert !block.editable?(user) | |
31 | + end | |
32 | + | |
33 | + should 'be editable for users with permission' do | |
34 | + environment = Environment.default | |
35 | + box = Box.new(:owner => environment) | |
36 | + block = RawHTMLBlock.new(:html => "HTML", :box => box) | |
37 | + user = create_user_with_permission('testuser', 'edit_raw_html_block', environment) | |
38 | + assert block.editable?(user) | |
39 | + end | |
40 | + | |
25 | 41 | end | ... | ... |