Commit 3ac7b58711da016dc6ed4720f2a63d20906823ba
Committed by
Rodrigo Souto
Rodrigo Souto
1 parent
c48222e1
Exists in
master
and in
12 other branches
Allow edition of raw html blocks only by admin users
Signed-off-by: Lucas Kanashiro <kanashiro.duarte@gmail.com> Signed-off-by: Gustavo Jaruga <darksshades@gmail.com>
Showing
11 changed files
with
55 additions
and
6 deletions
Show diff stats
app/controllers/box_organizer_controller.rb
| ... | ... | @@ -83,6 +83,7 @@ class BoxOrganizerController < ApplicationController |
| 83 | 83 | |
| 84 | 84 | def save |
| 85 | 85 | @block = boxes_holder.blocks.find(params[:id]) |
| 86 | + return render_access_denied unless @block.editable?(user) | |
| 86 | 87 | @block.update(params[:block]) |
| 87 | 88 | redirect_to :action => 'index' |
| 88 | 89 | end | ... | ... |
app/helpers/boxes_helper.rb
| ... | ... | @@ -250,7 +250,7 @@ module BoxesHelper |
| 250 | 250 | end |
| 251 | 251 | end |
| 252 | 252 | |
| 253 | - if editable?(block) | |
| 253 | + if editable?(block, user) | |
| 254 | 254 | buttons << modal_icon_button(:edit, _('Edit'), { :action => 'edit', :id => block.id }) |
| 255 | 255 | end |
| 256 | 256 | |
| ... | ... | @@ -296,7 +296,7 @@ module BoxesHelper |
| 296 | 296 | return block.movable? || user.is_admin? |
| 297 | 297 | end |
| 298 | 298 | |
| 299 | - def editable?(block) | |
| 300 | - return block.editable? || user.is_admin? | |
| 299 | + def editable?(block, user=nil) | |
| 300 | + return block.editable?(user) || user.is_admin? | |
| 301 | 301 | end |
| 302 | 302 | end | ... | ... |
app/models/block.rb
| ... | ... | @@ -195,8 +195,8 @@ class Block < ActiveRecord::Base |
| 195 | 195 | nil |
| 196 | 196 | end |
| 197 | 197 | |
| 198 | - # Is this block editable? (Default to <tt>false</tt>) | |
| 199 | - def editable? | |
| 198 | + # Is this block editable? (Default to <tt>true</tt>) | |
| 199 | + def editable?(user=nil) | |
| 200 | 200 | self.edit_modes == "all" |
| 201 | 201 | end |
| 202 | 202 | ... | ... |
app/models/disabled_enterprise_message_block.rb
app/models/environment.rb
| ... | ... | @@ -54,6 +54,7 @@ class Environment < ActiveRecord::Base |
| 54 | 54 | 'manage_environment_licenses' => N_('Manage environment licenses'), |
| 55 | 55 | 'manage_environment_trusted_sites' => N_('Manage environment trusted sites'), |
| 56 | 56 | 'edit_appearance' => N_('Edit appearance'), |
| 57 | + 'edit_raw_html_block' => N_('Edit Raw HTML block'), | |
| 57 | 58 | } |
| 58 | 59 | |
| 59 | 60 | module Roles | ... | ... |
app/models/raw_html_block.rb
db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb
0 → 100644
| ... | ... | @@ -0,0 +1,17 @@ |
| 1 | +class AddEditRawHtmlBlockToAdminRole < ActiveRecord::Migration | |
| 2 | + def self.up | |
| 3 | + Environment.all.map(&:id).each do |id| | |
| 4 | + role = Environment::Roles.admin(id) | |
| 5 | + role.permissions << 'edit_raw_html_block' | |
| 6 | + role.save! | |
| 7 | + end | |
| 8 | + end | |
| 9 | + | |
| 10 | + def self.down | |
| 11 | + Environment.all.map(&:id).each do |id| | |
| 12 | + role = Environment::Roles.admin(id) | |
| 13 | + role.permissions -= ['edit_raw_html_block'] | |
| 14 | + role.save! | |
| 15 | + end | |
| 16 | + end | |
| 17 | +end | ... | ... |
test/fixtures/roles.yml
test/functional/profile_design_controller_test.rb
| ... | ... | @@ -311,6 +311,12 @@ class ProfileDesignControllerTest < ActionController::TestCase |
| 311 | 311 | assert_equal 999, @b1.article_id |
| 312 | 312 | end |
| 313 | 313 | |
| 314 | + should 'not be able to save a non editable block' do | |
| 315 | + Block.any_instance.expects(:editable?).returns(false) | |
| 316 | + post :save, :profile => 'designtestuser', :id => @b1.id, :block => { } | |
| 317 | + assert_response :forbidden | |
| 318 | + end | |
| 319 | + | |
| 314 | 320 | should 'be able to edit ProductsBlock' do |
| 315 | 321 | block = ProductsBlock.new |
| 316 | 322 | ... | ... |
test/unit/boxes_helper_test.rb
| ... | ... | @@ -187,6 +187,7 @@ class BoxesHelperTest < ActionView::TestCase |
| 187 | 187 | block = Block.create!(:box => box) |
| 188 | 188 | block.stubs(:embedable?).returns(true) |
| 189 | 189 | stubs(:url_for).returns('') |
| 190 | + @controller.stubs(:user).returns(box.owner) | |
| 190 | 191 | assert_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '} |
| 191 | 192 | end |
| 192 | 193 | |
| ... | ... | @@ -195,6 +196,7 @@ class BoxesHelperTest < ActionView::TestCase |
| 195 | 196 | block = Block.create!(:box => box) |
| 196 | 197 | block.stubs(:embedable?).returns(false) |
| 197 | 198 | stubs(:url_for).returns('') |
| 199 | + @controller.stubs(:user).returns(box.owner) | |
| 198 | 200 | assert_no_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '} |
| 199 | 201 | end |
| 200 | 202 | ... | ... |
test/unit/raw_html_block_test.rb
| ... | ... | @@ -22,4 +22,20 @@ class RawHTMLBlockTest < ActiveSupport::TestCase |
| 22 | 22 | assert_match(/HTML$/, block.content) |
| 23 | 23 | end |
| 24 | 24 | |
| 25 | + should 'not be editable for users without permission' do | |
| 26 | + environment = Environment.default | |
| 27 | + box = Box.new(:owner => environment) | |
| 28 | + block = RawHTMLBlock.new(:html => "HTML", :box => box) | |
| 29 | + user = create_user('testuser').person | |
| 30 | + assert !block.editable?(user) | |
| 31 | + end | |
| 32 | + | |
| 33 | + should 'be editable for users with permission' do | |
| 34 | + environment = Environment.default | |
| 35 | + box = Box.new(:owner => environment) | |
| 36 | + block = RawHTMLBlock.new(:html => "HTML", :box => box) | |
| 37 | + user = create_user_with_permission('testuser', 'edit_raw_html_block', environment) | |
| 38 | + assert block.editable?(user) | |
| 39 | + end | |
| 40 | + | |
| 25 | 41 | end | ... | ... |