Merge pull request #3752 from riking/patch-6

FIX: Give 403 for deleted topics, +lots of tests
This commit is contained in:
Robin Ward 2015-09-11 12:11:04 -04:00
commit f767a6147d
4 changed files with 123 additions and 4 deletions

View File

@ -41,7 +41,7 @@ cache:
before_install:
- gem install bundler
- npm i -g eslint babel-eslint
- npm i -g eslint@1.3.1 babel-eslint
- eslint app/assets/javascripts
- eslint --ext .es6 app/assets/javascripts
- eslint --ext .es6 test/javascripts

View File

@ -355,8 +355,8 @@ class TopicView
end
def find_topic(topic_id)
finder = Topic.where(id: topic_id).includes(:category)
finder = finder.with_deleted if @guardian.can_see_deleted_topics?
# with_deleted covered in #check_and_raise_exceptions
finder = Topic.with_deleted.where(id: topic_id).includes(:category)
finder.first
end

View File

@ -1,5 +1,23 @@
require 'spec_helper'
def topics_controller_show_gen_perm_tests(expected, ctx)
expected.each do |sym, status|
params = "topic_id: #{sym}.id, slug: #{sym}.slug"
if sym == :nonexist
params = "topic_id: nonexist_topic_id"
end
ctx.instance_eval("
it 'returns #{status} for #{sym}' do
begin
xhr :get, :show, #{params}
expect(response.status).to eq(#{status})
rescue Discourse::NotLoggedIn
expect(302).to eq(#{status})
end
end")
end
end
describe TopicsController do
context 'wordpress' do
@ -554,6 +572,108 @@ describe TopicsController do
end
end
context 'permission errors' do
let(:allowed_user) { Fabricate(:user) }
let(:allowed_group) { Fabricate(:group) }
let(:secure_category) {
c = Fabricate(:category)
c.permissions = [[allowed_group, :full]]
c.save
allowed_user.groups = [allowed_group]
allowed_user.save
c }
let(:normal_topic) { Fabricate(:topic) }
let(:secure_topic) { Fabricate(:topic, category: secure_category) }
let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) }
let(:deleted_topic) { Fabricate(:deleted_topic) }
let(:nonexist_topic_id) { Topic.last.id + 10000 }
context 'anonymous' do
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 302,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'anonymous with login required' do
before do
SiteSetting.login_required = true
end
expected = {
:normal_topic => 302,
:secure_topic => 302,
:private_topic => 302,
:deleted_topic => 302,
:nonexist => 302
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'normal user' do
before do
log_in(:user)
end
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'allowed user' do
before do
log_in_user(allowed_user)
end
expected = {
:normal_topic => 200,
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'moderator' do
before do
log_in(:moderator)
end
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 200,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'admin' do
before do
log_in(:admin)
end
expected = {
:normal_topic => 200,
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 200,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
end
it 'records a view' do
expect { xhr :get, :show, topic_id: topic.id, slug: topic.slug }.to change(TopicViewItem, :count).by(1)
end

View File

@ -144,7 +144,6 @@ Spork.prefork do
FileUtils.cp("#{Rails.root}/spec/fixtures/images/#{filename}", "#{Rails.root}/tmp/spec/#{filename}")
File.new("#{Rails.root}/tmp/spec/#{filename}")
end
end
Spork.each_run do