FIX: Give 403 for deleted topics, +lots of tests

This commit is contained in:
Kane York 2015-09-11 08:29:44 -07:00
parent 18d7c1c75d
commit 460243d7a3
3 changed files with 122 additions and 3 deletions

View file

@ -355,8 +355,8 @@ class TopicView
end end
def find_topic(topic_id) def find_topic(topic_id)
finder = Topic.where(id: topic_id).includes(:category) # with_deleted covered in #check_and_raise_exceptions
finder = finder.with_deleted if @guardian.can_see_deleted_topics? finder = Topic.with_deleted.where(id: topic_id).includes(:category)
finder.first finder.first
end end

View file

@ -1,5 +1,23 @@
require 'spec_helper' require 'spec_helper'
def topics_controller_show_gen_perm_tests(expected, ctx)
expected.each do |sym, status|
params = "topic_id: #{sym}.id, slug: #{sym}.slug"
if sym == :nonexist
params = "topic_id: nonexist_topic_id"
end
ctx.instance_eval("
it 'returns #{status} for #{sym}' do
begin
xhr :get, :show, #{params}
expect(response.status).to eq(#{status})
rescue Discourse::NotLoggedIn
expect(302).to eq(#{status})
end
end")
end
end
describe TopicsController do describe TopicsController do
context 'wordpress' do context 'wordpress' do
@ -554,6 +572,108 @@ describe TopicsController do
end end
end end
context 'permission errors' do
let(:allowed_user) { Fabricate(:user) }
let(:allowed_group) { Fabricate(:group) }
let(:secure_category) {
c = Fabricate(:category)
c.permissions = [[allowed_group, :full]]
c.save
allowed_user.groups = [allowed_group]
allowed_user.save
c }
let(:normal_topic) { Fabricate(:topic) }
let(:secure_topic) { Fabricate(:topic, category: secure_category) }
let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) }
let(:deleted_topic) { Fabricate(:deleted_topic) }
let(:nonexist_topic_id) { Topic.last.id + 10000 }
context 'anonymous' do
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 302,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'anonymous with login required' do
before do
SiteSetting.login_required = true
end
expected = {
:normal_topic => 302,
:secure_topic => 302,
:private_topic => 302,
:deleted_topic => 302,
:nonexist => 302
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'normal user' do
before do
log_in(:user)
end
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'allowed user' do
before do
log_in_user(allowed_user)
end
expected = {
:normal_topic => 200,
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'moderator' do
before do
log_in(:moderator)
end
expected = {
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 200,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
context 'admin' do
before do
log_in(:admin)
end
expected = {
:normal_topic => 200,
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 200,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
end
end
it 'records a view' do it 'records a view' do
expect { xhr :get, :show, topic_id: topic.id, slug: topic.slug }.to change(TopicViewItem, :count).by(1) expect { xhr :get, :show, topic_id: topic.id, slug: topic.slug }.to change(TopicViewItem, :count).by(1)
end end

View file

@ -144,7 +144,6 @@ Spork.prefork do
FileUtils.cp("#{Rails.root}/spec/fixtures/images/#{filename}", "#{Rails.root}/tmp/spec/#{filename}") FileUtils.cp("#{Rails.root}/spec/fixtures/images/#{filename}", "#{Rails.root}/tmp/spec/#{filename}")
File.new("#{Rails.root}/tmp/spec/#{filename}") File.new("#{Rails.root}/tmp/spec/#{filename}")
end end
end end
Spork.each_run do Spork.each_run do