browsercms 3.0.2 → 3.0.3

data/test/functional/cms/section_nodes_controller_test.rb

@@ -3,11 +3,8 @@ require File.join(File.dirname(__FILE__), '/../../test_helper')
 class Cms::SectionNodesControllerTest < ActionController::TestCase
   include Cms::ControllerTestHelper
   
-  def setup
+  def test_index_as_admin
     login_as_cms_admin
-  end
-  
-  def test_index
     @foo = Factory(:section, :name => "Foo", :parent => root_section)
     @bar = Factory(:section, :name => "Bar", :parent => @foo)
     @page = Factory(:page, :name => "Test Page", :section => @bar)
@@ -39,6 +36,49 @@ class Cms::SectionNodesControllerTest < ActionController::TestCase
     end
   end
   
+end
+
+class Cms::SectionNodesControllerPermissionsTest < ActionController::TestCase
+  tests Cms::SectionNodesController
+  include Cms::ControllerTestHelper
   
+  def setup
+    # DRYME copypaste from UserPermissionTest
+    @user = Factory(:user)
+    login_as(@user)
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    @group.permissions << create_or_find_permission_named("edit_content")
+    @group.permissions << create_or_find_permission_named("publish_content")
+    @user.groups << @group
+    
+    @editable_section = Factory(:section, :parent => root_section, :name => "Editable")
+    @group.sections << @editable_section
+    @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page")
+    @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link")
+    
+    @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable")
+    @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page")
+    @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link")
+    
+    @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link]
+    @editables = [@editable_section,
+      @editable_page, 
+      @editable_link,]
+  end
   
-end
+  def test_index_as_contributor_with_subsections
+    get :index
+    assert_response :success
+    
+    # Check that each non-editable has the non-editable class, and that each editable does not have
+    # the non-editable class
+    @noneditables.each do |ne|
+      assert_select "td.node.non-editable div", ne.name
+    end
+    @editables.each do |e|
+      td = css_select("td##{e.class.to_s.underscore}_#{e.id}", e.name).first
+      assert !td.attributes["class"].include?("non-editable")
+    end
+  end
+end
+

data/test/functional/cms/sections_controller_test.rb

@@ -13,8 +13,15 @@ class Cms::SectionsControllerTest < ActionController::TestCase
     assert_select "input[name=?][value=?]", "section[name]", root_section.name
   end
   
+  test "GET new should set the groups to the parent section's groups by default" do
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    get :new, :section_id => root_section.to_param
+    assert_equal root_section.groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group)
+  end
+  
   def test_update
-    @section = Factory(:section, :name => "V1", :parent => root_section)
+    @section = Factory(:section, :name => "V1", :parent => root_section, :groups => root_section.groups)
     
     put :update, :id => @section.to_param, :section => {:name => "V2"}
     reset(:section)
@@ -76,3 +83,143 @@ class Cms::SectionFileBrowserControllerTest < ActionController::TestCase
   end
   
 end
+
+class Cms::SectionsControllerPermissionsTest < ActionController::TestCase
+  tests Cms::SectionsController
+  include Cms::ControllerTestHelper
+  
+  def setup
+    # DRYME copypaste from UserPermissionTest
+    @user = Factory(:user)
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    @group.permissions << create_or_find_permission_named("edit_content")
+    @group.permissions << create_or_find_permission_named("publish_content")
+    @user.groups << @group
+    
+    @editable_section = Factory(:section, :parent => root_section, :name => "Editable")
+    @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection")
+    @group.sections << @editable_section
+    @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page")
+    @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage")
+    @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link")
+    @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink")
+    
+    @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable")
+    @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page")
+    @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link")
+    
+    @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link]
+    @editables = [@editable_section, @editable_subsection, 
+      @editable_page, @editable_subpage, 
+      @editable_link, @editable_sublink]
+  end
+
+  def test_new_permissions
+    login_as(@user)
+
+    get :new, :section_id => @editable_section
+    assert_response :success
+
+    get :new, :section_id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  test "POST create should set the groups to the parent section's groups for non-admin user" do
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    login_as(@user)
+    get :new, :section_id => @editable_section
+    assert_equal @editable_section.groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group)
+  end
+
+  def test_create_permissions
+    login_as(@user)
+
+    post :create, :section_id => @editable_section, :name => "Another editable subsection"
+    assert_response :success
+
+    post :create, :section_id => @noneditable_section, :name => "Another non-editable subsection"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_edit_permissions
+    login_as(@user)
+
+    get :edit, :id => @editable_section
+    assert_response :success
+
+    get :edit, :id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_update_permissions
+    login_as(@user)
+
+    put :update, :id => @editable_section, :name => "Modified editable subsection"
+    assert_response :redirect
+
+    put :update, :id => @noneditable_section, :name => "Modified non-editable subsection"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  def test_update_permissions_of_subsection
+    login_as(@user)
+
+    put :update, :id => @editable_section, :name => "Modified editable subsection"
+    assert_response :redirect
+
+    put :update, :id => @editable_subsection, :name => "Section below editable section"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  test "PUT update should leave groups alone for non-admin user" do
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = @editable_section.groups
+    login_as(@user)
+    put :update, :id => @editable_section
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group2)
+  end
+
+  test "PUT update should leave groups alone for non-admin user even if hack url" do
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = @editable_section.groups
+    login_as(@user)
+    RAILS_DEFAULT_LOGGER.warn("starting...")
+    put :update, :id => @editable_section, :section => {:name => "new name", :group_ids => [@group, @group2]}
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+    assert_equal "new name", assigns(:section).name
+    assert !assigns(:section).groups.include?(@group2)
+  end
+
+
+
+  test "PUT update should add groups for admin user" do
+# This step is unnecessary in the actual cms, as you can't stop the admin from doing anything
+    Group.find(:first, :conditions => "code = 'cms-admin'").sections << @editable_subsection
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = [@group, @group2]
+    login_as_cms_admin
+    put :update, :id => @editable_subsection, :section => {:name => "new name", :group_ids => [@group, @group2]}
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+  end
+
+  def test_destroy_permissions
+    login_as(@user)
+
+    delete :destroy, :id => @editable_section
+    assert_response :redirect
+
+    delete :destroy, :id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+end

data/test/functional/cms/sessions_controller_test.rb

@@ -2,6 +2,9 @@ require File.join(File.dirname(__FILE__), '/../../test_helper')
 
 class Cms::SessionsControllerTest < ActionController::TestCase
   include Cms::ControllerTestHelper
+  def teardown
+    User.current = nil
+  end
   
   def test_not_redirected_to_cms_site_if_public_site
     @request.host = "foo.com"
@@ -19,6 +22,22 @@ class Cms::SessionsControllerTest < ActionController::TestCase
     assert_select "title", "CMS Login"
   end
   
+  def test_return_to
+    user = Factory(:user)
+    expected_url = "/expected_url"
+
+    post :create, {:success_url => "", :login => user.login, :password => "password"}, {:return_to => expected_url }
+    assert_redirected_to(expected_url)
+  end
+  def test_success_url_overrides_return_to
+    user = Factory(:user)
+    expected_url = "/expected_url"
+
+    post :create, {:success_url => expected_url, :login => user.login, :password => "password"}, {:return_to => "/somewhere_else" }
+
+    assert_redirected_to(expected_url)
+  end
+  
 end
 
 class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase
@@ -48,5 +67,10 @@ class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase
     log @response.body
     assert_select "title", "CMS Login"
   end
-  
-end
+
+  test "destroy" do
+    Cms::SessionsController.any_instance.expects(:logout_user)
+    delete :destroy
+    assert_redirected_to "/" 
+  end
+end

data/test/functional/cms/users_controller_test.rb

@@ -6,7 +6,6 @@ class Cms::UsersControllerTest < ActionController::TestCase
   def setup
     login_as_cms_admin
     @user = User.first
-    
   end
   
   def test_index
@@ -132,6 +131,11 @@ class Cms::UsersControllerTest < ActionController::TestCase
     assert_select "input#user_expires_at"
   end
   
+  def test_show
+    get :show, :id => @user.id
+    assert_response :success
+  end
+  
   def test_update
     put :update, :id => @user.id, :user => { :first_name => "First"}
     reset(:user)
@@ -181,4 +185,47 @@ class Cms::UsersControllerTest < ActionController::TestCase
       @user_with_login = Factory(:user, :login => "mylogin")
     end
   
-end
+end
+
+class Cms::UsersControllerNonAdminTest < ActionController::TestCase
+  tests Cms::UsersController
+  include Cms::ControllerTestHelper
+
+  def setup
+    @user = Factory.build(:user)
+    @user.groups = [groups(:group_3)]
+    @user.save!
+    login_as(@user)
+  end
+  
+  def test_show_self
+    get :show, :id => @user.id
+    assert_response :success
+  end
+  
+  def test_show_other
+    get :show, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+  
+  def test_change_password_self
+    get :change_password, :id => @user.id
+    assert_response :success
+  end
+  
+  def test_change_password_other
+    get :change_password, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+  
+  def test_update_password_self
+    put :update_password, :id => @user.id,
+        :user => {:password => "something_else", :password_confirmation => "something_else"}
+    assert_redirected_to cms_user_path(@user)
+  end
+  
+  def test_update_password_other
+    put :update_password, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+end

data/test/test_helper.rb

@@ -2,6 +2,8 @@ ENV["RAILS_ENV"] = "test"
 require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
 require 'test_help'
 require 'action_view/test_case'
+require 'mocha'
+require 'redgreen'
 
 class ActiveSupport::TestCase
   # Transactional fixtures accelerate your tests by wrapping each test method
@@ -97,7 +99,7 @@ class ActiveSupport::TestCase
   end
 
   def guest_group
-    Group.find_by_code("guest") || Factory(:group, :code => "guest")
+    Group.guest || Factory(:group, :code => Group::GUEST_CODE)
   end  
 
   def login_as(user)

data/test/unit/behaviors/attaching_test.rb

@@ -81,6 +81,32 @@ class DefaultAttachableTest < ActiveSupport::TestCase
     assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path
     assert @attachable.attachment.published?
   end  
+
+  def test_create_without_attachment_and_then_add_attachment_on_edit
+    @attachable = DefaultAttachable.new(:name => "File Name", 
+      :attachment_file => nil, :publish_on_save => true)
+
+    assert_difference 'DefaultAttachable.count' do
+      assert_valid @attachable
+      @attachable.save!
+    end
+
+    assert_nil @attachable.attachment_file_path
+
+    reset(:attachable)
+
+    @attachable.attachment_file = @file
+    @attachable.save
+    @attachable.publish
+    assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path
+
+    reset(:attachable)
+
+    assert_equal @section, @attachable.attachment_section
+    assert_equal @section.id, @attachable.attachment_section_id
+    assert_equal "/attachments/foo.jpg", @attachable.attachment_file_path
+    assert @attachable.attachment.published?
+  end
   
   
 end