we5-browsercms 3.0.2 → 3.0.5

data/lib/cms/acts/content_block.rb

@@ -28,4 +28,4 @@ module Cms
       end
     end
   end
-end
+end

data/lib/cms/authentication/controller.rb

@@ -1,3 +1,27 @@
+#
+# Defines the authentication behavior for controllers in BrowserCMS. It can be added to any controller that needs to 
+# hook into the BrowserCMS Authentication behavior like so:
+#
+# class MySuperSecureController < ApplicationController
+#   include Cms::Authentication::Controller
+#
+# It is based off Restful_Authentication, and adds in behavior to deal with several concepts specific to BrowserCMS.
+#
+# (Note: 10/8/09 - I was comparing this to a very old version of the generated code from Restful_Authentication,
+# so some of the following items may be 'stock' to that. (Especially #2)
+#
+# 1. Guests - These represents users that are not logged in. What guests can see and do can be modified via the CMS UI. Guests
+#             are not considered to be 'logged in'.
+# 2. 'Current' User - The currently logged in user is stored in a thread local, and can be accessed anywhere via 'User.current'.
+#             This allows model code to easily record which user is making changes to records, for versioning, etc.
+#
+# 3. 'Admin' Access Denied Page - If users try to access a protected controller, they are redirected to the CMS administration Login page
+#             which may be different than the 'front end' user login page. (Cms::Controller handles that differently)
+#
+#
+# To Dos: It appears as though we are storing the 'current' user in two places, @current_user and User.current. This is probably not DRY, but
+#   more testing would be needed.
+#
 module Cms
   module Authentication
     module Controller
@@ -12,6 +36,7 @@ module Cms
         # If the user is not logged in, this will be set to the guest user, which represents a public
         # user, who will likely have more limited permissions
         def current_user
+          # Note: We have disabled basic_http_auth
           @current_user ||= begin
             User.current = (login_from_session || login_from_cookie || User.guest)  
           end
@@ -61,7 +86,7 @@ module Cms
 
         # Redirect as appropriate when an access request fails.
         #
-        # The default action is to redirect to the login screen.
+        # The default action is to redirect to the BrowserCMS admin login screen.
         #
         # Override this method in your controllers if you want to have special
         # behavior in case the user is not authorized
@@ -73,11 +98,6 @@ module Cms
               store_location
               redirect_to cms_login_path
             end
-            # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
-            # you may want to change format.any to e.g. format.any(:js, :xml)
-            # format.any do
-            #   request_http_basic_authentication 'Web Password'
-            # end
           end
         end
 
@@ -162,7 +182,6 @@ module Cms
 
         # Cookies shouldn't be allowed to persist past their freshness date,
         # and they should be changed at each login
-
         def valid_remember_cookie?
           return nil unless User.current
           (User.current.remember_token?) && 

data/lib/cms/behaviors/attaching.rb

@@ -118,14 +118,14 @@ module Cms
 
         # Override this method if you would like to override the way the section is set
         def set_attachment_section
-          if new_record? && !attachment_file.blank?
+          if !attachment_file.blank?
             attachment.section = Section.root.first
           end
         end
 
         # Override this method if you would like to override the way file_path is set
         def set_attachment_file_path
-          if new_record? && !attachment_file.blank?
+          if !attachment_file.blank?
             attachment.file_path = "/attachments/#{File.basename(attachment_file.original_filename).to_s.downcase}"
           end
         end
@@ -181,4 +181,4 @@ module Cms
       end
     end
   end
-end
+end

data/lib/cms/behaviors/publishing.rb

@@ -23,7 +23,18 @@ module Cms
           after_save :publish_for_non_versioned
         
           named_scope :published, :conditions => {:published => true}
-          named_scope :unpublished, :conditions => {:published => false}        
+          named_scope :unpublished, lambda {
+            if versioned?
+              { :joins => :versions,
+                :conditions =>
+                  "#{connection.quote_table_name(version_table_name)}.#{connection.quote_column_name('version')} > " +
+                  "#{connection.quote_table_name(table_name)}.#{connection.quote_column_name('version')}",
+                :select => "distinct #{connection.quote_table_name(table_name)}.*" }
+            else
+              { :conditions => { :published => false } }
+            end
+          }
+
         end
       end
       module ClassMethods

data/lib/cms/behaviors/rendering.rb

@@ -82,7 +82,7 @@ module Cms
   
     end
     module InstanceMethods
-      def perform_render(controller)
+      def prepare_to_render(controller)
         # Give this renderable a reference to the controller
         @controller = controller
 
@@ -90,12 +90,21 @@ module Cms
 
         # This gives the view a reference to this object
         instance_variable_set(self.class.instance_variable_name_for_view, self)
-
+    
         # This is like a controller action
         # We will call it if you have defined a render method
         # but if you haven't we won't
         render if respond_to?(:render)
+      end
     
+      def perform_render(controller)
+        return "Exception: #{@render_exception}" if @render_exception
+        unless @controller
+          # We haven't prepared to render. This should only happen when logged in, as we don't want
+          # errors to bubble up and prevent the page being edited in that case.
+          prepare_to_render(controller)
+        end
+        
         # Create, Instantiate and Initialize the view
         view_class  = Class.new(ActionView::Base)      
         action_view = view_class.new(@controller.view_paths, {}, @controller)
@@ -108,7 +117,7 @@ module Cms
         
         # We want content_for to be called on the controller's view, not this inner view
         def action_view.content_for(name, content=nil, &block)
-          controller.instance_variable_get("@template").content_for(name, content, &block)
+          @controller.instance_variable_get("@template").content_for(name, content, &block)
         end
         
         # Copy instance variables from this renderable object to it's view
@@ -122,6 +131,10 @@ module Cms
         end
       end
   
+      def render_exception=(exception)
+        @render_exception = exception
+      end
+
       protected
         def copy_instance_variables_from_controller!
           if @controller.respond_to?(:instance_variables_for_rendering)
@@ -141,4 +154,4 @@ module Cms
       
     end
   end
-end
+end

data/lib/cms/behaviors/versioning.rb

@@ -110,7 +110,7 @@ module Cms
         def save(perform_validations=true)
           transaction do
             #logger.info "..... Calling valid?"
-            return false unless valid?            
+            return false unless !perform_validations || valid?            
             
             if changed?
               #logger.info "..... Changes => #{changes.inspect}"
@@ -172,7 +172,7 @@ module Cms
         end
 
         def save!(perform_validations=true)
-          save || raise(ActiveRecord::RecordNotSaved.new(errors.full_messages))
+          save(perform_validations) || raise(ActiveRecord::RecordNotSaved.new(errors.full_messages))
         end
 
         def draft

data/lib/cms/routes.rb

@@ -119,6 +119,10 @@ module Cms::Routes
         :enable => :put
       }
       
+      if RAILS_ENV == "test" && File.expand_path(RAILS_ROOT) == File.expand_path(File.dirname(__FILE__) + "/../..")
+        cms.content_blocks :content_block
+      end
+      
     end
 
     if PageRoute.table_exists?

data/lib/tasks/cms.rake

@@ -9,24 +9,6 @@ end
 
 namespace :cms do
   
-  desc "DEPRECATED"
-  task :install do
-    puts "This task has been deprecated, please use 'rake install' instead"
-  end
-  
-  desc "Bumps the build number in lib/cms/init.rb"
-  task :bump_build_number do
-    init_file = Rails.root.join("lib/cms/init.rb")
-    s = File.read(init_file)
-    open(init_file, 'w') do |f| 
-      f << s.sub(/def build_number; (\d+) end/) do |s|
-        new_build_number = $1.to_i + 1
-        puts "Build number bumped to #{new_build_number}"
-        "def build_number; #{new_build_number} end"
-      end
-    end
-  end
-  
   desc "Generate guides for the CMS"
   task :guides do
     require 'rubygems'

data/public/javascripts/cms/content_library.js

@@ -0,0 +1,36 @@
+jQuery(function($){
+    
+    //----- Helper Functions -----------------------------------------------------
+    //In all of this code, we are defining functions that we use later
+    //None of this actually manipulates the DOM in any way
+    
+    //This is used to get the id part of an elementId
+    //For example, if you have section_node_5, 
+    //you pass this 'section_node_5', 'section_node' 
+    //and this returns 5
+    var getId = function(elementId, s) {
+	return elementId.replace(s,'')
+    }
+    
+
+    var nodeOnDoubleClick = function() {
+	if($('#edit_button').hasClass('disabled')) {
+	    //$('#view_button').click()
+	    location.href = $('#view_button')[0].href
+	} else {
+	    //$('#edit_button').click()      
+	    location.href = $('#edit_button')[0].href
+	}
+    }
+    
+    var addNodeOnDoubleClick = function() {
+	$('#blocks tr').dblclick(nodeOnDoubleClick)
+    }
+    
+    //----- Init -----------------------------------------------------------------
+    //In other words, stuff that happens when the page loads
+    //This is where we actually manipulate the DOM, fire events, etc.
+    
+    addNodeOnDoubleClick()
+
+})

data/public/javascripts/cms/sitemap.js

@@ -187,15 +187,26 @@ jQuery(function($){
     }
     
     var enableButtonsForNode = function(node) {
-	var id = getId(node.id, /(section|page|link)_/)
-	if($(node).hasClass('section')) {
-	    enableButtonsForSection(id)
-	} else if($(node).hasClass('page')) {
-	    enableButtonsForPage(id)
-	} else if($(node).hasClass('link')) {
-	    enableButtonsForLink(id)
-	}  
-    }
+	var id = getId(node.id, /(section|page|link)_/);
+	if(!$(node).is(".non-editable")) {
+		if($(node).hasClass('section')) {
+		    enableButtonsForSection(id);
+		} else if($(node).hasClass('page')) {
+		    enableButtonsForPage(id);
+		} else if($(node).hasClass('link')) {
+		    enableButtonsForLink(id);
+		}  
+	}else if($(node).hasClass('page')) {
+	    $('#edit-button')
+	        .html('<span>View Page</span>')
+		.removeClass('disabled')
+		.attr('href','/cms/pages/'+id)
+		.unbind('click')
+		.click(function(){return true});
+	} else {
+	    $('#properties-button').attr('href','/cms/sitemap');
+	}
+    };
     
     var enableButtonsForSection = function(id) {
 	$('#properties-button')
@@ -253,6 +264,7 @@ jQuery(function($){
     
     var enableButtonsForPage = function(id) {
 	$('#edit-button')
+	.html('<span>Edit Page</span>')
 	.removeClass('disabled')
 	.attr('href','/cms/pages/'+id)
 	.unbind('click')

data/public/stylesheets/cms/form_layout.css

@@ -1,6 +1,6 @@
 @import url(/stylesheets/cms/selectbox.css);
 
-form {
+form, .faux_form {
 font-size: 10pt;
 font-family: "Trebuchet MS", Helvetica, Verdana, Arial, sans-serif;
 color:#485561;
@@ -21,6 +21,19 @@ padding: 10px 0;
 background: url(/images/cms/dashed.gif) repeat-x 100% 100%;
 }
 
+/* Fake forms */
+.faux_form .fields {
+padding: 22px 0 10px 0;
+font-size: 12px;
+overflow: hidden;
+}
+.faux_form .fields .label {
+padding: 0 0 12px 0;
+float: left;
+width: 140px;
+font-weight: bold;
+}
+
 /* LABELS */
 .text_fields label,
 .textarea_fields label,
@@ -39,7 +52,8 @@ font-size: 12px;
 .select_fields label,
 .text_editor_fields label,
 .file_fields label,
-.checkboxes label
+.checkboxes label,
+.faux_label
  {
 font-weight: bold;
 font-size: 12px;

data/public/stylesheets/cms/nav.css

@@ -70,13 +70,14 @@ color: #666;
 font-weight: bold;
 }
 
-#nav ul#userlinks li a,	#nav ul#userlinks li span {
-padding: 8px 19px 11px 19px;
+#nav ul#userlinks li a {
+padding: 4px 19px 11px 19px;
 background: url(/images/cms/usercontrols_bg_cap.png) no-repeat 100% 0;
 color: #666;
 display: block;
 float: left;
 text-decoration: none;
+line-height: 18px;
 }
 
 #nav ul#userlinks li span {
@@ -88,7 +89,7 @@ padding: 9px 10px;
 }
 #nav ul#userlinks li#user_info img {
 float:left;
-margin: 4px 0 0 5px;
+margin: 0 5px 0 0;
 }
 
 #nav .cmssearch {

data/test/functional/cms/content_block_controller_test.rb

@@ -0,0 +1,120 @@
+require File.join(File.dirname(__FILE__), '/../../test_helper')
+
+class PermissionsForContentBlockControllerTest < ActionController::TestCase
+  include Cms::ControllerTestHelper
+  tests Cms::ContentBlockController
+  
+  # We're stubbing a lot because we *just* want to isolate the behaviour for checking permissions
+  def setup
+    login_as_cms_admin
+    @user = User.first
+    @controller.stubs(:current_user).returns(@user)
+    @controller.stubs(:render)
+    @controller.stubs(:model_class).returns(ContentBlock)
+    @controller.stubs(:set_default_category)
+    @controller.stubs(:blocks_path).returns("/cms/content_block")
+    @controller.stubs(:redirect_to_first).returns("/cms/content_block")
+    
+    @block = stub_everything("block")
+    @block.stubs(:as_of_draft_version).returns(@block)
+    @block.stubs(:as_of_version).returns(@block)
+    @block.stubs(:connected_pages).returns(stub(:all => stub))
+    
+    ContentBlock.stubs(:find).returns(@block)
+    ContentBlock.stubs(:new).returns(@block)
+    ContentBlock.stubs(:paginate)
+  end
+  
+  def expect_access_denied
+    @controller.expects(:render).with(has_entry(:status => 403))
+  end
+  
+  def expect_success
+    expect_access_denied.never
+  end
+  
+  test "GET index allows any user" do
+    expect_success
+    get :index
+  end
+  
+  test "GET show allows any user" do
+    expect_success
+    get :show, :id => 5
+  end
+  
+  test "GET new allows any user" do
+    expect_success
+    get :new
+  end
+  
+  test "POST create allows any user" do
+    expect_success
+    post :create
+  end
+  
+  test "GET version allows any user" do
+    expect_success
+    get :version, :id => 5, :version => 3
+  end
+  
+  test "GET versions allows any user" do
+    expect_success
+    get :versions, :id => 5
+  end
+  
+  test "GET usages allows any user" do
+    expect_success
+    get :usages, :id => 5
+  end
+  
+  test "GET edit allows only users who are able to edit the block" do
+    @user.stubs(:able_to_edit?).with(@block).returns(false)
+    expect_access_denied
+    get :edit, :id => 5
+    
+    @user.stubs(:able_to_edit?).with(@block).returns(true)
+    expect_success
+    get :edit, :id => 5
+  end
+  
+  test "PUT update allows only users who are able to edit the block" do
+    @user.stubs(:able_to_edit?).with(@block).returns(false)
+    expect_access_denied
+    put :update, :id => 5
+    
+    @user.stubs(:able_to_edit?).with(@block).returns(true)
+    expect_success
+    put :update, :id => 5
+  end
+  
+  test "DELETE destroy allows only users who are able to publish the block" do
+    @user.stubs(:able_to_publish?).with(@block).returns(false)
+    expect_access_denied
+    delete :destroy, :id => 5
+    
+    @user.stubs(:able_to_publish?).with(@block).returns(true)
+    expect_success
+    delete :destroy, :id => 5
+  end
+  
+  test "PUT publish allows only users who are able to publish the block" do
+    @user.stubs(:able_to_publish?).with(@block).returns(false)
+    expect_access_denied
+    put :publish, :id => 5
+    
+    @user.stubs(:able_to_publish?).with(@block).returns(true)
+    expect_success
+    put :publish, :id => 5
+  end
+  
+  test "PUT revert_to allows only users who are able to publish the block" do
+    @user.stubs(:able_to_publish?).with(@block).returns(false)
+    expect_access_denied
+    put :revert_to, :id => 5, :version => 1
+    
+    @user.stubs(:able_to_publish?).with(@block).returns(true)
+    expect_success
+    put :revert_to, :id => 5, :version => 1
+  end
+end