we5-browsercms 3.0.2 → 3.0.5

data/test/functional/cms/pages_controller_test.rb

@@ -66,6 +66,13 @@ class Cms::PagesControllerTest < ActionController::TestCase
     end
   end
 
+ def test_version
+    create_page
+    @page.update_attributes(:name => "V2")
+    get :version, :id => @page.to_param, :version => 1
+    assert_response :success
+  end
+
   def test_revert_to
     create_page
     @page.update_attributes(:name => "V2")
@@ -87,3 +94,134 @@ class Cms::PagesControllerTest < ActionController::TestCase
     end
 
 end
+
+class Cms::PagesControllerPermissionsTest < ActionController::TestCase
+  tests Cms::PagesController
+  include Cms::ControllerTestHelper
+  
+  def setup 
+    # DRYME copypaste from UserPermissionTest
+    @user = Factory(:user)
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    @group.permissions << create_or_find_permission_named("edit_content")
+    @group.permissions << create_or_find_permission_named("publish_content")
+    @user.groups << @group
+    
+    @editable_section = Factory(:section, :parent => root_section, :name => "Editable")
+    @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection")
+    @group.sections << @editable_section
+    @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page")
+    @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage")
+    @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link")
+    @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink")
+    
+    @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable")
+    @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page")
+    @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link")
+    
+    @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link]
+    @editables = [@editable_section, @editable_subsection, 
+      @editable_page, @editable_subpage, 
+      @editable_link, @editable_sublink]
+  end
+
+  def test_new_permissions
+    login_as(@user)
+
+    get :new, :section_id => @editable_section
+    assert_response :success
+
+    get :new, :section_id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_create_permissions
+    login_as(@user)
+
+    post :create, :section_id => @editable_section, :name => "Another editable page"
+    assert_response :success
+
+    post :create, :section_id => @noneditable_section, :name => "Another non-editable page"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_edit_permissions
+    login_as(@user)
+
+    get :edit, :id => @editable_page
+    assert_response :success
+
+    get :edit, :id => @noneditable_page
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_update_permissions
+    login_as(@user)
+
+    # Regular update
+    put :update, :id => @editable_page, :name => "Modified editable page"
+    assert_response :redirect
+
+    put :update, :id => @noneditable_page, :name => "Modified non-editable page"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+
+    # archive
+    put :archive, :id => @editable_page
+    assert_response :redirect
+
+    put :archive, :id => @noneditable_page
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+
+    # hide
+    put :hide, :id => @editable_page
+    assert_response :redirect
+
+    put :hide, :id => @noneditable_page
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+
+    # publish
+    put :publish, :id => @editable_page
+    assert_response :redirect
+
+    put :publish, :id => @noneditable_page
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+
+    # publish many
+    put :publish, :page_ids => [@editable_page.id]
+    assert_response :redirect
+    
+    put :publish, :page_ids => [@noneditable_page.id]
+    assert_response 403
+    
+    put :publish, :page_ids => [@editable_page.id, @noneditable_page.id]
+    assert_response 403
+
+    # revert_to
+    # can't find route...
+#    put :revert_to, :id => @editable_page.id
+#    assert_response :redirect
+
+#    put :revert_to, :id => @noneditable_page.id
+#    assert_response :error # shouldn't it be 403?
+  end
+
+  def test_destroy_permissions
+    login_as(@user)
+
+    delete :destroy, :id => @editable_page
+    assert_response :redirect
+
+    delete :destroy, :id => @noneditable_page
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+end
+
+

data/test/functional/cms/section_nodes_controller_test.rb

@@ -3,11 +3,8 @@ require File.join(File.dirname(__FILE__), '/../../test_helper')
 class Cms::SectionNodesControllerTest < ActionController::TestCase
   include Cms::ControllerTestHelper
   
-  def setup
+  def test_index_as_admin
     login_as_cms_admin
-  end
-  
-  def test_index
     @foo = Factory(:section, :name => "Foo", :parent => root_section)
     @bar = Factory(:section, :name => "Bar", :parent => @foo)
     @page = Factory(:page, :name => "Test Page", :section => @bar)
@@ -39,6 +36,49 @@ class Cms::SectionNodesControllerTest < ActionController::TestCase
     end
   end
   
+end
+
+class Cms::SectionNodesControllerPermissionsTest < ActionController::TestCase
+  tests Cms::SectionNodesController
+  include Cms::ControllerTestHelper
   
+  def setup
+    # DRYME copypaste from UserPermissionTest
+    @user = Factory(:user)
+    login_as(@user)
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    @group.permissions << create_or_find_permission_named("edit_content")
+    @group.permissions << create_or_find_permission_named("publish_content")
+    @user.groups << @group
+    
+    @editable_section = Factory(:section, :parent => root_section, :name => "Editable")
+    @group.sections << @editable_section
+    @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page")
+    @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link")
+    
+    @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable")
+    @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page")
+    @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link")
+    
+    @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link]
+    @editables = [@editable_section,
+      @editable_page, 
+      @editable_link,]
+  end
   
-end
+  def test_index_as_contributor_with_subsections
+    get :index
+    assert_response :success
+    
+    # Check that each non-editable has the non-editable class, and that each editable does not have
+    # the non-editable class
+    @noneditables.each do |ne|
+      assert_select "td.node.non-editable div", ne.name
+    end
+    @editables.each do |e|
+      td = css_select("td##{e.class.to_s.underscore}_#{e.id}", e.name).first
+      assert !td.attributes["class"].include?("non-editable")
+    end
+  end
+end
+

data/test/functional/cms/sections_controller_test.rb

@@ -13,8 +13,15 @@ class Cms::SectionsControllerTest < ActionController::TestCase
     assert_select "input[name=?][value=?]", "section[name]", root_section.name
   end
   
+  test "GET new should set the groups to the parent section's groups by default" do
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    get :new, :section_id => root_section.to_param
+    assert_equal root_section.groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group)
+  end
+  
   def test_update
-    @section = Factory(:section, :name => "V1", :parent => root_section)
+    @section = Factory(:section, :name => "V1", :parent => root_section, :groups => root_section.groups)
     
     put :update, :id => @section.to_param, :section => {:name => "V2"}
     reset(:section)
@@ -76,3 +83,143 @@ class Cms::SectionFileBrowserControllerTest < ActionController::TestCase
   end
   
 end
+
+class Cms::SectionsControllerPermissionsTest < ActionController::TestCase
+  tests Cms::SectionsController
+  include Cms::ControllerTestHelper
+  
+  def setup
+    # DRYME copypaste from UserPermissionTest
+    @user = Factory(:user)
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    @group.permissions << create_or_find_permission_named("edit_content")
+    @group.permissions << create_or_find_permission_named("publish_content")
+    @user.groups << @group
+    
+    @editable_section = Factory(:section, :parent => root_section, :name => "Editable")
+    @editable_subsection = Factory(:section, :parent => @editable_section, :name => "Editable Subsection")
+    @group.sections << @editable_section
+    @editable_page = Factory(:page, :section => @editable_section, :name => "Editable Page")
+    @editable_subpage = Factory(:page, :section => @editable_subsection, :name => "Editable SubPage")
+    @editable_link = Factory(:link, :section => @editable_section, :name => "Editable Link")
+    @editable_sublink = Factory(:link, :section => @editable_subsection, :name => "Editable SubLink")
+    
+    @noneditable_section = Factory(:section, :parent => root_section, :name => "Not Editable")
+    @noneditable_page = Factory(:page, :section => @noneditable_section, :name => "Non-Editable Page")
+    @noneditable_link = Factory(:link, :section => @noneditable_section, :name => "Non-Editable Link")
+    
+    @noneditables = [@noneditable_section, @noneditable_page, @noneditable_link]
+    @editables = [@editable_section, @editable_subsection, 
+      @editable_page, @editable_subpage, 
+      @editable_link, @editable_sublink]
+  end
+
+  def test_new_permissions
+    login_as(@user)
+
+    get :new, :section_id => @editable_section
+    assert_response :success
+
+    get :new, :section_id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  test "POST create should set the groups to the parent section's groups for non-admin user" do
+    @group = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    login_as(@user)
+    get :new, :section_id => @editable_section
+    assert_equal @editable_section.groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group)
+  end
+
+  def test_create_permissions
+    login_as(@user)
+
+    post :create, :section_id => @editable_section, :name => "Another editable subsection"
+    assert_response :success
+
+    post :create, :section_id => @noneditable_section, :name => "Another non-editable subsection"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_edit_permissions
+    login_as(@user)
+
+    get :edit, :id => @editable_section
+    assert_response :success
+
+    get :edit, :id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+
+  def test_update_permissions
+    login_as(@user)
+
+    put :update, :id => @editable_section, :name => "Modified editable subsection"
+    assert_response :redirect
+
+    put :update, :id => @noneditable_section, :name => "Modified non-editable subsection"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  def test_update_permissions_of_subsection
+    login_as(@user)
+
+    put :update, :id => @editable_section, :name => "Modified editable subsection"
+    assert_response :redirect
+
+    put :update, :id => @editable_subsection, :name => "Section below editable section"
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+  
+  test "PUT update should leave groups alone for non-admin user" do
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = @editable_section.groups
+    login_as(@user)
+    put :update, :id => @editable_section
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+    assert !assigns(:section).groups.include?(@group2)
+  end
+
+  test "PUT update should leave groups alone for non-admin user even if hack url" do
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = @editable_section.groups
+    login_as(@user)
+    RAILS_DEFAULT_LOGGER.warn("starting...")
+    put :update, :id => @editable_section, :section => {:name => "new name", :group_ids => [@group, @group2]}
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+    assert_equal "new name", assigns(:section).name
+    assert !assigns(:section).groups.include?(@group2)
+  end
+
+
+
+  test "PUT update should add groups for admin user" do
+# This step is unnecessary in the actual cms, as you can't stop the admin from doing anything
+    Group.find(:first, :conditions => "code = 'cms-admin'").sections << @editable_subsection
+    @group2 = Factory(:group, :name => "Test", :group_type => Factory(:group_type, :name => "CMS User", :cms_access => true))
+    expected_groups = [@group, @group2]
+    login_as_cms_admin
+    put :update, :id => @editable_subsection, :section => {:name => "new name", :group_ids => [@group, @group2]}
+    assert_response :redirect
+    assert_equal expected_groups, assigns(:section).groups
+  end
+
+  def test_destroy_permissions
+    login_as(@user)
+
+    delete :destroy, :id => @editable_section
+    assert_response :redirect
+
+    delete :destroy, :id => @noneditable_section
+    assert_response 403
+    assert_template "cms/shared/access_denied"
+  end
+end

data/test/functional/cms/sessions_controller_test.rb

@@ -2,6 +2,9 @@ require File.join(File.dirname(__FILE__), '/../../test_helper')
 
 class Cms::SessionsControllerTest < ActionController::TestCase
   include Cms::ControllerTestHelper
+  def teardown
+    User.current = nil
+  end
   
   def test_not_redirected_to_cms_site_if_public_site
     @request.host = "foo.com"
@@ -19,6 +22,22 @@ class Cms::SessionsControllerTest < ActionController::TestCase
     assert_select "title", "CMS Login"
   end
   
+  def test_return_to
+    user = Factory(:user)
+    expected_url = "/expected_url"
+
+    post :create, {:success_url => "", :login => user.login, :password => "password"}, {:return_to => expected_url }
+    assert_redirected_to(expected_url)
+  end
+  def test_success_url_overrides_return_to
+    user = Factory(:user)
+    expected_url = "/expected_url"
+
+    post :create, {:success_url => expected_url, :login => user.login, :password => "password"}, {:return_to => "/somewhere_else" }
+
+    assert_redirected_to(expected_url)
+  end
+  
 end
 
 class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase
@@ -48,5 +67,10 @@ class Cms::SessionsControllerCacheEnabledTest < ActionController::TestCase
     log @response.body
     assert_select "title", "CMS Login"
   end
-  
-end
+
+  test "destroy" do
+    Cms::SessionsController.any_instance.expects(:logout_user)
+    delete :destroy
+    assert_redirected_to "/" 
+  end
+end

data/test/functional/cms/users_controller_test.rb

@@ -6,7 +6,6 @@ class Cms::UsersControllerTest < ActionController::TestCase
   def setup
     login_as_cms_admin
     @user = User.first
-    
   end
   
   def test_index
@@ -132,6 +131,11 @@ class Cms::UsersControllerTest < ActionController::TestCase
     assert_select "input#user_expires_at"
   end
   
+  def test_show
+    get :show, :id => @user.id
+    assert_response :success
+  end
+  
   def test_update
     put :update, :id => @user.id, :user => { :first_name => "First"}
     reset(:user)
@@ -181,4 +185,47 @@ class Cms::UsersControllerTest < ActionController::TestCase
       @user_with_login = Factory(:user, :login => "mylogin")
     end
   
-end
+end
+
+class Cms::UsersControllerNonAdminTest < ActionController::TestCase
+  tests Cms::UsersController
+  include Cms::ControllerTestHelper
+
+  def setup
+    @user = Factory.build(:user)
+    @user.groups = [groups(:group_3)]
+    @user.save!
+    login_as(@user)
+  end
+  
+  def test_show_self
+    get :show, :id => @user.id
+    assert_response :success
+  end
+  
+  def test_show_other
+    get :show, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+  
+  def test_change_password_self
+    get :change_password, :id => @user.id
+    assert_response :success
+  end
+  
+  def test_change_password_other
+    get :change_password, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+  
+  def test_update_password_self
+    put :update_password, :id => @user.id,
+        :user => {:password => "something_else", :password_confirmation => "something_else"}
+    assert_redirected_to cms_user_path(@user)
+  end
+  
+  def test_update_password_other
+    put :update_password, :id => Factory(:user).id
+    assert @response.body.include?("Access Denied")
+  end
+end