[refs #511] add issue index authorization

2012-05-30 22:03:07 +06:00 · 2012-05-30 22:03:07 +06:00 · 5c9f914e4a
parent 2e7865d487
commit 5c9f914e4a
2 changed files with 29 additions and 2 deletions
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@ -4,7 +4,7 @@ class Projects::IssuesController < Projects::BaseController
  before_filter :authenticate_user!
  skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access']
  load_resource :project
-  load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create]
+  load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create, :index]
  before_filter :load_and_authorize_label, :only => NON_RESTFUL_ACTION

  layout 'application'
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@ -11,6 +11,12 @@ shared_examples_for 'issue user with project reader rights' do
    get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
    response.should render_template(:show)
  end
+
+  it 'should be able to perform index action on hidden project' do
+    @project.update_attribute :visibility, 'hidden'
+    get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+    response.should render_template(:index)
+  end
 end

 shared_examples_for 'issue user with project writer rights' do
@ -187,7 +193,22 @@ describe Projects::IssuesController do

  context 'for guest' do
    if APP_CONFIG['anonymous_access']
-      it_should_behave_like 'issue user with project reader rights'
+      # it_should_behave_like 'issue user with project reader rights'
+      it 'should be able to perform index action' do
+        get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+        response.should render_template(:index)
+      end
+
+      it 'should be able to perform show action' do
+        get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
+        response.should render_template(:show)
+      end
+
+      it 'should not be able to perform index action on hidden project' do
+        @project.update_attribute :visibility, 'hidden'
+        get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+        response.should redirect_to(forbidden_path)
+      end
    else
      it 'should not be able to perform index action' do
        get :index, :owner_name => @project.owner.uname, :project_name => @project.name
@ -198,6 +219,12 @@ describe Projects::IssuesController do
        get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
        response.should redirect_to(new_user_session_path)
      end
+
+      it 'should not be able to perform index action on hidden project' do
+        @project.update_attribute :visibility, 'hidden'
+        get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+        response.should redirect_to(new_user_session_path)
+      end
    end

    it 'should not be able to perform create action' do