From b7eff22c2353e7e5417ea9e9b9b62014afa05308 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 15:22:31 +0400 Subject: [PATCH 01/11] #698: added API for Advisories --- .../api/v1/advisories_controller.rb | 36 +++++++++++++++++++ app/controllers/api/v1/base_controller.rb | 2 +- .../api/v1/advisories/_advisory.json.jbuilder | 12 +++++++ .../api/v1/advisories/index.json.jbuilder | 4 +++ .../api/v1/advisories/show.json.jbuilder | 24 +++++++++++++ config/routes.rb | 1 + 6 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 app/controllers/api/v1/advisories_controller.rb create mode 100644 app/views/api/v1/advisories/_advisory.json.jbuilder create mode 100644 app/views/api/v1/advisories/index.json.jbuilder create mode 100644 app/views/api/v1/advisories/show.json.jbuilder diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb new file mode 100644 index 000000000..f4496442f --- /dev/null +++ b/app/controllers/api/v1/advisories_controller.rb 
@@ -0,0 +1,36 @@ +# -*- encoding : utf-8 -*- +class Api::V1::AdvisoriesController < Api::V1::BaseController + before_filter :authenticate_user! + skip_before_filter :authenticate_user! if APP_CONFIG['anonymous_access'] + load_resource :find_by => :advisory_id + authorize_resource + + def index + @advisories = @advisories.scoped(:include => :platforms). + paginate(paginate_params) + end + + def show + fetch_packages_info + end + + protected + + # this method fetches and structurize packages attached to current advisory. + def fetch_packages_info + @packages_info = Hash.new { |h, k| h[k] = {} } # maaagic, it's maaagic ;) + @advisory.build_lists.find_in_batches(:include => [:save_to_platform, :packages, :project]) do |batch| + batch.each do |build_list| + tmp = build_list.packages.inject({:srpm => nil, :rpm => []}) do |h, p| + p.package_type == 'binary' ? h[:rpm] << p.fullname : h[:srpm] = p.fullname + h + end + h = { build_list.project => tmp } + @packages_info[build_list.save_to_platform].merge!(h) do |pr, old, new| + {:srpm => new[:srpm], :rpm => old[:rpm].concat(new[:rpm]).uniq} + end + end + end + end + +end diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb index 488c215f2..a44addbf1 100644 --- a/app/controllers/api/v1/base_controller.rb +++ b/app/controllers/api/v1/base_controller.rb @@ -68,7 +68,7 @@ class Api::V1::BaseController < ApplicationController id = status != 200 ? nil : subject.id render :json => { - subject.class.name.downcase.to_sym => { + subject.class.name.underscore.to_sym => { :id => id, :message => message } diff --git a/app/views/api/v1/advisories/_advisory.json.jbuilder b/app/views/api/v1/advisories/_advisory.json.jbuilder new file mode 100644 index 000000000..5205ddc29 --- /dev/null +++ b/app/views/api/v1/advisories/_advisory.json.jbuilder 
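Review bot: In `fetch_packages_info` the `merge!` block always takes `:srpm => new[:srpm]`, so when two build lists of the same project land on one platform and the later one carries no source package, the name already collected is replaced by nil. `:srpm => new[:srpm] || old[:srpm]` keeps it. The comment `# maaagic, it's maaagic ;)` would be more useful as a description of the result, for example `# platform => { project => { :srpm => name, :rpm => [names] } }`. The method lies entirely inside this hunk.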
@@ -0,0 +1,12 @@
+json.id advisory.advisory_id
+json.(advisory, :description)
+json.platforms advisory.platforms do |json_platform, platform|
+ json_platform.(platform, :id, :released)
+ json_platform.url api_v1_platform_path(platform.id, :format => :json)
+end
+json.projects advisory.projects do |json_project, project|
+ json_project.(project, :id, :name)
+ json_project.fullname project.name_with_owner
+ json_project.url api_v1_project_path(project.id, :format => :json)
+end
+json.url api_v1_advisory_path(advisory.advisory_id, :format => :json)
\ No newline at end of file
diff --git a/app/views/api/v1/advisories/index.json.jbuilder b/app/views/api/v1/advisories/index.json.jbuilder
new file mode 100644
index 000000000..c0248c828
--- /dev/null
+++ b/app/views/api/v1/advisories/index.json.jbuilder
@@ -0,0 +1,4 @@
+json.advisories @advisories do |json, advisory|
+ json.partial! 'advisory', :advisory => advisory, :json => json
+end
+json.url api_v1_advisories_path(:format => :json)
\ No newline at end of file
diff --git a/app/views/api/v1/advisories/show.json.jbuilder b/app/views/api/v1/advisories/show.json.jbuilder
new file mode 100644
index 000000000..0083293ee
--- /dev/null
+++ b/app/views/api/v1/advisories/show.json.jbuilder
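Review bot: The `json.projects` block in the `_advisory` partial emits `id`, `name` and `name_with_owner` for every project linked to the advisory, and nothing in the partial checks whether the requester may read that project. The controller authorizes only the Advisory, and its `skip_before_filter` can open `index` and `show` to anonymous callers, so a project with restricted visibility could be named to someone who cannot open it; the Ability rules are not visible here, so this needs confirming. If projects can be non-public, filter the collection before rendering, for example `advisory.projects.select { |p| can?(:read, p) }`. The `build_lists` and `affected_in` blocks of show.json.jbuilder list build lists, platforms and projects the same way.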
@@ -0,0 +1,24 @@ +json.advisory do |json| + json.partial! 'advisory', :advisory => @advisory, :json => json + json.created_at @advisory.created_at.to_i + json.updated_at @advisory.updated_at.to_i + json.build_lists @advisory.build_lists do |json_build_list, build_list| + json_build_list.(build_list, :id) + json_build_list.url api_v1_build_list_path(build_list.id, :format => :json) + end + + json.affected_in @packages_info do |json_platform, package_info| + platform = package_info[0] + json_platform.(platform, :id) + json_platform.url api_v1_platform_path(platform.id, :format => :json) + json_platform.projects package_info[1] do |json_project, info| + project = info[0] + json_project.(project, :id) + json_project.url api_v1_project_path(project.id, :format => :json) + packages = info[1] + json_project.srpm packages[:srpm] + json_project.rpm packages[:rpm] + end + end + +end diff --git a/config/routes.rb b/config/routes.rb index bd1691c70..7f9fff5d8 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -12,6 +12,7 @@ Rosa::Application.routes.draw do namespace :api do namespace :v1 do + resources :advisories, :only => [:index, :show] resources :build_lists, :only => [:index, :create, :show] do member { get :publish From 00a88583484b416046ec5c0cd5f51a59e3ca857e Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 17:08:40 +0400 Subject: [PATCH 02/11] #698: updated Advisories#show API --- app/views/api/v1/advisories/show.json.jbuilder | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/views/api/v1/advisories/show.json.jbuilder b/app/views/api/v1/advisories/show.json.jbuilder index 0083293ee..e6d4988cc 100644 --- a/app/views/api/v1/advisories/show.json.jbuilder +++ b/app/views/api/v1/advisories/show.json.jbuilder 
@@ -2,6 +2,9 @@ json.advisory do |json| json.partial! 'advisory', :advisory => @advisory, :json => json json.created_at @advisory.created_at.to_i json.updated_at @advisory.updated_at.to_i + json.(@advisory, :update_type) + json.references @advisory.references.split('\n') + json.build_lists @advisory.build_lists do |json_build_list, build_list| json_build_list.(build_list, :id) json_build_list.url api_v1_build_list_path(build_list.id, :format => :json) From 68dbae8c836252b81d83b5c3df9c56815aad2b9c Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 18:17:50 +0400 Subject: [PATCH 03/11] #698: added #create and #fork actions for Advisories API --- app/controllers/advisories_controller.rb | 23 +- .../api/v1/advisories_controller.rb | 41 +-- .../projects/build_lists_controller.rb | 15 +- app/models/advisory.rb | 278 +++++++++++++++--- app/models/build_list.rb | 8 + config/routes.rb | 2 +- 6 files changed, 274 insertions(+), 93 deletions(-) diff --git a/app/controllers/advisories_controller.rb b/app/controllers/advisories_controller.rb index 9bbf15f6c..912509508 100644 --- a/app/controllers/advisories_controller.rb +++ b/app/controllers/advisories_controller.rb @@ -5,8 +5,6 @@ class AdvisoriesController < ApplicationController load_resource :find_by => :advisory_id authorize_resource - before_filter :fetch_packages_info, :only => [:show] - def index @advisories = @advisories.scoped(:include => :platforms) @advisories = @advisories.search_by_id(params[:q]) if params[:q] @@ -18,6 +16,7 @@ class AdvisoriesController < ApplicationController end def show + @packages_info = @advisory.fetch_packages_info end def search 
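Review bot: `@advisory.references.split('\n')` uses single quotes, so it splits on a backslash followed by `n` rather than on a newline, and the API returns all references as one string; it also raises when `references` is nil. `json.references @advisory.references.to_s.split("\n")` handles both cases. `normalize_references` in app/models/advisory.rb, as restored in PATCH 04, has the same `split('\n')`. That method also stores the value through `CGI::escapeHTML`, so API clients will receive HTML entities inside these URLs, which is worth stating in the API documentation.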
@@ -27,24 +26,4 @@ class AdvisoriesController < ApplicationController format.json { render @advisory } end end - - protected - - # this method fetches and structurize packages attached to current advisory. - def fetch_packages_info - @packages_info = Hash.new { |h, k| h[k] = {} } # maaagic, it's maaagic ;) - @advisory.build_lists.find_in_batches(:include => [:save_to_platform, :packages, :project]) do |batch| - batch.each do |build_list| - tmp = build_list.packages.inject({:srpm => nil, :rpm => []}) do |h, p| - p.package_type == 'binary' ? h[:rpm] << p.fullname : h[:srpm] = p.fullname - h - end - h = { build_list.project => tmp } - @packages_info[build_list.save_to_platform].merge!(h) do |pr, old, new| - {:srpm => new[:srpm], :rpm => old[:rpm].concat(new[:rpm]).uniq} - end - end - end - end - end diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index f4496442f..520e93560 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -1,9 +1,11 @@ # -*- encoding : utf-8 -*- class Api::V1::AdvisoriesController < Api::V1::BaseController before_filter :authenticate_user! - skip_before_filter :authenticate_user! if APP_CONFIG['anonymous_access'] - load_resource :find_by => :advisory_id - authorize_resource + skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access'] + load_and_authorize_resource :advisory, + :find_by => :advisory_id, :only => [:show, :update] + load_and_authorize_resource :build_list, + :find_by => :build_list_id, :only => [:create, :update] def index @advisories = @advisories.scoped(:include => :platforms). 
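Review bot: `:find_by => :build_list_id` on the `:build_list` resource in Api::V1::AdvisoriesController looks wrong. As far as I know CanCan's `:find_by` names the model attribute to search on, not the request parameter, so this asks for a `build_list_id` column on BuildList, which nothing visible here defines. If the intent is to load the build list from `params[:build_list_id]`, drop the option (`load_and_authorize_resource :build_list, :only => [:create, :update]`) and confirm which parameter API clients send. The class body continues outside this hunk.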
@@ -11,25 +13,26 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def show - fetch_packages_info + @packages_info = @advisory.fetch_packages_info end - protected + def create + @advisory = @build_list.build_and_associate_advisory(params[:advisory]) + if @build_list.status == BuildList::BUILD_PUBLISHED && + @advisory.save && @build_list.save + render_json_response @advisory, 'Advisory has been created successfully' + else + render_validation_error @advisory, error_message(@build_list, 'Advisory has not been created') + end + end - # this method fetches and structurize packages attached to current advisory. - def fetch_packages_info - @packages_info = Hash.new { |h, k| h[k] = {} } # maaagic, it's maaagic ;) - @advisory.build_lists.find_in_batches(:include => [:save_to_platform, :packages, :project]) do |batch| - batch.each do |build_list| - tmp = build_list.packages.inject({:srpm => nil, :rpm => []}) do |h, p| - p.package_type == 'binary' ? h[:rpm] << p.fullname : h[:srpm] = p.fullname - h - end - h = { build_list.project => tmp } - @packages_info[build_list.save_to_platform].merge!(h) do |pr, old, new| - {:srpm => new[:srpm], :rpm => old[:rpm].concat(new[:rpm]).uniq} - end - end + def update + if @build_list.status == BuildList::BUILD_PUBLISHED && + @advisory.attach_build_list(@build_list) && + @advisory.save && @build_list.save + render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" + else + render_validation_error @advisory, error_message(@build_list, 'Build list has not been attached to advisory') end end diff --git a/app/controllers/projects/build_lists_controller.rb b/app/controllers/projects/build_lists_controller.rb index 570814681..c066be64c 100644 --- a/app/controllers/projects/build_lists_controller.rb +++ b/app/controllers/projects/build_lists_controller.rb 
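Review bot: `create` and `update` modify a build list (they set its advisory and save it), but the only permission gate on `@build_list` is the `load_and_authorize_resource :build_list` declared at the top of the class. Confirm which ability that call checks: for a resource other than the controller's own, CanCan authorizes a read-level action as far as I know, which would let any user who can view a published build list attach an advisory to it. An explicit `authorize! :update, @build_list` at the start of both actions makes the requirement visible. Specs that call `create` and `update` as a guest and as an unrelated user would pin this down.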
@@ -196,23 +196,14 @@ class Projects::BuildListsController < Projects::BaseController if params[:attach_advisory] == 'new' # create new advisory - unless @build_list.build_advisory(params[:build_list][:advisory]) do |a| - a.update_type = @build_list.update_type - a.projects << @build_list.project - a.platforms << @build_list.save_to_platform unless a.platforms.include? @build_list.save_to_platform - end.save + advisory = @build_list.build_and_associate_advisory(params[:build_list][:advisory]) + unless advisory.save redirect_to :back, :notice => t('layout.build_lists.publish_fail') and return end else # attach existing advisory a = Advisory.where(:advisory_id => params[:attach_advisory]).limit(1).first - if a.update_type != @build_list.update_type - redirect_to :back, :notice => t('layout.build_lists.publish_fail') and return - end - a.platforms << @build_list.save_to_platform unless a.platforms.include? @build_list.save_to_platform - a.projects << @build_list.project unless a.projects.include? @build_list.project - @build_list.advisory = a - unless a.save + if !(a && a.attach_build_list(@build_list) && a.save) redirect_to :back, :notice => t('layout.build_lists.publish_fail') and return end end diff --git a/app/models/advisory.rb b/app/models/advisory.rb index 4410ba621..60ed6fcf4 100644 --- a/app/models/advisory.rb +++ b/app/models/advisory.rb 
@@ -1,41 +1,241 @@ -class Advisory < ActiveRecord::Base - has_and_belongs_to_many :platforms - has_and_belongs_to_many :projects - has_many :build_lists - - validates :description, :update_type, :presence => true - validates :update_type, :inclusion => BuildList::RELEASE_UPDATE_TYPES - - after_create :generate_advisory_id - before_save :normalize_references, :if => :references_changed? - - ID_TEMPLATE = 'ROSA-%s-%d:%04d' - ID_STRING_TEMPLATE = 'ROSA-%s-%04s:%04s' - TYPES = {'security' => 'SA', 'bugfix' => 'A'} - - scope :search_by_id, lambda { |aid| where('advisory_id ILIKE ?', "%#{aid.to_s.strip}%") } - scope :by_update_type, lambda { |ut| where(:update_type => ut) } - default_scope order('created_at DESC') - - def to_param - advisory_id - end - - protected - - def generate_advisory_id - self.advisory_id = sprintf(ID_TEMPLATE, :type => TYPES[self.update_type], :year => Time.now.utc.year, :id => self.id) - self.save - end - - def normalize_references - self.references.gsub!(/\r| /, '') - self.references = self.references.split('\n').map do |ref| - ref = CGI::escapeHTML(ref) - ref = "http://#{ref}" unless ref =~ %r[^http(s?)://*] - ref - end.join("\n") - end +# -*- encoding : utf-8 -*- +require 'spec_helper' +shared_examples_for "api projects user with reader rights" do + include_examples "api projects user with show rights" +end + +shared_examples_for "api projects user with reader rights for hidden project" do + before(:each) do + @project.update_column(:visibility, 'hidden') + end + + it_should_behave_like 'api projects user with show rights' +end + +shared_examples_for "api projects user without reader rights for hidden project" do + before(:each) do + @project.update_column(:visibility, 'hidden') + end + + it_should_behave_like 'api projects user without show rights' +end + +shared_examples_for "api projects user without show rights" do + it "should show access violation instead of project data" do + get :show, :id => @project.id, :format => :json + 
response.should_not be_success + end + + it "should show access violation instead of project refs_list" do + get :refs_list, :id => @project.id, :format => :json + response.should_not be_success + end + + it "should access violation instead of project data by get_id" do + get :get_id, :name => @project.name, :owner => @project.owner.uname, :format => :json + response.should_not be_success + end +end + +shared_examples_for "api projects user with show rights" do + it "should show project data" do + get :show, :id => @project.id, :format => :json + render_template(:show) + end + + it "should show refs_list of project" do + get :refs_list, :id => @project.id, :format => :json + render_template(:refs_list) + end + + context 'project find by get_id' do + it "should find project by name and owner name" do + @project.reload + get :get_id, :name => @project.name, :owner => @project.owner.uname, :format => :json + assigns[:project].id.should == @project.id + end + + it "should not find project by non existing name and owner name" do + get :get_id, :name => 'NONE_EXISTING_NAME', :owner => @project.owner.uname, :format => :json + assigns[:project].should be_blank + end + + it "should render 404 for non existing name and owner name" do + get :get_id, :name => 'NONE_EXISTING_NAME', :owner => @project.owner.uname, :format => :json + response.body.should == {:message => I18n.t("flash.404_message")}.to_json + end + end +end + +describe Api::V1::AdvisoriesController do + + before(:each) do + stub_symlink_methods + + @project = FactoryGirl.create(:project) + @hidden_project = FactoryGirl.create(:project) + @another_user = FactoryGirl.create(:user) + end + + context 'for guest' do + + if APP_CONFIG['anonymous_access'] + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user without reader rights for hidden project' + else + it_should_behave_like 'api projects user without show rights' + end + + end + + context 'for simple user' do + 
before(:each) do + @user = FactoryGirl.create(:user) + http_login(@user) + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user without reader rights for hidden project' + end + + context 'for admin' do + before(:each) do + @admin = FactoryGirl.create(:admin) + http_login(@admin) + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'for owner user' do + before(:each) do + @user = FactoryGirl.create(:user) + http_login(@user) + @project.owner = @user; @project.save + @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'admin') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'for reader user' do + before(:each) do + @user = FactoryGirl.create(:user) + http_login(@user) + @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'reader') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'for writer user' do + before(:each) do + @user = FactoryGirl.create(:user) + http_login(@user) + @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'writer') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'for group' do + before(:each) do + @group = FactoryGirl.create(:group) + @group_user = FactoryGirl.create(:user) + @project.relations.destroy_all + http_login(@group_user) + end + + context 'with no relations to project' do + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user without reader rights for hidden 
project' + end + + context 'owner of the project' do + before(:each) do + @project.owner = @group; @project.save + @project.relations.create :actor_id => @project.owner.id, :actor_type => @project.owner.class.to_s, :role => 'admin' + end + + context 'reader user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'admin user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + end + + context 'member of the project' do + context 'with admin rights' do + before(:each) do + @project.relations.create :actor_id => @group.id, :actor_type => @group.class.to_s, :role => 'admin' + end + + context 'reader user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + + context 'admin user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + end + + context 'with reader rights' do + before(:each) do + @project.relations.create :actor_id => @group.id, :actor_type => @group.class.to_s, :role => 'reader' + end + + context 'reader user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') + end + + it_should_behave_like 'api 
projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + + context 'user should has best role' do + before(:each) do + @project.relations.create :actor_id => @group_user.id, :actor_type => @group_user.class.to_s, :role => 'admin' + end + it_should_behave_like 'api projects user with reader rights' + end + end + + context 'admin user' do + before(:each) do + @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') + end + + it_should_behave_like 'api projects user with reader rights' + it_should_behave_like 'api projects user with reader rights for hidden project' + end + end + end + end end -Advisory.include_root_in_json = false diff --git a/app/models/build_list.rb b/app/models/build_list.rb index 37f68a827..1540a3842 100644 --- a/app/models/build_list.rb +++ b/app/models/build_list.rb @@ -303,6 +303,14 @@ class BuildList < ActiveRecord::Base #[WAITING_FOR_RESPONSE, BuildServer::BUILD_PENDING, BuildServer::BUILD_STARTED].include?(status) end + def build_and_associate_advisory(params) + build_advisory(params) do |a| + a.update_type = update_type + a.projects << project + a.platforms << save_to_platform unless a.platforms.include? save_to_platform + end + end + protected def notify_users diff --git a/config/routes.rb b/config/routes.rb index 7f9fff5d8..3ddaf3279 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -12,7 +12,7 @@ Rosa::Application.routes.draw do namespace :api do namespace :v1 do - resources :advisories, :only => [:index, :show] + resources :advisories, :only => [:index, :show, :create, :update] resources :build_lists, :only => [:index, :create, :show] do member { get :publish From 334fc9a574745832d00ec86d6204374a77e938e2 Mon Sep 17 00:00:00 2001 
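Review bot: app/models/advisory.rb ends up holding an RSpec file (`require 'spec_helper'`, `describe Api::V1::AdvisoriesController`) instead of the `Advisory` class, while the controllers changed in the same commit call `@advisory.fetch_packages_info` and `attach_build_list`. The application cannot load the model at this revision, which breaks bisecting. PATCH 04 restores the model; squashing the two commits would keep every revision loadable.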
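Review bot: `build_and_associate_advisory` hands the caller's hash straight to `build_advisory`, and both callers pass request parameters (`params[:advisory]` and `params[:build_list][:advisory]`). The Advisory model shown in this series declares no `attr_accessible`, so unless attributes are whitelisted elsewhere a client can set any column, `advisory_id` included. Declaring `attr_accessible :description, :references` in Advisory closes that, assuming those are the only user-supplied fields. A one-line comment stating that `update_type`, project and platform are always taken from the build list would also help.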
From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 18:29:31 +0400 Subject: [PATCH 04/11] #698: revert advisory model --- app/models/advisory.rb | 284 ++++++++--------------------------------- 1 file changed, 55 insertions(+), 229 deletions(-) diff --git a/app/models/advisory.rb b/app/models/advisory.rb index 60ed6fcf4..50c667ff8 100644 --- a/app/models/advisory.rb +++ b/app/models/advisory.rb 
@@ -1,241 +1,67 @@ -# -*- encoding : utf-8 -*- -require 'spec_helper' +class Advisory < ActiveRecord::Base + has_and_belongs_to_many :platforms + has_and_belongs_to_many :projects + has_many :build_lists -shared_examples_for "api projects user with reader rights" do - include_examples "api projects user with show rights" -end + validates :description, :update_type, :presence => true + validates :update_type, :inclusion => BuildList::RELEASE_UPDATE_TYPES -shared_examples_for "api projects user with reader rights for hidden project" do - before(:each) do - @project.update_column(:visibility, 'hidden') + after_create :generate_advisory_id + before_save :normalize_references, :if => :references_changed? + + ID_TEMPLATE = 'ROSA-%s-%d:%04d' + ID_STRING_TEMPLATE = 'ROSA-%s-%04s:%04s' + TYPES = {'security' => 'SA', 'bugfix' => 'A'} + + scope :search_by_id, lambda { |aid| where('advisory_id ILIKE ?', "%#{aid.to_s.strip}%") } + scope :by_update_type, lambda { |ut| where(:update_type => ut) } + default_scope order('created_at DESC') + + def to_param + advisory_id end - it_should_behave_like 'api projects user with show rights' -end - -shared_examples_for "api projects user without reader rights for hidden project" do - before(:each) do - @project.update_column(:visibility, 'hidden') + def attach_build_list(build_list) + return false if update_type != build_list.update_type + self.platforms << build_list.save_to_platform unless platforms.include? build_list.save_to_platform + self.projects << build_list.project unless projects.include? 
build_list.project + build_list.advisory = self + true end - it_should_behave_like 'api projects user without show rights' -end - -shared_examples_for "api projects user without show rights" do - it "should show access violation instead of project data" do - get :show, :id => @project.id, :format => :json - response.should_not be_success - end - - it "should show access violation instead of project refs_list" do - get :refs_list, :id => @project.id, :format => :json - response.should_not be_success - end - - it "should access violation instead of project data by get_id" do - get :get_id, :name => @project.name, :owner => @project.owner.uname, :format => :json - response.should_not be_success - end -end - -shared_examples_for "api projects user with show rights" do - it "should show project data" do - get :show, :id => @project.id, :format => :json - render_template(:show) - end - - it "should show refs_list of project" do - get :refs_list, :id => @project.id, :format => :json - render_template(:refs_list) - end - - context 'project find by get_id' do - it "should find project by name and owner name" do - @project.reload - get :get_id, :name => @project.name, :owner => @project.owner.uname, :format => :json - assigns[:project].id.should == @project.id - end - - it "should not find project by non existing name and owner name" do - get :get_id, :name => 'NONE_EXISTING_NAME', :owner => @project.owner.uname, :format => :json - assigns[:project].should be_blank - end - - it "should render 404 for non existing name and owner name" do - get :get_id, :name => 'NONE_EXISTING_NAME', :owner => @project.owner.uname, :format => :json - response.body.should == {:message => I18n.t("flash.404_message")}.to_json - end - end -end - -describe Api::V1::AdvisoriesController do - - before(:each) do - stub_symlink_methods - - @project = FactoryGirl.create(:project) - @hidden_project = FactoryGirl.create(:project) - @another_user = FactoryGirl.create(:user) - end - - context 'for guest' do 
- - if APP_CONFIG['anonymous_access'] - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user without reader rights for hidden project' - else - it_should_behave_like 'api projects user without show rights' - end - - end - - context 'for simple user' do - before(:each) do - @user = FactoryGirl.create(:user) - http_login(@user) - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user without reader rights for hidden project' - end - - context 'for admin' do - before(:each) do - @admin = FactoryGirl.create(:admin) - http_login(@admin) - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'for owner user' do - before(:each) do - @user = FactoryGirl.create(:user) - http_login(@user) - @project.owner = @user; @project.save - @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'admin') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'for reader user' do - before(:each) do - @user = FactoryGirl.create(:user) - http_login(@user) - @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'reader') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'for writer user' do - before(:each) do - @user = FactoryGirl.create(:user) - http_login(@user) - @project.relations.create!(:actor_type => 'User', :actor_id => @user.id, :role => 'writer') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'for group' do - before(:each) do - @group = 
FactoryGirl.create(:group) - @group_user = FactoryGirl.create(:user) - @project.relations.destroy_all - http_login(@group_user) - end - - context 'with no relations to project' do - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user without reader rights for hidden project' - end - - context 'owner of the project' do - before(:each) do - @project.owner = @group; @project.save - @project.relations.create :actor_id => @project.owner.id, :actor_type => @project.owner.class.to_s, :role => 'admin' - end - - context 'reader user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') + # this method fetches and structurize packages attached to current advisory. + def fetch_packages_info + packages_info = Hash.new { |h, k| h[k] = {} } # maaagic, it's maaagic ;) + build_lists.find_in_batches(:include => [:save_to_platform, :packages, :project]) do |batch| + batch.each do |build_list| + tmp = build_list.packages.inject({:srpm => nil, :rpm => []}) do |h, p| + p.package_type == 'binary' ? 
h[:rpm] << p.fullname : h[:srpm] = p.fullname + h end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'admin user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - end - - context 'member of the project' do - context 'with admin rights' do - before(:each) do - @project.relations.create :actor_id => @group.id, :actor_type => @group.class.to_s, :role => 'admin' - end - - context 'reader user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - - context 'admin user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - end - end - - context 'with reader rights' do - before(:each) do - @project.relations.create :actor_id => @group.id, :actor_type => @group.class.to_s, :role => 'reader' - end - - context 'reader user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'reader') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' - - context 'user should has best role' do - before(:each) do - @project.relations.create :actor_id => @group_user.id, :actor_type => @group_user.class.to_s, :role => 'admin' - end - it_should_behave_like 'api projects 
user with reader rights' - end - end - - context 'admin user' do - before(:each) do - @group.actors.create(:actor_id => @group_user.id, :actor_type => 'User', :role => 'admin') - end - - it_should_behave_like 'api projects user with reader rights' - it_should_behave_like 'api projects user with reader rights for hidden project' + h = { build_list.project => tmp } + packages_info[build_list.save_to_platform].merge!(h) do |pr, old, new| + {:srpm => new[:srpm], :rpm => old[:rpm].concat(new[:rpm]).uniq} end end end + packages_info end + + protected + + def generate_advisory_id + self.advisory_id = sprintf(ID_TEMPLATE, :type => TYPES[self.update_type], :year => Time.now.utc.year, :id => self.id) + self.save + end + + def normalize_references + self.references.gsub!(/\r| /, '') + self.references = self.references.split('\n').map do |ref| + ref = CGI::escapeHTML(ref) + ref = "http://#{ref}" unless ref =~ %r[^http(s?)://*] + ref + end.join("\n") + end + end +Advisory.include_root_in_json = false \ No newline at end of file From a3252594b8b04deee614dfe45962e80cd3364d80 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 18:32:43 +0400 Subject: [PATCH 05/11] #698: fixed #index action in Advisories controller --- app/controllers/api/v1/advisories_controller.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index 520e93560..688b72ee8 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb 
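Review bot: In `normalize_references` the scheme check `%r[^http(s?)://*]` is anchored with `^`, which in Ruby matches at the start of any line, and the preceding `split('\n')` does not split on newlines because of the single quotes. A multi-line value is therefore checked as a whole, and it is stored without the `http://` prefix whenever any one of its lines starts with http, whatever the first line holds. Splitting with `split("\n")` and testing each entry with `%r[\Ahttps?://]` makes the check apply to every reference.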
@@ -2,8 +2,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController before_filter :authenticate_user! skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access'] - load_and_authorize_resource :advisory, - :find_by => :advisory_id, :only => [:show, :update] + load_and_authorize_resource :advisory, :find_by => :advisory_id load_and_authorize_resource :build_list, :find_by => :build_list_id, :only => [:create, :update] From f3eff0da923ed3144c45da4fcbe3bcaf52e1b694 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 18:58:13 +0400 Subject: [PATCH 06/11] #698: added specs for #index, #show actions --- .../api/v1/advisories_controller_spec.rb | 72 +++++++++++++++++++ spec/factories/advisories.rb | 7 ++ 2 files changed, 79 insertions(+) create mode 100644 spec/controllers/api/v1/advisories_controller_spec.rb create mode 100644 spec/factories/advisories.rb diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb new file mode 100644 index 000000000..061f27c19 --- /dev/null +++ b/spec/controllers/api/v1/advisories_controller_spec.rb 
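Review bot: The new `load_and_authorize_resource :advisory, :find_by => :advisory_id` line has no `:only`, so the advisory filter now runs on every action instead of the two it covered before. If the aim is only to get `@advisories` loaded for `index`, as the commit title suggests, and `create` is meant to stay governed by the build_list filter, listing the actions keeps the scope explicit: `load_and_authorize_resource :advisory, :find_by => :advisory_id, :only => [:index, :show, :update]`. With anonymous access enabled, `index` and `show` skip authentication, so the guest ability for Advisory decides access here. That ability is not visible in this patch and is worth confirming.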
@@ -0,0 +1,72 @@
+# -*- encoding : utf-8 -*-
+require 'spec_helper'
+
+shared_examples_for 'api advisories user with show rights' do
+ it 'should be able to perform show action' do
+ get :show, :id => @advisory.advisory_id, :format => :json
+ response.should be_success
+ end
+
+ it 'should be able to perform index action' do
+ get :index, :format => :json
+ response.should be_success
+ end
+end
+
+describe Api::V1::AdvisoriesController do
+
+ before do
+ stub_symlink_methods
+
+ @advisory = FactoryGirl.create(:advisory)
+ @build_list = FactoryGirl.create(:build_list_core)
+ @another_user = FactoryGirl.create(:user)
+ end
+
+ context 'for guest' do
+
+ if APP_CONFIG['anonymous_access']
+ it_should_behave_like 'api advisories user with show rights'
+ end
+
+ it 'should not be able to perform show action', :anonymous_access => false do
+ get :show, :id => @advisory.advisory_id, :format => :json
+ response.should_not be_success
+ end
+
+ it 'should not be able to perform index action', :anonymous_access => false do
+ get :index, :format => :json
+ response.should_not be_success
+ end
+
+ end
+
+ context 'for simple user' do
+ before do
+ @user = FactoryGirl.create(:user)
+ http_login(@user)
+ end
+ it_should_behave_like 'api advisories user with show rights'
+
+ end
+
+ context 'for admin' do
+ before do
+ @admin = FactoryGirl.create(:admin)
+ http_login(@admin)
+ end
+
+ it_should_behave_like 'api advisories user with show rights'
+ end
+
+ context 'for user who has access to update build_list' do
+ before do
+ @user = FactoryGirl.create(:user)
+ @build_list.project.relations.create(:role => 'фвьшт', :actor => @user)
+ http_login(@user)
+ end
+
+ it_should_behave_like 'api advisories user with show rights'
+ end
+
+end
diff --git a/spec/factories/advisories.rb b/spec/factories/advisories.rb
new file mode 100644
index 000000000..11094106a
--- /dev/null
+++ b/spec/factories/advisories.rb
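Review bot: In the last context of the spec, 'for user who has access to update build_list', the relation is created with `:role => 'фвьшт'`, which looks like `admin` typed on a Cyrillic keyboard layout and is presumably not a valid role. The context therefore does not set up the access its name describes. It still passes because the shared example only checks `show` and `index`, which the 'for simple user' context already covers. I would write `@build_list.project.relations.create(:role => 'admin', :actor => @user)` and assert that the relation was persisted. `@another_user` in the top-level `before` is not used anywhere in this file.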
@@ -0,0 +1,7 @@ +# -*- encoding : utf-8 -*- +FactoryGirl.define do + factory :advisory do + description { FactoryGirl.generate(:string) } + update_type 'security' + end +end From 84e5f3ead3b3ebd51e28e228e861d30988200a40 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 19:44:28 +0400 Subject: [PATCH 07/11] #698: updated specs, permission access --- .../api/v1/advisories_controller.rb | 15 +++- .../api/v1/advisories_controller_spec.rb | 79 ++++++++++++++++++- 2 files changed, 86 insertions(+), 8 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index 688b72ee8..9e90f748d 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -2,9 +2,9 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController before_filter :authenticate_user! skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access'] - load_and_authorize_resource :advisory, :find_by => :advisory_id - load_and_authorize_resource :build_list, - :find_by => :build_list_id, :only => [:create, :update] + load_resource :advisory, :find_by => :advisory_id + before_filter :find_build_list, :only => [:create, :update] + authorize_resource :build_list, :only => [:create, :update] def index @advisories = @advisories.scoped(:include => :platforms). @@ -26,7 +26,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @build_list.status == BuildList::BUILD_PUBLISHED && + if @advisory && @build_list.status == BuildList::BUILD_PUBLISHED && @advisory.attach_build_list(@build_list) && @advisory.save && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" 
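Review bot: Replacing `load_and_authorize_resource :advisory` with `load_resource :advisory` in the first controller hunk drops the CanCan check on the advisory itself, so `show` and `update` now load a record by `advisory_id` with no `authorize!` on it. For `update` the only gate left is on the build list (`authorize! :publish, @build_list` in `find_build_list`, plus `authorize_resource :build_list`), so a caller who may publish one build list can attach it to any advisory; whether that is intended is not visible here. If read access should still go through the ability, keep it explicit with `authorize_resource :advisory, :only => [:index, :show]`. The two build-list checks also overlap (`:publish` in the filter, then `:create`/`:update` from `authorize_resource`), and a short comment saying which one is the intended rule would help.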
@@ -35,4 +35,11 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end end + protected + + def find_build_list + @build_list = BuildList.find params[:build_list_id] + authorize! :publish, @build_list + end + end diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb index 061f27c19..cbac3a514 100644 --- a/spec/controllers/api/v1/advisories_controller_spec.rb +++ b/spec/controllers/api/v1/advisories_controller_spec.rb 
@@ -13,6 +13,74 @@ shared_examples_for 'api advisories user with show rights' do end end +shared_examples_for 'api advisories user with admin rights' do + context 'api advisories user with create rights' do + let(:params) { {:build_list_id => @build_list.id, :advisory => {:description => 'test'}} } + it 'should be able to perform create action' do + post :create, params, :format => :json + response.should be_success + end + it 'ensures that advisory has been created' do + lambda { post :create, params, :format => :json }.should change{ Advisory.count }.by(1) + end + it 'ensures that build_list has been associated with advisory' do + post :create, params, :format => :json + @build_list.reload + @build_list.advisory.should_not be_nil + end + end + + context 'api advisories user with update rights' do + let(:params) { {:id => @advisory.advisory_id, :build_list_id => @build_list.id} } + it 'should be able to perform update action' do + put :update, params, :format => :json + response.should be_success + end + it 'ensures that advisory has not been created' do + lambda { put :update, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has been associated with advisory' do + put :update, params, :format => :json + @build_list.reload + @build_list.advisory.should_not be_nil + end + end +end + +shared_examples_for 'api advisories user without admin rights' do + context 'api advisories user without create rights' do + let(:params) { {:build_list_id => @build_list.id, :advisory => {:description => 'test'}} } + it 'should not be able to perform create action' do + post :create, params, :format => :json + response.should_not be_success + end + it 'ensures that advisory has not been created' do + lambda { post :create, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has not been associated with advisory' do + post :create, params, :format => :json + @build_list.reload + 
@build_list.advisory.should be_nil + end + end + + context 'api advisories user without update rights' do + let(:params) { {:id => @advisory.advisory_id, :build_list_id => @build_list.id} } + it 'should not be able to perform update action' do + put :update, params, :format => :json + response.should_not be_success + end + it 'ensures that advisory has not been created' do + lambda { put :update, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has not been associated with advisory' do + put :update, params, :format => :json + @build_list.reload + @build_list.advisory.should be_nil + end + end +end + describe Api::V1::AdvisoriesController do before do @@ -20,7 +88,7 @@ describe Api::V1::AdvisoriesController do @advisory = FactoryGirl.create(:advisory) @build_list = FactoryGirl.create(:build_list_core) - @another_user = FactoryGirl.create(:user) + @build_list.update_column(:status, BuildList::BUILD_PUBLISHED) end context 'for guest' do @@ -38,7 +106,7 @@ describe Api::V1::AdvisoriesController do get :index, :format => :json response.should_not be_success end - + it_should_behave_like 'api advisories user without admin rights' end context 'for simple user' do @@ -47,7 +115,7 @@ describe Api::V1::AdvisoriesController do http_login(@user) end it_should_behave_like 'api advisories user with show rights' - + it_should_behave_like 'api advisories user without admin rights' end context 'for admin' do 
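Review bot: The new shared examples call `post :create, params, :format => :json` and `put :update, params, :format => :json`, which pass the format as a third positional argument. Assuming the Rails 3 controller test helpers this suite appears to use, that argument is the session hash, so `:format => :json` never reaches the request and these run as non-JSON requests. The 'without admin rights' examples only assert `response.should_not be_success`, which can then pass for reasons unrelated to authorization. Merging the format into the parameters fixes both: `post :create, params.merge(:format => :json)` and `put :update, params.merge(:format => :json)`. Asserting the expected status code in the negative cases would make the access-control intent explicit.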
@@ -57,16 +125,19 @@ describe Api::V1::AdvisoriesController do end it_should_behave_like 'api advisories user with show rights' + it_should_behave_like 'api advisories user with admin rights' end context 'for user who has access to update build_list' do before do @user = FactoryGirl.create(:user) - @build_list.project.relations.create(:role => 'фвьшт', :actor => @user) + @build_list.project.relations.create(:role => 'admin', :actor => @user) + @build_list.save_to_platform.relations.create(:role => 'admin', :actor => @user) http_login(@user) end it_should_behave_like 'api advisories user with show rights' + it_should_behave_like 'api advisories user with admin rights' end end From 8bbb82faa8a69e1cec2a82947bc684ef9755706c Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 20:25:24 +0400 Subject: [PATCH 08/11] #698: updated Advisories API --- app/controllers/api/v1/advisories_controller.rb | 13 +++++++++---- .../api/v1/advisories_controller_spec.rb | 3 ++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index 9e90f748d..c7addc632 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -17,8 +17,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController def create @advisory = @build_list.build_and_associate_advisory(params[:advisory]) - if @build_list.status == BuildList::BUILD_PUBLISHED && - @advisory.save && @build_list.save + if may_be_published? && @advisory.save && @build_list.save render_json_response @advisory, 'Advisory has been created successfully' else render_validation_error @advisory, error_message(@build_list, 'Advisory has not been created') 
@@ -26,7 +25,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @advisory && @build_list.status == BuildList::BUILD_PUBLISHED && + if @advisory && may_be_published? @advisory.attach_build_list(@build_list) && @advisory.save && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" @@ -39,7 +38,13 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController def find_build_list @build_list = BuildList.find params[:build_list_id] - authorize! :publish, @build_list + end + + def may_be_published? + !@build_list.save_to_repository.publish_without_qa && + can?(:update, @build_list.save_to_platform) && + @build_list.save_to_platform.released && + @build_list.status == BuildList::BUILD_PUBLISHED end end diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb index cbac3a514..bb7114c7f 100644 --- a/spec/controllers/api/v1/advisories_controller_spec.rb +++ b/spec/controllers/api/v1/advisories_controller_spec.rb @@ -88,6 +88,8 @@ describe Api::V1::AdvisoriesController do @advisory = FactoryGirl.create(:advisory) @build_list = FactoryGirl.create(:build_list_core) + @build_list.save_to_platform.update_column(:released, true) + @build_list.save_to_repository.update_column(:publish_without_qa, false) @build_list.update_column(:status, BuildList::BUILD_PUBLISHED) end @@ -131,7 +133,6 @@ describe Api::V1::AdvisoriesController do context 'for user who has access to update build_list' do before do @user = FactoryGirl.create(:user) - @build_list.project.relations.create(:role => 'admin', :actor => @user) @build_list.save_to_platform.relations.create(:role => 'admin', :actor => @user) http_login(@user) end From 5cf69bff9268f9f8e7e200f2f70348bb33b7730e Mon Sep 17 00:00:00 2001 
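Review bot: In the `update` hunk the new condition line `if @advisory && may_be_published?` has lost the trailing `&&` that the removed line had. The following `@advisory.attach_build_list(@build_list) && @advisory.save && @build_list.save` is therefore no longer part of the condition but the first statement of the `if` body. The action then renders the success message even when attaching or saving fails. The line should read `if @advisory && may_be_published? &&`. The same line is carried unchanged through the rename in [PATCH 09/11] (`if @advisory && can_attach?`).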
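Review bot: The last controller hunk removes `authorize! :publish, @build_list` from `find_build_list` and folds the permission test into `may_be_published?` as `can?(:update, @build_list.save_to_platform)`, so an unauthorized caller now falls into the `else` branch and gets a validation-style error instead of an access-denied response. In `create` the advisory is also built from `params[:advisory]` before this predicate runs. I would keep the permission check in the filter, `authorize! :update, @build_list.save_to_platform`, and leave only the state conditions (QA flag, released platform, published status) in the predicate. `authorize_resource :build_list` is still declared at the top of the controller, outside this hunk, so a comment stating which rule is authoritative would help the next reader.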
From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 20:36:29 +0400 Subject: [PATCH 09/11] #698: renamed method --- app/controllers/api/v1/advisories_controller.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index c7addc632..e66610959 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -17,7 +17,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController def create @advisory = @build_list.build_and_associate_advisory(params[:advisory]) - if may_be_published? && @advisory.save && @build_list.save + if can_attach? && @advisory.save && @build_list.save render_json_response @advisory, 'Advisory has been created successfully' else render_validation_error @advisory, error_message(@build_list, 'Advisory has not been created') @@ -25,7 +25,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @advisory && may_be_published? + if @advisory && can_attach? @advisory.attach_build_list(@build_list) && @advisory.save && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" @@ -40,7 +40,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController @build_list = BuildList.find params[:build_list_id] end - def may_be_published? + def can_attach? !@build_list.save_to_repository.publish_without_qa && can?(:update, @build_list.save_to_platform) && @build_list.save_to_platform.released && From 0cf093307473fe7d520ee91c2009ca490710d843 Mon Sep 17 00:00:00 2001 
From: Vokhmin Alexey V Date: Fri, 19 Oct 2012 11:32:12 +0400 Subject: [PATCH 10/11] #698:small refactoring --- .../api/v1/advisories_controller.rb | 22 +++++++------------ .../projects/build_lists_controller.rb | 7 +++--- app/models/advisory.rb | 2 +- app/models/build_list.rb | 15 ++++++++----- 4 files changed, 21 insertions(+), 25 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index e66610959..20d4f4d08 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -3,7 +3,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController before_filter :authenticate_user! skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access'] load_resource :advisory, :find_by => :advisory_id - before_filter :find_build_list, :only => [:create, :update] + before_filter :find_and_authorize_build_list, :only => [:create, :update] authorize_resource :build_list, :only => [:create, :update] def index @@ -16,8 +16,9 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def create - @advisory = @build_list.build_and_associate_advisory(params[:advisory]) - if can_attach? && @advisory.save && @build_list.save + if @build_list.can_attach? && + @build_list.associate_and_create_advisory(params[:advisory]) && + @build_list.save render_json_response @advisory, 'Advisory has been created successfully' else render_validation_error @advisory, error_message(@build_list, 'Advisory has not been created') 
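Review bot: After this change `create` never assigns `@advisory`: the removed line `@advisory = @build_list.build_and_associate_advisory(params[:advisory])` was the only assignment in the action, but both `render_json_response @advisory, ...` and `render_validation_error @advisory, ...` still use it. What they receive is whatever `load_resource :advisory` put there, presumably an unsaved record separate from the one created through the build list, so the response would not carry the new advisory's id or its validation errors. Rendering the associated record fixes the success path: `render_json_response @build_list.advisory, 'Advisory has been created successfully'`. The `else` branch needs the same, with a fallback for the case where `can_attach?` failed and no advisory was built.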
@@ -25,9 +26,8 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @advisory && can_attach? - @advisory.attach_build_list(@build_list) && - @advisory.save && @build_list.save + if @advisory && @build_list.can_attach? && + @advisory.attach_build_list(@build_list) && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" else render_validation_error @advisory, error_message(@build_list, 'Build list has not been attached to advisory') @@ -36,15 +36,9 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController protected - def find_build_list + def find_and_authorize_build_list @build_list = BuildList.find params[:build_list_id] - end - - def can_attach? - !@build_list.save_to_repository.publish_without_qa && - can?(:update, @build_list.save_to_platform) && - @build_list.save_to_platform.released && - @build_list.status == BuildList::BUILD_PUBLISHED + authorize! :update, @build_list.save_to_platform end end diff --git a/app/controllers/projects/build_lists_controller.rb b/app/controllers/projects/build_lists_controller.rb index c066be64c..08788ebd9 100644 --- a/app/controllers/projects/build_lists_controller.rb +++ b/app/controllers/projects/build_lists_controller.rb 
@@ -196,14 +196,13 @@ class Projects::BuildListsController < Projects::BaseController if params[:attach_advisory] == 'new' # create new advisory - advisory = @build_list.build_and_associate_advisory(params[:build_list][:advisory]) - unless advisory.save + unless @build_list.associate_and_create_advisory(params[:build_list][:advisory]) redirect_to :back, :notice => t('layout.build_lists.publish_fail') and return end else # attach existing advisory - a = Advisory.where(:advisory_id => params[:attach_advisory]).limit(1).first - if !(a && a.attach_build_list(@build_list) && a.save) + a = Advisory.where(:advisory_id => params[:attach_advisory]).first + unless (a && a.attach_build_list(@build_list)) redirect_to :back, :notice => t('layout.build_lists.publish_fail') and return end end diff --git a/app/models/advisory.rb b/app/models/advisory.rb index 50c667ff8..951a8ec8c 100644 --- a/app/models/advisory.rb +++ b/app/models/advisory.rb @@ -26,7 +26,7 @@ class Advisory < ActiveRecord::Base self.platforms << build_list.save_to_platform unless platforms.include? build_list.save_to_platform self.projects << build_list.project unless projects.include? build_list.project build_list.advisory = self - true + save end # this method fetches and structurize packages attached to current advisory. diff --git a/app/models/build_list.rb b/app/models/build_list.rb index 1540a3842..583448079 100644 --- a/app/models/build_list.rb +++ b/app/models/build_list.rb 
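Review bot: In app/models/advisory.rb, `attach_build_list` now ends in `save`, which can fail after the `self.platforms <<` and `self.projects <<` lines above it have already written. Assuming those are ordinary collection associations, they write their rows immediately when the advisory is already persisted, so a failed `save` can leave the advisory linked to a platform or project without the build list being attached. The callers changed in this patch treat the return value as the whole outcome and only afterwards save or publish the build list. Wrapping the body in `transaction do ... end` and raising `ActiveRecord::Rollback` when `save` returns false keeps the writes together. The method starts outside the hunk, so this is based on the context lines shown.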
@@ -303,12 +303,15 @@ class BuildList < ActiveRecord::Base #[WAITING_FOR_RESPONSE, BuildServer::BUILD_PENDING, BuildServer::BUILD_STARTED].include?(status) end - def build_and_associate_advisory(params) - build_advisory(params) do |a| - a.update_type = update_type - a.projects << project - a.platforms << save_to_platform unless a.platforms.include? save_to_platform - end + def associate_and_create_advisory(params) + build_advisory(params){ |a| a.update_type = update_type } + advisory.attach_build_list(self) + end + + def can_attach? + !save_to_repository.publish_without_qa && + save_to_platform.released && + status == BUILD_PUBLISHED end protected From 18ac16ae96c20f2618588fb792c8cb82dbade2be Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Fri, 19 Oct 2012 18:03:09 +0400 Subject: [PATCH 11/11] #698: small refactoring, added ckeck for main platform --- app/controllers/api/v1/advisories_controller.rb | 4 ++-- app/models/build_list.rb | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index 20d4f4d08..201c4cd98 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -16,7 +16,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def create - if @build_list.can_attach? && + if @build_list.can_attach_to_advisory? && @build_list.associate_and_create_advisory(params[:advisory]) && @build_list.save render_json_response @advisory, 'Advisory has been created successfully' @@ -26,7 +26,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @advisory && @build_list.can_attach? && + if @advisory && @build_list.can_attach_to_advisory? && @advisory.attach_build_list(@build_list) && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" else 
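Review bot: `associate_and_create_advisory` passes the caller-supplied hash straight to `build_advisory(params)`, and both callers in this series hand it request parameters (`params[:advisory]`, `params[:build_list][:advisory]`). Whether Advisory restricts mass assignment is not visible here; if it does not, fields such as `advisory_id` could be set by the client, so it is worth confirming an `attr_accessible` whitelist exists. Neither this method nor `can_attach?` checks whether the build list already has an advisory, so a second call would presumably replace the existing link. Adding `advisory.nil? &&` as the first condition in `can_attach?` would make that rule explicit.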
diff --git a/app/models/build_list.rb b/app/models/build_list.rb index 583448079..c3976f623 100644 --- a/app/models/build_list.rb +++ b/app/models/build_list.rb @@ -308,8 +308,9 @@ class BuildList < ActiveRecord::Base advisory.attach_build_list(self) end - def can_attach? + def can_attach_to_advisory? !save_to_repository.publish_without_qa && + save_to_platform.main? && save_to_platform.released && status == BUILD_PUBLISHED end