From 7da6c008e9358396e0bc696e6ee47e4b5e8488f6 Mon Sep 17 00:00:00 2001
From: yasushiito
Date: Fri, 20 Jul 2012 18:57:45 +0900
Subject: [PATCH] t#29050:fix edit permissin

---
 app/controllers/original_pictures_controller.rb | 4 +-
 app/controllers/stories_controller.rb | 8 ++-
 app/models/original_picture.rb | 6 ++
 app/models/story.rb | 6 +-
 .../original_pictures_controller_spec.rb | 4 +-
 spec/controllers/stories_controller_spec.rb | 76 +++++++++++++++++++++-
 spec/models/original_picture_spec.rb | 35 ++++++++++
 spec/models/story_spec.rb | 28 +++++++++-----
 8 files changed, 135 insertions(+), 32 deletions(-)

diff --git a/app/controllers/original_pictures_controller.rb b/app/controllers/original_pictures_controller.rb
index 31b3ca14..b9e941c9 100644
--- a/app/controllers/original_pictures_controller.rb
+++ b/app/controllers/original_pictures_controller.rb
@@ -129,7 +129,7 @@ class OriginalPicturesController < ApplicationController
 # PUT /original_pictures/1.json
 def update
 @picture_data = set_image params[:original_picture][:file]
- @original_picture = OriginalPicture.show(params[:id], @author)
+ @original_picture = OriginalPicture.edit(params[:id], @author)
 @original_picture.supply_default @artist
 
 respond_to do |format|
@@ -146,7 +146,7 @@ class OriginalPicturesController < ApplicationController
 # DELETE /original_pictures/1
 # DELETE /original_pictures/1.json
 def destroy
- @original_picture = OriginalPicture.find(params[:id], @author)
+ @original_picture = OriginalPicture.edit(params[:id], @author)
 OriginalPicture.transaction do
 @original_picture.destroy
 end
diff --git a/app/controllers/stories_controller.rb b/app/controllers/stories_controller.rb
index 15d48cae..f2ee0825 100644
--- a/app/controllers/stories_controller.rb
+++ b/app/controllers/stories_controller.rb
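Review bot: In `update`, `set_image params[:original_picture][:file]` still runs before `OriginalPicture.edit` performs the ownership check, so the upload is processed for a request that may then be refused; fetch the picture first, `@original_picture = OriginalPicture.edit(params[:id], @author)`, and call `set_image` on the following line. Both hunks hand `@author` to `edit`, whose parameter is named `artist` and which the model spec in this commit drives with `@artist`; unless `own?` (not in the diff) accepts either kind of object, one of the call sites compares the wrong id, which would either lock out the real owner or let the check pass for everyone, so confirm before merging. Neither action rescues `ActiveRecord::Forbidden`, so the status a refused client sees depends on handling outside this diff.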
@@ -87,7 +87,7 @@ class StoriesController < ApplicationController
 # PUT /stories/1
 # PUT /stories/1.json
 def update
- @story = Story.show(params[:id], @author)
+ @story = Story.edit(params[:id], @author)
 ot = @story.t
 @story.attributes = params[:story]
 @story.overwrite @author
@@ -106,8 +106,10 @@ class StoriesController < ApplicationController
 # DELETE /stories/1.js
 # DELETE /stories/1.json
 def destroy
- @story = Story.show(params[:id], @author)
- @story.destroy_and_shorten
+ @story = Story.edit(params[:id], @author)
+ Story.transaction do
+ @story.destroy_and_shorten
+ end
 respond_to do |format|
 format.html { redirect_to story_path(@story.comic) }
 format.json { head :ok }
diff --git a/app/models/original_picture.rb b/app/models/original_picture.rb
index 722e1104..96740f90 100644
--- a/app/models/original_picture.rb
+++ b/app/models/original_picture.rb
@@ -59,6 +59,12 @@ class OriginalPicture < ActiveRecord::Base
 pic
 end
 
+ def self.edit cid, artist, opt = {}
+ pic = OriginalPicture.find(cid, :include => self.show_include_opt(opt))
+ raise ActiveRecord::Forbidden unless pic.own?(artist)
+ pic
+ end
+
 def self.show_include_opt opt = {}
 res = [:license, :resource_picture]
 res.push(opt[:include]) if opt[:include]
diff --git a/app/models/story.rb b/app/models/story.rb
index 78394803..26575e67 100644
--- a/app/models/story.rb
+++ b/app/models/story.rb
@@ -23,11 +23,9 @@ class Story < ActiveRecord::Base
 self.author_id == author.id
 end
 
- def self.show sid, au = nil
+ def self.edit sid, au
 res = Story.find sid
- if au
- raise ActiveRecord::Forbidden unless res.own?(au)
- end
+ raise ActiveRecord::Forbidden unless res.own?(au)
 res
 end
 
diff --git a/spec/controllers/original_pictures_controller_spec.rb b/spec/controllers/original_pictures_controller_spec.rb
index 93596032..4eb1e8d5 100644
--- a/spec/controllers/original_pictures_controller_spec.rb
+++ b/spec/controllers/original_pictures_controller_spec.rb
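Review bot: `self.edit` in original_picture.rb lets a nil `artist` through to `pic.own?(artist)`, and the only caller in this commit passes the controller's `@author` rather than an artist; `raise ActiveRecord::Forbidden unless artist && pic.own?(artist)` keeps an unauthenticated call on the Forbidden path instead of whatever `own?` does with nil. The method is now the authorization gate for update and destroy but carries no comment; `# Same lookup as show, but raises ActiveRecord::Forbidden unless artist owns the picture (RecordNotFound propagates from find).` above the `def` would say so. The explicit `self.` on `self.show_include_opt(opt)` is unnecessary inside a class method.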
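Review bot: `Story.edit sid, nil` now fails with NoMethodError rather than ActiveRecord::Forbidden, because the ownership test on the context line above, `self.author_id == author.id` (presumably `own?`), calls `.id` on the argument; `raise ActiveRecord::Forbidden unless au && res.own?(au)` keeps a missing author on the Forbidden path. The hunk also deletes `Story.show` instead of adding `edit` beside it; if StoriesController#show or a view still calls `Story.show` (nothing in this diff touches it), that call now raises NoMethodError, so check the remaining callers before merging.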
@@ -592,7 +592,7 @@ describe OriginalPicturesController do
 describe '更新に於いて' do
 before do
 @pic = Factory :original_picture, :artist_id => @artist.id , :license_id => @license.id
- OriginalPicture.stub(:show).with(any_args()).and_return(@pic)
+ OriginalPicture.stub(:edit).with(any_args()).and_return(@pic)
 sign_in @user
 end
 context '事前チェックしておく' do
@@ -600,7 +600,7 @@ describe OriginalPicturesController do
 OriginalPicture.any_instance.stub(:store).with(any_args()).and_return(true)
 end
 it '原画モデルに単体取得を問い合わせている' do
- OriginalPicture.should_receive(:show).exactly(1)
+ OriginalPicture.should_receive(:edit).exactly(1)
 put :update, :id => @pic.id, :original_picture => Factory.attributes_for(:original_picture)
 end
 it 'モデルに更新を依頼する' do
diff --git a/spec/controllers/stories_controller_spec.rb b/spec/controllers/stories_controller_spec.rb
index 13985d93..51244820 100644
--- a/spec/controllers/stories_controller_spec.rb
+++ b/spec/controllers/stories_controller_spec.rb
@@ -262,9 +262,9 @@ describe StoriesController do
 sign_in @user
 end
 context 'つつがなく終わるとき' do
- it 'モデルに取得依頼する' do
- Story.stub(:show).with(any_args).and_return(@story)
- Story.should_receive(:show).exactly(1)
+ it 'モデルに編集取得依頼する' do
+ Story.stub(:edit).with(any_args).and_return(@story)
+ Story.should_receive(:edit).exactly(1)
 put :update, :id => @story.id, :story => @attr
 end
 it 'POSTデータから、カラム値を復元している' do
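Review bot: All three spec hunks stub `edit` with `any_args` and only count calls, so a controller that passed the wrong identity (or none) to `edit` would still be green; pin the arguments in the expectation, e.g. `Story.should_receive(:edit).with(@story.id.to_s, @author)` in the stories_controller_spec hunk (ids arrive as strings in controller specs), and likewise for the two OriginalPicture hunks. The example name in the second original_pictures hunk still says '単体取得' although the call it asserts is now `edit`; the stories hunk already renamed its example to '編集取得'.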
@@ -361,4 +361,74 @@ describe StoriesController do
 end
 end
 
+ describe '削除に於いて' do
+ before do
+ @story = Factory :story, :author_id => @author.id
+ sign_in @user
+ Story.stub(:edit).and_return(@story)
+ end
+ context 'つつがなく終わるとき' do
+ it 'ストーリーモデルに編集取得を問い合わせている' do
+ Story.should_receive(:edit).exactly(1)
+ delete :destroy, :id => @story.id
+ end
+ it '@storyにアレを取得している' do
+ delete :destroy, :id => @story.id
+ assigns(:story).id.should eq(@story.id)
+ end
+ it 'そのストーリーを一つのトランザクションで削除する' do
+ lambda {
+ delete :destroy, :id => @story.id
+ }.should change(Story, :count)
+ end
+ context 'html形式' do
+ it 'ステータスコード302 Foundを返す' do
+ delete :destroy, :id => @story.id
+ response.status.should eq 302
+ end
+ it 'ストーリー一覧ページへ遷移する' do
+ delete :destroy, :id => @story.id
+ response.should redirect_to(story_path(@story.comic_id))
+ end
+ end
+ context 'json形式' do
+ it 'ステータスコード200 OKを返す' do
+ delete :destroy, :id => @story.id, :format => :json
+ response.should be_success
+ end
+ end
+ end
+ context '作家権限がないとき' do
+ before do
+ sign_out @user
+ end
+ context 'html形式' do
+ it 'ステータスコード302 Foundを返す' do
+ delete :destroy, :id => @story.id
+ response.status.should eq 302
+ end
+ it 'サインインページへ遷移する' do
+ delete :destroy, :id => @story.id
+ response.body.should redirect_to '/users/sign_in'
+ end
+ end
+ context 'json形式' do
+ it 'ステータスコード401 Unauthorizedを返す' do
+ delete :destroy, :id => @story.id, :format => :json
+ response.status.should eq 401
+ end
+ it '応答メッセージにUnauthorizedを返す' do
+ delete :destroy, :id => @story.id, :format => :json
+ response.message.should match(/Unauthorized/)
+ end
+ end
+ end
+=begin
+ context '対象ストーリーがないとき' do
+ end
+ context '他人のストーリーだったとき' do
+ end
+=end
+ end
+
 end
diff --git a/spec/models/original_picture_spec.rb b/spec/models/original_picture_spec.rb
index f8c8f7c1..dd685eae 100644
--- a/spec/models/original_picture_spec.rb
+++ b/spec/models/original_picture_spec.rb
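Review bot: `response.body.should redirect_to '/users/sign_in'` in the 'サインインページへ遷移する' example applies the redirect matcher to the body string rather than the response; the html example above it uses the right receiver, so this should read `response.should redirect_to '/users/sign_in'`. The transaction example's `should change(Story, :count)` passes on any change of the count; `.by(-1)` states what destroy is meant to do. Because `Story.edit` is stubbed in `before`, the two contexts left empty under `=begin`/`=end` are exactly the authorization paths this commit introduces; a `Story.stub(:edit).and_raise(ActiveRecord::Forbidden)` (and `ActiveRecord::RecordNotFound`) with an assertion on the resulting status would cover what the controller does when the model refuses.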
@@ -224,6 +224,41 @@ describe OriginalPicture do
 end
 end
 end
+ describe '編集取得に於いて' do
+ before do
+ @op = Factory :original_picture, :artist_id => @artist.id
+ end
+ it '指定の原画を返す' do
+ pic = OriginalPicture.edit @op.id, @artist
+ pic.should eq @op
+ end
+ context '関連テーブルオプションがないとき' do
+ it 'ライセンスと素材を含んでいる' do
+ r = OriginalPicture.show_include_opt
+ r.should eq [:license, :resource_picture]
+ end
+ end
+ context '関連テーブルオプションで絵師を含ませたとき' do
+ it 'ライセンスと素材と作者データを含んでいる' do
+ r = OriginalPicture.show_include_opt(:include => :artist)
+ r.should eq [:license, :resource_picture, :artist]
+ end
+ end
+ context '他人の原画を開こうとしたとき' do
+ it '403Forbidden例外を返す' do
+ lambda{
+ pic = OriginalPicture.edit @op.id, @other_artist
+ }.should raise_error(ActiveRecord::Forbidden)
+ end
+ end
+ context '存在しない原画を開こうとしたとき' do
+ it '404RecordNotFound例外を返す' do
+ lambda{
+ pic = OriginalPicture.edit 0, @artist
+ }.should raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
+ end
 describe 'json単体出力オプションに於いて' do
 it 'includeキーがライセンスと素材を含んでいる' do
 r = OriginalPicture.show_json_include_opt
diff --git a/spec/models/story_spec.rb b/spec/models/story_spec.rb
index 57cb93ba..1f9a23e9 100644
--- a/spec/models/story_spec.rb
+++ b/spec/models/story_spec.rb
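Review bot: The two '関連テーブルオプション' contexts call `show_include_opt` directly rather than `edit`, so the `opt` argument the new `edit` accepts is never exercised; `OriginalPicture.edit @op.id, @artist, :include => :artist` would test the path this commit added, and if the same two examples already exist under the show block they can be dropped here. The `pic =` assignments inside the two lambdas are unused and can go. `@other_artist` is assumed to be set up in a `before` outside the hunk.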
@@ -164,30 +164,22 @@ describe Story do
 @panel = Factory :panel, :author_id => @author.id
 @story = Factory :story, :author_id => @author.id, :comic_id => @comic.id, :panel_id => @panel.id
 end
- context 'オーナー指定がないとき' do
- it '指定のストーリーを返す' do
- l = Story.show @story.id, @author
- l.should eq @story
- end
+ it '指定のストーリーを返す' do
+ l = Story.edit @story.id, @author
+ l.should eq @story
 end
- context 'オーナー指定のとき' do
- it '指定のストーリーが自分のものならそれを返す' do
- l = Story.show @story.id, @author
- l.should eq @story
- end
- context '他人のストーリーを開こうとしたとき' do
- it '403Forbidden例外を返す' do
- Story.any_instance.stub(:own?).and_return(false)
- lambda{
- Story.show @story.id, @author
- }.should raise_error(ActiveRecord::Forbidden)
- end
+ context '他人のストーリーを開こうとしたとき' do
+ it '403Forbidden例外を返す' do
+ Story.any_instance.stub(:own?).and_return(false)
+ lambda{
+ Story.edit @story.id, @author
+ }.should raise_error(ActiveRecord::Forbidden)
 end
 end
 context '存在しないストーリーを開こうとしたとき' do
 it '404RecordNotFound例外を返す' do
 lambda{
- Story.show 110, @author
+ Story.edit 110, @author
 }.should raise_error(ActiveRecord::RecordNotFound)
 end
 end
--
2.11.0
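Review bot: The '他人のストーリー' example forces `Story.any_instance.stub(:own?).and_return(false)` while still passing the owning `@author`, so it shows the raise but not that `own?` tells authors apart; original_picture_spec in this same commit builds a second artist instead, and `Story.edit @story.id, @other_author` with a second author created in `before` would do the same here. Removing the 'オーナー指定がないとき' context leaves no example for a missing author even though `au` lost its default; an example asserting that `Story.edit(@story.id, nil)` raises `ActiveRecord::Forbidden` would pin the intended behaviour (with the ownership check as written in story.rb it currently raises NoMethodError instead).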