From 0ed6c21f100decc41579df47c800debac7472d6e Mon Sep 17 00:00:00 2001 From: Mario Visic Date: Sat, 20 Aug 2011 17:08:37 +0800 Subject: [PATCH 1/6] Added a failing cucumber test for viewing the delete asset button as an author. --- .../admin/authorization/theme_assets.feature | 7 +++++++ features/step_definitions/theme_asset_steps.rb | 17 ++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/features/admin/authorization/theme_assets.feature b/features/admin/authorization/theme_assets.feature index 1adccf01..cc0011ef 100644 --- a/features/admin/authorization/theme_assets.feature +++ b/features/admin/authorization/theme_assets.feature @@ -6,6 +6,7 @@ Feature: Theme Assets Background: Given I have the site: "test site" set up And I have a designer and an author + And I have an image theme asset named "dog.png" Scenario: As an unauthenticated user Given I am not authenticated @@ -20,6 +21,8 @@ Background: And I should see "Snippets" And I should see "Style and javascript" And I should see "Images" + And I should see "dog.png" + And I should see a delete image button Scenario: Accessing theme assets as a Designer Given I am an authenticated "designer" @@ -29,6 +32,8 @@ Background: And I should see "Snippets" And I should see "Style and javascript" And I should see "Images" + And I should see "dog.png" + And I should see a delete image button Scenario: Accessing theme assets as an Author Given I am an authenticated "author" @@ -38,3 +43,5 @@ Background: And I should not see "Snippets" And I should not see "Style and javascript" And I should see "Images" + And I should see "dog.png" + And I should not see a delete image button diff --git a/features/step_definitions/theme_asset_steps.rb b/features/step_definitions/theme_asset_steps.rb index 0db95683..894234af 100644 --- a/features/step_definitions/theme_asset_steps.rb +++ b/features/step_definitions/theme_asset_steps.rb 
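Review bot: Every new assertion in these four hunks checks only whether the trash link is rendered, so the author scenario passes as long as the view hides the button, even if the destroy action itself still accepts an author's DELETE request. A scenario that submits the delete directly — e.g. `When I delete the theme asset "dog.png"` backed by a step issuing `page.driver.delete admin_theme_asset_path(@asset)` under the rack-test driver — and then asserts that "dog.png" is still listed would pin the authorization rather than the markup. The delete-button steps these lines rely on are defined in the next file of the patch, not in this one.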
@@ -24,8 +24,23 @@ Given /^a stylesheet asset named "([^"]*)"$/ do |name| @asset = create_plain_text_asset(name, 'stylesheet') end +Given /^I have an image theme asset named "([^"]*)"$/ do |name| + @asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('spec', 'fixtures', 'assets', '5k.png'))) + @asset.source_filename = name + @asset.save! +end + + # other stuff Then /^I should see "([^"]*)" as theme asset code$/ do |code| find(:css, "#theme_asset_plain_text").text.should == code -end \ No newline at end of file +end + +Then /^I should see a delete image button$/ do + page.has_css?("ul.theme-assets li .more a.remove").should be_true +end + +Then /^I should not see a delete image button$/ do + page.has_css?("ul.theme-assets li .more a.remove").should be_false +end From 24c9752018e1220ffe4a168aec9d6908acc2840d Mon Sep 17 00:00:00 2001 From: Mario Visic Date: Sat, 20 Aug 2011 17:13:06 +0800 Subject: [PATCH 2/6] Implemenation for hiding the destroy asset button. --- app/views/admin/theme_assets/_asset.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/admin/theme_assets/_asset.html.haml b/app/views/admin/theme_assets/_asset.html.haml index 99f0e080..23a81e03 100644 --- a/app/views/admin/theme_assets/_asset.html.haml +++ b/app/views/admin/theme_assets/_asset.html.haml @@ -9,5 +9,5 @@ %span!= t('.updated_at') %span.date= l asset.updated_at, :format => :short - - if edit + - if edit && can?(:destroy, asset) = link_to image_tag('admin/list/icons/trash.png'), admin_theme_asset_path(asset), :class => 'remove', :confirm => t('admin.messages.confirm'), :method => :delete From 5c3cf8308229bf57009f62acb1bcf65f2ac9d886 Mon Sep 17 00:00:00 2001 
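Review bot: The negative step `page.has_css?("ul.theme-assets li .more a.remove").should be_false` is a presence query that is expected to fail; under a JavaScript driver it waits out Capybara's full default wait before answering false, and it reads as if the test wanted the element. `page.should have_no_css("ul.theme-assets li .more a.remove")` is the matcher written for absence and returns as soon as the element is gone. The new Given step also passes `File.open(Rails.root.join(...))` to the factory and never closes the handle; if the upload handling does not need the IO after `create`, `File.open(...) { |f| FactoryGirl.create(:theme_asset, :site => @site, :source => f) }` keeps it scoped to the step. The file's other step definitions lie outside this hunk.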
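Review bot: Gating the trash link on `can?(:destroy, asset)` only decides what is rendered; nothing in this series shows the controller behind `admin_theme_asset_path` calling `authorize!`, so unless it already does, an author can still send `DELETE` to that path and remove the image whose button is now hidden. Confirm that the destroy action is covered by `load_and_authorize_resource` (or an explicit `authorize! :destroy, @theme_asset`) before treating the author scenario in the accompanying feature as proof of the restriction. A short comment on the condition, `-# author role may view but not delete assets (see Ability); controller enforces the same rule`, would make the split between display and enforcement explicit. The partial's outer structure begins above this hunk.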
From: Mario Visic Date: Sat, 20 Aug 2011 17:31:16 +0800 Subject: [PATCH 3/6] Added a failing scenario for the new site button when the account is a designer. --- .../authorization/account_settings.feature | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 features/admin/authorization/account_settings.feature diff --git a/features/admin/authorization/account_settings.feature b/features/admin/authorization/account_settings.feature new file mode 100644 index 00000000..51e475ae --- /dev/null +++ b/features/admin/authorization/account_settings.feature @@ -0,0 +1,28 @@ +Feature: Account Settings + In order to ensure sites are not tampered with + As an admin, designer or author + I will be restricted based on my role + +Background: + Given I have the site: "test site" set up + And I have a designer and an author + + Scenario: As an unauthenticated user + Given I am not authenticated + When I go to account settings + Then I should see "Log in" + + Scenario: Accessing site settings as an Admin + Given I am an authenticated "admin" + When I go to account settings + Then I should see "new site" + + Scenario: Accessing site settings as a Designer + Given I am an authenticated "designer" + When I go to account settings + Then I should not see "new site" + + Scenario: Accessing site settings as an Author + Given I am an authenticated "author" + When I go to account settings + Then I should not see "new site" From a7bc648333da34e451f84eaa7d8776d698d2d0ae Mon Sep 17 00:00:00 2001 From: Mario Visic Date: Sat, 20 Aug 2011 17:33:13 +0800 Subject: [PATCH 4/6] Implemented the site ability fix for designers. --- app/models/ability.rb | 2 ++ app/views/admin/my_account/edit.html.haml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/app/models/ability.rb b/app/models/ability.rb index 54d477bc..e4838493 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb 
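Review bot: The three authenticated scenarios are titled "Accessing site settings as ..." although each one goes to account settings and asserts the "new site" button, so the titles describe a different page (`current_site.feature` is the one covering site settings); `Scenario: Accessing account settings as an Admin` and the two siblings keep the report readable. Like the other authorization features in this series, the scenarios assert only that the button is or is not rendered, so a designer who requests `new_admin_site_url` directly is not exercised; a scenario that visits that page as a designer and expects the application's access-denied behaviour would close the gap.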
@@ -61,6 +61,8 @@ class Ability can :point, Site + cannot :create, Site + can :manage, Membership cannot :change_role, Membership do |membership| diff --git a/app/views/admin/my_account/edit.html.haml b/app/views/admin/my_account/edit.html.haml index 1755b3e0..7484bac1 100644 --- a/app/views/admin/my_account/edit.html.haml +++ b/app/views/admin/my_account/edit.html.haml @@ -8,7 +8,7 @@ - if multi_sites? - content_for :buttons do - = admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:manage, Site) + = admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:create, Site) %p= t('.help') From 8a5241f2658a91cff6bf4ef1d4e07d38b803ff21 Mon Sep 17 00:00:00 2001 From: Mario Visic Date: Sat, 20 Aug 2011 17:37:58 +0800 Subject: [PATCH 5/6] Updated a scenario to fail. --- features/admin/authorization/current_site.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/features/admin/authorization/current_site.feature b/features/admin/authorization/current_site.feature index ce61e589..591b6f6b 100644 --- a/features/admin/authorization/current_site.feature +++ b/features/admin/authorization/current_site.feature @@ -30,7 +30,7 @@ Background: Given I am an authenticated "designer" When I go to site settings Then I should see "import" - And I should see "add account" + And I should not see "add account" And I should see "SEO settings" And I should see "Access points" And I should not see the role dropdown on myself From 22445856ec145e87b626e9b09211237e1ff1e1bd Mon Sep 17 00:00:00 2001 From: Mario Visic Date: Sat, 20 Aug 2011 17:41:00 +0800 Subject: [PATCH 6/6] The add account link is now hidden unless admins have permission. --- app/views/admin/current_site/edit.html.haml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/views/admin/current_site/edit.html.haml b/app/views/admin/current_site/edit.html.haml index 7e5f7143..5cbb6dc4 100644 --- a/app/views/admin/current_site/edit.html.haml 
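Review bot: `cannot :create, Site` narrows a broader permission only if it is defined after the `can` rule it overrides, because CanCan answers `can?` from the most recently defined matching rule; the role branch enclosing these lines starts above the hunk, so whether a `can :manage, Site` for this role precedes it cannot be confirmed from the diff. A `cannot :create` rule also leaves `can?(:manage, Site)` answering true, which is why the `my_account` view in the same patch had to switch from `:manage` to `:create`; any other view or controller that still authorizes site creation with `:manage` admits the role unchanged, so the sites controller's `new`/`create` actions should be checked with `authorize! :create, Site` (what `load_and_authorize_resource` does by default) for the restriction to hold server-side. A comment on the rule, `# designers may edit existing sites but not create new ones`, would record the intent the commit message gives.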
+++ b/app/views/admin/current_site/edit.html.haml @@ -3,10 +3,11 @@ - content_for :submenu do = render_cell 'admin/settings_menu', :show -- if can?(:manage, @site) - - content_for :buttons do +- content_for :buttons do + - if can?(:manage, @site) = admin_button_tag :export, new_admin_export_url, :class => 'new' = admin_button_tag :import, new_admin_import_url, :class => 'new' + - if can?(:create, Account) = admin_button_tag t('.new_membership'), new_admin_membership_url, :class => 'new' %p!= t('.help')
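Review bot: The "add account" button is now gated on `can?(:create, Account)`, but the link it guards is `new_admin_membership_url`, and the ability hunk earlier in this series shows `can :manage, Membership` for the same role; if the memberships controller authorizes against `Membership` (as `load_and_authorize_resource` would), a designer can still create the membership by posting to it and the view check diverges from what the server enforces. If gating on `Account` is deliberate — a new membership may also mean a new account — the controller action should authorize the same subject (`authorize! :create, Account`), and a comment here, `-# inviting a member creates an Account, so this is gated on Account rather than Membership`, would mark the choice as intentional. The template's remaining layout lies above and below this hunk.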