MS IZ fixed some permissions in photo controller

zhitomirskiyi 2010-11-03 16:42:33 -07:00
parent 03b272db60
commit 8246882067
4 changed files with 126 additions and 56 deletions

@ -24,35 +24,14 @@ class PhotosController < ApplicationController
album = current_user.find_visible_post_by_id( params[:photo][:album_id] )
begin
######################## dealing with local files #############
# get file name
file_name = params[:qqfile]
# get file content type
att_content_type = (request.content_type.to_s == "") ? "application/octet-stream" : request.content_type.to_s
# create temporal file
begin
file = Tempfile.new(file_name, {:encoding => 'BINARY'})
file.print request.raw_post.force_encoding('BINARY')
rescue RuntimeError => e
raise e unless e.message.include?('cannot generate tempfile')
file = Tempfile.new(file_name) # Ruby 1.8 compatibility
file.print request.raw_post
end
# put data into this file from raw post request
# create several required methods for this temporal file
Tempfile.send(:define_method, "content_type") {return att_content_type}
Tempfile.send(:define_method, "original_filename") {return file_name}
##############
params[:photo][:user_file] = file
params[:photo][:user_file] = file_handler(params)
@photo = current_user.build_post(:photo, params[:photo])
if @photo.save
raise 'MongoMapper failed to catch a failed save' unless post.id
raise 'MongoMapper failed to catch a failed save' unless @photo.id
current_user.dispatch_post(@photo, :to => params[:photo][:to])
respond_to do |format|
format.json{render(:layout => false , :json => {"success" => true, "data" => @photo}.to_json )}
@ -83,15 +62,17 @@ class PhotosController < ApplicationController
end
def destroy
@photo = current_user.find_visible_post_by_id params[:id]
photo = current_user.my_posts.where(:_id => params[:id]).first
@photo.destroy
flash[:notice] = I18n.t 'photos.destroy.notice'
if photo
photo.destroy
flash[:notice] = I18n.t 'photos.destroy.notice'
redirect = photo.album
end
redirect = @photo.album
redirect ||= photos_path
respond_with :location => @photo.album
respond_with :location => redirect
end
def show
@ -107,21 +88,52 @@ class PhotosController < ApplicationController
end
def edit
@photo = current_user.find_visible_post_by_id params[:id]
@album = @photo.album
redirect_to @photo #unless current_user.owns? @photo
@photo = current_user.my_posts.where(:_id => params[:id]).first
if @photo
@album = @photo.album
else
redirect_to photos_path
end
end
def update
@photo = current_user.find_visible_post_by_id params[:id]
if current_user.update_post( @photo, params[:photo] )
flash[:notice] = I18n.t 'photos.update.notice'
respond_with @photo
photo = current_user.my_posts.where(:_id => params[:id]).first
if photo
if current_user.update_post( photo, params[:photo] )
flash[:notice] = I18n.t 'photos.update.notice'
respond_with photo
else
flash[:error] = I18n.t 'photos.update.error'
redirect_to [:edit, photo]
end
else
flash[:error] = I18n.t 'photos.update.error'
redirect_to [:edit, @photo]
redirect_to photos_path
end
end
private
def file_handler(params)
######################## dealing with local files #############
# get file name
file_name = params[:qqfile]
# get file content type
att_content_type = (request.content_type.to_s == "") ? "application/octet-stream" : request.content_type.to_s
# create tempora##l file
begin
file = Tempfile.new(file_name, {:encoding => 'BINARY'})
file.print request.raw_post.force_encoding('BINARY')
rescue RuntimeError => e
raise e unless e.message.include?('cannot generate tempfile')
file = Tempfile.new(file_name) # Ruby 1.8 compatibility
file.print request.raw_post
end
# put data into this file from raw post request
# create several required methods for this temporal file
Tempfile.send(:define_method, "content_type") {return att_content_type}
Tempfile.send(:define_method, "original_filename") {return file_name}
file
end
end
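Review bot: `file_handler` defines `content_type` and `original_filename` on the `Tempfile` class itself via `Tempfile.send(:define_method, ...)`, so every Tempfile in the process picks up the closure of whichever request ran last, and under concurrent requests one upload can report another's content type and filename. Define them on the instance instead, in the 1.8-compatible form the method already targets: `(class << file; self; end).send(:define_method, :content_type) { att_content_type }` and likewise for `original_filename`. The basename handed to `Tempfile.new` and exposed as `original_filename` is `params[:qqfile]` verbatim; use `file_name = File.basename(params[:qqfile].to_s)` so a client-supplied name with path separators never reaches the tempfile path or the downstream storage name, and fail the request when it is blank. `request.content_type` is likewise client-controlled, so if anything downstream trusts it when serving the file it should be validated against the expected image types.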

@ -32,6 +32,10 @@ module Diaspora
end
end
def my_posts
Post.where(:diaspora_handle => person.diaspora_handle)
end
def contact_for(person)
id = person.id
contact_for_person_id(id)
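Review bot: `my_posts` establishes ownership by matching the `diaspora_handle` string on `Post`, not the local `person_id` that the photos spec in this commit treats as the owner (`photo.reload.person_id.should == user.person.id`), and the controller now relies on this scope as the authorization check for `edit`, `update` and `destroy`; anything that lets a post be stored carrying another user's handle would therefore grant that user write access. If `Post#person_id` is set authoritatively on save, `Post.where(:person_id => person.id)` is the safer key; confirm which field is canonical before switching. Either way, document the security role of the scope above the method, e.g. `# Posts authored by this user; controllers use this as the write-access scope.`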

@ -8,31 +8,44 @@ describe PhotosController do
let(:user) {make_user}
let(:user2) {make_user}
let(:aspect) {user.aspects.create(:name => 'winners')}
let!(:aspect) {user.aspects.create(:name => 'winners')}
let(:aspect2) {user2.aspects.create(:name => 'winners')}
let!(:album) {user.post(:album, :to => aspect.id, :name => "room on fire")}
let!(:album2) {user2.post(:album, :to => aspect2.id, :name => "room on fire")}
let(:filename) {'button.png'}
let(:fixture_name) {File.join(File.dirname(__FILE__), '..', 'fixtures', filename)}
let(:image) {File.open(fixture_name)}
let!(:photo){ user.post(:photo, :album_id => album.id, :user_file => image, :to => aspect.id)}
let(:photo_no_album){ user.post(:photo, :user_file => image, :to => aspect.id)}
let!(:photo2){ user2.post(:photo, :album_id => album2.id, :user_file => image, :to => aspect2.id)}
before do
friend_users(user, aspect, user2, aspect2)
sign_in :user, user
user.reload
aspect.reload
aspect2.reload
@controller.stub!(:current_user).and_return(user)
end
describe '#create' do
let(:foo) {{:album_id => album.id.to_s}}
before do
@controller.stub!(:file_handler).and_return(image)
end
it 'can make a photo in an album' do
pending
proc{ post :create, :photo => foo, :qqfile => fixture_name }.should change(Photo, :count).by(1)
end
it 'can make a picture without an album' do
pending
end
it 'does not let you create a photo in an album you do not own' do
pending
end
end
describe '#index' do
@ -71,23 +84,32 @@ describe PhotosController do
describe '#edit' do
it 'should let you edit a photo with an album' do
pending
get :edit, :id => photo.id
response.should_not redirect_to(photo)
response.code.should == "200"
end
it 'should let you edit a photo you own that does not have an album' do
pending
get :edit, :id => photo_no_album.id
response.should_not redirect_to(photo)
response.code.should == "200"
end
it 'should not let you edit a photo that is not yours' do
get :edit, :id => photo2.id
response.should redirect_to(:action => :index)
end
end
describe '#destroy' do
it 'should let me delete my photos' do
delete :destroy, :id => photo.id
Photo.find_by_id(photo.id).should be nil
end
it 'will not let you destory posts you do not own' do
delete :destroy, :id => photo2.id
Photo.find_by_id(photo2.id).should_not be nil
end
end
describe "#update" do
@ -102,5 +124,11 @@ describe PhotosController do
put :update, :id => photo.id, :photo => params
photo.reload.person_id.should == user.person.id
end
it 'should redirect if you do not have access to the post' do
params = { :caption => "now with lasers!"}
put :update, :id => photo2.id, :photo => params
response.should redirect_to(:action => :index)
end
end
end
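Review bot: The spec leaves `does not let you create a photo in an album you do not own` pending while the controller's `create` still resolves the album with `find_visible_post_by_id` rather than the new `my_posts` scope, so the one permission path this commit does not tighten is also the one with no failing test. Replace the `pending` with a concrete check using fixtures already defined here: `proc { post :create, :photo => {:album_id => album2.id.to_s}, :qqfile => fixture_name }.should_not change(Photo, :count)` (the `file_handler` stub in the `before` block covers the upload). The `#edit` and `#update` negative cases assert only a redirect to `index`; also assert the record is untouched, e.g. `photo2.reload.caption.should_not == "now with lasers!"` in the update case, so a later regression that mutates before redirecting is still caught.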

@ -7,19 +7,22 @@ require 'spec_helper'
describe User do
let(:user) {make_user}
let!(:aspect) { user.aspects.create(:name => "cats")}
let!(:user2) { Factory(:user_with_aspect) }
let(:person_one) { Factory.create :person }
let(:person_two) { Factory.create :person }
let(:person_three) { Factory.create :person }
context 'with two posts' do
let!(:status_message1) { user2.post :status_message, :message => "hi", :to => user2.aspects.first.id }
let!(:status_message2) { user2.post :status_message, :message => "hey", :public => true , :to => user2.aspects.first.id }
describe "#visible_posts" do
let!(:status_message4) { user2.post :status_message, :message => "blah", :public => true , :to => user2.aspects.first.id }
let!(:status_message3) { user.post :status_message, :message => "hey", :public => true , :to => user.aspects.first.id }
describe "#visible_posts" do
it "queries by person id" do
query = user2.visible_posts(:person_id => user2.person.id)
query.include?(status_message1).should == true
@ -59,6 +62,29 @@ describe User do
end
end
end
describe '#my_posts' do
it 'should return only my posts' do
posts2 = user2.my_posts
posts2.should include status_message1
posts2.should include status_message2
posts2.should_not include status_message3
user.my_posts.should include status_message3
end
it 'returns query objexts so chainable' do
user2.my_posts.where(:_id => status_message1.id.to_s).all.should == [status_message1]
pub_posts = user2.my_posts.where(:public => true).all
pub_posts.should_not include status_message1
pub_posts.should include status_message2
pub_posts.should include status_message4
pub_posts.should_not include status_message3
user.my_posts.where(:public => false).all.should == []
end
end
end
context 'with two users' do
@ -68,8 +94,8 @@ describe User do
let!(:user4) { Factory.create(:user_with_aspect)}
before do
friend_users(user, first_aspect, user4, user4.aspects.first)
friend_users(user, second_aspect, user2, user2.aspects.first)
friend_users(user, first_aspect, user4, user4.aspects.first)
friend_users(user, second_aspect, user2, user2.aspects.first)
end
describe '#friends_not_in_aspect' do