Adds a News#commentable? method to easily specific additional rules.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8854 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 230af5caf54639e9966b2a60686202ee7e2a944e..e6cfab79862af5baa9485d4d9daf45c2dfb2aca9 100644 (file)
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,3 +1,20 @@
+# Redmine - project management software
+# Copyright (C) 2006-2012  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
 class CommentsController < ApplicationController
   default_search_scope :news
   model_object News
@@ -7,6 +24,8 @@ class CommentsController < ApplicationController
 
   verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
+    raise Unauthorized unless @news.commentable?
+
     @comment = Comment.new(params[:comment])
     @comment.author = User.current
     if @news.comments << @comment
@@ -32,5 +51,4 @@ class CommentsController < ApplicationController
     @comment = nil
     @news
   end
-
 end

diff --git a/app/models/news.rb b/app/models/news.rb
index 78dcc0c8c18b7df9635df777bbf15d571d28dcc6..eed17945e248944afe17e1bfc9c3fbd4234e9e70 100644 (file)
--- a/app/models/news.rb
+++ b/app/models/news.rb
@@ -42,6 +42,11 @@ class News < ActiveRecord::Base
     !user.nil? && user.allowed_to?(:view_news, project)
   end
 
+  # Returns true if the news can be commented by user
+  def commentable?(user=User.current)
+    user.allowed_to?(:comment_news, project)
+  end
+
   # returns latest news for projects visible by user
   def self.latest(user = User.current, count = 5)
     find(:all, :limit => count,

diff --git a/app/views/news/show.html.erb b/app/views/news/show.html.erb
index 72c18d9a6a0874f7fe1eba1bff0c137e3dfb3d5e..b0b5f023e04e425fd1c8d0638c16b19e72f758ac 100644 (file)
--- a/app/views/news/show.html.erb
+++ b/app/views/news/show.html.erb
@@ -53,7 +53,7 @@
 <% end if @comments.any? %>
 </div>
 
-<% if authorize_for 'comments', 'create' %>
+<% if @news.commentable? %>
 <p><%= toggle_link l(:label_comment_add), "add_comment_form", :focus => "comment_comments" %></p>
 <% form_tag({:controller => 'comments', :action => 'create', :id => @news}, :id => "add_comment_form", :style => "display:none;") do %>
 <div class="box">

diff --git a/test/functional/comments_controller_test.rb b/test/functional/comments_controller_test.rb
index a04df43f5ada0d86492b245deba50f48373115de..e3e99d364a1fcd9c2cbd5c90156c1e625e67f74f 100644 (file)
--- a/test/functional/comments_controller_test.rb
+++ b/test/functional/comments_controller_test.rb
@@ -44,6 +44,15 @@ class CommentsControllerTest < ActionController::TestCase
     end
   end
 
+  def test_create_should_be_denied_if_news_is_not_commentable
+    News.any_instance.stubs(:commentable?).returns(false)
+    @request.session[:user_id] = 2
+    assert_no_difference 'Comment.count' do
+      post :create, :id => 1, :comment => { :comments => 'This is a test comment' }
+      assert_response 403
+    end
+  end
+
   def test_destroy_comment
     comments_count = News.find(1).comments.size
     @request.session[:user_id] = 2