can [:new, :show, :create, :destroy], :oauth2_authorization
can [:edit, :update, :destroy], :account
can [:show], :dashboard
- can [:new, :create, :edit, :update, :comment, :subscribe, :unsubscribe], DiaryEntry
+ can [:new, :create, :edit, :update, :subscribe, :unsubscribe], DiaryEntry
+ can [:create], DiaryComment
can [:make_friend, :remove_friend], Friendship
can [:new, :create, :reply, :show, :inbox, :outbox, :muted, :mark, :unmute, :destroy], Message
can [:close, :reopen], Note
authorize_resource
before_action :lookup_user, :only => :index
- before_action :check_database_writable, :only => [:hide, :unhide]
+ before_action :check_database_writable, :only => [:create, :hide, :unhide]
allow_thirdparty_images :only => :index
@comments, @newer_comments_id, @older_comments_id = get_page_items(comments, :includes => [:user])
end
+ def create
+ @entry = DiaryEntry.find(params[:id])
+ @comments = @entry.visible_comments
+ @diary_comment = @entry.comments.build(comment_params)
+ @diary_comment.user = current_user
+ if @diary_comment.save
+
+ # Notify current subscribers of the new comment
+ @entry.subscribers.visible.each do |user|
+ UserMailer.diary_comment_notification(@diary_comment, user).deliver_later if current_user != user
+ end
+
+ # Add the commenter to the subscribers if necessary
+ @entry.subscriptions.create(:user => current_user) unless @entry.subscribers.exists?(current_user.id)
+
+ redirect_to diary_entry_path(@entry.user, @entry)
+ else
+ render :action => "new"
+ end
+ rescue ActiveRecord::RecordNotFound
+ render "diary_entries/no_such_entry", :status => :not_found
+ end
+
def hide
comment = DiaryComment.find(params[:comment])
comment.update(:visible => false)
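Review bot: The new `create` action loads the entry with `DiaryEntry.find(params[:id])`, which ignores the `:display_name` route segment and, as far as the hunk shows, does not exclude hidden entries. A comment and its subscriber notifications can therefore be attached to an entry that has been hidden, or posted under a URL naming a different user. The lookup is carried over unchanged from the old `comment` action, but the move is a good point to tighten it, unless commenting on hidden entries is intended. If `DiaryEntry` offers a `visible` scope like the one used on `@entry.subscribers.visible` (not shown here, so please confirm), `@entry = DiaryEntry.visible.find(params[:id])` would send hidden entries to the existing `RecordNotFound` branch. A test that posts to a hidden entry and expects `:not_found` would pin the behaviour.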
comment.update(:visible => true)
redirect_to diary_entry_path(comment.diary_entry.user, comment.diary_entry)
end
+
+ private
+
+ ##
+ # return permitted diary comment parameters
+ def comment_params
+ params.require(:diary_comment).permit(:body)
+ end
end
authorize_resource
before_action :lookup_user, :only => :show
- before_action :check_database_writable, :only => [:new, :create, :edit, :update, :comment, :hide, :unhide, :subscribe, :unsubscribe]
+ before_action :check_database_writable, :only => [:new, :create, :edit, :update, :hide, :unhide, :subscribe, :unsubscribe]
allow_thirdparty_images :only => [:new, :create, :edit, :update, :index, :show]
render :action => "no_such_entry", :status => :not_found
end
- def comment
- @entry = DiaryEntry.find(params[:id])
- @comments = @entry.visible_comments
- @diary_comment = @entry.comments.build(comment_params)
- @diary_comment.user = current_user
- if @diary_comment.save
-
- # Notify current subscribers of the new comment
- @entry.subscribers.visible.each do |user|
- UserMailer.diary_comment_notification(@diary_comment, user).deliver_later if current_user != user
- end
-
- # Add the commenter to the subscribers if necessary
- @entry.subscriptions.create(:user => current_user) unless @entry.subscribers.exists?(current_user.id)
-
- redirect_to diary_entry_path(@entry.user, @entry)
- else
- render :action => "show"
- end
- rescue ActiveRecord::RecordNotFound
- render :action => "no_such_entry", :status => :not_found
- end
-
def subscribe
@diary_entry = DiaryEntry.find(params[:id])
ActionController::Parameters.new.permit(:title, :body, :language_code, :latitude, :longitude)
end
- ##
- # return permitted diary comment parameters
- def comment_params
- params.require(:diary_comment).permit(:body)
- end
-
##
# decide on a location for the diary entry map
def set_map_location
<% if current_user %>
<h3 id="newcomment"><%= t ".leave_a_comment" %></h3>
- <%= bootstrap_form_for @entry.comments.new, :url => { :action => "comment" } do |f| %>
+ <%= bootstrap_form_for @entry.comments.new, :url => comment_diary_entry_path(@entry.user, @entry) do |f| %>
<%= f.richtext_field :body, :cols => 80, :rows => 20, :hide_label => true %>
<%= f.primary %>
<% end %>
scope "/user/:display_name" do
resources :diary_entries, :path => "diary", :only => [:edit, :update, :show], :id => /\d+/
end
- post "/user/:display_name/diary/:id/newcomment" => "diary_entries#comment", :id => /\d+/, :as => :comment_diary_entry
+ post "/user/:display_name/diary/:id/newcomment" => "diary_comments#create", :id => /\d+/, :as => :comment_diary_entry
post "/user/:display_name/diary/:id/hide" => "diary_entries#hide", :id => /\d+/, :as => :hide_diary_entry
post "/user/:display_name/diary/:id/unhide" => "diary_entries#unhide", :id => /\d+/, :as => :unhide_diary_entry
post "/user/:display_name/diary/:id/hidecomment/:comment" => "diary_comments#hide", :id => /\d+/, :comment => /\d+/, :as => :hide_diary_comment
assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments"
end
- [:create, :edit, :comment, :subscribe, :unsubscribe, :hide, :unhide].each do |action|
+ [:create, :edit, :subscribe, :unsubscribe, :hide, :unhide].each do |action|
assert ability.cannot?(action, DiaryEntry), "should not be able to #{action} DiaryEntries"
end
- [:hide, :unhide].each do |action|
+ [:create, :hide, :unhide].each do |action|
assert ability.cannot?(action, DiaryComment), "should not be able to #{action} DiaryComments"
end
end
test "Diary permissions" do
ability = Ability.new create(:user)
- [:index, :rss, :show, :create, :edit, :comment, :subscribe, :unsubscribe].each do |action|
+ [:index, :rss, :show, :create, :edit, :subscribe, :unsubscribe].each do |action|
assert ability.can?(action, DiaryEntry), "should be able to #{action} DiaryEntries"
end
- [:index].each do |action|
+ [:index, :create].each do |action|
assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments"
end
class AdministratorAbilityTest < AbilityTest
test "Diary for an administrator" do
ability = Ability.new create(:administrator_user)
- [:index, :rss, :show, :create, :edit, :comment, :subscribe, :unsubscribe, :hide, :unhide].each do |action|
+ [:index, :rss, :show, :create, :edit, :subscribe, :unsubscribe, :hide, :unhide].each do |action|
assert ability.can?(action, DiaryEntry), "should be able to #{action} DiaryEntries"
end
- [:index, :hide, :unhide].each do |action|
+ [:index, :create, :hide, :unhide].each do |action|
assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments"
end
end
{ :path => "/user/username/diary/comments", :method => :get },
{ :controller => "diary_comments", :action => "index", :display_name => "username" }
)
+ assert_routing(
+ { :path => "/user/username/diary/1/newcomment", :method => :post },
+ { :controller => "diary_comments", :action => "create", :display_name => "username", :id => "1" }
+ )
assert_routing(
{ :path => "/user/username/diary/1/hidecomment/2", :method => :post },
{ :controller => "diary_comments", :action => "hide", :display_name => "username", :id => "1", :comment => "2" }
end
end
+ def test_create
+ user = create(:user)
+ other_user = create(:user)
+ entry = create(:diary_entry, :user => user)
+ create(:diary_entry_subscription, :diary_entry => entry, :user => user)
+
+ # Make sure that you are denied when you are not logged in
+ post comment_diary_entry_path(entry.user, entry)
+ assert_response :forbidden
+
+ session_for(other_user)
+
+ # Verify that you get a not found error, when you pass a bogus id
+ post comment_diary_entry_path(entry.user, :id => 9999)
+ assert_response :not_found
+ assert_select "div.content-heading", :count => 1 do
+ assert_select "h1", :text => "No entry with the id: 9999", :count => 1
+ end
+
+ # Now try an invalid comment with an empty body
+ assert_no_difference "ActionMailer::Base.deliveries.size" do
+ assert_no_difference "DiaryComment.count" do
+ assert_no_difference "entry.subscribers.count" do
+ perform_enqueued_jobs do
+ post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => "" })
+ end
+ end
+ end
+ end
+ assert_response :success
+ assert_template :new
+
+ # Now try again with the right id
+ assert_difference "ActionMailer::Base.deliveries.size", entry.subscribers.count do
+ assert_difference "DiaryComment.count", 1 do
+ assert_difference "entry.subscribers.count", 1 do
+ perform_enqueued_jobs do
+ post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => "New comment" })
+ end
+ end
+ end
+ end
+ assert_redirected_to diary_entry_path(entry.user, entry)
+ email = ActionMailer::Base.deliveries.first
+ assert_equal [user.email], email.to
+ assert_equal "[OpenStreetMap] #{other_user.display_name} commented on a diary entry", email.subject
+ assert_match(/New comment/, email.text_part.decoded)
+ assert_match(/New comment/, email.html_part.decoded)
+ ActionMailer::Base.deliveries.clear
+ comment = DiaryComment.order(:id).last
+ assert_equal entry.id, comment.diary_entry_id
+ assert_equal other_user.id, comment.user_id
+ assert_equal "New comment", comment.body
+
+ # Now show the diary entry, and check the new comment is present
+ get diary_entry_path(entry.user, entry)
+ assert_response :success
+ assert_select ".diary-comment", :count => 1 do
+ assert_select "#comment#{comment.id}", :count => 1 do
+ assert_select "a[href='/user/#{ERB::Util.u(other_user.display_name)}']", :text => other_user.display_name, :count => 1
+ end
+ assert_select ".richtext", :text => /New comment/, :count => 1
+ end
+ end
+
+ def test_create_spammy
+ user = create(:user)
+ other_user = create(:user)
+ entry = create(:diary_entry, :user => user)
+ create(:diary_entry_subscription, :diary_entry => entry, :user => user)
+
+ session_for(other_user)
+
+ # Generate some spammy content
+ spammy_text = 1.upto(50).map { |n| "http://example.com/spam#{n}" }.join(" ")
+
+ # Try creating a spammy comment
+ assert_difference "ActionMailer::Base.deliveries.size", 1 do
+ assert_difference "DiaryComment.count", 1 do
+ perform_enqueued_jobs do
+ post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => spammy_text })
+ end
+ end
+ end
+ assert_redirected_to diary_entry_path(entry.user, entry)
+ email = ActionMailer::Base.deliveries.first
+ assert_equal [user.email], email.to
+ assert_equal "[OpenStreetMap] #{other_user.display_name} commented on a diary entry", email.subject
+ assert_match %r{http://example.com/spam}, email.text_part.decoded
+ assert_match %r{http://example.com/spam}, email.html_part.decoded
+ ActionMailer::Base.deliveries.clear
+ comment = DiaryComment.order(:id).last
+ assert_equal entry.id, comment.diary_entry_id
+ assert_equal other_user.id, comment.user_id
+ assert_equal spammy_text, comment.body
+ assert_equal "suspended", User.find(other_user.id).status
+
+ # Follow the redirect
+ get diary_entries_path(:display_name => user.display_name)
+ assert_redirected_to :controller => :users, :action => :suspended
+
+ # Now show the diary entry, and check the new comment is not present
+ get diary_entry_path(entry.user, entry)
+ assert_response :success
+ assert_select ".diary-comment", :count => 0
+ end
+
def test_hide
user = create(:user)
diary_entry = create(:diary_entry, :user => user)
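Review bot: `test_create_spammy` pins an abuse path: it asserts that one notification mail containing the `http://example.com/spam` URLs is delivered to the entry's subscriber, although the same request leaves the commenter with status `suspended`. The spam check is not visible in this diff, but the assertions imply it does not stop the notification loop in `create`, so subscribers still receive the spam body by mail. If that is a known limitation carried over from `test_comment_spammy`, say so in the test, e.g. `# NOTE: notifications go out before the suspension takes effect, so subscribers still receive the spam body`. Otherwise `create` should skip the notification loop when the commenter's status is `suspended` after the save, and this test should expect no delivery.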
{ :path => "/user/username/diary/1", :method => :put },
{ :controller => "diary_entries", :action => "update", :display_name => "username", :id => "1" }
)
- assert_routing(
- { :path => "/user/username/diary/1/newcomment", :method => :post },
- { :controller => "diary_entries", :action => "comment", :display_name => "username", :id => "1" }
- )
assert_routing(
{ :path => "/user/username/diary/1/hide", :method => :post },
{ :controller => "diary_entries", :action => "hide", :display_name => "username", :id => "1" }
assert_select "span[class=translation_missing]", false, "Missing translation in edit diary entry"
end
- def test_comment
- user = create(:user)
- other_user = create(:user)
- entry = create(:diary_entry, :user => user)
- create(:diary_entry_subscription, :diary_entry => entry, :user => user)
-
- # Make sure that you are denied when you are not logged in
- post comment_diary_entry_path(entry.user, entry)
- assert_response :forbidden
-
- session_for(other_user)
-
- # Verify that you get a not found error, when you pass a bogus id
- post comment_diary_entry_path(entry.user, :id => 9999)
- assert_response :not_found
- assert_select "div.content-heading", :count => 1 do
- assert_select "h1", :text => "No entry with the id: 9999", :count => 1
- end
-
- # Now try an invalid comment with an empty body
- assert_no_difference "ActionMailer::Base.deliveries.size" do
- assert_no_difference "DiaryComment.count" do
- assert_no_difference "entry.subscribers.count" do
- perform_enqueued_jobs do
- post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => "" })
- end
- end
- end
- end
- assert_response :success
- assert_template :show
-
- # Now try again with the right id
- assert_difference "ActionMailer::Base.deliveries.size", entry.subscribers.count do
- assert_difference "DiaryComment.count", 1 do
- assert_difference "entry.subscribers.count", 1 do
- perform_enqueued_jobs do
- post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => "New comment" })
- end
- end
- end
- end
- assert_redirected_to :action => :show, :display_name => entry.user.display_name, :id => entry.id
- email = ActionMailer::Base.deliveries.first
- assert_equal [user.email], email.to
- assert_equal "[OpenStreetMap] #{other_user.display_name} commented on a diary entry", email.subject
- assert_match(/New comment/, email.text_part.decoded)
- assert_match(/New comment/, email.html_part.decoded)
- ActionMailer::Base.deliveries.clear
- comment = DiaryComment.order(:id).last
- assert_equal entry.id, comment.diary_entry_id
- assert_equal other_user.id, comment.user_id
- assert_equal "New comment", comment.body
-
- # Now show the diary entry, and check the new comment is present
- get diary_entry_path(entry.user, entry)
- assert_response :success
- assert_select ".diary-comment", :count => 1 do
- assert_select "#comment#{comment.id}", :count => 1 do
- assert_select "a[href='/user/#{ERB::Util.u(other_user.display_name)}']", :text => other_user.display_name, :count => 1
- end
- assert_select ".richtext", :text => /New comment/, :count => 1
- end
- end
-
- def test_comment_spammy
- user = create(:user)
- other_user = create(:user)
- entry = create(:diary_entry, :user => user)
- create(:diary_entry_subscription, :diary_entry => entry, :user => user)
-
- session_for(other_user)
-
- # Generate some spammy content
- spammy_text = 1.upto(50).map { |n| "http://example.com/spam#{n}" }.join(" ")
-
- # Try creating a spammy comment
- assert_difference "ActionMailer::Base.deliveries.size", 1 do
- assert_difference "DiaryComment.count", 1 do
- perform_enqueued_jobs do
- post comment_diary_entry_path(entry.user, entry, :diary_comment => { :body => spammy_text })
- end
- end
- end
- assert_redirected_to :action => :show, :display_name => entry.user.display_name, :id => entry.id
- email = ActionMailer::Base.deliveries.first
- assert_equal [user.email], email.to
- assert_equal "[OpenStreetMap] #{other_user.display_name} commented on a diary entry", email.subject
- assert_match %r{http://example.com/spam}, email.text_part.decoded
- assert_match %r{http://example.com/spam}, email.html_part.decoded
- ActionMailer::Base.deliveries.clear
- comment = DiaryComment.order(:id).last
- assert_equal entry.id, comment.diary_entry_id
- assert_equal other_user.id, comment.user_id
- assert_equal spammy_text, comment.body
- assert_equal "suspended", User.find(other_user.id).status
-
- # Follow the redirect
- get diary_entries_path(:display_name => user.display_name)
- assert_redirected_to :controller => :users, :action => :suspended
-
- # Now show the diary entry, and check the new comment is not present
- get diary_entry_path(entry.user, entry)
- assert_response :success
- assert_select ".diary-comment", :count => 0
- end
-
def test_index_all
diary_entry = create(:diary_entry)
geo_entry = create(:diary_entry, :latitude => 51.50763, :longitude => -0.10781)