Handle unauthenticated users for likes/comments of private posts

closes #7583

Changelog.md

@@ -17,6 +17,7 @@
 * Fix mixed username and timestamp with LTR/RTL scripts [#7575](https://github.com/diaspora/diaspora/pull/7575)
 * Prevent users from zooming in IE Mobile [#7589](https://github.com/diaspora/diaspora/pull/7589)
 * Fix recipient prefill on contacts and profile page [#7599](https://github.com/diaspora/diaspora/pull/7599)
+* Display likes and reshares without login [#7583](https://github.com/diaspora/diaspora/pull/7583)
 
 ## Features
 * Ask for confirmation when leaving a submittable comment field [#7530](https://github.com/diaspora/diaspora/pull/7530)

app/controllers/comments_controller.rb

@@ -11,6 +11,10 @@ class CommentsController < ApplicationController
     head :not_found
   end
 
+  rescue_from Diaspora::NonPublic do
+    authenticate_user!
+  end
+
   def create
     begin
       comment = comment_service.create(params[:post_id], params[:text])

app/controllers/likes_controller.rb

@@ -10,6 +10,10 @@ class LikesController < ApplicationController
              :mobile,
              :json
 
+  rescue_from Diaspora::NonPublic do
+    authenticate_user!
+  end
+
   def create
     like = like_service.create(params[:post_id])
   rescue ActiveRecord::RecordNotFound, ActiveRecord::RecordInvalid

spec/controllers/comments_controller_spec.rb

@@ -4,7 +4,6 @@
 
 describe CommentsController, :type => :controller do
   before do
-    allow(@controller).to receive(:current_user).and_return(alice)
     sign_in alice, scope: :user
   end
 
@@ -62,6 +61,7 @@ describe CommentsController, :type => :controller do
       aspect_to_post = eve.aspects.where(:name => "generic").first
       @post = eve.post :status_message, :text => 'GIANTS', :to => aspect_to_post
 
+      allow(@controller).to receive(:current_user).and_return(alice)
       expect(alice).not_to receive(:comment)
       post :create, params: comment_hash
       expect(response.code).to eq("404")
@@ -102,6 +102,7 @@ describe CommentsController, :type => :controller do
       it "lets the user delete their comment" do
         comment = alice.comment!(@message, "hey")
 
+        allow(@controller).to receive(:current_user).and_return(alice)
         expect(alice).to receive(:retract).with(comment)
         delete :destroy, params: {post_id: 1, id: comment.id}, format: :js
         expect(response.status).to eq(204)
@@ -111,6 +112,7 @@ describe CommentsController, :type => :controller do
         comment1 = bob.comment!(@message, "hey")
         comment2 = eve.comment!(@message, "hey")
 
+        allow(@controller).to receive(:current_user).and_return(alice)
         expect(alice).not_to receive(:retract).with(comment1)
         delete :destroy, params: {post_id: 1, id: comment2.id}, format: :js
         expect(response.status).to eq(403)
@@ -154,5 +156,12 @@ describe CommentsController, :type => :controller do
       get :index, params: {post_id: message.id}, format: :json
       expect(response.status).to eq(404)
     end
+
+    it "returns a 401 for a private post when logged out" do
+      bob.comment!(@message, "hey")
+      sign_out :user
+      get :index, params: {post_id: @message.id}, format: :json
+      expect(response.status).to eq(401)
+    end
   end
 end

spec/controllers/likes_controller_spec.rb

@@ -101,6 +101,13 @@ describe LikesController, type: :controller do
       get :index, params: {post_id: post.id}, format: :json
       expect(JSON.parse(response.body).map {|h| h["id"] }).to match_array(post.likes.map(&:id))
     end
+
+    it "returns a 401 for a private post when logged out" do
+      bob.like!(@message)
+      sign_out :user
+      get :index, params: {post_id: @message.id}, format: :json
+      expect(response.status).to eq(401)
+    end
   end
 
   describe "#destroy" do