Unverified Commit e31c5ff4 authored by Benjamin Neff's avatar Benjamin Neff Committed by Steffen van Bergerem

Handle unauthenticated users for likes/comments of private posts

closes #7583
parent 350e2486
......@@ -17,6 +17,7 @@
* Fix mixed username and timestamp with LTR/RTL scripts [#7575](https://github.com/diaspora/diaspora/pull/7575)
* Prevent users from zooming in IE Mobile [#7589](https://github.com/diaspora/diaspora/pull/7589)
* Fix recipient prefill on contacts and profile page [#7599](https://github.com/diaspora/diaspora/pull/7599)
* Display likes and reshares without login [#7583](https://github.com/diaspora/diaspora/pull/7583)
## Features
* Ask for confirmation when leaving a submittable comment field [#7530](https://github.com/diaspora/diaspora/pull/7530)
......
......@@ -11,6 +11,10 @@ class CommentsController < ApplicationController
head :not_found
end
rescue_from Diaspora::NonPublic do
authenticate_user!
end
def create
begin
comment = comment_service.create(params[:post_id], params[:text])
......
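Review bot: The new `rescue_from Diaspora::NonPublic` handler only terminates the request when nobody is signed in — `authenticate_user!` is a no-op for an authenticated user, so if `Diaspora::NonPublic` can also be raised for a signed-in user who lacks visibility of the post, the handler falls through without rendering and the response is left to Rails' defaults rather than the `head :not_found` the `RecordNotFound` handler just above returns. If the service layer guarantees the exception only fires on anonymous lookups, say so where the handler is defined, e.g. `# NonPublic is only raised for anonymous lookups, so authenticate_user! always ends the request`; otherwise make it explicit with `user_signed_in? ? head(:not_found) : authenticate_user!`. Note also that answering 401 for a private post and 404 for a missing one lets an anonymous client tell the two apart, an existence oracle for private post IDs — probably consistent with the rest of the app, but worth being deliberate about. The class body and `create` continue outside the hunk.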
......@@ -10,6 +10,10 @@ class LikesController < ApplicationController
:mobile,
:json
rescue_from Diaspora::NonPublic do
authenticate_user!
end
def create
like = like_service.create(params[:post_id])
rescue ActiveRecord::RecordNotFound, ActiveRecord::RecordInvalid
......
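Review bot: This `rescue_from Diaspora::NonPublic` block is byte-for-byte the same handler added to `CommentsController` in this commit; a single definition in `ApplicationController` or a small concern would keep the anonymous-access policy in one place so the two controllers cannot drift (for instance if one later switches to `head :not_found` for signed-in users). As written the handler relies on `authenticate_user!` halting the request, which holds only for anonymous callers; if `Diaspora::NonPublic` can reach this handler with a user signed in, nothing is rendered — a short comment stating that invariant, or an explicit `user_signed_in? ? head(:not_found) : authenticate_user!`, would make the intent clear. Since this controller also responds to `:mobile`, a caveat that `authenticate_user!` redirects to sign-in for HTML/mobile and returns 401 for JSON would help readers of the handler. `create` continues outside the hunk.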
......@@ -4,7 +4,6 @@
describe CommentsController, :type => :controller do
before do
allow(@controller).to receive(:current_user).and_return(alice)
sign_in alice, scope: :user
end
......@@ -62,6 +61,7 @@ describe CommentsController, :type => :controller do
aspect_to_post = eve.aspects.where(:name => "generic").first
@post = eve.post :status_message, :text => 'GIANTS', :to => aspect_to_post
allow(@controller).to receive(:current_user).and_return(alice)
expect(alice).not_to receive(:comment)
post :create, params: comment_hash
expect(response.code).to eq("404")
......@@ -102,6 +102,7 @@ describe CommentsController, :type => :controller do
it "lets the user delete their comment" do
comment = alice.comment!(@message, "hey")
allow(@controller).to receive(:current_user).and_return(alice)
expect(alice).to receive(:retract).with(comment)
delete :destroy, params: {post_id: 1, id: comment.id}, format: :js
expect(response.status).to eq(204)
......@@ -111,6 +112,7 @@ describe CommentsController, :type => :controller do
comment1 = bob.comment!(@message, "hey")
comment2 = eve.comment!(@message, "hey")
allow(@controller).to receive(:current_user).and_return(alice)
expect(alice).not_to receive(:retract).with(comment1)
delete :destroy, params: {post_id: 1, id: comment2.id}, format: :js
expect(response.status).to eq(403)
......@@ -154,5 +156,12 @@ describe CommentsController, :type => :controller do
get :index, params: {post_id: message.id}, format: :json
expect(response.status).to eq(404)
end
it "returns a 401 for a private post when logged out" do
bob.comment!(@message, "hey")
sign_out :user
get :index, params: {post_id: @message.id}, format: :json
expect(response.status).to eq(401)
end
end
end
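Review bot: The new "returns a 401 for a private post when logged out" example only checks the status code; since it creates a comment with the text "hey" on the post, adding `expect(response.body).not_to include("hey")` would also prove that the handler does not leak the comment content alongside the 401. Whether `@message` is actually a private (non-public) post is set up in a `before` block outside this hunk, so the example's premise cannot be verified from here — a one-line comment such as `# @message is posted to an aspect, so it is not public` at the top of the example would document it. Moving the `current_user` stub out of the top-level `before` block and into the individual examples that set message expectations on `alice` looks intentional (the expectation needs the same object Devise returns), but a brief comment on one of those examples explaining why the stub is needed there would save the next reader from removing it again.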
......@@ -101,6 +101,13 @@ describe LikesController, type: :controller do
get :index, params: {post_id: post.id}, format: :json
expect(JSON.parse(response.body).map {|h| h["id"] }).to match_array(post.likes.map(&:id))
end
it "returns a 401 for a private post when logged out" do
bob.like!(@message)
sign_out :user
get :index, params: {post_id: @message.id}, format: :json
expect(response.status).to eq(401)
end
end
describe "#destroy" do
......
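Review bot: The new example covers only `index` for the logged-out case; `create` and `destroy` of a like on the same private post when signed out are not exercised, so the 401 behaviour for those actions rests on whatever `before_action` guards exist outside this hunk. A companion example of the form `sign_out :user; post :create, params: {post_id: @message.id}, format: :json; expect(response.status).to eq(401)` would pin that down. As with the comments spec, `@message` is created in a `before` block outside the hunk, so its private visibility is assumed rather than shown here; a one-line comment stating it would help.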