-rw-r--r-- | app/models/incoming_message.rb | 4 | ||||
-rw-r--r-- | app/models/info_request.rb | 4 | ||||
-rw-r--r-- | app/views/request/_outgoing_correspondence.text.erb | 12 | ||||
-rw-r--r-- | lib/message_prominence.rb | 4 | ||||
-rw-r--r-- | spec/integration/download_request_spec.rb | 98 |
5 files changed, 112 insertions, 10 deletions
diff --git a/app/models/incoming_message.rb b/app/models/incoming_message.rb
index 6d93dfcb9..8b2aa87e7 100644
--- a/app/models/incoming_message.rb
+++ b/app/models/incoming_message.rb
@@ -69,10 +69,6 @@ class IncomingMessage < ActiveRecord::Base
 self.info_request_events.detect{ |e| e.event_type == 'response' }
 end
- def all_can_view?
- self.prominence == 'normal'
- end
-
 # Return a cached structured mail object
 def mail(force = nil)
 if (!force.nil? || @mail.nil?) && !self.raw_email.nil?
diff --git a/app/models/info_request.rb b/app/models/info_request.rb
index 32e651ff9..fe0c94056 100644
--- a/app/models/info_request.rb
+++ b/app/models/info_request.rb
@@ -1062,7 +1062,9 @@ public
 end
 def all_can_view_all_correspondence?
- all_can_view? && incoming_messages.all?{ |message| message.all_can_view? }
+ all_can_view? &&
+ incoming_messages.all?{ |message| message.all_can_view? } &&
+ outgoing_messages.all?{ |message| message.all_can_view? }
 end
 def indexed_by_search?
diff --git a/app/views/request/_outgoing_correspondence.text.erb b/app/views/request/_outgoing_correspondence.text.erb
index fe2ad901c..80c71cc01 100644
--- a/app/views/request/_outgoing_correspondence.text.erb
+++ b/app/views/request/_outgoing_correspondence.text.erb
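Review bot: In app/models/info_request.rb, `all_can_view_all_correspondence?` now also depends on the prominence of every outgoing message, but the diffstat lists no model-level spec that pins this; the only new coverage is the zip download integration test. A focused example asserting that the predicate is false when a single outgoing message is not 'normal' would catch a regression without going through the download path. The method would also benefit from a one-line comment such as `# True only if the request and every incoming and outgoing message are visible to everyone`, because callers presumably rely on it to decide whether output can be shared between viewers (not visible here, worth confirming).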
@@ -1,4 +1,8 @@
-<%= _('From:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
-<%= _('To:') %> <%= @info_request.public_body.name %>
-<%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
-<%= outgoing_message.get_body_for_text_display %>
+<%- if not outgoing_message.user_can_view?(@user) %>
+ <%= render :partial => 'request/hidden_correspondence.text', :locals => { :message => outgoing_message }%>
+<%- else %>
+ <%= _('From:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
+ <%= _('To:') %> <%= @info_request.public_body.name %>
+ <%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
+ <%= outgoing_message.get_body_for_text_display %>
+<%- end %>
diff --git a/lib/message_prominence.rb b/lib/message_prominence.rb
index 9149a6b28..8f54fcc95 100644
--- a/lib/message_prominence.rb
+++ b/lib/message_prominence.rb
@@ -17,6 +17,10 @@ module MessageProminence
 self.prominence == 'normal'
 end
+ def all_can_view?
+ self.prominence == 'normal'
+ end
+
 end
 end
diff --git a/spec/integration/download_request_spec.rb b/spec/integration/download_request_spec.rb
index 93475fff2..a4e346e47 100644
--- a/spec/integration/download_request_spec.rb
+++ b/spec/integration/download_request_spec.rb
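Review bot: In _outgoing_correspondence.text.erb the visibility decision is made inside the partial with `outgoing_message.user_can_view?(@user)`, so it depends on a controller instance variable the partial is not passed explicitly, and on every other renderer of outgoing messages repeating the same check. Passing the viewer through `:locals`, or filtering the messages before they reach the view, would make that dependency explicit and harder to forget in a new output format. Whether `user_can_view?` handles a nil user for logged-out visitors is not visible in this hunk and is worth confirming. The lines inside the `else` branch also appear to be indented, and in a `.text.erb` template that leading whitespace is emitted into the plain-text output; testing the positive condition first (`<%- if outgoing_message.user_can_view?(@user) %>`) would read more directly than `if not … else`.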
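Review bot: In lib/message_prominence.rb the added `all_can_view?` carries no comment, and its body is identical to the method that ends just above it in the hunk's context (`self.prominence == 'normal'`; that method's name and the enclosing module header are outside the hunk). A comment such as `# Visible to everyone only when prominence is 'normal'; any other value counts as restricted` would record that the check fails closed for unknown values. If the two predicates are meant to stay in step, having one call the other keeps them from drifting apart; if they are expected to diverge, the comment should say so.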
@@ -85,6 +85,54 @@ describe 'when making a zipfile available' do end + context 'when an outgoing message is made "requester_only"' do + + it 'should not include the outgoing message in a download of the entire request + by a non-request owner but should retain them for owner and admin' do + + # Non-owner can download zip with outgoing + non_owner = login(FactoryGirl.create(:user)) + info_request = FactoryGirl.create(:info_request) + + inspect_zip_download(non_owner, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.pdf').should match('Some information please') + end + + # Admin makes the incoming message requester only + admin = login(FactoryGirl.create(:admin_user)) + post_data = {:outgoing_message => {:prominence => 'requester_only', + :prominence_reason => 'boring', + :body => 'Some information please'}} + admin.post_via_redirect "/en/admin/outgoing/update/#{info_request.outgoing_messages.first.id}", post_data + admin.response.should be_success + + # Admin retains the requester only things + inspect_zip_download(admin, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.pdf').should match('Some information please') + end + + # Zip for non owner is now without requester_only things + inspect_zip_download(non_owner, info_request) do |zip| + zip.count.should == 1 + correspondence_text = zip.read('correspondence.pdf') + correspondence_text.should_not match('Some information please') + expected_text = "This message has been hidden.\n boring" + correspondence_text.should match(expected_text) + end + + # Requester retains the requester only things + owner = login(info_request.user) + inspect_zip_download(owner, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.pdf').should match('Some information please') + end + + end + + end + end context 'when no html to pdf converter is supplied' do 
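Review bot: The new example covers a logged-in non-owner, an admin and the owner, but never a logged-out visitor, which is the case where the viewer handed to the visibility check would be nil (assuming anonymous users can reach the download, which is not visible here). It also exercises only `'requester_only'`, so any other non-normal prominence value the model accepts is untested on this path. The comment `# Admin makes the incoming message requester only` should say `outgoing`, both here and in the copy of this example in the third hunk of this file.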
@@ -176,7 +224,7 @@ describe 'when making a zipfile available' do it 'should not include the incoming message or attachments in a download of the entire request by a non-request owner but should retain them for owner and admin' do - # Non-owner can download zip with incoming and attachments + # Non-owner can download zip with outgoing non_owner = login(FactoryGirl.create(:user)) info_request = FactoryGirl.create(:info_request_with_incoming_attachments) 
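Review bot: This comment edit looks applied to the wrong example: the surrounding test is the incoming-message one (its title and the `:info_request_with_incoming_attachments` factory are in the context lines), yet its comment now reads `# Non-owner can download zip with outgoing`. The new outgoing-message example in the next hunk meanwhile carries `# Non-owner can download zip with incoming and attachments`. Swapping the two back keeps each comment describing the test it sits in. The `it` block continues outside the hunk.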
@@ -218,6 +266,54 @@ describe 'when making a zipfile available' do end + context 'when an outgoing message is made "requester_only"' do + + it 'should not include the outgoing message in a download of the entire request + by a non-request owner but should retain them for owner and admin' do + + # Non-owner can download zip with incoming and attachments + non_owner = login(FactoryGirl.create(:user)) + info_request = FactoryGirl.create(:info_request) + + inspect_zip_download(non_owner, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('Some information please') + end + + # Admin makes the incoming message requester only + admin = login(FactoryGirl.create(:admin_user)) + post_data = {:outgoing_message => {:prominence => 'requester_only', + :prominence_reason => 'boring', + :body => 'Some information please'}} + admin.post_via_redirect "/en/admin/outgoing/update/#{info_request.outgoing_messages.first.id}", post_data + admin.response.should be_success + + # Admin retains the requester only things + inspect_zip_download(admin, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('Some information please') + end + + # Zip for non owner is now without requester_only things + inspect_zip_download(non_owner, info_request) do |zip| + zip.count.should == 1 + correspondence_text = zip.read('correspondence.txt') + correspondence_text.should_not match('Some information please') + expected_text = 'This message has been hidden. 
boring' + correspondence_text.should match(expected_text) + end + + # Requester retains the requester only things + owner = login(info_request.user) + inspect_zip_download(owner, info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('Some information please') + end + + end + + end + it 'should successfully make a zipfile for an external request' do external_request = FactoryGirl.create(:external_request) user = login(FactoryGirl.create(:user)) |
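Review bot: This example is a line-for-line copy of the one added in the first hunk of this file, differing only in the archive member name (`correspondence.txt` instead of `correspondence.pdf`) and in how the expected hidden-message text is written. A shared example group that takes the filename would keep the two copies of this authorization check from drifting apart. The expected text here has a line break inside the single-quoted literal where the first hunk uses `\n` in a double-quoted string (this may be an artefact of how the page was captured). In either form `should match(expected_text)` compiles the String as a pattern, so `should include(expected_text)` or `Regexp.escape` would make the assertion literal.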