From bcaa2f6079577cad3acfa004f625bc49c145c047 Mon Sep 17 00:00:00 2001 From: Brian Austin Date: Tue, 12 May 2026 22:49:39 +0200 Subject: [PATCH] AO3-7388 Redirect to user skin page with error if trying to preview a skin you can't use This reverts commit 8c294d150b9bb7154380117820719481116b747a. Co-authored-by: Lim Zhe Rui <88964793+zrei@users.noreply.github.com> --- app/controllers/skins_controller.rb | 9 +- config/locales/controllers/en.yml | 2 + spec/controllers/skins_controller_spec.rb | 197 ++++++++++++++++++++++ 3 files changed, 206 insertions(+), 2 deletions(-) diff --git a/app/controllers/skins_controller.rb b/app/controllers/skins_controller.rb index 4adef9bdff5..326dbe87c01 100644 --- a/app/controllers/skins_controller.rb +++ b/app/controllers/skins_controller.rb @@ -1,9 +1,9 @@ class SkinsController < ApplicationController - before_action :users_only, only: [:new, :create, :destroy] + before_action :users_only, only: [:new, :create, :destroy, :preview] before_action :load_skin, except: [:index, :new, :create, :unset] before_action :check_ownership_or_admin, only: [:edit, :update] before_action :check_ownership, only: [:confirm_delete, :destroy] - before_action :check_visibility, only: [:show] + before_action :check_visibility, only: [:show, :preview] before_action :check_editability, only: [:edit, :update, :confirm_delete, :destroy] #### ACTIONS @@ -129,6 +129,11 @@ def update # Get /skins/1/preview def preview + if @skin.is_a?(WorkSkin) || @skin.unusable? + flash[:error] = t(".cannot_preview") + redirect_to user_skins_path(current_user) and return + end + flash[:notice] = [] flash[:notice] << ts("You are previewing the skin %{title}. This is a randomly chosen page.", title: @skin.title) flash[:notice] << ts("Go back or click any link to remove the skin.") diff --git a/config/locales/controllers/en.yml b/config/locales/controllers/en.yml index e1198536650..5f313ec9c63 100644 --- a/config/locales/controllers/en.yml +++ b/config/locales/controllers/en.yml @@ -314,6 +314,8 @@ en: index: public_site_page_title: Public Site Skins public_work_page_title: Public Work Skins + preview: + cannot_preview: Sorry, you can't preview that skin. stats: index: page_title: "%{username} - Stats" diff --git a/spec/controllers/skins_controller_spec.rb b/spec/controllers/skins_controller_spec.rb index b798c1c9063..1dd6486bbd4 100644 --- a/spec/controllers/skins_controller_spec.rb +++ b/spec/controllers/skins_controller_spec.rb @@ -622,4 +622,201 @@ end end end + + describe "GET #preview" do + let(:skin_creator) { create(:user) } + let(:other_user) { create(:user) } + subject { get :preview, params: { id: skin.id } } + + shared_examples "a skin admins cannot preview" do + before do + fake_login_admin(admin) + end + + context "when logged in as an admin with no role" do + let(:admin) { create(:admin, roles: []) } + + it "redirects with an error" do + subject + # This actually redirects to the root path + it_redirects_to_user_login_with_error + end + end + + Admin::VALID_ROLES.each do |role| + context "when logged in as an admin with role #{role}" do + let(:admin) { create(:admin, roles: [role]) } + + it "redirects with an error" do + subject + # This actually redirects to the root path + it_redirects_to_user_login_with_error + end + end + end + end + + shared_examples "a skin guests cannot preview" do + context "when not logged in" do + it "errors and redirects to user_login" do + subject + it_redirects_to_user_login_with_error + end + end + end + + shared_examples "a public skin that cannot be previewed" do + context "when logged in as the skin creator" do + it "errors and redirects to user_skins_path" do + fake_login_known_user(skin.author) + subject + + it_redirects_to_with_error(user_skins_path(skin.author), "Sorry, you can't preview that skin.") + end + end + + context "when logged in as a user who isn't the skin author" do + it "errors and redirects to user_skins_path" do + fake_login_known_user(other_user) + subject + + it_redirects_to_with_error(user_skins_path(other_user), "Sorry, you can't preview that skin.") + end + end + + context "when logged in as an admin" do + it_behaves_like "a skin admins cannot preview" + end + + context "when not logged in" do + it_behaves_like "a skin guests cannot preview" + end + end + + shared_examples "a non-public skin that cannot be previewed" do + context "when logged in as the skin creator" do + it "errors and redirects to user_skins_path" do + fake_login_known_user(skin.author) + subject + + it_redirects_to_with_error(user_skins_path(skin.author), "Sorry, you can't preview that skin.") + end + end + + context "when logged in as a user who isn't the skin author" do + it "errors and redirects to user_path" do + fake_login_known_user(other_user) + subject + + it_redirects_to_with_error(user_path(other_user), "Sorry, you don't have permission to access the page you were trying to reach.") + end + end + + context "when logged in as an admin" do + it_behaves_like "a skin admins cannot preview" + end + + context "when not logged in" do + it_behaves_like "a skin guests cannot preview" + end + end + + context "with workskin" do + context "when workskin is public" do + let(:skin) { create(:work_skin, :public, title: "Work Skin", author: skin_creator) } + + it_behaves_like "a public skin that cannot be previewed" + end + + context "when workskin is not public" do + let(:skin) { create(:work_skin, title: "Work Skin", author: skin_creator) } + + it_behaves_like "a non-public skin that cannot be previewed" + end + end + + context "with parent only site skin" do + context "when site skin is public" do + let(:skin) { create(:skin, :public, title: "Parent Only Site Skin", unusable: true, author: skin_creator) } + + it_behaves_like "a public skin that cannot be previewed" + end + + context "when site skin is not public" do + let(:skin) { create(:skin, title: "Parent Only Site Skin", unusable: true, author: skin_creator) } + + it_behaves_like "a non-public skin that cannot be previewed" + end + end + + context "with accessible site skin" do + let(:success) { it_redirects_to_simple(tag_works_path(tag, site_skin: skin.id)) } + let(:tag) { create(:canonical_fandom) } + + before do + FilterCount.create!( + filter: tag, + public_works_count: 10, + unhidden_works_count: 10 + ) + end + + context "when site skin is public" do + let(:skin) { create(:skin, :public, title: "Accessible Site Skin", author: skin_creator) } + + context "when logged in as the skin creator" do + it "succeeds" do + fake_login_known_user(skin.author) + subject + success + end + end + + context "when logged in as a user who isn't the skin author" do + it "succeeds" do + fake_login + subject + success + end + end + + context "when logged in as an admin" do + it_behaves_like "a skin admins cannot preview" + end + + context "when not logged in" do + it_behaves_like "a skin guests cannot preview" + end + end + + context "when site skin is not public" do + let(:skin) { create(:skin, title: "Accessible Site Skin", author: skin_creator) } + + context "when logged in as the skin author" do + it "succeeds" do + fake_login_known_user(skin.author) + subject + success + end + end + + context "when logged in as a user who isn't the skin author" do + it "redirects with an error" do + fake_login_known_user(other_user) + subject + + it_redirects_to_with_error(user_path(other_user), "Sorry, you don't have permission to access the page you were trying to reach.") + end + end + + context "when logged in as an admin" do + it_behaves_like "a skin admins cannot preview" + end + + context "when not logged in" do + it_behaves_like "a skin guests cannot preview" + end + end + end + end end