RSS feeds are now smart about password-protected webs

CHANGELOG

@@ -8,6 +8,9 @@
           "textile link":LinkToSomePlace will not look insane.
           RSS feeds accept query parameters, sush as 
           http://localhost:2500/wiki/rss_with_headlines?start=2005-02-18&end=2005-02-19&limit=10
+          RSS feed wiuth page contents for a password-protected web behaves as follows:
+            if the web is published, RSS feed links to the published version of the web
+            otherwise, the feed is not available
           Madeleine will check every hour if there are new commands in the log or 24 hours have 
           passed since last snapshot, and take snapshot if either of these conditions is true
           Madeleine will also not log read-only operations, resulting in a better performance

app/controllers/application.rb

@@ -28,10 +28,8 @@ class ApplicationController < ActionController::Base
   end
 
   def check_authorization
-    if in_a_web? and 
+    if in_a_web? and needs_authorization?(@action_name) and not authorized? and 
-        not authorized? and 
+      redirect_to :controller => 'wiki', :action => 'login', :web => @web_name
-        not %w( login authenticate published ).include?(@action_name)
-      redirect_to :action => 'login', :web => @web_name
       return false
     end
   end
@@ -126,4 +124,8 @@ class ApplicationController < ActionController::Base
     $instiki_wiki_service
   end
 
+  def needs_authorization?(action)
+    not %w( login authenticate published rss_with_content rss_with_headlines ).include?(action)
+  end
+
 end

app/controllers/wiki_controller.rb

@@ -75,6 +75,7 @@ class WikiController < ApplicationController
   end
 
   def feeds
+    @rss_with_content_allowed = rss_with_content_allowed?
     # show the template
   end
 
@@ -91,7 +92,12 @@ class WikiController < ApplicationController
   end
 
   def rss_with_content
-    render_rss(hide_description = false, *parse_rss_params)
+    if rss_with_content_allowed?
+      render_rss(hide_description = false, *parse_rss_params)
+    else
+      render_text 'RSS feed with content for this web is blocked for security reasons. ' +
+        'The web is password-protected and not published', '403 Forbidden'
+    end
   end
 
   def rss_with_headlines
@@ -326,6 +332,8 @@ class WikiController < ApplicationController
     
     @hide_description = hide_description
     @response.headers['Content-Type'] = 'text/xml'
+    @link_action = @web.password ? 'published' : 'show'
+    
     render 'wiki/rss_feed'
   end
 
@@ -343,6 +351,10 @@ class WikiController < ApplicationController
     @template.render_file(template_name)
   end
   
+  def rss_with_content_allowed?
+    @web.password.nil? or @web.published
+  end
+  
   def truncate(text, length = 30, truncate_string = '...')
     if text.length > length then text[0..(length - 3)] + truncate_string else text end
   end

app/views/wiki/feeds.rhtml

@@ -4,7 +4,7 @@
 
 <ul id="feedsList">
   <li>
-    <% unless @web.password and not @web.published %>
+    <% if @rss_with_content_allowed %>
       <%= link_to 'Full content (RSS 2.0)', :web => @web.address, :action => :rss_with_content %>
     <% end %>
   </li>

app/views/wiki/rss_feed.rhtml

@@ -2,7 +2,7 @@
 <rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
 	<channel>
 		<title><%= @web.name %></title>
-		<link><%= url_for :only_path => false, :web => @web_name, :action => 'show', :id => 'HomePage' %></link>
+		<link><%= url_for :only_path => false, :web => @web_name, :action => @link_action, :id => 'HomePage' %></link>
 		<description>An Instiki wiki</description>
 		<language>en-us</language>
 		<ttl>40</ttl>
@@ -10,11 +10,11 @@
 		<item>
       <title><%= page.plain_name %></title>
     <% unless @hide_description %>
-      <description><%= CGI.escapeHTML(page.display_content) %></description>
+      <description><%= h page.display_content %></description>
     <% end %>
       <pubDate><%= page.created_at.strftime "%a, %e %b %Y %H:%M:%S %Z" %></pubDate>
-      <guid><%= url_for :only_path => false, :web => @web_name, :action => 'show', :id => page.name %></guid>
+      <guid><%= url_for :only_path => false, :web => @web_name, :action => @link_action, :id => page.name %></guid>
-      <link><%= url_for :only_path => false, :web => @web_name, :action => 'show', :id => page.name %></link>
+      <link><%= url_for :only_path => false, :web => @web_name, :action => @link_action, :id => page.name %></link>
       <dc:creator><%= WikiWords.separate(page.author) %></dc:creator>
     </item>
   <% end %>

test/functional/wiki_controller_test.rb

@@ -369,6 +369,16 @@ class WikiControllerTest < Test::Unit::TestCase
     assert !r.template_objects['hide_description']
   end
 
+  def test_rss_with_content_when_blocked
+    setup_wiki_with_three_pages
+    @web.password = 'aaa'
+    @web.published = false
+    
+    r = process 'rss_with_content', 'web' => 'wiki1'
+    
+    assert_equal 403, r.response_code
+  end
+  
 
   def test_rss_with_headlines
     setup_wiki_with_three_pages
@@ -400,6 +410,30 @@ class WikiControllerTest < Test::Unit::TestCase
     assert_template_xpath_match '/rss/channel/item/link', expected_page_links
   end
 
+  def test_rss_switch_links_to_published
+    setup_wiki_with_three_pages
+    @web.password = 'aaa'
+    @web.published = true
+    
+    @request.host = 'foo.bar.info'
+    @request.port = 80
+
+    r = process 'rss_with_headlines', 'web' => 'wiki1'
+
+    assert_success
+    xml = REXML::Document.new(r.body)
+
+    expected_page_links =
+        ['http://foo.bar.info/wiki1/published/HomePage',
+         'http://foo.bar.info/wiki1/published/Oak',
+         'http://foo.bar.info/wiki1/published/Elephant']
+    
+    assert_template_xpath_match '/rss/channel/link', 
+        'http://foo.bar.info/wiki1/published/HomePage'
+    assert_template_xpath_match '/rss/channel/item/guid', expected_page_links
+    assert_template_xpath_match '/rss/channel/item/link', expected_page_links
+  end
+
   def test_rss_with_params
     setup_wiki_with_30_pages