Merge pull request #3388 from AlchemyCMS/permit-show-admin-page

Fix admin page preview permissions

Author: tvdeyen

app/controllers/alchemy/admin/pages_controller.rb

@@ -72,6 +72,8 @@ def tree
       # Used by page preview iframe in Page#edit view.
       #
       def show
+        authorize! :edit_content, @page
+
         Current.preview_page = @page
         # Setting the locale to pages language, so the page content has it's correct translations.
         ::I18n.locale = @page.language.locale

spec/requests/alchemy/admin/pages_controller_spec.rb

@@ -12,6 +12,12 @@ module Alchemy
         get admin_pages_path
         expect(request).to redirect_to(Alchemy.login_path)
       end
+
+      it "can not access page preview of a public page" do
+        page = create(:alchemy_page, :public)
+        get admin_page_path(page)
+        expect(request).to redirect_to(Alchemy.login_path)
+      end
     end
 
     context "a member" do
@@ -21,6 +27,12 @@ module Alchemy
         get admin_pages_path
         expect(request).to redirect_to(root_path)
       end
+
+      it "can not access page preview of a public page" do
+        page = create(:alchemy_page, :public)
+        get admin_page_path(page)
+        expect(request).to redirect_to("/")
+      end
     end
 
     context "with logged in editor user" do
@@ -274,6 +286,11 @@ module Alchemy
         let(:language) { create(:alchemy_language, locale: "nl") }
         let!(:page) { create(:alchemy_page, language: language) }
 
+        it "can be accessed" do
+          get admin_page_path(page)
+          expect(response).to be_successful
+        end
+
         it "should assign @preview_mode with true" do
           get admin_page_path(page)
           expect(assigns(:preview_mode)).to eq(true)