From 038cad9b636c0ad96a0b1152ef5acac87dbf53e8 Mon Sep 17 00:00:00 2001
From: Julian Seidenberg
Date: Wed, 27 May 2009 01:26:34 +0000
Subject: [PATCH] BUGFIX: fixed permissions to allow non-admin user to post and manage blog entries
---
 code/BlogHolder.php | 99 ++++++++++++++++++-----------------
 code/BlogManagementWidget.php | 6 +-+
 2 files changed, 55 insertions(+), 50 deletions(-)
diff --git a/code/BlogHolder.php b/code/BlogHolder.php
index 216059c..d6f9786 100644
--- a/code/BlogHolder.php
+++ b/code/BlogHolder.php
@@ -5,47 +5,47 @@ */ /** - * Blog holder to display summarised blog entries. - * + * Blog holder to display summarised blog entries. + * * A blog holder is the leaf end of a BlogTree, but can also be used standalone in simpler circumstances. * BlogHolders can only hold BlogEntries, BlogTrees can only hold BlogTrees and BlogHolders * BlogHolders have a form on them for easy posting, and an owner that can post to them, BlogTrees don't */ -class BlogHolder extends BlogTree { - +class BlogHolder extends BlogTree implements PermissionProvider { + static $icon = "blog/images/blogholder"; - + static $db = array( 'TrackBacksEnabled' => 'Boolean', 'AllowCustomAuthors' => 'Boolean', ); - + static $has_one = array( 'Owner' => 'Member', ); - + static $allowed_children = array( 'BlogEntry' ); - + function getCMSFields() { $fields = parent::getCMSFields(); $fields->addFieldToTab('Root.Content.Main', new CheckboxField('TrackBacksEnabled', 'Enable TrackBacks')); $fields->addFieldToTab('Root.Content.Main', new DropdownField('OwnerID', 'Blog owner', DataObject::get('Member')->toDropDownMap('ID', 'Name', 'None'))); $fields->addFieldToTab('Root.Content.Main', new CheckboxField('AllowCustomAuthors', 'Allow non-admins to have a custom author field')); - + return $fields; } public function BlogHolderIDs() { return array( $this->ID ); } - + /* * @todo: These next few functions don't really belong in the model. Can we remove them? */ - + /** * Only display the blog entries that have the specified tag */ 
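Review bot: `class BlogHolder extends BlogTree implements PermissionProvider {` declares the interface on the model, but the only `providePermissions()` this patch adds to this file lands on `BlogHolder_Controller` (which extends `BlogTree_Controller`), not on `BlogHolder`. Unless `BlogTree` already supplies `providePermissions()` — outside this diff — PHP will refuse to load `BlogHolder` because an interface method is unimplemented, which takes the whole blog module down rather than just the permission feature. Either move `function providePermissions() { return array("BLOGMANAGEMENT" => "Blog management"); }` into `BlogHolder` itself, or drop the `implements` clause and rely on the declaration of the same code that BlogManagementWidget.php already makes. The class body continues past this hunk.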
@@ -54,63 +54,64 @@ class BlogHolder extends BlogTree { return Convert::raw2xml(Director::urlParam('ID')); } } - + /** * Check if url has "/post" */ function isPost() { return Director::urlParam('Action') == 'post'; } - + /** * Link for creating a new blog entry */ function postURL(){ return $this->Link('post'); } - + /** * Returns true if the current user is an admin, or is the owner of this blog * * @return Boolean */ function IsOwner() { - return Permission::check('ADMIN') || (Member::currentUserID() == $this->OwnerID); + return (Permission::check('BLOGMANAGEMENT') || Permission::check('ADMIN')); + //return Permission::check('ADMIN') || (Member::currentUserID() == $this->OwnerID); } - + /** * Create default blog setup */ function requireDefaultRecords() { parent::requireDefaultRecords(); - + if(!DataObject::get_one('BlogHolder')) { $blogholder = new BlogHolder(); $blogholder->Title = "Blog"; $blogholder->URLSegment = "blog"; $blogholder->Status = "Published"; - + $widgetarea = new WidgetArea(); $widgetarea->write(); - + $blogholder->SideBarID = $widgetarea->ID; $blogholder->write(); $blogholder->publish("Stage", "Live"); - + $managementwidget = new BlogManagementWidget(); $managementwidget->ParentID = $widgetarea->ID; $managementwidget->write(); - + $tagcloudwidget = new TagCloudWidget(); $tagcloudwidget->ParentID = $widgetarea->ID; $tagcloudwidget->write(); - + $archivewidget = new ArchiveWidget(); $archivewidget->ParentID = $widgetarea->ID; $archivewidget->write(); - + $widgetarea->write(); - + $blog = new BlogEntry(); $blog->Title = _t('BlogHolder.SUCTITLE', "SilverStripe blog module successfully installed"); $blog->URLSegment = 'sample-blog-entry'; @@ -120,7 +121,7 @@ class BlogHolder extends BlogTree { $blog->ParentID = $blogholder->ID; $blog->write(); $blog->publish("Stage", "Live"); - + Database::alteration_message("Blog page created","created"); } } 
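Review bot: The new `IsOwner()` body drops the `OwnerID` comparison entirely, so the member chosen in the 'Blog owner' dropdown can no longer post unless also granted BLOGMANAGEMENT, while every BLOGMANAGEMENT holder may post to every BlogHolder; the docblock above it still promises "or is the owner of this blog", and the old line is left behind as a comment. If per-blog ownership is still intended, restore it with a guard against the unset owner: `return Permission::check('ADMIN') || Permission::check('BLOGMANAGEMENT') || ($this->OwnerID && Member::currentUserID() == $this->OwnerID);` — the guard matters because with 'None' selected OwnerID is 0, and if `Member::currentUserID()` yields null or 0 for anonymous visitors, the loose `==` in the old line would have treated every visitor as the owner. Delete the commented-out line either way, and note that `Permission::check('ADMIN')` is probably redundant if, as in SilverStripe's non-strict check, ADMIN implies every other code — worth confirming against the framework version in use.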
@@ -131,30 +132,34 @@ class BlogHolder_Controller extends BlogTree_Controller { parent::init(); Requirements::themedCSS("bbcodehelp"); } - + /** * Return list of usable tags for help */ function BBTags() { return BBCodeParser::usable_tags(); } - + + function providePermissions() { + return array("BLOGMANAGEMENT" => "Blog management"); + } + /** * Post a new blog entry */ function post(){ if(!$this->IsOwner()){ - Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.')); + Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'You do not have sufficient permissions to post blog entries. Please log in.')); } - + $page = $this->customise(array( 'Content' => false, 'Form' => $this->BlogEntryForm() )); - + return $page->renderWith('Page'); } - + /** * A simple form for creating blog entries */ @@ -164,25 +169,25 @@ class BlogHolder_Controller extends BlogTree_Controller { Requirements::javascript('jsparty/scriptaculous/effects.js'); Requirements::javascript('cms/javascript/PageCommentInterface.js'); Requirements::javascript('blog/javascript/bbcodehelp.js'); - + $id = 0; if(Director::urlParam('ID')) { $id = (int) Director::urlParam('ID'); } - + $codeparser = new BBCodeParser(); $membername = Member::currentMember() ? Member::currentMember()->getName() : ""; - + if(BlogEntry::$allow_wysiwyg_editing) { $contentfield = new HtmlEditorField("BlogPost", _t("BlogEntry.CN")); } else { - $contentfield = new CompositeField( + $contentfield = new CompositeField( new LiteralField("BBCodeHelper",""._t("BlogEntry.BBH")."
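Review bot: In `post()`, `Security::permissionFailure(...)` is called but its result is not returned, so after the failure the method still builds `BlogEntryForm()` and renders the page for the unauthorised visitor; if `permissionFailure` merely sets a redirect (as it appears to in this SilverStripe generation — to be confirmed), the form body is still sent with it. Change the line to `return Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'You do not have sufficient permissions to post blog entries. Please log in.'));`. Note also that, as far as this diff shows, `post()` is the only place `IsOwner()` gates the holder: `postblog()` further down only checks `IsOwner()` on an existing entry and creates a new `BlogEntry` unconditionally when `$data['ID']` is empty, so a direct POST to the form action would bypass this check unless something outside the diff guards it. `BlogEntryForm()` starts in this hunk and continues beyond it.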
" ), new TextareaField("BlogPost", _t("BlogEntry.CN"),20), // This is called BlogPost as the id #Content is generally used already new LiteralField("BBCodeTags","
".$codeparser->useable_tagsHTML()."
") ); } - + if(class_exists('TagField')) { $tagfield = new TagField('Tags', null, null, 'BlogEntry'); $tagfield->setSeparator(', '); @@ -201,14 +206,14 @@ class BlogHolder_Controller extends BlogTree_Controller { $tagfield, new LiteralField("Tagsnote"," ") - ); - + ); + $submitAction = new FormAction('postblog', _t('BlogHolder.POST', 'Post blog entry')); $actions = new FieldSet($submitAction); $validator = new RequiredFields('Title','Content'); - + $form = new Form($this, 'BlogEntryForm',$fields, $actions,$validator); - + if($id != 0) { $entry = DataObject::get_by_id('BlogEntry', $id); if($entry->IsOwner()) { @@ -218,33 +223,33 @@ class BlogHolder_Controller extends BlogTree_Controller { } else { $form->loadDataFrom(array("Author" => Cookie::get("BlogHolder_Name"))); } - + return $form; } - + function postblog($data, $form) { Cookie::set("BlogHolder_Name", $data['Author']); $blogentry = false; - + if($data['ID']) { $blogentry = DataObject::get_by_id("BlogEntry", $data['ID']); if(!$blogentry->IsOwner()) { unset($blogentry); } } - + if(!$blogentry) { $blogentry = new BlogEntry(); } - + $form->saveInto($blogentry); $blogentry->ParentID = $this->ID; $blogentry->Content = $form->datafieldByName('BlogPost')->dataValue(); - + $blogentry->Status = "Published"; $blogentry->writeToStage("Stage"); $blogentry->publish("Stage", "Live"); - + Director::redirect($this->Link()); } } diff --git a/code/BlogManagementWidget.php b/code/BlogManagementWidget.php index 2874682..9cafcf9 100644 --- a/code/BlogManagementWidget.php +++ b/code/BlogManagementWidget.php @@ -33,7 +33,7 @@ class BlogManagementWidget extends Widget implements PermissionProvider { } function CommentLink() { - if(!Permission::check('ADMIN')) { + if(!Permission::check('BLOGMANAGEMENT')) { return false; } $unmoderatedcount = DB::query("SELECT COUNT(*) FROM PageComment WHERE NeedsModeration=1")->value(); 
@@ -46,11 +46,11 @@ class BlogManagementWidget extends Widget implements PermissionProvider { } function providePermissions() { - return array("BLOGMANAGEMENTWIDGET_VIEW" => "View blog management widget"); + return array("BLOGMANAGEMENT" => "Blog management"); } function WidgetHolder() { - if(Permission::check("BLOGMANAGEMENTWIDGET_VIEW")) { + if(Permission::check("BLOGMANAGEMENT")) { return $this->renderWith("WidgetHolder"); } }
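Review bot: Renaming the permission code from `BLOGMANAGEMENTWIDGET_VIEW` to `BLOGMANAGEMENT` silently revokes the widget from every group that was granted the old code, because stored Permission rows are not migrated anywhere in this patch. Either keep honouring the old code for a compatibility window, `if(Permission::check("BLOGMANAGEMENT") || Permission::check("BLOGMANAGEMENTWIDGET_VIEW")) {`, or add a one-off migration in `requireDefaultRecords()` that rewrites the old code to the new one. The same `"BLOGMANAGEMENT" => "Blog management"` entry is now also declared by `BlogHolder_Controller::providePermissions()` in BlogHolder.php; one declaration is enough, and two copies of the same code and label will drift apart.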