BUGFIX Using $allowed_actions in BlogHolder, permission checks on BlogHoder_Controller->postblog()
This commit is contained in:
Ingo Schommer
parent
f41973b838
commit
1e809afc65
|
|
@ -128,6 +128,13 @@ class BlogHolder extends BlogTree implements PermissionProvider {
|
|||
}
|
||||
|
||||
class BlogHolder_Controller extends BlogTree_Controller {
|
||||
|
||||
static $allowed_actions = array(
|
||||
'postblog' => 'BLOGMANAGEMENT',
|
||||
'post' => 'BLOGMANAGEMENT',
|
||||
'BlogEntryForm' => 'BLOGMANAGEMENT',
|
||||
);
|
||||
|
||||
function init() {
|
||||
parent::init();
|
||||
Requirements::themedCSS("bbcodehelp");
|
||||
|
|
@ -148,10 +155,6 @@ class BlogHolder_Controller extends BlogTree_Controller {
|
|||
* Post a new blog entry
|
||||
*/
|
||||
function post(){
|
||||
if(!$this->IsOwner()){
|
||||
Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'You do not have sufficient permissions to post blog entries. Please log in.'));
|
||||
}
|
||||
|
||||
$page = $this->customise(array(
|
||||
'Content' => false,
|
||||
'Form' => $this->BlogEntryForm()
|
||||
|
|
@ -231,7 +234,7 @@ class BlogHolder_Controller extends BlogTree_Controller {
|
|||
Cookie::set("BlogHolder_Name", $data['Author']);
|
||||
$blogentry = false;
|
||||
|
||||
if($data['ID']) {
|
||||
if(isset($data['ID']) && $data['ID']) {
|
||||
$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
|
||||
if(!$blogentry->IsOwner()) {
|
||||
unset($blogentry);
|
||||
|
|
|
|||
|
|
@ -0,0 +1,49 @@
|
|||
<?php
|
||||
/**
|
||||
* @package blog
|
||||
* @subpackage tests
|
||||
*/
|
||||
class BlogHolderFunctionalTest extends FunctionalTest {
|
||||
|
||||
static $fixture_file = 'blog/tests/BlogHolderFunctionalTest.yml';
|
||||
|
||||
function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
|
||||
$blogHolder->publish('Stage', 'LIve');
|
||||
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
|
||||
$blogEntry->publish('Stage', 'LIve');
|
||||
}
|
||||
|
||||
function testFrontendBlogPostRequiresPermission() {
|
||||
// get valid SecurityID (from comments form, would usually be copy/pasted)
|
||||
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
|
||||
$response = $this->get($blogEntry->URLSegment);
|
||||
$securityID = Session::get('SecurityID');
|
||||
|
||||
// without login
|
||||
$data = array(
|
||||
'Title'=>'Disallowed',
|
||||
'Author'=>'Disallowed',
|
||||
'Content'=>'Disallowed',
|
||||
'action_postblog' => 'Post blog entry',
|
||||
'SecurityID' => $securityID
|
||||
);
|
||||
$response = $this->post('blog/BlogEntryForm', $data);
|
||||
$this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
|
||||
|
||||
// with login
|
||||
$blogEditor = $this->objFromFixture('Member', 'blog_editor');
|
||||
$blogEditor->logIn();
|
||||
$data = array(
|
||||
'Title'=>'Allowed',
|
||||
'Author'=>'Allowed',
|
||||
'Content'=>'Allowed',
|
||||
'action_postblog' => 'Post blog entry',
|
||||
'SecurityID' => $securityID
|
||||
);
|
||||
$response = $this->post('blog/BlogEntryForm', $data);
|
||||
$this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
Permission:
|
||||
blog_management:
|
||||
Code: BLOGMANAGEMENT
|
||||
Group:
|
||||
blog_editors:
|
||||
Code: blog-editors
|
||||
Permissions: =>Permission.blog_management
|
||||
Member:
|
||||
blog_editor:
|
||||
Email: blogeditor@test.com
|
||||
Groups: =>Group.blog_editors
|
||||
BlogHolder:
|
||||
blogholder:
|
||||
Title: Blog Holder
|
||||
URLSegment: blog
|
||||
BlogEntry:
|
||||
entry1:
|
||||
Title: Blog Entry
|
||||
ProvideComments: 1
|
||||
Parent: =>BlogHolder.blogholder
|
||||
Loading…
Reference in New Issue