From ff9c6ec057f3ff04b82afec4825d181af691cda0 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Tue, 7 Jul 2009 23:49:43 +0000
Subject: [PATCH 2/3] BUGFIX: Improvement permission checking of postblog and BlogEntryForm

---
 code/BlogHolder.php | 20 +++++++++---
 tests/BlogHolderFunctionalTest.php | 49 ++++++++++++++++++++++++++++++
 tests/BlogHolderFunctionalTest.yml | 20 ++++++++++++
 3 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 tests/BlogHolderFunctionalTest.php
 create mode 100644 tests/BlogHolderFunctionalTest.yml

diff --git a/code/BlogHolder.php b/code/BlogHolder.php
index 2bdc475..ec71169 100644
--- a/code/BlogHolder.php
+++ b/code/BlogHolder.php
@@ -166,6 +166,16 @@ class BlogHolder extends Page {
 }
 class BlogHolder_Controller extends Page_Controller {
+
+ static $allowed_actions = array(
+ 'postblog' => 'BLOGMANAGEMENT',
+ 'post' => 'BLOGMANAGEMENT',
+ 'BlogEntryForm' => 'BLOGMANAGEMENT',
+ 'rss',
+ 'tag',
+ 'showarchive',
+ );
+
 function init() {
 parent::init();
@@ -258,9 +268,7 @@ class BlogHolder_Controller extends Page_Controller {
 * Post a new blog entry
 */
 function post(){
- if(!Permission::check('ADMIN')){
- Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
- }
+ if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
 $page = $this->customise(array(
 'Content' => false,
@@ -283,6 +291,8 @@ class BlogHolder_Controller extends Page_Controller {
 * A simple form for creating blog entries
 */
 function BlogEntryForm() {
+ if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
+
 Requirements::javascript('jsparty/behaviour.js');
 Requirements::javascript('jsparty/prototype.js');
 Requirements::javascript('jsparty/scriptaculous/effects.js');
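Review bot: The `'postblog' => 'BLOGMANAGEMENT'` entry in $allowed_actions does not on its own protect the form submission path: a POST to blog/BlogEntryForm is, as far as I can tell from the test in this patch, dispatched through the form's own action handling, so this map is consulted for `BlogEntryForm` but not for the `postblog` handler it then invokes — the explicit check inside postblog() later in the patch is what closes that path, and a comment saying so would stop a future cleanup from removing it. I'd add above the entry: `// 'postblog' is also reached via the Form's submission handling, which bypasses this map; postblog() re-checks the permission itself.` It is also worth confirming that declaring $allowed_actions here does not hide actions the parent Page_Controller exposes, since whether this static is merged with the parent's or replaces it depends on the framework version and is not visible in the hunk. The enclosing class continues past the hunk.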
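Review bot: The new guard in post() drops the user-facing, localised message that the removed lines passed to Security::permissionFailure(), so a visitor reaching blog/post now gets the generic permission page with no hint of what is required. Keeping the message, with its wording updated for the new permission code, is one line: `if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs requires blog management permission. Please log in.'));`. The added `return` is the real fix here — the removed code fell through to the customise() call below after signalling the failure — and should stay regardless. post() continues past the hunk.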
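Review bot: BlogEntryForm() is the controller's form factory and is presumably also invoked from a template as $BlogEntryForm by the page that post() customises; when called that way the early `return Security::permissionFailure()` hands the template a response object instead of a Form, and whatever that stringifies to becomes page content rather than a redirect. Because post() checks the same permission first this is only reachable if some other template embeds the form, but a comment would make the intent explicit: `// Guards direct URL access (blog/BlogEntryForm); template callers must already have checked BLOGMANAGEMENT.` The function continues past the hunk.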
@@ -342,10 +352,12 @@ class BlogHolder_Controller extends Page_Controller {
 }
 function postblog($data, $form) {
+ if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
+
 Cookie::set("BlogHolder_Name", $data['Author']);
 $blogentry = false;
- if($data['ID']) {
+ if(isset($data['ID']) && $data['ID']) {
 $blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
 }
diff --git a/tests/BlogHolderFunctionalTest.php b/tests/BlogHolderFunctionalTest.php
new file mode 100644
index 0000000..566cf00
--- /dev/null
+++ b/tests/BlogHolderFunctionalTest.php
@@ -0,0 +1,49 @@
+objFromFixture('BlogHolder', 'blogholder');
+ $blogHolder->publish('Stage', 'LIve');
+ $blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+ $blogEntry->publish('Stage', 'LIve');
+ }
+
+ function testFrontendBlogPostRequiresPermission() {
+ // get valid SecurityID (from comments form, would usually be copy/pasted)
+ $blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+ $response = $this->get($blogEntry->URLSegment);
+ $securityID = Session::get('SecurityID');
+
+ // without login
+ $data = array(
+ 'Title'=>'Disallowed',
+ 'Author'=>'Disallowed',
+ 'Content'=>'Disallowed',
+ 'action_postblog' => 'Post blog entry',
+ 'SecurityID' => $securityID
+ );
+ $response = $this->post('blog/BlogEntryForm', $data);
+ $this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
+
+ // with login
+ $blogEditor = $this->objFromFixture('Member', 'blog_editor');
+ $blogEditor->logIn();
+ $data = array(
+ 'Title'=>'Allowed',
+ 'Author'=>'Allowed',
+ 'Content'=>'Allowed',
+ 'action_postblog' => 'Post blog entry',
+ 'SecurityID' => $securityID
+ );
+ $response = $this->post('blog/BlogEntryForm', $data);
+ $this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
+ }
+}
\ No newline at end of file
diff --git a/tests/BlogHolderFunctionalTest.yml b/tests/BlogHolderFunctionalTest.yml
new file mode 100644
index 0000000..561c1ba
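Review bot: `$data['ID']` comes straight from the submitted form and selects the entry to edit, so any member holding BLOGMANAGEMENT can point the form at any BlogEntry on the site; nothing in the hunk checks that the entry belongs to this holder or that the member may edit it. After the get_by_id() call I'd add `if($blogentry && !$blogentry->canEdit()) return Security::permissionFailure();`, and cast the value, `(int) $data['ID']`, unless get_by_id() is already known to reject non-numeric input in this framework version. The new permission check itself is the right fix for the form-submission path, since the controller's $allowed_actions map does not cover it. postblog() continues past the hunk.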
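Review bot: The unauthenticated half of testFrontendBlogPostRequiresPermission() only asserts that no 'Disallowed' entry was saved, so it passes just as well if the POST failed for an unrelated reason (a rejected SecurityID, a routing miss); asserting on the response as well ties the outcome to the permission check, e.g. `$this->assertContains('Security/login', $response->getHeader('Location'));` if permissionFailure() redirects to the login form here, or on the 403 status if it does not. The `sprintf("Title = 'Disallowed'")` and `sprintf("Title = 'Allowed'")` calls take no format arguments and can be plain strings. The class header and the opening lines of setUp() do not appear in this rendering of the hunk, so the fixture declaration could not be reviewed.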
--- /dev/null
+++ b/tests/BlogHolderFunctionalTest.yml
@@ -0,0 +1,20 @@
+Permission:
+ blog_management:
+ Code: BLOGMANAGEMENT
+Group:
+ blog_editors:
+ Code: blog-editors
+ Permissions: =>Permission.blog_management
+Member:
+ blog_editor:
+ Email: blogeditor@test.com
+ Groups: =>Group.blog_editors
+BlogHolder:
+ blogholder:
+ Title: Blog Holder
+ URLSegment: blog
+BlogEntry:
+ entry1:
+ Title: Blog Entry
+ ProvideComments: 1
+ Parent: =>BlogHolder.blogholder
\ No newline at end of file
From 26ad18d3854eeac45d0768197b544169f4b7339c Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Wed, 8 Jul 2009 01:25:13 +0000
Subject: [PATCH 3/3] MINOR Merged from trunk

---
 tests/BlogHolderFunctionalTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/BlogHolderFunctionalTest.php b/tests/BlogHolderFunctionalTest.php
index 566cf00..4137d27 100644
--- a/tests/BlogHolderFunctionalTest.php
+++ b/tests/BlogHolderFunctionalTest.php
@@ -11,9 +11,9 @@ class BlogHolderFunctionalTest extends FunctionalTest {
 parent::setUp();
 $blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
- $blogHolder->publish('Stage', 'LIve');
+ $blogHolder->publish('Stage', 'Live');
 $blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
- $blogEntry->publish('Stage', 'LIve');
+ $blogEntry->publish('Stage', 'Live');
 }
 function testFrontendBlogPostRequiresPermission() {