BUGFIX: Improvement permission checking of postblog and BlogEntryForm

code/BlogHolder.php

@@ -166,6 +166,16 @@ class BlogHolder extends Page {
 }
 
 class BlogHolder_Controller extends Page_Controller {
+	
+	static $allowed_actions = array(
+		'postblog' => 'BLOGMANAGEMENT',
+		'post' => 'BLOGMANAGEMENT',
+		'BlogEntryForm' => 'BLOGMANAGEMENT',
+		'rss',
+		'tag',
+		'showarchive',
+	);
+	
 	function init() {
 		parent::init();
 		
@@ -258,9 +268,7 @@ class BlogHolder_Controller extends Page_Controller {
 	 * Post a new blog entry
 	 */
 	function post(){
-		if(!Permission::check('ADMIN')){
-			Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
-		}
+		if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
 		
 		$page = $this->customise(array(
 			'Content' => false,
@@ -283,6 +291,8 @@ class BlogHolder_Controller extends Page_Controller {
 	 * A simple form for creating blog entries
 	 */
 	function BlogEntryForm() {
+		if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
+
 		Requirements::javascript('jsparty/behaviour.js');
 		Requirements::javascript('jsparty/prototype.js');
 		Requirements::javascript('jsparty/scriptaculous/effects.js');
@@ -342,10 +352,12 @@ class BlogHolder_Controller extends Page_Controller {
 	}
 	
 	function postblog($data, $form) {
+		if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
+
 		Cookie::set("BlogHolder_Name", $data['Author']);
 		$blogentry = false;
 		
-		if($data['ID']) {
+		if(isset($data['ID']) && $data['ID']) {
 			$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
 		}
 		

tests/BlogHolderFunctionalTest.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * @package blog
+ * @subpackage tests
+ */
+class BlogHolderFunctionalTest extends FunctionalTest {
+	
+	static $fixture_file = 'blog/tests/BlogHolderFunctionalTest.yml';
+	
+	function setUp() {
+		parent::setUp();
+		
+		$blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
+		$blogHolder->publish('Stage', 'LIve');
+		$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+		$blogEntry->publish('Stage', 'LIve');
+	}
+	
+	function testFrontendBlogPostRequiresPermission() {
+		// get valid SecurityID (from comments form, would usually be copy/pasted)
+		$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+		$response = $this->get($blogEntry->URLSegment);
+		$securityID = Session::get('SecurityID');
+		
+		// without login
+		$data = array(
+			'Title'=>'Disallowed',
+			'Author'=>'Disallowed',
+			'Content'=>'Disallowed',
+			'action_postblog' => 'Post blog entry',
+			'SecurityID' => $securityID
+		);
+		$response = $this->post('blog/BlogEntryForm', $data);
+		$this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
+		
+		// with login
+		$blogEditor = $this->objFromFixture('Member', 'blog_editor');
+		$blogEditor->logIn();
+		$data = array(
+			'Title'=>'Allowed',
+			'Author'=>'Allowed',
+			'Content'=>'Allowed',
+			'action_postblog' => 'Post blog entry',
+			'SecurityID' => $securityID
+		);
+		$response = $this->post('blog/BlogEntryForm', $data);
+		$this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
+	}
+}

tests/BlogHolderFunctionalTest.yml

@@ -0,0 +1,20 @@
+Permission:
+    blog_management:
+        Code: BLOGMANAGEMENT
+Group:
+    blog_editors:
+        Code: blog-editors
+        Permissions: =>Permission.blog_management
+Member:
+    blog_editor:
+        Email: blogeditor@test.com
+        Groups: =>Group.blog_editors
+BlogHolder:
+   blogholder:
+      Title: Blog Holder
+      URLSegment: blog
+BlogEntry:
+    entry1:
+        Title: Blog Entry
+        ProvideComments: 1
+        Parent: =>BlogHolder.blogholder