BUGFIX: Improvement permission checking of postblog and BlogEntryForm
This commit is contained in:
parent
8bae964a23
commit
ff9c6ec057
@ -166,6 +166,16 @@ class BlogHolder extends Page {
|
|||||||
}
|
}
|
||||||
|
|
||||||
class BlogHolder_Controller extends Page_Controller {
|
class BlogHolder_Controller extends Page_Controller {
|
||||||
|
|
||||||
|
static $allowed_actions = array(
|
||||||
|
'postblog' => 'BLOGMANAGEMENT',
|
||||||
|
'post' => 'BLOGMANAGEMENT',
|
||||||
|
'BlogEntryForm' => 'BLOGMANAGEMENT',
|
||||||
|
'rss',
|
||||||
|
'tag',
|
||||||
|
'showarchive',
|
||||||
|
);
|
||||||
|
|
||||||
function init() {
|
function init() {
|
||||||
parent::init();
|
parent::init();
|
||||||
|
|
||||||
@ -258,9 +268,7 @@ class BlogHolder_Controller extends Page_Controller {
|
|||||||
* Post a new blog entry
|
* Post a new blog entry
|
||||||
*/
|
*/
|
||||||
function post(){
|
function post(){
|
||||||
if(!Permission::check('ADMIN')){
|
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||||
Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
|
|
||||||
}
|
|
||||||
|
|
||||||
$page = $this->customise(array(
|
$page = $this->customise(array(
|
||||||
'Content' => false,
|
'Content' => false,
|
||||||
@ -283,6 +291,8 @@ class BlogHolder_Controller extends Page_Controller {
|
|||||||
* A simple form for creating blog entries
|
* A simple form for creating blog entries
|
||||||
*/
|
*/
|
||||||
function BlogEntryForm() {
|
function BlogEntryForm() {
|
||||||
|
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||||
|
|
||||||
Requirements::javascript('jsparty/behaviour.js');
|
Requirements::javascript('jsparty/behaviour.js');
|
||||||
Requirements::javascript('jsparty/prototype.js');
|
Requirements::javascript('jsparty/prototype.js');
|
||||||
Requirements::javascript('jsparty/scriptaculous/effects.js');
|
Requirements::javascript('jsparty/scriptaculous/effects.js');
|
||||||
@ -342,10 +352,12 @@ class BlogHolder_Controller extends Page_Controller {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function postblog($data, $form) {
|
function postblog($data, $form) {
|
||||||
|
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||||
|
|
||||||
Cookie::set("BlogHolder_Name", $data['Author']);
|
Cookie::set("BlogHolder_Name", $data['Author']);
|
||||||
$blogentry = false;
|
$blogentry = false;
|
||||||
|
|
||||||
if($data['ID']) {
|
if(isset($data['ID']) && $data['ID']) {
|
||||||
$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
|
$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
|
||||||
}
|
}
|
||||||
|
|
||||||
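Review bot: The `postblog` hunk still trusts the submitted `ID` — the added `isset()` only avoids a PHP notice — so any member holding BLOGMANAGEMENT can point the form at an arbitrary `BlogEntry` and, presumably, the rest of the handler (which continues outside the hunk) writes `$data` into it regardless of which BlogHolder the request came through or whether that member may edit that entry. After the `get_by_id` lookup I would add an ownership check, `if($blogentry && ($blogentry->ParentID != $this->ID || !$blogentry->canEdit())) return Security::permissionFailure($this);` (relying on the SiteTree `canEdit()` BlogEntry should inherit — confirm), and pass `(int)$data['ID']` to the lookup so a non-numeric value never reaches the query. The explicit `Permission::check('BLOGMANAGEMENT')` calls in `post`, `BlogEntryForm` and `postblog` now duplicate the `$allowed_actions` entries; that is sound defence in depth, but a one-line comment such as `// Belt-and-braces: $allowed_actions already enforces BLOGMANAGEMENT` would stop a later cleanup from removing either layer. Dropping the translated `BlogHolder.HAVENTPERM` message also means a bounced anonymous user no longer learns why; passing `$this` and the message back into `Security::permissionFailure()` keeps the old behaviour with the new permission code.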
|
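--- /dev/null
+++ b/tests/BlogHolderFunctionalTest.php
@@ -0,0 +1,49 @@
+<?php
+/**
+* @package blog
+* @subpackage tests
+*/
+class BlogHolderFunctionalTest extends FunctionalTest {
+
+static $fixture_file = 'blog/tests/BlogHolderFunctionalTest.yml';
+
+function setUp() {
+parent::setUp();
+
+$blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
+$blogHolder->publish('Stage', 'LIve');
+$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+$blogEntry->publish('Stage', 'LIve');
+}
+
+function testFrontendBlogPostRequiresPermission() {
+// get valid SecurityID (from comments form, would usually be copy/pasted)
+$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
+$response = $this->get($blogEntry->URLSegment);
+$securityID = Session::get('SecurityID');
+
+// without login
+$data = array(
+'Title'=>'Disallowed',
+'Author'=>'Disallowed',
+'Content'=>'Disallowed',
+'action_postblog' => 'Post blog entry',
+'SecurityID' => $securityID
+);
+$response = $this->post('blog/BlogEntryForm', $data);
+$this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
+
+// with login
+$blogEditor = $this->objFromFixture('Member', 'blog_editor');
+$blogEditor->logIn();
+$data = array(
+'Title'=>'Allowed',
+'Author'=>'Allowed',
+'Content'=>'Allowed',
+'action_postblog' => 'Post blog entry',
+'SecurityID' => $securityID
+);
+$response = $this->post('blog/BlogEntryForm', $data);
+$this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
+}
+}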
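Review bot: The unauthenticated case in `testFrontendBlogPostRequiresPermission` only asserts that no `BlogEntry` titled 'Disallowed' exists, so it would also pass if the post were rejected for an unrelated reason (stale SecurityID, a validation failure) rather than by the permission check; assert on the response too, e.g. `$this->assertNotEquals(200, $response->getStatusCode());`, or the exact redirect/403 that `Security::permissionFailure()` produces for anonymous users once confirmed. The logged-in case has the same gap — a 200 (or the post-submit redirect) alongside the `assertType` would show the request was actually handled by `postblog` rather than a different code path. `'LIve'` in `setUp()` looks like a typo for `'Live'`; I cannot tell from here whether Versioned compares stage names case-sensitively, but the canonical name costs nothing and avoids a test that silently publishes to the wrong stage.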
20
tests/BlogHolderFunctionalTest.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
Permission:
|
||||||
|
blog_management:
|
||||||
|
Code: BLOGMANAGEMENT
|
||||||
|
Group:
|
||||||
|
blog_editors:
|
||||||
|
Code: blog-editors
|
||||||
|
Permissions: =>Permission.blog_management
|
||||||
|
Member:
|
||||||
|
blog_editor:
|
||||||
|
Email: blogeditor@test.com
|
||||||
|
Groups: =>Group.blog_editors
|
||||||
|
BlogHolder:
|
||||||
|
blogholder:
|
||||||
|
Title: Blog Holder
|
||||||
|
URLSegment: blog
|
||||||
|
BlogEntry:
|
||||||
|
entry1:
|
||||||
|
Title: Blog Entry
|
||||||
|
ProvideComments: 1
|
||||||
|
Parent: =>BlogHolder.blogholder
|