BUGFIX: Improvement permission checking of postblog and BlogEntryForm

Sam Minnee 2009-07-07 23:49:43 +00:00
parent 8bae964a23
commit ff9c6ec057
3 changed files with 85 additions and 4 deletions


@ -166,6 +166,16 @@ class BlogHolder extends Page {
}
class BlogHolder_Controller extends Page_Controller {
static $allowed_actions = array(
'postblog' => 'BLOGMANAGEMENT',
'post' => 'BLOGMANAGEMENT',
'BlogEntryForm' => 'BLOGMANAGEMENT',
'rss',
'tag',
'showarchive',
);
function init() {
parent::init();
@ -258,9 +268,7 @@ class BlogHolder_Controller extends Page_Controller {
* Post a new blog entry
*/
function post(){
if(!Permission::check('ADMIN')){
Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
}
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
$page = $this->customise(array(
'Content' => false,
@ -283,6 +291,8 @@ class BlogHolder_Controller extends Page_Controller {
* A simple form for creating blog entries
*/
function BlogEntryForm() {
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
Requirements::javascript('jsparty/behaviour.js');
Requirements::javascript('jsparty/prototype.js');
Requirements::javascript('jsparty/scriptaculous/effects.js');
@ -342,10 +352,12 @@ class BlogHolder_Controller extends Page_Controller {
}
function postblog($data, $form) {
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
Cookie::set("BlogHolder_Name", $data['Author']);
$blogentry = false;
if($data['ID']) {
if(isset($data['ID']) && $data['ID']) {
$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
}
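Review bot: The client-supplied `$data['ID']` at the end of the postblog hunk selects which BlogEntry gets edited, and the new `isset()` check only guards against the key being absent; nothing visible ties the loaded entry to this holder or to the poster's edit rights, so any member holding BLOGMANAGEMENT can presumably overwrite any entry by ID if the rest of postblog (which continues outside the hunk) writes to `$blogentry`. Consider rejecting the request when the entry does not belong to this holder, e.g. right after the `get_by_id` call: `if(!$blogentry || $blogentry->ParentID != $this->data()->ID) return Security::permissionFailure();` (plus a `canEdit()` check if BlogEntry defines one). Casting with `(int) $data['ID']` before the lookup also keeps it numeric regardless of how this framework version treats non-numeric IDs. Separately, the post() hunk drops the translated `BlogHolder.HAVENTPERM` hint together with the old non-returning check; `return Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));` would keep the message while still returning.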


@ -0,0 +1,49 @@
<?php
/**
* @package blog
* @subpackage tests
*/
class BlogHolderFunctionalTest extends FunctionalTest {
static $fixture_file = 'blog/tests/BlogHolderFunctionalTest.yml';
function setUp() {
parent::setUp();
$blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
$blogHolder->publish('Stage', 'LIve');
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
$blogEntry->publish('Stage', 'LIve');
}
function testFrontendBlogPostRequiresPermission() {
// get valid SecurityID (from comments form, would usually be copy/pasted)
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
$response = $this->get($blogEntry->URLSegment);
$securityID = Session::get('SecurityID');
// without login
$data = array(
'Title'=>'Disallowed',
'Author'=>'Disallowed',
'Content'=>'Disallowed',
'action_postblog' => 'Post blog entry',
'SecurityID' => $securityID
);
$response = $this->post('blog/BlogEntryForm', $data);
$this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
// with login
$blogEditor = $this->objFromFixture('Member', 'blog_editor');
$blogEditor->logIn();
$data = array(
'Title'=>'Allowed',
'Author'=>'Allowed',
'Content'=>'Allowed',
'action_postblog' => 'Post blog entry',
'SecurityID' => $securityID
);
$response = $this->post('blog/BlogEntryForm', $data);
$this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
}
}
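Review bot: The logged-out branch of testFrontendBlogPostRequiresPermission only asserts that no 'Disallowed' row exists; it never checks that the request was actually refused, so a handler that errors out or silently does nothing would pass just the same. Assert the denial itself after the first post, e.g. `$this->assertNotEquals(200, $response->getStatusCode());` (or the specific login redirect / 403 that Security::permissionFailure produces in this framework version). The stage name in setUp is spelled `'LIve'` in both publish() calls; Versioned stages are `'Stage'` and `'Live'`, and the odd casing likely only works on a case-insensitive database, so it should read `$blogHolder->publish('Stage', 'Live');`. The `sprintf()` wrappers around the constant SQL strings in the two `get_one` calls add nothing and can be dropped.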


@ -0,0 +1,20 @@
Permission:
blog_management:
Code: BLOGMANAGEMENT
Group:
blog_editors:
Code: blog-editors
Permissions: =>Permission.blog_management
Member:
blog_editor:
Email: blogeditor@test.com
Groups: =>Group.blog_editors
BlogHolder:
blogholder:
Title: Blog Holder
URLSegment: blog
BlogEntry:
entry1:
Title: Blog Entry
ProvideComments: 1
Parent: =>BlogHolder.blogholder