BUGFIX: Improvement permission checking of postblog and BlogEntryForm
This commit is contained in:
parent
8bae964a23
commit
ff9c6ec057
@ -166,6 +166,16 @@ class BlogHolder extends Page {
|
||||
}
|
||||
|
||||
class BlogHolder_Controller extends Page_Controller {
|
||||
|
||||
static $allowed_actions = array(
|
||||
'postblog' => 'BLOGMANAGEMENT',
|
||||
'post' => 'BLOGMANAGEMENT',
|
||||
'BlogEntryForm' => 'BLOGMANAGEMENT',
|
||||
'rss',
|
||||
'tag',
|
||||
'showarchive',
|
||||
);
|
||||
|
||||
function init() {
|
||||
parent::init();
|
||||
|
||||
@ -258,9 +268,7 @@ class BlogHolder_Controller extends Page_Controller {
|
||||
* Post a new blog entry
|
||||
*/
|
||||
function post(){
|
||||
if(!Permission::check('ADMIN')){
|
||||
Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
|
||||
}
|
||||
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||
|
||||
$page = $this->customise(array(
|
||||
'Content' => false,
|
||||
@ -283,6 +291,8 @@ class BlogHolder_Controller extends Page_Controller {
|
||||
* A simple form for creating blog entries
|
||||
*/
|
||||
function BlogEntryForm() {
|
||||
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||
|
||||
Requirements::javascript('jsparty/behaviour.js');
|
||||
Requirements::javascript('jsparty/prototype.js');
|
||||
Requirements::javascript('jsparty/scriptaculous/effects.js');
|
||||
@ -342,10 +352,12 @@ class BlogHolder_Controller extends Page_Controller {
|
||||
}
|
||||
|
||||
function postblog($data, $form) {
|
||||
if(!Permission::check('BLOGMANAGEMENT')) return Security::permissionFailure();
|
||||
|
||||
Cookie::set("BlogHolder_Name", $data['Author']);
|
||||
$blogentry = false;
|
||||
|
||||
if($data['ID']) {
|
||||
if(isset($data['ID']) && $data['ID']) {
|
||||
$blogentry = DataObject::get_by_id("BlogEntry", $data['ID']);
|
||||
}
|
||||
|
||||
|
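Review bot: In the postblog hunk the entry to edit is loaded from the user-supplied `$data['ID']` with only the coarse BLOGMANAGEMENT check above it, so any member holding that permission code can load and (presumably, in the body that continues past the hunk) overwrite any BlogEntry by supplying its ID, regardless of which holder it belongs to or whether the entry's own canEdit() would allow it. Consider an object-level check right after the lookup, e.g. `$blogentry = DataObject::get_by_id("BlogEntry", (int)$data['ID']);` followed by `if($blogentry && !$blogentry->canEdit()) return Security::permissionFailure();`, or at least `if($blogentry && $blogentry->ParentID != $this->ID) return Security::permissionFailure();` so the entry must belong to this holder. The `Cookie::set("BlogHolder_Name", $data['Author'])` line also reads `$data['Author']` without the isset guard the new ID check two lines below uses. In the post() hunk the new one-line check replaces the ADMIN check but drops the `$this` controller argument and the translated message the old call passed to Security::permissionFailure(); whether that changes the redirect behaviour I can't tell from here.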
49
tests/BlogHolderFunctionalTest.php
Normal file
49
tests/BlogHolderFunctionalTest.php
Normal file
@ -0,0 +1,49 @@
|
||||
<?php
|
||||
/**
|
||||
* @package blog
|
||||
* @subpackage tests
|
||||
*/
|
||||
class BlogHolderFunctionalTest extends FunctionalTest {
|
||||
|
||||
static $fixture_file = 'blog/tests/BlogHolderFunctionalTest.yml';
|
||||
|
||||
function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$blogHolder = $this->objFromFixture('BlogHolder', 'blogholder');
|
||||
$blogHolder->publish('Stage', 'LIve');
|
||||
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
|
||||
$blogEntry->publish('Stage', 'LIve');
|
||||
}
|
||||
|
||||
function testFrontendBlogPostRequiresPermission() {
|
||||
// get valid SecurityID (from comments form, would usually be copy/pasted)
|
||||
$blogEntry = $this->objFromFixture('BlogEntry', 'entry1');
|
||||
$response = $this->get($blogEntry->URLSegment);
|
||||
$securityID = Session::get('SecurityID');
|
||||
|
||||
// without login
|
||||
$data = array(
|
||||
'Title'=>'Disallowed',
|
||||
'Author'=>'Disallowed',
|
||||
'Content'=>'Disallowed',
|
||||
'action_postblog' => 'Post blog entry',
|
||||
'SecurityID' => $securityID
|
||||
);
|
||||
$response = $this->post('blog/BlogEntryForm', $data);
|
||||
$this->assertFalse(DataObject::get_one('BlogEntry', sprintf("Title = 'Disallowed'")));
|
||||
|
||||
// with login
|
||||
$blogEditor = $this->objFromFixture('Member', 'blog_editor');
|
||||
$blogEditor->logIn();
|
||||
$data = array(
|
||||
'Title'=>'Allowed',
|
||||
'Author'=>'Allowed',
|
||||
'Content'=>'Allowed',
|
||||
'action_postblog' => 'Post blog entry',
|
||||
'SecurityID' => $securityID
|
||||
);
|
||||
$response = $this->post('blog/BlogEntryForm', $data);
|
||||
$this->assertType('BlogEntry', DataObject::get_one('BlogEntry', sprintf("Title = 'Allowed'")));
|
||||
}
|
||||
}
|
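Review bot: testFrontendBlogPostRequiresPermission only contrasts an anonymous request with a member who holds BLOGMANAGEMENT, so it would still pass if the controller merely required any login; add a third case with a logged-in member that has no BLOGMANAGEMENT permission (a second Member in BlogHolderFunctionalTest.yml in a group without that code) and assert no 'Disallowed' entry is created, which is the check that actually proves the permission code is enforced. Both POSTs discard `$response`; asserting on it (for instance that the anonymous attempt is the permission-failure response rather than a 200 with the form re-rendered) would make the negative case fail loudly instead of only through the database lookup. In setUp the stage name `'LIve'` in both `publish('Stage', 'LIve')` calls looks like a typo for `'Live'`; whether Versioned tolerates the mis-cased stage name I can't tell from here, so `'Live'` is the safer spelling. The `sprintf("Title = 'Disallowed'")` and `sprintf("Title = 'Allowed'")` wrappers have no format arguments and can be plain string literals.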
20
tests/BlogHolderFunctionalTest.yml
Normal file
20
tests/BlogHolderFunctionalTest.yml
Normal file
@ -0,0 +1,20 @@
|
||||
Permission:
|
||||
blog_management:
|
||||
Code: BLOGMANAGEMENT
|
||||
Group:
|
||||
blog_editors:
|
||||
Code: blog-editors
|
||||
Permissions: =>Permission.blog_management
|
||||
Member:
|
||||
blog_editor:
|
||||
Email: blogeditor@test.com
|
||||
Groups: =>Group.blog_editors
|
||||
BlogHolder:
|
||||
blogholder:
|
||||
Title: Blog Holder
|
||||
URLSegment: blog
|
||||
BlogEntry:
|
||||
entry1:
|
||||
Title: Blog Entry
|
||||
ProvideComments: 1
|
||||
Parent: =>BlogHolder.blogholder
|