mirror of
https://github.com/silverstripe/silverstripe-cms
synced 2024-10-22 06:05:56 +00:00
ENHANCEMENT Added PageComment->canView()/canEdit()/canDelete(), and using these permissions in PageCommentInterface. Caution: canCreate() actions are still determined by PageCommentInterface::$comments_require_login/$comments_require_permission
BUGFIX Requiring CMS_ACCESS_CommentAdmin instead of ADMIN permissions in PageCommentInterface and CommentAdmin administrative actions (from r104968) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@112459 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
a52f572f1e
commit
e43a2409cd
@ -60,7 +60,7 @@ class PageComment extends DataObject {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function DeleteLink() {
|
function DeleteLink() {
|
||||||
return (Permission::check('CMS_ACCESS_CMSMain')) ? "PageComment_Controller/deletecomment/$this->ID" : false;
|
return ($this->canDelete()) ? "PageComment_Controller/deletecomment/$this->ID" : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function CommentTextWithLinks() {
|
function CommentTextWithLinks() {
|
||||||
@ -70,15 +70,15 @@ class PageComment extends DataObject {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function SpamLink() {
|
function SpamLink() {
|
||||||
return (Permission::check('CMS_ACCESS_CMSMain') && !$this->IsSpam) ? "PageComment_Controller/reportspam/$this->ID" : false;
|
return ($this->canEdit() && !$this->IsSpam) ? "PageComment_Controller/reportspam/$this->ID" : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function HamLink() {
|
function HamLink() {
|
||||||
return (Permission::check('CMS_ACCESS_CMSMain') && $this->IsSpam) ? "PageComment_Controller/reportham/$this->ID" : false;
|
return ($this->canEdit() && $this->IsSpam) ? "PageComment_Controller/reportham/$this->ID" : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function ApproveLink() {
|
function ApproveLink() {
|
||||||
return (Permission::check('CMS_ACCESS_CMSMain') && $this->NeedsModeration) ? "PageComment_Controller/approve/$this->ID" : false;
|
return ($this->canEdit() && $this->NeedsModeration) ? "PageComment_Controller/approve/$this->ID" : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function SpamClass() {
|
function SpamClass() {
|
||||||
@ -156,6 +156,77 @@ class PageComment extends DataObject {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This always returns true, and should be handled by {@link PageCommentInterface->CanPostComment()}.
|
||||||
|
*
|
||||||
|
* @todo Integrate with PageCommentInterface::$comments_require_permission and $comments_require_login
|
||||||
|
*
|
||||||
|
* @param Member $member
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function canCreate($member = null) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for association with a page,
|
||||||
|
* and {@link SiteTree->ProvidePermission} flag being set to TRUE.
|
||||||
|
* Note: There's an additional layer of permission control
|
||||||
|
* in {@link PageCommentInterface}.
|
||||||
|
*
|
||||||
|
* @param Member $member
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function canView($member = null) {
|
||||||
|
if(!$member) $member = Member::currentUser();
|
||||||
|
|
||||||
|
// Standard mechanism for accepting permission changes from decorators
|
||||||
|
$extended = $this->extendedCan('canView', $member);
|
||||||
|
if($extended !== null) return $extended;
|
||||||
|
|
||||||
|
$page = $this->Parent();
|
||||||
|
return (
|
||||||
|
($page && $page->ProvideComments)
|
||||||
|
|| (bool)Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin')
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for "CMS_ACCESS_CommentAdmin" permission codes
|
||||||
|
* and {@link canView()}.
|
||||||
|
*
|
||||||
|
* @param Member $member
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function canEdit($member = null) {
|
||||||
|
if(!$member) $member = Member::currentUser();
|
||||||
|
|
||||||
|
// Standard mechanism for accepting permission changes from decorators
|
||||||
|
$extended = $this->extendedCan('canEdit', $member);
|
||||||
|
if($extended !== null) return $extended;
|
||||||
|
|
||||||
|
if(!$this->canView($member)) return false;
|
||||||
|
|
||||||
|
return (bool)Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for "CMS_ACCESS_CommentAdmin" permission codes
|
||||||
|
* and {@link canEdit()}.
|
||||||
|
*
|
||||||
|
* @param Member $member
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function canDelete($member = null) {
|
||||||
|
if(!$member) $member = Member::currentUser();
|
||||||
|
|
||||||
|
// Standard mechanism for accepting permission changes from decorators
|
||||||
|
$extended = $this->extendedCan('canDelete', $member);
|
||||||
|
if($extended !== null) return $extended;
|
||||||
|
|
||||||
|
return $this->canEdit($member);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -180,13 +251,11 @@ class PageComment_Controller extends Controller {
|
|||||||
* Deletes all comments on the page referenced by the url param pageid
|
* Deletes all comments on the page referenced by the url param pageid
|
||||||
*/
|
*/
|
||||||
function deleteallcomments() {
|
function deleteallcomments() {
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
$pageId = $_REQUEST['pageid'];
|
||||||
$pageId = $_REQUEST['pageid'];
|
if(preg_match('/^\d+$/', $pageId)) {
|
||||||
if(preg_match('/^\d+$/', $pageId)) {
|
$comments = DataObject::get("PageComment", "\"ParentID\" = $pageId");
|
||||||
$comments = DataObject::get("PageComment", "\"ParentID\" = $pageId");
|
if($comments) foreach($comments as $c) {
|
||||||
if($comments) foreach($comments as $c) {
|
if($c->canDelete()) $c->delete();
|
||||||
$c->delete();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -198,11 +267,9 @@ class PageComment_Controller extends Controller {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function deletecomment() {
|
function deletecomment() {
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
if($comment && $comment->canDelete()) {
|
||||||
if($comment) {
|
$comment->delete();
|
||||||
$comment->delete();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if($this->isAjax()) {
|
if($this->isAjax()) {
|
||||||
@ -213,51 +280,45 @@ class PageComment_Controller extends Controller {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function approve() {
|
function approve() {
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
|
||||||
|
|
||||||
if($comment) {
|
if($comment && $comment->canEdit()) {
|
||||||
$comment->NeedsModeration = false;
|
$comment->NeedsModeration = false;
|
||||||
$comment->write();
|
$comment->write();
|
||||||
|
|
||||||
// @todo Report to spamprotecter this is true
|
// @todo Report to spamprotecter this is true
|
||||||
|
|
||||||
if($this->isAjax()) {
|
if($this->isAjax()) {
|
||||||
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
||||||
} else {
|
} else {
|
||||||
$this->redirectBack();
|
Director::redirectBack();
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function reportspam() {
|
function reportspam() {
|
||||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||||
if($comment) {
|
if($comment && $comment->canEdit()) {
|
||||||
// check they have access
|
// if spam protection module exists
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
if(class_exists('SpamProtectorManager')) {
|
||||||
|
SpamProtectorManager::send_feedback($comment, 'spam');
|
||||||
// if spam protection module exists
|
|
||||||
if(class_exists('SpamProtectorManager')) {
|
|
||||||
SpamProtectorManager::send_feedback($comment, 'spam');
|
|
||||||
}
|
|
||||||
|
|
||||||
// If Akismet is enabled
|
|
||||||
else if(SSAkismet::isEnabled()) {
|
|
||||||
try {
|
|
||||||
$akismet = new SSAkismet();
|
|
||||||
$akismet->setCommentAuthor($comment->getField('Name'));
|
|
||||||
$akismet->setCommentContent($comment->getField('Comment'));
|
|
||||||
$akismet->submitSpam();
|
|
||||||
} catch (Exception $e) {
|
|
||||||
// Akismet didn't work, most likely the service is down.
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$comment->IsSpam = true;
|
|
||||||
$comment->NeedsModeration = false;
|
|
||||||
$comment->write();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If Akismet is enabled
|
||||||
|
else if(SSAkismet::isEnabled()) {
|
||||||
|
try {
|
||||||
|
$akismet = new SSAkismet();
|
||||||
|
$akismet->setCommentAuthor($comment->getField('Name'));
|
||||||
|
$akismet->setCommentContent($comment->getField('Comment'));
|
||||||
|
$akismet->submitSpam();
|
||||||
|
} catch (Exception $e) {
|
||||||
|
// Akismet didn't work, most likely the service is down.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$comment->IsSpam = true;
|
||||||
|
$comment->NeedsModeration = false;
|
||||||
|
$comment->write();
|
||||||
}
|
}
|
||||||
if($this->isAjax()) {
|
if($this->isAjax()) {
|
||||||
if(SSAkismet::isEnabled() && SSAkismet::getSaveSpam()) {
|
if(SSAkismet::isEnabled() && SSAkismet::getSaveSpam()) {
|
||||||
@ -274,27 +335,24 @@ class PageComment_Controller extends Controller {
|
|||||||
*/
|
*/
|
||||||
function reportham() {
|
function reportham() {
|
||||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||||
if($comment) {
|
if($comment && $comment->canEdit()) {
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
// if spam protection module exists
|
||||||
|
if(class_exists('SpamProtectorManager')) {
|
||||||
// if spam protection module exists
|
SpamProtectorManager::send_feedback($comment, 'ham');
|
||||||
if(class_exists('SpamProtectorManager')) {
|
|
||||||
SpamProtectorManager::send_feedback($comment, 'ham');
|
|
||||||
}
|
|
||||||
|
|
||||||
if(SSAkismet::isEnabled()) {
|
|
||||||
try {
|
|
||||||
$akismet = new SSAkismet();
|
|
||||||
$akismet->setCommentAuthor($comment->getField('Name'));
|
|
||||||
$akismet->setCommentContent($comment->getField('Comment'));
|
|
||||||
$akismet->submitHam();
|
|
||||||
} catch (Exception $e) {
|
|
||||||
// Akismet didn't work, most likely the service is down.
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$comment->setField('IsSpam', false);
|
|
||||||
$comment->write();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(SSAkismet::isEnabled()) {
|
||||||
|
try {
|
||||||
|
$akismet = new SSAkismet();
|
||||||
|
$akismet->setCommentAuthor($comment->getField('Name'));
|
||||||
|
$akismet->setCommentContent($comment->getField('Comment'));
|
||||||
|
$akismet->submitHam();
|
||||||
|
} catch (Exception $e) {
|
||||||
|
// Akismet didn't work, most likely the service is down.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$comment->setField('IsSpam', false);
|
||||||
|
$comment->write();
|
||||||
}
|
}
|
||||||
if($this->isAjax()) {
|
if($this->isAjax()) {
|
||||||
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
||||||
|
@ -231,7 +231,7 @@ class PageCommentInterface extends RequestHandler {
|
|||||||
$limit['limit'] = PageComment::$comments_per_page;
|
$limit['limit'] = PageComment::$comments_per_page;
|
||||||
|
|
||||||
$spamfilter = isset($_GET['showspam']) ? '' : "AND \"IsSpam\" = 0";
|
$spamfilter = isset($_GET['showspam']) ? '' : "AND \"IsSpam\" = 0";
|
||||||
$unmoderatedfilter = Permission::check('ADMIN') ? '' : "AND \"NeedsModeration\" = 0";
|
$unmoderatedfilter = Permission::check('CMS_ACCESS_CommentAdmin') ? '' : "AND \"NeedsModeration\" = 0";
|
||||||
$order = self::$order_comments_by;
|
$order = self::$order_comments_by;
|
||||||
$comments = DataObject::get("PageComment", "\"ParentID\" = '" . Convert::raw2sql($this->page->ID) . "' $spamfilter $unmoderatedfilter", $order, "", $limit);
|
$comments = DataObject::get("PageComment", "\"ParentID\" = '" . Convert::raw2sql($this->page->ID) . "' $spamfilter $unmoderatedfilter", $order, "", $limit);
|
||||||
|
|
||||||
@ -254,7 +254,7 @@ class PageCommentInterface extends RequestHandler {
|
|||||||
* comments on a page referenced by the url param pageid
|
* comments on a page referenced by the url param pageid
|
||||||
*/
|
*/
|
||||||
function DeleteAllLink() {
|
function DeleteAllLink() {
|
||||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
if(Permission::check('CMS_ACCESS_CommentAdmin')) {
|
||||||
return Director::absoluteBaseURL() . "PageComment/deleteallcomments?pageid=" . $this->page->ID;
|
return Director::absoluteBaseURL() . "PageComment/deleteallcomments?pageid=" . $this->page->ID;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,7 @@ class CommentAdminTest extends FunctionalTest {
|
|||||||
function testdeletemarked(){
|
function testdeletemarked(){
|
||||||
$comm = $this->objFromFixture('PageComment', 'Comment1');
|
$comm = $this->objFromFixture('PageComment', 'Comment1');
|
||||||
$id = $comm->ID;
|
$id = $comm->ID;
|
||||||
$this->logInWithPermission('ADMIN');
|
$this->logInWithPermission('CMS_ACCESS_CommentAdmin');
|
||||||
$result = $this->get("admin/comments/EditForm/field/Comments/item/$id/delete");
|
$result = $this->get("admin/comments/EditForm/field/Comments/item/$id/delete");
|
||||||
$checkComm = DataObject::get_by_id('PageComment',$id);
|
$checkComm = DataObject::get_by_id('PageComment',$id);
|
||||||
|
|
||||||
|
@ -4,13 +4,64 @@ class PageCommentsTest extends FunctionalTest {
|
|||||||
|
|
||||||
static $fixture_file = 'cms/tests/PageCommentsTest.yml';
|
static $fixture_file = 'cms/tests/PageCommentsTest.yml';
|
||||||
|
|
||||||
|
function testCanView() {
|
||||||
|
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||||
|
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||||
|
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||||
|
|
||||||
|
$this->assertTrue($comment->canView($visitor),
|
||||||
|
'Unauthenticated members can view comments associated to a page with ProvideComments=1'
|
||||||
|
);
|
||||||
|
$this->assertTrue($comment->canView($admin),
|
||||||
|
'Admins with CMS_ACCESS_CommentAdmin permissions can view comments associated to a page with ProvideComments=1'
|
||||||
|
);
|
||||||
|
|
||||||
|
$disabledComment = $this->objFromFixture('PageComment', 'disabledCom');
|
||||||
|
|
||||||
|
$this->assertFalse($disabledComment->canView($visitor),
|
||||||
|
'Unauthenticated members can not view comments associated to a page with ProvideComments=0'
|
||||||
|
);
|
||||||
|
$this->assertTrue($disabledComment->canView($admin),
|
||||||
|
'Admins with CMS_ACCESS_CommentAdmin permissions can view comments associated to a page with ProvideComments=0'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testCanEdit() {
|
||||||
|
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||||
|
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||||
|
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||||
|
|
||||||
|
$this->assertFalse($comment->canEdit($visitor));
|
||||||
|
$this->assertTrue($comment->canEdit($admin));
|
||||||
|
}
|
||||||
|
|
||||||
|
function testCanDelete() {
|
||||||
|
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||||
|
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||||
|
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||||
|
|
||||||
|
$this->assertFalse($comment->canEdit($visitor));
|
||||||
|
$this->assertTrue($comment->canEdit($admin));
|
||||||
|
}
|
||||||
|
|
||||||
|
function testDeleteComment() {
|
||||||
|
$firstPage = $this->objFromFixture('Page', 'first');
|
||||||
|
$this->autoFollowRedirection = false;
|
||||||
|
$this->logInAs('commentadmin');
|
||||||
|
|
||||||
|
$firstComment = $this->objFromFixture('PageComment', 'firstComA');
|
||||||
|
$firstCommentID = $firstComment->ID;
|
||||||
|
Director::test($firstPage->RelativeLink(), null, $this->session());
|
||||||
|
Director::test('PageComment/deletecomment/'.$firstComment->ID, null, $this->session());
|
||||||
|
|
||||||
|
$this->assertFalse(DataObject::get_by_id('PageComment', $firstCommentID));
|
||||||
|
}
|
||||||
|
|
||||||
function testDeleteAllCommentsOnPage() {
|
function testDeleteAllCommentsOnPage() {
|
||||||
|
|
||||||
|
|
||||||
$second = $this->objFromFixture('Page', 'second');
|
$second = $this->objFromFixture('Page', 'second');
|
||||||
$this->autoFollowRedirection = false;
|
$this->autoFollowRedirection = false;
|
||||||
$this->logInAs('admin');
|
$this->logInAs('commentadmin');
|
||||||
|
|
||||||
Director::test('second-page', null, $this->session());
|
Director::test('second-page', null, $this->session());
|
||||||
Director::test('PageComment/deleteallcomments?pageid='.$second->ID,
|
Director::test('PageComment/deleteallcomments?pageid='.$second->ID,
|
||||||
null, $this->session());
|
null, $this->session());
|
||||||
|
@ -1,27 +1,36 @@
|
|||||||
Member:
|
Member:
|
||||||
admin:
|
commentadmin:
|
||||||
FirstName: admin
|
FirstName: admin
|
||||||
|
visitor:
|
||||||
|
FirstName: visitor
|
||||||
|
|
||||||
Group:
|
Group:
|
||||||
admin:
|
commentadmins:
|
||||||
Title: Admin
|
Title: Admin
|
||||||
Members: =>Member.admin
|
Members: =>Member.commentadmin
|
||||||
|
|
||||||
Permission:
|
Permission:
|
||||||
admin:
|
admin:
|
||||||
Code: ADMIN
|
Code: CMS_ACCESS_CommentAdmin
|
||||||
Group: =>Group.admin
|
Group: =>Group.commentadmins
|
||||||
|
|
||||||
Page:
|
Page:
|
||||||
first:
|
first:
|
||||||
Title: First page
|
Title: First page
|
||||||
URLSegment: first-page
|
URLSegment: first-page
|
||||||
|
ProvideComments: 1
|
||||||
second:
|
second:
|
||||||
Title: Second page
|
Title: Second page
|
||||||
URLSegment: second-page
|
URLSegment: second-page
|
||||||
|
ProvideComments: 1
|
||||||
third:
|
third:
|
||||||
Title: Third page
|
Title: Third page
|
||||||
URLSegment:third-page
|
URLSegment:third-page
|
||||||
|
ProvideComments: 1
|
||||||
|
pageNoComments:
|
||||||
|
Title: No comments
|
||||||
|
URLSegment: no-comments
|
||||||
|
ProvideComments: 0
|
||||||
|
|
||||||
PageComment:
|
PageComment:
|
||||||
firstComA:
|
firstComA:
|
||||||
@ -48,3 +57,6 @@ PageComment:
|
|||||||
ParentID: =>Page.third
|
ParentID: =>Page.third
|
||||||
Name: TC
|
Name: TC
|
||||||
Comment: textTC
|
Comment: textTC
|
||||||
|
disabledCom:
|
||||||
|
ParentID: =>Page.pageNoComments
|
||||||
|
Name: Disabled
|
Loading…
x
Reference in New Issue
Block a user