diff --git a/code/extensions/ContentReviewCMSPageEditController.php b/code/extensions/ContentReviewCMSPageEditController.php index f780849..17aabe2 100644 --- a/code/extensions/ContentReviewCMSPageEditController.php +++ b/code/extensions/ContentReviewCMSPageEditController.php @@ -29,12 +29,14 @@ class ContentReviewCMSPageEditController extends LeftAndMainExtension { } $SQL_id = Convert::raw2sql($data['ID']); $record = SiteTree::get()->byID($SQL_id); - if($record && !$record->canEdit()) { - return Security::permissionFailure($this); - } + if(!$record || !$record->ID) { throw new SS_HTTPResponse_Exception("Bad record ID #$SQL_id", 404); } + + if(!$record->canEdit()) { + return Security::permissionFailure($this->owner); + } $fields = new FieldList(); $fields->push(HiddenField::create('ID', 'ID', $SQL_id)); diff --git a/code/extensions/ContentReviewOwner.php b/code/extensions/ContentReviewOwner.php index 9cec84a..dbf6167 100644 --- a/code/extensions/ContentReviewOwner.php +++ b/code/extensions/ContentReviewOwner.php @@ -3,6 +3,7 @@ /** * Description of GroupContentReview * + * @codeCoverageIgnore */ class ContentReviewOwner extends DataExtension { diff --git a/tests/ContentReviewCMSPageEditControllerTest.php b/tests/ContentReviewCMSPageEditControllerTest.php new file mode 100644 index 0000000..746ab16 --- /dev/null +++ b/tests/ContentReviewCMSPageEditControllerTest.php 
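Review bot: The new guard `if(!$record || !$record->ID)` fires for any request ID that does not load a page, and the 404 it raises interpolates `$SQL_id` into the response body; that value is the request's `ID` escaped for SQL (`Convert::raw2sql`), not for HTML, so a non-numeric ID is reflected back in the error message (the companion test even pins `Bad record ID #FAIL`), which is a reflection risk if the exception body is rendered unescaped. Since page IDs are integers, cast before use — `$SQL_id = (int)$data['ID'];` — and treat 0 as the bad-ID case, which makes both the `byID()` lookup and the message safe without relying on how `SS_HTTPResponse_Exception` renders; the test expectation would need to change accordingly. Checking existence before `canEdit()` and passing `$this->owner` to `permissionFailure()` look correct for an extension. The enclosing method begins and ends outside the hunk.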
@@ -0,0 +1,70 @@
+setExpectedException('SS_HTTPResponse_Exception', 'No record ID', 404);
+ $controller = new CMSPageEditController();
+ $dummyForm = new CMSForm($controller, 'EditForm', new FieldList(), new FieldList());
+ $controller->reviewed(array('ID'=>null, 'Message' => null), $dummyForm);
+ }
+
+ public function testReviewedThrowsExceptionWithWrongRecordID() {
+ $this->setExpectedException('SS_HTTPResponse_Exception', 'Bad record ID #FAIL', 404);
+ $controller = new CMSPageEditController();
+ $dummyForm = new CMSForm($controller, 'EditForm', new FieldList(), new FieldList());
+ $controller->reviewed(array('ID'=>'FAIL', 'Message' => null), $dummyForm);
+ }
+
+ public function testReviewedThrowsExceptionWithWrongAccess() {
+ $visitor = $this->objFromFixture('Member', 'visitor');
+ $this->loginAs($visitor);
+ $page = $this->objFromFixture('Page', 'home');
+ $data = array(
+ 'action_reviewed' => 1
+ );
+ $response = $this->post('admin/pages/edit/EditForm', $data);
+ $this->assertEquals(403, $response->getStatusCode());
+ }
+
+ public function testReviewedWithAuthor() {
+ $author = $this->objFromFixture('Member', 'author');
+ $this->loginAs($author);
+ $page = $this->objFromFixture('Page', 'home');
+
+ $data = array(
+ 'action_reviewed' => 1,
+ 'ID' => $page->ID
+ );
+
+ $response = $this->post('admin/pages/edit/EditForm', $data);
+ $this->assertEquals('OK', $response->getStatusDescription());
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
+ public function testSaveReview() {
+ $author = $this->objFromFixture('Member', 'author');
+ $this->loginAs($author);
+ $page = $this->objFromFixture('Page', 'home');
+
+ $data = array(
+ 'action_save_review' => 1,
+ 'ID' => $page->ID,
+ 'ReviewNotes' => 'This is the best page ever'
+ );
+
+ $response = $this->post('admin/pages/edit/EditForm', $data);
+
+ $this->assertEquals('OK', $response->getStatusDescription());
+ $this->assertEquals(200, $response->getStatusCode());
+
+ $this->assertEquals(1,
$page->ReviewLogs()->count());
+ $reviewLog = $page->ReviewLogs()->first();
+
+ $this->assertEquals($data['ReviewNotes'], $reviewLog->Note);
+ }
+
+}
+
diff --git a/tests/ContentReviewTest.yml b/tests/ContentReviewTest.yml
index 76675f9..bc16caa 100644
--- a/tests/ContentReviewTest.yml
+++ b/tests/ContentReviewTest.yml
@@ -31,6 +31,10 @@ Member: FirstName: Test Surname: Editor Groups: =>Group.editorgroup + visitor: + FirstName: Kari + Surname: Visitor + Email: visitor@example.com Page: home:
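Review bot: `testReviewedThrowsExceptionWithWrongAccess` does not appear to exercise the new `canEdit()` branch it is named for: the post carries no `ID`, so `reviewed()` itself would take the 404 "No record ID" path, and the 403 it asserts most likely comes from the visitor (a fixture member with no group) being refused by the CMS controller before the form action runs. To cover the permission check, log in as a member who can reach the CMS but cannot edit the page and post the ID, e.g. `'action_reviewed' => 1, 'ID' => $page->ID`, still asserting 403; `$page` is assigned and never used in that test, which suggests the ID was meant to be sent. The class header and the method containing the first `setExpectedException` call lie outside the visible hunk.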