diff --git a/security/Member.php b/security/Member.php
index cec9533c8..38e49a982 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -1491,6 +1491,12 @@ class Member_ProfileForm extends Form {
 }
 $SQL_data = Convert::raw2sql($data);
 $member = DataObject::get_by_id("Member", $SQL_data['ID']);
+
+ if(!$member->canEdit()) {
+ $form->sessionMessage(_t('Member.CANTEDIT', 'You don\'t have permission to do that'), 'bad');
+ return $this->controller->redirectBack();
+ }
+
 if($SQL_data['Locale'] != $member->Locale) {
 $form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good");
 }
diff --git a/tests/control/CMSProfileControllerTest.php b/tests/control/CMSProfileControllerTest.php
new file mode 100644
index 000000000..074faee77
--- /dev/null
+++ b/tests/control/CMSProfileControllerTest.php
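Review bot: `$member` is whatever `DataObject::get_by_id("Member", $SQL_data['ID'])` returns, and when the posted ID matches no record that is not an object, so the new `if(!$member->canEdit())` dereferences a non-object and the request dies with an error instead of being refused; the guard should read `if(!$member || !$member->canEdit()) {` so a stale or tampered ID takes the same refusal path as an unauthorised one. Placing the check before any further processing of `$SQL_data` is the right spot, and a one-line comment such as `// Refuse to save a profile the current user may not edit (covers an ID other than the logged-in member's)` would make the intent of the early return clear to the next reader. The method this hunk sits in starts and ends outside the hunk, so whether `$this->controller` is always set at this point cannot be confirmed from here. The loose `!=` comparison of `Locale` in the following context line is pre-existing and not part of this change.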
@@ -0,0 +1,78 @@
+objFromFixture('Member', 'user1');
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $anotherMember->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+
+ $this->assertNotEquals($anotherMember->FirstName, 'JoeEdited', 'FirstName field stays the same');
+ }
+
+ public function testMemberEditsOwnProfile() {
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertEquals($member->FirstName, 'JoeEdited', 'FirstName field was changed');
+ }
+
+ public function testExtendedPermissionsStopEditingOwnProfile() {
+ Config::inst()->update('Member', 'extensions', array('CMSProfileControllerTestExtension'));
+
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertNotEquals($member->FirstName, 'JoeEdited', 'FirstName field was NOT changed because we modified canEdit');
+ }
+
+}
+class CMSProfileControllerTestExtension extends DataExtension {
+
+ public function canEdit($member = null) {
+ return false;
+ }
+
+}
diff --git a/tests/control/CMSProfileControllerTest.yml b/tests/control/CMSProfileControllerTest.yml
new file mode 100644
index 000000000..4ab2d44f3
--- /dev/null
+++ b/tests/control/CMSProfileControllerTest.yml
@@ -0,0 +1,27 @@
+Permission:
+ admin:
+ Code: ADMIN
+ cmsmain:
+ Code: CMS_ACCESS_LeftAndMain
+ leftandmain:
+ Code: CMS_ACCESS_CMSMain
+Group:
+ admins:
+ Title: Administrators
+ Permissions: =>Permission.admin
+ cmsusers:
+ Title: CMS Users
+ Permissions: =>Permission.cmsmain, =>Permission.leftandmain
+Member:
+ admin:
+ FirstName: Admin
+ Email: admin@user.com
+ Groups: =>Group.admins
+ user1:
+ FirstName: Joe
+ Email: user1@user.com
+ Groups: =>Group.cmsusers
+ user2:
+ FirstName: Steve
+ Email: user2@user.com
+ Groups: =>Group.cmsusers
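Review bot: The two negative tests (the first method, whose header is lost in this view, and `testExtendedPermissionsStopEditingOwnProfile`) prove only that `FirstName` did not change, which would equally hold if the save failed for an unrelated reason such as form validation or a bad route, so they do not pin the refusal the Member.php change introduces; `$response` is assigned in all three tests and never read, and asserting on it (the redirect status the handler returns, or the session message it sets) would tie each test to the permission path. The `assertEquals`/`assertNotEquals` calls pass the actual value first and the expected literal second, the reverse of PHPUnit's convention, which makes failure messages read backwards; `$this->assertNotEquals('JoeEdited', $anotherMember->FirstName, ...)` is the conventional order. `Config::inst()->update('Member', 'extensions', ...)` in the last test mutates global config, and whether it is rolled back before the next test depends on the base test class, which is not visible here; if it is not, `user1` stays uneditable for any test that runs afterwards. The class header and the first test's opening lines are missing from this view, so the fixture file the class loads cannot be confirmed.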
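Review bot: The fixture keys `cmsmain` and `leftandmain` are swapped relative to the codes they carry (`cmsmain` holds `CMS_ACCESS_LeftAndMain`, `leftandmain` holds `CMS_ACCESS_CMSMain`), so `Permissions: =>Permission.cmsmain, =>Permission.leftandmain` reads as the opposite of what it grants; renaming the keys to match their codes avoids the confusion. The `admin` member and the `admins` group are not referenced by any of the three tests visible in this diff, so they may be leftover scaffolding.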