Merge pull request #777 from halkyon/field_edit3

Member_ProfileForm respects canEdit() permissions on Member
Will Rossiter 2012-10-27 20:11:46 -07:00
commit 69ea73b4ed
3 changed files with 115 additions and 2 deletions


@ -1502,10 +1502,14 @@ class Member_ProfileForm extends Form {
if(!isset($data['ID']) || $data['ID'] != Member::currentUserID()) { if(!isset($data['ID']) || $data['ID'] != Member::currentUserID()) {
return $this->controller->redirectBack(); return $this->controller->redirectBack();
} }
$SQL_data = Convert::raw2sql($data); $SQL_data = Convert::raw2sql($data);
$member = DataObject::get_by_id("Member", $SQL_data['ID']); $member = DataObject::get_by_id("Member", $SQL_data['ID']);
if(!$member->canEdit()) {
$form->sessionMessage(_t('Member.CANTEDIT', 'You don\'t have permission to do that'), 'bad');
return $this->controller->redirectBack();
}
if($SQL_data['Locale'] != $member->Locale) { if($SQL_data['Locale'] != $member->Locale) {
$form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good"); $form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good");
} }
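Review bot: The new canEdit() guard dereferences `$member` without checking that the lookup succeeded, so if `DataObject::get_by_id("Member", $SQL_data['ID'])` returns no record (for example the logged-in member was deleted while the session stayed alive) the permission check becomes a fatal "method on a non-object" error instead of a redirect. The guard should cover both cases: `if(!$member || !$member->canEdit()) {`. Because the preceding ID check already restricts the ID to the current user, the guard is effectively an extension point for canEdit() overrides, which is what the accompanying test exercises. The enclosing method starts and ends outside the hunk.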


@ -0,0 +1,82 @@
<?php
class CMSProfileControllerTest extends FunctionalTest {
public static $fixture_file = 'CMSProfileControllerTest.yml';
public $autoFollowRedirection = false;
public function testMemberCantEditAnother() {
$member = $this->objFromFixture('Member', 'user1');
$anotherMember = $this->objFromFixture('Member', 'user2');
$this->session()->inst_set('loggedInAs', $member->ID);
$response = $this->post('admin/myprofile/Member_ProfileForm', array(
'action_dosave' => 1,
'ID' => $anotherMember->ID,
'FirstName' => 'JoeEdited',
'Surname' => 'BloggsEdited',
'Email' => $member->Email,
'Locale' => $member->Locale,
'Password[_Password]' => 'password',
'Password[_ConfirmPassword]' => 'password',
));
$anotherMember = $this->objFromFixture('Member', 'user2');
$this->assertNotEquals($anotherMember->FirstName, 'JoeEdited', 'FirstName field stays the same');
}
public function testMemberEditsOwnProfile() {
$member = $this->objFromFixture('Member', 'user1');
$this->session()->inst_set('loggedInAs', $member->ID);
$response = $this->post('admin/myprofile/Member_ProfileForm', array(
'action_dosave' => 1,
'ID' => $member->ID,
'FirstName' => 'JoeEdited',
'Surname' => 'BloggsEdited',
'Email' => $member->Email,
'Locale' => $member->Locale,
'Password[_Password]' => 'password',
'Password[_ConfirmPassword]' => 'password',
));
$member = $this->objFromFixture('Member', 'user1');
$this->assertEquals($member->FirstName, 'JoeEdited', 'FirstName field was changed');
}
public function testExtendedPermissionsStopEditingOwnProfile() {
$existingExtensions = Config::inst()->get('Member', 'extensions');
Config::inst()->update('Member', 'extensions', array('CMSProfileControllerTestExtension'));
$member = $this->objFromFixture('Member', 'user1');
$this->session()->inst_set('loggedInAs', $member->ID);
$response = $this->post('admin/myprofile/Member_ProfileForm', array(
'action_dosave' => 1,
'ID' => $member->ID,
'FirstName' => 'JoeEdited',
'Surname' => 'BloggsEdited',
'Email' => $member->Email,
'Locale' => $member->Locale,
'Password[_Password]' => 'password',
'Password[_ConfirmPassword]' => 'password',
));
$member = $this->objFromFixture('Member', 'user1');
$this->assertNotEquals($member->FirstName, 'JoeEdited', 'FirstName field was NOT changed because we modified canEdit');
Config::inst()->remove('Member', 'extensions');
Config::inst()->update('Member', 'extensions', $existingExtensions);
}
}
class CMSProfileControllerTestExtension extends DataExtension {
public function canEdit($member = null) {
return false;
}
}
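Review bot: In testMemberCantEditAnother and testExtendedPermissionsStopEditingOwnProfile the `$response` returned by post() is never asserted, so a request that never reaches dosave() (a 404 on the route, a form validation failure) is indistinguishable from a permission denial; at minimum assert the redirect, e.g. `$this->assertEquals(302, $response->getStatusCode());`, and ideally the session message set on denial. The assertEquals/assertNotEquals calls also pass expected and actual in reverse (`$this->assertEquals('JoeEdited', $member->FirstName, 'FirstName field was changed');`), which only affects failure messages but is misleading when a test breaks. In testExtendedPermissionsStopEditingOwnProfile the Config restore at the end is skipped if the assertion fails, leaking the canEdit-denying extension into later tests unless the base test class already nests Config per test; moving the restore into tearDown() avoids that. CMSProfileControllerTestExtension should also implement TestOnly if, as elsewhere in the framework, that is how test-only classes are kept out of the regular manifest.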


@ -0,0 +1,27 @@
Permission:
admin:
Code: ADMIN
cmsmain:
Code: CMS_ACCESS_LeftAndMain
leftandmain:
Code: CMS_ACCESS_CMSMain
Group:
admins:
Title: Administrators
Permissions: =>Permission.admin
cmsusers:
Title: CMS Users
Permissions: =>Permission.cmsmain, =>Permission.leftandmain
Member:
admin:
FirstName: Admin
Email: admin@user.com
Groups: =>Group.admins
user1:
FirstName: Joe
Email: user1@user.com
Groups: =>Group.cmsusers
user2:
FirstName: Steve
Email: user2@user.com
Groups: =>Group.cmsusers
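Review bot: The two CMS permission fixtures are labelled the opposite way round from their codes — `cmsmain` carries `CMS_ACCESS_LeftAndMain` and `leftandmain` carries `CMS_ACCESS_CMSMain` — which will mislead anyone extending the fixture; swap the identifiers so each matches its Code. The `admin` member and `admins` group are not referenced by any of the three tests in this commit, so either drop them or add a comment saying what they are reserved for.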