Merge pull request #777 from halkyon/field_edit3
Member_ProfileForm respect canEdit() permissions on Member
This commit is contained in:
commit
69ea73b4ed
@ -1502,10 +1502,14 @@ class Member_ProfileForm extends Form {
|
||||
if(!isset($data['ID']) || $data['ID'] != Member::currentUserID()) {
|
||||
return $this->controller->redirectBack();
|
||||
}
|
||||
|
||||
$SQL_data = Convert::raw2sql($data);
|
||||
$member = DataObject::get_by_id("Member", $SQL_data['ID']);
|
||||
|
||||
if(!$member->canEdit()) {
|
||||
$form->sessionMessage(_t('Member.CANTEDIT', 'You don\'t have permission to do that'), 'bad');
|
||||
return $this->controller->redirectBack();
|
||||
}
|
||||
|
||||
if($SQL_data['Locale'] != $member->Locale) {
|
||||
$form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good");
|
||||
}
|
||||
|
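--- /dev/null
+++ b/tests/control/CMSProfileControllerTest.php
@@ -0,0 +1,82 @@
+<?php
+class CMSProfileControllerTest extends FunctionalTest {
+
+public static $fixture_file = 'CMSProfileControllerTest.yml';
+
+public $autoFollowRedirection = false;
+
+public function testMemberCantEditAnother() {
+$member = $this->objFromFixture('Member', 'user1');
+$anotherMember = $this->objFromFixture('Member', 'user2');
+$this->session()->inst_set('loggedInAs', $member->ID);
+
+$response = $this->post('admin/myprofile/Member_ProfileForm', array(
+'action_dosave' => 1,
+'ID' => $anotherMember->ID,
+'FirstName' => 'JoeEdited',
+'Surname' => 'BloggsEdited',
+'Email' => $member->Email,
+'Locale' => $member->Locale,
+'Password[_Password]' => 'password',
+'Password[_ConfirmPassword]' => 'password',
+));
+
+$anotherMember = $this->objFromFixture('Member', 'user2');
+
+$this->assertNotEquals($anotherMember->FirstName, 'JoeEdited', 'FirstName field stays the same');
+}
+
+public function testMemberEditsOwnProfile() {
+$member = $this->objFromFixture('Member', 'user1');
+$this->session()->inst_set('loggedInAs', $member->ID);
+
+$response = $this->post('admin/myprofile/Member_ProfileForm', array(
+'action_dosave' => 1,
+'ID' => $member->ID,
+'FirstName' => 'JoeEdited',
+'Surname' => 'BloggsEdited',
+'Email' => $member->Email,
+'Locale' => $member->Locale,
+'Password[_Password]' => 'password',
+'Password[_ConfirmPassword]' => 'password',
+));
+
+$member = $this->objFromFixture('Member', 'user1');
+
+$this->assertEquals($member->FirstName, 'JoeEdited', 'FirstName field was changed');
+}
+
+public function testExtendedPermissionsStopEditingOwnProfile() {
+$existingExtensions = Config::inst()->get('Member', 'extensions');
+Config::inst()->update('Member', 'extensions', array('CMSProfileControllerTestExtension'));
+
+$member = $this->objFromFixture('Member', 'user1');
+$this->session()->inst_set('loggedInAs', $member->ID);
+
+$response = $this->post('admin/myprofile/Member_ProfileForm', array(
+'action_dosave' => 1,
+'ID' => $member->ID,
+'FirstName' => 'JoeEdited',
+'Surname' => 'BloggsEdited',
+'Email' => $member->Email,
+'Locale' => $member->Locale,
+'Password[_Password]' => 'password',
+'Password[_ConfirmPassword]' => 'password',
+));
+
+$member = $this->objFromFixture('Member', 'user1');
+
+$this->assertNotEquals($member->FirstName, 'JoeEdited', 'FirstName field was NOT changed because we modified canEdit');
+
+Config::inst()->remove('Member', 'extensions');
+Config::inst()->update('Member', 'extensions', $existingExtensions);
+}
+
+}
+class CMSProfileControllerTestExtension extends DataExtension {
+
+public function canEdit($member = null) {
+return false;
+}
+
+}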
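Review bot: In testExtendedPermissionsStopEditingOwnProfile the Config restore at the end (`Config::inst()->remove('Member', 'extensions');` / `Config::inst()->update('Member', 'extensions', $existingExtensions);`) only executes when the preceding assertNotEquals passes; a failing assertion throws past it and leaves CMSProfileControllerTestExtension registered on Member, so canEdit() returns false for every later test in the run. Moving the save into setUp() and the restore into tearDown(), which PHPUnit runs even after a failed assertion, keeps the permission override isolated to this test. The `$response` captured in all three tests is never inspected; since `$autoFollowRedirection = false`, each test could also pin the redirect the form action performs, e.g. `$this->assertEquals(302, $response->getStatusCode());`, which would catch a regression where the save silently falls through instead of redirecting. As a style point, the assertEquals/assertNotEquals calls pass the actual value first and the expected literal second, which inverts PHPUnit's (expected, actual) order and makes failure messages read backwards.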
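--- /dev/null
+++ b/tests/control/CMSProfileControllerTest.yml
@@ -0,0 +1,27 @@
+Permission:
+admin:
+Code: ADMIN
+cmsmain:
+Code: CMS_ACCESS_LeftAndMain
+leftandmain:
+Code: CMS_ACCESS_CMSMain
+Group:
+admins:
+Title: Administrators
+Permissions: =>Permission.admin
+cmsusers:
+Title: CMS Users
+Permissions: =>Permission.cmsmain, =>Permission.leftandmain
+Member:
+admin:
+FirstName: Admin
+Email: admin@user.com
+Groups: =>Group.admins
+user1:
+FirstName: Joe
+Email: user1@user.com
+Groups: =>Group.cmsusers
+user2:
+FirstName: Steve
+Email: user2@user.com
+Groups: =>Group.cmsusers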