From 995f1f4157b2a37c6c3c3414c495e2b0a6b96c7d Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Tue, 19 Oct 2010 01:32:39 +0000
Subject: [PATCH] BUGFIX: ensure that pages can only be requested from staging and live (from r110759)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112845 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 core/model/Versioned.php | 11 +++++++----
 tests/SiteTreePermissionsTest.php | 33 +++++++++++++++++++++++++++++++
 tests/SiteTreePermissionsTest.yml | 5 ++++-
 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/core/model/Versioned.php b/core/model/Versioned.php
index 031963bb5..76ac1d0aa 100755
--- a/core/model/Versioned.php
+++ b/core/model/Versioned.php
@@ -626,15 +626,18 @@ class Versioned extends DataObjectDecorator {
 	 */
 	static function choose_site_stage() {
 		if(isset($_GET['stage'])) {
-			$_GET['stage'] = ucfirst(strtolower($_GET['stage']));
-			Session::set('readingMode', 'Stage.' . $_GET['stage']);
+			$stage = ucfirst(strtolower($_GET['stage']));
+
+			if(!in_array($stage, array('Stage', 'Live'))) $stage = 'Live';
+
+			Session::set('readingMode', 'Stage.' . $stage);
 		}
 		if(isset($_GET['archiveDate'])) {
 			Session::set('readingMode', 'Archive.' . $_GET['archiveDate']);
 		}
 
-		if(Session::get('readingMode')) {
-			Versioned::set_reading_mode(Session::get('readingMode'));
+		if($mode = Session::get('readingMode')) {
+			Versioned::set_reading_mode($mode);
 		} else {
 			Versioned::reading_stage("Live");
 		}
diff --git a/tests/SiteTreePermissionsTest.php b/tests/SiteTreePermissionsTest.php
index bb1834d0b..122e3e8be 100755
--- a/tests/SiteTreePermissionsTest.php
+++ b/tests/SiteTreePermissionsTest.php
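Review bot: The `archiveDate` branch in the middle of the hunk still stores the raw query-string value in the session (`Session::set('readingMode', 'Archive.' . $_GET['archiveDate'])`) and the rewritten tail then passes it unchanged to `Versioned::set_reading_mode($mode)`, so the allow-list added for `stage` leaves the other user-controlled reading-mode input unchecked. What set_reading_mode does with an archive date is outside this hunk, so the impact is only inferred, but the same discipline would be to accept only a date-shaped value before storing it: `if(isset($_GET['archiveDate']) && preg_match('/^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$/', $_GET['archiveDate'])) {`. Separately, `in_array($stage, array('Stage', 'Live'))` could pass `true` as its third argument so the membership check is a strict string comparison rather than PHP's loose one. The closing brace of choose_site_stage lies outside the hunk.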
@@ -34,6 +34,39 @@ class SiteTreePermissionsTest extends FunctionalTest {
 		$this->autoFollowRedirection = false;
 	}
 
+
+	function testAccessingStageWithBlankStage() {
+		$this->useDraftSite(false);
+		$this->autoFollowRedirection = false;
+
+		$page = $this->objFromFixture('Page', 'draftOnlyPage');
+
+		if($member = Member::currentUser()) {
+			$member->logOut();
+		}
+
+		$response = $this->get($page->URLSegment . '?stage=Live');
+		$this->assertEquals($response->getStatusCode(), '404');
+
+		$response = $this->get($page->URLSegment . '?stage=');
+		$this->assertEquals($response->getStatusCode(), '404');
+
+		// should be prompted for a login
+		$response = $this->get($page->URLSegment . '?stage=Stage');
+		$this->assertEquals($response->getStatusCode(), '302');
+
+		$this->logInWithPermission('ADMIN');
+
+		$response = $this->get($page->URLSegment . '?stage=Live');
+		$this->assertEquals($response->getStatusCode(), '404');
+
+		$response = $this->get($page->URLSegment . '?stage=Stage');
+		$this->assertEquals($response->getStatusCode(), '200');
+
+		$response = $this->get($page->URLSegment . '?stage=');
+		$this->assertEquals($response->getStatusCode(), '404');
+	}
+
 	function testPermissionCheckingWorksOnDeletedPages() {
 		// Set up fixture - a published page deleted from draft
 		$this->logInWithPermission("ADMIN");
diff --git a/tests/SiteTreePermissionsTest.yml b/tests/SiteTreePermissionsTest.yml
index 67e2987cb..709d8aa6f 100644
--- a/tests/SiteTreePermissionsTest.yml
+++ b/tests/SiteTreePermissionsTest.yml
@@ -82,4 +82,7 @@ Page:
    deleteTestChildPage:
       CanEditType: OnlyTheseUsers
       EditorGroups: =>Group.subadmingroup
-      URLSegment: deleteTestChildPage
\ No newline at end of file
+      URLSegment: deleteTestChildPage
+   draftOnlyPage:
+      CanViewType: Anyone
+      URLSegment: draft-only
\ No newline at end of file
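Review bot: The new test only requests `stage=Live`, `stage=Stage` and an empty `stage`, so the case the fix specifically introduces — an unrecognised non-empty value being coerced to Live — is never exercised; a request like `?stage=Foo` (and `?stage=stAGE`, to pin the case-folding to `Stage`) should be asserted to 404 for the anonymous visitor and to the matching code for the admin. Two lines per case suffice: `$response = $this->get($page->URLSegment . '?stage=Foo');` followed by `$this->assertEquals(404, $response->getStatusCode());`. As a point of style, every `assertEquals` in the method passes the actual value first and the expected status as a string; PHPUnit reports expected/actual in the other order, so swapping the arguments and using integer codes makes a failure message read correctly. The enclosing test class continues beyond the hunk.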