BUGFIX: Ticket #4805

added a canCreateTopLevel() if there is no parent object in CMSMain.php 
added testCreationOfTopLevelPage toCMSMainTest.php
added the nessessary 'database entries' in the CMSMainTest.yml 

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/branches/2.4@98001 467b73ca-7a2a-4603-9d3b-597d59a354a9

code/CMSMain.php

@@ -494,8 +494,13 @@ JS;
 		if(is_numeric($parent)) $parentObj = DataObject::get_by_id("SiteTree", $parent);
 		if(!$parentObj || !$parentObj->ID) $parent = 0;
 		
-		if($parentObj && !$parentObj->canAddChildren()) return Security::permissionFailure($this);
+		if($parentObj){
-		if(!singleton($className)->canCreate()) return Security::permissionFailure($this);
+			if(!$parentObj->canAddChildren()) return Security::permissionFailure($this);
+			if(!singleton($className)->canCreate()) return Security::permissionFailure($this);
+		}else{
+			if(!SiteConfig::current_site_config()->canCreateTopLevel())
+				return Security::permissionFailure($this);
+		}
 
 		$p = $this->getNewItem("new-$className-$parent".$suffix, false);
 		$p->Locale = $_REQUEST['Locale'];

tests/CMSMainTest.php

@@ -163,4 +163,24 @@ class CMSMainTest extends FunctionalTest {
 		$result = $this->get('admin/getfilteredsubtree?filter=CMSSiteTreeFilter_DeletedPages&ajax=1&ID=' . $id);
 		$this->assertEquals(200, $result->getStatusCode());
 	}
+	
+	function testCreationOfTopLevelPage(){
+		$cmsUser = $this->objFromFixture('Member', 'allcmssectionsuser');
+		$rootEditUser = $this->objFromFixture('Member', 'rootedituser');
+
+		// with insufficient permissions
+		$cmsUser->logIn();
+		$response = $this->post('admin/addpage', array('ParentID' => '0', 'PageType' => 'Page', 'Locale' => 'en_US'));
+		// should redirect, which is a permission error
+		$this->assertEquals(403, $response->getStatusCode(), 'Add TopLevel page must fail for normal user');
+
+		// with correct permissions
+		$rootEditUser->logIn();
+		$response = $this->post('admin/addpage', array('ParentID' => '0', 'PageType' => 'Page', 'Locale' => 'en_US'));
+		$this->assertEquals(302, $response->getStatusCode(), 'Must be a redirect on success');
+		$location=$response->getHeader('Location');
+		$this->assertContains('/show/',$location, 'Must redirect to /show/ the new page');
+		// TODO Logout
+		$this->session()->inst_set('loggedInAs', NULL);
+	}
 }

tests/CMSMainTest.yml

@@ -25,6 +25,8 @@ Group:
       Title: assetsonly
    allcmssections:
       Title: allcmssections
+   rooteditusers:
+      Title: rooteditusers
 Member:
    admin:
       Email: admin@example.com
@@ -36,6 +38,9 @@ Member:
    allcmssectionsuser:
       Email: allcmssectionsuser@test.com
       Groups: =>Group.allcmssections
+   rootedituser:
+      Email: rootedituser@test.com
+      Groups: =>Group.rooteditusers
 Permission:
    admin:
       Code: ADMIN
@@ -45,4 +50,15 @@ Permission:
       GroupID: =>Group.assetsonly
    allcmssections:
       Code: CMS_ACCESS_LeftAndMain
-      GroupID: =>Group.allcmssections
+      GroupID: =>Group.allcmssections
+   allcmssections2:
+      Code: CMS_ACCESS_LeftAndMain
+      GroupID: =>Group.rooteditusers
+SiteConfig:
+   siteconfig1:
+      EditorGroups: =>Group.rooteditusers
+      CanCreateTopLevelType: 'OnlyTheseUsers'
+SiteConfig_CreateTopLevelGroups:
+   createtoplevelgroups1:
+      siteconfigid:  1
+      GroupID: =>Group.rooteditusers