mirror of
https://github.com/silverstripe/silverstripe-reports
synced 2024-10-22 11:05:53 +02:00
ENHANCEMENT Added PageComment->canView()/canEdit()/canDelete(), and using these permissions in PageCommentInterface. Caution: canCreate() actions are still determined by PageCommentInterface::$comments_require_login/$comments_require_permission
BUGFIX Requiring CMS_ACCESS_CommentAdmin instead of ADMIN permissions in PageCommentInterface and CommentAdmin administrative actions (from r104968) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@112459 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer
parent
a52f572f1e
commit
e43a2409cd
@ -60,7 +60,7 @@ class PageComment extends DataObject {
|
||||
}
|
||||
|
||||
function DeleteLink() {
|
||||
return (Permission::check('CMS_ACCESS_CMSMain')) ? "PageComment_Controller/deletecomment/$this->ID" : false;
|
||||
return ($this->canDelete()) ? "PageComment_Controller/deletecomment/$this->ID" : false;
|
||||
}
|
||||
|
||||
function CommentTextWithLinks() {
|
||||
@ -70,15 +70,15 @@ class PageComment extends DataObject {
|
||||
}
|
||||
|
||||
function SpamLink() {
|
||||
return (Permission::check('CMS_ACCESS_CMSMain') && !$this->IsSpam) ? "PageComment_Controller/reportspam/$this->ID" : false;
|
||||
return ($this->canEdit() && !$this->IsSpam) ? "PageComment_Controller/reportspam/$this->ID" : false;
|
||||
}
|
||||
|
||||
function HamLink() {
|
||||
return (Permission::check('CMS_ACCESS_CMSMain') && $this->IsSpam) ? "PageComment_Controller/reportham/$this->ID" : false;
|
||||
return ($this->canEdit() && $this->IsSpam) ? "PageComment_Controller/reportham/$this->ID" : false;
|
||||
}
|
||||
|
||||
function ApproveLink() {
|
||||
return (Permission::check('CMS_ACCESS_CMSMain') && $this->NeedsModeration) ? "PageComment_Controller/approve/$this->ID" : false;
|
||||
return ($this->canEdit() && $this->NeedsModeration) ? "PageComment_Controller/approve/$this->ID" : false;
|
||||
}
|
||||
|
||||
function SpamClass() {
|
||||
@ -156,6 +156,77 @@ class PageComment extends DataObject {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This always returns true, and should be handled by {@link PageCommentInterface->CanPostComment()}.
|
||||
*
|
||||
* @todo Integrate with PageCommentInterface::$comments_require_permission and $comments_require_login
|
||||
*
|
||||
* @param Member $member
|
||||
* @return Boolean
|
||||
*/
|
||||
function canCreate($member = null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks for association with a page,
|
||||
* and {@link SiteTree->ProvidePermission} flag being set to TRUE.
|
||||
* Note: There's an additional layer of permission control
|
||||
* in {@link PageCommentInterface}.
|
||||
*
|
||||
* @param Member $member
|
||||
* @return Boolean
|
||||
*/
|
||||
function canView($member = null) {
|
||||
if(!$member) $member = Member::currentUser();
|
||||
|
||||
// Standard mechanism for accepting permission changes from decorators
|
||||
$extended = $this->extendedCan('canView', $member);
|
||||
if($extended !== null) return $extended;
|
||||
|
||||
$page = $this->Parent();
|
||||
return (
|
||||
($page && $page->ProvideComments)
|
||||
|| (bool)Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin')
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks for "CMS_ACCESS_CommentAdmin" permission codes
|
||||
* and {@link canView()}.
|
||||
*
|
||||
* @param Member $member
|
||||
* @return Boolean
|
||||
*/
|
||||
function canEdit($member = null) {
|
||||
if(!$member) $member = Member::currentUser();
|
||||
|
||||
// Standard mechanism for accepting permission changes from decorators
|
||||
$extended = $this->extendedCan('canEdit', $member);
|
||||
if($extended !== null) return $extended;
|
||||
|
||||
if(!$this->canView($member)) return false;
|
||||
|
||||
return (bool)Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin');
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks for "CMS_ACCESS_CommentAdmin" permission codes
|
||||
* and {@link canEdit()}.
|
||||
*
|
||||
* @param Member $member
|
||||
* @return Boolean
|
||||
*/
|
||||
function canDelete($member = null) {
|
||||
if(!$member) $member = Member::currentUser();
|
||||
|
||||
// Standard mechanism for accepting permission changes from decorators
|
||||
$extended = $this->extendedCan('canDelete', $member);
|
||||
if($extended !== null) return $extended;
|
||||
|
||||
return $this->canEdit($member);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -180,13 +251,11 @@ class PageComment_Controller extends Controller {
|
||||
* Deletes all comments on the page referenced by the url param pageid
|
||||
*/
|
||||
function deleteallcomments() {
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
$pageId = $_REQUEST['pageid'];
|
||||
if(preg_match('/^\d+$/', $pageId)) {
|
||||
$comments = DataObject::get("PageComment", "\"ParentID\" = $pageId");
|
||||
if($comments) foreach($comments as $c) {
|
||||
$c->delete();
|
||||
}
|
||||
if($c->canDelete()) $c->delete();
|
||||
}
|
||||
}
|
||||
|
||||
@ -198,12 +267,10 @@ class PageComment_Controller extends Controller {
|
||||
}
|
||||
|
||||
function deletecomment() {
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||
if($comment) {
|
||||
if($comment && $comment->canDelete()) {
|
||||
$comment->delete();
|
||||
}
|
||||
}
|
||||
|
||||
if($this->isAjax()) {
|
||||
echo "";
|
||||
@ -213,10 +280,9 @@ class PageComment_Controller extends Controller {
|
||||
}
|
||||
|
||||
function approve() {
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||
|
||||
if($comment) {
|
||||
if($comment && $comment->canEdit()) {
|
||||
$comment->NeedsModeration = false;
|
||||
$comment->write();
|
||||
|
||||
@ -225,18 +291,14 @@ class PageComment_Controller extends Controller {
|
||||
if($this->isAjax()) {
|
||||
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
||||
} else {
|
||||
$this->redirectBack();
|
||||
}
|
||||
Director::redirectBack();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function reportspam() {
|
||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||
if($comment) {
|
||||
// check they have access
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
|
||||
if($comment && $comment->canEdit()) {
|
||||
// if spam protection module exists
|
||||
if(class_exists('SpamProtectorManager')) {
|
||||
SpamProtectorManager::send_feedback($comment, 'spam');
|
||||
@ -258,7 +320,6 @@ class PageComment_Controller extends Controller {
|
||||
$comment->NeedsModeration = false;
|
||||
$comment->write();
|
||||
}
|
||||
}
|
||||
if($this->isAjax()) {
|
||||
if(SSAkismet::isEnabled() && SSAkismet::getSaveSpam()) {
|
||||
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
||||
@ -274,9 +335,7 @@ class PageComment_Controller extends Controller {
|
||||
*/
|
||||
function reportham() {
|
||||
$comment = DataObject::get_by_id("PageComment", $this->urlParams['ID']);
|
||||
if($comment) {
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
|
||||
if($comment && $comment->canEdit()) {
|
||||
// if spam protection module exists
|
||||
if(class_exists('SpamProtectorManager')) {
|
||||
SpamProtectorManager::send_feedback($comment, 'ham');
|
||||
@ -295,7 +354,6 @@ class PageComment_Controller extends Controller {
|
||||
$comment->setField('IsSpam', false);
|
||||
$comment->write();
|
||||
}
|
||||
}
|
||||
if($this->isAjax()) {
|
||||
echo $comment->renderWith('PageCommentInterface_singlecomment');
|
||||
} else {
|
||||
|
||||
@ -231,7 +231,7 @@ class PageCommentInterface extends RequestHandler {
|
||||
$limit['limit'] = PageComment::$comments_per_page;
|
||||
|
||||
$spamfilter = isset($_GET['showspam']) ? '' : "AND \"IsSpam\" = 0";
|
||||
$unmoderatedfilter = Permission::check('ADMIN') ? '' : "AND \"NeedsModeration\" = 0";
|
||||
$unmoderatedfilter = Permission::check('CMS_ACCESS_CommentAdmin') ? '' : "AND \"NeedsModeration\" = 0";
|
||||
$order = self::$order_comments_by;
|
||||
$comments = DataObject::get("PageComment", "\"ParentID\" = '" . Convert::raw2sql($this->page->ID) . "' $spamfilter $unmoderatedfilter", $order, "", $limit);
|
||||
|
||||
@ -254,7 +254,7 @@ class PageCommentInterface extends RequestHandler {
|
||||
* comments on a page referenced by the url param pageid
|
||||
*/
|
||||
function DeleteAllLink() {
|
||||
if(Permission::check('CMS_ACCESS_CMSMain')) {
|
||||
if(Permission::check('CMS_ACCESS_CommentAdmin')) {
|
||||
return Director::absoluteBaseURL() . "PageComment/deleteallcomments?pageid=" . $this->page->ID;
|
||||
}
|
||||
}
|
||||
|
||||
@ -28,7 +28,7 @@ class CommentAdminTest extends FunctionalTest {
|
||||
function testdeletemarked(){
|
||||
$comm = $this->objFromFixture('PageComment', 'Comment1');
|
||||
$id = $comm->ID;
|
||||
$this->logInWithPermission('ADMIN');
|
||||
$this->logInWithPermission('CMS_ACCESS_CommentAdmin');
|
||||
$result = $this->get("admin/comments/EditForm/field/Comments/item/$id/delete");
|
||||
$checkComm = DataObject::get_by_id('PageComment',$id);
|
||||
|
||||
|
||||
@ -4,13 +4,64 @@ class PageCommentsTest extends FunctionalTest {
|
||||
|
||||
static $fixture_file = 'cms/tests/PageCommentsTest.yml';
|
||||
|
||||
function testCanView() {
|
||||
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||
|
||||
$this->assertTrue($comment->canView($visitor),
|
||||
'Unauthenticated members can view comments associated to a page with ProvideComments=1'
|
||||
);
|
||||
$this->assertTrue($comment->canView($admin),
|
||||
'Admins with CMS_ACCESS_CommentAdmin permissions can view comments associated to a page with ProvideComments=1'
|
||||
);
|
||||
|
||||
$disabledComment = $this->objFromFixture('PageComment', 'disabledCom');
|
||||
|
||||
$this->assertFalse($disabledComment->canView($visitor),
|
||||
'Unauthenticated members can not view comments associated to a page with ProvideComments=0'
|
||||
);
|
||||
$this->assertTrue($disabledComment->canView($admin),
|
||||
'Admins with CMS_ACCESS_CommentAdmin permissions can view comments associated to a page with ProvideComments=0'
|
||||
);
|
||||
}
|
||||
|
||||
function testCanEdit() {
|
||||
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||
|
||||
$this->assertFalse($comment->canEdit($visitor));
|
||||
$this->assertTrue($comment->canEdit($admin));
|
||||
}
|
||||
|
||||
function testCanDelete() {
|
||||
$visitor = $this->objFromFixture('Member', 'visitor');
|
||||
$admin = $this->objFromFixture('Member', 'commentadmin');
|
||||
$comment = $this->objFromFixture('PageComment', 'firstComA');
|
||||
|
||||
$this->assertFalse($comment->canEdit($visitor));
|
||||
$this->assertTrue($comment->canEdit($admin));
|
||||
}
|
||||
|
||||
function testDeleteComment() {
|
||||
$firstPage = $this->objFromFixture('Page', 'first');
|
||||
$this->autoFollowRedirection = false;
|
||||
$this->logInAs('commentadmin');
|
||||
|
||||
$firstComment = $this->objFromFixture('PageComment', 'firstComA');
|
||||
$firstCommentID = $firstComment->ID;
|
||||
Director::test($firstPage->RelativeLink(), null, $this->session());
|
||||
Director::test('PageComment/deletecomment/'.$firstComment->ID, null, $this->session());
|
||||
|
||||
$this->assertFalse(DataObject::get_by_id('PageComment', $firstCommentID));
|
||||
}
|
||||
|
||||
function testDeleteAllCommentsOnPage() {
|
||||
|
||||
|
||||
$second = $this->objFromFixture('Page', 'second');
|
||||
$this->autoFollowRedirection = false;
|
||||
$this->logInAs('admin');
|
||||
$this->logInAs('commentadmin');
|
||||
|
||||
Director::test('second-page', null, $this->session());
|
||||
Director::test('PageComment/deleteallcomments?pageid='.$second->ID,
|
||||
null, $this->session());
|
||||
|
||||
@ -1,27 +1,36 @@
|
||||
Member:
|
||||
admin:
|
||||
commentadmin:
|
||||
FirstName: admin
|
||||
visitor:
|
||||
FirstName: visitor
|
||||
|
||||
Group:
|
||||
admin:
|
||||
commentadmins:
|
||||
Title: Admin
|
||||
Members: =>Member.admin
|
||||
Members: =>Member.commentadmin
|
||||
|
||||
Permission:
|
||||
admin:
|
||||
Code: ADMIN
|
||||
Group: =>Group.admin
|
||||
Code: CMS_ACCESS_CommentAdmin
|
||||
Group: =>Group.commentadmins
|
||||
|
||||
Page:
|
||||
first:
|
||||
Title: First page
|
||||
URLSegment: first-page
|
||||
ProvideComments: 1
|
||||
second:
|
||||
Title: Second page
|
||||
URLSegment: second-page
|
||||
ProvideComments: 1
|
||||
third:
|
||||
Title: Third page
|
||||
URLSegment:third-page
|
||||
ProvideComments: 1
|
||||
pageNoComments:
|
||||
Title: No comments
|
||||
URLSegment: no-comments
|
||||
ProvideComments: 0
|
||||
|
||||
PageComment:
|
||||
firstComA:
|
||||
@ -48,3 +57,6 @@ PageComment:
|
||||
ParentID: =>Page.third
|
||||
Name: TC
|
||||
Comment: textTC
|
||||
disabledCom:
|
||||
ParentID: =>Page.pageNoComments
|
||||
Name: Disabled
|
||||
Loading…
Reference in New Issue
Block a user