diff --git a/code/Model/Submission/SubmittedFileField.php b/code/Model/Submission/SubmittedFileField.php
index 1a57cce..c89afb8 100755
--- a/code/Model/Submission/SubmittedFileField.php
+++ b/code/Model/Submission/SubmittedFileField.php
@@ -6,6 +6,8 @@ use SilverStripe\Assets\File;
use SilverStripe\Control\Director;
use SilverStripe\ORM\FieldType\DBField;
use SilverStripe\Versioned\Versioned;
+use SilverStripe\Security\Member;
+use SilverStripe\Security\Security;
/**
* A file uploaded on a {@link UserDefinedForm} and attached to a single
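Review bot: `use SilverStripe\Security\Member;` is added, but nothing in the visible hunks of this file references `Member`; the new code only calls `Security::getCurrentUser()`. If no code outside these hunks uses it, drop that import. The two new `use` lines are also placed after `Versioned`, which breaks the alphabetical order the existing imports appear to follow.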
@@ -41,27 +43,40 @@ class SubmittedFileField extends SubmittedFormField
{
$name = $this->getFileName();
$link = $this->getLink(false);
- $title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
- $message = _t(__CLASS__ . '.INSUFFICIENTRIGHTS', 'You don\'t have the right permissions to download this file');
- $file = $this->getUploadedFileFromDraft();
-
if ($link) {
- if ($file->canView()) {
+ $title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
+ $file = $this->getUploadedFileFromDraft();
+ if (!$file->canView()) {
+ if (Security::getCurrentUser()) {
+ // Logged in CMS user without permissions to view file in the CMS
+ $default = 'You don\'t have the right permissions to download this file';
+ $message = _t(__CLASS__ . '..INSUFFICIENTRIGHTS', $default);
+ return DBField::create_field('HTMLText', sprintf(
+ ' %s - %s',
+ htmlspecialchars($name, ENT_QUOTES),
+ htmlspecialchars($message, ENT_QUOTES)
+ ));
+ } else {
+ // Userforms submission filled in by non-logged in user being emailed to recipient
+ $message = _t(__CLASS__ . '.YOUMUSTBELOGGEDIN', 'You must be logged in to view this file');
+ return DBField::create_field('HTMLText', sprintf(
+ '%s - %s - %s',
+ htmlspecialchars($name, ENT_QUOTES),
+ htmlspecialchars($link, ENT_QUOTES),
+ htmlspecialchars($title, ENT_QUOTES),
+ htmlspecialchars($message, ENT_QUOTES)
+ ));
+ }
+ } else {
+ // Logged in CMS user with permissions to view file in the CMS
return DBField::create_field('HTMLText', sprintf(
'%s - %s',
htmlspecialchars($name, ENT_QUOTES),
htmlspecialchars($link, ENT_QUOTES),
htmlspecialchars($title, ENT_QUOTES)
));
- } else {
- return DBField::create_field('HTMLText', sprintf(
- ' %s - %s',
- htmlspecialchars($name, ENT_QUOTES),
- htmlspecialchars($message, ENT_QUOTES)
- ));
}
}
-
return false;
}
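Review bot: The translation key on the logged-in, no-permission branch is built as `__CLASS__ . '..INSUFFICIENTRIGHTS'` with a doubled dot, so it no longer matches the `.INSUFFICIENTRIGHTS` key used by the removed line and the lookup will presumably always fall back to the English default; it should read `$message = _t(__CLASS__ . '.INSUFFICIENTRIGHTS', $default);`. Separately, the anonymous branch now prints the link of a file whose `canView()` has just failed, so the upload stays confidential only if the asset layer refuses the request at download time. A comment stating that `getLink(false)` is relied on not to grant access would help the next reader (confirm that this is what the `false` argument means). `$file->canView()` is also called without a null check on the result of `getUploadedFileFromDraft()`, which was already the case before this change. The method's signature is outside the hunk.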
diff --git a/lang/en.yml b/lang/en.yml
index eea791b..aa9f2dd 100644
--- a/lang/en.yml
+++ b/lang/en.yml
@@ -328,6 +328,7 @@ en:
one: 'A Submitted File Field'
other: '{count} Submitted File Fields'
SINGULARNAME: 'Submitted File Field'
+ YOUMUSTBELOGGEDIN: 'You must be logged in to view this file'
has_one_UploadedFile: 'Uploaded file'
SilverStripe\UserForms\Model\Submission\SubmittedForm:
PLURALNAME: 'Submitted Forms'
diff --git a/tests/php/Model/SubmittedFileFieldTest.php b/tests/php/Model/SubmittedFileFieldTest.php
index 8bb96fd..d88304b 100644
--- a/tests/php/Model/SubmittedFileFieldTest.php
+++ b/tests/php/Model/SubmittedFileFieldTest.php
@@ -74,35 +74,47 @@ class SubmittedFileFieldTest extends SapphireTest
// Set an explicit base URL so we get a reliable value for the test
Director::config()->set('alternate_base_url', 'http://mysite.com');
$fileName = $this->submittedFile->getFileName();
- $message = "You don't have the right permissions to download this file";
+ $link = 'http://mysite.com/assets/3c01bdbb26/test-SubmittedFileFieldTest.txt';
$this->file->CanViewType = 'OnlyTheseUsers';
$this->file->write();
- $this->loginWithPermission('ADMIN');
+ // Userforms submission filled in by non-logged in user being emailed to recipient
+ $this->logOut();
$this->assertEquals(
sprintf(
- '%s - Download File',
- $fileName
+ '%s - %s - %s',
+ $fileName,
+ $link,
+ 'Download File',
+ 'You must be logged in to view this file'
),
$this->submittedFile->getFormattedValue()->value
);
-
$this->logOut();
- $this->loginWithPermission('CMS_ACCESS_CMSMain');
+
+ // Logged in CMS user without permissions to view file in the CMS
+ $this->logInWithPermission('CMS_ACCESS_CMSMain');
$this->assertEquals(
sprintf(
' %s - %s',
$fileName,
- $message
+ 'You don't have the right permissions to download this file'
),
$this->submittedFile->getFormattedValue()->value
);
+ $this->logOut();
- $store = Injector::inst()->get(AssetStore::class);
- $this->assertFalse(
- $store->canView($fileName, $this->file->getHash()),
- 'Users without canView rights on the file should not have been session granted access to it'
+ // Logged in CMS user with permissions to view file in the CMS
+ $this->loginWithPermission('ADMIN');
+ $this->assertEquals(
+ sprintf(
+ '%s - %s',
+ $fileName,
+ $link,
+ 'Download File'
+ ),
+ $this->submittedFile->getFormattedValue()->value
);
}
}
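Review bot: The removed `assertFalse($store->canView(...))` was the only check that rendering the value for a user without view rights does not grant that session access to the file, and none of the new assertions replaces it. Since the anonymous branch now outputs the protected file's link, I would keep it after the no-permission case: `$store = Injector::inst()->get(AssetStore::class);` followed by `$this->assertFalse($store->canView($fileName, $this->file->getHash()));`. As shown, the expected string `'You don't have the right permissions to download this file'` contains an unescaped apostrophe inside a single-quoted literal, which would not parse; it needs `\'` or double quotes. The test method begins outside the hunk.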