From 83497b773e34b14b1e70f87660dc58def6a02b9f Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Thu, 28 May 2009 04:15:50 +0000
Subject: [PATCH] Fix Story permissions so that admin need not be turned on. canEdit is now determined by the Story and the parent StoryArchive. With tests, and template changes.
---
docs/changelog/7.x.x.txt | 1 +
.../root_import_storymanager.wgpkg | Bin 0 -> 4660 bytes
lib/WebGUI/Asset/Story.pm | 20 +++++
lib/WebGUI/Help/Asset_Story.pm | 1 +
lib/WebGUI/i18n/English/Asset_Story.pm | 5 ++
t/Asset/Story.t | 73 ++++++++++++++----
6 files changed, 83 insertions(+), 17 deletions(-)
create mode 100644 docs/upgrades/packages-7.7.8/root_import_storymanager.wgpkg
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index d4e2f67a0..fd59802da 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -8,6 +8,7 @@ - fixed a similar problem with metadata in the Shortcut Asset. - fixed #10396: Syndicated Content wobject not displaying edit controls - fixed #10386: Template override missing in nav shortcut + - fixed #10436: Story Manager - Story Edit/Delete links are Admin Only 7.7.7 - Added EMS Schedule table
diff --git a/docs/upgrades/packages-7.7.8/root_import_storymanager.wgpkg b/docs/upgrades/packages-7.7.8/root_import_storymanager.wgpkg new file mode 100644 index 0000000000000000000000000000000000000000..1908a50a8e0d77bdbc0af05a38d4e7659221de04 GIT binary patch literal 4660 zcmV-463gu$iwFP!00000|Lq-XbK5pDpZhB~p1EE!lUQ%ba$L{Ic2cM3Bu?$TdbxTi z5t0~FBtuemlurNqEf!C{WYMA&yOCxR$po-iEP#Cj+B=ziUnS zHsq)JpjN9_J5Bh%Q-5I8YSminfdNfc|Cxr7831Yn&#~Rh{QjmP3BvqhIym^?;P87+ z)w@)LSl875trq^SZ+{Lwwsnyde;YW}xZk9rwB{Ph!T z!mWr*e8-H)g&9TWU_2pi6mA*2#()3!7|X-R3(OJGANhgjlOVDQRzxrq(jXuJ$2yqN zx?7DcY)=auGmM^n^}PT}d)UUEI*u%cT^J$!Eq~f~>~Ksh)z&4~?`_xet`TTe6@)X_ z^Fuogj(m**^O%^{xj70?&A}yr1B7B-de<%q-omzifn_?fvF53UW*Cx)H=2DtYF(P0 z567f`dUEvSud;Y!xJn-Bo@SG5u!s7~d zXbss@OJ*&`%T4UJ-pfE7qQ!k9pfU2+>_hEeFfDB;_3JKG) zXz}cA;J^s?|9s&_Byi0LFgKltP->V4&dTE+o!bkn++&mS=qVlaUOzA@aTFx&LPF<{ zt~L^AsI$kj_4GeVQ0F5ki!lI^RR49m9GWQL@ zpdz|v6UNcrs~}E%7R5up9t__c*=$0#;U_utrf#%thcBm2Wczeg=xZub`NR&R?Wuq6 z)v7Q<@l{6KWh{sw471k)6g+-U`oF$?@ozTq#?O7=Q%`}U8DPxFn{YTi_=yWen>xC& zF3IfL3#>!On_By7OWN+31a<_Cp9kLL)C_>-CO13s#KW=ajxrgl?GnzDx0L*@qAV9u zT=h2q{u{o6eUF{65$^8dYTw;G=j>lqr`-CbXW2uWG0v@8y;<)z+KpyiRl-?Ec=~=( z<(wnEvk7C|9aUt9luwy`hv8FGCE=y*zw#pJd4T&fNfeMx({suc=5$O6H$|baW%?kf zu5@97obJs2#(VDSBl67v@?cljs^&%0*E-d7&Kyzz3Ue)WkHM@S{u-3 znOqc75}|87Qy~%h=3pM7g$AXaQT5JZxVpgS9H!Cj)^=JQO?wB% z2m*?uH}tNLhoje*zeT;TRv2}H>FC@WDXt?~3&)R|5P$#lcNyl&21dyg$k7}c>$CrB z&331jwEr8m&I6-b@>ny$ZS4Pz{lA3$|Ev*x`{VPs@#LfT%IVEc>+jw-8gDdSc$584 zKo3U4Oto31@ec~UV}Xflpg{meGVLGLcQEL{$Z^PsxRz$x4MBNCeH%#3f49qxJZj^y8fmm6YGp9tY|;4A=tGtvDG^KcRM zSAIe#WkmfIp~JPxkfAeg#fX|KLS$@@#t!_8 zI4aC#HV+}yVnrw+7hQCou<{a!C{xNGgG2UW2z*eu)&v{OWIb4Y0q$c@MsIz`Gp!|% zoW}wY4`9MRb%HKRH9+c+wOA=u#r8iSb$|?Gr8t>RRDeo7Ct4{sg}5~k2qpMRF#?}( z0s2tCC+rxI+P4wy!f6ZxJ0cE=n3PufNB+h$EUaGuQ>}yBA*)9%#>}}dnFm#t?vl=g zhzYe$i$(~o5%AU2)OEP9H6O%kUD(tgZJ;8oMz{tCc2>6q+}Evoy`}KI7w+pux87*i zyILG!UGD1&CAOkgmh)OH^i1<;A>&AS0Efyn!cD#+vxvf;Zxk`p2yrm>GI?W$J!B-& zMUkU3?J_zRc1<=zPT?S`myL$7XBI?5R4*Hid3sNZ7HPAmj0q9;%Yu{;)yt-YuwED% 
z%B)CHK~yXo0cEW$ND0-TY*gmhH7RnW%$kMQgw#olq(L)}ab#OFDYQUQOB*u_qeeBP z9LBYP6_bTbh7nU9HidR^rtwl9F1c1q7F7~POL;2Y! z_OahJ{rZRNVKDeGv`&h||F{ARDbJc|y2=RP)RD$5?;EoKX%Zz10V+)pQ{|*r+p#lK zDM6&>C4+)@E1d$W4Dhw&K(>IXL*|DZ$mBLPTPcg#kZiL??6naQ|s|wXiw=Wy+hhl zsiOG10L#(;T5Ht*T9DD4)c@+8#zy~J$AZ}Cf6M8Ay;}R~$;Z#{duQVh@2}2!hhbn6 zJs0+-{4ey_MV@aD6k}ec`nPO)KInA9zj6DsUlK&o41K-#$b>90$8!mfqDr+EsEK+I zQ)kDGOtn>10w+&GedVps`N=al`&9uL(6gR2^5X zO4nvbqLjvs#Y<@1kj-XORMToVeMo&fY#bS9nO1uwN?Y9P2pelb(KTrO=ke{kEr(9#WX@9Nmu0Ho^URav=8B)jIF{gaG{?3iUV1Yp z(Jqs=_AMftF6!e zt99!2^!cCa=KRkx)4FimAItvR0-@ku8Ubfr~~6_`MB!qXs;S;O39YAPnIN zzeM8CXY?wO@ZoG~SNc=iu_^--ZrTWmQ$f#MSb-DkF8ps!WXU!_c!Y;i!a-pBQ4IQL z^U7q8p_4EeK(FaOX6D%Qo><=G3AuuUmzBidusa$23WEd@+go-7>9F*+mkR%W(kGGm z1g`NYuLnsk@dNuv!B?`b$h|D7<_w11LCGl>T!qpHu&H>e&2vEhaZl`*&n}`!nA9&~qS<8SW&bhnF5b)p}>i zcQEQKxN?qw`XX~RYf4Y}p+8xl&Z%r*{5-MDa16c9n_M$Ir3b@8SlINMrT8{Q0%JMo z0C?XPCNdtvU0Eia3JsuR{q`n6H?-Z6L$C=iLZ~?Fc%ugb5SyHqiI3bJkXgs`9us3` zeY102u_5a%(qk1J&~L31xY^&+y_n;%L3aPz`b(wcI0Uq)c_aU(n z6sJUOS^y6v+(bL((M1-QZp#W|t>L~e!2lHE?2ae?T$_pn75I^~EK29C?lW&13=$`T zceSMrL}E>Wa-27&(a^WMzJxd{7jw4fIr_Te8m(M*YA`pfE%Y`EpsE!tSbgopMAT-r z!5;XBtTvo+7IF}aAiV%tB~M&PhktUjg{@HfsKvAGxs)5iuixRQ z{OsYUEw*kHhkR@dr|y6X0OKLKdSv{ifKh;yWeXkE_{D%LBzYg#wlyNr_90*MnUMd2 zn<6Lg;NmT~plsKu8GnPdg>0NcrXK-$8?MEHTmK&BmWOZySFAJ!3N|v@ZGziN&c(Mb z+vik5tDUZR9!ilMQOEO8z>rOfZ=UoekC1Z?gBzWfakXL*wU4&|Ea=^T3{473poK9f zO+jBr@TaEwDl^Z73NR-(_@NAPCfM*6v+? 
zS86iW6$DaCN?4tD?9Mwq$gCTQG}aQ6zrsXhd<3_>W*|z9N1AGi-{8XMIuYsVD~Vw6Q3ikX8Fq_o=L z0$Y755$5`gLA)j~VU4ZL5Zp_2oTn%kGXs-Q_4Ofby7(4BqTkjCR8uNVzzpc8)HuvF z{v-_D>|+m;3c0LWuEMQ>6((EO1-QyCqGXj?%KbIyv~f#oE4Il|4b5AbOPFvmMu*Ii z`Ks~^wVc&JJw9AlEZGFpz;0HA?sHw;ib%Qdz=-1U2hH>FgPTqo*GalX*pfwuEY;M} zCP|8eJ7FlXbQh&#E|l(3C(hefeLXge93vgi=MEJJ`jz6{Allfx$z$C8=}~X--qy8nAZU~5|O06vqM!B3u$Y_2FFL< zn_%c017JcA;Y~i^Xr2&n%3eLtXje5i7I#wNok;XuJvHq{CQOYHek~reKRuv&CGrdT zUt5E>$Z1ZCFn=dFZRtp3uSuYuEAcjjjMoRvecOd1*Ib9+d$0eQ45HoL=bl4}E#E$L zo7Y_!FWDP>6qGq`zlqnk9dbsmt}RH`Tf7e=jadP&V56Z4^f_;}(5DMm?P4#lXtZlP z&2BBekh5Q2A+M1?1}_eMj}vyItvKO{o3lXmH1~y+s@q<@Pj_(7@yBr6a0G8IaUAvn zEDhVzF6U2CFs62$9$=!4+@knH+uD9$Ly#Hb8VfGQ8qC$^0{?YrBHyJCTpsE7|250h z0-=w2`d_EnY$x=;W@B^z$9k5-kCp!$Q#gv`nZ_FGnT+TCqrtnAe*c?$YFA%WgRgIf z^}{zxCn%Q52xo2X%{kCOOJysR&`2BVAr3uS^@$cHV>=>Zg@x$cOh&C#2?Tv)==rO$F$m@w(#a*RYc-#qh zDI)egGE1~~s?Ieug^j1=K$e9`lNmtyQI(L%pp|nL%PcVxM^NV&nx(#2QRbH<5h!3! z)>}L4%`(wUu3Oru&D6yF)3Qv8$m?8LohzrA6iUiyDVwBxR^b^gT~T`7gUpf~2`oog zp7fOsession->user->userId; + if ($userId eq $self->get("ownerUserId")) { + return 1; + } + my $user = WebGUI::User->new($self->session, $userId); + return $self->SUPER::canEdit($userId) + || $self->getArchive->canPostStories($userId); +} + +#------------------------------------------------------------------- + =head2 definition ( session, definition ) defines asset properties for New Asset instances. You absolutely need @@ -839,6 +858,7 @@ sub viewTemplateVariables { } $var->{hasPhotos} = $photoCounter; $var->{singlePhoto} = $photoCounter == 1; + $var->{canEdit} = $self->canEdit; return $var; } diff --git a/lib/WebGUI/Help/Asset_Story.pm b/lib/WebGUI/Help/Asset_Story.pm index 1597b6b4d..902a74b27 100644 --- a/lib/WebGUI/Help/Asset_Story.pm +++ b/lib/WebGUI/Help/Asset_Story.pm @@ -55,6 +55,7 @@ our $HELP = { ], fields => [], variables => [ + { name => 'canEdit', }, { name => 'highlights_loop', 'variables' => [ { name => 'highlight', }, 
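Review bot: `$var->{canEdit} = $self->canEdit;` in viewTemplateVariables only tells the template whether to draw the edit and delete links, and nothing in this hunk shows the edit and delete handlers calling canEdit themselves; hiding a link does not refuse the request, so that should be confirmed before relying on the new rule. A comment on the added line would record it: `# display hint only; the edit/delete handlers must enforce canEdit themselves`. The canEdit sub added earlier in this file (its opening lines are missing from the page) builds `my $user = WebGUI::User->new($self->session, $userId);` and never uses it, so every story view now pays for that lookup and the line can be dropped. That sub also lets anyone who passes the archive's canPostStories edit every story in the archive, not only their own, which is worth stating in its POD if it is intended. viewTemplateVariables itself starts outside the hunk.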
diff --git a/lib/WebGUI/i18n/English/Asset_Story.pm b/lib/WebGUI/i18n/English/Asset_Story.pm
index e8c9b2da2..c0441f8b2 100644
--- a/lib/WebGUI/i18n/English/Asset_Story.pm
+++ b/lib/WebGUI/i18n/English/Asset_Story.pm
@@ -446,6 +446,11 @@ our $I18N = { lastUpdated => 0, }, + 'canEdit' => { + message => q|A boolean which will be true if the current user can edit this story.|, + lastUpdated => 0, + }, + }; 1;
diff --git a/t/Asset/Story.t b/t/Asset/Story.t
index e72240bfb..b2e350cd7 100644
--- a/t/Asset/Story.t
+++ b/t/Asset/Story.t
@@ -13,33 +13,52 @@ use strict; use lib "$FindBin::Bin/../lib"; use WebGUI::Test; +use WebGUI::Test::Maker::Permission; use WebGUI::Session; use WebGUI::Storage; +use WebGUI::User; +use WebGUI::Group; use Test::More; # increment this value for each test you create use Test::Deep; use Data::Dumper; -my $tests = 42; -plan tests => 1 - + $tests - ; - #TODO: This script tests certain aspects of WebGUI::Storage and it should not my $session = WebGUI::Test->session; -my $class = 'WebGUI::Asset::Story'; -my $loaded = use_ok($class); -my $story; +my $story = 'placeholder for Test::Maker::Permission'; my $wgBday = WebGUI::Test->webguiBirthday; +my $canPostGroup = WebGUI::Group->new($session, 'new'); +my $postUser = WebGUI::User->create($session); +$canPostGroup->addUsers([$postUser->userId]); +my $archiveOwner = WebGUI::User->create($session); +my $reader = WebGUI::User->create($session); +$postUser->username('Can Post User'); +$reader->username('Average Reader'); +$archiveOwner->username('Archive Owner'); +WebGUI::Test->groupsToDelete($canPostGroup); +WebGUI::Test->usersToDelete($postUser, $archiveOwner, $reader); + +my $canEditMaker = WebGUI::Test::Maker::Permission->new(); +$canEditMaker->prepare({ + object => $story, + session => $session, + method => 'canEdit', + pass => [3, $postUser, $archiveOwner ], + fail => [1, $reader ], +}); + + my $defaultNode = WebGUI::Asset->getDefault($session); my $archive = $defaultNode->addChild({ - className => 'WebGUI::Asset::Wobject::StoryArchive', - title => 'Test Archive', - #1234567890123456789012 - assetId => 'TestStoryArchiveAsset1', + className => 'WebGUI::Asset::Wobject::StoryArchive', + title => 'Test Archive', + #1234567890123456789012 + assetId => 'TestStoryArchiveAsset1', + groupToPost => $canPostGroup->getId, + ownerUserId => $archiveOwner->userId, }); my $topic = $defaultNode->addChild({ className => 'WebGUI::Asset::Wobject::StoryTopic', 
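Review bot: The permission table passed to `prepare` does not, as far as the visible lines show, exercise the owner branch of canEdit: `pass` lists user id 3, `$postUser` and `$archiveOwner`, `fail` lists user id 1 and `$reader`, and none of them is set up as a story owner who has no other route to edit rights. Adding a user who owns the story but is outside `$canPostGroup` would pin the `ownerUserId` check, and a user who may post only to a different archive would pin the negative case for canPostStories. The string assigned to `$story` also deserves a comment, for example `# placeholder: plan() needs the maker prepared now, the real Story is swapped in before run()`.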
@@ -50,11 +69,26 @@ my $topic = $defaultNode->addChild({ }); my $archiveTag = WebGUI::VersionTag->getWorking($session); $archiveTag->commit; +WebGUI::Test->tagsToRollback($archiveTag); my $storage1 = WebGUI::Storage->create($session); my $storage2 = WebGUI::Storage->create($session); WebGUI::Test->storagesToDelete($storage1, $storage2); +############################################################ +# +# PLAN +# +############################################################ + +my $tests = 42; +plan tests => 1 + + $tests + + $canEditMaker->plan + ; + +my $class = 'WebGUI::Asset::Story'; +my $loaded = use_ok($class); SKIP: {
@@ -108,6 +142,16 @@ is($story->get('state'), 'published', 'Story is published'); is($story->getArchive->getId, $archive->getId, 'getArchive gets the parent archive for the Story'); +############################################################ +# +# canEdit +# +############################################################ + +$canEditMaker->{_tests}->[0]->{object} = $story; + +$canEditMaker->run(); + ############################################################ # # Photo JSON
@@ -383,9 +427,4 @@ cmp_bag( } END { - $story->purge if $story; - $archive->purge if $archive; - $topic->purge if $topic; - $archiveTag->rollback; - WebGUI::VersionTag->getWorking($session)->rollback; }
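Review bot: Only `$archiveTag` is handed to `WebGUI::Test->tagsToRollback` in the `-50,11` hunk, while the last hunk of this file empties the END block, including `WebGUI::VersionTag->getWorking($session)->rollback;`. If the story created inside the SKIP block lands in a later working tag (that code is outside the hunks), nothing visible cleans it up any more and it can leak into later tests; registering that tag with `tagsToRollback` where it is created would cover it. The users and the group are registered for deletion in the first hunk, so only the assets are in question.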
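Review bot: `$canEditMaker->{_tests}->[0]->{object} = $story;` in the `-108,6` hunk reaches into the maker's private `_tests` array and depends on canEdit being its first prepared entry, so a second `prepare` call or a change inside the maker would silently test the placeholder string instead. A comment saying why would help the next reader, e.g. `# prepare() ran before the Story existed (the plan needs its count), so swap the placeholder for the real object`. If WebGUI::Test::Maker::Permission offers a public way to set the object, that would be preferable.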