fix: Events can no longer be edited by anyone who can add events
parent
6b017ad991
commit
8ec2c763b4
8 changed files with 512 additions and 17 deletions
|
|
@ -180,16 +180,26 @@ sub canAdd {
|
|||
|
||||
####################################################################
|
||||
|
||||
=head2 canEdit
|
||||
=head2 canEdit ( [userId] )
|
||||
|
||||
Returns true if a user can edit this asset. This uses the canEditEvent
|
||||
from the parent Calendar.
|
||||
Returns true if the given userId can edit this asset. If userId is not given,
|
||||
the userId of the current session is used.
|
||||
|
||||
Users can edit this event if they are the owner of the event, or if they are
|
||||
allowed to edit the parent Calendar.
|
||||
|
||||
=cut
|
||||
|
||||
sub canEdit {
|
||||
my $self = shift;
|
||||
return $self->getParent->canAddEvent;
|
||||
my $userId = shift;
|
||||
|
||||
if ( !$userId ) {
|
||||
$userId = $self->session->user->userId;
|
||||
}
|
||||
|
||||
return 1 if ( $userId eq $self->get('ownerUserId') );
|
||||
return $self->getParent->canEdit( $userId );
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
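Review bot: The fallback `return $self->getParent->canEdit( $userId );` at the end of the event's `canEdit` hands the decision to the Calendar's `canEdit`, which in this same commit still returns 1 for any user who passes `canAddEvent` when the request's `func`, `assetId` and `class` form fields hold the add-event values. An event's edit permission can therefore still depend on request parameters rather than only on ownership or Calendar edit rights. Whether that matters depends on callers not shown here, but it would be safer for the event to use a check on the parent that does not read the form. Separately, `$userId eq $self->get('ownerUserId')` matches every session that shares the owner's id, so if unauthenticated visitors are allowed to add events (not visible in this hunk) the owner test should exclude that shared account. A comment such as `# Owner may always edit; everyone else needs edit rights on the Calendar` above the two returns would record the intent.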
|
|
@ -370,7 +370,7 @@ sub appendTemplateVarsDateTime {
|
|||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
=head2 canEdit
|
||||
=head2 canEdit ( [userId] )
|
||||
|
||||
Returns true if the user can edit this asset.
|
||||
|
||||
|
|
@ -381,24 +381,33 @@ around the canEdit check when www_editSave is being used to add an asset).
|
|||
|
||||
sub canEdit {
|
||||
my $self = shift;
|
||||
my $userId = shift || $self->session->user->userId;
|
||||
my $form = $self->session->form;
|
||||
my $user = $self->session->user;
|
||||
|
||||
# Account for new events
|
||||
return 1 if ($self->canAddEvent && $form->process("func") eq "add");
|
||||
return 1 if (
|
||||
$self->canAddEvent
|
||||
$self->canAddEvent( $userId )
|
||||
&& $form->process("func") eq "add"
|
||||
);
|
||||
return 1 if (
|
||||
$self->canAddEvent( $userId )
|
||||
&& $form->process("assetId") eq "new"
|
||||
&& $form->process("func") eq "editSave"
|
||||
&& $form->process("class") eq "WebGUI::Asset::Event"
|
||||
);
|
||||
|
||||
return $self->SUPER::canEdit()
|
||||
# Who can edit the Calendar can do everything
|
||||
if ( $self->SUPER::canEdit( $userId ) ) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
# Fails all checks
|
||||
return 0;
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
=head2 canAddEvent
|
||||
=head2 canAddEvent ( [userId] )
|
||||
|
||||
Returns true if able to add events. Checks to make sure that the
|
||||
Calendar has been committed at least once. Checks to make sure that
|
||||
|
|
@ -409,7 +418,13 @@ the calendar, or the group that can edit events in the calendar).
|
|||
|
||||
sub canAddEvent {
|
||||
my $self = shift;
|
||||
|
||||
my $userId = shift;
|
||||
|
||||
my $user = $userId
|
||||
? WebGUI::User->new( $self->session, $userId )
|
||||
: $self->session->user
|
||||
;
|
||||
|
||||
# Events can only be added after the Calendar has been committed once
|
||||
return 0 if (
|
||||
$self->get("status") ne "approved"
|
||||
|
|
@ -417,8 +432,7 @@ sub canAddEvent {
|
|||
);
|
||||
|
||||
return 1 if (
|
||||
$self->session->user->isInGroup($self->get("groupIdEventEdit"))
|
||||
|| $self->SUPER::canEdit
|
||||
$user->isInGroup($self->get("groupIdEventEdit"))
|
||||
);
|
||||
}
|
||||
|
||||
|
|
|
|||
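Review bot: In the Calendar's `canEdit`, the two add-event shortcuts pair `$self->canAddEvent( $userId )` with `$form->process(...)`, but the form belongs to the current session's request while `$userId` may now name a different user. A caller asking whether another user can edit would get an answer shaped by the current request, so the shortcuts should apply only when `$userId eq $self->session->user->userId`. In `canAddEvent`, dropping `|| $self->SUPER::canEdit` leaves the sub out of step with the POD fragment in the hunk header ("the calendar, or the group that can edit events in the calendar"), so the POD should be updated or the Calendar-editor case restored using `$userId`. That sub also ends on `return 1 if ( ... );` with no fallthrough, so a closing `return 0;` would make the deny path explicit.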