Only users who canAdminister the parent wiki are allowed to purge revisions of a wiki page. Fixes bug #11377
This commit is contained in:
parent
4b4038d7d0
commit
acc6447841
6 changed files with 179 additions and 21 deletions
|
|
@ -8,9 +8,9 @@
|
|||
- fixed #11044: Optionally include hidden pages in sitemap.xml
|
||||
- fixed #11379: Certain fields in some Assets cannot be overridden in the config file
|
||||
- fixed #11380: "Use this Address" button in Shop needs to be green!
|
||||
- fixed: Due to a typo France was not considered part of the EU by the EU
|
||||
TaxDriver. ( Martin Kamerbeek / Oqapi )
|
||||
- fixed: Due to a typo France was not considered part of the EU by the EU TaxDriver. ( Martin Kamerbeek / Oqapi )
|
||||
- fixed #11292: Made search less sticky
|
||||
- fixed #11377: Normal users can delete revisions in wiki
|
||||
|
||||
7.8.10
|
||||
- fixed #11332: Pagination in webgui.org forum urls
|
||||
|
|
|
|||
BIN
docs/upgrades/packages-7.7.11
Normal file
BIN
docs/upgrades/packages-7.7.11
Normal file
Binary file not shown.
|
|
@ -297,8 +297,9 @@ sub getTemplateVars {
|
|||
historyUrl => $self->getUrl("func=getHistory"),
|
||||
editContent => $self->getEditForm,
|
||||
allowsAttachments => $wiki->get("allowAttachments"),
|
||||
comments => $self->getFormattedComments(),
|
||||
comments => $self->getFormattedComments(),
|
||||
canEdit => $self->canEdit,
|
||||
canAdminister => $wiki->canAdminister,
|
||||
isProtected => $self->isProtected,
|
||||
content => $wiki->autolinkHtml(
|
||||
$self->scrubContent,
|
||||
|
|
@ -584,6 +585,36 @@ sub www_getHistory {
|
|||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 www_purgeRevision
|
||||
|
||||
Override the main method to change which group is allowed to purge revisions for WikiPages. Only
|
||||
members who can administer the parent wiki (canAdminister) can purge revisions.
|
||||
|
||||
=cut
|
||||
|
||||
sub www_purgeRevision {
|
||||
my $self = shift;
|
||||
my $session = $self->session;
|
||||
return $session->privilege->insufficient() unless $self->getWiki->canAdminister;
|
||||
my $revisionDate = $session->form->process("revisionDate");
|
||||
return undef unless $revisionDate;
|
||||
my $asset = WebGUI::Asset->new($session, $self->getId, $self->get("className"), $revisionDate);
|
||||
return undef if ($asset->get('revisionDate') != $revisionDate);
|
||||
my $parent = $asset->getParent;
|
||||
$asset->purgeRevision;
|
||||
if ($session->form->process("proceed") eq "manageRevisionsInTag") {
|
||||
my $working = (defined $self) ? $self : $parent;
|
||||
$session->http->setRedirect($working->getUrl("op=manageRevisionsInTag"));
|
||||
return undef;
|
||||
}
|
||||
unless (defined $self) {
|
||||
return $parent->www_view;
|
||||
}
|
||||
return $self->www_manageRevisions;
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 www_restoreWikiPage
|
||||
|
||||
Publishes a wiki page that has been put into the trash or the clipboard.
|
||||
|
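Review bot: The two `defined $self` checks in www_purgeRevision (the `$working` ternary and the `unless (defined $self)` block) can never take their fallback branch, because `$self` is the invocant shifted on the method's first line; they read as carried over from the base-class implementation, and the override copies the whole purge sequence only to swap the authorization test on its third line. If the base method is otherwise identical (inferred, its body is outside this commit), factoring the permission predicate out so the purge logic lives in one place would keep the two from drifting; at minimum the dead branches should go, and `return undef` should become `return;` so list-context callers get an empty list rather than a one-element list. It is also not visible whether `WebGUI::Asset->new` returns undef for a revisionDate that matches no stored revision; if it can, `$asset->get('revisionDate')` dies on undef, and a `return unless $asset;` guard before that line would turn a server error into a no-op.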
|
|
|||
|
|
@ -231,7 +231,7 @@ sub autolinkHtml {
|
|||
=head2 canAdminister
|
||||
|
||||
Returns true if the current user is in the groupToAdminister group, or the user can edit
|
||||
this WikiMaster.
|
||||
this WikiMaster due to groupIdEdit or ownerUserId.
|
||||
|
||||
=cut
|
||||
|
||||
|
|
@ -244,33 +244,27 @@ sub canAdminister {
|
|||
|
||||
=head2 canEdit ( )
|
||||
|
||||
Overriding canEdit method to check permissions correctly when someone is adding a wikipage
|
||||
Overriding canEdit method to check permissions correctly when someone is adding a wikipage.
|
||||
|
||||
=cut
|
||||
|
||||
sub canEdit {
|
||||
my $self = shift;
|
||||
return (
|
||||
(
|
||||
(
|
||||
$self->session->form->process("func") eq "add" ||
|
||||
(
|
||||
$self->session->form->process("assetId") eq "new" &&
|
||||
$self->session->form->process("func") eq "editSave" &&
|
||||
$self->session->form->process("class") eq "WebGUI::Asset::WikiPage"
|
||||
)
|
||||
) &&
|
||||
$self->canEditPages
|
||||
) || # account for new posts
|
||||
$self->next::method()
|
||||
);
|
||||
my $self = shift;
|
||||
my $form = $self->session->form;
|
||||
my $addNew = $form->process("func" ) eq "add";
|
||||
my $editSave = $form->process("assetId" ) eq "new"
|
||||
&& $form->process("func" ) eq "editSave"
|
||||
&& $form->process("class","className" ) eq "WebGUI::Asset::WikiPage";
|
||||
my $canEdit = ( ($addNew || $editSave) && $self->canEditPages )
|
||||
|| $self->next::method();
|
||||
return $canEdit;
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 canEditPages
|
||||
|
||||
Returns true is the current user is in the group that can edit page, or if
|
||||
Returns true is the current user is in the group that can edit pages, or if
|
||||
they can administer the wiki (canAdminister).
|
||||
|
||||
=cut
|
||||
|
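Review bot: `$form->process("class","className")` on the last line of the `$editSave` condition reads the class field differently from the old `process("class")`; if the second argument selects the form-control type (it looks like one, but `process` is outside the hunk), that is a validation change the commit message does not mention and deserves a comment such as `# read the class through the className control so only a well-formed class name can satisfy this check`. The rewrite also drops the old `# account for new posts` comment; a one-line why-comment on the `$addNew || $editSave` expression would preserve the intent that a page being created has no asset of its own yet, so the decision falls back to the wiki's canEditPages.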
|
|
|||
|
|
@ -59,6 +59,7 @@ our $HELP = {
|
|||
{ name => 'canEdit',
|
||||
description => 'canEdit variable',
|
||||
},
|
||||
{ name => 'canAdminister', },
|
||||
{ name => 'isProtected', },
|
||||
{ name => 'historyLabel',
|
||||
description => 'historyLabel variable',
|
||||
|
|
|
|||
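--- /dev/null
+++ b/t/Asset/WikiPage/permissions.t
@@ -0,0 +1,132 @@
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2009 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com info@plainblack.com
+#-------------------------------------------------------------------
+
+use FindBin;
+use strict;
+use lib "$FindBin::Bin/../../lib";
+
+##The goal of this test is to test permissions handling for the WikiMaster and WikiPage.
+
+use WebGUI::Test;
+use WebGUI::Test::Maker::Permission;
+use WebGUI::Session;
+use Test::More tests => 31; # increment this value for each test you create
+use WebGUI::Asset::Wobject::WikiMaster;
+use WebGUI::Asset::WikiPage;
+
+
+my $session = WebGUI::Test->session;
+my $node = WebGUI::Asset->getImportNode($session);
+my $versionTag = WebGUI::VersionTag->getWorking($session);
+$versionTag->set({name=>"Wiki Test"});
+addToCleanup($versionTag);
+
+my $assetEdit = WebGUI::Group->new($session, "new");
+my $wikiAdmin = WebGUI::Group->new($session, "new");
+my $wikiEditPage = WebGUI::Group->new($session, "new");
+addToCleanup($assetEdit, $wikiAdmin, $wikiEditPage);
+
+my $assetEditor = WebGUI::User->create($session);
+$assetEdit->addUsers([$assetEditor->userId]);
+my $wikiAdministrator = WebGUI::User->create($session);
+$wikiAdmin->addUsers([$wikiAdministrator->userId]);
+my $wikiPageEditor = WebGUI::User->create($session);
+$wikiEditPage->addUsers([$wikiPageEditor->userId]);
+my $wikiOwner = WebGUI::User->create($session);
+my $wikiPageOwner = WebGUI::User->create($session);
+addToCleanup($assetEditor, $wikiAdministrator, $wikiPageEditor, $wikiOwner, $wikiPageOwner);
+
+$session->user({user => $wikiOwner});
+my $wiki = $node->addChild({
+className => 'WebGUI::Asset::Wobject::WikiMaster',
+groupIdEdit => $assetEdit->getId,
+groupToAdminister => $wikiAdmin->getId,
+groupToEditPages => $wikiEditPage->getId,
+ownerUserId => $wikiOwner,
+});
+$versionTag->commit;
+my $wikipage = $wiki->addChild({
+className => 'WebGUI::Asset::WikiPage',
+ownerUserId => $wikiPageOwner->userId,
+}, undef, undef, {skipAutoCommitWorkflows => 1});
+is $wikipage->get('ownerUserId'), $wikiPageOwner->userId, 'wiki page owned by correct user';
+
+# Wikis create and autocommit a version tag when a child is added. Lets get the name so we can roll it back.
+my $secondVersionTag = WebGUI::VersionTag->new($session,$wikipage->get("tagId"));
+$secondVersionTag->commit;
+addToCleanup($secondVersionTag );
+
+# Test for sane object types
+isa_ok($wiki, 'WebGUI::Asset::Wobject::WikiMaster');
+isa_ok($wikipage, 'WebGUI::Asset::WikiPage');
+
+note "wiki canAdminister";
+$session->user({userId => 3});
+ok ( $wiki->canAdminister, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canAdminister, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wiki->canAdminister, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok (! $wiki->canAdminister, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canAdminister, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canAdminister, 'wiki page owner');
+$session->user({userId => 1});
+ok (! $wiki->canAdminister, 'visitor');
+
+note "wiki canEditPages";
+$session->user({userId => 3});
+ok ( $wiki->canEditPages, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canEditPages, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wiki->canEditPages, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok ( $wiki->canEditPages, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canEditPages, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canEditPages, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own
+$session->user({userId => 1});
+ok (! $wiki->canEditPages, 'visitor');
+
+note "wiki canEdit";
+$session->user({userId => 3});
+ok ( $wiki->canEdit, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canEdit, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok (! $wiki->canEdit, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok (! $wiki->canEdit, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canEdit, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canEdit, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own
+$session->user({userId => 1});
+ok (! $wiki->canEdit, 'visitor');
+
+note "wikipage canEdit";
+$session->user({userId => 3});
+ok ( $wikipage->canEdit, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wikipage->canEdit, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wikipage->canEdit, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok ( $wikipage->canEdit, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wikipage->canEdit, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wikipage->canEdit, 'wiki page owner');
+$session->user({userId => 1});
+ok (! $wikipage->canEdit, 'visitor');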
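Review bot: The wiki is created with `ownerUserId => $wikiOwner,` (the user object) where the page below correctly passes `ownerUserId => $wikiPageOwner->userId,`, so the WikiMaster's owner field holds a stringified object rather than a user id and the three 'wiki owner' assertions on canAdminister, canEditPages and canEdit never exercise the ownership path. The canAdminister POD in this same commit says ownership via ownerUserId grants administration, so once the fixture is corrected to `ownerUserId => $wikiOwner->userId,` the `ok (! $wiki->canAdminister, 'wiki owner')` expectation will presumably flip and should be revisited together with the other two. The file also enables `use strict;` without `use warnings;`, and `WebGUI::Test::Maker::Permission` is loaded but never used in the 132 lines, so either the permission maker should drive these checks or the import should go.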