diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt index 4ed689bfa..7ceb28152 100644 --- a/docs/changelog/7.x.x.txt +++ b/docs/changelog/7.x.x.txt @@ -8,9 +8,9 @@ - fixed #11044: Optionally include hidden pages in sitemap.xml - fixed #11379: Certain fields in some Assets cannot be overridden in the config file - fixed #11380: "Use this Address" button in Shop needs to be green! - - fixed: Due to a typo France was not considered part of the EU by the EU - TaxDriver. ( Martin Kamerbeek / Oqapi ) + - fixed: Due to a typo France was not considered part of the EU by the EU TaxDriver. ( Martin Kamerbeek / Oqapi ) - fixed #11292: Made search less sticky + - fixed #11377: Normal users can delete revisions in wiki 7.8.10 - fixed #11332: Pagination in webgui.org forum urls diff --git a/docs/upgrades/packages-7.7.11 b/docs/upgrades/packages-7.7.11 new file mode 100644 index 000000000..cb8732b30 Binary files /dev/null and b/docs/upgrades/packages-7.7.11 differ diff --git a/lib/WebGUI/Asset/WikiPage.pm b/lib/WebGUI/Asset/WikiPage.pm index 3a674df04..eb99c9de5 100644 --- a/lib/WebGUI/Asset/WikiPage.pm +++ b/lib/WebGUI/Asset/WikiPage.pm @@ -297,8 +297,9 @@ sub getTemplateVars { historyUrl => $self->getUrl("func=getHistory"), editContent => $self->getEditForm, allowsAttachments => $wiki->get("allowAttachments"), - comments => $self->getFormattedComments(), + comments => $self->getFormattedComments(), canEdit => $self->canEdit, + canAdminister => $wiki->canAdminister, isProtected => $self->isProtected, content => $wiki->autolinkHtml( $self->scrubContent, 
@@ -584,6 +585,36 @@ sub www_getHistory { #------------------------------------------------------------------- +=head2 www_purgeRevision + +Override the main method to change which group is allowed to purge revisions for WikiPages. Only +members who can administer the parent wiki (canAdminister) can purge revisions. + +=cut + +sub www_purgeRevision { + my $self = shift; + my $session = $self->session; + return $session->privilege->insufficient() unless $self->getWiki->canAdminister; + my $revisionDate = $session->form->process("revisionDate"); + return undef unless $revisionDate; + my $asset = WebGUI::Asset->new($session, $self->getId, $self->get("className"), $revisionDate); + return undef if ($asset->get('revisionDate') != $revisionDate); + my $parent = $asset->getParent; + $asset->purgeRevision; + if ($session->form->process("proceed") eq "manageRevisionsInTag") { + my $working = (defined $self) ? $self : $parent; + $session->http->setRedirect($working->getUrl("op=manageRevisionsInTag")); + return undef; + } + unless (defined $self) { + return $parent->www_view; + } + return $self->www_manageRevisions; +} + +#------------------------------------------------------------------- + =head2 www_restoreWikiPage Publishes a wiki page that has been put into the trash or the clipboard. diff --git a/lib/WebGUI/Asset/Wobject/WikiMaster.pm b/lib/WebGUI/Asset/Wobject/WikiMaster.pm index 01e0c473e..093033c5f 100644 --- a/lib/WebGUI/Asset/Wobject/WikiMaster.pm +++ b/lib/WebGUI/Asset/Wobject/WikiMaster.pm @@ -231,7 +231,7 @@ sub autolinkHtml { =head2 canAdminister Returns true if the current user is in the groupToAdminister group, or the user can edit -this WikiMaster. +this WikiMaster due to groupIdEdit or ownerUserId. =cut 
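Review bot: In `www_purgeRevision` the result of `WebGUI::Asset->new(...)` is dereferenced on the very next line without a defined check, so a `revisionDate` that matches no stored revision would presumably die at `$asset->get('revisionDate')` instead of returning quietly; guard it with `return undef unless defined $asset && $asset->get('revisionDate') == $revisionDate;`. The two `defined $self` tests further down can never be false, because `$self->session` has already been called, so the `$parent` fallbacks are dead code and the case where the last revision has just been purged is not really handled. The `canAdminister` gate is the right authorization check, but the purge is still driven purely by the `revisionDate` form value: nothing in the hunk verifies a request token or the HTTP method before the destructive call, and whether the framework enforces that elsewhere is not visible here.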
@@ -244,33 +244,27 @@ sub canAdminister { =head2 canEdit ( ) -Overriding canEdit method to check permissions correctly when someone is adding a wikipage +Overriding canEdit method to check permissions correctly when someone is adding a wikipage. =cut sub canEdit { - my $self = shift; - return ( - ( - ( - $self->session->form->process("func") eq "add" || - ( - $self->session->form->process("assetId") eq "new" && - $self->session->form->process("func") eq "editSave" && - $self->session->form->process("class") eq "WebGUI::Asset::WikiPage" - ) - ) && - $self->canEditPages - ) || # account for new posts - $self->next::method() - ); + my $self = shift; + my $form = $self->session->form; + my $addNew = $form->process("func" ) eq "add"; + my $editSave = $form->process("assetId" ) eq "new" + && $form->process("func" ) eq "editSave" + && $form->process("class","className" ) eq "WebGUI::Asset::WikiPage"; + my $canEdit = ( ($addNew || $editSave) && $self->canEditPages ) + || $self->next::method(); + return $canEdit; } #------------------------------------------------------------------- =head2 canEditPages -Returns true is the current user is in the group that can edit page, or if +Returns true is the current user is in the group that can edit pages, or if they can administer the wiki (canAdminister). =cut diff --git a/lib/WebGUI/Help/Asset_WikiPage.pm b/lib/WebGUI/Help/Asset_WikiPage.pm index a9596f8c9..f0f61076f 100644 --- a/lib/WebGUI/Help/Asset_WikiPage.pm +++ b/lib/WebGUI/Help/Asset_WikiPage.pm @@ -59,6 +59,7 @@ our $HELP = { { name => 'canEdit', description => 'canEdit variable', }, + { name => 'canAdminister', }, { name => 'isProtected', }, { name => 'historyLabel', description => 'historyLabel variable', diff --git a/t/Asset/WikiPage/permissions.t b/t/Asset/WikiPage/permissions.t new file mode 100644 index 000000000..dc5adc341 --- /dev/null +++ b/t/Asset/WikiPage/permissions.t 
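Review bot: The rewritten `canEdit` still makes the permission answer depend on request-supplied form values: whenever the current request carries `func=add` (or the `assetId=new` / `func=editSave` / `class` combination), the check on the WikiMaster itself is answered by `canEditPages` rather than by the asset's own edit rule. That is intended for adding pages, but it deserves a why-comment above `$addNew`, for example `# Request-scoped: during an add/editSave of a WikiPage, page editors pass canEdit on the wiki; do not reuse this result outside that request`. The switch from `process("class")` to `process("class","className")` changes how the field is read and is not explained in the POD; a short note on why the typed form is used would help the next maintainer. The `canEditPages` POD on the new side still reads `Returns true is the current user`, where `is` should be `if`; that POD block continues outside the hunk.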
@@ -0,0 +1,132 @@
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2009 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com info@plainblack.com
+#-------------------------------------------------------------------
+
+use FindBin;
+use strict;
+use lib "$FindBin::Bin/../../lib";
+
+##The goal of this test is to test permissions handling for the WikiMaster and WikiPage.
+
+use WebGUI::Test;
+use WebGUI::Test::Maker::Permission;
+use WebGUI::Session;
+use Test::More tests => 31; # increment this value for each test you create
+use WebGUI::Asset::Wobject::WikiMaster;
+use WebGUI::Asset::WikiPage;
+
+
+my $session = WebGUI::Test->session;
+my $node = WebGUI::Asset->getImportNode($session);
+my $versionTag = WebGUI::VersionTag->getWorking($session);
+$versionTag->set({name=>"Wiki Test"});
+addToCleanup($versionTag);
+
+my $assetEdit = WebGUI::Group->new($session, "new");
+my $wikiAdmin = WebGUI::Group->new($session, "new");
+my $wikiEditPage = WebGUI::Group->new($session, "new");
+addToCleanup($assetEdit, $wikiAdmin, $wikiEditPage);
+
+my $assetEditor = WebGUI::User->create($session);
+$assetEdit->addUsers([$assetEditor->userId]);
+my $wikiAdministrator = WebGUI::User->create($session);
+$wikiAdmin->addUsers([$wikiAdministrator->userId]);
+my $wikiPageEditor = WebGUI::User->create($session);
+$wikiEditPage->addUsers([$wikiPageEditor->userId]);
+my $wikiOwner = WebGUI::User->create($session);
+my $wikiPageOwner = WebGUI::User->create($session);
+addToCleanup($assetEditor, $wikiAdministrator, $wikiPageEditor, $wikiOwner, $wikiPageOwner);
+
+$session->user({user => $wikiOwner});
+my $wiki = $node->addChild({
+ className => 'WebGUI::Asset::Wobject::WikiMaster',
+ groupIdEdit => $assetEdit->getId,
+ groupToAdminister => $wikiAdmin->getId,
+ groupToEditPages => $wikiEditPage->getId,
+ ownerUserId => $wikiOwner,
+});
+$versionTag->commit;
+my $wikipage = $wiki->addChild({
+ className => 'WebGUI::Asset::WikiPage',
+ ownerUserId => $wikiPageOwner->userId,
+}, undef, undef, {skipAutoCommitWorkflows => 1});
+is $wikipage->get('ownerUserId'), $wikiPageOwner->userId, 'wiki page owned by correct user';
+
+# Wikis create and autocommit a version tag when a child is added. Lets get the name so we can roll it back.
+my $secondVersionTag = WebGUI::VersionTag->new($session,$wikipage->get("tagId"));
+$secondVersionTag->commit;
+addToCleanup($secondVersionTag );
+
+# Test for sane object types
+isa_ok($wiki, 'WebGUI::Asset::Wobject::WikiMaster');
+isa_ok($wikipage, 'WebGUI::Asset::WikiPage');
+
+note "wiki canAdminister";
+$session->user({userId => 3});
+ok ( $wiki->canAdminister, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canAdminister, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wiki->canAdminister, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok (! $wiki->canAdminister, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canAdminister, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canAdminister, 'wiki page owner');
+$session->user({userId => 1});
+ok (! $wiki->canAdminister, 'visitor');
+
+note "wiki canEditPages";
+$session->user({userId => 3});
+ok ( $wiki->canEditPages, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canEditPages, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wiki->canEditPages, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok ( $wiki->canEditPages, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canEditPages, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canEditPages, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own
+$session->user({userId => 1});
+ok (! $wiki->canEditPages, 'visitor');
+
+note "wiki canEdit";
+$session->user({userId => 3});
+ok ( $wiki->canEdit, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wiki->canEdit, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok (! $wiki->canEdit, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok (! $wiki->canEdit, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wiki->canEdit, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wiki->canEdit, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own
+$session->user({userId => 1});
+ok (! $wiki->canEdit, 'visitor');
+
+note "wikipage canEdit";
+$session->user({userId => 3});
+ok ( $wikipage->canEdit, 'Site admin');
+$session->user({user => $assetEditor});
+ok ( $wikipage->canEdit, 'asset editor');
+$session->user({user => $wikiAdministrator});
+ok ( $wikipage->canEdit, 'wiki admin');
+$session->user({user => $wikiPageEditor});
+ok ( $wikipage->canEdit, 'wiki page editor');
+$session->user({user => $wikiOwner});
+ok (! $wikipage->canEdit, 'wiki owner');
+$session->user({user => $wikiPageOwner});
+ok (! $wikipage->canEdit, 'wiki page owner');
+$session->user({userId => 1});
+ok (! $wikipage->canEdit, 'visitor');
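Review bot: The WikiMaster fixture is created with `ownerUserId => $wikiOwner`, which passes the user object rather than its id, while the page fixture a few lines later uses `$wikiPageOwner->userId`; it should read `ownerUserId => $wikiOwner->userId,`. As written, the three `'wiki owner'` assertions on `$wiki` (`canAdminister`, `canEditPages`, `canEdit`) probably never exercise a real owner, and they expect false even though the `canAdminister` POD updated in this commit says ownership grants administration, so those expectations should be rechecked once the fixture is fixed. None of the 31 tests calls `www_purgeRevision`, the handler this commit adds for #11377; a case asserting that a page editor receives the insufficient-privilege response and a wiki administrator does not would pin the actual fix. The file also enables `use strict` without `use warnings`.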