From acc6447841642b76a5ddb4549457a186847796c3 Mon Sep 17 00:00:00 2001 From: Colin Kuskie Date: Mon, 1 Feb 2010 14:50:40 -0800 Subject: [PATCH] Only users who canAdminister the parent wiki are allowed to purge revisions of a wiki page. Fixes bug #11377 --- docs/changelog/7.x.x.txt | 4 +- docs/upgrades/packages-7.7.11 | Bin 0 -> 2328 bytes lib/WebGUI/Asset/WikiPage.pm | 33 ++++++- lib/WebGUI/Asset/Wobject/WikiMaster.pm | 30 +++--- lib/WebGUI/Help/Asset_WikiPage.pm | 1 + t/Asset/WikiPage/permissions.t | 132 +++++++++++++++++++++++++ 6 files changed, 179 insertions(+), 21 deletions(-) create mode 100644 docs/upgrades/packages-7.7.11 create mode 100644 t/Asset/WikiPage/permissions.t diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt index 4ed689bfa..7ceb28152 100644 --- a/docs/changelog/7.x.x.txt +++ b/docs/changelog/7.x.x.txt @@ -8,9 +8,9 @@ - fixed #11044: Optionally include hidden pages in sitemap.xml - fixed #11379: Certain fields in some Assets cannot be overridden in the config file - fixed #11380: "Use this Address" button in Shop needs to be green! - - fixed: Due to a typo France was not considered part of the EU by the EU - TaxDriver. ( Martin Kamerbeek / Oqapi ) + - fixed: Due to a typo France was not considered part of the EU by the EU TaxDriver. ( Martin Kamerbeek / Oqapi ) - fixed #11292: Made search less sticky + - fixed #11377: Normal users can delete revisions in wiki 7.8.10 - fixed #11332: Pagination in webgui.org forum urls 
diff --git a/docs/upgrades/packages-7.7.11 b/docs/upgrades/packages-7.7.11 new file mode 100644 index 0000000000000000000000000000000000000000..cb8732b3093601c13d591a17e02e52ab1ce381ca GIT binary patch literal 2328 zcmV+z3Fr17iwFP!00000|Ls~)bK5o&_H%y)&V8`#u|&zX?2M#n#*LFYGil>qob%m8 zX$B%;2{8rm07#0O`oDJZj0cvaO@t=0PeR9&>+G@8u zC*3xFwmU~hTU#W5+FPB@;bG^vdw9}0+9I7!`=Gr=V94V?b8V;smqHnHakJUpTr;IN zi*Zu$*vZ+?FLeDUiLBQh|F_$<@7>l%EyV*l3L1}(VZH0uA6EV3sIvY?hljBK5Y5Mb z9&7zukMH_JSor({Y{G5BW=Tv9`#_DM;dI7?(c7d)-o4+qa&4rd6IN_WluVd1oY{_6 z4Qh(1HqSpLQW+MVT9KH?vDJd&P%$tQ{j@?=+lSk^0Cu6V`nQw$IOclFA}CFfa(UhL)*f z*U<9&b5x}pt2qzGa~?;5q2mQ-%YbUljCNmJFlx6C zLGHy;^~N!@^wam{lpEGBnQAV1WTw4#KcP{?#iZat{e;kYAC8h~8x^PEJ{nz^W>ihM zuwiOKkPD8amR&#RvyCU4t<3?NeCS9kmK3L0j1ix~Ligq>ZWM8YeWC!PEXRs~&n7`O zx;5d~yZzmMA<&7`9Cu7Fgf(W0q#wl|iX{M-Jt3RvTb)~E?{ma8p!W*;3D&=b&5S8J z^eCxULMEE8qj3p7|32UxiN6mz!Pb2-tpb*Jg6B7w@|bxSe13zGuLjU>u<|81ut#D#W-*~6BH5OQ`Z(N3GNUG(k}2bpsUh;3NHYbz1Ap&W zj*Uelk4&X@{8QYmWKgv*p_`Q;;=08&sY%aL?Q#=$v34blq>Jd9-4Z}00}13^p6q!! zbD9bT>HbwMOCg`98*1BHzqJZi-JIUvJ?C+$+-3b;(HjY0_T*A9^%jopFVjOo;j{sj z+m^eCUDJ7NAl+|x6Umz&ZE1ft@(RQkAiae04wNl@I=(O07fKq5hl}b7h3j)3MNCxN zk!&R|qvsJfR@6E0>fC9}3I+y@e&E+cGp&Iwv=&sgXav;ywHOYPVJe44i*!oH8t6PU z2idqGfbI04(9LiI>|hW;Bf=oU!64!b!Xr3BI1&qIiV%)+8k#(vg_A8NY<(C-F}ax=^0C4|4#S{z7$r+Cot^FAuf+~5HflsvLSZeA^28+x}YJc za|pxi*2AT8C};LQqo^77O4?XEx4QYJPQfUZ^<3Dacw^T=CaxAj1eDzWz>XqM30$d=|DB${e%*qT+=Q9d zWh!dyxVY`W)qq6@9GneoNzvHJ(&FE6?Xue0-(bxRfa4)(Zq%7;6!;a|aF69~J+hPM z0hz+|rCO!CbZ6hY<%ZyAL=AnT!n%QPA+a_M3*o+tox#{1F>21rx^H(~5N_QIV&?5` z1Hb0iCiv=iRcWVY6}d;Az=0G~FvmVWJ{{9BsHT)VkWh@kjXrz zYE4H$c9$Z!F2fV(vndr5rmLDpq9ndk8D`PBoUy7N;sjnpn)JT>aRKa*8yNXQ$=L-} z;8nGJ+D-l|ou&2mij9AM`?A-wh}Y{~X1AGMC0qwGtnPR>XsdV4jkoV@?;_JU)ZA3! 
z4d*X1;@3R8Z0sByciYE@PfogCMONN%vst4jUSzQT+Qze#eUK}N6+wRCJ88H}`c)b* z5?WNZ{X1UH^>Y9hI?gl|B$l_l;eVtijyp#M8BT0&uK~7c0vEW8;w3A9&w9PD_fe<>)+DFFxOc$sxvJvMk+fvIC#=N?4A_vffZYDBuB81 z(|Ome2~<-csCgRrV8Ty3>D{rrNw#(h>h)AEUy2t}&C=i%LMk8!bwb0`EUsjEA(;r( zDlxXvW}i3fXkKdD+RSnPzGQDB)w7^fDp#8*-k_G)0iz zNijV8d&h;_FxVUX>)o@n)63I$dqKmqmCr~~=+io`fIwQJCbWi%6f{vdB7K2)#CW9W zZDtsbORV?6dbYFgNds~QU&=v_x}BGFUX03T_s1_ADs%2LbYG3y9Jpqz4esh z%S@mwy;GN~_iGM0f!9za0)|eq1Ng-sA^-o8{`vIs>dB2dIJ$Z $self->getUrl("func=getHistory"), editContent => $self->getEditForm, allowsAttachments => $wiki->get("allowAttachments"), - comments => $self->getFormattedComments(), + comments => $self->getFormattedComments(), canEdit => $self->canEdit, + canAdminister => $wiki->canAdminister, isProtected => $self->isProtected, content => $wiki->autolinkHtml( $self->scrubContent, 
@@ -584,6 +585,36 @@ sub www_getHistory { #------------------------------------------------------------------- +=head2 www_purgeRevision + +Override the main method to change which group is allowed to purge revisions for WikiPages. Only +members who can administer the parent wiki (canAdminister) can purge revisions. + +=cut + +sub www_purgeRevision { + my $self = shift; + my $session = $self->session; + return $session->privilege->insufficient() unless $self->getWiki->canAdminister; + my $revisionDate = $session->form->process("revisionDate"); + return undef unless $revisionDate; + my $asset = WebGUI::Asset->new($session, $self->getId, $self->get("className"), $revisionDate); + return undef if ($asset->get('revisionDate') != $revisionDate); + my $parent = $asset->getParent; + $asset->purgeRevision; + if ($session->form->process("proceed") eq "manageRevisionsInTag") { + my $working = (defined $self) ? $self : $parent; + $session->http->setRedirect($working->getUrl("op=manageRevisionsInTag")); + return undef; + } + unless (defined $self) { + return $parent->www_view; + } + return $self->www_manageRevisions; +} + +#------------------------------------------------------------------- + =head2 www_restoreWikiPage Publishes a wiki page that has been put into the trash or the clipboard. diff --git a/lib/WebGUI/Asset/Wobject/WikiMaster.pm b/lib/WebGUI/Asset/Wobject/WikiMaster.pm index 01e0c473e..093033c5f 100644 --- a/lib/WebGUI/Asset/Wobject/WikiMaster.pm +++ b/lib/WebGUI/Asset/Wobject/WikiMaster.pm @@ -231,7 +231,7 @@ sub autolinkHtml { =head2 canAdminister Returns true if the current user is in the groupToAdminister group, or the user can edit -this WikiMaster. +this WikiMaster due to groupIdEdit or ownerUserId. =cut 
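Review bot: `$asset` returned by `WebGUI::Asset->new($session, $self->getId, $self->get("className"), $revisionDate)` is dereferenced on the next line without a definedness check, so a `revisionDate` that names no revision of this page would die in `$asset->get('revisionDate')` rather than return cleanly; add `return undef unless defined $asset;` before the comparison (and consider `looks_like_number` on `$revisionDate`, since the `!=` comparison warns on non-numeric input). The `defined $self` tests further down, `my $working = (defined $self) ? $self : $parent;` and `unless (defined $self) { return $parent->www_view; }`, can never take the undefined branch here because `$self` is the invocant that already answered `$self->getWiki`; they look carried over from the base implementation and could be dropped together with `$parent`. Since this handler purges data on a plain `func=purgeRevision` request, it is also worth confirming that whatever request-token check the project applies to its other destructive `www_` actions is applied here too; nothing in the hunk shows one.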
@@ -244,33 +244,27 @@ sub canAdminister { =head2 canEdit ( ) -Overriding canEdit method to check permissions correctly when someone is adding a wikipage +Overriding canEdit method to check permissions correctly when someone is adding a wikipage. =cut sub canEdit { - my $self = shift; - return ( - ( - ( - $self->session->form->process("func") eq "add" || - ( - $self->session->form->process("assetId") eq "new" && - $self->session->form->process("func") eq "editSave" && - $self->session->form->process("class") eq "WebGUI::Asset::WikiPage" - ) - ) && - $self->canEditPages - ) || # account for new posts - $self->next::method() - ); + my $self = shift; + my $form = $self->session->form; + my $addNew = $form->process("func" ) eq "add"; + my $editSave = $form->process("assetId" ) eq "new" + && $form->process("func" ) eq "editSave" + && $form->process("class","className" ) eq "WebGUI::Asset::WikiPage"; + my $canEdit = ( ($addNew || $editSave) && $self->canEditPages ) + || $self->next::method(); + return $canEdit; } #------------------------------------------------------------------- =head2 canEditPages -Returns true is the current user is in the group that can edit page, or if +Returns true is the current user is in the group that can edit pages, or if they can administer the wiki (canAdminister). =cut diff --git a/lib/WebGUI/Help/Asset_WikiPage.pm b/lib/WebGUI/Help/Asset_WikiPage.pm index a9596f8c9..f0f61076f 100644 --- a/lib/WebGUI/Help/Asset_WikiPage.pm +++ b/lib/WebGUI/Help/Asset_WikiPage.pm @@ -59,6 +59,7 @@ our $HELP = { { name => 'canEdit', description => 'canEdit variable', }, + { name => 'canAdminister', }, { name => 'isProtected', }, { name => 'historyLabel', description => 'historyLabel variable', diff --git a/t/Asset/WikiPage/permissions.t b/t/Asset/WikiPage/permissions.t new file mode 100644 index 000000000..dc5adc341 --- /dev/null +++ b/t/Asset/WikiPage/permissions.t 
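Review bot: The rewritten `canEdit` quietly changes what is compared for the class name: `$form->process("class","className")` reads the value through a named form control, whereas the removed lines compared the raw `class` parameter, and neither the hunk nor the updated POD says why. If the intent is to have the class name validated before it is trusted, record it with a comment such as `# read "class" through the className control so only a well-formed class name reaches the comparison`, and confirm that `className` is a form control in this tree. The permissions test added in this commit never submits `assetId=new&func=editSave&class=WebGUI::Asset::WikiPage`, so this `editSave` path for a page-editor user is still untested. The alignment spaces inside the call parentheses (`"func" )`, `"assetId" )`) are unusual for the file and perltidy would remove them.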
@@ -0,0 +1,132 @@ +#------------------------------------------------------------------- +# WebGUI is Copyright 2001-2009 Plain Black Corporation. +#------------------------------------------------------------------- +# Please read the legal notices (docs/legal.txt) and the license +# (docs/license.txt) that came with this distribution before using +# this software. +#------------------------------------------------------------------- +# http://www.plainblack.com info@plainblack.com +#------------------------------------------------------------------- + +use FindBin; +use strict; +use lib "$FindBin::Bin/../../lib"; + +##The goal of this test is to test permissions handling for the WikiMaster and WikiPage. + +use WebGUI::Test; +use WebGUI::Test::Maker::Permission; +use WebGUI::Session; +use Test::More tests => 31; # increment this value for each test you create +use WebGUI::Asset::Wobject::WikiMaster; +use WebGUI::Asset::WikiPage; + + +my $session = WebGUI::Test->session; +my $node = WebGUI::Asset->getImportNode($session); +my $versionTag = WebGUI::VersionTag->getWorking($session); +$versionTag->set({name=>"Wiki Test"}); +addToCleanup($versionTag); + +my $assetEdit = WebGUI::Group->new($session, "new"); +my $wikiAdmin = WebGUI::Group->new($session, "new"); +my $wikiEditPage = WebGUI::Group->new($session, "new"); +addToCleanup($assetEdit, $wikiAdmin, $wikiEditPage); + +my $assetEditor = WebGUI::User->create($session); +$assetEdit->addUsers([$assetEditor->userId]); +my $wikiAdministrator = WebGUI::User->create($session); +$wikiAdmin->addUsers([$wikiAdministrator->userId]); +my $wikiPageEditor = WebGUI::User->create($session); +$wikiEditPage->addUsers([$wikiPageEditor->userId]); +my $wikiOwner = WebGUI::User->create($session); +my $wikiPageOwner = WebGUI::User->create($session); +addToCleanup($assetEditor, $wikiAdministrator, $wikiPageEditor, $wikiOwner, $wikiPageOwner); + +$session->user({user => $wikiOwner}); +my $wiki = $node->addChild({ + className => 
'WebGUI::Asset::Wobject::WikiMaster', + groupIdEdit => $assetEdit->getId, + groupToAdminister => $wikiAdmin->getId, + groupToEditPages => $wikiEditPage->getId, + ownerUserId => $wikiOwner, +}); +$versionTag->commit; +my $wikipage = $wiki->addChild({ + className => 'WebGUI::Asset::WikiPage', + ownerUserId => $wikiPageOwner->userId, +}, undef, undef, {skipAutoCommitWorkflows => 1}); +is $wikipage->get('ownerUserId'), $wikiPageOwner->userId, 'wiki page owned by correct user'; + +# Wikis create and autocommit a version tag when a child is added. Lets get the name so we can roll it back. +my $secondVersionTag = WebGUI::VersionTag->new($session,$wikipage->get("tagId")); +$secondVersionTag->commit; +addToCleanup($secondVersionTag ); + +# Test for sane object types +isa_ok($wiki, 'WebGUI::Asset::Wobject::WikiMaster'); +isa_ok($wikipage, 'WebGUI::Asset::WikiPage'); + +note "wiki canAdminister"; +$session->user({userId => 3}); +ok ( $wiki->canAdminister, 'Site admin'); +$session->user({user => $assetEditor}); +ok ( $wiki->canAdminister, 'asset editor'); +$session->user({user => $wikiAdministrator}); +ok ( $wiki->canAdminister, 'wiki admin'); +$session->user({user => $wikiPageEditor}); +ok (! $wiki->canAdminister, 'wiki page editor'); +$session->user({user => $wikiOwner}); +ok (! $wiki->canAdminister, 'wiki owner'); +$session->user({user => $wikiPageOwner}); +ok (! $wiki->canAdminister, 'wiki page owner'); +$session->user({userId => 1}); +ok (! $wiki->canAdminister, 'visitor'); + +note "wiki canEditPages"; +$session->user({userId => 3}); +ok ( $wiki->canEditPages, 'Site admin'); +$session->user({user => $assetEditor}); +ok ( $wiki->canEditPages, 'asset editor'); +$session->user({user => $wikiAdministrator}); +ok ( $wiki->canEditPages, 'wiki admin'); +$session->user({user => $wikiPageEditor}); +ok ( $wiki->canEditPages, 'wiki page editor'); +$session->user({user => $wikiOwner}); +ok (! $wiki->canEditPages, 'wiki owner'); +$session->user({user => $wikiPageOwner}); +ok (! 
$wiki->canEditPages, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own +$session->user({userId => 1}); +ok (! $wiki->canEditPages, 'visitor'); + +note "wiki canEdit"; +$session->user({userId => 3}); +ok ( $wiki->canEdit, 'Site admin'); +$session->user({user => $assetEditor}); +ok ( $wiki->canEdit, 'asset editor'); +$session->user({user => $wikiAdministrator}); +ok (! $wiki->canEdit, 'wiki admin'); +$session->user({user => $wikiPageEditor}); +ok (! $wiki->canEdit, 'wiki page editor'); +$session->user({user => $wikiOwner}); +ok (! $wiki->canEdit, 'wiki owner'); +$session->user({user => $wikiPageOwner}); +ok (! $wiki->canEdit, 'wiki page owner'); ##A wiki page owner should not be able to edit _all_ pages, just their own +$session->user({userId => 1}); +ok (! $wiki->canEdit, 'visitor'); + +note "wikipage canEdit"; +$session->user({userId => 3}); +ok ( $wikipage->canEdit, 'Site admin'); +$session->user({user => $assetEditor}); +ok ( $wikipage->canEdit, 'asset editor'); +$session->user({user => $wikiAdministrator}); +ok ( $wikipage->canEdit, 'wiki admin'); +$session->user({user => $wikiPageEditor}); +ok ( $wikipage->canEdit, 'wiki page editor'); +$session->user({user => $wikiOwner}); +ok (! $wikipage->canEdit, 'wiki owner'); +$session->user({user => $wikiPageOwner}); +ok (! $wikipage->canEdit, 'wiki page owner'); +$session->user({userId => 1}); +ok (! $wikipage->canEdit, 'visitor');
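Review bot: `ownerUserId => $wikiOwner,` in the WikiMaster's `addChild` passes the user object, while the wikipage's `addChild` passes `ownerUserId => $wikiPageOwner->userId`; the wiki's stored owner is therefore the stringified reference, no user ever matches it, and the three 'wiki owner' assertions (`ok (! $wiki->canAdminister, 'wiki owner')`, the `canEditPages` one and the `canEdit` one) likely pass only because of that. With `ownerUserId => $wikiOwner->userId,` those expectations need revisiting, since the `canAdminister` POD updated in this same commit says ownership of the WikiMaster grants administration. The file also never calls `www_purgeRevision`, so the regression for #11377 that the commit fixes is not pinned by this test; a case that runs it as `$wikiPageEditor` and expects the insufficient-privilege response would close that gap.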