Only users who canAdminister the parent wiki are allowed to purge revisions of a wiki page. Fixes bug #11377

Colin Kuskie 2010-02-01 14:50:40 -08:00
parent 4b4038d7d0
commit acc6447841
6 changed files with 179 additions and 21 deletions


@ -297,8 +297,9 @@ sub getTemplateVars {
historyUrl => $self->getUrl("func=getHistory"),
editContent => $self->getEditForm,
allowsAttachments => $wiki->get("allowAttachments"),
comments => $self->getFormattedComments(),
comments => $self->getFormattedComments(),
canEdit => $self->canEdit,
canAdminister => $wiki->canAdminister,
isProtected => $self->isProtected,
content => $wiki->autolinkHtml(
$self->scrubContent,
@ -584,6 +585,36 @@ sub www_getHistory {
#-------------------------------------------------------------------
=head2 www_purgeRevision
Override the main method to change which group is allowed to purge revisions for WikiPages. Only
members who can administer the parent wiki (canAdminister) can purge revisions.
=cut
sub www_purgeRevision {
my $self = shift;
my $session = $self->session;
return $session->privilege->insufficient() unless $self->getWiki->canAdminister;
my $revisionDate = $session->form->process("revisionDate");
return undef unless $revisionDate;
my $asset = WebGUI::Asset->new($session, $self->getId, $self->get("className"), $revisionDate);
return undef if ($asset->get('revisionDate') != $revisionDate);
my $parent = $asset->getParent;
$asset->purgeRevision;
if ($session->form->process("proceed") eq "manageRevisionsInTag") {
my $working = (defined $self) ? $self : $parent;
$session->http->setRedirect($working->getUrl("op=manageRevisionsInTag"));
return undef;
}
unless (defined $self) {
return $parent->www_view;
}
return $self->www_manageRevisions;
}
#-------------------------------------------------------------------
=head2 www_restoreWikiPage
Publishes a wiki page that has been put into the trash or the clipboard.
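Review bot: In the new www_purgeRevision, `$asset` is used on the line after `WebGUI::Asset->new(...)` without a definedness check, although the `revisionDate` it is built from comes straight from the form. If the constructor returns undef for a revision that does not exist (likely, but not visible here), the request dies instead of returning cleanly; suggest `return undef unless defined $asset && $asset->get('revisionDate') == $revisionDate;`. The two `defined $self` tests further down can never be false, because `$self->session` has already been called on it, so the `$parent->www_view` branch is dead code and should either go or get a comment saying what it was meant to cover. Separately, the purge is destructive and nothing visible in this hunk checks the request method or an anti-CSRF token, so it is worth confirming that this is enforced elsewhere before relying on the canAdminister check alone.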


@ -231,7 +231,7 @@ sub autolinkHtml {
=head2 canAdminister
Returns true if the current user is in the groupToAdminister group, or the user can edit
this WikiMaster.
this WikiMaster due to groupIdEdit or ownerUserId.
=cut
@ -244,33 +244,27 @@ sub canAdminister {
=head2 canEdit ( )
Overriding canEdit method to check permissions correctly when someone is adding a wikipage
Overriding canEdit method to check permissions correctly when someone is adding a wikipage.
=cut
sub canEdit {
my $self = shift;
return (
(
(
$self->session->form->process("func") eq "add" ||
(
$self->session->form->process("assetId") eq "new" &&
$self->session->form->process("func") eq "editSave" &&
$self->session->form->process("class") eq "WebGUI::Asset::WikiPage"
)
) &&
$self->canEditPages
) || # account for new posts
$self->next::method()
);
my $self = shift;
my $form = $self->session->form;
my $addNew = $form->process("func" ) eq "add";
my $editSave = $form->process("assetId" ) eq "new"
&& $form->process("func" ) eq "editSave"
&& $form->process("class","className" ) eq "WebGUI::Asset::WikiPage";
my $canEdit = ( ($addNew || $editSave) && $self->canEditPages )
|| $self->next::method();
return $canEdit;
}
#-------------------------------------------------------------------
=head2 canEditPages
Returns true is the current user is in the group that can edit page, or if
Returns true is the current user is in the group that can edit pages, or if
they can administer the wiki (canAdminister).
=cut
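Review bot: The rewritten canEdit changes `$form->process("class")` to `$form->process("class","className")`, which is the only behavioural difference in an otherwise mechanical refactor and is not mentioned in the commit message. A comment such as `# read "class" as a className field so only a well-formed class name can match` would record the intent, assuming that is what the second argument does (please confirm). The permission result still depends on request parameters (`func`, `assetId`, `class`), so the POD for canEdit should state that the canEditPages shortcut applies only to add and editSave-of-new requests and that everything else goes through `next::method`. The canEditPages POD touched in the last hunk still reads "Returns true is"; it should be "Returns true if".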


@ -59,6 +59,7 @@ our $HELP = {
{ name => 'canEdit',
description => 'canEdit variable',
},
{ name => 'canAdminister', },
{ name => 'isProtected', },
{ name => 'historyLabel',
description => 'historyLabel variable',