Add permission checks to schedule JSON in the EMS.

2009-09-15 18:43:50 -07:00 · 2009-09-15 18:43:50 -07:00 · b2798a47a1
commit b2798a47a1
parent bcaff3b9eb
2 changed files with 21 additions and 7 deletions
--- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
+++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
@ -1156,6 +1156,7 @@ returns the JSON data for a page of the schedule table
 sub www_getScheduleDataJSON {
    my $self = shift;
    my $session = $self->session;
+    return $session->privilege->insufficient() unless $self->canView;
    # the following two are expected to be configurable...
    my $locationsPerPage = $self->get('scheduleColumnsPerPage');

@ -2053,7 +2054,7 @@ sub www_toggleRegistrantCheckedIn {

 =head2 www_viewSchedule ()

-view the schedule table
+View the schedule table.

 =cut

@ -2076,7 +2077,7 @@ sub www_viewSchedule {
                      rowsPerPage => $rowsPerPage,
                      dataColumns => $dataColumns,
                      fieldList => $fieldList,
-		      dataSourceUrl => $self->getUrl('func=getScheduleDataJSON'),
+                      dataSourceUrl => $self->getUrl('func=getScheduleDataJSON'),
                  },$self->get('scheduleTemplateId')));

 }
--- a/t/Asset/Wobject/EventManagementSystem.t
+++ b/t/Asset/Wobject/EventManagementSystem.t
@ -50,7 +50,7 @@ $versionTag->set({name=>"EventManagementSystem Test"});
 #----------------------------------------------------------------------------
 # Tests

-plan tests => 32 ;        # Increment this number for each test you create
+plan tests => 34 ;        # Increment this number for each test you create

 #----------------------------------------------------------------------------

@ -161,14 +161,27 @@ ok(scalar(@$ribbons) == 2, 'Two ribbons exist');
 ok( $ems->can('www_getScheduleDataJSON'), 'Can call get Schedule data' );
 ok( $ems->can('www_viewSchedule'), 'Can call view Schedule' );

+my $data;
 $session->user({userId => $crasher->getId});
-my $data = $ems->www_viewSchedule();
-is($session->http->getStatus, 401, 'www_viewSchedule: visitor may not see the schedule');
 $session->http->setStatus(201);
+$data = $ems->www_viewSchedule();
+is($session->http->getStatus, 401, 'www_viewSchedule: visitor may not see the schedule');

+$session->http->setStatus(201);
 $session->user({userId => $attender->getId});
-my $data = $ems->www_viewSchedule();
-is($session->http->getStatus, 201, 'attender user may see the schedule');
+$data = $ems->www_viewSchedule();
+is($session->http->getStatus, 201, '... attender user can see the schedule');
+
+$session->http->setStatus(201);
+$session->user({userId => $crasher->getId});
+$data = $ems->www_getScheduleDataJSON();
+is($session->http->getStatus, 401, 'www_getScheduleDataJSON: non-attender may now see the schedule JSON');
+
+$session->http->setStatus(201);
+$session->user({userId => $attender->getId});
+$data = $ems->www_getScheduleDataJSON();
+is($session->http->getStatus, 201, '... attender can see the schedule JSON');
+$session->http->setStatus(201);

 my $html = $ems->www_viewSchedule();
 ok( $html !~ /REPLACE/, 'tags were successfully replaced');