From b2798a47a108c0b2499fbcab728cdc78937c8a5f Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Tue, 15 Sep 2009 18:43:50 -0700
Subject: [PATCH] Add permission checks to schedule JSON in the EMS.

---
 .../Asset/Wobject/EventManagementSystem.pm | 5 ++--
 t/Asset/Wobject/EventManagementSystem.t | 23 +++++++++++++++----
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
index a819dda00..486bc1178 100644
--- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
+++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
@@ -1156,6 +1156,7 @@ returns the JSON data for a page of the schedule table
 sub www_getScheduleDataJSON {
 my $self = shift;
 my $session = $self->session;
+ return $session->privilege->insufficient() unless $self->canView;
 
 # the following two are expected to be configurable...
 my $locationsPerPage = $self->get('scheduleColumnsPerPage');
@@ -2053,7 +2054,7 @@ sub www_toggleRegistrantCheckedIn {
 
 =head2 www_viewSchedule ()
 
-view the schedule table
+View the schedule table.
 
 =cut
 
@@ -2076,7 +2077,7 @@ sub www_viewSchedule {
 rowsPerPage => $rowsPerPage,
 dataColumns => $dataColumns,
 fieldList => $fieldList,
- dataSourceUrl => $self->getUrl('func=getScheduleDataJSON'),
+ dataSourceUrl => $self->getUrl('func=getScheduleDataJSON'),
 },$self->get('scheduleTemplateId')));
 }
 
diff --git a/t/Asset/Wobject/EventManagementSystem.t b/t/Asset/Wobject/EventManagementSystem.t
index 15dc58785..36bd87e39 100644
--- a/t/Asset/Wobject/EventManagementSystem.t
+++ b/t/Asset/Wobject/EventManagementSystem.t
@@ -50,7 +50,7 @@ $versionTag->set({name=>"EventManagementSystem Test"});
 #----------------------------------------------------------------------------
 # Tests
 
-plan tests => 32 ; # Increment this number for each test you create
+plan tests => 34 ; # Increment this number for each test you create
 
 #----------------------------------------------------------------------------
 
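Review bot: The new permission gate in www_getScheduleDataJSON is not reflected in the method's POD, whose description still reads only "returns the JSON data for a page of the schedule table"; add a line such as `Returns the privilege-insufficient response unless the current user can view this asset.` The body of www_getScheduleDataJSON continues past the end of this hunk. Because this method is the dataSourceUrl of the schedule table (third hunk), the insufficient() response is presumably an HTML privilege page rather than JSON, so it is worth confirming that the client-side data source copes with a 401 carrying a non-JSON body. The gate uses canView, which is consistent with the 401 the test file already expects from www_viewSchedule for a non-attender.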
@@ -161,14 +161,27 @@ ok(scalar(@$ribbons) == 2, 'Two ribbons exist');
 ok( $ems->can('www_getScheduleDataJSON'), 'Can call get Schedule data' );
 ok( $ems->can('www_viewSchedule'), 'Can call view Schedule' );
 
+my $data;
 $session->user({userId => $crasher->getId});
-my $data = $ems->www_viewSchedule();
-is($session->http->getStatus, 401, 'www_viewSchedule: visitor may not see the schedule');
 $session->http->setStatus(201);
+$data = $ems->www_viewSchedule();
+is($session->http->getStatus, 401, 'www_viewSchedule: visitor may not see the schedule');
+$session->http->setStatus(201);
 
 $session->user({userId => $attender->getId});
-my $data = $ems->www_viewSchedule();
-is($session->http->getStatus, 201, 'attender user may see the schedule');
+$data = $ems->www_viewSchedule();
+is($session->http->getStatus, 201, '... attender user can see the schedule');
+
+$session->http->setStatus(201);
+$session->user({userId => $crasher->getId});
+$data = $ems->www_getScheduleDataJSON();
+is($session->http->getStatus, 401, 'www_getScheduleDataJSON: non-attender may now see the schedule JSON');
+
+$session->http->setStatus(201);
+$session->user({userId => $attender->getId});
+$data = $ems->www_getScheduleDataJSON();
+is($session->http->getStatus, 201, '... attender can see the schedule JSON');
+$session->http->setStatus(201);
 
 my $html = $ems->www_viewSchedule();
 ok( $html !~ /REPLACE/, 'tags were successfully replaced');
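Review bot: The description on the new 401 assertion says the opposite of what it checks: `is($session->http->getStatus, 401, 'www_getScheduleDataJSON: non-attender may now see the schedule JSON');` should read `'www_getScheduleDataJSON: non-attender may not see the schedule JSON'`, matching the wording of the www_viewSchedule case above it. Only the status code is verified for the crasher; `$data` is captured and never inspected, so a second assertion that the returned body is the privilege response rather than schedule JSON (for example comparing `$data` against `$session->privilege->insufficient()`, or `unlike($data, qr/\{/, '... and no JSON is returned')`) would catch a regression where the check sets the status but still returns data. The final `$session->http->setStatus(201);` after the attender JSON check resets state for the www_viewSchedule call that follows; a short comment saying so would make the reset's purpose clear.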