From bcaff3b9ebd8dca667a3ebc13a62e0b180f5c8d0 Mon Sep 17 00:00:00 2001 From: Colin Kuskie Date: Tue, 15 Sep 2009 18:38:28 -0700 Subject: [PATCH] Add permission check to www_viewSchedule for the EMS. fixes bug #10987 --- docs/changelog/7.x.x.txt | 1 + .../Asset/Wobject/EventManagementSystem.pm | 9 +- t/Asset/Wobject/EventManagementSystem.t | 262 ++++++++++-------- 3 files changed, 145 insertions(+), 127 deletions(-) diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt index 28ff37779..fc8eb08a3 100644 --- a/docs/changelog/7.x.x.txt +++ b/docs/changelog/7.x.x.txt @@ -41,6 +41,7 @@ - fixed #10885: Code Editor breaks Javascript comments - fixed #10991: Calendar: bug in Display tab - added direct value access in DataForm list view + - fixed #10987: EMS Schedule -- No Permission Check 7.7.19 - fixed #10838: Forwarded forum post email to new CS adds reply to original thread diff --git a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm index b7ae690ad..a819dda00 100644 --- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm +++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm @@ -2058,13 +2058,14 @@ view the schedule table =cut sub www_viewSchedule { - my $self = shift; - my $db = $self->session->db; - my $rowsPerPage = 25; + my $self = shift; + return $self->session->privilege->insufficient() unless $self->canView; + my $db = $self->session->db; + my $rowsPerPage = 25; my $locationsPerPage = $self->get('scheduleColumnsPerPage'); my @columnNames = map { "'col" . $_ . "'" } ( 1..$locationsPerPage ); - my $fieldList = join ',', @columnNames; + my $fieldList = join ',', @columnNames; my $dataColumns = join ",\n", map { '{key:' . $_ . ',sortable:false,label:"",formatter:formatViewScheduleItem}' } @columnNames; diff --git a/t/Asset/Wobject/EventManagementSystem.t b/t/Asset/Wobject/EventManagementSystem.t index 7ba1eb757..15dc58785 100644 --- a/t/Asset/Wobject/EventManagementSystem.t 
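Review bot: The canView guard added at the top of www_viewSchedule gates only the HTML wrapper; the rows shown in that table are produced separately by www_getScheduleDataJSON (the new code builds `dataColumns` with `formatter:formatViewScheduleItem`, and the test calls www_getScheduleDataJSON directly right after viewSchedule), and that method is not touched by this patch. If it carries no check of its own, a user outside groupIdView can presumably still fetch the schedule data by invoking the JSON method directly, so the bug is only half closed. I would add the same first line, `return $self->session->privilege->insufficient() unless $self->canView;`, to www_getScheduleDataJSON and extend the test so the $crasher user is also asserted to get a 401 from it. The body of www_viewSchedule continues past the end of this hunk, so I cannot see whether any later statement does extra per-record filtering.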
+++ b/t/Asset/Wobject/EventManagementSystem.t @@ -30,10 +30,14 @@ use Test::Deep; my $session = WebGUI::Test->session; my $registrar = WebGUI::User->create($session); -WebGUI::Test->usersToDelete($registrar); +my $attender = WebGUI::User->create($session); +my $crasher = WebGUI::User->create($session); +WebGUI::Test->usersToDelete($registrar, $attender, $crasher); my $registrars = WebGUI::Group->new($session, 'new'); -WebGUI::Test->groupsToDelete($registrars); +my $attendees = WebGUI::Group->new($session, 'new'); +WebGUI::Test->groupsToDelete($registrars, $attendees); $registrars->addUsers([$registrar->getId]); +$attendees->addUsers([$attender->getId]); # Do our work in the import node @@ -46,7 +50,7 @@ $versionTag->set({name=>"EventManagementSystem Test"}); #---------------------------------------------------------------------------- # Tests -plan tests => 30 ; # Increment this number for each test you create +plan tests => 32 ; # Increment this number for each test you create #---------------------------------------------------------------------------- @@ -59,12 +63,13 @@ use_ok('WebGUI::Asset::Sku::EMSToken'); # Add an EMS asset my $ems = $node->addChild({ - className=>'WebGUI::Asset::Wobject::EventManagementSystem', - title => 'Test EMS', - description => 'This is a test ems', - url => '/test-ems', - workflowIdCommit => 'pbworkflow000000000003', # Commit Content Immediately + className =>'WebGUI::Asset::Wobject::EventManagementSystem', + title => 'Test EMS', + description => 'This is a test ems', + url => '/test-ems', + workflowIdCommit => 'pbworkflow000000000003', # Commit Content Immediately registrationStaffGroupId => $registrars->getId, + groupIdView => $attendees->getId }); $versionTag->commit; WebGUI::Test->tagsToRollback($versionTag); 
@@ -74,7 +79,7 @@ isa_ok($ems, 'WebGUI::Asset::Wobject::EventManagementSystem'); # Test to see if we can set new values my $newEMSSettings = { - timezone => 'America/New York', + timezone => 'America/New York', }; # update the new values for this instance @@ -82,7 +87,7 @@ $ems->update($newEMSSettings); # Let's check our updated values foreach my $newSetting (keys %{$newEMSSettings}) { - is ($ems->get($newSetting), $newEMSSettings->{$newSetting}, "updated $newSetting is ".$newEMSSettings->{$newSetting}); + is ($ems->get($newSetting), $newEMSSettings->{$newSetting}, "updated $newSetting is ".$newEMSSettings->{$newSetting}); } my $preparedView = $ems->prepareView(); @@ -98,22 +103,23 @@ ok($ems->isRegistrationStaff == 0, 'Visitor is not part of registration staff'); $session->user({ userId => $registrar->getId }); ok($ems->isRegistrationStaff == 1, 'User is part of registration staff'); +$session->user({ userId => 3 }); # Add two badges, using addChild instead of Mech my @badges; push(@badges, $ems->addChild({ - className=>'WebGUI::Asset::Sku::EMSBadge', + className=>'WebGUI::Asset::Sku::EMSBadge', title => 'title', description => 'desc', })); push(@badges, $ems->addChild({ - className=>'WebGUI::Asset::Sku::EMSBadge', + className=>'WebGUI::Asset::Sku::EMSBadge', title => 'title', description => 'desc', })); foreach my $badge(@badges) { - ok(ref($badge) eq 'WebGUI::Asset::Sku::EMSBadge', 'Badge added'); + ok(ref($badge) eq 'WebGUI::Asset::Sku::EMSBadge', 'Badge added'); } # Check that both badges exists 
@@ -124,15 +130,15 @@ ok(scalar(@$badges) == 2, 'Two Badges exist'); my @tickets; push(@tickets, $ems->addChild({ className=>'WebGUI::Asset::Sku::EMSTicket', - startDate => '2009-01-01 14:00:00', + startDate => '2009-01-01 14:00:00', })); push(@tickets, $ems->addChild({ - className=>'WebGUI::Asset::Sku::EMSTicket', - startDate => '2009-01-01 14:00:00', + className=>'WebGUI::Asset::Sku::EMSTicket', + startDate => '2009-01-01 14:00:00', })); foreach my $ticket(@tickets) { - ok(ref($ticket) eq 'WebGUI::Asset::Sku::EMSTicket', 'Ticket added'); + ok(ref($ticket) eq 'WebGUI::Asset::Sku::EMSTicket', 'Ticket added'); } ok($ems->can('getTickets'), 'Can get tickets'); @@ -145,7 +151,7 @@ push(@ribbons, $ems->addChild({className=>'WebGUI::Asset::Sku::EMSRibbon'})); push(@ribbons, $ems->addChild({className=>'WebGUI::Asset::Sku::EMSRibbon'})); foreach my $ribbon(@ribbons) { - ok(ref($ribbon) eq 'WebGUI::Asset::Sku::EMSRibbon', 'Ribbon added'); + ok(ref($ribbon) eq 'WebGUI::Asset::Sku::EMSRibbon', 'Ribbon added'); } ok($ems->can('getRibbons'), 'Can get ribbons'); @@ -154,10 +160,20 @@ ok(scalar(@$ribbons) == 2, 'Two ribbons exist'); ok( $ems->can('www_getScheduleDataJSON'), 'Can call get Schedule data' ); ok( $ems->can('www_viewSchedule'), 'Can call view Schedule' ); + +$session->user({userId => $crasher->getId}); +my $data = $ems->www_viewSchedule(); +is($session->http->getStatus, 401, 'www_viewSchedule: visitor may not see the schedule'); +$session->http->setStatus(201); + +$session->user({userId => $attender->getId}); +my $data = $ems->www_viewSchedule(); +is($session->http->getStatus, 201, 'attender user may see the schedule'); + my $html = $ems->www_viewSchedule(); ok( $html !~ /REPLACE/, 'tags were successfully replaced'); # print 'html={', $html, "}\n"; -my $data = $ems->www_getScheduleDataJSON(); +$data = $ems->www_getScheduleDataJSON(); cmp_deeply( JSON::from_json($data), { records => [], 
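Review bot: In the last hunk of this line `my $data` is declared twice in the same scope (`my $data = $ems->www_viewSchedule();` once under the $crasher user and again under $attender), which under `use warnings` produces a '"my" variable $data masks earlier declaration' warning; the second occurrence should be `$data = $ems->www_viewSchedule();`. The description `'www_viewSchedule: visitor may not see the schedule'` is also misleading, since $crasher is a freshly created logged-in user that is simply not in the $attendees group rather than the Visitor account; `'user outside groupIdView may not see the schedule'` states what is actually tested. The positive check relies on www_viewSchedule leaving the pre-set 201 sentinel untouched on success, which looks right from the hunk but deserves a one-line comment such as `# sentinel: a successful view must not reset the status`. The following cmp_deeply on www_getScheduleDataJSON runs only as $attender, so there is no negative test for the JSON endpoint in this patch.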
@@ -177,88 +193,88 @@ cmp_deeply( JSON::from_json($data), my @tickets= ( $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 1 room a 10 am', - eventNumber => 1, - startDate => '2009-01-01 10:00:00', - location => 'a', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 1 room a 10 am', + eventNumber => 1, + startDate => '2009-01-01 10:00:00', + location => 'a', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 2 room b 10 am', - eventNumber => 2, - startDate => '2009-01-01 10:00:00', - location => 'b', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 2 room b 10 am', + eventNumber => 2, + startDate => '2009-01-01 10:00:00', + location => 'b', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 3 room c 10 am', - eventNumber => 3, - startDate => '2009-01-01 10:00:00', - location => 'c', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 3 room c 10 am', + eventNumber => 3, + startDate => '2009-01-01 10:00:00', + location => 'c', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 4 room a 11 am', - eventNumber => 4, - startDate => '2009-01-01 11:00:00', - location => 'a', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 4 room a 11 am', + eventNumber => 4, + startDate => '2009-01-01 11:00:00', + location => 'a', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 5 room b 11 am', - eventNumber => 5, - startDate => '2009-01-01 11:00:00', - location => 'b', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 5 room b 11 am', + eventNumber => 5, + startDate => '2009-01-01 11:00:00', + location => 'b', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 6 room c 11 am', - eventNumber => 6, - startDate => '2009-01-01 11:00:00', - location => 'c', + className => 
"WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 6 room c 11 am', + eventNumber => 6, + startDate => '2009-01-01 11:00:00', + location => 'c', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 7 room d 12 am', - eventNumber => 7, - startDate => '2009-01-01 12:00:00', - location => 'd', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 7 room d 12 am', + eventNumber => 7, + startDate => '2009-01-01 12:00:00', + location => 'd', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 8 room a 1 pm', - eventNumber => 8, - startDate => '2009-01-01 13:00:00', - location => 'a', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 8 room a 1 pm', + eventNumber => 8, + startDate => '2009-01-01 13:00:00', + location => 'a', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 9 room b 1 pm', - eventNumber => 9, - startDate => '2009-01-01 13:00:00', - location => 'b', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 9 room b 1 pm', + eventNumber => 9, + startDate => '2009-01-01 13:00:00', + location => 'b', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 10 room c 1 pm', - eventNumber => 10, - startDate => '2009-01-01 13:00:00', - location => 'c', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 10 room c 1 pm', + eventNumber => 10, + startDate => '2009-01-01 13:00:00', + location => 'c', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 11 room e 2 pm', - eventNumber => 11, - startDate => '2009-01-01 14:00:00', - location => 'e', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 11 room e 2 pm', + eventNumber => 11, + startDate => '2009-01-01 14:00:00', + location => 'e', }), $ems->addChild({ - className => "WebGUI::Asset::Sku::EMSTicket", - title => 'lecture 12 room f 2 pm', - eventNumber => 12, 
- startDate => '2009-01-01 14:00:00', - location => 'f', + className => "WebGUI::Asset::Sku::EMSTicket", + title => 'lecture 12 room f 2 pm', + eventNumber => 12, + startDate => '2009-01-01 14:00:00', + location => 'f', }), ); is( scalar(@tickets), 12, 'created tickets for ems'); 
@@ -280,50 +296,50 @@ sub ticketInfo { my $tk = shift; return { }; } cmp_deeply( JSON::from_json($data), { records => [ - { colDate => '', - col1 => { type => 'label', title => 'a' }, - col2 => { type => 'label', title => 'b' }, - col3 => { type => 'label', title => 'c' }, - col4 => { type => 'label', title => 'd' }, - col5 => { type => 'label', title => 'e' }, - }, - { colDate => $tickets[0]->get('startDate'), - col1 => ticketInfo( $tickets[0] ), - col2 => ticketInfo( $tickets[1] ), - col3 => ticketInfo( $tickets[2] ), - col4 => { type => 'empty' }, - col5 => { type => 'empty' }, - }, - { colDate => $tickets[3]->get('startDate'), - col1 => ticketInfo( $tickets[3] ), - col2 => ticketInfo( $tickets[4] ), - col3 => ticketInfo( $tickets[5] ), - col4 => { type => 'empty' }, - col5 => { type => 'empty' }, - }, - { colDate => $tickets[6]->get('startDate'), - col1 => { type => 'empty' }, - col2 => { type => 'empty' }, - col3 => { type => 'empty' }, - col4 => ticketInfo( $tickets[6] ), - col5 => { type => 'empty' }, - }, - { colDate => $tickets[7]->get('startDate'), - col1 => ticketInfo( $tickets[7] ), - col2 => ticketInfo( $tickets[8] ), - col3 => ticketInfo( $tickets[9] ), - col4 => { type => 'empty' }, - col5 => { type => 'empty' }, - }, - { colDate => $tickets[10]->get('startDate'), - col1 => { type => 'empty' }, - col2 => { type => 'empty' }, - col3 => { type => 'empty' }, - col4 => { type => 'empty' }, - col5 => ticketInfo( $tickets[10] ), - }, - ], - totalRecords => 6, + { colDate => '', + col1 => { type => 'label', title => 'a' }, + col2 => { type => 'label', title => 'b' }, + col3 => { type => 'label', title => 'c' }, + col4 => { type => 'label', title => 'd' }, + col5 => { type => 'label', title => 'e' }, + }, + { colDate => $tickets[0]->get('startDate'), + col1 => ticketInfo( $tickets[0] ), + col2 => ticketInfo( $tickets[1] ), + col3 => ticketInfo( $tickets[2] ), + col4 => { type => 'empty' }, + col5 => { type => 'empty' }, + }, + { colDate => 
$tickets[3]->get('startDate'), + col1 => ticketInfo( $tickets[3] ), + col2 => ticketInfo( $tickets[4] ), + col3 => ticketInfo( $tickets[5] ), + col4 => { type => 'empty' }, + col5 => { type => 'empty' }, + }, + { colDate => $tickets[6]->get('startDate'), + col1 => { type => 'empty' }, + col2 => { type => 'empty' }, + col3 => { type => 'empty' }, + col4 => ticketInfo( $tickets[6] ), + col5 => { type => 'empty' }, + }, + { colDate => $tickets[7]->get('startDate'), + col1 => ticketInfo( $tickets[7] ), + col2 => ticketInfo( $tickets[8] ), + col3 => ticketInfo( $tickets[9] ), + col4 => { type => 'empty' }, + col5 => { type => 'empty' }, + }, + { colDate => $tickets[10]->get('startDate'), + col1 => { type => 'empty' }, + col2 => { type => 'empty' }, + col3 => { type => 'empty' }, + col4 => { type => 'empty' }, + col5 => ticketInfo( $tickets[10] ), + }, + ], + totalRecords => 6, recordsReturned => 6, startIndex => 0, sort => undef,