add permissions checks for wizards

lib/WebGUI/Wizard.pm

@@ -99,6 +99,10 @@ them again after everything's done.
 sub dispatch {
     my ($self) = @_;
 
+    if ( !$self->canView ) {
+        return $self->session->privilege->noAccess;
+    }
+
     # See if we process a form
     if ( my $step = $self->getCurrentStep ) { 
         $self->session->log->info( "Processing " . $step );

lib/WebGUI/Wizard/HomePage.pm

@@ -68,6 +68,11 @@ sub addPage {
     return addAsset( $parent, { title => $title, className => "WebGUI::Asset::Wobject::Layout", displayTitle => 0 } );
 }
 
+sub canView {
+    my ( $self ) = @_;
+    return $self->session->user->isAdmin;
+}
+
 sub wrapStyle { 
     return WebGUI::Wizard::Setup::wrapStyle( @_ );
 }

lib/WebGUI/Wizard/Setup.pm

@@ -20,6 +20,15 @@ sub _get_steps {
     )];
 }
 
+sub canView {
+    my ( $self ) = @_;
+    my $session = $self->session;
+
+    # Only specialState="init" or admin user
+    return $session->setting->get('specialState') eq 'init' 
+        || $session->user->getId eq '3';
+}
+
 sub wrapStyle {
     my ( $self, $output ) = @_;
     my $session = $self->session;
@@ -49,7 +58,7 @@ body {
     background-color:   #ccf;
 }
 
-h1 { 
+h1 {
     position: absolute; 
     top: 10px;
     padding: 0;
@@ -154,6 +163,8 @@ sub www_adminAccountSave {
     $u->profileField( "timeZone", $timezone );
     $u->profileField( "language", $language );
     $u->identifier( Digest::MD5::md5_base64( $form->process( "identifier", "password", "123qwe" ) ) );
+    # The user is now Admin
+    $session->user({ userId => "3" });
 
     $u = WebGUI::User->new( $session, "1" );
     $u->profileField( "timeZone", $timezone );