Requiring live checks in some cases

LibreCat · Mar 5, 2020 · a148788 · a148788
1 parent a805d89
commit a148788
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 18 deletions.
diff --git a/lib/LibreCat/App/Catalogue/Controller/Permission.pm b/lib/LibreCat/App/Catalogue/Controller/Permission.pm
@@ -63,8 +63,11 @@ sub _can_do_action {
 
     return 0 unless defined($user_id) && defined($role);
 
-    my $pub   = get_cached_publication($id) or return 0;
-    my $user  = get_cached_user($user_id);
+    my $pub   = $opts->{live} ? h->main_publication->get($id) : get_cached_publication($id);
+
+    is_hash_ref($pub) or return 0;
+
+    my $user  = $opts->{live} ? h->get_person( $user_id ) : get_cached_user($user_id);
 
     # do not touch deleted records
     return 0 if $pub->{status} && $pub->{status} eq 'deleted';
@@ -102,7 +105,9 @@ Publication identifier
 
 =item opts
 
-Hash reference containing "user_id" and "role". Both must be a string
+ * user_id
+ * role
+ * [live=1]
 
 =back
 
@@ -123,7 +128,9 @@ Publication identifier
 
 =item opts
 
-Hash reference containing "user_id" and "role". Both must be a string
+* user_id
+* role
+* [live=1]
 
 =back
 
@@ -144,7 +151,9 @@ Publication identifier
 
 =item opts
 
-Hash reference containing "user_id" and "role". Both must be a string
+* user_id
+* role
+* [live=1]
 
 =back
 
@@ -165,7 +174,9 @@ Publication identifier
 
 =item opts
 
-Hash reference containing "user_id" and "role". Both must be a string
+* user_id
+* role
+* [live=1]
 
 =back
 
@@ -186,7 +197,9 @@ Publication identifier
 
 =item opts
 
-Hash reference containing "user_id" and "role". Both must be a string
+* user_id
+* role
+* [live=1]
 
 =back
 
@@ -213,6 +226,7 @@ Hash reference containing:
     * role (string)
     * file_id (string)
     * ip (string)
+    * [live=1]
 
 =back
 
@@ -224,8 +238,10 @@ sub can_download {
     is_string($id)     or return (0, "");
     is_hash_ref($opts) or return (0, "");
 
-    my $pub = get_cached_publication($id) or return (0, "");
+    my $pub   = $opts->{live} ? h->main_publication->get($id) : get_cached_publication($id);
 
+    is_hash_ref($pub) or retur (0,"");
+
     my $file_id = $opts->{file_id};
     my $user_id = $opts->{user_id};
     my $role    = $opts->{role};

diff --git a/lib/LibreCat/App/Catalogue/Route/file.pm b/lib/LibreCat/App/Catalogue/Route/file.pm
@@ -156,7 +156,8 @@ sub _handle_download {
             file_id => $file_id,
             user_id => session->{user_id},
             role    => session->{role},
-            ip      => request->address
+            ip      => request->address,
+            live    => 1
         }
     );
 

diff --git a/lib/LibreCat/App/Catalogue/Route/publication.pm b/lib/LibreCat/App/Catalogue/Route/publication.pm
@@ -139,7 +139,7 @@ Checks if the user has permission the see/edit this record.
         unless (
             p->can_edit(
                 $rec->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -201,7 +201,7 @@ Checks if the user has the rights to update this record.
             $params->{finalSubmit} eq 'recPublish'
             && p->can_make_public(
                 $params->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -211,7 +211,7 @@ Checks if the user has the rights to update this record.
             $params->{finalSubmit} eq 'recReturn'
             && p->can_return(
                 $params->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -221,7 +221,7 @@ Checks if the user has the rights to update this record.
             $params->{finalSubmit} eq 'recSubmit'
             && p->can_submit(
                 $params->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -230,7 +230,7 @@ Checks if the user has the rights to update this record.
         elsif (
             p->can_edit(
                 $params->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
         )
         {
@@ -352,7 +352,7 @@ Checks if the user has the rights to edit this record.
         unless (
             p->can_return(
                 $rec->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -390,7 +390,7 @@ Deletes record with id. For admins only.
         unless (
             p->can_delete(
                 $rec->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {
@@ -518,7 +518,7 @@ Publishes private records, returns to the list.
         unless (
             p->can_make_public(
                 $rec->{_id},
-                {user_id => session("user_id"), role => session("role")}
+                {user_id => session("user_id"), role => session("role"), live=>1}
             )
             )
         {

diff --git a/t/LibreCat/App/Catalogue/Route/file.t b/t/LibreCat/App/Catalogue/Route/file.t
@@ -159,7 +159,6 @@ note("hide record from public and try to download");
     $pubs->search_bag->add($r);
     $pubs->bag->commit();
     $pubs->search_bag->commit;
-
     $mech->max_redirect(0);
     $mech->get("/download/$record_id/$file_id/$file_name");
     is ($mech->status, 403, "forbidden: status 403");