Item5464: Rename attachment needs CHANGE not RENAME
Renaming an attachment changes the topic - enforce ALLOWTOPICCHANGE.
Also don't require ALLOWTOPICRENAME, since the topic is not being
renamed.

Added a unit test to make sure that rename requires change access on the
target web.

git-svn-id: http://svn.foswiki.org/branches/Release01x01@11196 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
GeorgeClark authored and GeorgeClark committed Mar 24, 2011
1 parent 28e2c64 commit 29d6549
Showing 2 changed files with 160 additions and 1 deletion.
154 changes: 154 additions & 0 deletions UnitTestContrib/test/unit/RenameTests.pm
@@ -1091,6 +1091,55 @@ rename [[$this->{new_web}.OldTopic]]
THIS
}

# Rename OldTopic to a different web no change access on target web
sub test_renameTopic_new_web_same_topic_name_no_access {
my $this = shift;

my $m =
Foswiki::Meta->new( $this->{session}, "$this->{test_web}/Targetweb" );
$m->populateNewWeb();
$this->assert( Foswiki::Func::webExists("$this->{test_web}/Targetweb") );

$m =
Foswiki::Meta->new( $this->{session}, "$this->{test_web}/Targetweb",
'WebPreferences' );
$m->text(" * Set ALLOWWEBCHANGE = NotMe\n * Set ALLOWWEBVIEW = \n");
$m->save();

my $query = new Unit::Request(
{
action => ['rename'],
newweb => ["$this->{test_web}/Targetweb" ],
newtopic => ['OldTopic'],
topic => 'OldTopic'
}
);

$query->path_info("/$this->{test_web}");
$this->{session}->finish();
$this->{session} = new Foswiki( $this->{test_user_login}, $query );
$Foswiki::Plugins::SESSION = $this->{session};

try {
my ($text) =
$this->captureWithKey( rename => $UI_FN, $this->{session} );
$this->assert( 0, $text );
}
catch Foswiki::AccessControlException with {
my $e = shift;
$this->assert_equals( 'OldTopic', $e->{topic} );
$this->assert_equals( 'CHANGE', $e->{mode} );
$this->assert_equals( 'access not allowed on web', $e->{reason} );
}
otherwise {
$this->assert( 0, shift );
};

$this->assert( $this->{session}->topicExists( "$this->{test_web}", 'OldTopic' ) );
$this->assert( !$this->{session}->topicExists( "$this->{test_web}/Targetweb", 'OldTopic' ) );

}

# Rename non-wikiword OldTopic to NewTopic within the same web
sub test_renameTopic_nonWikiWord_same_web_new_topic_name {
my $this = shift;
@@ -1757,6 +1806,111 @@ sub test_rename_attachment {
);
}

# Item5464 - Rename of attachment requires change access, not rename access
sub test_rename_attachment_Rename_Denied_Change_Allowed {
my $this = shift;

my $to =
new Foswiki::Meta( $this->{session}, $this->{test_web}, 'NewTopic' );
$to->text("Wibble\n * Set ALLOWTOPICRENAME = NotMe\n");
$to->save();

# returns undef on OSX with 3.15 version of CGI module (works on 3.42)
my $stream = new File::Temp( UNLINK => 0 );
print $stream "Blah Blah";
$stream->close();
$stream->unlink_on_destroy(1);

$to =
new Foswiki::Meta( $this->{session}, $this->{test_web},
$this->{test_topic} );
$to->attach( name => 'dis.dat', file => $stream->filename );

$this->{session}->finish();

my $query = new Unit::Request(
{
attachment => ['dis.dat'],
newattachment => ['doh.dat'],
newtopic => ['NewTopic'],
newweb => $this->{test_web},
}
);

$query->path_info("/$this->{test_web}/$this->{test_topic}");
$this->{session} = new Foswiki( $this->{test_user_login}, $query );
$Foswiki::Plugins::SESSION = $this->{session};
my ($text) = $this->captureWithKey( rename => $UI_FN, $this->{session} );
$this->assert_matches( qr/Status: 302/, $text );
$this->assert_matches( qr#/$this->{test_web}/NewTopic#, $text );
$this->assert(
!Foswiki::Func::attachmentExists(
$this->{test_web}, $this->{test_topic}, 'dis.dat'
)
);
$this->assert(
Foswiki::Func::attachmentExists(
$this->{test_web}, 'NewTopic', 'doh.dat'
)
);
}

# Item5464 - Rename of attachment requires change access, not rename access
sub test_rename_attachment_Rename_Allowed_Change_Denied {
my $this = shift;

my $to =
new Foswiki::Meta( $this->{session}, $this->{test_web}, 'NewTopic' );
$to->text("Wibble\n * Set ALLOWTOPICCHANGE = NotMe\n");
$to->save();

# returns undef on OSX with 3.15 version of CGI module (works on 3.42)
my $stream = new File::Temp( UNLINK => 0 );
print $stream "Blah Blah";
$stream->close();
$stream->unlink_on_destroy(1);

$to =
new Foswiki::Meta( $this->{session}, $this->{test_web},
$this->{test_topic} );
$to->attach( name => 'dis.dat', file => $stream->filename );

$this->{session}->finish();

my $query = new Unit::Request(
{
attachment => ['dis.dat'],
newattachment => ['doh.dat'],
newtopic => ['NewTopic'],
newweb => $this->{test_web},
}
);

$query->path_info("/$this->{test_web}/$this->{test_topic}");
$this->{session} = new Foswiki( $this->{test_user_login}, $query );
$Foswiki::Plugins::SESSION = $this->{session};
try {
my ($text) =
$this->captureWithKey( rename => $UI_FN, $this->{session} );
$this->assert( 0, $text );
}
catch Foswiki::AccessControlException with {
my $e = shift;
$this->assert_equals( 'NewTopic', $e->{topic} );
$this->assert_equals( 'CHANGE', $e->{mode} );
$this->assert_equals( 'access not allowed on topic', $e->{reason} );
}
otherwise {
$this->assert( 0, shift );
};

$this->assert(
Foswiki::Func::attachmentExists(
$this->{test_web}, $this->{test_topic}, 'dis.dat'
)
);
}

sub test_rename_attachment_not_in_meta {
my $this = shift;

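Review bot: In `test_rename_attachment_Rename_Denied_Change_Allowed` the `ALLOWTOPICRENAME = NotMe` setting is saved into `NewTopic`, the destination, whereas the access check this commit changes in Rename.pm is made against the source (`$old`), so the test would likely pass with or without the fix. To pin the intended behaviour, put the restriction on the source topic instead, i.e. save `" * Set ALLOWTOPICRENAME = NotMe\n"` into `$this->{test_topic}` before attaching `dis.dat`. `test_rename_attachment_Rename_Allowed_Change_Denied` only asserts that the source attachment survives; it should also assert that nothing landed on the target: `$this->assert( !Foswiki::Func::attachmentExists( $this->{test_web}, 'NewTopic', 'doh.dat' ) );`. As a style point, the new attachment tests use indirect-object `new Foswiki::Meta(...)` while the first added test uses `Foswiki::Meta->new(...)`; the arrow form is the safer one to standardise on.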
7 changes: 6 additions & 1 deletion core/lib/Foswiki/UI/Rename.pm
@@ -225,7 +225,12 @@ sub _renameTopicOrAttachment {
}
}

Foswiki::UI::checkAccess( $session, 'RENAME', $old );
if ( $newWeb || $newTopic ) {
Foswiki::UI::checkAccess( $session, 'RENAME', $old );
}
else {
Foswiki::UI::checkAccess( $session, 'CHANGE', $old );
}

my $new = Foswiki::Meta->new(
$session,
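Review bot: The new condition `$newWeb || $newTopic` picks the access mode by whether a destination was supplied, not by whether an attachment is being renamed, which does not obviously match the commit description. The added attachment tests send both `newweb` and `newtopic`; if those parameters populate `$newWeb`/`$newTopic` (assigned outside this hunk), an attachment move still demands RENAME on `$old` and never checks CHANGE on the source topic it modifies. Consider keying the branch on the attachment parameter itself so that attachment operations always enforce CHANGE on `$old` and only real topic renames enforce RENAME. At minimum add a comment above the `if`, such as `# attachment rename/move edits topic content: enforce CHANGE, not RENAME, on $old`, stating which request shapes reach each branch. `_renameTopicOrAttachment` starts and ends outside the hunk, so the derivation of these variables should be confirmed there.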
