Fixed checking of core.edit.own in views and in models of contenthist…

…ory, and also added category form case
joomla · Jun 18, 2016 · 5bbbcff · 5bbbcff
1 parent a2df687
commit 5bbbcff
Show file tree

Hide file tree

Showing 11 changed files with 177 additions and 84 deletions.
diff --git a/administrator/components/com_banners/views/banner/view.html.php b/administrator/components/com_banners/views/banner/view.html.php
@@ -112,7 +112,7 @@ protected function addToolbar()
 		}
 		else
 		{
-			if ($this->state->params->get('save_history', 0) && $user->authorise('core.edit'))
+			if ($this->state->params->get('save_history', 0) && $canDo->get('core.edit'))
 			{
 				JToolbarHelper::versions('com_banners.banner', $this->item->id);
 			}

diff --git a/administrator/components/com_banners/views/client/view.html.php b/administrator/components/com_banners/views/client/view.html.php
@@ -117,7 +117,7 @@ protected function addToolbar()
 		}
 		else
 		{
-			if ($this->state->params->get('save_history', 0) && $user->authorise('core.edit'))
+			if ($this->state->params->get('save_history', 0) && $canDo->get('core.edit'))
 			{
 				JToolbarHelper::versions('com_banners.client', $this->item->id);
 			}

diff --git a/administrator/components/com_categories/views/category/view.html.php b/administrator/components/com_categories/views/category/view.html.php
@@ -166,33 +166,34 @@ protected function addToolbar()
 			JToolbarHelper::apply('category.apply');
 			JToolbarHelper::save('category.save');
 			JToolbarHelper::save2new('category.save2new');
+			JToolbarHelper::cancel('category.cancel');
 		}
 
 		// If not checked out, can save the item.
-		elseif (!$checkedOut && ($canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_user_id == $userId)))
+		else
 		{
-			JToolbarHelper::apply('category.apply');
-			JToolbarHelper::save('category.save');
+			// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
+			$itemEditable = $canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_user_id == $userId);
 
-			if ($canDo->get('core.create'))
+			// Can't save the record if it's checked out and editable
+			if (!$checkedOut && $itemEditable)
 			{
-				JToolbarHelper::save2new('category.save2new');
+				JToolbarHelper::apply('category.apply');
+				JToolbarHelper::save('category.save');
+
+				if ($canDo->get('core.create'))
+				{
+					JToolbarHelper::save2new('category.save2new');
+				}
 			}
-		}
 
-		// If an existing item, can save to a copy.
-		if (!$isNew && $canDo->get('core.create'))
-		{
-			JToolbarHelper::save2copy('category.save2copy');
-		}
+			// If an existing item, can save to a copy.
+			if ($canDo->get('core.create'))
+			{
+				JToolbarHelper::save2copy('category.save2copy');
+			}
 
-		if (empty($this->item->id))
-		{
-			JToolbarHelper::cancel('category.cancel');
-		}
-		else
-		{
-			if ($componentParams->get('save_history', 0) && $user->authorise('core.edit'))
+			if ($componentParams->get('save_history', 0) && $itemEditable)
 			{
 				$typeAlias = $extension . '.category';
 				JToolbarHelper::versions($typeAlias, $this->item->id);

diff --git a/administrator/components/com_contact/views/contact/view.html.php b/administrator/components/com_contact/views/contact/view.html.php
@@ -106,20 +106,19 @@ protected function addToolbar()
 		}
 		else
 		{
-			// Can't save the record if it's checked out.
-			if (!$checkedOut)
+			// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
+			$itemEditable = $canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_by == $userId);
+
+			// Can't save the record if it's checked out and editable
+			if (!$checkedOut && $itemEditable)
 			{
-				// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
-				if ($canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_by == $userId))
+				JToolbarHelper::apply('contact.apply');
+				JToolbarHelper::save('contact.save');
+
+				// We can save this record, but check the create permission to see if we can return to make a new one.
+				if ($canDo->get('core.create'))
 				{
-					JToolbarHelper::apply('contact.apply');
-					JToolbarHelper::save('contact.save');
-
-					// We can save this record, but check the create permission to see if we can return to make a new one.
-					if ($canDo->get('core.create'))
-					{
-						JToolbarHelper::save2new('contact.save2new');
-					}
+					JToolbarHelper::save2new('contact.save2new');
 				}
 			}
 
@@ -129,7 +128,7 @@ protected function addToolbar()
 				JToolbarHelper::save2copy('contact.save2copy');
 			}
 
-			if ($this->state->params->get('save_history', 0) && ($user->authorise('core.edit') || $user->authorise('core.edit.own')))
+			if ($this->state->params->get('save_history', 0) && $itemEditable)
 			{
 				JToolbarHelper::versions('com_contact.contact', $this->item->id);
 			}

diff --git a/administrator/components/com_content/views/article/view.html.php b/administrator/components/com_content/views/article/view.html.php
@@ -101,20 +101,19 @@ protected function addToolbar()
 		}
 		else
 		{
-			// Can't save the record if it's checked out.
-			if (!$checkedOut)
+			// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
+			$itemEditable = $canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_by == $userId);
+
+			// Can't save the record if it's checked out and editable
+			if (!$checkedOut && $itemEditable)
 			{
-				// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
-				if ($canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_by == $userId))
+				JToolbarHelper::apply('article.apply');
+				JToolbarHelper::save('article.save');
+
+				// We can save this record, but check the create permission to see if we can return to make a new one.
+				if ($canDo->get('core.create'))
 				{
-					JToolbarHelper::apply('article.apply');
-					JToolbarHelper::save('article.save');
-
-					// We can save this record, but check the create permission to see if we can return to make a new one.
-					if ($canDo->get('core.create'))
-					{
-						JToolbarHelper::save2new('article.save2new');
-					}
+					JToolbarHelper::save2new('article.save2new');
 				}
 			}
 
@@ -124,7 +123,7 @@ protected function addToolbar()
 				JToolbarHelper::save2copy('article.save2copy');
 			}
 
-			if ($this->state->params->get('save_history', 0) && ($canDo->get('core.edit') || $canDo->get('core.edit.own')))
+			if ($this->state->params->get('save_history', 0) && $itemEditable)
 			{
 				JToolbarHelper::versions('com_content.article', $this->item->id);
 			}

diff --git a/administrator/components/com_contenthistory/models/compare.php b/administrator/components/com_contenthistory/models/compare.php
@@ -55,11 +55,7 @@ public function getItems()
 			$user = JFactory::getUser();
 
 			// Access check
-			if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $table1->ucm_item_id))
-			{
-				$return = true;
-			}
-			elseif ($user->authorise('core.edit.own', $contentTypeTable->type_alias . '.' . (int) $table1->ucm_item_id))
+			if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $table1->ucm_item_id) || $this->canEdit($table1))
 			{
 				$return = true;
 			}
@@ -88,4 +84,46 @@ public function getItems()
 
 		return false;
 	}
+
+	/**
+	 * Method to test whether a record is editable
+	 *
+	 * @param   JTableContenthistory  $record  A JTable object.
+	 *
+	 * @return  boolean  True if allowed to edit the record. Defaults to the permission set in the component.
+	 *
+	 * @since   3.6
+	 */
+	protected function canEdit($record)
+	{
+		$result = false;
+
+		if (!empty($record->ucm_type_id))
+		{
+			// Check that the type id matches the type alias
+			$typeAlias = JFactory::getApplication()->input->get('type_alias');
+
+			/** @var JTableContenttype $contentTypeTable */
+			$contentTypeTable = JTable::getInstance('Contenttype', 'JTable');
+
+			if ($contentTypeTable->getTypeId($typeAlias) == $record->ucm_type_id)
+			{
+				/**
+				 * Make sure user has edit privileges for this content item. Note that we use edit permissions
+				 * for the content item, not delete permissions for the content history row.
+				 */
+				$user   = JFactory::getUser();
+				$result = $user->authorise('core.edit', $typeAlias . '.' . (int) $record->ucm_item_id);
+
+				// Finally try session (this catch catches edit.own case too)
+				if (!$result)
+				{
+					$typeEditables = (array) JFactory::getApplication()->getUserState(str_replace('.', '.edit.', $typeAlias) . '.id');
+					$result = in_array((int) $record->ucm_item_id, $values);
+				}
+			}
+		}
+
+		return $result;
+	}
 }
diff --git a/administrator/components/com_contenthistory/models/history.php b/administrator/components/com_contenthistory/models/history.php
@@ -40,12 +40,11 @@ public function __construct($config = array())
 	}
 
 	/**
-	 * Method to test whether a history record can be deleted. Note that we check whether we have edit permissions
-	 * for the content item row.
+	 * Method to test whether a record is editable
 	 *
 	 * @param   JTableContenthistory  $record  A JTable object.
 	 *
-	 * @return  boolean  True if allowed to delete the record. Defaults to the permission set in the component.
+	 * @return  boolean  True if allowed to edit the record. Defaults to the permission set in the component.
 	 *
 	 * @since   3.2
 	 */
@@ -69,12 +68,34 @@ protected function canEdit($record)
 				 */
 				$user   = JFactory::getUser();
 				$result = $user->authorise('core.edit', $typeAlias . '.' . (int) $record->ucm_item_id);
+
+				// Finally try session (this catch catches edit.own case too)
+				if (!$result)
+				{
+					$typeEditables = (array) JFactory::getApplication()->getUserState(str_replace('.', '.edit.', $typeAlias) . '.id');
+					$result = in_array((int) $record->ucm_item_id, $values);
+				}
 			}
 		}
 
 		return $result;
 	}
 
+	/**
+	 * Method to test whether a history record can be deleted. Note that we check whether we have edit permissions
+	 * for the content item row.
+	 *
+	 * @param   JTableContenthistory  $record  A JTable object.
+	 *
+	 * @return  boolean  True if allowed to delete the record. Defaults to the permission set in the component.
+	 *
+	 * @since   3.6
+	 */
+	protected function canDelete($record)
+	{
+		return canEdit($record);
+	}
+
 	/**
 	 * Method to delete one or more records from content history table.
 	 *
@@ -172,11 +193,7 @@ public function getItems()
 		}
 
 		// Access check
-		if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $items[0]->ucm_item_id))
-		{
-			return $items;
-		}
-		elseif ($user->authorise('core.edit.own', $contentTypeTable->type_alias . '.' . (int) $items[0]->ucm_item_id))
+		if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $items[0]->ucm_item_id) || $this->canEdit($items[0]))
 		{
 			return $items;
 		}

diff --git a/administrator/components/com_contenthistory/models/preview.php b/administrator/components/com_contenthistory/models/preview.php
@@ -49,11 +49,7 @@ public function getItem()
 		$user = JFactory::getUser();
 
 		// Access check
-		if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $table->ucm_item_id))
-		{
-			$return = true;
-		}
-		elseif ($user->authorise('core.edit.own', $contentTypeTable->type_alias . '.' . (int) $table->ucm_item_id))
+		if ($user->authorise('core.edit', $contentTypeTable->type_alias . '.' . (int) $table->ucm_item_id) || $this->canEdit($table))
 		{
 			$return = true;
 		}
@@ -75,4 +71,46 @@ public function getItem()
 			return $result;
 		}
 	}
+
+	/**
+	 * Method to test whether a record is editable
+	 *
+	 * @param   JTableContenthistory  $record  A JTable object.
+	 *
+	 * @return  boolean  True if allowed to edit the record. Defaults to the permission set in the component.
+	 *
+	 * @since   3.6
+	 */
+	protected function canEdit($record)
+	{
+		$result = false;
+
+		if (!empty($record->ucm_type_id))
+		{
+			// Check that the type id matches the type alias
+			$typeAlias = JFactory::getApplication()->input->get('type_alias');
+
+			/** @var JTableContenttype $contentTypeTable */
+			$contentTypeTable = JTable::getInstance('Contenttype', 'JTable');
+
+			if ($contentTypeTable->getTypeId($typeAlias) == $record->ucm_type_id)
+			{
+				/**
+				 * Make sure user has edit privileges for this content item. Note that we use edit permissions
+				 * for the content item, not delete permissions for the content history row.
+				 */
+				$user   = JFactory::getUser();
+				$result = $user->authorise('core.edit', $typeAlias . '.' . (int) $record->ucm_item_id);
+
+				// Finally try session (this catch catches edit.own case too)
+				if (!$result)
+				{
+					$typeEditables = (array) JFactory::getApplication()->getUserState(str_replace('.', '.edit.', $typeAlias) . '.id');
+					$result = in_array((int) $record->ucm_item_id, $values);
+				}
+			}
+		}
+
+		return $result;
+	}
 }
diff --git a/administrator/components/com_newsfeeds/views/newsfeed/view.html.php b/administrator/components/com_newsfeeds/views/newsfeed/view.html.php
@@ -115,7 +115,7 @@ protected function addToolbar()
 		}
 		else
 		{
-			if ($this->state->params->get('save_history', 0) && ($user->authorise('core.edit') || $user->authorise('core.edit.own')))
+			if ($this->state->params->get('save_history', 0) && $canDo->get('core.edit'))
 			{
 				JToolbarHelper::versions('com_newsfeeds.newsfeed', $this->item->id);
 			}

diff --git a/administrator/components/com_tags/views/tag/view.html.php b/administrator/components/com_tags/views/tag/view.html.php
@@ -90,33 +90,34 @@ protected function addToolbar()
 			JToolbarHelper::apply('tag.apply');
 			JToolbarHelper::save('tag.save');
 			JToolbarHelper::save2new('tag.save2new');
+			JToolbarHelper::cancel('tag.cancel');
 		}
 
 		// If not checked out, can save the item.
-		elseif (!$checkedOut && ($canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_user_id == $userId)))
+		else
 		{
-			JToolbarHelper::apply('tag.apply');
-			JToolbarHelper::save('tag.save');
+			// Since it's an existing record, check the edit permission, or fall back to edit own if the owner.
+			$itemEditable = $canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_user_id == $userId);
 
-			if ($canDo->get('core.create'))
+			// Can't save the record if it's checked out and editable
+			if (!$checkedOut && $itemEditable)
 			{
-				JToolbarHelper::save2new('tag.save2new');
+				JToolbarHelper::apply('tag.apply');
+				JToolbarHelper::save('tag.save');
+
+				if ($canDo->get('core.create'))
+				{
+					JToolbarHelper::save2new('tag.save2new');
+				}
 			}
-		}
 
-		// If an existing item, can save to a copy.
-		if (!$isNew && $canDo->get('core.create'))
-		{
-			JToolbarHelper::save2copy('tag.save2copy');
-		}
+			// If an existing item, can save to a copy.
+			if ($canDo->get('core.create'))
+			{
+				JToolbarHelper::save2copy('tag.save2copy');
+			}
 
-		if (empty($this->item->id))
-		{
-			JToolbarHelper::cancel('tag.cancel');
-		}
-		else
-		{
-			if ($this->state->params->get('save_history', 0) && ($user->authorise('core.edit') || $user->authorise('core.edit.own')))
+			if ($this->state->params->get('save_history', 0) && $itemEditable)
 			{
 				JToolbarHelper::versions('com_tags.tag', $this->item->id);
 			}