Permalink
Browse files

Should have written tests for the new check privilege stuff.

  • Loading branch information...
rizen committed Oct 5, 2017
1 parent 9cacad5 commit e5d7c0829365c7e459ecca2f1b03ed7af06a4ad0
Showing with 67 additions and 15 deletions.
  1. +3 −0 CHANGES.txt
  2. +1 −1 author.t/lib/TestWing/DB.pm
  3. +29 −0 author.t/lib/TestWing/DB/Result/Company.pm
  4. +34 −14 lib/Wing/DB/Result.pm
View
@@ -4,6 +4,9 @@ This file tracks the changes to Wing over time. Especially
with respect to new features and compatibility changes.
==========================================================
2017-10-05
* Should have written tests for the new check privilege stuff.
2017-10-04
* check_privilege in Wing::Role::Result::Field now will also describe the field if it is privileged.
* No longer hiding an error sending an email.
@@ -5,7 +5,7 @@ use utf8;
no warnings qw(uninitialized);
extends qw/DBIx::Class::Schema/;
our $VERSION = 4;
our $VERSION = 5;
__PACKAGE__->load_namespaces();
@@ -17,6 +17,12 @@ __PACKAGE__->wing_fields(
view => 'public',
edit => 'postable',
},
private_info => {
dbic => { data_type => 'varchar', size => 255, is_nullable => 1 },
view => 'admin',
edit => 'admin',
check_privilege => 'extra_privilege_switch',
},
);
__PACKAGE__->wing_child(
@@ -29,5 +35,28 @@ __PACKAGE__->wing_child(
__PACKAGE__->wing_finalize_class( table_name => 'companies');
around can_edit => sub {
my ($orig, $self, $user, $tracer) = @_;
if ($self->is_owner) {
return 1;
}
return $orig->($self, $user);
};
has is_owner => (
is => 'rw',
default => 0,
);
has privilege_switch => (
is => 'rw',
default => 0,
);
sub extra_privilege_switch {
my $self = shift;
return $self->privilege_switch;
}
no Moose;
__PACKAGE__->meta->make_immutable(inline_constructor => 0);
View
@@ -498,34 +498,54 @@ See L<Wing::Rest> C<get_tracer()>
sub verify_posted_params {
my ($self, $params, $current_user, $tracer) = @_;
my $can_edit = eval { $self->can_edit($current_user, $tracer) };
my $is_admin = defined $current_user && $current_user->is_admin;
my $can_edit = eval { $is_admin || $self->can_edit($current_user, $tracer) };
my $cant_edit = $@;
my $required_params = $self->required_params;
my $privileged_params = $self->privileged_params;
my $admin_postable_params = $self->admin_postable_params;
my @postable_params = (@{$self->postable_params}, @{ $admin_postable_params }, );
PARAM: foreach my $param (@postable_params) {
if (exists $params->{$param}) {
##Make sure required params exist
my $saveit = sub {
$self->$param($params->{$param});
};
if (any {$_ eq $param} @$required_params && $params->{$param} eq '') {
ouch(441, $param.' is required.', $param) unless $params->{$param};
}
if (!any {$_ eq $param} @{$admin_postable_params}) {
if ( defined $current_user && $current_user->is_admin ) {
##Grandfather in admin access to all params
next PARAM unless exists $privileged_params->{$param};
}
# admins can save whatever they want
if ($is_admin) {
$saveit->();
next PARAM;
}
# skip admin postable params unless they are a privileged param
my $is_admin_postable = any {$_ eq $param} @{$admin_postable_params};
if ($is_admin_postable) {
next PARAM unless exists $privileged_params->{$param};
}
# if it's a privileged param and it can pass the privilege check, save it
if (exists $privileged_params->{$param}) {
##Allow check_privilege overrides (TGC, Game->is_support; TTE, Convention->has_privilege)
next PARAM unless $self->check_privilege_method($privileged_params->{$param}, $current_user);
if ($self->check_privilege_method($privileged_params->{$param}, $current_user)) {
$saveit->();
next PARAM;
}
elsif ($is_admin_postable) { # if we weren't allowed to edit and it was admin postable we need to skip it
next PARAM;
}
}
elsif (!$can_edit) {
##Not a privileged param, fallback to regular can_edit check
die $cant_edit;
# if we are allowed to edit it then save it
if ($can_edit) {
$saveit->();
next PARAM;
}
$self->$param($params->{$param});
# everything failed
ouch 450, $cant_edit, $param;
}
}
}

0 comments on commit e5d7c08

Please sign in to comment.