Merge pull request #825 from simonwelsh/canview
FIX Check for stage and drafts in SiteTree::canView()
Sam Minnée committed Aug 9, 2013
2 parents d017286 + b1664f8 commit e922717
Showing 2 changed files with 24 additions and 2 deletions.
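--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -787,6 +787,23 @@ public function canView($member = null) {
 // admin override
 if($member && Permission::checkMember($member, array("ADMIN", "SITETREE_VIEW_ALL"))) return true;
 
+// make sure we were loaded off an allowed stage
+
+// Were we definitely loaded directly off Live during our query?
+$fromLive = true;
+
+foreach (array('mode' => 'stage', 'stage' => 'live') as $param => $match) {
+$fromLive = $fromLive && strtolower((string)$this->getSourceQueryParam("Versioned.$param")) == $match;
+}
+
+if(!$fromLive
+&& !Session::get('unsecuredDraftSite')
+&& !Permission::checkMember($member, array('CMS_ACCESS_CMSMain', 'VIEW_DRAFT_CONTENT'))) {
+// If we weren't definitely loaded from live, and we can't view non-live content, we need to
+// check to make sure this version is the live version and so can be viewed
+if (Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID) != $this->Version) return false;
+}
+
 // Standard mechanism for accepting permission changes from extensions
 $extended = $this->extendedCan('canView', $member);
 if($extended !== null) return $extended;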
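Review bot: The version check `Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID) != $this->Version` uses a loose comparison, so it can fail open: if the page has no Live row and the lookup returns an empty value (its return for that case is not visible here), a record whose `Version` is also empty or 0 compares equal and is not denied. Fetch the live version once and deny explicitly when it is missing, e.g. `$liveVersion = Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID);` followed by `if(!$liveVersion || (int)$liveVersion !== (int)$this->Version) return false;`. The new `Permission::checkMember($member, ...)` call is also made without the `$member &&` guard used on the admin line above, so it is worth confirming how a null member is resolved there. canView() starts and ends outside this hunk.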
9 changes: 7 additions & 2 deletions tests/search/SearchFormTest.php
@@ -88,6 +88,7 @@ public function testPagesRestrictedToLoggedinUsersNotIncluded() {
$sf = new SearchForm($this->mockController, 'SearchForm');

$page = $this->objFromFixture('SiteTree', 'restrictedViewLoggedInUsers');
$page->publish('Stage', 'Live');
$results = $sf->getResults(null, array('Search'=>'restrictedViewLoggedInUsers'));
$this->assertNotContains(
$page->ID,
@@ -110,6 +111,7 @@ public function testPagesRestrictedToSpecificGroupNotIncluded() {
$sf = new SearchForm($this->mockController, 'SearchForm');

$page = $this->objFromFixture('SiteTree', 'restrictedViewOnlyWebsiteUsers');
$page->publish('Stage', 'Live');
$results = $sf->getResults(null, array('Search'=>'restrictedViewOnlyWebsiteUsers'));
$this->assertNotContains(
$page->ID,
@@ -138,11 +140,14 @@ public function testPagesRestrictedToSpecificGroupNotIncluded() {
$member->logOut();
}

public function testInheritedRestrictedPagesNotInlucded() {
public function testInheritedRestrictedPagesNotIncluded() {
$sf = new SearchForm($this->mockController, 'SearchForm');

$parent = $this->objFromFixture('SiteTree', 'restrictedViewLoggedInUsers');
$parent->publish('Stage', 'Live');

$page = $this->objFromFixture('SiteTree', 'inheritRestrictedView');

$page->publish('Stage', 'Live');
$results = $sf->getResults(null, array('Search'=>'inheritRestrictedView'));
$this->assertNotContains(
$page->ID,
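Review bot: None of the three hunks adds a case for the behaviour the commit fixes; each only publishes the fixture so the existing restricted-page assertions still reach the permission logic. A test is needed in which a page exists on Stage only (or has unpublished edits) and a visitor without `VIEW_DRAFT_CONTENT` or `CMS_ACCESS_CMSMain` gets `canView()` false and no search hit, plus the converse for a member holding one of those permissions. Without it a regression in the draft check would pass this suite unnoticed. The test methods shown continue outside their hunks.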
