
MINOR Fixed permissions inconsistency, where users can't delete their…

… own posts in Post->canDelete().
1 parent a2c11e1 commit 904e493f3d01dcd395920184d27bd17e501722fd @chillu chillu committed Aug 4, 2011
Showing with 43 additions and 38 deletions.
  1. +7 −2 code/Post.php
  2. +36 −36 tests/PostTest.php
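--- a/code/Post.php
+++ b/code/Post.php
@@ -107,10 +107,15 @@ function canEdit() {
 }
 /**
- * Check if user can delete this post - only moderators are allowed to delete.
+ * Follow edit permissions for this, but additionally allow moderation even
+ * if the thread is marked as readonly.
 */
 function canDelete() {
- return $this->Thread()->canModerate();
+ if($this->canEdit()) {
+ return true;
+ } else {
+ return $this->Thread()->canModerate();
+ }
 }
 /**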
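Review bot: canDelete() now grants deletion to anyone canEdit() accepts, so the destructive permission silently follows every future change to the edit rule; canEdit() itself lies outside this hunk, so whether it rejects a logged-out visitor cannot be confirmed from here. The docblock should state that coupling and the return value, for example `@return boolean True if the current member may edit this post or may moderate its thread`. The branch can also be written as a single expression, `return $this->canEdit() || $this->Thread()->canModerate();`, which keeps the short-circuit and drops an if/else that only returns booleans.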
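--- a/tests/PostTest.php
+++ b/tests/PostTest.php
@@ -5,48 +5,48 @@ class PostTest extends FunctionalTest {
 static $fixture_file = "forum/tests/ForumTest.yml";
 function testPermissions() {
- $member = $this->objFromFixture('Member', 'test1');
- $this->session()->inst_set('loggedInAs', $member->ID);
-
+ $member1 = $this->objFromFixture('Member', 'test1');
+ $member2 = $this->objFromFixture('Member', 'test2');
+ $moderator = $this->objFromFixture('Member', 'moderator');
+ $admin = $this->objFromFixture('Member', 'admin');
+
+ $postMember2 = $this->objFromFixture('Post', 'Post18');
+
 // read only thread post
- $readonly = $this->objFromFixture('Post', 'ReadonlyThreadPost');
- $this->assertFalse($readonly->canEdit()); // Even though it's user's own
- $this->assertTrue($readonly->canView());
- $this->assertFalse($readonly->canCreate());
- $this->assertFalse($readonly->canDelete());
+ $member1->logIn();
+ $postReadonly = $this->objFromFixture('Post', 'ReadonlyThreadPost');
+ $this->assertFalse($postReadonly->canEdit()); // Even though it's user's own
+ $this->assertTrue($postReadonly->canView());
+ $this->assertFalse($postReadonly->canCreate());
+ $this->assertFalse($postReadonly->canDelete());
 // normal thread. They can post to these
- $post = $this->objFromFixture('Post', 'Post18');
- $this->assertFalse($post->canEdit()); // Not user's post
- $this->assertTrue($post->canView());
- $this->assertTrue($post->canCreate());
- $this->assertFalse($post->canDelete());
-
- $member = $this->objFromFixture('Member', 'test2');
- $this->session()->inst_set('loggedInAs', $member->ID);
-
- // Check the user can edit his own post (but not delete)
- $this->assertTrue($post->canEdit()); // User's post
- $this->assertTrue($post->canView());
- $this->assertTrue($post->canCreate());
- $this->assertFalse($post->canDelete());
-
- // Moderator can delete posts
- $member = $this->objFromFixture('Member', 'moderator');
- $member->logIn();
+ $member1->logIn();
+ $this->assertFalse($postMember2->canEdit()); // Not user's post
+ $this->assertTrue($postMember2->canView());
+ $this->assertTrue($postMember2->canCreate());
+ $this->assertFalse($postMember2->canDelete());
+
+ // Check the user has full rights on his own post
+ $member2->logIn();
+ $this->assertTrue($postMember2->canEdit()); // User's post
+ $this->assertTrue($postMember2->canView());
+ $this->assertTrue($postMember2->canCreate());
+ $this->assertTrue($postMember2->canDelete());
- $this->assertFalse($post->canEdit());
- $this->assertTrue($post->canView());
- $this->assertTrue($post->canCreate());
- $this->assertTrue($post->canDelete());
+ // Moderator can delete posts, even if he doesn't own them
+ $moderator->logIn();
+ $this->assertFalse($postMember2->canEdit());
+ $this->assertTrue($postMember2->canView());
+ $this->assertTrue($postMember2->canCreate());
+ $this->assertTrue($postMember2->canDelete());
- // Admins should have full rights, even if they're not moderators
- $admin = $this->objFromFixture('Member', 'admin');
+ // Admins should have full rights, even if they're not moderators or own the post
 $admin->logIn();
- $this->assertTrue($post->canEdit());
- $this->assertTrue($post->canView());
- $this->assertTrue($post->canCreate());
- $this->assertTrue($post->canDelete());
+ $this->assertTrue($postMember2->canEdit());
+ $this->assertTrue($postMember2->canView());
+ $this->assertTrue($postMember2->canCreate());
+ $this->assertTrue($postMember2->canDelete());
 }
 function testGetTitle() {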
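Review bot: testPermissions() never checks the case the new Post::canDelete() docblock singles out, a moderator deleting a post in a read-only thread: `$postReadonly` is asserted only while `$member1` is logged in. Assuming the fixture's moderator moderates that thread's forum (the YAML fixture is not shown here), add `$this->assertTrue($postReadonly->canDelete());` after `$moderator->logIn();`. A logged-out case is missing as well; because deletion now follows canEdit(), an assertion that canDelete() is false with no member logged in would catch an edit rule that fails open. The trailing testGetTitle() continues past the end of this hunk.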
