
BUG CMSProfileController::Member_ProfileForm() respecting canEdit() p…

…ermissions on Member

CMSProfileController currently checks canView() which ensures that a logged in CMS
Member can access the profile controller, but when saving the record on Member_ProfileForm
there is no check for canEdit(), so extended permissions don't get respected.

This adds a check for canEdit() in Member_ProfileForm, and adds some functional tests
to check permissions.
1 parent dcf5d21 commit 5cbd2dbeb485d1a9571d2892ec941551532753d8 @halkyon halkyon committed Sep 6, 2012
Showing with 111 additions and 0 deletions.
  1. +6 −0 security/Member.php
  2. +78 −0 tests/control/CMSProfileControllerTest.php
  3. +27 −0 tests/control/CMSProfileControllerTest.yml
@@ -1491,6 +1491,12 @@ function dosave($data, $form) {
}
$SQL_data = Convert::raw2sql($data);
$member = DataObject::get_by_id("Member", $SQL_data['ID']);
+
+ if(!$member->canEdit()) {
+ $form->sessionMessage(_t('Member.CANTEDIT', 'You don\'t have permission to do that'), 'bad');
+ return $this->controller->redirectBack();
+ }
+
if($SQL_data['Locale'] != $member->Locale) {
$form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good");
}
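Review bot: The new `canEdit()` call on the line after `DataObject::get_by_id("Member", $SQL_data['ID'])` is made on an object that may not exist, since the ID is taken from the posted data and `get_by_id` returns a falsy value when no such Member is found; that turns a bad or forged ID into a fatal "call to a member function on a non-object" instead of the intended permission failure. The guard should cover the missing-record case as well: `if(!$member || !$member->canEdit()) {`, which keeps the same session message and redirect path for both outcomes. This is also the first point where the posted ID is used to pick the record, so it is worth a short comment above the check, e.g. `// The ID is user-supplied; the loaded record, not the logged-in member, decides canEdit()`. dosave() begins before this hunk, so anything the method does with `$data` earlier is not visible here.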
@@ -0,0 +1,78 @@
+<?php
+class CMSProfileControllerTest extends FunctionalTest {
+
+ public static $fixture_file = 'CMSProfileControllerTest.yml';
+
+ public $autoFollowRedirection = false;
+
+ public function testMemberCantEditAnother() {
+ $member = $this->objFromFixture('Member', 'user1');
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $anotherMember->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+
+ $this->assertNotEquals($anotherMember->FirstName, 'JoeEdited', 'FirstName field stays the same');
+ }
+
+ public function testMemberEditsOwnProfile() {
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertEquals($member->FirstName, 'JoeEdited', 'FirstName field was changed');
+ }
+
+ public function testExtendedPermissionsStopEditingOwnProfile() {
+ Config::inst()->update('Member', 'extensions', array('CMSProfileControllerTestExtension'));
+
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertNotEquals($member->FirstName, 'JoeEdited', 'FirstName field was NOT changed because we modified canEdit');
+ }
+
+}
+class CMSProfileControllerTestExtension extends DataExtension {
+
+ public function canEdit($member = null) {
+ return false;
+ }
+
+}
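Review bot: The two negative tests (testMemberCantEditAnother and testExtendedPermissionsStopEditingOwnProfile) only assert that FirstName did not change, so they would also pass if the form rejected the submission for an unrelated reason such as a validation error, and `$response` is assigned but never inspected. Since `$autoFollowRedirection` is set to false, the response from the denied save is the redirect produced by `redirectBack()`, so asserting on it ties the test to the permission path; something like `$this->assertEquals(302, $response->getStatusCode(), 'Denied save redirects back');` next to the existing assertion would do, with the positive test asserting the same for its own redirect if that is the save's normal outcome. The `assertEquals`/`assertNotEquals` calls also pass the actual value first and the expected literal second, which makes PHPUnit's failure message read backwards; swapping to `$this->assertNotEquals('JoeEdited', $anotherMember->FirstName, ...)` fixes that. Lastly, the `Config::inst()->update('Member', 'extensions', ...)` in the third test changes global Member configuration; if the test base class does not reset config between tests (not visible here), the extension would leak into later tests and should be removed in a tearDown.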
@@ -0,0 +1,27 @@
+Permission:
+ admin:
+ Code: ADMIN
+ cmsmain:
+ Code: CMS_ACCESS_LeftAndMain
+ leftandmain:
+ Code: CMS_ACCESS_CMSMain
+Group:
+ admins:
+ Title: Administrators
+ Permissions: =>Permission.admin
+ cmsusers:
+ Title: CMS Users
+ Permissions: =>Permission.cmsmain, =>Permission.leftandmain
+Member:
+ admin:
+ FirstName: Admin
+ Email: admin@user.com
+ Groups: =>Group.admins
+ user1:
+ FirstName: Joe
+ Email: user1@user.com
+ Groups: =>Group.cmsusers
+ user2:
+ FirstName: Steve
+ Email: user2@user.com
+ Groups: =>Group.cmsusers
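Review bot: The Permission fixture keys are swapped relative to their codes: `cmsmain` carries `Code: CMS_ACCESS_LeftAndMain` and `leftandmain` carries `Code: CMS_ACCESS_CMSMain`. The tests still work because both are granted to the `cmsusers` group together, but the mismatch is confusing for anyone later reusing one of them by reference; renaming so that `cmsmain:` has `Code: CMS_ACCESS_CMSMain` and `leftandmain:` has `Code: CMS_ACCESS_LeftAndMain` (and updating the `Permissions:` reference line accordingly) keeps the fixture self-describing.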
