Merge pull request #777 from halkyon/field_edit3

Member_ProfileForm respects canEdit() permissions on Member
commit 69ea73b4ed0feaed327c75508f8afd54b16db61d 2 parents a0f8d04 + e73d28b
@wilr wilr authored
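--- a/security/Member.php
+++ b/security/Member.php
@@ -1502,10 +1502,14 @@ public function dosave($data, $form) {
 if(!isset($data['ID']) || $data['ID'] != Member::currentUserID()) {
 return $this->controller->redirectBack();
 }
-
 $SQL_data = Convert::raw2sql($data);
 $member = DataObject::get_by_id("Member", $SQL_data['ID']);
-
+
+ if(!$member->canEdit()) {
+ $form->sessionMessage(_t('Member.CANTEDIT', 'You don\'t have permission to do that'), 'bad');
+ return $this->controller->redirectBack();
+ }
+
 if($SQL_data['Locale'] != $member->Locale) {
 $form->addErrorMessage("Generic", _t('Member.REFRESHLANG'),"good");
 }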
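Review bot: The new `if(!$member->canEdit())` line dereferences `$member` without checking that `DataObject::get_by_id()` actually returned an object; when the submitted `ID` matches no Member row (for example an `ID` of 0 while `Member::currentUserID()` is also 0, which the guard above lets through) the call becomes a fatal error instead of the controlled redirect the commit intends. Widen the guard to `if(!$member || !$member->canEdit()) {` so the missing-record case takes the same session-message-and-redirect path. Whether an unauthenticated request can reach this action depends on the controller's own access checks, which are not visible here; dosave() also begins and ends outside the hunk.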
82 tests/control/CMSProfileControllerTest.php
@@ -0,0 +1,82 @@
+<?php
+class CMSProfileControllerTest extends FunctionalTest {
+
+ public static $fixture_file = 'CMSProfileControllerTest.yml';
+
+ public $autoFollowRedirection = false;
+
+ public function testMemberCantEditAnother() {
+ $member = $this->objFromFixture('Member', 'user1');
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $anotherMember->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $anotherMember = $this->objFromFixture('Member', 'user2');
+
+ $this->assertNotEquals($anotherMember->FirstName, 'JoeEdited', 'FirstName field stays the same');
+ }
+
+ public function testMemberEditsOwnProfile() {
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertEquals($member->FirstName, 'JoeEdited', 'FirstName field was changed');
+ }
+
+ public function testExtendedPermissionsStopEditingOwnProfile() {
+ $existingExtensions = Config::inst()->get('Member', 'extensions');
+ Config::inst()->update('Member', 'extensions', array('CMSProfileControllerTestExtension'));
+
+ $member = $this->objFromFixture('Member', 'user1');
+ $this->session()->inst_set('loggedInAs', $member->ID);
+
+ $response = $this->post('admin/myprofile/Member_ProfileForm', array(
+ 'action_dosave' => 1,
+ 'ID' => $member->ID,
+ 'FirstName' => 'JoeEdited',
+ 'Surname' => 'BloggsEdited',
+ 'Email' => $member->Email,
+ 'Locale' => $member->Locale,
+ 'Password[_Password]' => 'password',
+ 'Password[_ConfirmPassword]' => 'password',
+ ));
+
+ $member = $this->objFromFixture('Member', 'user1');
+
+ $this->assertNotEquals($member->FirstName, 'JoeEdited', 'FirstName field was NOT changed because we modified canEdit');
+
+ Config::inst()->remove('Member', 'extensions');
+ Config::inst()->update('Member', 'extensions', $existingExtensions);
+ }
+
+}
+class CMSProfileControllerTestExtension extends DataExtension {
+
+ public function canEdit($member = null) {
+ return false;
+ }
+
+}
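Review bot: The config restore at the end of testExtendedPermissionsStopEditingOwnProfile (the two `Config::inst()` calls after the assertion) only runs when the assertion passes; on a failure `CMSProfileControllerTestExtension` stays attached to Member and can change the outcome of every later test in the run. Unless SapphireTest already nests and unnests Config around each test, move the save into `setUp()` and the restore into `tearDown()` so it is unconditional. Two smaller points: the three `$response` locals are assigned but never read, and the `assertEquals`/`assertNotEquals` calls pass the actual value first where PHPUnit expects the expected value, which makes failure messages read backwards. Note also that testMemberCantEditAnother is already rejected by the existing `$data['ID'] != Member::currentUserID()` guard in dosave(), so on its own it does not exercise the new canEdit() check.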
27 tests/control/CMSProfileControllerTest.yml
@@ -0,0 +1,27 @@
+Permission:
+ admin:
+ Code: ADMIN
+ cmsmain:
+ Code: CMS_ACCESS_LeftAndMain
+ leftandmain:
+ Code: CMS_ACCESS_CMSMain
+Group:
+ admins:
+ Title: Administrators
+ Permissions: =>Permission.admin
+ cmsusers:
+ Title: CMS Users
+ Permissions: =>Permission.cmsmain, =>Permission.leftandmain
+Member:
+ admin:
+ FirstName: Admin
+ Email: admin@user.com
+ Groups: =>Group.admins
+ user1:
+ FirstName: Joe
+ Email: user1@user.com
+ Groups: =>Group.cmsusers
+ user2:
+ FirstName: Steve
+ Email: user2@user.com
+ Groups: =>Group.cmsusers
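Review bot: The fixture labels for the two CMS permissions are swapped relative to their codes: `cmsmain` carries `CMS_ACCESS_LeftAndMain` and `leftandmain` carries `CMS_ACCESS_CMSMain`, so a reader following the `=>Permission.cmsmain` reference under `cmsusers` is led to the wrong code. Rename them so each key matches its code, e.g. `leftandmain:` with `Code: CMS_ACCESS_LeftAndMain` and `cmsmain:` with `Code: CMS_ACCESS_CMSMain`, and update the references on the `cmsusers` Permissions line accordingly. The `admin` member and `admins` group are not referenced by any test in this commit; if the controller's access check does not need them, they can be dropped to keep the fixture minimal.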
