Merge pull request #259 from creative-commoners/pulls/3.0/check-canvi…

…ew-permissions-before-rendering FIX Check canView() permission before rendering BaseElements
silverstripe · Jul 18, 2018 · 62a2108 · 62a2108
2 parents d2bc854 + 66b55b1
commit 62a2108
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 4 deletions.
diff --git a/src/Models/ElementalArea.php b/src/Models/ElementalArea.php
@@ -108,8 +108,10 @@ public function Breadcrumbs()
      */
     public function ElementControllers()
     {
-        $controllers = new ArrayList();
-        $items = $this->Elements();
+        $controllers = ArrayList::create();
+        $items = $this->Elements()->filterByCallback(function (BaseElement $item) {
+            return $item->canView();
+        });
 
         if (!is_null($items)) {
             foreach ($items as $element) {

diff --git a/tests/ElementControllerTest.php b/tests/ElementControllerTest.php
@@ -36,6 +36,8 @@ protected function setUp()
     public function testForTemplate()
     {
         $element = $this->objFromFixture(TestElement::class, 'element1');
+        // Although we read from Versioned::DRAFT, Versioned will still block draft content view permissions
+        $this->logInWithPermission('ADMIN');
         $controller = new TestElementController($element);
 
         $this->assertContains('Hello Test', $controller->forTemplate());

diff --git a/tests/ElementalAreaTest.php b/tests/ElementalAreaTest.php
@@ -33,6 +33,38 @@ public function testElementControllers()
         $this->assertEquals(2, $controllers->count(), 'Should be a controller per element');
     }
 
+    public function testCanViewTestElementIsFalseWhenLoggedInAsCmsEditor()
+    {
+        /** @var ElementalArea $area */
+        $area = $this->objFromFixture(ElementalArea::class, 'area2');
+        // Content editors do not have permission to view the TestElement
+        $this->logInWithPermission('VIEW_DRAFT_CONTENT');
+
+        $controllers = $area->ElementControllers();
+        $this->assertCount(2, $area->Elements(), 'There are two elements in total');
+        $this->assertCount(
+            1,
+            $controllers,
+            'Should be one controller only, since TestElement is not viewable by non-admins'
+        );
+    }
+
+    public function testCanViewTestElementIsTrueForAdmins()
+    {
+        /** @var ElementalArea $area */
+        $area = $this->objFromFixture(ElementalArea::class, 'area2');
+        // Admin users have permission to view the TestElement
+        $this->logInWithPermission('ADMIN');
+
+        $controllers = $area->ElementControllers();
+        $this->assertCount(2, $area->Elements(), 'There are two elements in total');
+        $this->assertCount(
+            2,
+            $controllers,
+            'Should be two controllers when logged in as admin'
+        );
+    }
+
     public function testGetOwnerPage()
     {
         $area1 = $this->objFromFixture(ElementalArea::class, 'area1');

diff --git a/tests/ElementalAreaTest.yml b/tests/ElementalAreaTest.yml
@@ -24,3 +24,12 @@ DNADesign\Elemental\Tests\Src\TestElement:
     Title: Element 2
     TestValue: 'Hello Test 2'
     ParentID: =>DNADesign\Elemental\Models\ElementalArea.area1
+  element3:
+    Title: Element 3
+    TestValue: 'Hello Test 3'
+    ParentID: =>DNADesign\Elemental\Models\ElementalArea.area2
+
+DNADesign\Elemental\Models\ElementContent:
+  content1:
+    HTML: Some content
+    ParentID: =>DNADesign\Elemental\Models\ElementalArea.area2
diff --git a/tests/Src/TestElement.php b/tests/Src/TestElement.php
@@ -2,15 +2,16 @@
 
 namespace DNADesign\Elemental\Tests\Src;
 
-use SilverStripe\Dev\TestOnly;
 use DNADesign\Elemental\Models\BaseElement;
+use SilverStripe\Dev\TestOnly;
+use SilverStripe\Security\Permission;
 
 class TestElement extends BaseElement implements TestOnly
 {
     private static $table_name = 'TestElement';
 
     private static $db = [
-        'TestValue' => 'Text'
+        'TestValue' => 'Text',
     ];
 
     private static $controller_class = TestElementController::class;
@@ -19,4 +20,13 @@ public function getType()
     {
         return 'A test element';
     }
+
+    public function canView($member = null)
+    {
+        $check = Permission::checkMember($member, 'ADMIN');
+        if ($check !== null) {
+            return $check;
+        }
+        return parent::canView($member);
+    }
 }