browsercms 3.0.2 → 3.0.3

data/app/controllers/cms/content_block_controller.rb

@@ -33,6 +33,7 @@ class Cms::ContentBlockController < Cms::BaseController
       after_create_on_failure
     end
   rescue Exception => @exception
+    raise @exception if @exception.is_a?(Cms::Errors::AccessDenied)
     after_create_on_error
   end
   
@@ -50,6 +51,7 @@ class Cms::ContentBlockController < Cms::BaseController
   rescue ActiveRecord::StaleObjectError => @exception
     after_update_on_edit_conflict
   rescue Exception => @exception
+    raise @exception if @exception.is_a?(Cms::Errors::AccessDenied)
     after_update_on_error
   end
   
@@ -127,15 +129,18 @@ class Cms::ContentBlockController < Cms::BaseController
       options[:order] = params[:order] unless params[:order].blank?
       scope = model_class.respond_to?(:list) ? model_class.list : model_class
       @blocks = scope.searchable? ? scope.search(params[:search]).paginate(options) : scope.paginate(options)
+      check_permissions
     end
   
     def load_block
       @block = model_class.find(params[:id])
+      check_permissions
     end
   
     def load_block_draft
-      load_block
+      @block = model_class.find(params[:id])
       @block = @block.as_of_draft_version if model_class.versioned?
+      check_permissions
     end
   
     # path related methods - available in the view as helpers
@@ -162,6 +167,7 @@ class Cms::ContentBlockController < Cms::BaseController
   
     def build_block
       @block = model_class.new(params[model_name])
+      check_permissions
     end
 
     def set_default_category
@@ -244,6 +250,23 @@ class Cms::ContentBlockController < Cms::BaseController
         false
       end
     end
+    
+    # Use a "whitelist" approach to access to avoid mistakes
+    # By default everyone can create new block and view them and their properties,
+    # but blocks can only be modified based on the permissions of the pages they
+    # are connected to.
+    def check_permissions
+      case action_name
+        when "index", "show", "new", "create", "version", "versions", "usages"
+          # Allow
+        when "edit", "update"
+          raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@block)
+        when "destroy", "publish", "revert_to"
+          raise Cms::Errors::AccessDenied unless current_user.able_to_publish?(@block)
+        else
+          raise Cms::Errors::AccessDenied
+      end
+    end
 
     # methods to setup the view
 
@@ -259,4 +282,4 @@ class Cms::ContentBlockController < Cms::BaseController
       "cms/blocks"
     end
 
-end
+end

data/app/controllers/cms/content_controller.rb

@@ -58,6 +58,7 @@ class Cms::ContentController < Cms::ApplicationController
   # if caching is not enabled
   def render_page
     @_page_route.execute(self) if @_page_route
+    prepare_connectables_for_render 
     render :layout => @page.layout, :action => 'show'
   end
   
@@ -94,11 +95,39 @@ class Cms::ContentController < Cms::ApplicationController
         @template.instance_variable_set("#{v}", nil)
       end
       
+      prepare_connectables_for_render
       render :layout => @page.layout, :template => 'cms/content/show', :status => status
     else
       handle_server_error(exception)
     end      
-  end    
+  end   
+  
+  # If any of the page's connectables (portlets, etc) are renderable, they may have a render method
+  # which does "controller" stuff, so we need to get that run before rendering the page.
+  def prepare_connectables_for_render
+
+    @_connectors = @page.connectors.for_page_version(@page.version)
+    @_connectables = @_connectors.map(&:connectable_with_deleted)
+    unless (logged_in? && current_user.able_to?(:administrate, :edit_content, :publish_content))
+      worst_exception = nil
+      @_connectables.each do |c|
+        begin
+          c.prepare_to_render(self) 
+        rescue
+          logger.debug "THROWN EXCEPTION by connectable #{c}: #{$!}"
+          case $!
+          when ActiveRecord::RecordNotFound
+            raise
+          when Cms::Errors::AccessDenied
+            worst_exception = $!
+          else
+            c.render_exception = $!
+          end
+        end
+      end
+      raise worst_exception if worst_exception
+    end 
+  end 
 
   # ----- Before Filters -------------------------------------------------------
   def construct_path
@@ -224,4 +253,4 @@ class Cms::ContentController < Cms::ApplicationController
   
   
   
-end
+end

data/app/controllers/cms/dashboard_controller.rb

@@ -2,8 +2,9 @@ class Cms::DashboardController < Cms::BaseController
       
   def index
     @unpublished_pages = Page.unpublished.all(:order => "updated_at desc")
+    @unpublished_pages = @unpublished_pages.select { |page| current_user.able_to_publish?(page) }
     @incomplete_tasks = current_user.tasks.incomplete.all(
       :include => :page, 
       :order => "tasks.due_date desc, pages.name")
   end
-end
+end

data/app/controllers/cms/error_handling.rb

@@ -2,7 +2,8 @@ module Cms
   module ErrorHandling
     def self.included(controller)
       controller.class_eval do
-          rescue_from Exception, :with => :handle_server_error
+        rescue_from Exception, :with => :handle_server_error unless RAILS_ENV == "test"
+        rescue_from Cms::Errors::AccessDenied, :with => :handle_access_denied
       end
     end
     
@@ -13,6 +14,12 @@ module Cms
         :status => :internal_server_error,
         :locals => {:exception => exception}
     end
+    
+    def handle_access_denied(exception)
+      render :layout   => 'cms/application', 
+             :template => 'cms/shared/access_denied',
+             :status => 403
+    end
 
   end
-end
+end

data/app/controllers/cms/links_controller.rb

@@ -47,10 +47,12 @@ class Cms::LinksController < Cms::BaseController
 
     def load_section
       @section = Section.find(params[:section_id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
     end
 
     def load_link
       @link = Link.find(params[:id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@link)
     end
     
     def load_draft_link

data/app/controllers/cms/pages_controller.rb

@@ -1,5 +1,5 @@
 class Cms::PagesController < Cms::BaseController
-  
+ 
   before_filter :set_toolbar_tab
   before_filter :load_section, :only => [:new, :create]
   before_filter :load_page, :only => [:versions, :version, :revert_to, :destroy]
@@ -18,7 +18,7 @@ class Cms::PagesController < Cms::BaseController
   def show
     redirect_to Page.find(params[:id]).path
   end
-  
+ 
   def create
     @page = Page.new(params[:page])
     @page.section = @section
@@ -38,7 +38,7 @@ class Cms::PagesController < Cms::BaseController
       render :action => "edit"
     end
   rescue ActiveRecord::StaleObjectError => e
-    @other_version = @page.class.find(@page.id) 
+    @other_version = @page.class.find(@page.id)
     render :action => "edit"
   end
 
@@ -55,14 +55,14 @@ class Cms::PagesController < Cms::BaseController
       end
     end
   end
-  
+ 
   #status actions
   {:publish => "published", :hide => "hidden", :archive => "archived"}.each do |status, verb|
     define_method status do
       if params[:page_ids]
-        params[:page_ids].each do |id|
-          Page.find(id).send(status)
-        end
+        @pages = params[:page_ids].map { |id| Page.find(id) }
+        raise Cms::Errors::AccessDenied unless @pages.all? { |page| current_user.able_to_edit?(page) }
+        @pages.each { |page| page.send(status) }
         flash[:notice] = "#{params[:page_ids].size} pages #{verb}"
         redirect_to cms_dashboard_url
       else
@@ -74,25 +74,27 @@ class Cms::PagesController < Cms::BaseController
       end
     end
   end
-  
+ 
   def version
     @page = @page.as_of_version(params[:version])
     @show_toolbar = true
     @show_page_toolbar = true
+    @_connectors = @page.connectors.for_page_version(@page.version)
+    @_connectables = @_connectors.map(&:connectable_with_deleted)   
     render :layout => @page.layout, :template => 'cms/content/show'
-  end  
-  
+  end 
+ 
   def revert_to
     if @page.revert_to(params[:version])
       flash[:notice] = "Page '#{@page.name}' was reverted to version #{params[:version]}"
     end
-    
+   
     respond_to do |format|
       format.html { redirect_to @page.path }
       format.js { render :template => 'cms/shared/show_notice' }
-    end    
+    end   
   end
-  
+ 
   private
     def strip_publish_params
       unless current_user.able_to?(:publish_content)
@@ -103,17 +105,19 @@ class Cms::PagesController < Cms::BaseController
 
     def load_page
       @page = Page.find(params[:id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@page)
     end
-    
+   
     def load_draft_page
       load_page
       @page = @page.as_of_draft_version
     end
-  
+ 
     def load_section
       @section = Section.find(params[:section_id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
     end
-    
+   
     def hide_toolbar
       @hide_page_toolbar = true
     end
@@ -121,9 +125,9 @@ class Cms::PagesController < Cms::BaseController
     def set_toolbar_tab
       @toolbar_tab = :sitemap
     end
-    
+   
     def load_templates
       @templates = PageTemplate.options
     end
-    
+   
 end

data/app/controllers/cms/section_nodes_controller.rb

@@ -1,5 +1,5 @@
 class Cms::SectionNodesController < Cms::BaseController
-  check_permissions :publish_content, :only => [:move_before, :move_after]
+  check_permissions :publish_content, :except => [:index]
   
   def index
     @toolbar_tab = :sitemap

data/app/controllers/cms/sections_controller.rb

@@ -1,6 +1,7 @@
 class Cms::SectionsController < Cms::BaseController
 
   before_filter :load_parent, :only => [:new, :create]
+  before_filter :load_section, :only => [:edit, :update, :destroy, :move]
   before_filter :set_toolbar_tab
   
   helper_method :public_groups
@@ -16,12 +17,13 @@ class Cms::SectionsController < Cms::BaseController
   
   def new
     @section = @parent.sections.build
-    @section.groups = public_groups + cms_groups
+    @section.groups = @parent.groups
   end
   
   def create
     @section = Section.new(params[:section])
     @section.parent = @parent
+    @section.groups = @section.parent.groups unless current_user.able_to?(:administrate)
     if @section.save
       flash[:notice] = "Section '#{@section.name}' was created"
       redirect_to [:cms, @section]
@@ -31,13 +33,12 @@ class Cms::SectionsController < Cms::BaseController
   end
 
   def edit
-    @section = Section.find(params[:id])
-    raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
   end
   
   def update
-    @section = Section.find(params[:id])
-    if @section.update_attributes(params[:section])
+    params[:section].delete('group_ids') if params[:section] &&  !current_user.able_to?(:administrate)
+    @section.attributes = params[:section]
+    if @section.save
       flash[:notice] = "Section '#{@section.name}' was updated"
       redirect_to [:cms, @section]
     else
@@ -46,7 +47,6 @@ class Cms::SectionsController < Cms::BaseController
   end
   
   def destroy
-    @section = Section.find(params[:id])  
     respond_to do |format|
       if @section.deletable? && @section.destroy
         message = "Section '#{@section.name}' was deleted."
@@ -61,7 +61,6 @@ class Cms::SectionsController < Cms::BaseController
   end  
   
   def move
-    @section = Section.find(params[:id])
     if params[:section_id]
       @move_to = Section.find(params[:section_id])
     else
@@ -81,6 +80,12 @@ class Cms::SectionsController < Cms::BaseController
   protected
     def load_parent
       @parent = Section.find(params[:section_id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@parent)
+    end
+
+    def load_section
+      @section = Section.find(params[:id])
+      raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
     end
 
     def handle_file_browser_upload

data/app/controllers/cms/sessions_controller.rb

@@ -3,11 +3,11 @@ class Cms::SessionsController < Cms::ApplicationController
 
   before_filter :redirect_to_cms_site, :only => [:new]
   layout "cms/login"
-  
+
   def new
-    
+
   end
-  
+
   def create
     logout_keeping_session!
     user = User.authenticate(params[:login], params[:password])
@@ -21,7 +21,7 @@ class Cms::SessionsController < Cms::ApplicationController
       handle_remember_cookie! new_cookie_flag
       flash[:notice] = "Logged in successfully"
       if params[:success_url] # Coming from login portlet
-        redirect_to(session[:return_to] || params[:success_url] || "/")          
+        redirect_to((!params[:success_url].blank? && params[:success_url]) || session[:return_to] || "/")
         session[:return_to] = nil
       else
         redirect_back_or_default(cms_home_url)
@@ -30,7 +30,7 @@ class Cms::SessionsController < Cms::ApplicationController
       note_failed_signin
       @login       = params[:login]
       @remember_me = params[:remember_me]
-      flash[:login_error] = "Log in failed"  
+      flash[:login_error] = "Log in failed"
       if params[:success_url] # Coming from login portlet
         if params[:success_url].blank?
           success_url = session[:return_to] || "/"
@@ -42,23 +42,30 @@ class Cms::SessionsController < Cms::ApplicationController
         flash[:success_url] = success_url
         redirect_to request.referrer
       else
-        render :action => "new" 
-      end 
+        render :action => "new"
+      end
     end
   end
 
   def destroy
+    logout_user
+    redirect_back_or_default("/")
+  end
+
+  protected
+
+  # Pulled this out as a separate method so that modules (like bcms_cas) can override/alias destroy and
+  # not have a redirect happen as a side effect.
+  def logout_user
     logout_killing_session!
     cookies.delete :openSectionNodes
     flash[:notice] = "You have been logged out."
-    redirect_back_or_default("/")
   end
 
-protected
   # Track failed login attempts
   def note_failed_signin
     flash[:error] = "Couldn't log you in as '#{params[:login]}'"
     logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
   end
-  
+
 end

data/app/controllers/cms/users_controller.rb

@@ -1,7 +1,9 @@
 class Cms::UsersController < Cms::ResourceController
   layout 'cms/administration'
 
-  check_permissions :administrate
+  check_permissions :administrate, :except => [:show, :change_password, :update_password]
+  before_filter :only_self_or_administrator, :only => [:show, :change_password, :update_password]
+  
   before_filter :set_menu_section
   after_filter :update_group_membership, :only => [:update, :create]
   after_filter :update_flash, :only => [ :update, :create ]
@@ -33,10 +35,6 @@ class Cms::UsersController < Cms::ResourceController
     @users = User.paginate(:page => params[:page], :per_page => per_page, :include => :user_group_memberships, :conditions => conditions, :order => "first_name, last_name, email")
   end
 
-  def show
-    redirect_to [:edit, :cms, user]
-  end
-
   def change_password
     user
   end
@@ -44,7 +42,7 @@ class Cms::UsersController < Cms::ResourceController
   def update_password
     if user.update_attributes(params[:user])
       flash[:notice] = "Password for '#{user.login}' was changed"
-      redirect_to cms_users_path
+      redirect_to(current_user.able_to?(:administrate) ? cms_users_path : cms_user_path(user))
     else
       render :action => 'change_password'
     end
@@ -95,4 +93,8 @@ class Cms::UsersController < Cms::ResourceController
     def set_menu_section
       @menu_section = 'users'
     end
+    
+    def only_self_or_administrator
+      raise Cms::Errors::AccessDenied if !current_user.able_to?(:administrate) && params[:id].to_i != current_user.id
+    end
 end

data/app/helpers/cms/application_helper.rb

@@ -24,12 +24,8 @@ module Cms
       text
     end
 
-    def render_connector(connector)
-      connectable = connector.connectable_with_deleted
-      if logged_in? && @mode == "edit"
-        if connectable.class.versioned?
-          connectable = connectable.as_of_version(connector.connectable_version)
-        end
+    def render_connector_and_connectable(connector, connectable)
+      if logged_in? && @mode == "edit" && current_user.able_to_edit?(connector.page)
         render :partial => 'cms/pages/edit_connector', 
           :locals => { :connector => connector, :connectable => connectable}
       else