webficient-browsercms 3.0.1 → 3.0.2

data/app/controllers/cms/content_block_controller.rb

@@ -33,6 +33,7 @@ class Cms::ContentBlockController < Cms::BaseController
       after_create_on_failure
     end
   rescue Exception => @exception
+    raise @exception if @exception.is_a?(Cms::Errors::AccessDenied)
     after_create_on_error
   end
   
@@ -50,6 +51,7 @@ class Cms::ContentBlockController < Cms::BaseController
   rescue ActiveRecord::StaleObjectError => @exception
     after_update_on_edit_conflict
   rescue Exception => @exception
+    raise @exception if @exception.is_a?(Cms::Errors::AccessDenied)
     after_update_on_error
   end
   
@@ -127,15 +129,18 @@ class Cms::ContentBlockController < Cms::BaseController
       options[:order] = params[:order] unless params[:order].blank?
       scope = model_class.respond_to?(:list) ? model_class.list : model_class
       @blocks = scope.searchable? ? scope.search(params[:search]).paginate(options) : scope.paginate(options)
+      check_permissions
     end
   
     def load_block
       @block = model_class.find(params[:id])
+      check_permissions
     end
   
     def load_block_draft
-      load_block
+      @block = model_class.find(params[:id])
       @block = @block.as_of_draft_version if model_class.versioned?
+      check_permissions
     end
   
     # path related methods - available in the view as helpers
@@ -162,6 +167,7 @@ class Cms::ContentBlockController < Cms::BaseController
   
     def build_block
       @block = model_class.new(params[model_name])
+      check_permissions
     end
 
     def set_default_category
@@ -244,6 +250,23 @@ class Cms::ContentBlockController < Cms::BaseController
         false
       end
     end
+    
+    # Use a "whitelist" approach to access to avoid mistakes
+    # By default everyone can create new block and view them and their properties,
+    # but blocks can only be modified based on the permissions of the pages they
+    # are connected to.
+    def check_permissions
+      case action_name
+        when "index", "show", "new", "create", "version", "versions", "usages"
+          # Allow
+        when "edit", "update"
+          raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@block)
+        when "destroy", "publish", "revert_to"
+          raise Cms::Errors::AccessDenied unless current_user.able_to_publish?(@block)
+        else
+          raise Cms::Errors::AccessDenied
+      end
+    end
 
     # methods to setup the view
 
@@ -259,4 +282,4 @@ class Cms::ContentBlockController < Cms::BaseController
       "cms/blocks"
     end
 
-end
+end

data/app/controllers/cms/content_controller.rb

@@ -173,7 +173,8 @@ class Cms::ContentController < Cms::ApplicationController
           send_file(@file, 
             :filename => @attachment.file_name,
             :type => @attachment.file_type,
-            :disposition => "inline"
+            :disposition => "inline",
+            :x_sendfile => Attachment.use_x_sendfile
           ) 
         end    
       end

data/app/controllers/cms/dashboard_controller.rb

@@ -5,5 +5,6 @@ class Cms::DashboardController < Cms::BaseController
     @incomplete_tasks = current_user.tasks.incomplete.all(
       :include => :page, 
       :order => "tasks.due_date desc, pages.name")
+    @recent_updates = Page::Version.recent_updates
   end
-end
+end

data/app/controllers/cms/error_handling.rb

@@ -2,8 +2,8 @@ module Cms
   module ErrorHandling
     def self.included(controller)
       controller.class_eval do
-          rescue_from Exception, :with => :handle_server_error
-          rescue_from Cms::Errors::AccessDenied, :with => :handle_access_denied
+        rescue_from Exception, :with => :handle_server_error unless RAILS_ENV == "test"
+        rescue_from Cms::Errors::AccessDenied, :with => :handle_access_denied
       end
     end
     
@@ -18,7 +18,7 @@ module Cms
     def handle_access_denied(exception)
       render :layout   => 'cms/application', 
              :template => 'cms/shared/access_denied',
-             :status   => 403
+             :status => 403
     end
   end
 end

data/app/controllers/cms/sections_controller.rb

@@ -17,11 +17,12 @@ class Cms::SectionsController < Cms::BaseController
   
   def new
     @section = @parent.sections.build
-    @section.groups = public_groups + cms_groups
+    @section.groups = @parent.groups
   end
   
   def create
     @section = Section.new(params[:section])
+    @section.groups = @parent.groups unless current_user.able_to?(:administrate)
     @section.parent = @parent
     if @section.save
       flash[:notice] = "Section '#{@section.name}' was created"
@@ -35,7 +36,9 @@ class Cms::SectionsController < Cms::BaseController
   end
   
   def update
-    if @section.update_attributes(params[:section])
+    @section.attributes = params[:section]
+    @section.groups = @section.parent.groups unless current_user.able_to?(:administrate)
+    if @section.save
       flash[:notice] = "Section '#{@section.name}' was updated"
       redirect_to [:cms, @section]
     else

data/app/models/attachment.rb

@@ -147,6 +147,14 @@ class Attachment < ActiveRecord::Base
     Attachment.published.not_archived.first(:conditions => {:file_path => file_path})
   end  
   
+  def self.use_x_sendfile
+    @use_x_sendfile ||= false
+  end
+  
+  def self.use_x_sendfile=(use_x_sendfile)
+    @use_x_sendfile = use_x_sendfile
+  end
+  
   #----- Instance Methods ------------------------------------------------------
 
   def file_name
@@ -190,4 +198,4 @@ class Attachment < ActiveRecord::Base
     self.updated_at = Time.now
   end
 
-end
+end

data/app/models/content_type.rb

@@ -19,7 +19,7 @@ class ContentType < ActiveRecord::Base
   # Given a 'key' like 'html_blocks' or 'portlet'
   # Raises exception if nothing was found.
   def self.find_by_key(key)
-    class_name = key.classify
+    class_name = key.tableize.classify
     content_type = find_by_name(class_name)
     if content_type.nil?
       if class_name.constantize.ancestors.include?(Portlet)
@@ -54,7 +54,7 @@ class ContentType < ActiveRecord::Base
   end
 
   def model_class
-    name.classify.constantize
+    name.tableize.classify.constantize
   end
 
   # Allows models to show additional columns when being shown in a list.

data/app/models/link.rb

@@ -1,5 +1,5 @@
 class Link < ActiveRecord::Base
-  acts_as_content_block
+  acts_as_content_block :connectable => false
   
   named_scope :named, lambda{|name| {:conditions => ['links.name = ?', name]}}
   
@@ -32,4 +32,4 @@ class Link < ActiveRecord::Base
     url
   end
 
-end
+end

data/app/models/page.rb

@@ -48,6 +48,7 @@ class Page < ActiveRecord::Base
   
   before_validation :append_leading_slash_to_path
   before_destroy :delete_connectors
+  before_destroy :delete_section_node
   
   validates_presence_of :name, :path
   validates_uniqueness_of :path
@@ -194,6 +195,10 @@ class Page < ActiveRecord::Base
     end      
   end
   
+  def delete_section_node
+    section_node.destroy if section_node
+  end
+  
   def public?
     section ? section.public? : false
   end
@@ -262,6 +267,11 @@ class Page < ActiveRecord::Base
     (a[1..a.size].map{|a| a.name} + [name]).join(" / ")
   end
   
+  # returns current page name, lowercase, with spaces replaced by underscores
+  def internal_name
+    name.downcase.gsub(/ /, '_')
+  end
+  
   # This will return the "top level section" for a page, which is the section directly
   # below the root (a.k.a My Site) that this page is in.  If this page is in root,
   # then this will return root.

data/app/models/user.rb

@@ -89,12 +89,12 @@ class User < ActiveRecord::Base
     @viewable_sections ||= Section.find(:all, :include => {:groups => :users}, :conditions => ["users.id = ?", id])
   end
 
-  def editable_sections
-    @editable_sections ||= Section.find(:all, :include => {:groups => [:group_type, :users]}, :conditions => ["users.id = ? and group_types.cms_access = ?", id, true])
+  def modifiable_sections
+    @modifiable_sections ||= Section.find(:all, :include => {:groups => [:group_type, :users]}, :conditions => ["users.id = ? and group_types.cms_access = ?", id, true])
   end
 
-  #Expects a list of names of Permissions
-  #true if the user has any of the permissions
+  # Expects a list of names of Permissions
+  # true if the user has any of the permissions
   def able_to?(*required_permissions)
     perms = required_permissions.map(&:to_sym)
     permissions.any? do |p| 
@@ -102,25 +102,43 @@ class User < ActiveRecord::Base
     end
   end
     
-  #Expects object to be an object or a section
-  #If it's a section, that will be used
-  #If it's not a section, it will call section on the object
-  #returns true if any of the sections of the groups the user is in matches the page's section.
+  # Expects object to be an object or a section
+  # If it's a section, that will be used
+  # If it's not a section, it will call section on the object
+  # returns true if any of the sections of the groups the user is in matches the page's section.
   def able_to_view?(object)
     section = object.is_a?(Section) ? object : object.section
-    !!(viewable_sections.include?(section) || groups.cms_access.count > 0)
+    viewable_sections.include?(section) || groups.cms_access.count > 0
   end
   
-  #Expects node to be a Section, Page or Link
-  #Returns true if the specified node, or any of its ancestor sections, is editable by any of 
-  #the user's 'CMS User' groups.
-  def able_to_edit?(node)    
-    section = node.is_a?(Section) ? node : node.section
-    !!(able_to?(:edit_content) && section.with_ancestors.any? { |section| editable_sections.include?(section) })
+  def able_to_modify?(object)
+    case object
+      when Section
+        object.with_ancestors.any? { |section| modifiable_sections.include?(section) }
+      when Page, Link
+        object.section.with_ancestors.any? { |section| modifiable_sections.include?(section) }
+      else
+        if object.class.respond_to?(:connectable?) && object.class.connectable?
+          object.connected_pages.all? { |page| able_to_modify?(page) }
+        else
+          true
+        end
+    end
+  end
+  
+  # Expects node to be a Section, Page or Link
+  # Returns true if the specified node, or any of its ancestor sections, is editable by any of 
+  # the user's 'CMS User' groups.
+  def able_to_edit?(object)    
+    able_to?(:edit_content) && able_to_modify?(object)
+  end
+  
+  def able_to_publish?(object)
+    able_to?(:publish_content) && able_to_modify?(object)
   end
   
   def able_to_edit_or_publish_content?
     able_to?(:edit_content, :publish_content)
   end
   
-end
+end

data/app/views/cms/blocks/_toolbar_for_member.html.erb

@@ -1,7 +1,7 @@
 <% able_to? :publish_content do -%>
   <% if @block.respond_to?(:live?) && !@block.live? %>
     <%= link_to span_tag('Publish'), block_path(:publish), 
-      :class => "http_put button left", 
+      :class => "http_put button left#{' disabled' unless current_user.able_to_publish?(@block)}", 
       :id => "publish_button" %>
   <% else %>
     <%= link_to span_tag('Publish'), "#", 
@@ -15,7 +15,7 @@
   :id => "view_button" %>
   
 <%= link_to span_tag('Edit Content'), block_path(:edit), 
-  :class => "button right#{ ' off' if action_name == 'edit'}", 
+  :class => "button right#{ ' off' if action_name == 'edit'}#{' disabled' unless current_user.able_to_edit?(@block)}", 
   :id => "edit_button" %>
   
 <%= link_to span_tag("Add New Content"), new_block_path, 
@@ -33,6 +33,6 @@
 <% end %>
 
 <%= link_to span_tag("<span class=\"delete_img\">&nbsp;</span>Delete"), block_path, 
-  :class => "http_delete confirm_with_title button", 
+  :class => "http_delete confirm_with_title button#{' disabled' unless current_user.able_to_publish?(@block)}", 
   :title => "Are you sure you want to delete '#{@block.name}'?", 
   :id => "delete_button" %>

data/app/views/cms/blocks/index.html.erb

@@ -11,12 +11,14 @@
         var match = this.id.match(/(.*)_(\d+)/) 
         var type = match[1]
         var id = match[2]
+        var editable = !$(this).hasClass("non-editable")
+        var publishable = !$(this).hasClass("non-publishable")
         $('table.data tbody tr').removeClass('selected')
         $(this).addClass('selected')
         $('#functions .button').addClass('disabled').attr('href','#')
         $('#add_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/new')
         $('#view_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id)
-        $('#edit_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/edit')
+        if (editable) $('#edit_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/edit')
         <% if content_type.model_class.versioned? %>
           $('#revisions_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/versions')
         <% else %>
@@ -28,12 +30,14 @@
           $('#delete_button').addClass('disabled')
             .attr('title', $.trim(cannot_be_deleted_message.text()))
         } else {
-          $('#delete_button').removeClass('disabled')
-            .attr('href', '/cms/'+collectionName+'/'+id)  
-            .attr('title', 'Are You Sure You Want To Delete This Record?')
+          if (publishable) {
+            $('#delete_button').removeClass('disabled')
+              .attr('href', '/cms/'+collectionName+'/'+id)  
+              .attr('title', 'Are You Sure You Want To Delete This Record?')
+          }
         }        
         <% able_to? :publish_content do -%>
-          if($(this).hasClass('draft')) {
+          if($(this).hasClass('draft') && publishable) {
             $('#publish_button').removeClass('disabled').attr('href', '/cms/'+collectionName+'/'+id+'/publish?_redirect_to='+location.href)        
           }
         <% end %>  
@@ -85,7 +89,7 @@
        col_ct += 1 if content_type.model_class.publishable? %>
     <% @blocks.each do |b| %>
       <% block = b.class.versioned? ? b.as_of_draft_version : b %>
-      <tr id="<%= block.class.name.underscore %>_<%= block.id %>" class="<%= block.class.name.underscore %> <%= block.class.publishable? && !block.published? ? 'draft' : 'published' %>">
+      <tr id="<%= block.class.name.underscore %>_<%= block.id %>" class="<%= block.class.name.underscore %> <%= block.class.publishable? && !block.published? ? 'draft' : 'published' %> <%= 'non-editable' unless current_user.able_to_edit?(block) %> <%= 'non-publishable' unless current_user.able_to_publish?(block) %>">
 	<td class="first"></td>
         <% content_type.columns_for_index.each_with_index do |column, i| %>
           <td class="<%= column[:label].gsub(' ', '').underscore %>">

data/app/views/cms/content/show.html.erb

@@ -1,6 +1,5 @@
 <% page_title @page.page_title -%>
 <% if @show_toolbar -%>  
-  <% content_for :html_head, stylesheet_link_tag('cms/page') -%>
   <% flash.keep -%>
   <iframe src="<%=h cms_toolbar_path(:page_id => @page.id, :page_version => @page.version, :mode => @mode, :page_toolbar => @show_page_toolbar ? 1 : 0) %>" width="100%" height="<%= @show_page_toolbar ? 159 : 100 %>px" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" name="cms_toolbar"></iframe>
 <% end -%>

data/app/views/cms/dashboard/_recently_updated.html.erb

@@ -0,0 +1,50 @@
+<div class="dashboard_unit wide" id="recent_changes">
+  <h2>Recent Changes</h2>
+
+  <div class="roundedcorners" style="position: relative">
+    <table class="data">
+      <thead>
+        <tr>
+          <th class="name first unbordered" colspan="2"><div class="dividers">Page</div></th>
+          <th><div class="dividers">Version</div></th>
+          <th><div class="dividers">Comment</div></th>
+          <th><div class="dividers">Date</div></th>
+          <th class="last" colspan="2"><div class="dividers">Editor</div></th>
+        </tr>
+      </thead>
+      <tbody>
+        <% @recent_updates.each do |r| %>
+          <tr>
+            <td class="first"></td>
+            <td class="name">
+              <div class="dividers">
+                <%= link_to h(r.page.name_with_section_path), r.page.path %>
+              </div>
+            </td>
+            <td>
+              <div class="dividers">
+                <%= "v.#{r.version}" %>
+                <%= '(LIVE)' if r.page.version == r.version %>
+                <%= '(CURRENT)' if r.page.draft == r %>
+              </div>
+            </td>
+            <td>
+              <div class="dividers"><%=h r.version_comment %></div>
+            </td>
+            <td>
+              <div class="dividers"><%= r.created_at.strftime("%b %d, %Y %I:%M %p") if r.created_at %></div>
+            </td>
+            <td>
+              <div><%= r.updated_by.login if r.updated_by %></div>
+            </td>
+            <td class="last"></td>
+          </tr>
+        <% end %>
+      </tbody>
+    </table>
+    <div class="tl"></div>
+    <div class="tr"></div>
+    <div class="bl"></div>
+    <div class="br"></div>
+  </div>
+</div>

data/app/views/cms/dashboard/index.html.erb

@@ -9,7 +9,15 @@
   <%= render :partial => 'page_drafts' %>
   <img src="/images/cms/dashboard/bottom_cap.png" style="position: absolute; bottom: -9px; left: 0" />
 </div>
+
 <div class="dashboard_wrap tasks_margin">  
   <%= render :partial => 'tasks' %>
   <img src="/images/cms/dashboard/bottom_cap.png" style="position: absolute; bottom: -9px; left: 0" />
-</div>
+</div>
+
+<br clear="all"/>
+<div class="wide_top_cap"></div>
+<div class="dashboard_wrap">
+  <%= render :partial => 'recently_updated' %>
+  <img src="/images/cms/bottom_cap.png" style="position: absolute; bottom: -9px; left: 0" />
+</div>

data/app/views/cms/sections/_form.html.erb

@@ -11,46 +11,48 @@
   </div>
 </div>
 
-<div class="checkbox_group fields" style="float: left; width: 100%">
-  <label>Public Permissions</label>
-  <%= hidden_field_tag "section[group_ids][]", "", :id => nil %>
-  <div class="checkboxes">
-    <% for group in public_groups %>
-    <div class="checkbox_fields">
-      <%= check_box_tag "section[group_ids][]", group.id,
-            @section.groups.include?(group), :class => "public_group_ids", :id => "public_group_ids_#{group.id}", :tabindex => next_tabindex %>
-        <label for="public_group_ids_<%= group.id %>"><%= group.name %></label>
-    </div>
-    <% end %>
-    <div class="instructions">Which &ldquo;Public&rdquo; groups can view pages in this section?</div>
-    <div class="check_uncheck">
-      <%= link_to_check_all 'input.public_group_ids' %>, 
-      <%= link_to_uncheck_all 'input.public_group_ids' %>
+<% able_to?(:administrate) do %>
+  <div class="checkbox_group fields" style="float: left; width: 100%">
+    <label>Public Permissions</label>
+    <%= hidden_field_tag "section[group_ids][]", "", :id => nil %>
+    <div class="checkboxes">
+      <% for group in public_groups %>
+      <div class="checkbox_fields">
+        <%= check_box_tag "section[group_ids][]", group.id,
+              @section.groups.include?(group), :class => "public_group_ids", :id => "public_group_ids_#{group.id}", :tabindex => next_tabindex %>
+          <label for="public_group_ids_<%= group.id %>"><%= group.name %></label>
+      </div>
+      <% end %>
+      <div class="instructions">Which &ldquo;Public&rdquo; groups can view pages in this section?</div>
+      <div class="check_uncheck">
+        <%= link_to_check_all 'input.public_group_ids' %>, 
+        <%= link_to_uncheck_all 'input.public_group_ids' %>
+      </div>
     </div>
   </div>
-</div>
 
-<br clear="all" />
+  <br clear="all" />
 
-<div class="checkbox_group fields" style="float: left; width: 100%">
-  <label>CMS Permissions</label>
-  <%= hidden_field_tag "section[group_ids][]", "", :id => nil %>
-  <div class="checkboxes">
-    <% for group in cms_groups %>
-    <div class="checkbox_fields">
-        <%= check_box_tag "section[group_ids][]", group.id,
-            @section.groups.include?(group), :class => "cms_group_ids", :id => "cms_group_ids_#{group.id}", :tabindex => next_tabindex %>
-        <label for="cms_group_ids_<%= group.id %>"><%= group.name %></label>
-    </div>
-    <% end %>
-    <div class="instructions">Which &ldquo;CMS&rdquo; groups can edit pages and content in this section?</div>
-    <div class="check_uncheck">
-      <%= link_to_check_all 'input.cms_group_ids' %>, 
-      <%= link_to_uncheck_all 'input.cms_group_ids' %>
+  <div class="checkbox_group fields" style="float: left; width: 100%">
+    <label>CMS Permissions</label>
+    <%= hidden_field_tag "section[group_ids][]", "", :id => nil %>
+    <div class="checkboxes">
+      <% for group in cms_groups %>
+      <div class="checkbox_fields">
+          <%= check_box_tag "section[group_ids][]", group.id,
+              @section.groups.include?(group), :class => "cms_group_ids", :id => "cms_group_ids_#{group.id}", :tabindex => next_tabindex %>
+          <label for="cms_group_ids_<%= group.id %>"><%= group.name %></label>
+      </div>
+      <% end %>
+      <div class="instructions">Which &ldquo;CMS&rdquo; groups can edit pages and content in this section?</div>
+      <div class="check_uncheck">
+        <%= link_to_check_all 'input.cms_group_ids' %>, 
+        <%= link_to_uncheck_all 'input.cms_group_ids' %>
+      </div>
     </div>
   </div>
-</div>
-<br clear="all" />
+  <br clear="all" />
+<% end %>
 
 <div class="buttons">
   <%= lt_button_wrapper(f.submit("Save", :class => "submit", :tabindex => next_tabindex)) %>

data/app/views/layouts/_page_toolbar.html.erb

@@ -67,13 +67,13 @@
 
   <%= link_to "<span>Edit Properties</span>", 
     [:edit, :cms, @page], 
-    :id => "edit_properties_button#{ ' disabled' if !current_user.able_to_edit?(@page) }",
-    :class => "spacer button", 
+    :id => "edit_properties_button",
+    :class => "spacer button#{ ' disabled' unless current_user.able_to_edit?(@page) }", 
     :target => "_top" %>
   
   <%= link_to "<span>List Versions</span>", 
     versions_cms_page_path(@page), 
-    :class => "spacer button",
+    :class => "spacer button#{ ' disabled' unless current_user.able_to_edit?(@page) }",
     :target => "_top" %>
     
   <% able_to? :publish_content do %>
@@ -83,7 +83,7 @@
         :id => "delete_button",
         :title => "Are you sure you want to delete '#{@page.name}'?", 
         :target => "_top", 
-        :class => "spacer button confirm_with_title http_delete" %>
+        :class => "spacer button confirm_with_title http_delete#{ ' disabled' unless current_user.able_to_publish?(@page) }" %>
     <% else %>
       <%= link_to "<span>Revert to this Version</span>",
         revert_to_cms_page_path(@page, @page.version), 
@@ -98,7 +98,7 @@
         <div class="visual_editor_label">Visual Editor:</div>
         <div class="visual_editor_value_container">
           <% if @mode == "edit" %>
-	    <div><span id="visual_editor_state">ON<% if !current_user.able_to_edit?(@page) %><em title="You don't have permission to edit this page's contents.">*</em><% end %></span></div>
+	    <div><span id="visual_editor_state"<%= ' title="You don\'t have permission to edit this page"' unless current_user.able_to_edit?(@page) %>>ON<%= '*' unless current_user.able_to_edit?(@page) %></span></div>
           <% else %>
 	    <div><span id="visual_editor_state">OFF</span></div>
           <% end %>