diff --git a/app/controllers/box_organizer_controller.rb b/app/controllers/box_organizer_controller.rb
index 934cccb..c76cbcc 100644
--- a/app/controllers/box_organizer_controller.rb
+++ b/app/controllers/box_organizer_controller.rb
@@ -83,6 +83,7 @@ class BoxOrganizerController < ApplicationController
def save
@block = boxes_holder.blocks.find(params[:id])
+ return render_access_denied unless @block.editable?(user)
@block.update(params[:block])
redirect_to :action => 'index'
end
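Review bot: The new guard in `save` authorises on `@block.editable?(user)` alone, while the helper's `editable?(block, user)` in this same commit also grants access on `user.is_admin?`; for a plain Block whose edit_modes is not "all", an environment admin is shown the Edit button but is denied here, so the two predicates should either agree or the admin bypass in the helper should be dropped. If the intent is that admins may edit any block, the line would read `return render_access_denied unless @block.editable?(user) || user.is_admin?`. It is not visible whether the `edit` action that renders the form received the same check; if it did not, the form is still served to users who will be refused on submit, which is safe but worth aligning. `user` is assumed to be an authenticated person here — if it can be nil for anonymous requests, `RawHTMLBlock#editable?` as written will raise rather than deny.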
diff --git a/app/helpers/boxes_helper.rb b/app/helpers/boxes_helper.rb
index ed7584f..2a60bc0 100644
--- a/app/helpers/boxes_helper.rb
+++ b/app/helpers/boxes_helper.rb
@@ -250,7 +250,7 @@ module BoxesHelper
end
end
- if editable?(block)
+ if editable?(block, user)
buttons << modal_icon_button(:edit, _('Edit'), { :action => 'edit', :id => block.id })
end
@@ -296,7 +296,7 @@ module BoxesHelper
return block.movable? || user.is_admin?
end
- def editable?(block)
- return block.editable? || user.is_admin?
+ def editable?(block, user=nil)
+ return block.editable?(user) || user.is_admin?
end
end
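Review bot: The `user=nil` default on the helper's `editable?` is a trap, because the body dereferences `user.is_admin?` unconditionally (and `RawHTMLBlock#editable?(user)` dereferences it too), so calling the helper without a user raises NoMethodError instead of answering false. Either drop the default so the missing argument fails loudly at the call site, or make nil mean "no access": `return false unless user` as the first line, then `block.editable?(user) || user.is_admin?`. The same nil-user concern applies to the `RawHTMLBlock` hunk below.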
diff --git a/app/models/block.rb b/app/models/block.rb
index c6d8f44..2fd43d0 100644
--- a/app/models/block.rb
+++ b/app/models/block.rb
@@ -195,8 +195,8 @@ class Block < ActiveRecord::Base
nil
end
- # Is this block editable? (Default to false)
- def editable?
+ # Is this block editable? (Default to true)
+ def editable?(user=nil)
self.edit_modes == "all"
end
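Review bot: The comment is changed to "(Default to true)" but the body still returns `self.edit_modes == "all"`, so the result is neither fixed nor true by default; the comment now misdescribes the method. The `user` parameter is also accepted and ignored in the base implementation, which is fine for subclass overrides but should be stated so callers do not assume a per-user check happens here. Suggested comment: `# Can +user+ edit this block? The base implementation ignores +user+ and allows editing only when edit_modes is "all"; subclasses override to apply per-user rules.`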
diff --git a/app/models/disabled_enterprise_message_block.rb b/app/models/disabled_enterprise_message_block.rb
index d433ebb..be9b29c 100644
--- a/app/models/disabled_enterprise_message_block.rb
+++ b/app/models/disabled_enterprise_message_block.rb
@@ -19,7 +19,7 @@ class DisabledEnterpriseMessageBlock < Block
end
end
- def editable?
+ def editable?(user=nil)
false
end
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 28b780d..b71e3bb 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -54,6 +54,7 @@ class Environment < ActiveRecord::Base
'manage_environment_licenses' => N_('Manage environment licenses'),
'manage_environment_trusted_sites' => N_('Manage environment trusted sites'),
'edit_appearance' => N_('Edit appearance'),
+ 'edit_raw_html_block' => N_('Edit Raw HTML block'),
}
module Roles
diff --git a/app/models/raw_html_block.rb b/app/models/raw_html_block.rb
index 8a4ac03..09d4f60 100644
--- a/app/models/raw_html_block.rb
+++ b/app/models/raw_html_block.rb
@@ -19,4 +19,9 @@ class RawHTMLBlock < Block
def has_macro?
true
end
+
+ def editable?(user)
+ user.has_permission?('edit_raw_html_block', environment)
+ end
+
end
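Review bot: `RawHTMLBlock#editable?(user)` declares `user` as required while the base `Block#editable?(user=nil)` and the other override accept no argument, and `user.has_permission?` raises on nil; any caller that still invokes `editable?` without a user (or with an anonymous nil user) gets a NoMethodError rather than a denial. Match the base signature and deny on nil: `def editable?(user=nil)` with body `user && user.has_permission?('edit_raw_html_block', environment)`. The `environment` receiver is presumably resolved through the block's box owner, as the unit test constructs it — confirm it is defined on Block and not only on some subclasses.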
diff --git a/db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb b/db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb
new file mode 100644
index 0000000..e02af5a
--- /dev/null
+++ b/db/migrate/20150103134141_add_edit_raw_html_block_to_admin_role.rb
@@ -0,0 +1,17 @@
+class AddEditRawHtmlBlockToAdminRole < ActiveRecord::Migration
+ def self.up
+ Environment.all.map(&:id).each do |id|
+ role = Environment::Roles.admin(id)
+ role.permissions << 'edit_raw_html_block'
+ role.save!
+ end
+ end
+
+ def self.down
+ Environment.all.map(&:id).each do |id|
+ role = Environment::Roles.admin(id)
+ role.permissions -= ['edit_raw_html_block']
+ role.save!
+ end
+ end
+end
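Review bot: `role.permissions << 'edit_raw_html_block'` in `self.up` appends unconditionally, so an environment whose admin role already carries the permission (or a re-run after a partial failure) ends up with a duplicate entry; `role.permissions |= ['edit_raw_html_block']` is idempotent and pairs with the `-=` already used in `self.down`. If `Environment::Roles.admin(id)` can return nil for an environment without an admin role, `role.permissions` will raise and abort the migration mid-way — guard with `next unless role` if that is possible.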
diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml
index 90bc9f4..11a7b04 100644
--- a/test/fixtures/roles.yml
+++ b/test/fixtures/roles.yml
@@ -100,3 +100,4 @@ environment_administrator:
- destroy_profile
- manage_environment_templates
- manage_environment_licenses
+ - edit_raw_html_block
diff --git a/test/functional/profile_design_controller_test.rb b/test/functional/profile_design_controller_test.rb
index efbbd0f..536f093 100644
--- a/test/functional/profile_design_controller_test.rb
+++ b/test/functional/profile_design_controller_test.rb
@@ -311,6 +311,12 @@ class ProfileDesignControllerTest < ActionController::TestCase
assert_equal 999, @b1.article_id
end
+ should 'not be able to save a non editable block' do
+ Block.any_instance.expects(:editable?).returns(false)
+ post :save, :profile => 'designtestuser', :id => @b1.id, :block => { }
+ assert_response :forbidden
+ end
+
should 'be able to edit ProductsBlock' do
block = ProductsBlock.new
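Review bot: The new test proves the forbidden response but not that the block was left untouched, which is the security property the guard exists for; since `Block.any_instance` is already being mocked, add `Block.any_instance.expects(:update).never` before the `post` so a regression that responds 403 after updating is caught. The `expects(:editable?)` stub also accepts any argument, so it would still pass if the controller stopped passing `user`; constraining it with `.with(anything)` replaced by the expected user would pin that.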
diff --git a/test/unit/boxes_helper_test.rb b/test/unit/boxes_helper_test.rb
index 2cd3fea..09820bd 100644
--- a/test/unit/boxes_helper_test.rb
+++ b/test/unit/boxes_helper_test.rb
@@ -187,6 +187,7 @@ class BoxesHelperTest < ActionView::TestCase
block = Block.create!(:box => box)
block.stubs(:embedable?).returns(true)
stubs(:url_for).returns('')
+ @controller.stubs(:user).returns(box.owner)
assert_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '}
end
@@ -195,6 +196,7 @@ class BoxesHelperTest < ActionView::TestCase
block = Block.create!(:box => box)
block.stubs(:embedable?).returns(false)
stubs(:url_for).returns('')
+ @controller.stubs(:user).returns(box.owner)
assert_no_tag_in_string block_edit_buttons(block), :tag => 'a', :attributes => {:class => 'button icon-button icon-embed '}
end
diff --git a/test/unit/raw_html_block_test.rb b/test/unit/raw_html_block_test.rb
index bdf925f..d21d78f 100644
--- a/test/unit/raw_html_block_test.rb
+++ b/test/unit/raw_html_block_test.rb
@@ -22,4 +22,20 @@ class RawHTMLBlockTest < ActiveSupport::TestCase
assert_match(/HTML$/, block.content)
end
+ should 'not be editable for users without permission' do
+ environment = Environment.default
+ box = Box.new(:owner => environment)
+ block = RawHTMLBlock.new(:html => "HTML", :box => box)
+ user = create_user('testuser').person
+ assert !block.editable?(user)
+ end
+
+ should 'be editable for users with permission' do
+ environment = Environment.default
+ box = Box.new(:owner => environment)
+ block = RawHTMLBlock.new(:html => "HTML", :box => box)
+ user = create_user_with_permission('testuser', 'edit_raw_html_block', environment)
+ assert block.editable?(user)
+ end
+
end
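Review bot: `assert !block.editable?(user)` in the first new test is the negated-assert form; `refute block.editable?(user)` reads as the intent and gives a clearer failure message. There is also no case covering an anonymous caller — `block.editable?(nil)` — which with the current `RawHTMLBlock#editable?` would raise rather than return false, so a third `should` for the nil user would document the intended behaviour either way.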
--
libgit2 0.21.2