From 6c07c9cbab662eff671f923611a3fcca0f09c95b Mon Sep 17 00:00:00 2001
From: Sacha Greif
Date: Thu, 5 Feb 2015 09:32:43 +0900
Subject: [PATCH] Don't let non-admins access pending posts.
---
 History.md | 1 +
 lib/router/filters.js | 28 +++++++++++++++--------
 packages/telescope-lib/lib/permissions.js | 24 +++++++++++--------
 3 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/History.md b/History.md
index c7c610af2..108b6b514 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
 * Fix double notification bug.
 * Fix singleday view bug.
 * Fix post approval date bug.
+* Don't let non-admins access pending posts.
 ## v0.14.0 “GridScope”
diff --git a/lib/router/filters.js b/lib/router/filters.js
index 8d0f28951..b4d0e4979 100644
--- a/lib/router/filters.js
+++ b/lib/router/filters.js
@@ -4,7 +4,7 @@ Router._filters = {
- isReady: function() {
+ isReady: function () {
 if (!this.ready()) {
 // console.log('not ready')
 this.render(getTemplate('loading'));
@@ -27,7 +27,7 @@ Router._filters = {
 },
 /*
- isLoggedIn: function() {
+ isLoggedIn: function () {
 if (!(Meteor.loggingIn() || Meteor.user())) {
 throwError(i18n.t('please_sign_in_first'));
 var current = getCurrentRoute();
@@ -42,7 +42,7 @@ Router._filters = {
 */
 isLoggedIn: AccountsTemplates.ensureSignedIn,
- isLoggedOut: function() {
+ isLoggedOut: function () {
 if(Meteor.user()){
 this.render('already_logged_in');
 } else {
@@ -50,7 +50,7 @@ Router._filters = {
 }
 },
- isAdmin: function() {
+ isAdmin: function () {
 if(!this.ready()) return;
 if(!isAdmin()){
 this.render(getTemplate('no_rights'));
@@ -59,7 +59,7 @@ Router._filters = {
 }
 },
- canView: function() {
+ canView: function () {
 if(!this.ready() || Meteor.loggingIn()){
 this.render(getTemplate('loading'));
 } else if (!can.view()) {
@@ -69,6 +69,15 @@ Router._filters = {
 }
 },
+ canViewPendingPosts: function () {
+ var post = this.data();
+ if (post.status == STATUS_PENDING && !can.viewPendingPosts()) {
+ this.render(getTemplate('no_rights'));
+ } else {
+ this.next();
+ }
+ },
+
 canPost: function () {
 if(!this.ready() || Meteor.loggingIn()){
 this.render(getTemplate('loading'));
@@ -80,7 +89,7 @@ Router._filters = {
 }
 },
- canEditPost: function() {
+ canEditPost: function () {
 if(!this.ready()) return;
 // Already subscribed to this post by route({waitOn: ...})
 var post = Posts.findOne(this.params._id);
@@ -92,7 +101,7 @@ Router._filters = {
 }
 },
- canEditComment: function() {
+ canEditComment: function () {
 if(!this.ready()) return;
 // Already subscribed to this comment by CommentPageController
 var comment = Comments.findOne(this.params._id);
@@ -104,7 +113,7 @@ Router._filters = {
 }
 },
- hasCompletedProfile: function() {
+ hasCompletedProfile: function () {
 if(!this.ready()) return;
 var user = Meteor.user();
 if (user && ! userProfileComplete(user)){
@@ -114,7 +123,7 @@ Router._filters = {
 }
 },
- setTitle: function() {
+ setTitle: function () {
 // if getTitle is set, use it. Otherwise default to site title.
 var title = (typeof this.getTitle === 'function') ? this.getTitle() : getSetting("title", "Telescope");
 document.title = title;
@@ -160,6 +169,7 @@ Meteor.startup( function (){
 Router.onBeforeAction(filters.isReady);
 Router.onBeforeAction(filters.canView, {except: ['atSignIn', 'atSignUp', 'atForgotPwd', 'atResetPwd', 'signOut']});
+ Router.onBeforeAction(filters.canViewPendingPosts, {only: ['post_page']});
 Router.onBeforeAction(filters.hasCompletedProfile);
 Router.onBeforeAction(filters.isLoggedIn, {only: ['post_submit', 'post_edit', 'comment_edit']});
 Router.onBeforeAction(filters.isLoggedOut, {only: []});
diff --git a/packages/telescope-lib/lib/permissions.js b/packages/telescope-lib/lib/permissions.js
index dabd022e2..05aae6888 100644
--- a/packages/telescope-lib/lib/permissions.js
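Review bot: `var post = this.data();` is dereferenced unguarded on the next line of canViewPendingPosts, so a post_page visit whose subscription is not ready yet or whose id matches no document throws a TypeError inside the filter instead of rendering anything; the sibling filters (canEditPost, hasCompletedProfile) open with `if(!this.ready()) return;` and this one should do the same and null-check the document, i.e. `if (!this.ready()) return;` before the lookup and `if (post && post.status === STATUS_PENDING && !can.viewPendingPosts()) {` for the test (strict equality, as can.edit already uses in `user._id !== item.userId`). This is a client-side router filter: by the time `this.data()` hands back the post, the pending document has already been published to that browser, so the filter only withholds the template, and the publication backing post_page needs to apply the same can.viewPendingPosts check, which this commit does not show. As written the author of a pending post is also turned away from their own post page, because can.viewPendingPosts accepts admins only; if that is not intended, the condition needs an ownership clause of the kind can.edit uses.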
+++ b/packages/telescope-lib/lib/permissions.js
@@ -7,7 +7,7 @@ can = {};
 // user: Defaults to Meteor.user()
 //
 // return true if all is well, false
-can.view = function(user) {
+can.view = function (user) {
 if (getSetting('requireViewInvite', false)) {
 if (Meteor.isClient) {
@@ -19,14 +19,20 @@ can.view = function(user) {
 }
 return true;
 };
-can.viewById = function(userId) {
+
+can.viewPendingPosts = function (user) {
+ user = (typeof user === 'undefined') ? Meteor.user() : user;
+ return isAdmin(user);
+};
+
+can.viewById = function (userId) {
 // if an invite is required to view, run permission check, else return true
 if (getSetting('requireViewInvite', false)) {
 return !!userId ? can.view(Meteor.users.findOne(userId)) : false;
 }
 return true;
 };
-can.post = function(user, returnError) {
+can.post = function (user, returnError) {
 user = (typeof user === 'undefined') ? Meteor.user() : user;
 if (!user) {
@@ -43,13 +49,13 @@ can.post = function(user, returnError) {
 return true;
 }
 };
-can.comment = function(user, returnError) {
+can.comment = function (user, returnError) {
 return can.post(user, returnError);
 };
-can.vote = function(user, returnError) {
+can.vote = function (user, returnError) {
 return can.post(user, returnError);
 };
-can.edit = function(user, item, returnError) {
+can.edit = function (user, item, returnError) {
 user = (typeof user === 'undefined') ? Meteor.user() : user;
 if (!user || !item || (user._id !== item.userId && !isAdmin(user))) {
@@ -58,13 +64,13 @@ can.edit = function(user, item, returnError) {
 return true;
 }
 };
-can.editById = function(userId, item) {
+can.editById = function (userId, item) {
 var user = Meteor.users.findOne(userId);
 return can.edit(user, item);
 };
-can.currentUserEdit = function(item) {
+can.currentUserEdit = function (item) {
 return can.edit(Meteor.user(), item);
 };
-can.invite = function(user) {
+can.invite = function (user) {
 return isInvited(user) || isAdmin(user);
 };
\ No newline at end of file
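Review bot: `can.viewPendingPosts` is added without the header comment that documents `can.view` just above it (`// user: Defaults to Meteor.user()` / `// return true if all is well, false`), although it follows the same user-defaulting convention as can.post; give it the same two-line header, e.g. `// user: Defaults to Meteor.user()` and `// return true if user may see posts with status pending (currently admins only)`. The function lives in telescope-lib, which is shared client/server code, so the server publication that serves single posts can call it as well as the router filter; whether any publication does is not visible in this diff, and the comment should say that callers on the server are expected to use it too, since the client-side filter alone does not keep the document off the wire.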