Don't let non-admins access pending posts.

2025-03-06 10:01:40 -05:00 · 2015-02-05 09:32:43 +09:00 · 2015-02-05 09:32:43 +09:00 · 6c07c9cbab
commit 6c07c9cbab
parent 31d8997cea
3 changed files with 35 additions and 18 deletions
--- a/History.md
+++ b/History.md
@ -1,6 +1,7 @@
 * Fix double notification bug. 
 * Fix singleday view bug.
 * Fix post approval date bug.
 * Don't let non-admins access pending posts.
 ## v0.14.0 “GridScope”
--- a/lib/router/filters.js
+++ b/lib/router/filters.js
@ -4,7 +4,7 @@
 Router._filters = {
-  isReady: function() {
+  isReady: function () {
    if (!this.ready()) {
      // console.log('not ready')
      this.render(getTemplate('loading'));
@ -27,7 +27,7 @@ Router._filters = {
  },
  /*
-  isLoggedIn: function() {
+  isLoggedIn: function () {
    if (!(Meteor.loggingIn() || Meteor.user())) {
      throwError(i18n.t('please_sign_in_first'));
      var current = getCurrentRoute();
@ -42,7 +42,7 @@ Router._filters = {
  */
  isLoggedIn: AccountsTemplates.ensureSignedIn,
-  isLoggedOut: function() {
+  isLoggedOut: function () {
    if(Meteor.user()){
      this.render('already_logged_in');
    } else {
@ -50,7 +50,7 @@ Router._filters = {
    }
  },
-  isAdmin: function() {
+  isAdmin: function () {
    if(!this.ready()) return;
    if(!isAdmin()){
      this.render(getTemplate('no_rights'));
@ -59,7 +59,7 @@ Router._filters = {
    }
  },
-  canView: function() {
+  canView: function () {
    if(!this.ready() || Meteor.loggingIn()){
      this.render(getTemplate('loading'));
    } else if (!can.view()) {
@ -69,6 +69,15 @@ Router._filters = {
    }
  },
  canViewPendingPosts: function () {
    var post = this.data();
    if (post.status == STATUS_PENDING && !can.viewPendingPosts()) {
      this.render(getTemplate('no_rights'));
    } else {
      this.next();
    }
  },
  canPost: function () {
    if(!this.ready() || Meteor.loggingIn()){
      this.render(getTemplate('loading'));
@ -80,7 +89,7 @@ Router._filters = {
    }
  },
-  canEditPost: function() {
+  canEditPost: function () {
    if(!this.ready()) return;
    // Already subscribed to this post by route({waitOn: ...})
    var post = Posts.findOne(this.params._id);
@ -92,7 +101,7 @@ Router._filters = {
    }
  },
-  canEditComment: function() {
+  canEditComment: function () {
    if(!this.ready()) return;
    // Already subscribed to this comment by CommentPageController
    var comment = Comments.findOne(this.params._id);
@ -104,7 +113,7 @@ Router._filters = {
    }
  },
-  hasCompletedProfile: function() {
+  hasCompletedProfile: function () {
    if(!this.ready()) return;
    var user = Meteor.user();
    if (user && ! userProfileComplete(user)){
@ -114,7 +123,7 @@ Router._filters = {
    }
  },
-  setTitle: function() {
+  setTitle: function () {
    // if getTitle is set, use it. Otherwise default to site title.
    var title = (typeof this.getTitle === 'function') ? this.getTitle() : getSetting("title", "Telescope");
    document.title = title;
@ -160,6 +169,7 @@ Meteor.startup( function (){
    Router.onBeforeAction(filters.isReady);
    Router.onBeforeAction(filters.canView, {except: ['atSignIn', 'atSignUp', 'atForgotPwd', 'atResetPwd', 'signOut']});
    Router.onBeforeAction(filters.canViewPendingPosts, {only: ['post_page']});
    Router.onBeforeAction(filters.hasCompletedProfile);
    Router.onBeforeAction(filters.isLoggedIn, {only: ['post_submit', 'post_edit', 'comment_edit']});
    Router.onBeforeAction(filters.isLoggedOut, {only: []});
--- a/packages/telescope-lib/lib/permissions.js
+++ b/packages/telescope-lib/lib/permissions.js
@ -7,7 +7,7 @@ can = {};
 // user:                Defaults to Meteor.user()
 //
 // return true if all is well, false
-can.view = function(user) {
+can.view = function (user) {
  if (getSetting('requireViewInvite', false)) {
    if (Meteor.isClient) {
@ -19,14 +19,20 @@ can.view = function(user) {
  }
  return true;
 };
-can.viewById = function(userId) {
+
 can.viewPendingPosts = function (user) {
  user = (typeof user === 'undefined') ? Meteor.user() : user;
  return isAdmin(user);
 };
 can.viewById = function (userId) {
  // if an invite is required to view, run permission check, else return true
  if (getSetting('requireViewInvite', false)) {
    return !!userId ? can.view(Meteor.users.findOne(userId)) : false;
  }
  return true;
 };
-can.post = function(user, returnError) {
+can.post = function (user, returnError) {
  user = (typeof user === 'undefined') ? Meteor.user() : user;
  if (!user) {
@ -43,13 +49,13 @@ can.post = function(user, returnError) {
    return true;
  }
 };
-can.comment = function(user, returnError) {
+can.comment = function (user, returnError) {
  return can.post(user, returnError);
 };
-can.vote = function(user, returnError) {
+can.vote = function (user, returnError) {
  return can.post(user, returnError);
 };
-can.edit = function(user, item, returnError) {
+can.edit = function (user, item, returnError) {
  user = (typeof user === 'undefined') ? Meteor.user() : user;
  if (!user || !item || (user._id !== item.userId && !isAdmin(user))) {
@ -58,13 +64,13 @@ can.edit = function(user, item, returnError) {
    return true;
  }
 };
-can.editById = function(userId, item) {
+can.editById = function (userId, item) {
  var user = Meteor.users.findOne(userId);
  return can.edit(user, item);
 };
-can.currentUserEdit = function(item) {
+can.currentUserEdit = function (item) {
  return can.edit(Meteor.user(), item);
 };
-can.invite = function(user) {
+can.invite = function (user) {
  return isInvited(user) || isAdmin(user);
 };