Don't let non-admins access pending posts.

History.md

@@ -1,6 +1,7 @@
 * Fix double notification bug. 
 * Fix singleday view bug.
 * Fix post approval date bug.
+* Don't let non-admins access pending posts.
 
 ## v0.14.0 “GridScope”
 

lib/router/filters.js

@@ -4,7 +4,7 @@
 
 Router._filters = {
 
-  isReady: function() {
+  isReady: function () {
     if (!this.ready()) {
       // console.log('not ready')
       this.render(getTemplate('loading'));
@@ -27,7 +27,7 @@ Router._filters = {
   },
 
   /*
-  isLoggedIn: function() {
+  isLoggedIn: function () {
     if (!(Meteor.loggingIn() || Meteor.user())) {
       throwError(i18n.t('please_sign_in_first'));
       var current = getCurrentRoute();
@@ -42,7 +42,7 @@ Router._filters = {
   */
   isLoggedIn: AccountsTemplates.ensureSignedIn,
 
-  isLoggedOut: function() {
+  isLoggedOut: function () {
     if(Meteor.user()){
       this.render('already_logged_in');
     } else {
@@ -50,7 +50,7 @@ Router._filters = {
     }
   },
 
-  isAdmin: function() {
+  isAdmin: function () {
     if(!this.ready()) return;
     if(!isAdmin()){
       this.render(getTemplate('no_rights'));
@@ -59,7 +59,7 @@ Router._filters = {
     }
   },
 
-  canView: function() {
+  canView: function () {
     if(!this.ready() || Meteor.loggingIn()){
       this.render(getTemplate('loading'));
     } else if (!can.view()) {
@@ -69,6 +69,15 @@ Router._filters = {
     }
   },
 
+  canViewPendingPosts: function () {
+    var post = this.data();
+    if (post.status == STATUS_PENDING && !can.viewPendingPosts()) {
+      this.render(getTemplate('no_rights'));
+    } else {
+      this.next();
+    }
+  },
+
   canPost: function () {
     if(!this.ready() || Meteor.loggingIn()){
       this.render(getTemplate('loading'));
@@ -80,7 +89,7 @@ Router._filters = {
     }
   },
 
-  canEditPost: function() {
+  canEditPost: function () {
     if(!this.ready()) return;
     // Already subscribed to this post by route({waitOn: ...})
     var post = Posts.findOne(this.params._id);
@@ -92,7 +101,7 @@ Router._filters = {
     }
   },
 
-  canEditComment: function() {
+  canEditComment: function () {
     if(!this.ready()) return;
     // Already subscribed to this comment by CommentPageController
     var comment = Comments.findOne(this.params._id);
@@ -104,7 +113,7 @@ Router._filters = {
     }
   },
 
-  hasCompletedProfile: function() {
+  hasCompletedProfile: function () {
     if(!this.ready()) return;
     var user = Meteor.user();
     if (user && ! userProfileComplete(user)){
@@ -114,7 +123,7 @@ Router._filters = {
     }
   },
 
-  setTitle: function() {
+  setTitle: function () {
     // if getTitle is set, use it. Otherwise default to site title.
     var title = (typeof this.getTitle === 'function') ? this.getTitle() : getSetting("title", "Telescope");
     document.title = title;
@@ -160,6 +169,7 @@ Meteor.startup( function (){
 
     Router.onBeforeAction(filters.isReady);
     Router.onBeforeAction(filters.canView, {except: ['atSignIn', 'atSignUp', 'atForgotPwd', 'atResetPwd', 'signOut']});
+    Router.onBeforeAction(filters.canViewPendingPosts, {only: ['post_page']});
     Router.onBeforeAction(filters.hasCompletedProfile);
     Router.onBeforeAction(filters.isLoggedIn, {only: ['post_submit', 'post_edit', 'comment_edit']});
     Router.onBeforeAction(filters.isLoggedOut, {only: []});

packages/telescope-lib/lib/permissions.js

@@ -7,7 +7,7 @@ can = {};
 // user:                Defaults to Meteor.user()
 //
 // return true if all is well, false
-can.view = function(user) {
+can.view = function (user) {
   if (getSetting('requireViewInvite', false)) {
 
     if (Meteor.isClient) {
@@ -19,14 +19,20 @@ can.view = function(user) {
   }
   return true;
 };
-can.viewById = function(userId) {
+
+can.viewPendingPosts = function (user) {
+  user = (typeof user === 'undefined') ? Meteor.user() : user;
+  return isAdmin(user);
+};
+
+can.viewById = function (userId) {
   // if an invite is required to view, run permission check, else return true
   if (getSetting('requireViewInvite', false)) {
     return !!userId ? can.view(Meteor.users.findOne(userId)) : false;
   }
   return true;
 };
-can.post = function(user, returnError) {
+can.post = function (user, returnError) {
   user = (typeof user === 'undefined') ? Meteor.user() : user;
 
   if (!user) {
@@ -43,13 +49,13 @@ can.post = function(user, returnError) {
     return true;
   }
 };
-can.comment = function(user, returnError) {
+can.comment = function (user, returnError) {
   return can.post(user, returnError);
 };
-can.vote = function(user, returnError) {
+can.vote = function (user, returnError) {
   return can.post(user, returnError);
 };
-can.edit = function(user, item, returnError) {
+can.edit = function (user, item, returnError) {
   user = (typeof user === 'undefined') ? Meteor.user() : user;
 
   if (!user || !item || (user._id !== item.userId && !isAdmin(user))) {
@@ -58,13 +64,13 @@ can.edit = function(user, item, returnError) {
     return true;
   }
 };
-can.editById = function(userId, item) {
+can.editById = function (userId, item) {
   var user = Meteor.users.findOne(userId);
   return can.edit(user, item);
 };
-can.currentUserEdit = function(item) {
+can.currentUserEdit = function (item) {
   return can.edit(Meteor.user(), item);
 };
-can.invite = function(user) {
+can.invite = function (user) {
   return isInvited(user) || isAdmin(user);
 };