hiro/Vulcan
1
0
Fork 0
mirror of https://github.com/vale981/Vulcan synced 2025-03-06 10:01:40 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

adding permission check for post and comment edit

Browse source
This commit is contained in:
Sacha Greif 2012-10-10 10:48:14 +09:00
parent 1b4d48577c
commit b3c932b2ab
9 changed files with 105 additions and 60 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
client/app.js
View file

@ -127,4 +127,11 @@ Handlebars.registerHelper('isAdmin', function(showError) {
throwError('Sorry, you do not have access to this page');
return false;
}
});
Handlebars.registerHelper('canEdit', function(collectionName, action) {
var action = (typeof action !== 'string') ? null : action;
var collection = (typeof collectionName !== 'string') ? Posts : eval(collectionName);
var itemId = (collectionName==="Posts") ? Session.get('selectedPostId') : Session.get('selectedCommentId');
var item=collection.findOne(itemId);
return item && canEdit(Meteor.user(), item, action);
});

34
client/views/comments/comment_edit.html
View file

@ -1,18 +1,20 @@
<template name="comment_edit">
<div class="grid submit">
{{#with comment}}
<form class="grid-block form-horizontal">
{{#constant}}
<div class="control-group">
<label class="control-label">Comment</label>
<div class="controls" id="editor"><textarea id="body" value="" class="input-xlarge">{{body}}</textarea></div>
</div>
{{/constant}}
<div class="form-actions">
<a class="delete-link" href="/comments/deleted">Delete Comment</a>
<input type="submit" value="Submit" title="(⌘+enter)" />
</div>
</form>
{{/with}}
</div>
{{#if canEdit Comments replace}}
<div class="grid submit">
{{#with comment}}
<form class="grid-block form-horizontal">
{{#constant}}
<div class="control-group">
<label class="control-label">Comment</label>
<div class="controls" id="editor"><textarea id="body" value="" class="input-xlarge">{{body}}</textarea></div>
</div>
{{/constant}}
<div class="form-actions">
<a class="delete-link" href="/comments/deleted">Delete Comment</a>
<input type="submit" value="Submit" title="(⌘+enter)" />
</div>
</form>
{{/with}}
</div>
{{/if}}
</template>

2
client/views/errors/no_rights.html Normal file
View file

@ -0,0 +1,2 @@
<template name="no_rights">
</template>

0
client/views/errors/no_rights.js Normal file
View file

78
client/views/posts/post_edit.html
View file

@ -1,42 +1,44 @@
<template name="post_edit">
<div class="grid submit">
{{#with post}}
<form class="grid-block form-horizontal">
<div class="control-group">
<label class="control-label">Title</label>
<div class="controls"><input id="title" type="text" value="{{headline}}" /></div>
</div>
<div class="control-group">
<label class="control-label">URL</label>
<div class="controls"><input id="url" type="text" value="{{url}}" /></div>
</div>
<div class="control-group">
<label class="control-label">Body</label>
<div class="controls" id="editor"><textarea id="body" value="" class="input-xlarge">{{body}}</textarea></div>
</div>
<div class="control-group">
<label class="control-label">Category</label>
<div class="controls">
{{#each categories}}
<label class="radio inline">
<input id="category_{{_id}}" type="checkbox" value="{{name}}" name="category" {{#if isChecked }} checked {{/if}}/> {{name}}
</label>
{{/each}}
{{#if canEdit "Posts" "replace"}}
<div class="grid submit">
{{#with post}}
<form class="grid-block form-horizontal">
<div class="control-group">
<label class="control-label">Title</label>
<div class="controls"><input id="title" type="text" value="{{headline}}" /></div>
</div>
</div>
{{#if currentUser.isAdmin}}
<div class="control-group">
<label class="control-label">Sticky?</label>
<div class="controls">
<input type="radio" name="sticky" id="sticky" {{#if sticky}}checked{{/if}} />
</div>
<div class="control-group">
<label class="control-label">URL</label>
<div class="controls"><input id="url" type="text" value="{{url}}" /></div>
</div>
<div class="control-group">
<label class="control-label">Body</label>
<div class="controls" id="editor"><textarea id="body" value="" class="input-xlarge">{{body}}</textarea></div>
</div>
<div class="control-group">
<label class="control-label">Category</label>
<div class="controls">
{{#each categories}}
<label class="radio inline">
<input id="category_{{_id}}" type="checkbox" value="{{name}}" name="category" {{#if isChecked }} checked {{/if}}/> {{name}}
</label>
{{/each}}
</div>
{{/if}}
<div class="form-actions">
<a class="delete-link" href="/posts/deleted">Delete Post</a>
<input type="submit" value="Submit" />
</div>
</form>
{{/with}}
</div>
</div>
{{#if isAdmin}}
<div class="control-group">
<label class="control-label">Sticky?</label>
<div class="controls">
<input type="radio" name="sticky" id="sticky" {{#if sticky}}checked{{/if}} />
</div>
</div>
{{/if}}
<div class="form-actions">
<a class="delete-link" href="/posts/deleted">Delete Post</a>
<input type="submit" value="Submit" />
</div>
</form>
{{/with}}
</div>
{{/if}}
</template>

17
client/views/posts/post_edit.js
View file

@ -50,7 +50,10 @@ Template.post_edit.rendered = function(){
Template.post_edit.events = {
'click input[type=submit]': function(e, instance){
e.preventDefault();
if(!Meteor.user()) throw 'You must be logged in.';
if(!Meteor.user()){
throwError('You must be logged in.');
return false;
}
var selectedPostId=Session.get('selectedPostId');
var title= $('#title').val();
@ -75,11 +78,15 @@ Template.post_edit.events = {
, categories: categories
}
}
,function(error){
if(error){
throwError(error.reason);
}else{
trackEvent("edit post", {'postId': selectedPostId});
Router.navigate("posts/"+selectedPostId, {trigger:true});
}
}
);
trackEvent("edit post", {'postId': selectedPostId});
Router.navigate("posts/"+selectedPostId, {trigger:true});
}
, 'click .delete-link': function(e){

2
common/post.js
View file

@ -13,7 +13,7 @@ Meteor.methods({
post = _.extend(post, {
userId: user._id,
author: user.username,
author: getDisplayName(user),
submitted: new Date().getTime(),
votes: 0,
comments: 0,

21
common/users.js
View file

@ -153,4 +153,25 @@ canDownvote = function(user, collection, action){
var user=(typeof user === 'undefined') ? Meteor.user() : user;
var action=(typeof action === 'undefined') ? null : action;
return canPost(user, action);
}
canEdit = function(user, item, action){
var user=(typeof user === 'undefined') ? Meteor.user() : user;
var action=(typeof action === 'undefined') ? null : action;
try{
if(!user || !item || user._id!==item.userId){
throw "no_rights";
}else{
return true;
}
}catch(error){
if(action){
switch(error){
case "no_rights":
throwError("Sorry, you do not have the rights to edit this item.");
action=='replace' ? Router.goto('no_rights') : Router.navigate('no_rights', {trigger : true});
break;
}
}
return false;
}
}

4
server/publish.js
View file

@ -80,12 +80,14 @@ Meteor.startup(function(){
if(isAdminById(userId) || (docs[0].user_id && docs[0].user_id==userId)){
return true;
}
throw new Meteor.Error(403, 'You do not have permission to edit this post');
return false;
}
, remove: function(userId, docs){
if(isAdminById(userId) || (docs[0].user_id && docs[0].user_id==userId)){
return true;
}
throw new Meteor.Error(403, 'You do not have permission to delete this post');
return false; }
});
});
@ -110,11 +112,13 @@ Meteor.startup(function(){
if(isAdminById(userId) || (docs[0].user_id && docs[0].user_id==userId)){
return true;
}
throw new Meteor.Error(403, 'You do not have permission to edit this comment');
return false;
}
, remove: function(userId, docs){
if(isAdminById(userId) || (docs[0].user_id && docs[0].user_id==userId)){
return true;
throw new Meteor.Error(403, 'You do not have permission to delete this comment');
}
return false;
}