Merge branch 'master' into devel

.meteor/packages

@@ -84,6 +84,6 @@ telescope-post-by-feed
 telescope-releases
 telescope-getting-started
 telescope-subscribe-to-posts
+telescope-tagline-banner
 
 # Custom Packages
-telescope-tagline-banner

History.md

@@ -12,6 +12,7 @@
 * You can now assign a category to posts generated from feeds (thanks @Accentax!).
 * Use tagline as title on homepage.
 * Refactor default view route controller code. 
+* Fixed security issue with post editing.
 
 ## v0.14.0 “GridScope”
 

collections/posts.js

@@ -429,13 +429,13 @@ Meteor.methods({
     // userId
     // sticky (default to false)
 
-    // if user is not admin, go over each schema property and clear it if it's not editable
+    // if user is not admin, go over each schema property and throw an error if it's not editable
     if (!hasAdminRights) {
       _.keys(post).forEach(function (propertyName) {
         var property = postSchemaObject[propertyName];
         if (!property || !property.autoform || !property.autoform.editable) {
-          console.log("// Disallowed property detected: "+propertyName+" (nice try!)");
+          console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName);
-          delete post[propertyName]
+          throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName);
         }
       });
     }
@@ -455,7 +455,8 @@ Meteor.methods({
 
   editPost: function (post, modifier, postId) {
 
-    var user = Meteor.user();
+    var user = Meteor.user(),
+        hasAdminRights = isAdmin(user);
 
     // ------------------------------ Checks ------------------------------ //
 
@@ -463,6 +464,21 @@ Meteor.methods({
     if (!user || !can.edit(user, Posts.findOne(postId)))
       throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_post'));
 
+    // if user is not admin, go over each schema property and throw an error if it's not editable
+    if (!hasAdminRights) {
+      // loop over each operation ($set, $unset, etc.)
+      _.each(modifier, function (operation) {
+        // loop over each property being operated on
+        _.keys(operation).forEach(function (propertyName) {
+          var property = postSchemaObject[propertyName];
+          if (!property || !property.autoform || !property.autoform.editable) {
+            console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName);
+            throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName);
+          }
+        });
+      });
+    }
+
     // ------------------------------ Callbacks ------------------------------ //
 
     // run all post submit server callbacks on modifier successively

i18n/en.i18n.json

@@ -115,6 +115,7 @@
   "sorry_you_do_not_have_the_rights_to_comments": "Sorry, you do not have the rights to leave comments at this time.",
   "not_found": "Not Found!",
   "were_sorry_whatever_you_were_looking_for_isnt_here": "We're sorry; whatever you were looking for isn't here..",
+  "disallowed_property_detected": "Disallowed property detected",
   
   //Notifications
   "no_notifications": "No notifications",

lib/router/posts.js

@@ -75,17 +75,22 @@ PostsListController = RouteController.extend({
   fastRender: true
 });
 
+var getDefaultViewController = function () {
+  var defaultView = getSetting('defaultView', 'top');
+  defaultView = defaultView.charAt(0).toUpperCase() + defaultView.slice(1);
+  return eval("Posts"+defaultView+"Controller");
+};
+
 // wrap in startup block to make sure Settings collection is defined
 Meteor.startup(function () {
 
-  PostsDefaultController = PostsListController.extend({
+  PostsDefaultController = getDefaultViewController().extend({
     getTitle: function () {
       var title = getSetting('title', 'Telescope');
       var tagline = getSetting('tagline');
       var fullTitle = !!tagline ? title + ' – ' + tagline : title ;
       return fullTitle;
-    },
+    }
-    view: getSetting('defaultView', 'top')
   });
 
 });

lib/version.js

@@ -1 +1 @@
-telescopeVersion = "0.14.0";
+telescopeVersion = "0.14.1";

packages/telescope-notifications/package.js

@@ -11,7 +11,7 @@ Package.onUse(function (api) {
     'telescope-base',
     'telescope-email',
     'iron:router',
-    'kestanous:herald@1.1.3',
+    'kestanous:herald@1.2.0',
     'kestanous:herald-email',
     'tap:i18n'
   ], ['client', 'server']);

packages/telescope-releases/lib/server/import_releases.js

@@ -26,6 +26,7 @@ Meteor.startup(function () {
   importRelease('0.12.0');
   importRelease('0.13.0');
   importRelease('0.14.0');
+  importRelease('0.14.1');
   
   // if this is before the first run, mark all release notes as read to avoid showing them
   if (!Events.findOne({name: 'firstRun'})) {

packages/telescope-releases/package.js

@@ -71,6 +71,7 @@ Package.onUse(function (api) {
   api.addFiles('releases/0.12.0.md', 'server', { isAsset: true });
   api.addFiles('releases/0.13.0.md', 'server', { isAsset: true });
   api.addFiles('releases/0.14.0.md', 'server', { isAsset: true });
+  api.addFiles('releases/0.14.1.md', 'server', { isAsset: true });
 
   // i18n languages (must come last)
 

packages/telescope-releases/releases/0.14.1.md

@@ -0,0 +1,14 @@
+### v0.14.1 “TaglineScope”
+
+* Fix double notification bug. 
+* Fix singleday view bug.
+* Fix post approval date bug.
+* Don't let non-admins access pending posts.
+* Give search field a border on white backgrounds.
+* Spanish, Brazilian, Turkish, Vietnamese, Polish translations (thanks everybody!).
+* Do not put comment reply page behind log-in wall.
+* Various CSS tweaks.
+* Added tagline banner package.
+* You can now assign a category to posts generated from feeds (thanks @Accentax!).
+* Use tagline as title on homepage.
+* Refactor default view route controller code. 

packages/telescope-tagline-banner/lib/client/stylesheets/tagline_banner.scss

@@ -15,28 +15,7 @@ $medium-break: 50em;
 .tagline{
   text-align: center;
   margin: 30px 0 20px 0;
-  position: relative;
-  overflow: hidden;
   text-align: center;
-  font-size: 19px;
+  font-size: 22px;
   font-weight: normal;
-  span{
-    position: relative;
-    display: inline-block;
-    background: #EEEEEE;
-    margin: 0 auto;
-    z-index: 100;
-    padding: 0 15px;
-  }
-  &:after{
-    position: absolute;
-    content: " ";
-    display: block;
-    top: 50%;
-    left: 0px;
-    height: 1px;
-    background: rgba(0,0,0,0.2);
-    width: 100%;
-    z-index: 10;
-  }
 }

packages/telescope-tagline-banner/lib/client/templates/tagline_banner.html

@@ -1,5 +1,5 @@
 <template name="taglineBanner">
-{{#if showBanner}}
+{{#if showTaglineBanner}}
   <h3 class="grid tagline"><span>{{getSetting "tagline"}}</span></h3>
 {{/if}}
 </template>

packages/telescope-tagline-banner/lib/client/templates/tagline_banner.js

@@ -1,6 +1,6 @@
 Template[getTemplate('taglineBanner')].helpers({
-  showBanner: function () {
+  showTaglineBanner: function () {
-    return Router.current().location.get().path == '/' && !!getSetting('tagline') && !!getSetting('showTagline');
+    return Router.current().location.get().path == '/' && !!getSetting('tagline') && !!getSetting('showTaglineBanner');
   }
 });