New permission added: protect wiki pages. Once a page is protected, it can be edited/renamed/deleted only by users who have this permission. git-svn-id: http://redmine.rubyforge.org/svn/trunk@1415 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/0.8.0-RC1
@@ -21,7 +21,7 @@ class WikiController < ApplicationController | |||
layout 'base' | |||
before_filter :find_wiki, :authorize | |||
verify :method => :post, :only => [:destroy, :destroy_attachment], :redirect_to => { :action => :index } | |||
verify :method => :post, :only => [:destroy, :destroy_attachment, :protect], :redirect_to => { :action => :index } | |||
helper :attachments | |||
include AttachmentsHelper | |||
@@ -48,12 +48,14 @@ class WikiController < ApplicationController | |||
send_data(@content.text, :type => 'text/plain', :filename => "#{@page.title}.txt") | |||
return | |||
end | |||
@editable = editable? | |||
render :action => 'show' | |||
end | |||
# edit an existing page or a new one | |||
def edit | |||
@page = @wiki.find_or_new_page(params[:page]) | |||
return render_403 unless editable? | |||
@page.content = WikiContent.new(:page => @page) if @page.new_record? | |||
@content = @page.content_for_version(params[:version]) | |||
@@ -82,7 +84,8 @@ class WikiController < ApplicationController | |||
# rename a page | |||
def rename | |||
@page = @wiki.find_page(params[:page]) | |||
@page = @wiki.find_page(params[:page]) | |||
return render_403 unless editable? | |||
@page.redirect_existing_links = true | |||
# used to display the *original* title if some AR validation errors occur | |||
@original_title = @page.pretty_title | |||
@@ -92,6 +95,12 @@ class WikiController < ApplicationController | |||
end | |||
end | |||
def protect | |||
page = @wiki.find_page(params[:page]) | |||
page.update_attribute :protected, params[:protected] | |||
redirect_to :action => 'index', :id => @project, :page => page.title | |||
end | |||
# show page history | |||
def history | |||
@page = @wiki.find_page(params[:page]) | |||
@@ -122,6 +131,7 @@ class WikiController < ApplicationController | |||
# remove a wiki page and its history | |||
def destroy | |||
@page = @wiki.find_page(params[:page]) | |||
return render_403 unless editable? | |||
@page.destroy if @page | |||
redirect_to :action => 'special', :id => @project, :page => 'Page_index' | |||
end | |||
@@ -152,6 +162,7 @@ class WikiController < ApplicationController | |||
def preview | |||
page = @wiki.find_page(params[:page]) | |||
return render_403 unless editable?(page) | |||
@attachements = page.attachments if page | |||
@text = params[:content][:text] | |||
render :partial => 'common/preview' | |||
@@ -159,12 +170,14 @@ class WikiController < ApplicationController | |||
def add_attachment | |||
@page = @wiki.find_page(params[:page]) | |||
return render_403 unless editable? | |||
attach_files(@page, params[:attachments]) | |||
redirect_to :action => 'index', :page => @page.title | |||
end | |||
def destroy_attachment | |||
@page = @wiki.find_page(params[:page]) | |||
return render_403 unless editable? | |||
@page.attachments.find(params[:attachment_id]).destroy | |||
redirect_to :action => 'index', :page => @page.title | |||
end | |||
@@ -178,4 +191,9 @@ private | |||
rescue ActiveRecord::RecordNotFound | |||
render_404 | |||
end | |||
# Returns true if the current user is allowed to edit the page, otherwise false | |||
def editable?(page = @page) | |||
page.editable_by?(User.current) | |||
end | |||
end |
@@ -105,6 +105,11 @@ class WikiPage < ActiveRecord::Base | |||
def text | |||
content.text if content | |||
end | |||
# Returns true if usr is allowed to edit the page, otherwise false | |||
def editable_by?(usr) | |||
!protected? || usr.allowed_to?(:protect_wiki_pages, wiki.project) | |||
end | |||
end | |||
class WikiDiff |
@@ -1,8 +1,12 @@ | |||
<div class="contextual"> | |||
<% if @editable %> | |||
<%= link_to_if_authorized(l(:button_edit), {:action => 'edit', :page => @page.title}, :class => 'icon icon-edit', :accesskey => accesskey(:edit)) if @content.version == @page.content.version %> | |||
<%= link_to_if_authorized(l(:button_lock), {:action => 'protect', :page => @page.title, :protected => 1}, :method => :post, :class => 'icon icon-lock') if !@page.protected? %> | |||
<%= link_to_if_authorized(l(:button_unlock), {:action => 'protect', :page => @page.title, :protected => 0}, :method => :post, :class => 'icon icon-unlock') if @page.protected? %> | |||
<%= link_to_if_authorized(l(:button_rename), {:action => 'rename', :page => @page.title}, :class => 'icon icon-move') if @content.version == @page.content.version %> | |||
<%= link_to_if_authorized(l(:button_delete), {:action => 'destroy', :page => @page.title}, :method => :post, :confirm => l(:text_are_you_sure), :class => 'icon icon-del') %> | |||
<%= link_to_if_authorized(l(:button_rollback), {:action => 'edit', :page => @page.title, :version => @content.version }, :class => 'icon icon-cancel') if @content.version < @page.content.version %> | |||
<% end %> | |||
<%= link_to(l(:label_history), {:action => 'history', :page => @page.title}, :class => 'icon icon-history') %> | |||
</div> | |||
@@ -22,9 +26,9 @@ | |||
<%= render(:partial => "wiki/content", :locals => {:content => @content}) %> | |||
<%= link_to_attachments @page.attachments, :delete_url => (authorize_for('wiki', 'destroy_attachment') ? {:controller => 'wiki', :action => 'destroy_attachment', :page => @page.title} : nil) %> | |||
<%= link_to_attachments @page.attachments, :delete_url => ((@editable && authorize_for('wiki', 'destroy_attachment')) ? {:controller => 'wiki', :action => 'destroy_attachment', :page => @page.title} : nil) %> | |||
<% if authorize_for('wiki', 'add_attachment') %> | |||
<% if @editable && authorize_for('wiki', 'add_attachment') %> | |||
<p><%= link_to l(:label_attachment_new), {}, :onclick => "Element.show('add_attachment_form'); Element.hide(this); Element.scrollTo('add_attachment_form'); return false;", | |||
:id => 'attach_files_link' %></p> | |||
<% form_tag({ :controller => 'wiki', :action => 'add_attachment', :page => @page.title }, :multipart => true, :id => "add_attachment_form", :style => "display:none;") do %> |
@@ -0,0 +1,9 @@ | |||
class AddWikiPagesProtected < ActiveRecord::Migration | |||
def self.up | |||
add_column :wiki_pages, :protected, :boolean, :default => false, :null => false | |||
end | |||
def self.down | |||
remove_column :wiki_pages, :protected | |||
end | |||
end |
@@ -76,6 +76,7 @@ Redmine::AccessControl.map do |map| | |||
map.permission :delete_wiki_pages, {:wiki => :destroy}, :require => :member | |||
map.permission :view_wiki_pages, :wiki => [:index, :history, :diff, :annotate, :special] | |||
map.permission :edit_wiki_pages, :wiki => [:edit, :preview, :add_attachment, :destroy_attachment] | |||
map.permission :protect_wiki_pages, {:wiki => :protect}, :require => :member | |||
end | |||
map.project_module :repository do |map| |
@@ -29,6 +29,7 @@ roles_001: | |||
- :manage_documents | |||
- :view_wiki_pages | |||
- :edit_wiki_pages | |||
- :protect_wiki_pages | |||
- :delete_wiki_pages | |||
- :rename_wiki_pages | |||
- :add_messages | |||
@@ -69,6 +70,7 @@ roles_002: | |||
- :manage_documents | |||
- :view_wiki_pages | |||
- :edit_wiki_pages | |||
- :protect_wiki_pages | |||
- :delete_wiki_pages | |||
- :add_messages | |||
- :manage_boards |
@@ -4,19 +4,23 @@ wiki_pages_001: | |||
title: CookBook_documentation | |||
id: 1 | |||
wiki_id: 1 | |||
protected: true | |||
wiki_pages_002: | |||
created_on: 2007-03-08 00:18:07 +01:00 | |||
title: Another_page | |||
id: 2 | |||
wiki_id: 1 | |||
protected: false | |||
wiki_pages_003: | |||
created_on: 2007-03-08 00:18:07 +01:00 | |||
title: Start_page | |||
id: 3 | |||
wiki_id: 2 | |||
protected: false | |||
wiki_pages_004: | |||
created_on: 2007-03-08 00:18:07 +01:00 | |||
title: Page_with_an_inline_image | |||
id: 4 | |||
wiki_id: 1 | |||
protected: false | |||
@@ -160,4 +160,60 @@ class WikiControllerTest < Test::Unit::TestCase | |||
get :index, :id => 999 | |||
assert_response 404 | |||
end | |||
def test_protect_page | |||
page = WikiPage.find_by_wiki_id_and_title(1, 'Another_page') | |||
assert !page.protected? | |||
@request.session[:user_id] = 2 | |||
post :protect, :id => 1, :page => page.title, :protected => '1' | |||
assert_redirected_to 'wiki/ecookbook/Another_page' | |||
assert page.reload.protected? | |||
end | |||
def test_unprotect_page | |||
page = WikiPage.find_by_wiki_id_and_title(1, 'CookBook_documentation') | |||
assert page.protected? | |||
@request.session[:user_id] = 2 | |||
post :protect, :id => 1, :page => page.title, :protected => '0' | |||
assert_redirected_to 'wiki/ecookbook' | |||
assert !page.reload.protected? | |||
end | |||
def test_show_page_with_edit_link | |||
@request.session[:user_id] = 2 | |||
get :index, :id => 1 | |||
assert_response :success | |||
assert_template 'show' | |||
assert_tag :tag => 'a', :attributes => { :href => '/wiki/1/CookBook_documentation/edit' } | |||
end | |||
def test_show_page_without_edit_link | |||
@request.session[:user_id] = 4 | |||
get :index, :id => 1 | |||
assert_response :success | |||
assert_template 'show' | |||
assert_no_tag :tag => 'a', :attributes => { :href => '/wiki/1/CookBook_documentation/edit' } | |||
end | |||
def test_edit_unprotected_page | |||
# Non members can edit unprotected wiki pages | |||
@request.session[:user_id] = 4 | |||
get :edit, :id => 1, :page => 'Another_page' | |||
assert_response :success | |||
assert_template 'edit' | |||
end | |||
def test_edit_protected_page_by_nonmember | |||
# Non members can't edit protected wiki pages | |||
@request.session[:user_id] = 4 | |||
get :edit, :id => 1, :page => 'CookBook_documentation' | |||
assert_response 403 | |||
end | |||
def test_edit_protected_page_by_member | |||
@request.session[:user_id] = 2 | |||
get :edit, :id => 1, :page => 'CookBook_documentation' | |||
assert_response :success | |||
assert_template 'edit' | |||
end | |||
end |