diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb index 53c5ec53b..44113ebf3 100644 --- a/app/controllers/wiki_controller.rb +++ b/app/controllers/wiki_controller.rb @@ -21,7 +21,7 @@ class WikiController < ApplicationController layout 'base' before_filter :find_wiki, :authorize - verify :method => :post, :only => [:destroy, :destroy_attachment], :redirect_to => { :action => :index } + verify :method => :post, :only => [:destroy, :destroy_attachment, :protect], :redirect_to => { :action => :index } helper :attachments include AttachmentsHelper @@ -48,12 +48,14 @@ class WikiController < ApplicationController send_data(@content.text, :type => 'text/plain', :filename => "#{@page.title}.txt") return end + @editable = editable? render :action => 'show' end # edit an existing page or a new one def edit @page = @wiki.find_or_new_page(params[:page]) + return render_403 unless editable? @page.content = WikiContent.new(:page => @page) if @page.new_record? @content = @page.content_for_version(params[:version]) @@ -82,7 +84,8 @@ class WikiController < ApplicationController # rename a page def rename - @page = @wiki.find_page(params[:page]) + @page = @wiki.find_page(params[:page]) + return render_403 unless editable? @page.redirect_existing_links = true # used to display the *original* title if some AR validation errors occur @original_title = @page.pretty_title @@ -92,6 +95,12 @@ class WikiController < ApplicationController end end + def protect + page = @wiki.find_page(params[:page]) + page.update_attribute :protected, params[:protected] + redirect_to :action => 'index', :id => @project, :page => page.title + end + # show page history def history @page = @wiki.find_page(params[:page]) @@ -122,6 +131,7 @@ class WikiController < ApplicationController # remove a wiki page and its history def destroy @page = @wiki.find_page(params[:page]) + return render_403 unless editable? @page.destroy if @page redirect_to :action => 'special', :id => @project, :page => 'Page_index' end @@ -152,6 +162,7 @@ class WikiController < ApplicationController def preview page = @wiki.find_page(params[:page]) + return render_403 unless editable?(page) @attachements = page.attachments if page @text = params[:content][:text] render :partial => 'common/preview' @@ -159,12 +170,14 @@ class WikiController < ApplicationController def add_attachment @page = @wiki.find_page(params[:page]) + return render_403 unless editable? attach_files(@page, params[:attachments]) redirect_to :action => 'index', :page => @page.title end def destroy_attachment @page = @wiki.find_page(params[:page]) + return render_403 unless editable? @page.attachments.find(params[:attachment_id]).destroy redirect_to :action => 'index', :page => @page.title end @@ -178,4 +191,9 @@ private rescue ActiveRecord::RecordNotFound render_404 end + + # Returns true if the current user is allowed to edit the page, otherwise false + def editable?(page = @page) + page.editable_by?(User.current) + end end diff --git a/app/models/wiki_page.rb b/app/models/wiki_page.rb index 8ce71cb80..95750f37b 100644 --- a/app/models/wiki_page.rb +++ b/app/models/wiki_page.rb @@ -105,6 +105,11 @@ class WikiPage < ActiveRecord::Base def text content.text if content end + + # Returns true if usr is allowed to edit the page, otherwise false + def editable_by?(usr) + !protected? || usr.allowed_to?(:protect_wiki_pages, wiki.project) + end end class WikiDiff diff --git a/app/views/wiki/show.rhtml b/app/views/wiki/show.rhtml index e4413d090..8092525bd 100644 --- a/app/views/wiki/show.rhtml +++ b/app/views/wiki/show.rhtml @@ -1,8 +1,12 @@
<%= link_to l(:label_attachment_new), {}, :onclick => "Element.show('add_attachment_form'); Element.hide(this); Element.scrollTo('add_attachment_form'); return false;", :id => 'attach_files_link' %>
<% form_tag({ :controller => 'wiki', :action => 'add_attachment', :page => @page.title }, :multipart => true, :id => "add_attachment_form", :style => "display:none;") do %> diff --git a/db/migrate/093_add_wiki_pages_protected.rb b/db/migrate/093_add_wiki_pages_protected.rb new file mode 100644 index 000000000..49720fbb7 --- /dev/null +++ b/db/migrate/093_add_wiki_pages_protected.rb @@ -0,0 +1,9 @@ +class AddWikiPagesProtected < ActiveRecord::Migration + def self.up + add_column :wiki_pages, :protected, :boolean, :default => false, :null => false + end + + def self.down + remove_column :wiki_pages, :protected + end +end diff --git a/lib/redmine.rb b/lib/redmine.rb index cef2615df..b21f5716d 100644 --- a/lib/redmine.rb +++ b/lib/redmine.rb @@ -76,6 +76,7 @@ Redmine::AccessControl.map do |map| map.permission :delete_wiki_pages, {:wiki => :destroy}, :require => :member map.permission :view_wiki_pages, :wiki => [:index, :history, :diff, :annotate, :special] map.permission :edit_wiki_pages, :wiki => [:edit, :preview, :add_attachment, :destroy_attachment] + map.permission :protect_wiki_pages, {:wiki => :protect}, :require => :member end map.project_module :repository do |map| diff --git a/public/images/locked.png b/public/images/locked.png index c2789e35c..82d629961 100644 Binary files a/public/images/locked.png and b/public/images/locked.png differ diff --git a/public/images/unlock.png b/public/images/unlock.png index e0d414978..f15fead72 100644 Binary files a/public/images/unlock.png and b/public/images/unlock.png differ diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml index 1ede6fca9..e7b142268 100644 --- a/test/fixtures/roles.yml +++ b/test/fixtures/roles.yml @@ -29,6 +29,7 @@ roles_001: - :manage_documents - :view_wiki_pages - :edit_wiki_pages + - :protect_wiki_pages - :delete_wiki_pages - :rename_wiki_pages - :add_messages @@ -69,6 +70,7 @@ roles_002: - :manage_documents - :view_wiki_pages - :edit_wiki_pages + - :protect_wiki_pages - :delete_wiki_pages - :add_messages - :manage_boards diff --git a/test/fixtures/wiki_pages.yml b/test/fixtures/wiki_pages.yml index f89832e44..ef7242430 100644 --- a/test/fixtures/wiki_pages.yml +++ b/test/fixtures/wiki_pages.yml @@ -4,19 +4,23 @@ wiki_pages_001: title: CookBook_documentation id: 1 wiki_id: 1 + protected: true wiki_pages_002: created_on: 2007-03-08 00:18:07 +01:00 title: Another_page id: 2 wiki_id: 1 + protected: false wiki_pages_003: created_on: 2007-03-08 00:18:07 +01:00 title: Start_page id: 3 wiki_id: 2 + protected: false wiki_pages_004: created_on: 2007-03-08 00:18:07 +01:00 title: Page_with_an_inline_image id: 4 wiki_id: 1 + protected: false \ No newline at end of file diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb index bf31e6614..8688c2e03 100644 --- a/test/functional/wiki_controller_test.rb +++ b/test/functional/wiki_controller_test.rb @@ -160,4 +160,60 @@ class WikiControllerTest < Test::Unit::TestCase get :index, :id => 999 assert_response 404 end + + def test_protect_page + page = WikiPage.find_by_wiki_id_and_title(1, 'Another_page') + assert !page.protected? + @request.session[:user_id] = 2 + post :protect, :id => 1, :page => page.title, :protected => '1' + assert_redirected_to 'wiki/ecookbook/Another_page' + assert page.reload.protected? + end + + def test_unprotect_page + page = WikiPage.find_by_wiki_id_and_title(1, 'CookBook_documentation') + assert page.protected? + @request.session[:user_id] = 2 + post :protect, :id => 1, :page => page.title, :protected => '0' + assert_redirected_to 'wiki/ecookbook' + assert !page.reload.protected? + end + + def test_show_page_with_edit_link + @request.session[:user_id] = 2 + get :index, :id => 1 + assert_response :success + assert_template 'show' + assert_tag :tag => 'a', :attributes => { :href => '/wiki/1/CookBook_documentation/edit' } + end + + def test_show_page_without_edit_link + @request.session[:user_id] = 4 + get :index, :id => 1 + assert_response :success + assert_template 'show' + assert_no_tag :tag => 'a', :attributes => { :href => '/wiki/1/CookBook_documentation/edit' } + end + + def test_edit_unprotected_page + # Non members can edit unprotected wiki pages + @request.session[:user_id] = 4 + get :edit, :id => 1, :page => 'Another_page' + assert_response :success + assert_template 'edit' + end + + def test_edit_protected_page_by_nonmember + # Non members can't edit protected wiki pages + @request.session[:user_id] = 4 + get :edit, :id => 1, :page => 'CookBook_documentation' + assert_response 403 + end + + def test_edit_protected_page_by_member + @request.session[:user_id] = 2 + get :edit, :id => 1, :page => 'CookBook_documentation' + assert_response :success + assert_template 'edit' + end end