Skip to content

Commit

Permalink
Merge pull request #315 from creative-commoners/pulls/4.0/can-archive
Browse files Browse the repository at this point in the history
FIX Check canArchive() permission instead of canDelete()
  • Loading branch information
GuySartorelli authored Aug 7, 2024
2 parents 77a1497 + 05f0bd7 commit 04c0dab
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 7 deletions.
11 changes: 7 additions & 4 deletions src/Controllers/LinkFieldController.php
Original file line number Diff line number Diff line change
Expand Up @@ -127,17 +127,20 @@ private function getLinkData(Link $link): array
*/
public function linkDelete(): HTTPResponse
{
$link = $this->linkFromRequest();
if (!$link->canDelete()) {
$this->jsonError(403);
}
// Check security token on destructive operation
if (!SecurityToken::inst()->checkRequest($this->getRequest())) {
$this->jsonError(400);
}
$link = $this->linkFromRequest();
if ($link->hasExtension(Versioned::class)) {
if (!$link->canArchive()) {
$this->jsonError(403);
}
$link->doArchive();
} else {
if (!$link->canDelete()) {
$this->jsonError(403);
}
$link->delete();
}
// Send response
Expand Down
21 changes: 18 additions & 3 deletions tests/php/Controllers/LinkFieldControllerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
use SilverStripe\LinkField\Controllers\LinkFieldController;
use SilverStripe\LinkField\Tests\Models\LinkTest\LinkOwner;
use SilverStripe\Versioned\Versioned;
use SilverStripe\LinkField\Models\Link;

class LinkFieldControllerTest extends FunctionalTest
{
Expand Down Expand Up @@ -528,14 +529,20 @@ public function provideLinkData(): array
}

/**
* @dataProvider provideLinkDelete
* @dataProvider provideLinkArchive
*/
public function testLinkDelete(
public function testLinkArchive(
string $idType,
string $fail,
int $expectedCode
): void {
TestPhoneLink::$fail = $fail;
if ($fail == 'can-delete') {
// Remove the Versioned extension because there's logic in LinkFieldController
// to use either canArchive() or canDelete() based on the presence of the Versioned extension
// Note that you must remove the extension on the base class rather than a TestOnly subclass
Link::remove_extension(Versioned::class);
}
$owner = $this->getFixtureLinkOwner();
$ownerID = $owner->ID;
$ownerClass = urlencode($owner->ClassName);
Expand All @@ -560,16 +567,24 @@ public function testLinkDelete(
} else {
$this->assertNull(TestPhoneLink::get()->byID($fixtureID));
}
if ($fail == 'can-delete') {
Link::add_extension(Versioned::class);
}
}

public function provideLinkDelete(): array
public function provideLinkArchive(): array
{
return [
'Valid' => [
'idType' => 'existing',
'fail' => '',
'expectedCode' => 204,
],
'Reject fail canArchive()' => [
'idType' => 'existing',
'fail' => 'can-archive',
'expectedCode' => 403,
],
'Reject fail canDelete()' => [
'idType' => 'existing',
'fail' => 'can-delete',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,11 @@ public function canDelete($member = null)
return TestPhoneLink::$fail !== 'can-delete';
}

public function canArchive($member = null)
{
return TestPhoneLink::$fail !== 'can-archive';
}

public function validate(): ValidationResult
{
$validationResult = parent::validate();
Expand Down

0 comments on commit 04c0dab

Please sign in to comment.