From 43f8d697965354855af0988a88242885c734ae3a Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 14 Feb 2018 15:00:21 +0100
Subject: [news] Use permission helpers; make inputs readonly if no permission
 to edit

---
 modules-available/news/page.inc.php             | 80 ++++++++++++-------------
 modules-available/news/templates/page-news.html | 15 ++---
 2 files changed, 46 insertions(+), 49 deletions(-)

diff --git a/modules-available/news/page.inc.php b/modules-available/news/page.inc.php
index 399fc307..f6f3d251 100644
--- a/modules-available/news/page.inc.php
+++ b/modules-available/news/page.inc.php
@@ -71,41 +71,37 @@ class Page_News extends Page
             /* find out whether it's news or help */
             $pageType = Request::post('news-type');
 
-            if ($pageType == 'news') {
-            	if (User::hasPermission("news.save")) {
-						if (!$this->saveNews()) {
-							// re-set the fields we got
-							Request::post('news-title') ? $this->newsTitle = Request::post('news-title') : $this->newsTitle = false;
-							Request::post('news-content') ? $this->newsContent = Request::post('news-content') : $this->newsContent = false;
-						} else {
-							Message::addSuccess('news-save-success');
-							$lastId = Database::lastInsertId();
-							Util::redirect("?do=News&newsid=$lastId");
-						}
+            if ($pageType === 'news') {
+            	User::assertPermission("news.save");
+					if (!$this->saveNews()) {
+						// re-set the fields we got
+						$this->newsTitle = Request::post('news-title', false, 'string');
+						$this->newsContent = Request::post('news-content', false, 'string');
+					} else {
+						Message::addSuccess('news-save-success');
+						$lastId = Database::lastInsertId();
+						Util::redirect("?do=News&newsid=$lastId");
 					}
-            } elseif ($pageType == 'help') {
-            	if (User::hasPermission("help.save")) {
-						if ($this->saveHelp()) {
-							Message::addSuccess('help-save-success');
-							$lastId = Database::lastInsertId();
-							Util::redirect("?do=News&newsid=$lastId");
-						}
+            } elseif ($pageType === 'help') {
+            	User::assertPermission("help.save");
+					if ($this->saveHelp()) {
+						Message::addSuccess('help-save-success');
+						$lastId = Database::lastInsertId();
+						Util::redirect("?do=News&newsid=$lastId");
 					}
             }
         } elseif ($action === 'delete') {
             // delete it
 			  $pageType = Request::post('news-type');
 
-			  if ($pageType == 'news') {
-			  		if(User::hasPermission("news.delete")) {
-						$this->delNews(Request::post('newsid'));
-						Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
-					}
-			  } elseif ($pageType == 'help') {
-			  		if(User::hasPermission("help.delete")) {
-						$this->delNews(Request::post('newsid'));
-						Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
-					}
+			  if ($pageType === 'news') {
+			  		User::assertPermission("news.delete");
+					$this->delNews(Request::post('newsid'));
+					Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+			  } elseif ($pageType === 'help') {
+			  		User::assertPermission("help.delete");
+					$this->delNews(Request::post('newsid'));
+					Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
 			  }
         } else {
             // unknown action, redirect user
@@ -146,20 +142,20 @@ class Page_News extends Page
             $linesHelp[] = $row;
         }
 
-        $paginate->render('page-news', array(
-                'token' => Session::get('token'),
-                'latestDate' => ($this->newsDate ? date('d.m.Y H:i', $this->newsDate) : '--'),
-                'latestContent' => $this->newsContent,
-                'latestTitle' => $this->newsTitle,
-                'latestHelp' => $this->helpContent,
-                'editHelp' => $this->editHelp,
-                'list' => $lines,
-                'listHelp' => $linesHelp,
-			  		 'allowedNewsSave' => User::hasPermission("news.save"),
-			  		 'allowedNewsDelete' => User::hasPermission("news.delete"),
-			  		 'allowedHelpSave' => User::hasPermission("help.save"),
-			  		 'allowedHelpDelete' => User::hasPermission("help.delete"),
-                'hasSummernote' => $this->hasSummernote, ));
+        $data = array(
+			  'token' => Session::get('token'),
+			  'latestDate' => ($this->newsDate ? date('d.m.Y H:i', $this->newsDate) : '--'),
+			  'latestContent' => $this->newsContent,
+			  'latestTitle' => $this->newsTitle,
+			  'latestHelp' => $this->helpContent,
+			  'editHelp' => $this->editHelp,
+			  'list' => $lines,
+			  'listHelp' => $linesHelp,
+			  'hasSummernote' => $this->hasSummernote,
+		  );
+        Permission::addGlobalTags($data['perms'], null, ['news.save', 'news.delete', 'help.save', 'help.delete']);
+
+        $paginate->render('page-news', $data);
     }
     /**
      * Loads the news with the given ID into the form.
diff --git a/modules-available/news/templates/page-news.html b/modules-available/news/templates/page-news.html
index 6293b62d..fde95781 100644
--- a/modules-available/news/templates/page-news.html
+++ b/modules-available/news/templates/page-news.html
@@ -11,18 +11,18 @@
 			<p>{{lang_newsIntro}}</p>
 			<div class="form-group">
 				<label for="news-title-id">{{lang_title}}</label>
-				<input type="text" name="news-title" id ="news-title-id" class="form-control" placeholder="{{welcome}}" value="{{latestTitle}}">
+				<input type="text" name="news-title" id ="news-title-id" class="form-control" placeholder="{{welcome}}" value="{{latestTitle}}" {{perms.news.save.readonly}}>
 			</div>
 			<div class="form-group">
 				<label for="news-content-id">{{lang_content}}</label>
-				<textarea name="news-content" id ="news-content-id" class="form-control summernote" rows="5" cols="30"  placeholder="">{{latestContent}}</textarea>
+				<textarea name="news-content" id ="news-content-id" class="form-control summernote" rows="5" cols="30" {{perms.news.save.readonly}}>{{latestContent}}</textarea>
 			</div>
 			<div class="row">
 				<div class="text-left col-md-6">
 					<p>{{lang_latestUpdate}}: {{latestDate}}</p>
 				</div>
 				<div class="text-right col-md-6">
-					<button {{^allowedNewsSave}}disabled{{/allowedNewsSave}} class="btn btn-primary sn-btn" name="news-type" value="news" type="submit"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
+					<button {{perms.news.save.disabled}} class="btn btn-primary sn-btn" name="news-type" value="news" type="submit"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
 					<input type="hidden" name="token" value="{{token}}">
 				</div>
 			</div>
@@ -57,7 +57,7 @@
 									</td>
 									<td class="text-center">
 										<input type="hidden" name="news-type" value="news">
-										<button {{^allowedNewsDelete}}disabled{{/allowedNewsDelete}} class="btn btn-danger btn-xs" type="submit" name="newsid" value="{{newsid}}"><span class="glyphicon glyphicon-trash"></span></button>
+										<button {{perms.news.delete.disabled}} class="btn btn-danger btn-xs" type="submit" name="newsid" value="{{newsid}}"><span class="glyphicon glyphicon-trash"></span></button>
 									</td>
 								</tr>
 								{{/list}}
@@ -74,10 +74,10 @@
 			<div class="form-group">
 				<br/>
 				<label for="news-content-id">{{lang_content}}</label>
-				<textarea name="help-content" id="help-content-id" class="form-control summernote" style="min-height:400px"  placeholder="">{{latestHelp}}</textarea>
+				<textarea name="help-content" id="help-content-id" class="form-control summernote" style="min-height:400px"  {{perms.help.save.readonly}}>{{latestHelp}}</textarea>
 			</div>
 			<div class="text-right">
-				<button {{^allowedHelpSave}}disabled{{/allowedHelpSave}} class="btn btn-primary sn-btn" name="news-type" value="help" type="submit"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
+				<button {{perms.help.save.disabled}} class="btn btn-primary sn-btn" name="news-type" value="help" type="submit"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
 				<input type="hidden" name="token" value="{{token}}">
 			</div>
 		</form>
@@ -108,7 +108,7 @@
 									</td>
 									<td class="text-center">
 										<input type="hidden" name="news-type" value="help">
-										<button {{^allowedHelpDelete}}disabled{{/allowedHelpDelete}} class="btn btn-danger btn-xs" type="submit" name="newsid" value="{{newsid}}"><span class="glyphicon glyphicon-trash"></span></button>
+										<button {{perms.help.delete.disabled}} class="btn btn-danger btn-xs" type="submit" name="newsid" value="{{newsid}}"><span class="glyphicon glyphicon-trash"></span></button>
 									</td>
 								</tr>
 								{{/listHelp}}
@@ -129,5 +129,6 @@ document.addEventListener("DOMContentLoaded", function () {
 			$button.click();
 		}
 	});
+	$('.summernote[readonly]').each(function() { $(this).summernote('disable'); });
 }, false);
 // --></script>
\ No newline at end of file
-- 
cgit v1.2.3-55-g7522