From 2db1db0743f02091cb8a31c4ecbaa8e6fee1cc6d Mon Sep 17 00:00:00 2001
From: Christian Hofmaier
Date: Thu, 23 Nov 2017 14:44:30 +0100
Subject: [news] reworked permission system from "click and you get error" to "button is disabled due to lack of permission" (this time with double check on permissions)
---
modules-available/news/page.inc.php | 40 ++++++++++++++++++++++---------------
1 file changed, 24 insertions(+), 16 deletions(-)
(limited to 'modules-available/news/page.inc.php')
diff --git a/modules-available/news/page.inc.php b/modules-available/news/page.inc.php
index 920b9861..5ad79b0e 100644
--- a/modules-available/news/page.inc.php
+++ b/modules-available/news/page.inc.php
@@ -64,20 +64,24 @@ class Page_News extends Page
 
 $pageType = Request::post('news-type');
 if ($pageType == 'news') {
- if (!$this->saveNews()) {
- // re-set the fields we got
- Request::post('news-title') ? $this->newsTitle = Request::post('news-title') : $this->newsTitle = false;
- Request::post('news-content') ? $this->newsContent = Request::post('news-content') : $this->newsContent = false;
- } else {
- Message::addSuccess('news-save-success');
- $lastId = Database::lastInsertId();
- Util::redirect("?do=News&newsid=$lastId");
+ if (User::hasPermission("news.save")) {
+ if (!$this->saveNews()) {
+ // re-set the fields we got
+ Request::post('news-title') ? $this->newsTitle = Request::post('news-title') : $this->newsTitle = false;
+ Request::post('news-content') ? $this->newsContent = Request::post('news-content') : $this->newsContent = false;
+ } else {
+ Message::addSuccess('news-save-success');
+ $lastId = Database::lastInsertId();
+ Util::redirect("?do=News&newsid=$lastId");
+ }
 }
 } elseif ($pageType == 'help') {
- if ($this->saveHelp()) {
- Message::addSuccess('help-save-success');
- $lastId = Database::lastInsertId();
- Util::redirect("?do=News&newsid=$lastId");
+ if (User::hasPermission("help.save")) {
+ if ($this->saveHelp()) {
+ Message::addSuccess('help-save-success');
+ $lastId = Database::lastInsertId();
+ Util::redirect("?do=News&newsid=$lastId");
+ }
 }
 }
 } elseif ($action === 'delete') {
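Review bot: When `User::hasPermission("news.save")` or `User::hasPermission("help.save")` is false, the new save branches fall through silently: no `Message::addError`, no `Util::redirect`, so a POST rejected for lack of permission renders the page as if nothing happened and the form stays re-submittable. Add an `else` branch to each check, e.g. `} else { Message::addError('<permission-denied-message-id>'); }` using the project's existing message key, optionally followed by a redirect back to the list so the POST is answered consistently with the success path. The same silent fall-through is present in the delete hunk below. The `$action` dispatch enclosing this hunk starts before and ends after it.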
@@ -85,11 +89,15 @@ class Page_News extends Page
 
 $pageType = Request::post('news-type');
 if ($pageType == 'news') {
- $this->delNews(Request::post('newsid'));
- Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ if(User::hasPermission("news.delete")) {
+ $this->delNews(Request::post('newsid'));
+ Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ }
 } elseif ($pageType == 'help') {
- $this->delNews(Request::post('newsid'));
- Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ if(User::hasPermission("help.delete")) {
+ $this->delNews(Request::post('newsid'));
+ Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ }
 }
 } else {
 // unknown action, redirect user
-- 
cgit v1.2.3-55-g7522
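Review bot: The permission chosen on the added `if(User::hasPermission("news.delete"))` and `"help.delete"` lines is selected by the client-supplied `news-type` POST field, while both branches then call the identical `$this->delNews(Request::post('newsid'))`. Unless `delNews` (outside this hunk) verifies the stored type of the row itself, the posted type does not bind `newsid` to a news or a help record, so either permission effectively authorises both kinds of deletion. Look up the record's type for the given `newsid` before deciding which permission applies, or pass the expected type into `delNews` so it only deletes a matching row. As a point of style, `if(` lacks the space used by every other `if (` in the file; `if (User::hasPermission("news.delete")) {`.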