Merge pull request #2364 from tvdeyen/fix-permissions

Fix author edit_content permissions
AlchemyCMS · Sep 2, 2022 · 30f61f1 · 30f61f1
2 parents 85f5dc0 + c98605a
commit 30f61f1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 13 deletions.
diff --git a/app/controllers/alchemy/api/pages_controller.rb b/app/controllers/alchemy/api/pages_controller.rb
@@ -8,14 +8,9 @@ class Api::PagesController < Api::BaseController
     # Returns all pages as json object
     #
     def index
-      # Fix for cancancan not able to merge multiple AR scopes for logged in users
-      if can? :edit_content, Alchemy::Page
-        @pages = Alchemy::Page.all
-      else
-        language = Alchemy::Language.find_by(id: params[:language_id]) || Alchemy::Language.current
-        @pages = Alchemy::Page.accessible_by(current_ability, :index)
-        @pages = @pages.where(language: language)
-      end
+      language = Alchemy::Language.find_by(id: params[:language_id]) || Alchemy::Language.current
+      @pages = Alchemy::Page.accessible_by(current_ability, :index)
+      @pages = @pages.where(language: language)
       @pages = @pages.includes(*page_includes)
       @pages = @pages.ransack(params[:q]).result
 

diff --git a/lib/alchemy/permissions.rb b/lib/alchemy/permissions.rb
@@ -121,7 +121,9 @@ def alchemy_author_rules
         can :manage, Alchemy::Node
         can [:read, :url], Alchemy::Picture
         can [:read, :autocomplete], Alchemy::Tag
-        can(:edit_content, Alchemy::Page) { |p| p.editable_by?(@user) }
+        can :edit_content, Alchemy::Page, Alchemy::Page.all do |page|
+          page.editable_by?(@user)
+        end
       end
     end
 

diff --git a/spec/controllers/alchemy/api/pages_controller_spec.rb b/spec/controllers/alchemy/api/pages_controller_spec.rb
@@ -85,9 +85,10 @@ module Alchemy
           let(:site_2) { create(:alchemy_site) }
           let(:language_2) { create(:alchemy_language, site: site_2) }
           let!(:site_2_page) { create(:alchemy_page, :public, language: language_2) }
+          let!(:unpublished_page) { create(:alchemy_page, language: default_language) }
 
           context "as guest user" do
-            it "only returns pages for current site" do
+            it "only returns public pages for current site" do
               get :index, format: :json
               expect(result["pages"].map { |r| r["id"] }).to match_array([
                 page.parent_id,
@@ -101,13 +102,12 @@ module Alchemy
               authorize_user(build(:alchemy_dummy_user, :as_author))
             end
 
-            it "returns all pages" do
+            it "returns all pages for current site" do
               get :index, format: :json
               expect(result["pages"].map { |r| r["id"] }).to match_array([
                 page.parent_id,
                 page.id,
-                site_2_page.parent_id,
-                site_2_page.id,
+                unpublished_page.id,
               ])
             end
           end