FIX Check canArchive() permission instead of canDelete()

silverstripe · Aug 6, 2024 · 2ba2e3c · 2ba2e3c
1 parent 77a1497
commit 2ba2e3c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/src/Controllers/LinkFieldController.php b/src/Controllers/LinkFieldController.php
@@ -127,17 +127,20 @@ private function getLinkData(Link $link): array
      */
     public function linkDelete(): HTTPResponse
     {
-        $link = $this->linkFromRequest();
-        if (!$link->canDelete()) {
-            $this->jsonError(403);
-        }
         // Check security token on destructive operation
         if (!SecurityToken::inst()->checkRequest($this->getRequest())) {
             $this->jsonError(400);
         }
+        $link = $this->linkFromRequest();
         if ($link->hasExtension(Versioned::class)) {
+            if (!$link->canArchive()) {
+                $this->jsonError(403);
+            }
             $link->doArchive();
         } else {
+            if (!$link->canDelete()) {
+                $this->jsonError(403);
+            }
             $link->delete();
         }
         // Send response

diff --git a/tests/php/Controllers/LinkFieldControllerTest.php b/tests/php/Controllers/LinkFieldControllerTest.php
@@ -570,9 +570,12 @@ public function provideLinkDelete(): array
                 'fail' => '',
                 'expectedCode' => 204,
             ],
-            'Reject fail canDelete()' => [
+            // note there isn't a canDelete() test here because it seems impossible to get an
+            // unversioned Link because there's no way to actually remove the Versioned extension
+            // from any subclass of Link since we're unable to the use app/_config.php method
+            'Reject fail canArchive()' => [
                 'idType' => 'existing',
-                'fail' => 'can-delete',
+                'fail' => 'can-archive',
                 'expectedCode' => 403,
             ],
             'Reject fail csrf-token' => [

diff --git a/tests/php/Controllers/LinkFieldControllerTest/TestPhoneLink.php b/tests/php/Controllers/LinkFieldControllerTest/TestPhoneLink.php
@@ -43,6 +43,11 @@ public function canDelete($member = null)
         return TestPhoneLink::$fail !== 'can-delete';
     }
 
+    public function canArchive($member = null)
+    {
+        return TestPhoneLink::$fail !== 'can-archive';
+    }
+
     public function validate(): ValidationResult
     {
         $validationResult = parent::validate();