From cc9b3cfb9c76295b2b6a5d4b194e56a015cfcf8e Mon Sep 17 00:00:00 2001
From: jamesprior
Date: Mon, 27 Oct 2014 11:39:21 -0400
Subject: [PATCH] Check permissions before page edits

Check edit and publish permissions before change pages singly or in a group
---
 app/controllers/cms/pages_controller.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/controllers/cms/pages_controller.rb b/app/controllers/cms/pages_controller.rb
index 375435096..76e423fac 100644
--- a/app/controllers/cms/pages_controller.rb
+++ b/app/controllers/cms/pages_controller.rb
@@ -73,12 +73,22 @@ def destroy
 define_method status do
 if params[:page_ids]
 @pages = params[:page_ids].map { |id| Page.find(id) }
-raise Cms::Errors::AccessDenied unless @pages.all? { |page| current_user.able_to_edit?(page) }
+if status == :publish
+raise Cms::Errors::AccessDenied unless @pages.all? { |page| current_user.able_to_publish?(page) }
+else
+raise Cms::Errors::AccessDenied unless @pages.all? { |page| current_user.able_to_edit?(page) }
+end
 @pages.each { |page| page.send(status) }
 flash[:notice] = "#{params[:page_ids].size} pages #{verb}"
 redirect_to dashboard_url
 else
 load_page
+if status == :publish
+raise Cms::Errors::AccessDenied unless current_user.able_to_publish?(@page)
+else
+raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@page)
+end
+
 if @page.send(status)
 flash[:notice] = "Page '#{@page.name}' was #{verb}"
 end
@@ -148,4 +158,4 @@ def load_templates
 end
 end
 end
-end
\ No newline at end of file
+end
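Review bot: The publish-versus-edit dispatch is spelled out twice in the first hunk, once over `@pages` in the bulk branch and once over `@page` after `load_page`, so the two authorization decisions can drift apart the next time a status gets its own permission; a single private predicate keeps the rule in one place. Whether `status == :publish` ever matches depends on how the statuses are declared in the loop that calls `define_method`, which lies outside the hunk — if that list holds strings rather than symbols the comparison is always false and publishing silently falls back to the weaker `able_to_edit?` check, so comparing `status.to_sym` is the safer form. The check is correctly all-or-nothing in the bulk branch (it runs before any `page.send(status)`), which the helper preserves. The `define_method status do` block opened at the top of the hunk closes outside it.
```ruby
# … unchanged: bulk branch up to the Page.find map …
raise Cms::Errors::AccessDenied unless @pages.all? { |page| able_to_change?(page, status) }
# … unchanged: each/flash/redirect, else, load_page …
raise Cms::Errors::AccessDenied unless able_to_change?(@page, status)
# … unchanged: @page.send(status) and flash …

# in the controller's private section: one place for the publish-vs-edit permission rule
def able_to_change?(page, status)
  status.to_sym == :publish ? current_user.able_to_publish?(page) : current_user.able_to_edit?(page)
end
```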