/**
 * @Route("/", methods="POST")
 * @Route("/{id}", methods="POST", requirements={"id"="\d+"})
 * @Request({"post": "array", "id": "int"}, csrf=true)
 */
public function saveAction($data, $id = 0)
{
    if (!$id || !($post = Post::find($id))) {

        if ($id) {
            App::abort(404, __('Post not found.'));
        }

        $post = Post::create();
    }

    if (!($data['slug'] = App::filter($data['slug'] ?: $data['title'], 'slugify'))) {
        App::abort(400, __('Invalid slug.'));
    }

    // user without universal access is not allowed to assign posts to other users
    if (!App::user()->hasAccess('blog: manage all posts')) {
        $data['user_id'] = App::user()->id;
    }

    // user without universal access can only edit their own posts
    if (!App::user()->hasAccess('blog: manage all posts')
        && !App::user()->hasAccess('blog: manage own posts')
        && $post->user_id !== App::user()->id
    ) {
        App::abort(400, __('Access denied.'));
    }

    $post->save($data);

    return ['message' => 'success', 'post' => $post];
}
/**
 * @Route("/post/edit", name="post/edit")
 * @Access("blog: manage own posts || blog: manage all posts")
 * @Request({"id": "int"})
 */
public function editAction($id = 0)
{
    try {

        // no existing post with this id: either 404 on an explicit id, or start a fresh draft
        if (!($post = Post::where(compact('id'))->related('user')->first())) {

            if ($id) {
                App::abort(404, __('Invalid post id.'));
            }

            $module = App::module('blog');

            $post = Post::create([
                'user_id' => App::user()->id,
                'status' => Post::STATUS_DRAFT,
                'date' => new \DateTime(),
                'comment_status' => (bool) $module->config('posts.comments_enabled')
            ]);

            $post->set('title', $module->config('posts.show_title'));
            $post->set('markdown', $module->config('posts.markdown_enabled'));
        }

        // only users with universal access may open posts that belong to someone else
        $user = App::user();
        if (!$user->hasAccess('blog: manage all posts') && $post->user_id !== $user->id) {
            App::abort(403, __('Insufficient User Rights.'));
        }

        // roles that carry either blog permission (the administrator role always qualifies)
        $roles = App::db()->createQueryBuilder()
            ->from('@system_role')
            ->where(['id' => Role::ROLE_ADMINISTRATOR])
            ->whereInSet('permissions', ['blog: manage all posts', 'blog: manage own posts'], false, 'OR')
            ->execute('id')
            ->fetchAll(\PDO::FETCH_COLUMN);

        // users holding one of those roles are offered as possible authors
        $authors = App::db()->createQueryBuilder()
            ->from('@system_user')
            ->whereInSet('roles', $roles)
            ->execute('id, username')
            ->fetchAll();

        return [
            '$view' => [
                'title' => $id ? __('Edit Post') : __('Add Post'),
                'name' => 'blog/admin/post-edit.php'
            ],
            '$data' => [
                'post' => $post,
                'statuses' => Post::getStatuses(),
                'roles' => array_values(Role::findAll()),
                'canEditAll' => $user->hasAccess('blog: manage all posts'),
                'authors' => $authors
            ],
            'post' => $post
        ];

    } catch (\Exception $e) {
        App::message()->error($e->getMessage());
        return App::redirect('@blog/post');
    }
}
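The two actions above each carry their own inline ownership check, and the two predicates are not identical: saveAction only aborts when the caller holds neither permission, while editAction aborts whenever the caller lacks "blog: manage all posts" and the post belongs to someone else. The following is an added example, not code from the blog extension itself: it lifts both predicates out of the controllers into pure functions so they can be exercised on constructed inputs without the framework and compared row by row. The `$user` and `$post` arrays, the `hasAccess()` helper and the sample principals are assumptions of this example standing in for `App::user()` and a `Post` record; the predicates themselves are copied verbatim from the snippet.

```php
<?php
// Added example, not the blog extension's own code. Models the two inline
// authorization predicates from saveAction and editAction as pure functions.

const MANAGE_ALL = 'blog: manage all posts';
const MANAGE_OWN = 'blog: manage own posts';

// Stand-in for App::user()->hasAccess(): a user is a plain array here (assumption).
function hasAccess(array $user, string $permission): bool
{
    return in_array($permission, $user['permissions'], true);
}

// Mirrors the "Access denied." branch of saveAction; true means the request
// would be aborted with 400.
function saveActionDenies(array $user, array $post): bool
{
    return !hasAccess($user, MANAGE_ALL)
        && !hasAccess($user, MANAGE_OWN)
        && $post['user_id'] !== $user['id'];
}

// Mirrors the "Insufficient User Rights." branch of editAction; true means the
// request would be aborted with 403. (The @Access annotation on editAction
// already rejects callers with neither permission before this check runs.)
function editActionDenies(array $user, array $post): bool
{
    return !hasAccess($user, MANAGE_ALL)
        && $post['user_id'] !== $user['id'];
}

// Constructed sample principals and records.
$admin  = ['id' => 1, 'permissions' => [MANAGE_ALL]];
$author = ['id' => 2, 'permissions' => [MANAGE_OWN]];
$nobody = ['id' => 3, 'permissions' => []];

$ownPost   = ['id' => 10, 'user_id' => 2]; // belongs to $author
$otherPost = ['id' => 11, 'user_id' => 1]; // belongs to $admin

$cases = [
    'admin / other post'  => [$admin,  $otherPost],
    'author / own post'   => [$author, $ownPost],
    'author / other post' => [$author, $otherPost],
    'nobody / other post' => [$nobody, $otherPost],
];

printf("%-22s %-12s %-12s\n", 'case', 'saveAction', 'editAction');
foreach ($cases as $label => [$user, $post]) {
    printf(
        "%-22s %-12s %-12s\n",
        $label,
        saveActionDenies($user, $post) ? 'denied' : 'allowed',
        editActionDenies($user, $post) ? 'denied' : 'allowed'
    );
}
```

Running it with `php` prints one row per case with the decision each predicate would take. The row to look at in review is "author / other post": a caller holding only "blog: manage own posts" is stopped by editAction's check but not by saveAction's, because saveAction's condition requires the caller to lack both permissions before it compares `user_id`. Keeping such checks in one shared helper (or a voter) that both actions call, rather than two hand-written conditions, is the usual way to prevent this kind of drift and to make the decision table unit-testable as shown here.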