Tweaked widget_instance_edit_perms_verify endpoint & handling on clie…

…nt side. Adjusted tests.
ucfopen · May 14, 2024 · f566726 · f566726
1 parent 069669b
commit f566726
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/fuel/app/classes/materia/api/v1.php b/fuel/app/classes/materia/api/v1.php
@@ -109,21 +109,23 @@ static public function widget_instance_access_perms_verify($inst_id)
 	 * @return object, contains properties indicating whether the current
 	 * user can edit the widget and a message object describing why, if not
 	 */
+
+	 // !! this endpoint should be significantly refactored or removed in the future API overhaul !!
 	static public function widget_instance_edit_perms_verify(string $inst_id)
 	{
 		$response = new \stdClass();
-		$response->is_locked = true;
+
+		$response->is_locked = false;
 		$response->can_publish = false;
+		$response->can_edit = false;
 
 		if ( ! Util_Validator::is_valid_hash($inst_id)) return Msg::invalid_input($inst_id);
 		else if (\Service_User::verify_session() !== true) return Msg::no_login();
 		else if ( ! ($inst = Widget_Instance_Manager::get($inst_id)))  throw new \HttpNotFoundException;
 
-		if (static::has_perms_to_inst($inst_id, [Perm::FULL]))
-		{
-			$response->is_locked = ! Widget_Instance_Manager::locked_by_current_user($inst_id);
-			$response->can_publish = $inst->widget->publishable_by(\Model_User::find_current_id());
-		}
+		$response->is_locked = ! Widget_Instance_Manager::locked_by_current_user($inst_id);
+		$response->can_publish = $inst->widget->publishable_by(\Model_User::find_current_id());
+		$response->can_edit = static::has_perms_to_inst($inst_id, [Perm::FULL]);
 
 		return $response;
 	}

diff --git a/fuel/app/tests/api/v1.php b/fuel/app/tests/api/v1.php
@@ -641,12 +641,14 @@ public function test_widget_instance_edit_perms_verify(): void
 		$output = Api_V1::widget_instance_edit_perms_verify($instance->id);
 		$this->assertFalse($output->is_locked);
 		$this->assertFalse($output->can_publish);
+		$this->assertTrue($output->can_edit);
 
 		// ======= AUTHOR ========
 		$this->_as_author();
 		$output = Api_V1::widget_instance_edit_perms_verify($instance->id);
 		$this->assertFalse($output->is_locked);
 		$this->assertTrue($output->can_publish);
+		$this->assertTrue($output->can_edit);
 
 		// lock widget as author
 		Api_V1::widget_instance_lock($instance->id);
@@ -657,12 +659,23 @@ public function test_widget_instance_edit_perms_verify(): void
 		$output = Api_V1::widget_instance_edit_perms_verify($instance->id);
 		$this->assertTrue($output->is_locked);
 		$this->assertFalse($output->can_publish);
+		$this->assertTrue($output->can_edit);
 
 		// ======= AUTHOR ========
 		$this->_as_author();
 		$output = Api_V1::widget_instance_edit_perms_verify($instance->id);
 		$this->assertFalse($output->is_locked);
 		$this->assertTrue($output->can_publish);
+		$this->assertTrue($output->can_edit);
+
+		//set perms to view scores
+		$accessObj->perms = [Perm::FULL => false];
+		Api_V1::permissions_set(Perm::INSTANCE, $instance->id, [$accessObj]);
+
+		$output = Api_V1::widget_instance_edit_perms_verify($instance->id);
+		$this->assertFalse($output->is_locked);
+		$this->assertTrue($output->can_publish);
+		$this->assertFalse($output->can_edit);
 	}
 
 	public function test_widget_publish_perms_verify(): void

diff --git a/src/components/my-widgets-selected-instance.jsx b/src/components/my-widgets-selected-instance.jsx
@@ -140,7 +140,7 @@ const MyWidgetSelectedInstance = ({
 	}, [myPerms, inst])
 
 	const onEditClick = inst => {
-		if (inst.widget.is_editable && state.perms.editable && editPerms && !permsFetching) {
+		if (inst.widget.is_editable && state.perms.editable && editPerms && editPerms.can_edit && !permsFetching) {
 			const editUrl = `${window.location.origin}/widgets/${inst.widget.dir}create#${inst.id}`
 
 			if(editPerms.is_locked){