app/controllers/caboose/pages_controller.rb in caboose-cms-0.9.97 vs app/controllers/caboose/pages_controller.rb in caboose-cms-0.9.98
- old
+ new
@@ -167,11 +167,15 @@
# @route GET /admin/pages/:id/permissions
def admin_edit_permissions
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route PUT /admin/pages/:id/update-child-permissions
def admin_update_child_permissions
return unless user_is_allowed('pages', 'edit')
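Review bot: The new `site_id` comparison in admin_edit_permissions gates only the GET form; the matching mutation action admin_update_child_permissions, which starts at the end of this hunk and continues outside it, shows no equivalent ownership check in the visible lines, and admin_delete in the final hunk (whose body is fully visible) still does `Page.find(params[:id])` followed by `destroy` with no site comparison at all, so a page id from another site would be rejected on the form but accepted by the write endpoint. The same five-line if/else is pasted into ten actions across this diff (also in the hunks at @@ -197, @@ -265, @@ -308, @@ -339 and @@ -353); a single helper that loads @page and redirects on a site mismatch would keep the policy in one place and make it easy to apply to the update/duplicate/delete actions as well. It is also worth confirming that @logged_in_user cannot be nil once user_is_allowed has returned true, because `@logged_in_user.site_id` would raise otherwise; a short comment such as `# cross-site page ids are redirected to the index rather than rendered` above the helper would record the intent.
```ruby
# Loads the page named by params[:id] into @page and redirects to the index when it
# belongs to a different site than @logged_in_user. Returns true when the page may be shown.
def load_page_for_current_site
  @page = Page.find(params[:id])
  return true if @page.site_id == @logged_in_user.site_id
  redirect_to '/admin/pages'
  false
end

# @route GET /admin/pages/:id/permissions
def admin_edit_permissions
  return unless user_is_allowed('pages', 'edit')
  return unless load_page_for_current_site
  render :layout => 'caboose/admin'
end
# … unchanged: admin_update_child_permissions …
```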
@@ -184,11 +188,11 @@
# @route GET /admin/pages/:id/content
def admin_edit_content
@page = Page.find(params[:id])
redirect_to "/login?return_url=/admin/pages/#{@page.id}/content" and return if @logged_in_user.nil?
- condition = @logged_in_user && ( @logged_in_user.is_allowed('all','all') || @logged_in_user.is_allowed('pages','edit') && Page.permissible_actions(@logged_in_user, @page.id).include?('edit'))
+ condition = @logged_in_user && @logged_in_user.site_id == @page.site_id && ( @logged_in_user.is_allowed('all','all') || @logged_in_user.is_allowed('pages','edit') && Page.permissible_actions(@logged_in_user, @page.id).include?('edit'))
redirect_to "/admin/pages" and return unless condition
if @page.block.nil?
redirect_to "/admin/pages/#{@page.id}/layout"
return
end
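Review bot: The extended `condition` line in admin_edit_content now folds the site-scope check into a single expression that mixes `&&` and `||` without parentheses, so whether `Page.permissible_actions(...)` is required depends on operator precedence and is easy to misread during review; the leading `@logged_in_user &&` is also redundant since the line above already redirects when @logged_in_user is nil. Splitting it into named parts keeps the intent visible: `same_site = @logged_in_user.site_id == @page.site_id`, `can_edit = @logged_in_user.is_allowed('all','all') || (@logged_in_user.is_allowed('pages','edit') && Page.permissible_actions(@logged_in_user, @page.id).include?('edit'))`, `condition = same_site && can_edit`. This check is also written differently from the if/else form used in the other hunks of this diff, so it should be covered by whatever shared helper ends up enforcing the site ownership rule. The body of admin_edit_content continues past the end of this hunk.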
@@ -197,11 +201,15 @@
# @route GET /admin/pages/:id/layout
def admin_edit_layout
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route PUT /admin/pages/:id/layout
def admin_update_layout
return unless user_is_allowed('pages', 'edit')
@@ -265,32 +273,48 @@
# @route GET /admin/pages/:id/css
def admin_edit_css
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route GET /admin/pages/:id/js
def admin_edit_js
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route GET /admin/pages/:id/seo
def admin_edit_seo
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route GET /admin/pages/:id/child-order
def admin_edit_child_sort_order
return unless user_is_allowed('pages', 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route PUT /admin/pages/:id/child-order
def admin_update_child_sort_order
return unless user_is_allowed('pages', 'edit')
@@ -308,11 +332,15 @@
# @route GET /admin/pages/:id/duplicate
def admin_duplicate_form
return unless user_is_allowed('pages', 'add')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route POST /admin/pages/:id/duplicate
def admin_duplicate
return unless user_is_allowed('pages', 'add')
@@ -339,11 +367,15 @@
# @route GET /admin/pages/:id/delete
def admin_delete_form
return unless user_is_allowed('pages', 'delete')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route GET /admin/pages/:id/uri
def admin_page_uri
return unless user_is_allowed('pages', 'view')
@@ -353,19 +385,27 @@
# @route GET /admin/pages/:id/sitemap
def admin_sitemap
return unless user_is_allowed('pages', 'delete')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route GET /admin/pages/:id
def admin_edit_general
return if !user_is_allowed('pages', 'edit')
#return if !Page.is_allowed(logged_in_user, params[:id], 'edit')
@page = Page.find(params[:id])
- render :layout => 'caboose/admin'
+ if @page.site_id != @logged_in_user.site_id
+ redirect_to '/admin/pages'
+ else
+ render :layout => 'caboose/admin'
+ end
end
# @route POST /admin/pages
def admin_create
return unless user_is_allowed('pages', 'add')
@@ -555,10 +595,9 @@
# @route DELETE /admin/pages/:id
def admin_delete
return unless user_is_allowed('pages', 'delete')
p = Page.find(params[:id])
p.destroy
-
resp = StdClass.new({
'redirect' => '/admin/pages'
})
render json: resp
end