From 7303e0b19adae0a3fa5db139e3fafb310dd43485 Mon Sep 17 00:00:00 2001
From: Brett Profitt <brett.profitt@gmail.com>
Date: Tue, 1 May 2012 18:24:13 -0700
Subject: Fixes #1830. Removed access and write access inputs for non-owners
 and non-admins.

---
 mod/pages/actions/pages/edit.php             | 14 +++++++++++++-
 mod/pages/lib/pages.php                      |  2 +-
 mod/pages/views/default/forms/pages/edit.php | 15 +++++++++++++--
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php
index 6950d4b2f..a32e4a4ba 100644
--- a/mod/pages/actions/pages/edit.php
+++ b/mod/pages/actions/pages/edit.php
@@ -47,7 +47,19 @@ if ($page_guid) {
 }
 
 if (sizeof($input) > 0) {
+	// don't change access if not an owner/admin
+	$user = elgg_get_logged_in_user_entity();
+	$can_change_access = true;
+
+	if ($user && $page) {
+		$can_change_access = $user->isAdmin() || $user->getGUID() == $page->owner_guid;
+	}
+	
 	foreach ($input as $name => $value) {
+		if (($name == 'access_id' || $name == 'write_access_id') && !$can_change_access) {
+			continue;
+		}
+
 		$page->$name = $value;
 	}
 }
@@ -74,6 +86,6 @@ if ($page->save()) {
 
 	forward($page->getURL());
 } else {
-	register_error(elgg_echo('pages:error:no_save'));
+	register_error(elgg_echo('pages:error:notsaved'));
 	forward(REFERER);
 }
diff --git a/mod/pages/lib/pages.php b/mod/pages/lib/pages.php
index 5c5323d6f..dbf7b8917 100644
--- a/mod/pages/lib/pages.php
+++ b/mod/pages/lib/pages.php
@@ -111,4 +111,4 @@ function pages_register_navigation_tree($container) {
 			}
 		}
 	}
-}
+}
\ No newline at end of file
diff --git a/mod/pages/views/default/forms/pages/edit.php b/mod/pages/views/default/forms/pages/edit.php
index 20737a121..9469f5eb9 100644
--- a/mod/pages/views/default/forms/pages/edit.php
+++ b/mod/pages/views/default/forms/pages/edit.php
@@ -6,7 +6,18 @@
  */
 
 $variables = elgg_get_config('pages');
+$user = elgg_get_logged_in_user_entity();
+$entity = elgg_extract('entity', $vars);
+$can_change_access = true;
+if ($user && $entity) {
+	$can_change_access = ($user->isAdmin() || $user->getGUID() == $entity->owner_guid);
+}
+
 foreach ($variables as $name => $type) {
+	// don't show read / write access inputs for non-owners or admin when editing
+	if (($type == 'access' || $type == 'write_access') && !$can_change_access) {
+		continue;
+	}
 ?>
 <div>
 	<label><?php echo elgg_echo("pages:$name") ?></label>
@@ -14,8 +25,8 @@ foreach ($variables as $name => $type) {
 		if ($type != 'longtext') {
 			echo '<br />';
 		}
-	?>
-	<?php echo elgg_view("input/$type", array(
+
+		echo elgg_view("input/$type", array(
 			'name' => $name,
 			'value' => $vars[$name],
 		));
-- 
cgit v1.2.3