v2.0.0-beta.4

Author: kjmartens

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Solspace Freeform Changelog
 
+## 2.0.0-beta.4 - 2018-01-30
+### Fixed
+- Fixed a bug where Freeform would trigger permission related errors when trying to edit users or user groups.
+- Fixed a bug where Freeform would not hide pages from navigation that a user did not have permission access to.
+- Fixed various permission issues throughout Freeform.
+
 ## 2.0.0-beta.3 - 2018-01-29
 ### Added
 - Added Freeform 1.x to 2.x (Craft 2.x to 3.x) migration path.

composer.json

@@ -1,7 +1,7 @@
 {
   "name": "solspace/craft3-freeform",
   "description": "The most intuitive and powerful form builder for Craft.",
-  "version": "2.0.0-beta.3",
+  "version": "2.0.0-beta.4",
   "type": "craft-plugin",
   "minimum-stability": "dev",
   "authors": [

src/Controllers/SettingsController.php

@@ -19,6 +19,7 @@
 use Solspace\Freeform\Library\Exceptions\FreeformException;
 use Solspace\Freeform\Models\Settings;
 use Solspace\Freeform\Resources\Bundles\CodepackBundle;
+use Solspace\FreeformPro\FreeformPro;
 use yii\web\Response;
 
 class SettingsController extends BaseController
@@ -51,23 +52,27 @@ public function actionDefaultView(): Response
 
         if (($isFormView && !$canAccessForms) || ($isSubmissionView && !$canAccessSubmissions)) {
             if ($canAccessForms) {
-                $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_FORMS));
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_FORMS));
             }
 
             if ($canAccessSubmissions) {
-                $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_SUBMISSIONS));
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_SUBMISSIONS));
             }
 
             if ($canAccessFields) {
-                $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_FIELDS));
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_FIELDS));
             }
 
             if ($canAccessNotifications) {
-                $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_NOTIFICATIONS));
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_NOTIFICATIONS));
             }
 
             if ($canAccessSettings) {
-                $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_SETTINGS));
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . Freeform::VIEW_SETTINGS));
+            }
+
+            if (Freeform::getInstance()->isPro() && PermissionHelper::checkPermission(FreeformPro::PERMISSION_EXPORT_PROFILES_ACCESS)) {
+                return $this->redirect(UrlHelper::cpUrl('freeform/' . FreeformPro::VIEW_EXPORT_PROFILES));
             }
         }
 

src/Controllers/SubmissionsController.php

@@ -192,8 +192,6 @@ public function actionEdit(int $id): Response
      */
     public function actionSave()
     {
-        PermissionHelper::requirePermission(Freeform::PERMISSION_SUBMISSIONS_MANAGE);
-
         $post = \Craft::$app->request->post();
 
         $submissionId = $post['submissionId'] ?? null;
@@ -203,6 +201,13 @@ public function actionSave()
             throw new FreeformException(Freeform::t('Submission not found'));
         }
 
+        PermissionHelper::requirePermission(
+            PermissionHelper::prepareNestedPermission(
+                Freeform::PERMISSION_SUBMISSIONS_MANAGE,
+                $model->formId
+            )
+        );
+
         $model->title    = \Craft::$app->request->post('title', $model->title);
         $model->statusId = $post['statusId'];
         $model->setFormFieldValues($post);
@@ -234,27 +239,4 @@ public function actionSave()
             ]
         );
     }
-
-    /**
-     * Deletes a field
-     *
-     * @return Response
-     * @throws \Exception
-     * @throws BadRequestHttpException
-     * @throws ForbiddenHttpException
-     */
-    public function actionDelete(): Response
-    {
-        $this->requirePostRequest();
-        PermissionHelper::requirePermission(Freeform::PERMISSION_SUBMISSIONS_MANAGE);
-
-        $submissionId = \Craft::$app->request->post('id');
-        $submission   = $this->getSubmissionsService()->getSubmissionById($submissionId);
-
-        if ($submission && !$this->getSubmissionsService()->delete($submission)) {
-            return $this->asErrorJson(implode('; ', $submission->getErrors()));
-        }
-
-        return $this->asJson(['success' => true]);
-    }
 }

src/Elements/Actions/SetSubmissionStatusAction.php

@@ -4,6 +4,7 @@
 
 use craft\base\ElementAction;
 use craft\elements\db\ElementQueryInterface;
+use Solspace\Commons\Helpers\PermissionHelper;
 use Solspace\Freeform\Elements\Submission;
 use Solspace\Freeform\Freeform;
 
@@ -68,12 +69,22 @@ public function performAction(ElementQueryInterface $query): bool
         $submissions = $query->all();
         $failCount = 0;
 
+        static $allowedFormIds;
+
+        if (null === $allowedFormIds) {
+            $allowedFormIds = PermissionHelper::getNestedPermissionIds(Freeform::PERMISSION_SUBMISSIONS_MANAGE);
+        }
+
         foreach ($submissions as $submission) {
             // Skip if there's nothing to change
             if ((int) $submission->statusId === (int) $this->statusId) {
                 continue;
             }
 
+            if (!\in_array($submission->formId, $allowedFormIds, false)) {
+                continue;
+            }
+
             $submission->statusId = $this->statusId;
 
             if ($elementsService->saveElement($submission) === false) {

src/Elements/Submission.php

@@ -8,6 +8,7 @@
 use craft\elements\db\ElementQueryInterface;
 use craft\helpers\Html;
 use craft\helpers\UrlHelper;
+use Solspace\Commons\Helpers\PermissionHelper;
 use Solspace\Freeform\Elements\Actions\DeleteSubmissionAction;
 use Solspace\Freeform\Elements\Actions\ExportCSVAction;
 use Solspace\Freeform\Elements\Actions\SetSubmissionStatusAction;
@@ -492,6 +493,16 @@ public function getIsEditable(): bool
      */
     public function getCpEditUrl()
     {
+        static $allowedFormIds;
+
+        if (null === $allowedFormIds) {
+            $allowedFormIds = PermissionHelper::getNestedPermissionIds(Freeform::PERMISSION_SUBMISSIONS_MANAGE);
+        }
+
+        if (!\in_array($this->formId, $allowedFormIds, false)) {
+            return false;
+        }
+
         return UrlHelper::cpUrl('freeform/submissions/' . $this->id);
     }
 
@@ -617,4 +628,17 @@ private function getFieldByIdentifier($identifier): AbstractField
 
         return self::$fieldIdMap[$this->formId][$id];
     }
+
+    /**
+     * @inheritDoc
+     */
+    public function beforeDelete(): bool
+    {
+        return PermissionHelper::checkPermission(
+            PermissionHelper::prepareNestedPermission(
+                Freeform::PERMISSION_SUBMISSIONS_MANAGE,
+                $this->formId
+            )
+        );
+    }
 }

src/Freeform.php

@@ -227,7 +227,7 @@ function (RegisterUserPermissionsEvent $event) {
                         self::PERMISSION_FORMS_ACCESS         => [
                             'label'  => self::t('Access Forms'),
                             'nested' => [
-                                PermissionHelper::PERMISSION_FORMS_MANAGE => ['label' => self::t('Manage Forms')],
+                                self::PERMISSION_FORMS_MANAGE => ['label' => self::t('Manage Forms')],
                             ],
                         ],
                         self::PERMISSION_FIELDS_ACCESS        => [