From 6811646aaa804c0aeac30e87d044d54226aa1b5c Mon Sep 17 00:00:00 2001
From: drigato
Date: Fri, 28 Aug 2015 13:40:38 -0400
Subject: [PATCH] CC-6106: Permission problems with bulk and single edit in the Dashboard
---
 .../application/controllers/LibraryController.php | 12 +++++++-----
 airtime_mvc/application/forms/EditAudioMD.php | 13 +++++++++++++
 .../views/scripts/library/edit-file-md.phtml | 8 +++++++-
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/airtime_mvc/application/controllers/LibraryController.php b/airtime_mvc/application/controllers/LibraryController.php
index 364897eb4..2a04b66e8 100644
--- a/airtime_mvc/application/controllers/LibraryController.php
+++ b/airtime_mvc/application/controllers/LibraryController.php
@@ -434,14 +434,17 @@ class LibraryController extends Zend_Controller_Action
 $file_id = $this->_getParam('id', null);
 $file = Application_Model_StoredFile::RecallById($file_id);
- if (!$isAdminOrPM && $file->getFileOwnerId() != $user->getId()) {
- return;
- }
-
 $form = new Application_Form_EditAudioMD();
 $form->startForm($file_id);
 $form->populate($file->getDbColMetadata());
+ $this->view->permissionDenied = false;
+ if (!$isAdminOrPM && $file->getFileOwnerId() != $user->getId()) {
+ $form->makeReadOnly();
+ $form->removeActionButtons();
+ $this->view->permissionDenied = true;
+ }
+
 if ($request->isPost()) {
 $js = $this->_getParam('data');
@@ -460,7 +463,6 @@ class LibraryController extends Zend_Controller_Action
 }
 $this->view->form = $form;
- Logging::info($this->view->form);
 $this->view->id = $file_id;
 $this->view->title = $file->getPropelOrm()->getDbTrackTitle();
 $this->view->type = "md";
diff --git a/airtime_mvc/application/forms/EditAudioMD.php b/airtime_mvc/application/forms/EditAudioMD.php
index 96611520f..562e508e5 100644
--- a/airtime_mvc/application/forms/EditAudioMD.php
+++ b/airtime_mvc/application/forms/EditAudioMD.php
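Review bot: The ownership check in the first LibraryController hunk no longer stops the request, so the `if ($request->isPost())` branch right after it still runs for a user who is neither admin/PM nor the file's owner. `makeReadOnly()` and `removeActionButtons()` only change the rendered form; a POST sent directly to this action would still reach the metadata handling unless the code past the end of the hunk re-checks ownership, which is not visible here. Gate the write on the same condition, for example `if ($request->isPost() && !$this->view->permissionDenied) {`, or answer the POST with a 403 before `$js` is read. The action body starts and ends outside the hunk.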
@@ -197,4 +197,17 @@ class Application_Form_EditAudioMD extends Zend_Form
 ));
 }
+ public function makeReadOnly()
+ {
+ foreach ($this as $element) {
+ $element->setAttrib('readonly', 'readonly');
+ }
+ }
+
+ public function removeActionButtons()
+ {
+ $this->removeElement('editmdsave');
+ $this->removeElement('editmdcancel');
+ }
+
 }
diff --git a/airtime_mvc/application/views/scripts/library/edit-file-md.phtml b/airtime_mvc/application/views/scripts/library/edit-file-md.phtml
index e3c2a0d11..e573db8a1 100644
--- a/airtime_mvc/application/views/scripts/library/edit-file-md.phtml
+++ b/airtime_mvc/application/views/scripts/library/edit-file-md.phtml
@@ -1,6 +1,12 @@
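Review bot: `makeReadOnly()` in the EditAudioMD hunk sets `readonly` on every element, but browsers honour that attribute only on text-like inputs and textareas, so any select, checkbox or radio element in this form would stay editable in the UI (the element definitions are outside the hunk, so this is unconfirmed). For those element types `$element->setAttrib('disabled', 'disabled');` is the attribute that takes effect. Both new methods also lack docblocks; I would add one on `makeReadOnly()` along the lines of `/** Marks every element read-only in the rendered HTML; presentation only, does not block submission. */` so callers do not mistake it for an authorization control.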
-

"title); ?>"

+ permissionDenied) { ?>

You do not have permission to edit this track.

+

permissionDenied) { + echo(_("Viewing ")); + } else { + echo(_("Editing ")); + }?>"title); ?>"

form; ?>
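Review bot: The heading in the edit-file-md.phtml hunk still prints the track title with a bare `echo`, as far as the markup surviving on this page shows (`title); ?>` with no escape call around it), and this commit newly renders the dialog for users who do not own the file. The controller fills the value from `getDbTrackTitle()`, i.e. from stored file metadata, so it should be HTML-escaped on output: `<?php echo $this->escape($this->title); ?>`. The added "You do not have permission to edit this track." text also appears not to pass through `_()` the way "Viewing " and "Editing " do, which would leave it untranslated.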