fix(settings): prevent access to settings for non-managers

Author: landonreed

lib/manager/components/FeedSourceSettings.js

@@ -65,15 +65,29 @@ export default class FeedSourceSettings extends Component {
       project,
       user
     } = this.props
+    const {
+      name,
+      url
+    } = this.state
     // const messages = getComponentMessages('FeedSourceSettings')
     const disabled = !user.permissions.hasFeedPermission(project.organizationId, project.id, feedSource.id, 'manage-feed')
     const isProjectAdmin = user.permissions.isProjectAdmin(project.id, project.organizationId)
     // const editGtfsDisabled = !user.permissions.hasFeedPermission(project.organizationId, project.id, feedSource.id, 'edit-gtfs')
     const autoFetchFeed = feedSource.retrievalMethod === 'FETCHED_AUTOMATICALLY'
     const resourceType = activeComponent === 'settings' && activeSubComponent && activeSubComponent.toUpperCase()
+    if (disabled) {
+      return (
+        <Row>
+          <Col xs={6} mdOffset={3}>
+            <p className='lead text-center'><strong>Warning!</strong> You do not have permission to edit details for this feed source.</p>
+          </Col>
+        </Row>
+      )
+    }
     return (
       <Row>
         <Col xs={3}>
+          {/* Side panel */}
           <Panel>
             <ListGroup fill>
               <LinkContainer
@@ -98,19 +112,21 @@ export default class FeedSourceSettings extends Component {
         <Col xs={6} />
         {!resourceType
           ? <Col xs={7}>
+            {/* Settings */}
             <Panel header={<h3>Settings</h3>}>
               <ListGroup fill>
                 <ListGroupItem>
                   <FormGroup>
                     <ControlLabel>Feed source name</ControlLabel>
                     <InputGroup>
                       <FormControl
-                        value={typeof this.state.name !== 'undefined' ? this.state.name : feedSource.name}
+                        value={name || feedSource.name}
                         name={'name'}
+                        disabled={disabled}
                         onChange={this._onChange} />
                       <InputGroup.Button>
                         <Button
-                          disabled={!this.state.name || this.state.name === feedSource.name} // disable if no change or no value.
+                          disabled={disabled || !name || name === feedSource.name} // disable if no change or no value.
                           onClick={this._onNameSaved}>
                           Rename
                         </Button>
@@ -137,12 +153,13 @@ export default class FeedSourceSettings extends Component {
                     <ControlLabel>Feed source fetch URL</ControlLabel>
                     <InputGroup>
                       <FormControl
-                        value={typeof this.state.url !== 'undefined' ? this.state.url : feedSource.url || ''}
+                        value={url || feedSource.url}
                         name={'url'}
+                        disabled={disabled}
                         onChange={this._onChange} />
                       <InputGroup.Button>
                         <Button
-                          disabled={this.state.url === feedSource.url} // disable if no change.
+                          disabled={disabled || url === feedSource.url} // disable if no change.
                           onClick={this._onSaveUrl}>
                           Change URL
                         </Button>
@@ -154,6 +171,7 @@ export default class FeedSourceSettings extends Component {
                   <FormGroup>
                     <Checkbox
                       checked={autoFetchFeed}
+                      disabled={disabled}
                       onChange={this._onToggleAutoFetch}
                       bsStyle='danger'>
                       <strong>Auto fetch feed source</strong>
@@ -168,6 +186,7 @@ export default class FeedSourceSettings extends Component {
                 <ListGroupItem>
                   <Button
                     onClick={this._onTogglePublic}
+                    disabled={disabled}
                     className='pull-right'>
                     Make {feedSource.isPublic ? 'private' : 'public'}
                   </Button>
@@ -178,6 +197,7 @@ export default class FeedSourceSettings extends Component {
                   <Button
                     onClick={confirmDeleteFeedSource}
                     className='pull-right'
+                    disabled={disabled}
                     bsStyle='danger'>
                     <Icon type='trash' /> Delete feed source
                   </Button>

lib/manager/components/GeneralSettings.js

@@ -141,6 +141,9 @@ export default class GeneralSettings extends Component {
     const {project, editDisabled} = this.props
     const noEdits = Object.keys(this.state.general).length === 0 && this.state.general.constructor === Object
     const autoFetchChecked = typeof this.state.general.autoFetchFeeds !== 'undefined' ? this.state.general.autoFetchFeeds : project.autoFetchFeeds
+    if (editDisabled) {
+      return <p className='lead text-center'><strong>Warning!</strong> You do not have permission to edit details for this feed source.</p>
+    }
     return (
       <div className='general-settings-panel'>
         <ConfirmModal ref='confirm' />