Add new 'EditOwnPosts' permission

migrations/20170710013345_add_edit_own_posts_permission.php

@@ -0,0 +1,24 @@
+<?php
+
+use Phinx\Migration\AbstractMigration;
+
+class AddEditOwnPostsPermission extends AbstractMigration
+{
+    public function up()
+    {
+        $this->execute("INSERT INTO permissions (name, description)
+            VALUES ('Edit their own posts', 'Edit their own posts')
+            ");
+
+        $this->execute("INSERT INTO `roles_permissions` (`role`, `permission`)
+            VALUES ('user', 'Edit their own posts')
+            ");
+    }
+
+    public function down()
+    {
+        $this->execute("DELETE FROM permissions WHERE name = 'Edit their own posts'");
+
+        $this->execute("DELETE FROM roles_permissions WHERE permission = 'Edit their own posts'");
+    }
+}

src/Core/Entity/Permission.php

@@ -23,7 +23,8 @@ class Permission extends StaticEntity
 	const DATA_IMPORT      = 'Bulk Data Import';
 	const MANAGE_POSTS     = 'Manage Posts';
 	const MANAGE_SETTINGS  = 'Manage Settings';
-	const MANAGE_USERS     = 'Manage Users';
+    const MANAGE_USERS     = 'Manage Users';
+    const EDIT_OWN_POSTS   = 'Edit their own posts';
 
 	// DataTransformer
 	public function getDefinition()

src/Core/Tool/Authorizer/PostAuthorizer.php

@@ -135,11 +135,28 @@ public function isAllowed(Entity $entity, $privilege)
             return true;
         }
 
-        // We check if the user is the owner of this post. If so, they are allowed
-        // to do almost anything, **except** change ownership and status of the post, which
-        // only admins can do.
-        if ($this->isUserOwner($entity, $user) && !$entity->hasChanged('user_id')
-            && $privilege !== 'change_status') {
+        // Only admins or users with 'Manage Posts' permission can change status
+        if ($privilege === 'change_status') {
+            return false;
+        }
+
+        // Only admins or users with 'Manage Posts' permission can change the ownership of a post
+        if ($entity->hasChanged('user_id')) {
+            return false;
+        }
+
+        // If the user is the owner of this post & they have edit own posts permission
+        // they are allowed to edit or delete the post. They can't change the post status or
+        // ownership but those are already checked above
+        if ($this->isUserOwner($entity, $user)
+            && in_array($privilege, ['update', 'delete'])
+            && $this->hasPermission($user, Permission::EDIT_OWN_POSTS)) {
+            return true;
+        }
+
+        // If the user is the owner of this post they can always view the post
+        if ($this->isUserOwner($entity, $user)
+            && in_array($privilege, ['read'])) {
             return true;
         }
 

tests/datasets/ushahidi/Base.yml

@@ -1899,3 +1899,12 @@ roles_permissions:
   -
     role: importer
     permission: Bulk Data Import
+  -
+    role: user
+    permission: Edit their own posts
+  -
+    role: manager
+    permission: Edit their own posts
+  -
+    role: importer
+    permission: Edit their own posts

tests/integration/permissions.feature

@@ -7,7 +7,7 @@ Feature: Testing the Permissions API
         Then the response is JSON
         And the response has a "count" property
         And the type of the "count" property is "numeric"
-        And the "count" property equals "4"
+        And the "count" property equals "5"
         Then the guzzle status code should be 200
 
     Scenario: Admin cannot create new permission
@@ -22,4 +22,4 @@ Feature: Testing the Permissions API
         When I request "/permissions"
         Then the guzzle status code should be 403
 
-     
+