authorTim Almdal <tnalmdal@shaw.ca>2009-07-26 09:29:29 -0700
committerTim Almdal <tnalmdal@shaw.ca>2009-07-26 09:29:29 -0700
commit0b97cfd6f098be08be5f3cf1dbca1cce580ae330 (patch)
treefb90b32fc7afc050f7dca92ddc4575135c336777
parent809e52d80cbf3beb75b238fddb0da3951fb9a8e7 (diff)
Changed access::user_can so that the owner of an item is granted view only when they have
view permission on the parent. Added a whitelist of permissions that owners are always granted. If the requested permission is view and the requesting user is the owner, check that they have view permission on the parent.
-rw-r--r--modules/gallery/helpers/access.php17
-rw-r--r--modules/gallery/tests/Access_Helper_Test.php42
2 files changed, 56 insertions, 3 deletions
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 2faa922b..4f737c7f 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -95,13 +95,24 @@ class access_Core {
return false;
}
- if ($user->admin && $item->owner_id == $user->id) {
+ if ($user->admin) {
return true;
}
- $resource = $perm_name == "view" ?
- $item : model_cache::get("access_cache", $item->id, "item_id");
+ print "Before owner id check\n";
+ if ($item->owner_id == $user->id &&
+ in_array($perm_name, array("view_full", "edit", "add"))) {
+ return true;
+ }
+
+ if ($perm_name == "view") {
+ $resource = $item->owner_id == $user->id ? $item->parent() : $item;
+ } else {
+ $resource = model_cache::get("access_cache", $item->id, "item_id");
+ }
+ print Kohana::debug($resource->as_array()) . "\n";
foreach ($user->groups as $group) {
+ print "$group->name\n";
if ($resource->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
return true;
}
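Review bot: The three `print` calls added in this hunk (`print "Before owner id check\n";`, `print Kohana::debug($resource->as_array()) . "\n";` inside the branch selection, and `print "$group->name\n";` inside the group loop) look like leftover debugging and should be removed before merge; as written, every permission check writes the item's access row, including its per-group permission columns, and the caller's group names into the response. Separately, the owner whitelist at `if ($item->owner_id == $user->id && in_array($perm_name, array("view_full", "edit", "add")))` returns true before the new parent-view check runs, so an owner whose parent album is view-denied still gets edit/add on the item — worth confirming that is intended, since the commit message only describes restricting view. The `$item->parent()` branch presumably assumes the owned item is never the root; if a root item can have an owner, `$resource` would be null and the `__get` call in the loop would fail, so a guard may be needed. user_can's signature and the earlier checks start outside this hunk.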
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index 59cec453..737ed8a6 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -101,6 +101,48 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
}
+ public function owner_can_view_album_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $item = album::create($root, rand(), "test album", $user->id);
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function owner_can_view_photo_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $album = album::create($root, rand(), "test album", $user->id);
+ $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function owner_cant_view_photo_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $album = album::create($root, rand(), "test album");
+ access::deny(group::everybody(), "view", $album);
+ $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+ $this->assert_false(access::user_can($user, "view", $item), "Should not be able to view");
+ }
+
public function adding_and_removing_items_adds_ands_removes_rows_test() {
$root = ORM::factory("item", 1);
$item = album::create($root, rand(), "test album");
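Review bot: The three new tests repeat the same six-line setup (create "access_test", strip every group, save), which is the part most likely to drift if the fixture changes; a private helper on the test case keeps each test focused on the permission it exercises. The assertions themselves cover the three cases the commit message describes (owner of an album, owner of a photo under an owned album, owner of a photo under a view-denied album), which is the right set. adding_and_removing_items_adds_ands_removes_rows_test continues past the end of this hunk.
```php
  private function user_without_groups() {
    $user = user::create("access_test", "Access Test", "");
    foreach ($user->groups as $group) {
      $user->remove($group);
    }
    $user->save();
    return $user;
  }

  public function owner_can_view_album_test() {
    $user = $this->user_without_groups();
    // … unchanged: album creation and assertion …
  }
  // … unchanged: owner_can_view_photo_test and owner_cant_view_photo_test use the same helper …
```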