authorBharat Mediratta <bharat@menalto.com>2008-12-31 19:59:42 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-31 19:59:42 +0000
commit4573ada534720a44109e200172e48207140d5865 (patch)
tree325eeaad86ba9579e37bec016aa643212b798ecc
parentbd8884d3acb183006fc25369891330d4d4699bc8 (diff)
Extend permissions interface to allow resetting to the parental default.
-rw-r--r--core/controllers/permissions.php24
-rw-r--r--core/helpers/access.php97
-rw-r--r--core/views/permissions_browse.html.php12
-rw-r--r--core/views/permissions_form.html.php41
4 files changed, 106 insertions, 68 deletions
diff --git a/core/controllers/permissions.php b/core/controllers/permissions.php
index 7e0d1e43..8ffb63de 100644
--- a/core/controllers/permissions.php
+++ b/core/controllers/permissions.php
@@ -45,7 +45,7 @@ class Permissions_Controller extends Controller {
print $this->_get_form($item);
}
- function allow($group_id, $perm_id, $item_id) {
+ function change($command, $group_id, $perm_id, $item_id) {
access::verify_csrf();
$group = ORM::factory("group", $group_id);
$perm = ORM::factory("permission", $perm_id);
@@ -53,19 +53,19 @@ class Permissions_Controller extends Controller {
access::required("edit", $item);
if ($group->loaded && $perm->loaded && $item->loaded) {
- access::allow($group, $perm->name, $item);
- }
- }
+ switch($command) {
+ case "allow":
+ access::allow($group, $perm->name, $item);
+ break;
- function deny($group_id, $perm_id, $item_id) {
- access::verify_csrf();
- $group = ORM::factory("group", $group_id);
- $perm = ORM::factory("permission", $perm_id);
- $item = ORM::factory("item", $item_id);
- access::required("edit", $item);
+ case "deny":
+ access::deny($group, $perm->name, $item);
+ break;
- if ($group->loaded && $perm->loaded && $item->loaded) {
- access::deny($group, $perm->name, $item);
+ case "reset":
+ access::reset($group, $perm->name, $item);
+ break;
+ }
}
}
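Review bot: The `switch($command)` has no `default` branch, so a request with any other command string passes the CSRF and edit checks and then returns as if it had succeeded; adding `default: access::forbidden();` would make a bad command visible to the caller. The same silent return happens when one of the three models fails to load, because the `if` is simply skipped. The form view hides the toggle links under a parental lock and hides reset on item 1, but nothing in this method repeats those checks, so unless `access::allow`, `access::deny` and `access::reset` enforce them (not visible here) they hold only in the UI. The method's signature and first lines are in the previous hunk.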
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 9d4cb105..4bfe89d4 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -71,43 +71,6 @@ class access_Core {
const UNKNOWN = 2;
/**
- * Does this group have this permission on this item?
- *
- * @param Group_Model $group
- * @param string $perm_name
- * @param Item_Model $item
- * @return boolean
- */
- public static function group_can($group, $perm_name, $item) {
- $resource = $perm_name == "view" ?
- $item : model_cache::get("access_cache", $item->id, "item_id");
- return $resource->__get("{$perm_name}_{$group->id}") === self::ALLOW;
- }
-
- /**
- * Can this permission be changed for this item?
- *
- * @param Group_Model $group
- * @param string $perm_name
- * @param Item_Model $item
- * @return ORM_Model item that locks this one
- */
- public static function locking_items($group, $perm_name, $item) {
- if ($perm_name != "view") {
- return null;
- }
-
- // For view permissions, if any parent is self::DENY, then those parents lock this one.
- return ORM::factory("item")
- ->where("`left` <= $item->left")
- ->where("`right` >= $item->right")
- ->where("`id` <> $item->id")
- ->where("view_$group->id", 0)
- ->find_all()
- ->as_array();
- }
-
- /**
* Does the active user have this permission on this item?
*
* @param string $perm_name
@@ -143,6 +106,66 @@ class access_Core {
}
/**
+ * Does this group have this permission on this item?
+ *
+ * @param Group_Model $group
+ * @param string $perm_name
+ * @param Item_Model $item
+ * @return boolean
+ */
+ public static function group_can($group, $perm_name, $item) {
+ $resource = $perm_name == "view" ?
+ $item : model_cache::get("access_cache", $item->id, "item_id");
+ return $resource->__get("{$perm_name}_{$group->id}") === self::ALLOW;
+ }
+
+ /**
+ * Return this group's intent for this permission on this item.
+ *
+ * @param Group_Model $group
+ * @param string $perm_name
+ * @param Item_Model $item
+ * @return integer access::ALLOW, access::DENY or null for no intent
+ */
+ public static function group_intent($group, $perm_name, $item) {
+ $intent = model_cache::get("access_intent", $item->id, "item_id");
+ return $intent->__get("{$perm_name}_{$group->id}");
+ }
+
+ /**
+ * Is the permission on this item locked by a parent? If so return the nearest parent that
+ * locks it.
+ *
+ * @param Group_Model $group
+ * @param string $perm_name
+ * @param Item_Model $item
+ * @return ORM_Model item that locks this one
+ */
+ public static function locked_by($group, $perm_name, $item) {
+ if ($perm_name != "view") {
+ return null;
+ }
+
+ // For view permissions, if any parent is self::DENY, then those parents lock this one.
+ // Return
+ $lock = ORM::factory("item")
+ ->where("`left` <= $item->left")
+ ->where("`right` >= $item->right")
+ ->where("`items`.`id` <> $item->id")
+ ->join("access_intents", "items.id", "access_intents.item_id")
+ ->where("access_intents.view_$group->id", 0)
+ ->orderby("level", "desc")
+ ->limit(1)
+ ->find();
+
+ if ($lock->loaded) {
+ return $lock;
+ } else {
+ return null;
+ }
+ }
+
+ /**
* Terminate immediately with an HTTP 503 Forbidden response.
*/
public static function forbidden() {
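Review bot: In `locked_by` the denied state is matched with a literal `0` in `->where("access_intents.view_$group->id", 0)` although the comment above it speaks of `self::DENY`; assuming that constant is 0, writing `self::DENY` keeps the query tied to it. The comment line `// Return` is left unfinished and could read `// Return the nearest such parent (highest level).` The string-built `where()` fragments put `$item->left`, `$item->right` and `$item->id` straight into SQL, which is safe only while these are always integers loaded by the ORM; an `(int)` cast on each would make that explicit. The `@return` tag should also say that null is returned when no parent locks the item.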
diff --git a/core/views/permissions_browse.html.php b/core/views/permissions_browse.html.php
index 599ba520..56076b4d 100644
--- a/core/views/permissions_browse.html.php
+++ b/core/views/permissions_browse.html.php
@@ -1,9 +1,10 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
<script src="<?= url::file("lib/jquery.js") ?>" type="text/javascript"></script>
<script type="text/javascript">
- show = function(id, form_url) {
+ var form_url = "<?= url::site("permissions/form/__ITEM__") ?>";
+ show = function(id) {
$.ajax({
- url: form_url,
+ url: form_url.replace("__ITEM__", id),
success: function(data) {
$("div.form").slideUp();
$("div#edit-" + id).html(data).slideDown();
@@ -11,8 +12,7 @@
});
}
- var action_url = "<?= url::site("permissions/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=" . access::csrf_token()) ?>";
- var form_url = "<?= url::site("permissions/form/__ITEM__") ?>";
+ var action_url = "<?= url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=" . access::csrf_token()) ?>";
set = function(cmd, group_id, perm_id, item_id) {
$.ajax({
url: action_url.replace("__CMD__", cmd).replace("__GROUP__", group_id).
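Review bot: `action_url` carries the CSRF token in the query string (`?csrf=` followed by `access::csrf_token()`), and the hunk shows no request type on the `$.ajax` call in `set`, so the permission change appears to be sent as a GET. Tokens in URLs are recorded in web-server access logs and browser history and can leak through the Referer header, and state-changing GET requests can be repeated by prefetchers or proxies. Consider sending the change as a POST with the token in the body, e.g. `type: "POST", data: {csrf: "<?= access::csrf_token() ?>"}`, provided `access::verify_csrf()` accepts the token there (not visible here). The `$.ajax` call continues outside the hunk.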
@@ -27,14 +27,14 @@
<ul>
<? foreach ($parents as $parent): ?>
<li>
- <a href="javascript:show(<?= $parent->id ?>,'<?= url::site("permissions/form/$parent->id") ?>')">
+ <a href="javascript:show(<?= $parent->id ?>)">
<?= $parent->title ?>
</a>
<div class="form" id="edit-<?= $parent->id ?>"></div>
<ul>
<? endforeach ?>
<li>
- <a href="javascript:show(<?= $item->id ?>,'<?= url::site("permissions/form/$item->id") ?>')">
+ <a href="javascript:show(<?= $item->id ?>)">
<?= $item->title ?>
</a>
<div class="form" id="edit-<?= $item->id ?>">
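Review bot: `<?= $parent->title ?>` and `<?= $item->title ?>` are written into the page without HTML escaping; the commit leaves these lines unchanged, but if titles are user-editable and not sanitised on input, this is a stored XSS sink on the page used to manage permissions. Escaping at output, e.g. `<?= htmlspecialchars($parent->title, ENT_QUOTES, "UTF-8") ?>` and the same for `$item->title`, would close it. Whether titles are cleaned elsewhere cannot be seen from this hunk.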
diff --git a/core/views/permissions_form.html.php b/core/views/permissions_form.html.php
index 80fbedf6..d0b605e2 100644
--- a/core/views/permissions_form.html.php
+++ b/core/views/permissions_form.html.php
@@ -15,20 +15,35 @@
<td> <?= _($permission->display_name) ?> </td>
<? foreach ($groups as $group): ?>
<td>
- <? $locked = access::locking_items($group, $permission->name, $item) ?>
+ <? $intent = access::group_intent($group, $permission->name, $item) ?>
<? $allowed = access::group_can($group, $permission->name, $item) ?>
- <? if ($locked && $allowed): ?>
- allowed <a href="#">locked</a>
- <? elseif ($locked && !$allowed): ?>
- denied <a href="#">locked</a>
- <? elseif ($allowed): ?>
- <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)">
- <?= _("allowed") ?>
- </a>
- <? elseif (!$allowed): ?>
- <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)">
- <?= _("denied") ?>
- </a>
+ <? $lock = access::locked_by($group, $permission->name, $item) ?>
+
+ <? if ($lock): ?>
+
+ <? if ($allowed): ?>
+ allowed
+ <? else: ?>
+ denied
+ <? endif ?>
+
+ <a href="javascript:show(<?= $lock->id ?>)">(parental lock)</a>
+ <? else: ?>
+
+ <? if ($allowed): ?>
+ <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)">allowed</a>
+ <? else: ?>
+ <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)">denied</a>
+ <? endif ?>
+
+ <? if ($intent === null): ?>
+ (from parent)
+ <? else: ?>
+ <? if ($item->id != 1): ?>
+ <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)">(reset to parent)</a>
+ <? endif ?>
+ <? endif ?>
+
<? endif ?>
</td>
<? endforeach ?>
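Review bot: The new status and link texts (`allowed`, `denied`, `(parental lock)`, `(from parent)`, `(reset to parent)`) are plain literals, whereas the removed lines wrapped the link texts in `_()`, so these strings drop out of translation; for example `<?= _("(reset to parent)") ?>`. The check `$item->id != 1` relies on a bare literal, presumably the root item, which has no parent to reset to; a short comment such as `<? /* item 1 has no parent to reset to */ ?>` or a named constant would make that clear.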