authorBharat Mediratta <bharat@menalto.com>2008-12-01 09:57:03 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-01 09:57:03 +0000
commit5c303aa07ba7512f1e6a1150d118c47d16678c54 (patch)
treedd0f253bfc74e296589b21dd83c3ab8bcdb01392
parent88a70cbc0420c57b5b989e57de0ee69dbb66ecca (diff)
Add access::reset() so that you can specify your intent to use the
parent's permissions. Update scaffolding to demonstrate that it works.
-rw-r--r--core/controllers/welcome.php7
-rw-r--r--core/helpers/access.php35
-rw-r--r--core/views/welcome.html.php5
3 files changed, 43 insertions, 4 deletions
diff --git a/core/controllers/welcome.php b/core/controllers/welcome.php
index cabaf0a9..71fdcdc4 100644
--- a/core/controllers/welcome.php
+++ b/core/controllers/welcome.php
@@ -480,4 +480,11 @@ class Welcome_Controller extends Template_Controller {
access::deny($group_id, $perm, $item_id);
url::redirect("welcome");
}
+
+ public function reset_all_perms($group_id, $item_id) {
+ foreach (ORM::factory("permission")->find_all() as $perm) {
+ access::reset($group_id, $perm->name, $item_id);
+ }
+ url::redirect("welcome");
+ }
}
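Review bot: `reset_all_perms()` changes permission state from a plain URL, and nothing in this action checks who is calling it or that the request was intentional; the view hunk in core/views/welcome.html.php links to it with an ordinary anchor, so it is reached by GET. If this scaffolding controller is reachable outside development, the action should accept only POST with an anti-CSRF token and verify that the caller may edit permissions on `$item_id` before the loop runs. `access::reset()` throws for item 1 and the exception is not caught here, so a request for the root item ends as an unhandled error rather than a redirect. The method has no docblock; one line stating that it resets every registered permission for the group on the item to "inherit" would help.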
diff --git a/core/helpers/access.php b/core/helpers/access.php
index d2de30f7..26b19614 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -65,8 +65,6 @@
* directly into Item_Model. By doing this, we'll be able to find viewable items (the most
* common permission access) without doing table joins.
*
- * o Support setting an intent back to "neutral" so that it can use the parent's value.
- *
* o Write unit tests.
*/
class access_Core {
@@ -137,6 +135,17 @@ class access_Core {
}
/**
+ * Unset the given permission for this item and use inherited values
+ *
+ */
+ public static function reset($group_id, $perm_name, $item_id) {
+ if ($item_id == 1) {
+ throw new Exception("@todo CANT_RESET_ROOT_PERMISSION");
+ }
+ self::_set($group_id, $perm_name, $item_id, null);
+ }
+
+ /**
* Register a permission so that modules can use it.
*
* @param string $perm_name
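Review bot: The root guard in `reset()` compares `$item_id == 1` loosely, while the caller added in this commit passes a raw URL segment, so the value the guard inspects and the value `_set()` later uses are not guaranteed to be interpreted the same way. Normalising once and comparing strictly keeps the two in agreement: `$item_id = (int)$item_id;` followed by `if ($item_id === 1) {`. The docblock is also empty where the neighbouring `register` docblock lists `@param` entries; it should name the three parameters and state that resetting the root item throws because the root has no parent to inherit from. The literal `1` and the `@todo` message would read better as a named root-id constant and a real error string.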
@@ -304,12 +313,12 @@ class access_Core {
// DENY and this ALLOW cannot be obeyed. So in that case, back up the tree and find any
// non-DEFAULT and non-ALLOW parent and propagate from there. If we can't find a matching
// item, then its safe to propagate from here.
- if ($access->$field != self::DENY) {
+ if ($access->$field !== self::DENY) {
$tmp_item = ORM::factory("item")
->join("access_intents", "items.id", "access_intents.item_id")
->where("left <", $item->left)
->where("right >", $item->right)
- ->where($field, self::DENY)
+ ->where("$field IS NOT", null)
->orderby("left", "DESC")
->limit(1)
->find();
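Review bot: The ancestor lookup now matches any ancestor with a non-null intent (`->where("$field IS NOT", null)`) where it used to match only `self::DENY`, so with `orderby("left", "DESC")` and `limit(1)` the nearest explicit ancestor wins even when it is an ALLOW and a DENY sits further up the tree. The comment above says a DENY ancestor must override, so unless the propagation code outside this hunk handles that case, a denied subtree could end up viewable; a unit test with DENY on a grandparent, ALLOW on the parent and a reset child would settle it. The comment still describes the old query ("non-DEFAULT and non-ALLOW parent") and should be updated either way. The switch to `!==` is only correct if `$access->$field` comes back with the same type as `self::DENY`; if the ORM returns strings for this column the branch is now always taken, which is worth confirming. The enclosing function starts and ends outside the hunk.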
@@ -364,6 +373,24 @@ class access_Core {
}
}
} else {
+ // If the item's intent is ALLOW or DEFAULT, it's possible that some ancestor has specified
+ // DENY and this ALLOW cannot be obeyed. So in that case, back up the tree and find any
+ // non-DEFAULT and non-ALLOW parent and propagate from there. If we can't find a matching
+ // item, then its safe to propagate from here.
+ if ($access->$field === null) {
+ $tmp_item = ORM::factory("item")
+ ->join("access_intents", "items.id", "access_intents.item_id")
+ ->where("left <", $item->left)
+ ->where("right >", $item->right)
+ ->where("$field IS NOT", null)
+ ->orderby("left", "DESC")
+ ->limit(1)
+ ->find();
+ if ($tmp_item->loaded) {
+ $item = $tmp_item;
+ }
+ }
+
// With non-view permissions, each level can override any permissions that came above it
// so start at the top and work downwards, overlaying permissions as we go.
$query = $db->query(
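Review bot: The comment on the new `if ($access->$field === null)` block was copied from the view-permission branch and does not describe this code: the condition covers only a null (reset) intent, not ALLOW, and the comment two lines below says non-view permissions can be overridden at each level, so "this ALLOW cannot be obeyed" is wrong here. Something like `// Intent is unset (inherit): start from the nearest ancestor that has an explicit intent, or from this item if there is none.` would match the code. The query is also a line-for-line copy of the one in the earlier hunk at -304; a private static helper taking `$item` and `$field` would keep the two from drifting apart. The enclosing function starts and ends outside the hunk.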
diff --git a/core/views/welcome.html.php b/core/views/welcome.html.php
index 7588682d..8a14b386 100644
--- a/core/views/welcome.html.php
+++ b/core/views/welcome.html.php
@@ -358,6 +358,11 @@
<?= html::anchor("welcome/add_perm/0/$perm/{$current->album->id}", strtolower($perm), array("class" => "denied")) ?>
<? endif ?>
<? endforeach ?>
+ <? if ($current->album->id != 1): ?>
+ <span class="understate">
+ (<?= html::anchor("welcome/reset_all_perms/0/{$current->album->id}", "reset") ?>)
+ </span>
+ <? endif; ?>
<? $stack[] = "CLOSE"; ?>
<? if ($current->children): ?>
<? $stack = array_merge($stack, $current->children) ?>
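Review bot: The `$current->album->id != 1` test repeats the root-item literal that `access::reset()` checks, so the view and the helper can drift apart; a single named root check used by both would avoid that. Hiding the link is presentation only, and the server-side guard in `access::reset()` remains the real control. The new `<? endif; ?>` also differs from the `<? endif ?>` form used a few lines above.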