author | Bharat Mediratta <bharat@menalto.com> | 2008-12-16 01:04:19 +0000 |
committer | Bharat Mediratta <bharat@menalto.com> | 2008-12-16 01:04:19 +0000 |
commit | 61618af0db392e044ce54ab4cd585cf792b21751 (patch) | |
tree | a76e1c1d7ab84f94a2eacf4decc76e0bedad5942 | |
parent | 898d001330230569f5cd0c280fbb499fd6005f2f (diff) |
Create and delete .htaccess files based on the view permissions for
the group::everybody() user.
-rw-r--r-- | core/helpers/access.php | 49 | ||||
-rw-r--r-- | core/tests/Access_Helper_Test.php | 61 |
2 files changed, 63 insertions, 47 deletions
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 71e085df..36ef9c5c 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -128,25 +128,32 @@ class access_Core {
 * @param Item_Model $item
 * @param boolean $value
 */
- private static function _set($group, $perm_name, $item, $value) {
- if (!$item->loaded) {
- throw new Exception("@todo INVALID_ITEM $item->id");
+ private static function _set($group, $perm_name, $album, $value) {
+ if (!$album->loaded) {
+ throw new Exception("@todo INVALID_ALBUM $album->id");
 }
- if ($item->type != "album") {
- throw new Exception("@todo INVALID_ITEM_TYPE not an album");
+ if ($album->type != "album") {
+ throw new Exception("@todo INVALID_ALBUM_TYPE not an album");
 }
- $access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
+ $access = ORM::factory("access_intent")->where("item_id", $album->id)->find();
 if (!$access->loaded) {
- throw new Exception("@todo MISSING_ACCESS for $item->id");
+ throw new Exception("@todo MISSING_ACCESS for $album->id");
 }
 $access->__set("{$perm_name}_{$group->id}", $value);
 $access->save();
 if ($perm_name =="view") {
- self::_update_access_view_cache($group, $item);
+ self::_update_access_view_cache($group, $album);
+ if ($group->id == 1) {
+ if ($value) {
+ self::_delete_htaccess_files($album);
+ } else {
+ self::_create_htaccess_files($album);
+ }
+ }
 } else {
- self::_update_access_non_view_cache($group, $perm_name, $item);
+ self::_update_access_non_view_cache($group, $perm_name, $album);
 }
 }
@@ -344,7 +351,7 @@ class access_Core {
 * @param Item_Model $item
 * @return void
 */
- public static function _update_access_view_cache($group, $item) {
+ private static function _update_access_view_cache($group, $item) {
 $access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
 $db = Database::instance();
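Review bot: The new `.htaccess` branch in `_set` recognises the everybody group by the literal `$group->id == 1`, while the rest of this commit (and the new test) identify that group through `group::everybody()`; comparing against `group::everybody()->id` ties the filesystem protection to the same identity the permission model uses instead of a magic number that silently does nothing if the id ever differs. The branch also only distinguishes truthy from falsy `$value`: if the reset path (not in this hunk) reaches `_set` with `null`, an album that merely inherits its parent's allow would get a `Deny from All` file, and in general the file state tracks the raw intent rather than the effective permission that `_update_access_view_cache` has just computed, so the two enforcement points can disagree. Deriving the create/delete decision from the computed view permission would keep them consistent. Note as well that `$access->save()` runs before the files are written, so a failed write (the new helper does not check `fopen`'s result) leaves the database saying "denied" while the directory is still served.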
@@ -427,7 +434,7 @@ class access_Core {
 * @param Item_Model $item
 * @return void
 */
- public static function _update_access_non_view_cache($group, $perm_name, $item) {
+ private static function _update_access_non_view_cache($group, $perm_name, $item) {
 $access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
 $db = Database::instance();
@@ -471,4 +478,24 @@ class access_Core {
 " AND `right` <= $row->right)");
 }
 }
+
+ /**
+ * Create .htaccess files to prevent direct access to the given album and its hierarchy.
+ */
+ private static function _create_htaccess_files($album) {
+ foreach (array($album->file_path(), dirname($album->resize_path())) as $dir) {
+ $fp = fopen("$dir/.htaccess", "w+");
+ fwrite($fp, "Order Deny,Allow\n");
+ fwrite($fp, "Deny from All\n");
+ fclose($fp);
+ }
+ }
+
+ /**
+ * Delete the .htaccess files that are preventing access to the given album and its hierarchy.
+ */
+ private static function _delete_htaccess_files($album) {
+ @unlink($album->file_path() . "/.htaccess");
+ @unlink(dirname($album->resize_path()) . "/.htaccess");
+ }
 }
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index 4383a35b..4643eb1a 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -44,13 +44,6 @@ class Access_Helper_Test extends Unit_Test_Case {
 user::set_active(user::guest());
 }
- private function _add_album($parent) {
- $album = ORM::factory("item");
- $album->type = "album";
- $album->add_to_parent($parent);
- return $album;
- }
-
 public function groups_and_permissions_are_bound_to_columns_test() {
 access::register_permission("access_test");
 $group = group::create("access_test");
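Review bot: `_create_htaccess_files` never checks what `fopen` returns, so on an unwritable directory `$fp` is `false`, the `fwrite`/`fclose` calls only raise warnings, and `_set` returns normally with the deny intent saved but the album directory still served directly — the protection fails open. Writing the file with `file_put_contents` and throwing when it returns `false` surfaces the failure the same way the other `@todo` exceptions in this class do (`w+` also opens for reading, which nothing here needs). `_delete_htaccess_files` hides the same class of error with `@unlink`; testing `file_exists` first and letting a genuine unlink failure propagate is the matching fix. It is also worth stating in the docblock that the `Order`/`Deny` directives only take effect where the web server honours `.htaccess` overrides for these directories, since the code cannot verify that itself.
```php
  private static function _create_htaccess_files($album) {
    foreach (array($album->file_path(), dirname($album->resize_path())) as $dir) {
      // Fail closed: a missing .htaccess would leave a denied album served directly.
      $written = file_put_contents("$dir/.htaccess", "Order Deny,Allow\nDeny from All\n");
      if ($written === false) {
        throw new Exception("@todo HTACCESS_WRITE_FAILED $dir");
      }
    }
  }
```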
@@ -91,8 +84,7 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function new_photos_inherit_parent_permissions_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
 access::allow(group::everybody(), "view", $album);
 $photo = ORM::factory("item");
@@ -105,8 +97,7 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function can_allow_deny_and_reset_intent_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
 $intent = ORM::factory("access_intent")->where("item_id", $album)->find();
 // Allow
@@ -158,9 +149,9 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function cant_view_child_of_hidden_parent_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
+ $root->reload();
 access::deny(group::everybody(), "view", $root);
 access::reset(group::everybody(), "view", $album);
@@ -170,8 +161,7 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function view_permissions_propagate_down_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
 access::allow(group::everybody(), "view", $root);
 access::reset(group::everybody(), "view", $album);
@@ -181,17 +171,10 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function can_toggle_view_permissions_propagate_down_test() {
 $root = ORM::factory("item", 1);
- $album1 = $this->_add_album($root);
- access::add_item($album1);
-
- $album2 = $this->_add_album($album1);
- access::add_item($album2);
-
- $album3 = $this->_add_album($album2);
- access::add_item($album3);
-
- $album4 = $this->_add_album($album3);
- access::add_item($album4);
+ $album1 = album::create($root->id, rand(), "test album");
+ $album2 = album::create($album1->id, rand(), "test album");
+ $album3 = album::create($album2->id, rand(), "test album");
+ $album4 = album::create($album3->id, rand(), "test album");
 $album1->reload();
 $album2->reload();
@@ -214,9 +197,9 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function revoked_view_permissions_cant_be_allowed_lower_down_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
+ $root->reload();
 access::deny(group::everybody(), "view", $root);
 access::allow(group::everybody(), "view", $album);
@@ -232,8 +215,7 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function non_view_permissions_propagate_down_test() {
 $root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
 access::allow(group::everybody(), "edit", $root);
 access::reset(group::everybody(), "edit", $album);
@@ -242,15 +224,11 @@ class Access_Helper_Test extends Unit_Test_Case {
 public function non_view_permissions_can_be_revoked_lower_down_test() {
 $root = ORM::factory("item", 1);
- $outer = $this->_add_album($root);
- access::add_item($outer);
-
+ $outer = album::create($root->id, rand(), "test album");
 $outer_photo = ORM::factory("item")->add_to_parent($outer);
 access::add_item($outer_photo);
- $inner = $this->_add_album($outer);
- access::add_item($inner);
-
+ $inner = album::create($outer->id, rand(), "test album");
 $inner_photo = ORM::factory("item")->add_to_parent($inner);
 access::add_item($inner_photo);
@@ -291,4 +269,15 @@ class Access_Helper_Test extends Unit_Test_Case {
 // And verify that the user can edit.
 $this->assert_true(access::can("edit", $root));
 }
+
+ public function everybody_view_permission_maintains_htaccess_files_test() {
+ $root = ORM::factory("item", 1);
+ $album = album::create($root->id, rand(), "test album");
+
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ access::deny(group::everybody(), "view", $album);
+ $this->assert_true(file_exists($album->file_path() . "/.htaccess"));
+ access::allow(group::everybody(), "view", $album);
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ }
 }
|
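Review bot: `everybody_view_permission_maintains_htaccess_files_test` only checks the file under `$album->file_path()`, while `_create_htaccess_files` in this commit writes a second file under `dirname($album->resize_path())`; if that second path is wrong the resized images stay reachable and this test would not notice. Adding the parallel checks, e.g. `$this->assert_true(file_exists(dirname($album->resize_path()) . "/.htaccess"));` after the deny and the matching `assert_false` after the allow, covers both locations. Since the deny-then-allow sequence is the whole contract being protected, a short comment on the test stating that the everybody group's view permission is mirrored onto the filesystem (and that both album directories are expected to be covered) would make the intent clear to the next person editing it.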