authorBharat Mediratta <bharat@menalto.com>2008-12-31 00:47:15 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-31 00:47:15 +0000
commitbfb040a46394e1a91318f39926923e027167362f (patch)
treefbcc4a1cc6da28be3ddc99a46ca5912ea66e6c12
parentad719b9b6f3391da1ba7e481890317cdc409c616 (diff)
Fix a bug where we were accidentally allowing view permissions when
allowing or resetting permission further down in the tree. This bug was introduced when I refactored the view permission cache into the items table. Updated test to catch it.
-rw-r--r--core/helpers/access.php3
-rw-r--r--core/tests/Access_Helper_Test.php12
2 files changed, 10 insertions, 5 deletions
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 9154fa75..c2f7a76e 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -400,7 +400,8 @@ class access_Core {
$tmp_item = ORM::factory("item")
->where("left <", $item->left)
->where("right >", $item->right)
- ->where($field, self::DENY)
+ ->join("access_intents", "access_intents.item_id", "items.id")
+ ->where("access_intents.$field", self::DENY)
->orderby("left", "DESC")
->limit(1)
->find();
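Review bot: Nothing at the query records why the ancestor lookup must read `access_intents` rather than the column on `items`, and per the commit message that distinction is exactly what the earlier refactor got wrong. A short comment above the `->join(...)` line would guard against it being simplified back, for example `// Match explicit DENY intents only; the view column on items is a cache.` (wording inferred from the commit description, so confirm it). After the join, the `left`/`right` conditions and `orderby("left", "DESC")` are still unqualified; writing them as `items.left` and `items.right` would keep the query unambiguous if `access_intents` ever gains columns with those names. The enclosing method starts and ends outside this hunk, so where `$field` is built is not visible here.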
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index aaf919b1..d7f014dc 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -197,14 +197,18 @@ class Access_Helper_Test extends Unit_Test_Case {
public function revoked_view_permissions_cant_be_allowed_lower_down_test() {
$root = ORM::factory("item", 1);
- $album = album::create($root, rand(), "test album");
+ $album1 = album::create($root, rand(), "test album");
+ $album2 = album::create($album1, rand(), "test album");
$root->reload();
access::deny(group::everybody(), "view", $root);
- access::allow(group::everybody(), "view", $album);
+ access::allow(group::everybody(), "view", $album2);
- $album->reload();
- $this->assert_false(access::group_can(group::everybody(), "view", $album));
+ $album1->reload();
+ $this->assert_false(access::group_can(group::everybody(), "view", $album1));
+
+ $album2->reload();
+ $this->assert_false(access::group_can(group::everybody(), "view", $album2));
}
public function can_edit_item_test() {
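Review bot: Only the `access::allow` path is exercised in `revoked_view_permissions_cant_be_allowed_lower_down_test`, while the commit message says the same leak occurred when resetting a permission further down the tree; nothing in this hunk asserts the reset case. A sibling test that swaps the allow call for `access::reset(group::everybody(), "view", $album2);` and keeps both `assert_false` checks would pin that path too (this assumes reset takes the same arguments as allow; confirm against the helper). Such a test may already exist elsewhere in the file, since only this one method is visible here.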