author | Bharat Mediratta <bharat@menalto.com> | 2009-05-13 18:03:50 +0000 |
committer | Bharat Mediratta <bharat@menalto.com> | 2009-05-13 18:03:50 +0000 |
commit | c52a231bc08558077788601cbd8a97cd514f1a63 (patch) | |
tree | 57e9e445ea2824d40405244d13b2fc5c919587a6 | |
parent | 5c40669fd7b5a2b89d8e8dfb283c2703d0979d49 (diff) |
Create a new "add" permission and require it at the controller level
when adding photos/movies/albums
-rw-r--r-- | core/controllers/albums.php | 8 | ||||
-rw-r--r-- | core/controllers/simple_uploader.php | 2 | ||||
-rw-r--r-- | core/helpers/core_installer.php | 1 | ||||
-rw-r--r-- | installer/install.sql | 14 | ||||
-rw-r--r-- | modules/server_add/controllers/server_add.php | 1 | ||||
-rw-r--r-- | modules/server_add/helpers/server_add_task.php | 1 |
6 files changed, 17 insertions, 10 deletions
diff --git a/core/controllers/albums.php b/core/controllers/albums.php
index adf59c02..6b976163 100644
--- a/core/controllers/albums.php
+++ b/core/controllers/albums.php
@@ -75,7 +75,7 @@ class Albums_Controller extends Items_Controller {
    * @see REST_Controller::_create($resource)
    */
   public function _create($album) {
-    access::required("edit", $album);
+    access::required("add", $album);
 
     switch ($this->input->post("type")) {
     case "album":
@@ -90,7 +90,7 @@ class Albums_Controller extends Items_Controller {
   }
 
   private function _create_album($album) {
-    access::required("edit", $album);
+    access::required("add", $album);
 
     $form = album::get_add_form($album);
     if ($form->validate()) {
@@ -117,7 +117,7 @@ class Albums_Controller extends Items_Controller {
   }
 
   private function _create_photo($album) {
-    access::required("edit", $album);
+    access::required("add", $album);
 
     // If we set the content type as JSON, it triggers saving the result as
     // a document in the browser (well, in Chrome at least).
@@ -185,7 +185,7 @@ class Albums_Controller extends Items_Controller {
    */
   public function _form_add($album_id) {
     $album = ORM::factory("item", $album_id);
-    access::required("edit", $album);
+    access::required("add", $album);
 
     switch ($this->input->get("type")) {
     case "album":
diff --git a/core/controllers/simple_uploader.php b/core/controllers/simple_uploader.php
index 479082d5..8d8bbbc0 100644
--- a/core/controllers/simple_uploader.php
+++ b/core/controllers/simple_uploader.php
@@ -33,7 +33,7 @@ class Simple_Uploader_Controller extends Controller {
 
   public function add_photo($id) {
     $album = ORM::factory("item", $id);
-    access::required("edit", $album);
+    access::required("add", $album);
     access::verify_csrf();
 
     $file_validation = new Validation($_FILES);
diff --git a/core/helpers/core_installer.php b/core/helpers/core_installer.php
index a933762a..724c0b92 100644
--- a/core/helpers/core_installer.php
+++ b/core/helpers/core_installer.php
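Review bot: `_form_add` and `_create` now gate on `access::required("add", $album)`, but nothing in these hunks confirms that the target item is actually an album, so an `$album_id` that resolves to a photo (or to an id that loads nothing) passes the permission check and reaches the type switch; the same applies to `add_photo` in the simple_uploader.php hunk, which loads `$id` the same way. The server_add_task.php hunk in this commit shows the pattern worth mirroring after the permission check: `if (!$album->is_album()) { throw new Exception("@todo BAD_ALBUM"); }`. Whether `access::required` itself rejects an unloaded item is not visible here, so treat that as something to confirm rather than rely on. The bodies of all of these methods continue outside the hunks.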
@@ -192,6 +192,7 @@ class core_installer {
     access::register_permission("view", "View");
     access::register_permission("view_full", "View Full Size");
     access::register_permission("edit", "Edit");
+    access::register_permission("add", "Add");
 
     $root = ORM::factory("item");
     $root->type = "album";
diff --git a/installer/install.sql b/installer/install.sql
index 9a356e7d..62240b50 100644
--- a/installer/install.sql
+++ b/installer/install.sql
@@ -6,12 +6,14 @@ CREATE TABLE {access_caches} (
   `item_id` int(9) default NULL,
   `view_full_1` smallint(6) NOT NULL default '0',
   `edit_1` smallint(6) NOT NULL default '0',
+  `add_1` smallint(6) NOT NULL default '0',
   `view_full_2` smallint(6) NOT NULL default '0',
   `edit_2` smallint(6) NOT NULL default '0',
+  `add_2` smallint(6) NOT NULL default '0',
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
 SET character_set_client = @saved_cs_client;
-INSERT INTO {access_caches} VALUES (1,1,1,0,1,0);
+INSERT INTO {access_caches} VALUES (1,1,1,0,0,1,0,0);
 DROP TABLE IF EXISTS {access_intents};
 SET @saved_cs_client = @@character_set_client;
 SET character_set_client = utf8;
@@ -21,13 +23,15 @@ CREATE TABLE {access_intents} (
   `view_1` tinyint(1) default NULL,
   `view_full_1` tinyint(1) default NULL,
   `edit_1` tinyint(1) default NULL,
+  `add_1` tinyint(1) default NULL,
   `view_2` tinyint(1) default NULL,
   `view_full_2` tinyint(1) default NULL,
   `edit_2` tinyint(1) default NULL,
+  `add_2` tinyint(1) default NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
 SET character_set_client = @saved_cs_client;
-INSERT INTO {access_intents} VALUES (1,1,1,1,0,1,1,0);
+INSERT INTO {access_intents} VALUES (1,1,1,1,0,0,1,1,0,0);
 DROP TABLE IF EXISTS {comments};
 SET @saved_cs_client = @@character_set_client;
 SET character_set_client = utf8;
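Review bot: `access::register_permission("add", "Add")` is added only to the fresh-install path, and the diffstat shows no upgrade step, so if in-place upgrades of existing installs are supported, a site upgraded past this commit has no `add` permission row and no `add_1`/`add_2` columns while every add path now calls `access::required("add", ...)`; unless register_permission is also run from an upgrade hook elsewhere, that would lock adds out (or error) on upgraded sites. The install.sql hunks seed the new permission as denied (`add_1`/`add_2` = 0) for both groups on the root album, which is the safe default; it is worth confirming that register_permission yields the same default so the dump and the installer code do not disagree about who may add. The same permission list now lives in both this installer and install.sql's {permissions} rows, so a short comment here such as `// Keep in sync with installer/install.sql ({permissions}, {access_caches}, {access_intents})` would help the next person who adds one.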
@@ -226,9 +230,9 @@ CREATE TABLE {permissions} (
   `display_name` varchar(64) default NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `name` (`name`)
-) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
+) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
 SET character_set_client = @saved_cs_client;
-INSERT INTO {permissions} VALUES (1,'view','View'),(2,'view_full','View Full Size'),(3,'edit','Edit');
+INSERT INTO {permissions} VALUES (1,'view','View'),(2,'view_full','View Full Size'),(3,'edit','Edit'),(4,'add','Add');
 DROP TABLE IF EXISTS {search_records};
 SET @saved_cs_client = @@character_set_client;
 SET character_set_client = utf8;
@@ -328,4 +332,4 @@ CREATE TABLE {vars} (
   UNIQUE KEY `module_name` (`module_name`,`name`)
 ) ENGINE=InnoDB AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
 SET character_set_client = @saved_cs_client;
-INSERT INTO {vars} VALUES (1,'core','active_site_theme','default'),(2,'core','active_admin_theme','admin_default'),(3,'core','page_size','9'),(4,'core','thumb_size','200'),(5,'core','resize_size','640'),(6,'core','default_locale','en_US'),(7,'core','blocks_dashboard_sidebar','a:4:{i:531020499;a:2:{i:0;s:4:\"core\";i:1;s:11:\"block_adder\";}i:1479562888;a:2:{i:0;s:4:\"core\";i:1;s:5:\"stats\";}i:1168271687;a:2:{i:0;s:4:\"core\";i:1;s:13:\"platform_info\";}i:1586054560;a:2:{i:0;s:4:\"core\";i:1;s:12:\"project_news\";}}'),(8,'core','blocks_dashboard_center','a:4:{i:691719060;a:2:{i:0;s:4:\"core\";i:1;s:7:\"welcome\";}i:540620474;a:2:{i:0;s:4:\"core\";i:1;s:12:\"photo_stream\";}i:1948724228;a:2:{i:0;s:4:\"core\";i:1;s:11:\"log_entries\";}i:1518099168;a:2:{i:0;s:7:\"comment\";i:1;s:15:\"recent_comments\";}}'),(9,'core','version','3.0 pre-beta svn'),(10,'core','choose_default_tookit','1'),(11,'comment','spam_caught','0');
+INSERT INTO {vars} VALUES (1,'core','active_site_theme','default'),(2,'core','active_admin_theme','admin_default'),(3,'core','page_size','9'),(4,'core','thumb_size','200'),(5,'core','resize_size','640'),(6,'core','default_locale','en_US'),(7,'core','blocks_dashboard_sidebar','a:4:{i:1712034437;a:2:{i:0;s:4:\"core\";i:1;s:11:\"block_adder\";}i:283628656;a:2:{i:0;s:4:\"core\";i:1;s:5:\"stats\";}i:1436662733;a:2:{i:0;s:4:\"core\";i:1;s:13:\"platform_info\";}i:1831514378;a:2:{i:0;s:4:\"core\";i:1;s:12:\"project_news\";}}'),(8,'core','blocks_dashboard_center','a:4:{i:186640350;a:2:{i:0;s:4:\"core\";i:1;s:7:\"welcome\";}i:1060186635;a:2:{i:0;s:4:\"core\";i:1;s:12:\"photo_stream\";}i:769529551;a:2:{i:0;s:4:\"core\";i:1;s:11:\"log_entries\";}i:1182339620;a:2:{i:0;s:7:\"comment\";i:1;s:15:\"recent_comments\";}}'),(9,'core','version','3.0 pre-beta svn'),(10,'core','choose_default_tookit','1'),(11,'comment','spam_caught','0');
diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php
index 8d3986b0..7cb9a9e2 100644
--- a/modules/server_add/controllers/server_add.php
+++ b/modules/server_add/controllers/server_add.php
@@ -23,6 +23,7 @@ class Server_Add_Controller extends Controller {
 
     $item = ORM::factory("item", $id);
     access::required("server_add", $item);
+    access::required("add", $item);
 
     $view = new View("server_add_tree_dialog.html");
     $view->action = url::site("__ARGS__/{$id}__TASK_ID__?csrf=" . access::csrf_token());
diff --git a/modules/server_add/helpers/server_add_task.php b/modules/server_add/helpers/server_add_task.php
index 3ed770e8..e3e22ab4 100644
--- a/modules/server_add/helpers/server_add_task.php
+++ b/modules/server_add/helpers/server_add_task.php
@@ -32,6 +32,7 @@ class server_add_task_Core {
     $file = $context["files"][$path][$context["position"]];
     $parent = ORM::factory("item", $file["parent_id"]);
     access::required("server_add", $parent);
+    access::required("add", $parent);
     if (!$parent->is_album()) {
       throw new Exception("@todo BAD_ALBUM");
     }
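Review bot: The {vars} INSERT change only swaps the integer keys inside the serialized `blocks_dashboard_sidebar` and `blocks_dashboard_center` values (531020499 becomes 1712034437 and so on); the block lists themselves are identical, so this hunk is dump-regeneration noise unrelated to the add permission. Dropping it from the commit, or regenerating install.sql in a way that keeps those keys stable, keeps the diff reviewable and avoids spurious churn in the file that doubles as the schema of record.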