author | Bharat Mediratta <bharat@menalto.com> | 2008-12-12 00:59:30 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2008-12-12 00:59:30 +0000 |
commit | 2cf3233f546dfa38521bd9ec280dbec9a9fb7612 (patch) | |
tree | d002407e665c966bb3ccfeedd672ba77fd26541c /core | |
parent | 0f41cab73201ca2669f4cce88d7e195d7cb28285 (diff) |
Get rid of all pseudo users and pseudo groups, while preserving all
other functionality. This makes our user/group and access code
fully consistent.
Diffstat (limited to 'core')
-rw-r--r-- | core/controllers/items.php | 3 | ||||
-rw-r--r-- | core/controllers/welcome.php | 11 | ||||
-rw-r--r-- | core/helpers/access.php | 46 | ||||
-rw-r--r-- | core/helpers/core_installer.php | 3 | ||||
-rw-r--r-- | core/helpers/core_menu.php | 9 | ||||
-rw-r--r-- | core/libraries/Theme_View.php | 2 | ||||
-rw-r--r-- | core/models/item.php | 2 | ||||
-rw-r--r-- | core/tests/Access_Helper_Test.php | 82 | ||||
-rw-r--r-- | core/views/welcome.html.php | 18 |
9 files changed, 75 insertions, 101 deletions
diff --git a/core/controllers/items.php b/core/controllers/items.php index a5dd5f1e..efbfa8d9 100644 --- a/core/controllers/items.php +++ b/core/controllers/items.php @@ -51,8 +51,7 @@ class Items_Controller extends REST_Controller { public function _create($item) { // @todo Productionize this code // 1) Add security checks - $user = Session::instance()->get("user"); - $owner_id = $user ? $user->id : $item->owner_id; + $owner_id = user::active()->id; switch ($this->input->post("type")) { case "album": diff --git a/core/controllers/welcome.php b/core/controllers/welcome.php index bddca606..3f70e1dc 100644 --- a/core/controllers/welcome.php +++ b/core/controllers/welcome.php @@ -34,7 +34,6 @@ class Welcome_Controller extends Template_Controller { $this->template->deepest_photo = ORM::factory("item") ->where("type", "photo")->orderby("level", "desc")->find(); $this->template->album_tree = $this->_load_album_tree(); - $this->template->rearrange_html = new View("rearrange.html"); $this->template->add_photo_html = $this->_get_add_photo_html(); if (module::is_installed("local_import")) { $this->template->local_import_html = $this->_get_local_import_html(); @@ -46,7 +45,6 @@ class Welcome_Controller extends Template_Controller { $this->template->photo_count = 0; $this->template->deepest_photo = null; $this->template->album_tree = array(); - $this->template->rearrange_html = ""; $this->template->add_photo_html = ""; $this->template->local_import_html = ""; } @@ -205,13 +203,7 @@ class Welcome_Controller extends Template_Controller { function add_albums_and_photos($count, $desired_type=null) { srand(time()); $parents = ORM::factory("item")->where("type", "album")->find_all()->as_array(); - - try { - $user = Session::instance()->get("user"); - $owner_id = $user ? $user->id : ORM::factory("user")->find()->id; - } catch (Exception $e) { - $owner_id = null; - } + $owner_id = user::active()->id; for ($i = 0; $i < $count; $i++) { set_time_limit(30); 
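Review bot: `Items_Controller::_create` still performs no permission check before the `switch` that creates the item, and the `// 1) Add security checks` todo stays in place; if `user::active()` now returns a guest object for anonymous visitors (it is not shown here), an unauthenticated request would produce items owned by that guest account instead of being rejected. If `$item` is the parent container (the posted `type` is switched on right after), gate the creation with `if (!access::can("edit", $item)) { throw new Exception("@todo ACCESS_DENIED"); }` before computing `$owner_id`. The same bare `user::active()->id` replaces a null-tolerant try/catch in `Welcome_Controller::add_albums_and_photos` later on this line, so if `user::active()` can ever return null there, the `->id` read now fails instead of falling back. Both enclosing methods continue outside their hunks.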
@@ -486,6 +478,7 @@ class Welcome_Controller extends Template_Controller { $tree[$album->id]->album = $album; $tree[$album->id]->children = array(); } + return $tree; } diff --git a/core/helpers/access.php b/core/helpers/access.php index ad62595d..82325900 100644 --- a/core/helpers/access.php +++ b/core/helpers/access.php @@ -84,8 +84,7 @@ class access_Core { throw new Exception("@todo MISSING_ACCESS for $item->id"); } - $group_id = $group ? $group->id : 0; - return $access->__get("{$perm_name}_$group_id") === self::ALLOW; + return $access->__get("{$perm_name}_{$group->id}") === self::ALLOW; } /** @@ -96,25 +95,17 @@ class access_Core { * @return boolean */ public static function can($perm_name, $item) { - $user = Session::instance()->get("user", null); - if ($user) { - $access = ORM::factory("access_cache")->where("item_id", $item->id)->find(); - if (!$access) { - throw new Exception("@todo MISSING_ACCESS for $item->id"); - } + $access = ORM::factory("access_cache")->where("item_id", $item->id)->find(); + if (!$access) { + throw new Exception("@todo MISSING_ACCESS for $item->id"); + } - if ($access->view_0 == self::ALLOW) { + foreach (user::active()->groups as $group) { + if ($access->__get("{$perm_name}_{$group->id}") === self::ALLOW) { return true; } - foreach ($user->groups as $group) { - if ($access->__get("{$perm_name}_{$group->id}") === self::ALLOW) { - return true; - } - } - return false; - } else { - return self::group_can(group::EVERYBODY, $perm_name, $item); } + return false; } /** @@ -132,8 +123,7 @@ class access_Core { throw new Exception("@todo MISSING_ACCESS for $item->id"); } - $group_id = $group ? $group->id : 0; - $access->__set("{$perm_name}_$group_id", $value); + $access->__set("{$perm_name}_{$group->id}", $value); $access->save(); if ($perm_name =="view") { @@ -199,7 +189,6 @@ class access_Core { foreach (self::_get_all_groups() as $group) { self::_add_columns($perm_name, $group); } - self::_add_columns($perm_name, null); } /** 
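Review bot: `group_can` (and `allow`/`deny`/`reset` via the `__set` call in the `-132` hunk) now dereferences `$group->id` without checking that `$group` is an object; the callers this commit rewrites used to pass the integer `0`, and an integer yields null for `->id` with only a notice, so a stale caller would most likely query the malformed column `"{$perm_name}_"` and get a silent deny rather than an error. Because these helpers decide access, fail loudly instead: `if (!is_object($group)) { throw new Exception("@todo INVALID_GROUP"); }` at the top of `group_can` and of the setter. The `_drop_columns`, `_add_columns` and `_update_access_*` helpers in the following hunks build `$field` the same way and would benefit from the same guard.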
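Review bot: `can` now derives permissions solely from `user::active()->groups`, so the everybody group is no longer consulted on its own — the anonymous branch that called `group_can(group::EVERYBODY, …)` is gone. That is correct only if every user, the guest returned by `user::active()` included, is guaranteed a membership in `group::everybody()`; `i_can_edit_test` in this same commit strips every group from a user with `$user->remove($group)`, which suggests the model does not enforce that, so an account missing that group would lose all everybody-level access (fail-closed, but surprising). A docblock line on `can` would make the contract visible: `* Relies on every user (guests included) belonging to group::everybody(); that group is not checked separately.`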
@@ -212,7 +201,6 @@ class access_Core { foreach (self::_get_all_groups() as $group) { self::_drop_columns($name, $group); } - self::_drop_columns($name, null); $permission = ORM::factory("permission")->where("name", $name)->find(); if ($permission->loaded) { $permission->delete(); @@ -264,8 +252,6 @@ class access_Core { $field = "{$perm->name}_{$group->id}"; $access_cache->$field = $parent_access_cache->$field; } - $field = "{$perm->name}_0"; - $access_cache->$field = $parent_access_cache->$field; } $access_cache->save(); } @@ -302,9 +288,8 @@ class access_Core { * @return void */ private static function _drop_columns($perm_name, $group) { - $group_id = $group ? $group->id : 0; $db = Database::instance(); - $field = "{$perm_name}_$group_id"; + $field = "{$perm_name}_{$group->id}"; $db->query("ALTER TABLE `access_caches` DROP `$field`"); $db->query("ALTER TABLE `access_intents` DROP `$field`"); } @@ -317,11 +302,11 @@ class access_Core { * @return void */ private static function _add_columns($perm_name, $group) { - $group_id = $group ? $group->id : 0; $db = Database::instance(); - $field = "{$perm_name}_$group_id"; + $field = "{$perm_name}_{$group->id}"; $db->query("ALTER TABLE `access_caches` ADD `$field` TINYINT(2) NOT NULL DEFAULT 0"); $db->query("ALTER TABLE `access_intents` ADD `$field` BOOLEAN DEFAULT NULL"); + $db->query("UPDATE `access_intents` SET `$field` = 0 WHERE `item_id` = 1"); } /** @@ -337,9 +322,8 @@ class access_Core { public static function _update_access_view_cache($group, $item) { $access = ORM::factory("access_intent")->where("item_id", $item->id)->find(); - $group_id = $group ? $group->id : 0; $db = Database::instance(); - $field = "view_$group_id"; + $field = "view_{$group->id}"; // With view permissions, deny values in the parent can override allow values in the child, // so start from the bottom of the tree and work upwards overlaying negative on top of 
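Review bot: the new `UPDATE \`access_intents\` SET \`$field\` = 0 WHERE \`item_id\` = 1` in `_add_columns` hard-codes the root item id and a bare `0`; if `0` is the value behind `access::DENY`, write it as `self::DENY` so the seeded intent is readable, and say why item 1 needs it: `// Root intent must never be DEFAULT: the non-view cache walks up to the nearest explicit intent.` (the walk is described in the `_update_access_non_view_cache` comment further on). Combined with the installer hunk that removes `access::allow(0, "view", $root)` and `access::add_item($root)`, every new permission column now starts denied at the root for the everybody group, and the root's `access_cache` row must be created elsewhere — worth confirming both are intended, as neither is visible in this diff. `$field` is also interpolated unescaped into this new statement as in the surrounding DDL; validating `$perm_name` once in the public caller of `_add_columns` (e.g. `if (!preg_match('/^[a-z_][a-z0-9_]*$/', $perm_name)) { throw new Exception("@todo INVALID_PERM_NAME"); }`) bounds what can reach these queries.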
@@ -430,10 +414,8 @@ class access_Core { public static function _update_access_non_view_cache($group, $perm_name, $item) { $access = ORM::factory("access_intent")->where("item_id", $item->id)->find(); - $group_id = $group ? $group->id : 0; $db = Database::instance(); - $field = "{$perm_name}_$group_id"; - + $field = "{$perm_name}_{$group->id}"; // If the item's intent is DEFAULT, then we need to back up the chain to find the nearest // parent with an intent and propagate from there. diff --git a/core/helpers/core_installer.php b/core/helpers/core_installer.php index d2c03948..8f24b659 100644 --- a/core/helpers/core_installer.php +++ b/core/helpers/core_installer.php @@ -108,10 +108,7 @@ class core_installer { $root->level = 1; $root->set_thumbnail(DOCROOT . "core/tests/test.jpg", 200, 150) ->save(); - access::add_item($root); - access::allow(0, "view", $root); - access::deny(0, "edit", $root); module::set_version("core", 1); } diff --git a/core/helpers/core_menu.php b/core/helpers/core_menu.php index e4a3dd92..69398302 100644 --- a/core/helpers/core_menu.php +++ b/core/helpers/core_menu.php @@ -32,9 +32,8 @@ class core_menu_Core { ->url(url::site("albums/1"))); $item = $theme->item(); - $user = Session::instance()->get("user", null); - if ($user) { - // @todo need to do a permission check here + + if (access::can("edit", $item)) { $menu->append( Menu::factory("submenu") ->id("options_menu") @@ -50,19 +49,19 @@ class core_menu_Core { ->label(_("Add album")) ->url(url::site("form/add/albums/$item->id")))); + $admin_menu = Menu::factory("submenu") ->id("admin_menu") ->label(_("Admin")); $menu->append($admin_menu); - // @todo need to do a permission check here $admin_menu->append( Menu::factory("dialog") ->id("edit") ->label(_("Edit")) ->url(url::site("form/edit/{$item->type}s/$item->id"))); - if ($user->admin) { + if (user::active()->admin) { $admin_menu->append( Menu::factory("link") ->id("site_admin") 
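Review bot: the `// @todo need to do a permission check here` above the Edit dialog in `core_menu` is removed, but the only gate visible is the `access::can("edit", $item)` opened in the first hunk, and whether the `$admin_menu` block in the second hunk is still inside that `if` cannot be seen here because the function body continues between and after the hunks. If it is, a comment at `$admin_menu = Menu::factory("submenu")` such as `// Still inside the access::can("edit", $item) guard above` makes the dependency explicit; if it is not, the Edit dialog is now offered without any check. In either case these are display gates only, so the `form/edit/...` handlers need their own `access::can` check (not part of this diff).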
diff --git a/core/libraries/Theme_View.php b/core/libraries/Theme_View.php index 8736e87d..51d7c545 100644 --- a/core/libraries/Theme_View.php +++ b/core/libraries/Theme_View.php @@ -33,7 +33,7 @@ class Theme_View_Core extends View { parent::__construct($name); $this->theme_name = $theme_name; $this->set_global('theme', $this); - $this->set_global('user', Session::instance()->get('user', null)); + $this->set_global('user', user::active()); $this->set_global("page_type", $page_type); } diff --git a/core/models/item.php b/core/models/item.php index 866315f7..3f3db0a7 100644 --- a/core/models/item.php +++ b/core/models/item.php @@ -224,7 +224,7 @@ class Item_Model extends ORM_MPTT { public function __get($column) { if (substr($column, -5) == "_edit") { $real_column = substr($column, 0, strlen($column) - 5); - if (Session::instance()->get("user", false)) { + if (access::can("edit", $this)) { return "<span class=\"gInPlaceEdit gEditField-{$this->id}-{$real_column}\">" . "{$this->$real_column}</span>"; } else { diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php index 066b0a08..2e8f9f54 100644 --- a/core/tests/Access_Helper_Test.php +++ b/core/tests/Access_Helper_Test.php 
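Review bot: `$user` is now always `user::active()` rather than the session value or `null`, so any theme template that tests `<? if ($user): ?>` to mean "logged in" will treat an anonymous visitor as logged in, assuming `user::active()` returns a guest object in that case (not shown here). Templates should switch to an explicit property such as `$user->admin`; a comment on the changed line, `// Always an object now (guest for anonymous visitors): test properties, not truthiness`, would steer them.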
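Review bot: `Item_Model::__get` now gates the in-place-edit span on `access::can("edit", $this)`, a sound replacement for the session check, but it triggers an `access_cache` lookup on every `*_edit` property read, so a view rendering several editable fields queries the database once per field; caching the result per request in a private property is worth considering. On the unchanged line below, `{$this->$real_column}` is emitted into the HTML unescaped; unless those columns are escaped on write, wrap the value with `htmlspecialchars($this->$real_column, ENT_QUOTES, 'UTF-8')` on both branches. The method continues outside the hunk.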
@@ -84,33 +84,33 @@ class Access_Helper_Test extends Unit_Test_Case { $intent = ORM::factory("access_intent")->where("item_id", $item)->find(); // Allow - access::allow(0, "view", $item); - $this->assert_same(access::ALLOW, $intent->reload()->view_0); + access::allow(group::everybody(), "view", $item); + $this->assert_same(access::ALLOW, $intent->reload()->view_1); // Deny - access::deny(0, "view", $item); + access::deny(group::everybody(), "view", $item); $this->assert_same( access::DENY, - ORM::factory("access_intent")->where("item_id", $item)->find()->view_0); + ORM::factory("access_intent")->where("item_id", $item)->find()->view_1); // Allow again. If the initial value was allow, then the first Allow clause above may not // have actually changed any values. - access::allow(0, "view", $item); + access::allow(group::everybody(), "view", $item); $this->assert_same( access::ALLOW, - ORM::factory("access_intent")->where("item_id", $item)->find()->view_0); + ORM::factory("access_intent")->where("item_id", $item)->find()->view_1); - access::reset(0, "view", $item); + access::reset(group::everybody(), "view", $item); $this->assert_same( null, - ORM::factory("access_intent")->where("item_id", $item)->find()->view_0); + ORM::factory("access_intent")->where("item_id", $item)->find()->view_1); $item->delete(); } public function cant_reset_root_item_test() { try { - access::reset(0, "view", ORM::factory("item", 1)); + access::reset(group::everybody(), "view", ORM::factory("item", 1)); } catch (Exception $e) { return; } @@ -120,8 +120,8 @@ class Access_Helper_Test extends Unit_Test_Case { public function can_view_item_test() { $root = ORM::factory("item", 1); - access::allow(0, "view", $root); - $this->assert_true(access::group_can(0, "view", $root)); + access::allow(group::everybody(), "view", $root); + $this->assert_true(access::group_can(group::everybody(), "view", $root)); } public function cant_view_child_of_hidden_parent_test() { 
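Review bot: the assertions in this test method hard-code the everybody group's column as `view_1` while the calls use `group::everybody()`, so the test silently depends on that group being the first row the installer inserts. Derive the column from the object once, `$field = "view_" . group::everybody()->id;`, and assert on `$intent->reload()->$field`, which mirrors how the helper builds `"{$perm_name}_{$group->id}"`. The method's opening lines are outside the hunk.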
@@ -129,9 +129,9 @@ class Access_Helper_Test extends Unit_Test_Case { $album = ORM::factory("item")->add_to_parent($root); access::add_item($album); - access::deny(0, "view", $root); - access::reset(0, "view", $album); - $this->assert_false(access::group_can(0, "view", $album)); + access::deny(group::everybody(), "view", $root); + access::reset(group::everybody(), "view", $album); + $this->assert_false(access::group_can(group::everybody(), "view", $album)); } public function view_permissions_propagate_down_test() { @@ -139,9 +139,9 @@ class Access_Helper_Test extends Unit_Test_Case { $album = ORM::factory("item")->add_to_parent($root); access::add_item($album); - access::allow(0, "view", $root); - access::reset(0, "view", $album); - $this->assert_true(access::group_can(0, "view", $album)); + access::allow(group::everybody(), "view", $root); + access::reset(group::everybody(), "view", $album); + $this->assert_true(access::group_can(group::everybody(), "view", $album)); } public function can_toggle_view_permissions_propagate_down_test() { 
@@ -171,15 +171,15 @@ class Access_Helper_Test extends Unit_Test_Case { $album3->reload(); $album4->reload(); - access::allow(0, "view", $root); - access::deny(0, "view", $album1); - access::reset(0, "view", $album2); - access::reset(0, "view", $album3); - access::reset(0, "view", $album4); - $this->assert_false(access::group_can(0, "view", $album4)); + access::allow(group::everybody(), "view", $root); + access::deny(group::everybody(), "view", $album1); + access::reset(group::everybody(), "view", $album2); + access::reset(group::everybody(), "view", $album3); + access::reset(group::everybody(), "view", $album4); + $this->assert_false(access::group_can(group::everybody(), "view", $album4)); - access::allow(0, "view", $album1); - $this->assert_true(access::group_can(0, "view", $album4)); + access::allow(group::everybody(), "view", $album1); + $this->assert_true(access::group_can(group::everybody(), "view", $album4)); } public function revoked_view_permissions_cant_be_allowed_lower_down_test() { @@ -187,15 +187,15 @@ class Access_Helper_Test extends Unit_Test_Case { $album = ORM::factory("item")->add_to_parent($root); access::add_item($album); - access::deny(0, "view", $root); - access::allow(0, "view", $album); - $this->assert_false(access::group_can(0, "view", $album)); + access::deny(group::everybody(), "view", $root); + access::allow(group::everybody(), "view", $album); + $this->assert_false(access::group_can(group::everybody(), "view", $album)); } public function can_edit_item_test() { $root = ORM::factory("item", 1); - access::allow(0, "edit", $root); - $this->assert_true(access::group_can(0, "edit", $root)); + access::allow(group::everybody(), "edit", $root); + $this->assert_true(access::group_can(group::everybody(), "edit", $root)); } public function non_view_permissions_propagate_down_test() { 
@@ -203,9 +203,9 @@ class Access_Helper_Test extends Unit_Test_Case { $album = ORM::factory("item")->add_to_parent($root); access::add_item($album); - access::allow(0, "edit", $root); - access::reset(0, "edit", $album); - $this->assert_true(access::group_can(0, "edit", $album)); + access::allow(group::everybody(), "edit", $root); + access::reset(group::everybody(), "edit", $album); + $this->assert_true(access::group_can(group::everybody(), "edit", $album)); } public function non_view_permissions_can_be_revoked_lower_down_test() { @@ -228,13 +228,13 @@ class Access_Helper_Test extends Unit_Test_Case { $outer->reload(); $inner->reload(); - access::allow(0, "edit", $root); - access::deny(0, "edit", $outer); - access::allow(0, "edit", $inner); + access::allow(group::everybody(), "edit", $root); + access::deny(group::everybody(), "edit", $outer); + access::allow(group::everybody(), "edit", $inner); // Outer album is not editable, inner one is. - $this->assert_false(access::group_can(0, "edit", $outer_photo)); - $this->assert_true(access::group_can(0, "edit", $inner_photo)); + $this->assert_false(access::group_can(group::everybody(), "edit", $outer_photo)); + $this->assert_true(access::group_can(group::everybody(), "edit", $inner_photo)); } public function i_can_edit_test() { @@ -243,7 +243,9 @@ class Access_Helper_Test extends Unit_Test_Case { foreach ($user->groups as $group) { $user->remove($group); } - Session::instance()->set("user", $user); + // @todo remove this reload when http://dev.kohanaphp.com/ticket/959 is resolved + $user->reload(); + user::set_active($user); // This user can't edit anything $root = ORM::factory("item", 1); 
@@ -253,7 +255,7 @@ class Access_Helper_Test extends Unit_Test_Case { $group = group::create("access_test"); $group->add($user); access::allow($group, "edit", $root); - Session::instance()->set("user", $user->reload()); + user::set_active($user->reload()); // And verify that the user can edit. $this->assert_true(access::can("edit", $root)); diff --git a/core/views/welcome.html.php b/core/views/welcome.html.php index c8352592..d412d119 100644 --- a/core/views/welcome.html.php +++ b/core/views/welcome.html.php @@ -283,10 +283,12 @@ <input type="hidden" name="type" value="album"/> </form> </fieldset> + <? if (module::is_installed("rearrange")): ?> <fieldset> <legend>Rearrange</legend> - <?= $rearrange_html ?> + <?= new View("rearrange.html") ?> </fieldset> + <? endif ?> </div> <div id="access" class="activity"> @@ -301,14 +303,14 @@ <? foreach ($users as $user): ?> <li> <?= $user->name ?> - <? if ($user->id != user::ADMIN): ?> + <? if (!$user->admin): ?> <?= html::anchor("welcome/delete_user/$user->id", "[x]") ?> <? endif ?> <ul> <? foreach ($user->groups as $group): ?> <li> <?= $group->name ?> - <? if ($group->id != group::REGISTERED_USERS): ?> + <? if (!$group->special): ?> <?= html::anchor("welcome/remove_from_group/$group->id/$user->id", "[x]") ?> <? endif ?> </li> @@ -337,7 +339,7 @@ <? foreach ($groups as $group): ?> <li> <?= $group->name ?> - <? if ($group->id != group::REGISTERED_USERS): ?> + <? if (!$group->special): ?> <?= html::anchor("welcome/delete_group/$group->id", "[x]") ?> <? endif ?> </li> 
@@ -365,15 +367,15 @@ <?= html::anchor("albums/{$current->album->id}", $current->album->title) ?> » <? foreach (array("view", "edit") as $perm): ?> - <? if (access::group_can(group::EVERYBODY, $perm, $current->album)): ?> - <?= html::anchor("welcome/deny_perm/0/$perm/{$current->album->id}", strtoupper($perm), array("class" => "allowed")) ?> + <? if (access::group_can(group::everybody(), $perm, $current->album)): ?> + <?= html::anchor("welcome/deny_perm/1/$perm/{$current->album->id}", strtoupper($perm), array("class" => "allowed")) ?> <? else: ?> - <?= html::anchor("welcome/add_perm/0/$perm/{$current->album->id}", strtolower($perm), array("class" => "denied")) ?> + <?= html::anchor("welcome/add_perm/1/$perm/{$current->album->id}", strtolower($perm), array("class" => "denied")) ?> <? endif ?> <? endforeach ?> <? if ($current->album->id != 1): ?> <span class="understate"> - (<?= html::anchor("welcome/reset_all_perms/0/{$current->album->id}", "reset") ?>) + (<?= html::anchor("welcome/reset_all_perms/1/{$current->album->id}", "reset") ?>) </span> <? endif; ?> <? $stack[] = "CLOSE"; ?> |
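Review bot: the permission links hard-code the everybody group's id as `1` (`welcome/deny_perm/1/...`, `welcome/add_perm/1/...`, `welcome/reset_all_perms/1/...`) while the condition two lines up uses `group::everybody()`; use `{group::everybody()->id}` in the three URLs so the view cannot drift from the helper. These anchors are also plain GET links that change permissions, which leaves them open to cross-site request forgery; since the controller is not part of this diff, it is worth confirming that `welcome/add_perm` and the related actions check `access::can` on the caller and require a POST or token.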