author | Bharat Mediratta <bharat@menalto.com> | 2008-12-17 22:39:33 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2008-12-17 22:39:33 +0000 |
commit | b37047ff557c88becd662bd6622bf27f7a9a78f2 (patch) | |
tree | bf1fb40207030d4f92afa3b510c9504e4769bf52 /core | |
parent | fe396410894f9fcf430e31216312f70db800d96e (diff) |
Add Item_Model::viewable() which we can use to restrict any query to
just items viewable by the active user, i.e.:
ORM::factory("item")
->where("name", "foo")
->find_all()
Would get all items with the name "foo".
ORM::factory("item")
->viewable()
->where("name", "foo")
->find_all()
Restricts it to just the set of items that the user is allowed to see.
Diffstat (limited to 'core')
-rw-r--r-- | core/controllers/albums.php | 25 | ||||
-rw-r--r-- | core/models/item.php | 16 |
2 files changed, 28 insertions, 13 deletions
diff --git a/core/controllers/albums.php b/core/controllers/albums.php
index 7806b8d8..d2453447 100644
--- a/core/controllers/albums.php
+++ b/core/controllers/albums.php
@@ -24,27 +24,26 @@ class Albums_Controller extends Items_Controller { */ public function _show($item) { if (!access::can("view", $item)) { - return Kohana::show_404(); + Kohana::show_404(); } $theme_name = module::get_var("core", "active_theme", "default"); $page_size = module::get_var("core", "page_size", 9); - - $template = new Theme_View("page.html", "album", $theme_name); - $page = $this->input->get("page", "1"); - - $template->set_global('page_size', $page_size); - $template->set_global('item', $item); + $children_count = $item->viewable()->children_count(); + $offset = ($page-1) * $page_size; // Make sure that the page references a valid offset - $children_count = $item->children_count(); - while (($offset = ($page - 1) * $page_size) > $children_count && $page != 1) { - $page--; + if ($page < 1 || $page > ceil($children_count / $page_size)) { + Kohana::show_404(); } - $template->set_global('children', $item->children($page_size, $offset)); - $template->set_global('children_count', $children_count); - $template->set_global('parents', $item->parents()); + + $template = new Theme_View("page.html", "album", $theme_name); + $template->set_global("page_size", $page_size); + $template->set_global("item", $item); + $template->set_global("children", $item->viewable()->children($page_size, $offset)); + $template->set_global("children_count", $children_count); + $template->set_global("parents", $item->parents()); $template->content = new View("album.html"); print $template;
diff --git a/core/models/item.php b/core/models/item.php
index 64af79ce..e5eb4039 100644
--- a/core/models/item.php
+++ b/core/models/item.php
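Review bot: As far as the collapsed hunk can be read, `$page = $this->input->get("page", "1");` sits on the removed side and nothing on the added side reassigns `$page` before `$offset = ($page-1) * $page_size;` and the range check, so `$page` would be undefined (null) there, `$page < 1` would always hold and every album would 404; the diffstat's 13 deletions for this file only add up if that line really is removed, so verify against the full file. Independently, the new check rejects page 1 of an album with no viewable children: with `$children_count` of 0, `ceil(0 / $page_size)` is 0 and `1 > 0` triggers `Kohana::show_404()`, and `$page` is request input used unvalidated in arithmetic. Suggested: `$page = (int) $this->input->get("page", "1");`, `$max_page = max(1, (int) ceil($children_count / $page_size));`, `if ($page < 1 || $page > $max_page) {`. `$item->viewable()` is also called twice on the same instance; if the ORM's where-state persists across `children_count()` and `children()` the filter is simply applied twice, which is harmless but worth confirming.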
@@ -20,10 +20,26 @@ class Item_Model extends ORM_MPTT { protected $children = 'items'; private $relative_path = null; + private $view_restrictions = array(); var $rules = array(); /** + * Add a set of restrictions to any following queries to restrict access only to items + * viewable by the active user. + * @chainable + */ + public function viewable() { + if (empty($this->view_restrictions)) { + foreach (user::group_ids() as $id) { + $this->view_restrictions["view_$id"] = access::ALLOW; + } + } + $this->where($this->view_restrictions); + return $this; + } + + /** * Is this item an album? * @return true if it's an album */ |
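Review bot: `$this->where($this->view_restrictions)` hands the ORM an associative array with one `view_<group id> = ALLOW` condition per group, and Kohana 2's query builder joins array conditions with AND, so a user in several groups only sees items that every one of their groups may view; if the per-item `access::can("view", ...)` check grants when any single group allows (it is not visible here), `viewable()` is stricter than it and will hide items the per-item check would show. The per-group conditions should be ORed inside one parenthesised group instead (Kohana's `orwhere()` between `open_paren()`/`close_paren()`, if this ORM version exposes them), and admin users get no bypass here, so confirm that matches what the access layer does for them. The restrictions are also computed once per model instance from the active user at the first call and then reused, so a long-lived instance keeps a stale filter if the active user changes; the docblock should say so, e.g. `* Restrictions are computed once per instance from the active user's groups at the first call.`.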