diff options
| author | Tim Almdal <tnalmdal@shaw.ca> | 2009-07-26 09:29:29 -0700 |
|---|---|---|
| committer | Tim Almdal <tnalmdal@shaw.ca> | 2009-07-26 09:29:29 -0700 |
| commit | 0b97cfd6f098be08be5f3cf1dbca1cce580ae330 (patch) | |
| tree | fb90b32fc7afc050f7dca92ddc4575135c336777 /modules/gallery/helpers/access.php | |
| parent | 809e52d80cbf3beb75b238fddb0da3951fb9a8e7 (diff) | |
Changed access::user_can to force the owner of an item to have
view permission on the parent. Added a whitelist of allowable
owner permissions.
If the requested permission is view and the user requesting access
is the owner, check that they have view permission to the parent.
Diffstat (limited to 'modules/gallery/helpers/access.php')
| -rw-r--r-- | modules/gallery/helpers/access.php | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php index 2faa922b..4f737c7f 100644 --- a/modules/gallery/helpers/access.php +++ b/modules/gallery/helpers/access.php @@ -95,13 +95,24 @@ class access_Core { return false; } - if ($user->admin && $item->owner_id == $user->id) { + if ($user->admin) { return true; } - $resource = $perm_name == "view" ? - $item : model_cache::get("access_cache", $item->id, "item_id"); + print "Before owner id check\n"; + if ($item->owner_id == $user->id && + in_array($perm_name, array("view_full", "edit", "add"))) { + return true; + } + + if ($perm_name == "view") { + $resource = $item->owner_id == $user->id ? $item->parent() : $item; + } else { + $resource = model_cache::get("access_cache", $item->id, "item_id"); + } + print Kohana::debug($resource->as_array()) . "\n"; foreach ($user->groups as $group) { + print "$group->name\n"; if ($resource->__get("{$perm_name}_{$group->id}") === self::ALLOW) { return true; } |