authorTim Almdal <tnalmdal@shaw.ca>2009-07-26 09:29:29 -0700
committerTim Almdal <tnalmdal@shaw.ca>2009-07-26 09:29:29 -0700
commit0b97cfd6f098be08be5f3cf1dbca1cce580ae330 (patch)
treefb90b32fc7afc050f7dca92ddc4575135c336777 /modules
parent809e52d80cbf3beb75b238fddb0da3951fb9a8e7 (diff)
Changed access::user_can to force the owner of an item to have
view permission on the parent. Added a whitelist of allowable owner permissions. If the requested permission is view and the user requesting access is the owner, check that they have view permission to the parent.
Diffstat (limited to 'modules')
-rw-r--r--modules/gallery/helpers/access.php17
-rw-r--r--modules/gallery/tests/Access_Helper_Test.php42
2 files changed, 56 insertions, 3 deletions
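--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -95,13 +95,24 @@ class access_Core {
 return false;
 }
-if ($user->admin && $item->owner_id == $user->id) {
+if ($user->admin) {
 return true;
 }
-$resource = $perm_name == "view" ?
-$item : model_cache::get("access_cache", $item->id, "item_id");
+print "Before owner id check\n";
+if ($item->owner_id == $user->id &&
+in_array($perm_name, array("view_full", "edit", "add"))) {
+return true;
+}
+
+if ($perm_name == "view") {
+$resource = $item->owner_id == $user->id ? $item->parent() : $item;
+} else {
+$resource = model_cache::get("access_cache", $item->id, "item_id");
+}
+print Kohana::debug($resource->as_array()) . "\n";
 foreach ($user->groups as $group) {
+print "$group->name\n";
 if ($resource->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
 return true;
 }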
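Review bot: The three `print` statements added in this hunk — `print "Before owner id check\n";`, `print Kohana::debug($resource->as_array()) . "\n";` and `print "$group->name\n";` — are debug output left inside access::user_can and will be written into every response that performs a permission check; the second one dumps the whole item or access_cache row, so per-group permission bits become visible to whoever triggered the check, and all three should be removed before merging. The owner whitelist returns true for `view_full`, `edit` and `add` without the parent-view check that the `view` branch now applies, so an owner whose parent album denies `view` (the case owner_cant_view_photo_test covers) can still edit the item; if that asymmetry is intended a comment such as `// Owner always has full/edit/add rights; only "view" is constrained by the parent` would document it, otherwise the parent check belongs in that branch too. `in_array($perm_name, array("view_full", "edit", "add"), true)` would also avoid loose comparison on the permission name. user_can's signature and the rest of its body lie outside the hunk.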
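--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -101,6 +101,48 @@ class Access_Helper_Test extends Unit_Test_Case {
 $this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
 }
+public function owner_can_view_album_test() {
+$user = user::create("access_test", "Access Test", "");
+foreach ($user->groups as $group) {
+$user->remove($group);
+}
+$user->save();
+
+$root = ORM::factory("item", 1);
+$item = album::create($root, rand(), "test album", $user->id);
+
+$this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+}
+
+public function owner_can_view_photo_test() {
+$user = user::create("access_test", "Access Test", "");
+foreach ($user->groups as $group) {
+$user->remove($group);
+}
+$user->save();
+
+$root = ORM::factory("item", 1);
+$album = album::create($root, rand(), "test album", $user->id);
+$item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+$this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+}
+
+public function owner_cant_view_photo_test() {
+$user = user::create("access_test", "Access Test", "");
+foreach ($user->groups as $group) {
+$user->remove($group);
+}
+$user->save();
+
+$root = ORM::factory("item", 1);
+$album = album::create($root, rand(), "test album");
+access::deny(group::everybody(), "view", $album);
+$item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+$this->assert_false(access::user_can($user, "view", $item), "Should not be able to view");
+}
+
 public function adding_and_removing_items_adds_ands_removes_rows_test() {
 $root = ORM::factory("item", 1);
 $item = album::create($root, rand(), "test album");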
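Review bot: The three new tests repeat the same setup block (create the `access_test` user, strip its groups, save); extracting it into a private helper such as `private function create_user_without_groups()` would keep each test to its arrangement and assertion and give one place to handle a leftover `access_test` user from an earlier failed run. None of the new tests covers the owner whitelist branch that the companion access.php change adds for `view_full`, `edit` and `add`, nor the admin change; a test asserting `access::user_can($user, "edit", $item)` for an owner whose parent album has `view` denied would pin down whichever behaviour is intended there. The enclosing test class continues outside the hunk.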