Fix for 641... extend viewable functionality to comments. Viewable unit test is not working.

5 files changed, 157 insertions, 63 deletions

diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index ab3d2283..a8171ce7 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -33,42 +33,37 @@ class comment_rss_Core {
       return;
     }
 
-    $comments = ORM::factory("comment")
-      ->where("state", "published")
-      ->orderby("created", "DESC");
-    $all_comments = ORM::factory("comment")
+    $comment_model = ORM::factory("comment")
+      ->viewable()
       ->where("state", "published")
       ->orderby("created", "DESC");
 
     if ($feed_id == "item") {
-      $comments->where("item_id", $id);
-      $all_comments->where("item_id", $id);
+      $comment_model->where("item_id", $id);
     }
 
-    if (!empty($comments)) {
-      $feed->view = "comment.mrss";
-      $comments = $comments->find_all($limit, $offset);
-      $feed->children = array();
-      foreach ($comments as $comment) {
-        $item = $comment->item();
-        $feed->children[] = new ArrayObject(
-          array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
-                "text" => nl2br(p::purify($comment->text)),
-                "thumb_url" => $item->thumb_url(),
-                "thumb_height" => $item->thumb_height,
-                "thumb_width" => $item->thumb_width,
-                "item_uri" => url::abs_site("{$item->type}s/$item->id"),
-                "title" => p::purify($item->title),
-                "author" => p::clean($comment->author_name())),
-          ArrayObject::ARRAY_AS_PROPS);
-      }
+    $comments = $comment_model->find_all($limit, $offset);
+    $feed->view = "comment.mrss";
+    $feed->children = array();
+    foreach ($comments as $comment) {
+      $item = $comment->item();
+      $feed->children[] = new ArrayObject(
+        array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
+              "text" => nl2br(p::purify($comment->text)),
+              "thumb_url" => $item->thumb_url(),
+              "thumb_height" => $item->thumb_height,
+              "thumb_width" => $item->thumb_width,
+              "item_uri" => url::abs_site("{$item->type}s/$item->id"),
+              "title" => p::purify($item->title),
+              "author" => p::clean($comment->author_name())),
+        ArrayObject::ARRAY_AS_PROPS);
+    }
 
-      $feed->max_pages = ceil($all_comments->find_all()->count() / $limit);
-      $feed->title = htmlspecialchars(t("Recent Comments"));
-      $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id));
-      $feed->description = t("Recent Comments");
+    $feed->max_pages = ceil($comment_model->count_all() / $limit);
+    $feed->title = htmlspecialchars(t("Recent Comments"));
+    $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id));
+    $feed->description = t("Recent Comments");
 
-      return $feed;
-    }
+    return $feed;
   }
-}
\ No newline at end of file
+}
diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php
index 83d0888a..de9b0cd6 100644
--- a/modules/comment/models/comment.php
+++ b/modules/comment/models/comment.php
@@ -80,4 +80,14 @@ class Comment_Model extends ORM {
 
     return $this;
   }
+
+  /**
+   * Add a set of restrictions to any following queries to restrict access only to items
+   * viewable by the active user.
+   * @chainable
+   */
+  public function viewable() {
+    $this->join("items", "items.id", "comments.item_id");
+    return item::viewable($this);
+  }
 }
diff --git a/modules/gallery/helpers/item.php b/modules/gallery/helpers/item.php
index a2d3859f..8839861f 100644
--- a/modules/gallery/helpers/item.php
+++ b/modules/gallery/helpers/item.php
@@ -151,4 +151,41 @@ class item_Core {
       ->get()->current();
     return ($result ? $result->weight : 0) + 1;
   }
+
+  /**
+   * Add a set of restrictions to any following queries to restrict access only to items
+   * viewable by the active user.
+   * @chainable
+   */
+  static function viewable($model) {
+    $view_restrictions = array();
+    if (!user::active()->admin) {
+      foreach (user::group_ids() as $id) {
+        // Separate the first restriction from the rest to make it easier for us to formulate
+        // our where clause below
+        if (empty($view_restrictions)) {
+          $view_restrictions[0] = "items.view_$id";
+        } else {
+          $view_restrictions[1]["items.view_$id"] = access::ALLOW;
+        }
+      }
+    }
+    switch (count($view_restrictions)) {
+    case 0:
+      break;
+
+    case 1:
+      $model->where($view_restrictions[0], access::ALLOW);
+      break;
+
+    default:
+      $model->open_paren();
+      $model->where($view_restrictions[0], access::ALLOW);
+      $model->orwhere($view_restrictions[1]);
+      $model->close_paren();
+      break;
+    }
+
+    return $model;
+  }
 }
\ No newline at end of file
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 7a3a2ba7..68e89db6 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -19,7 +19,6 @@
  */
 class Item_Model extends ORM_MPTT {
   protected $children = 'items';
-  private $view_restrictions = null;
   protected $sorting = array();
 
   var $rules = array(
@@ -34,38 +33,7 @@ class Item_Model extends ORM_MPTT {
    * @chainable
    */
   public function viewable() {
-    if (is_null($this->view_restrictions)) {
-      if (user::active()->admin) {
-        $this->view_restrictions = array();
-      } else {
-        foreach (user::group_ids() as $id) {
-          // Separate the first restriction from the rest to make it easier for us to formulate
-          // our where clause below
-          if (empty($this->view_restrictions)) {
-            $this->view_restrictions[0] = "view_$id";
-          } else {
-            $this->view_restrictions[1]["view_$id"] = access::ALLOW;
-          }
-        }
-      }
-    }
-    switch (count($this->view_restrictions)) {
-    case 0:
-      break;
-
-    case 1:
-      $this->where($this->view_restrictions[0], access::ALLOW);
-      break;
-
-    default:
-      $this->open_paren();
-      $this->where($this->view_restrictions[0], access::ALLOW);
-      $this->orwhere($this->view_restrictions[1]);
-      $this->close_paren();
-      break;
-    }
-
-    return $this;
+    return item::viewable($this);
   }
 
   /**
diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php
new file mode 100644
index 00000000..48fdd962
--- /dev/null
+++ b/modules/gallery/tests/Item_Helper_Test.php
@@ -0,0 +1,84 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Item_Helper_Test extends Unit_Test_Case {
+  private $_group;
+  private $_album;
+  private $_item;
+  //private $_user;
+
+  public function teardown() {
+    try {
+      $this->_group->delete();
+    } catch (Exception $e) { }
+
+    try {
+      $this->_album->delete();
+    } catch (Exception $e) { }
+
+    //try {
+    //  $this->_user->delete();
+    //} catch (Exception $e) { }
+  }
+
+  public function setup() {
+  }
+
+  public function viewable_item_test() {
+    $this->_group = group::create("access_test");
+    $root = ORM::factory("item", 1);
+    $this->_album = album::create($root, rand(), "visible_test");
+    $this->_user = user::create("visible_test", "Visible Test", "");
+    $this->_user->add($this->_group);
+    $this->_item = self::_create_random_item($this->_album);
+    comment::create($this->_item, $this->_user, "This is a comment");
+    access::deny(group::everybody(), "view", $this->_album);
+    $active = user::active();
+
+    $items = ORM::factory("item")
+      ->where("id", $this->_album->id)
+      ->find_all();
+    print Database::instance()->last_query() . "\n";
+    $items = ORM::factory("item")
+      ->where("id", $this->_album->id)
+      ->viewable()
+      ->find_all();
+    print Database::instance()->last_query() . "\n";
+  }
+
+
+  //public function viewable_one_restrictions_test() {
+  //  $item = self::create_random_item();
+  //  $this->assert_true(!empty($item->created));
+  //  $this->assert_true(!empty($item->updated));
+  //}
+  //public function viewable_multiple_restrictions_test() {
+  //  $item = self::create_random_item();
+  //  $this->assert_true(!empty($item->created));
+  //  $this->assert_true(!empty($item->updated));
+  //}
+
+  private static function _create_random_item($album) {
+    $item = ORM::factory("item");
+    /* Set all required fields (values are irrelevant) */
+    $item->name = rand();
+    $item->type = "photo";
+    return $item->add_to_parent($album);
+  }
+}