-rw-r--r--core/controllers/permissions.php52
-rw-r--r--core/helpers/access.php35
-rw-r--r--core/helpers/core_installer.php8
-rw-r--r--core/helpers/core_menu.php6
-rw-r--r--core/models/item.php12
-rw-r--r--core/views/permission_edit.html.php39
6 files changed, 138 insertions, 14 deletions
diff --git a/core/controllers/permissions.php b/core/controllers/permissions.php
new file mode 100644
index 00000000..2e9dbda1
--- /dev/null
+++ b/core/controllers/permissions.php
@@ -0,0 +1,52 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2008 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Permissions_Controller extends Controller {
+ function form_edit($id) {
+ $item = ORM::factory("item", $id);
+ access::required("edit", $item);
+
+ if ($item->type != "album") {
+ access::forbidden();
+ }
+
+ $view = new View("permission_edit.html");
+ $view->item = $item;
+ $view->groups = ORM::factory("group")->find_all();
+ $view->permissions = ORM::factory("permission")->find_all();
+ print $view;
+ }
+
+ function edit($id) {
+ access::verify_csrf();
+
+ $item = ORM::factory("item", $id);
+ access::required("edit", $item);
+
+ foreach (ORM::factory("group")->find_all() as $group) {
+ foreach (ORM::factory("permission")->find_all() as $permission) {
+ $perm_name = "{$permission->name}_$group->id";
+ $value = $this->input->post($perm_name);
+
+ // Set permissions here
+ }
+ }
+ url::redirect("form/edit/permissions/$item->id");
+ }
+}
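Review bot: `edit()` accepts a POST for any item the caller may edit, while `form_edit()` refuses non-albums with `access::forbidden()`; the same `if ($item->type != "album") { access::forbidden(); }` guard belongs in `edit()` right after `access::required`, and because the view only disables locked checkboxes client-side, the inner loop should also skip cells where `access::locking_items($group, $permission->name, $item)` is non-empty before any write. The loop body is still a stub (`// Set permissions here`), so `$value` is read and discarded; when it is implemented, note that an unchecked checkbox sends no field at all, so `$this->input->post($perm_name)` returns its default rather than `"0"` and absence must be treated as deny explicitly. `ORM::factory("permission")->find_all()` is also re-queried for every group; hoist it above the outer `foreach`.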
diff --git a/core/helpers/access.php b/core/helpers/access.php
index c2f7a76e..9d4cb105 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -85,6 +85,29 @@ class access_Core {
}
/**
+ * Can this permission be changed for this item?
+ *
+ * @param Group_Model $group
+ * @param string $perm_name
+ * @param Item_Model $item
+ * @return ORM_Model item that locks this one
+ */
+ public static function locking_items($group, $perm_name, $item) {
+ if ($perm_name != "view") {
+ return null;
+ }
+
+ // For view permissions, if any parent is self::DENY, then those parents lock this one.
+ return ORM::factory("item")
+ ->where("`left` <= $item->left")
+ ->where("`right` >= $item->right")
+ ->where("`id` <> $item->id")
+ ->where("view_$group->id", 0)
+ ->find_all()
+ ->as_array();
+ }
+
+ /**
* Does the active user have this permission on this item?
*
* @param string $perm_name
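Review bot: `locking_items()` builds its three range conditions by interpolating `$item->left`, `$item->right` and `$item->id` into raw SQL strings, while the fourth condition uses the builder's key/value form; the raw strings bypass the builder's quoting, so prefer the operator-in-key form `->where("left <=", $item->left)->where("right >=", $item->right)->where("id <>", $item->id)` (keep the backticks in the key if the builder does not quote reserved-word columns, and cast the values to int). The docblock's `@return ORM_Model item that locks this one` does not match the code, which returns `null` for non-view permissions and an array from `->as_array()` otherwise; change it to `@return array|null Item_Model ancestors whose view_<group> column is DENY, or null when this permission cannot be locked`. `$perm_name != "view"` should be `!==` so only the string `"view"` passes.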
@@ -193,19 +216,21 @@ class access_Core {
/**
* Register a permission so that modules can use it.
*
- * @param string $perm_name
+ * @param string $name The internal name for for this permission
+ * @param string $display_name The internationalized version of the displayable name
* @return void
*/
- public static function register_permission($perm_name) {
- $permission = ORM::factory("permission", $perm_name);
+ public static function register_permission($name, $display_name) {
+ $permission = ORM::factory("permission", $name);
if ($permission->loaded) {
throw new Exception("@todo PERMISSION_ALREADY_EXISTS $name");
}
- $permission->name = $perm_name;
+ $permission->name = $name;
+ $permission->display_name = $display_name;
$permission->save();
foreach (self::_get_all_groups() as $group) {
- self::_add_columns($perm_name, $group);
+ self::_add_columns($name, $group);
}
}
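Review bot: The new `@param string $display_name` docblock describes it as "the internationalized version of the displayable name", but the call sites added in core_installer.php pass untranslated English (`"View"`, `"View Full Size"`) and permission_edit.html.php translates at render time via `_($permission->display_name)`; document it as the source string instead, e.g. `@param string $display_name Human-readable name, stored untranslated and passed through _() when displayed`, and fix "for for" on the `$name` line. `$name` also ends up in column names through `self::_add_columns($name, $group)` (compare `view_$group->id` in `locking_items()`), so unless `_add_columns` already restricts it, validating here with something like `if (!preg_match('/^[a-z_]+$/', $name)) { throw new Exception("@todo INVALID_PERMISSION_NAME $name"); }` keeps a module from registering a name that breaks the schema. `_add_columns` is outside this hunk, so that part is inferred.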
diff --git a/core/helpers/core_installer.php b/core/helpers/core_installer.php
index b08ac229..d02d8465 100644
--- a/core/helpers/core_installer.php
+++ b/core/helpers/core_installer.php
@@ -115,7 +115,7 @@ class core_installer {
$db->query("CREATE TABLE `permissions` (
`id` int(9) NOT NULL auto_increment,
`name` varchar(64) default NULL,
- `version` int(9) default NULL,
+ `display_name` varchar(64) default NULL,
PRIMARY KEY (`id`),
UNIQUE KEY(`name`))
ENGINE=InnoDB DEFAULT CHARSET=utf8;");
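Review bot: The `permissions` table definition drops `version` and adds `display_name varchar(64)` in the installer only; an installation that already has the table keeps the old layout, so the `$permission->display_name = $display_name` write in `register_permission()` would fail there unless an upgrade step exists outside this diff. If no upgrade path is intended yet, say so in a short comment above the query; otherwise the corresponding `ALTER TABLE` belongs wherever schema upgrades are applied.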
@@ -153,9 +153,9 @@ class core_installer {
@mkdir(VARPATH . $dir);
}
- access::register_permission("view");
- access::register_permission("view_full");
- access::register_permission("edit");
+ access::register_permission("view", "View");
+ access::register_permission("view_full", "View Full Size");
+ access::register_permission("edit", "Edit");
$root = ORM::factory("item");
$root->type = 'album';
diff --git a/core/helpers/core_menu.php b/core/helpers/core_menu.php
index 68d6c7d9..5de2b0d7 100644
--- a/core/helpers/core_menu.php
+++ b/core/helpers/core_menu.php
@@ -55,7 +55,11 @@ class core_menu_Core {
->append(Menu::factory("dialog")
->id("add_album")
->label(_("Add an album"))
- ->url(url::site("form/add/albums/$item->id?type=album")));
+ ->url(url::site("form/add/albums/$item->id?type=album")))
+ ->append(Menu::factory("dialog")
+ ->id("edit_permissions")
+ ->label(_("Edit permissions"))
+ ->url(url::site("form/edit/permissions/$item->id")));
}
}
diff --git a/core/models/item.php b/core/models/item.php
index a21aaf16..a419c2f1 100644
--- a/core/models/item.php
+++ b/core/models/item.php
@@ -20,7 +20,7 @@
class Item_Model extends ORM_MPTT {
protected $children = 'items';
private $relative_path = null;
- private $view_restrictions = array();
+ private $view_restrictions = null;
var $rules = array(
"name" => "required|length[0,255]",
@@ -34,9 +34,13 @@ class Item_Model extends ORM_MPTT {
* @chainable
*/
public function viewable() {
- if (empty($this->view_restrictions)) {
- foreach (user::group_ids() as $id) {
- $this->view_restrictions["view_$id"] = access::ALLOW;
+ if (is_null($this->view_restrictions)) {
+ if (user::active()->admin) {
+ $this->view_restrictions = array();
+ } else {
+ foreach (user::group_ids() as $id) {
+ $this->view_restrictions["view_$id"] = access::ALLOW;
+ }
}
}
$this->where($this->view_restrictions);
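Review bot: For an admin, `viewable()` now stores an empty array and then calls `$this->where(array())`; whether the ORM treats an empty where array as "no condition" rather than an error is not visible here, so guarding it with `if ($this->view_restrictions) { $this->where($this->view_restrictions); }` (or returning early in the admin branch) makes the intent explicit. The restrictions are also computed once per model instance and never invalidated, so an instance that outlives a change of active user keeps the previous user's access; a comment such as `// Cached per instance; assumes the active user does not change after first use` would record that. `viewable()` ends outside the hunk.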
diff --git a/core/views/permission_edit.html.php b/core/views/permission_edit.html.php
new file mode 100644
index 00000000..9e65b864
--- /dev/null
+++ b/core/views/permission_edit.html.php
@@ -0,0 +1,39 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div id="gPermissions">
+ <form method="post" action="<?= url::site("permissions/edit/$item->id") ?>">
+ <?= access::csrf_form_field() ?>
+
+ <table border=1>
+ <tr>
+ <th> </th>
+ <? foreach ($groups as $group): ?>
+ <th> <?= $group->name ?> </th>
+ <? endforeach ?>
+ </tr>
+
+ <? foreach ($permissions as $permission): ?>
+ <tr>
+ <td> <?= _($permission->display_name) ?> </td>
+ <? foreach ($groups as $group): ?>
+ <td>
+ <? $locks = access::locking_items($group, $permission->name, $item) ?>
+ <input type="checkbox"
+ name="<?= "{$permission->name}_$group->id" ?>"
+ value="1"
+ <? if (access::group_can($group, $permission->name, $item)): ?> checked="checked" <? endif ?>
+ <? if ($locks): ?> disabled="disabled" <? endif ?>
+ />
+ <? if ($locks): ?>
+ Locked by: <!-- Not internationalized because its hard and this is prob. the wrong UI anyway -->
+ <? foreach ($locks as $lock): ?>
+ <a href="<?= url::site("{$lock->type}s/$lock->id") ?>"><?= $lock->title ?></a>
+ <? endforeach ?>
+ <? endif ?>
+ </td>
+ <? endforeach ?>
+ </tr>
+ <? endforeach ?>
+ </table>
+ <input type="submit" value="<?= _("Save") ?>"/>
+ </form>
+</div>
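Review bot: `$group->name` (the `<th>` row), `_($permission->display_name)` and `$lock->title` are echoed into HTML without escaping; group names and item titles are user-entered, so each should be passed through `htmlspecialchars($x, ENT_QUOTES, 'UTF-8')` (or the framework's `html::specialchars`), e.g. `<th> <?= htmlspecialchars($group->name, ENT_QUOTES, 'UTF-8') ?> </th>`. The `disabled="disabled"` on locked checkboxes is presentation only, so the controller's `edit()` must re-derive the lock server-side, since a client can submit the field regardless. `access::locking_items()` also runs one query per permission/group cell; since only `view` can be locked per that helper, compute the locks once per group outside the permission loop, and quote the attribute in `<table border=1>`.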