-rw-r--r--core/helpers/access.php49
-rw-r--r--core/tests/Access_Helper_Test.php61
2 files changed, 63 insertions, 47 deletions
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 71e085df..36ef9c5c 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -128,25 +128,32 @@ class access_Core {
* @param Item_Model $item
* @param boolean $value
*/
- private static function _set($group, $perm_name, $item, $value) {
- if (!$item->loaded) {
- throw new Exception("@todo INVALID_ITEM $item->id");
+ private static function _set($group, $perm_name, $album, $value) {
+ if (!$album->loaded) {
+ throw new Exception("@todo INVALID_ALBUM $album->id");
}
- if ($item->type != "album") {
- throw new Exception("@todo INVALID_ITEM_TYPE not an album");
+ if ($album->type != "album") {
+ throw new Exception("@todo INVALID_ALBUM_TYPE not an album");
}
- $access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
+ $access = ORM::factory("access_intent")->where("item_id", $album->id)->find();
if (!$access->loaded) {
- throw new Exception("@todo MISSING_ACCESS for $item->id");
+ throw new Exception("@todo MISSING_ACCESS for $album->id");
}
$access->__set("{$perm_name}_{$group->id}", $value);
$access->save();
if ($perm_name =="view") {
- self::_update_access_view_cache($group, $item);
+ self::_update_access_view_cache($group, $album);
+ if ($group->id == 1) {
+ if ($value) {
+ self::_delete_htaccess_files($album);
+ } else {
+ self::_create_htaccess_files($album);
+ }
+ }
} else {
- self::_update_access_non_view_cache($group, $perm_name, $item);
+ self::_update_access_non_view_cache($group, $perm_name, $album);
}
}
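Review bot: The new `.htaccess` branch keys on the hard-coded `$group->id == 1`; the accompanying test drives it via `group::everybody()`, so id 1 is presumably the everybody group, but the intent should be explicit, e.g. `if ($group->id == group::everybody()->id) {` with a comment such as `// Only the anonymous "everybody" group maps to direct-file access, so only it toggles the .htaccess deny rule`. The `if ($value)` test also treats every non-true value as a deny: if `access::reset` (used by the tests in this commit) reaches `_set` with an inherit/null value, a child album would get a deny `.htaccess` even though it inherits view from an allowing parent — worth confirming and, if so, comparing `$value` against the explicit deny value instead. Finally, the files are written after `$access->save()` with no indication whether the write succeeded, so a filesystem failure leaves the database saying "denied" while the files remain directly reachable.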
@@ -344,7 +351,7 @@ class access_Core {
* @param Item_Model $item
* @return void
*/
- public static function _update_access_view_cache($group, $item) {
+ private static function _update_access_view_cache($group, $item) {
$access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
$db = Database::instance();
@@ -427,7 +434,7 @@ class access_Core {
* @param Item_Model $item
* @return void
*/
- public static function _update_access_non_view_cache($group, $perm_name, $item) {
+ private static function _update_access_non_view_cache($group, $perm_name, $item) {
$access = ORM::factory("access_intent")->where("item_id", $item->id)->find();
$db = Database::instance();
@@ -471,4 +478,24 @@ class access_Core {
" AND `right` <= $row->right)");
}
}
+
+ /**
+ * Create .htaccess files to prevent direct access to the given album and its hierarchy.
+ */
+ private static function _create_htaccess_files($album) {
+ foreach (array($album->file_path(), dirname($album->resize_path())) as $dir) {
+ $fp = fopen("$dir/.htaccess", "w+");
+ fwrite($fp, "Order Deny,Allow\n");
+ fwrite($fp, "Deny from All\n");
+ fclose($fp);
+ }
+ }
+
+ /**
+ * Delete the .htaccess files that are preventing access to the given album and its hierarchy.
+ */
+ private static function _delete_htaccess_files($album) {
+ @unlink($album->file_path() . "/.htaccess");
+ @unlink(dirname($album->resize_path()) . "/.htaccess");
+ }
}
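Review bot: `_create_htaccess_files` never checks the result of `fopen`, so if the album directory is not writable by the web server the protection fails open (a PHP warning, then `fwrite` on `false`) while the access intent has already been saved as denied. Replace the loop body with `if (file_put_contents("$dir/.htaccess", "Order Deny,Allow\nDeny from All\n") === false) { throw new Exception("@todo HTACCESS_WRITE_FAILED $dir"); }` so the caller learns the files are still reachable. `@unlink` in `_delete_htaccess_files` hides failures in the safer direction (a stale deny rule), but guarding with `if (file_exists($path)) unlink($path);` avoids the `@` suppression. The docblocks should also state that these directives are Apache-specific and only take effect where `AllowOverride` permits them; on other web servers, or with overrides disabled, the files are not a control at all and the access-cache checks remain the only guard.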
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index 4383a35b..4643eb1a 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -44,13 +44,6 @@ class Access_Helper_Test extends Unit_Test_Case {
user::set_active(user::guest());
}
- private function _add_album($parent) {
- $album = ORM::factory("item");
- $album->type = "album";
- $album->add_to_parent($parent);
- return $album;
- }
-
public function groups_and_permissions_are_bound_to_columns_test() {
access::register_permission("access_test");
$group = group::create("access_test");
@@ -91,8 +84,7 @@ class Access_Helper_Test extends Unit_Test_Case {
public function new_photos_inherit_parent_permissions_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
access::allow(group::everybody(), "view", $album);
$photo = ORM::factory("item");
@@ -105,8 +97,7 @@ class Access_Helper_Test extends Unit_Test_Case {
public function can_allow_deny_and_reset_intent_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
$intent = ORM::factory("access_intent")->where("item_id", $album)->find();
// Allow
@@ -158,9 +149,9 @@ class Access_Helper_Test extends Unit_Test_Case {
public function cant_view_child_of_hidden_parent_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
+ $root->reload();
access::deny(group::everybody(), "view", $root);
access::reset(group::everybody(), "view", $album);
@@ -170,8 +161,7 @@ class Access_Helper_Test extends Unit_Test_Case {
public function view_permissions_propagate_down_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
access::allow(group::everybody(), "view", $root);
access::reset(group::everybody(), "view", $album);
@@ -181,17 +171,10 @@ class Access_Helper_Test extends Unit_Test_Case {
public function can_toggle_view_permissions_propagate_down_test() {
$root = ORM::factory("item", 1);
- $album1 = $this->_add_album($root);
- access::add_item($album1);
-
- $album2 = $this->_add_album($album1);
- access::add_item($album2);
-
- $album3 = $this->_add_album($album2);
- access::add_item($album3);
-
- $album4 = $this->_add_album($album3);
- access::add_item($album4);
+ $album1 = album::create($root->id, rand(), "test album");
+ $album2 = album::create($album1->id, rand(), "test album");
+ $album3 = album::create($album2->id, rand(), "test album");
+ $album4 = album::create($album3->id, rand(), "test album");
$album1->reload();
$album2->reload();
@@ -214,9 +197,9 @@ class Access_Helper_Test extends Unit_Test_Case {
public function revoked_view_permissions_cant_be_allowed_lower_down_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
+ $root->reload();
access::deny(group::everybody(), "view", $root);
access::allow(group::everybody(), "view", $album);
@@ -232,8 +215,7 @@ class Access_Helper_Test extends Unit_Test_Case {
public function non_view_permissions_propagate_down_test() {
$root = ORM::factory("item", 1);
- $album = $this->_add_album($root);
- access::add_item($album);
+ $album = album::create($root->id, rand(), "test album");
access::allow(group::everybody(), "edit", $root);
access::reset(group::everybody(), "edit", $album);
@@ -242,15 +224,11 @@ class Access_Helper_Test extends Unit_Test_Case {
public function non_view_permissions_can_be_revoked_lower_down_test() {
$root = ORM::factory("item", 1);
- $outer = $this->_add_album($root);
- access::add_item($outer);
-
+ $outer = album::create($root->id, rand(), "test album");
$outer_photo = ORM::factory("item")->add_to_parent($outer);
access::add_item($outer_photo);
- $inner = $this->_add_album($outer);
- access::add_item($inner);
-
+ $inner = album::create($outer->id, rand(), "test album");
$inner_photo = ORM::factory("item")->add_to_parent($inner);
access::add_item($inner_photo);
@@ -291,4 +269,15 @@ class Access_Helper_Test extends Unit_Test_Case {
// And verify that the user can edit.
$this->assert_true(access::can("edit", $root));
}
+
+ public function everybody_view_permission_maintains_htaccess_files_test() {
+ $root = ORM::factory("item", 1);
+ $album = album::create($root->id, rand(), "test album");
+
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ access::deny(group::everybody(), "view", $album);
+ $this->assert_true(file_exists($album->file_path() . "/.htaccess"));
+ access::allow(group::everybody(), "view", $album);
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ }
}