-rw-r--r-- | core/helpers/access.php | 4 | ||||
-rw-r--r-- | core/tests/Access_Helper_Test.php | 9 |
2 files changed, 13 insertions, 0 deletions
diff --git a/core/helpers/access.php b/core/helpers/access.php
index f3880b89..3fb7548d 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -99,6 +99,10 @@ class access_Core {
 * @return boolean
 */
 public static function can($perm_name, $item) {
+ if (!$item->loaded) {
+ return false;
+ }
+
 if ($perm_name == "view") {
 $resource = $item;
 } else {
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index a8e48832..7f5aa656 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -127,6 +127,15 @@ class Access_Helper_Test extends Unit_Test_Case {
 $this->assert_true(access::group_can(group::everybody(), "view", $root));
 }
+ public function can_always_fails_on_unloaded_items_test() {
+ $root = ORM::factory("item", 1);
+ access::allow(group::everybody(), "view", $root);
+ $this->assert_true(access::group_can(group::everybody(), "view", $root));
+
+ $bogus = ORM::factory("item", -1);
+ $this->assert_false(access::group_can(group::everybody(), "view", $bogus));
+ }
+
 public function cant_view_child_of_hidden_parent_test() {
 $root = ORM::factory("item", 1);
 $album = ORM::factory("item")->add_to_parent($root);
 |
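Review bot: The docblock above `can()` still ends at `@return boolean`, although the new early return makes "an unloaded item is denied for every permission" part of the function's contract. That should be documented so callers know a `false` can mean "no such item" as well as "not permitted", for example with a docblock line `* Unloaded items are always denied.` or a comment above the guard such as `// Fail closed: an unloaded item has no permissions to consult.`. The guard is only visible in `can()`; whether the helper's other entry points (the test in this commit calls `access::group_can`) reject unloaded items the same way cannot be seen from this hunk and is worth confirming. Both the docblock and the body of `can()` extend outside the hunk.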
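Review bot: `can_always_fails_on_unloaded_items_test` never calls `access::can()`; both assertions go through `access::group_can()`. Unless `group_can` delegates to `can` (not visible here), the guard added in `core/helpers/access.php` is not exercised, and the test could pass with or without it. Add a direct assertion such as `$this->assert_false(access::can("view", $bogus));`. Asserting `$this->assert_false($bogus->loaded);` first would also make the test fail loudly if id -1 ever resolved to a real row.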