-rw-r--r-- | core/controllers/file_proxy.php | 5 | ||||
-rw-r--r-- | core/helpers/access.php | 28 | ||||
-rw-r--r-- | core/tests/Access_Helper_Test.php | 28 | ||||
-rw-r--r-- | core/views/welcome.html.php | 3 | ||||
-rw-r--r-- | modules/user/helpers/user_installer.php | 7 |
5 files changed, 56 insertions, 15 deletions
diff --git a/core/controllers/file_proxy.php b/core/controllers/file_proxy.php
index 30117f07..3cf915a6 100644
--- a/core/controllers/file_proxy.php
+++ b/core/controllers/file_proxy.php
@@ -95,6 +95,11 @@ class File_Proxy_Controller extends Controller {
 kohana::show_404();
 }
+ // Make sure we have view_full access to the original
+ if ($type == "albums" && !access::can("view_full", $item)) {
+ kohana::show_404();
+ }
+
 // Don't try to load a directory
 if ($type == "albums" && $item->is_album()) {
 kohana::show_404();
diff --git a/core/helpers/access.php b/core/helpers/access.php
index a30ce79d..9154fa75 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -114,8 +114,8 @@ class access_Core {
 * @return boolean
 */
 public static function required($perm_name, $item) {
- if (!access::can($perm_name, $item)) {
- access::forbidden();
+ if (!self::can($perm_name, $item)) {
+ self::forbidden();
 }
 }
@@ -147,11 +147,11 @@ class access_Core {
 if ($perm_name == "view") {
 self::_update_access_view_cache($group, $album);
- self::_update_htaccess_files($album, $group, $perm_name, $value);
 } else {
 self::_update_access_non_view_cache($group, $perm_name, $album);
 }
+ self::_update_htaccess_files($album, $group, $perm_name, $value);
 }
 /**
@@ -302,7 +302,7 @@ class access_Core {
 public static function verify_csrf() {
 $input = Input::instance();
 if ($input->post("csrf", $input->get("csrf", null)) !== Session::instance()->get("csrf")) {
- access::forbidden();
+ self::forbidden();
 }
 }
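Review bot: The new `view_full` check in File_Proxy_Controller is keyed on `$type == "albums"` alone, so it relies on full-size originals being reachable only through that directory; how `$type` is derived from the request is not visible here because the method starts before the hunk. A comment next to the check would make that invariant explicit, e.g. `// view_full gates only the original; resizes and thumbs are presumably covered by the permission check above`, with the "above" part confirmed against the block that precedes this hunk. Answering with kohana::show_404() rather than a 403 matches the neighbouring checks and does not confirm that the item exists, which looks deliberate. This check is also the only enforcement on hosts where the `.htaccess` rules written by access::_update_htaccess_files have no effect, so it should not be relaxed later without revisiting that helper.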
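Review bot: Moving `self::_update_htaccess_files($album, $group, $perm_name, $value);` out of the `view` branch in _set means `view` and `view_full` now both write and unlink the same `$album->file_path() . "/.htaccess"` (the `$dirs = array($album->file_path());` line in the `@@ -519` hunk), and the last call wins: allowing `view_full` after `view` was denied unlinks the deny file for the originals directory, and denying `view_full` then allowing `view` does the same. Unless the early `return` at the top of _update_htaccess_files (its condition is outside the hunk) already folds both permissions together, the helper should decide the originals directory from the combined state, writing the deny whenever either permission is denied for the group, and the new Access_Helper_Test case should cover that mixed sequence. _set's body begins before this hunk.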
@@ -519,11 +519,15 @@ class access_Core {
 return;
 }
- if ($value === self::DENY) {
- foreach (array($album->file_path(),
- dirname($album->resize_path()),
- dirname($album->thumb_path())) as $dir) {
- $base_url = url::site("file_proxy");
+ $dirs = array($album->file_path());
+ if ($perm_name == "view") {
+ $dirs[] = dirname($album->resize_path());
+ $dirs[] = dirname($album->thumb_path());
+ }
+
+ $base_url = url::site("file_proxy");
+ foreach ($dirs as $dir) {
+ if ($value === self::DENY) {
 $fp = fopen("$dir/.htaccess", "w+");
 fwrite($fp, "<IfModule mod_rewrite.c>\n");
 fwrite($fp, " RewriteEngine On\n");
@@ -534,11 +538,9 @@ class access_Core {
 fwrite($fp, " Deny from All\n");
 fwrite($fp, "</IfModule>\n");
 fclose($fp);
+ } else {
+ @unlink($dir . "/.htaccess");
 }
- } else {
- @unlink($album->file_path() . "/.htaccess");
- @unlink(dirname($album->resize_path()) . "/.htaccess");
- @unlink(dirname($album->thumb_path()) . "/.htaccess");
 }
 }
 }
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index 6177723b..aaf919b1 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
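Review bot: On the DENY path `$fp = fopen("$dir/.htaccess", "w+");` is never checked, so when the directory is not writable the following fwrite/fclose calls only raise warnings and the directory stays unprotected while _set has already recorded the permission as denied, i.e. the failure is fail-open. A guard before the first fwrite, `if ($fp === false) { throw new Exception("unable to write $dir/.htaccess"); }`, would surface that instead. The `<IfModule mod_rewrite.c>` wrapper also means the rules silently do nothing on hosts without mod_rewrite or with AllowOverride off, so the view_full check in File_Proxy_Controller remains the authoritative control; a one-line comment above the foreach stating that would help the next maintainer. The function's opening lines, including the early return, are outside the hunk.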
@@ -289,4 +289,32 @@ class Access_Helper_Test extends Unit_Test_Case {
 $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
 }
+ public function everybody_view_full_permission_maintains_htaccess_files_test() {
+ $root = ORM::factory("item", 1);
+ $album = album::create($root, rand(), "test album");
+
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
+
+ access::deny(group::everybody(), "view_full", $album);
+ $this->assert_true(file_exists($album->file_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
+
+ access::allow(group::everybody(), "view_full", $album);
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
+
+ access::deny(group::everybody(), "view_full", $album);
+ $this->assert_true(file_exists($album->file_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
+
+ access::reset(group::everybody(), "view_full", $album);
+ $this->assert_false(file_exists($album->file_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
+ $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
+ }
 }
diff --git a/core/views/welcome.html.php b/core/views/welcome.html.php
index 79ff40b3..51d00e82 100644
--- a/core/views/welcome.html.php
+++ b/core/views/welcome.html.php
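Review bot: The resize and thumb assertions build their paths as `$album->resize_path() . "/.htaccess"` and `$album->thumb_path() . "/.htaccess"`, whereas the helper under test writes to `dirname($album->resize_path()) . "/.htaccess"` and `dirname($album->thumb_path()) . "/.htaccess"` (the `$dirs[]` lines in the access.php hunk). If resize_path()/thumb_path() point at a file inside the directory, as the dirname() in the helper suggests, every one of these assert_false calls passes vacuously because the checked path can never exist. Use the same expression as the helper, `dirname($album->resize_path()) . "/.htaccess"` and `dirname($album->thumb_path()) . "/.htaccess"`, so the test actually fails if view_full ever starts touching the resize or thumb directories. The test class continues outside the hunk.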
@@ -293,7 +293,7 @@
 <ul class="tabs">
 <li><a href="javascript:show('access', 'access_users')">Users</a></li>
 <li><a href="javascript:show('access', 'access_groups')">Groups</a></li>
- <li><a href="javascript:show('access', 'access_permissions')">Permissions</a></li>
+ <li><a href="javascript:show('access', 'access_permissions')">Guest Permissions</a></li>
 </ul>
 <div id="access_users" class="activity">
@@ -365,6 +365,7 @@
 <?= html::anchor("albums/{$current->album->id}", $current->album->title) ?> » <? foreach (array("view", "view_full", "edit") as $perm): ?>
+ <?= $perm != "view" ? " ---- " : "" ?>
 <? if (access::group_can(group::everybody(), $perm, $current->album)): ?> <?= html::anchor("welcome/deny_perm/1/$perm/{$current->album->id}", strtoupper($perm), array("class" => "allowed")) ?> <? else: ?>
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index 8a583211..731a4a9e 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -75,8 +75,13 @@ class user_installer {
 $root = ORM::factory("item", 1);
 access::allow($guest, "view", $root);
- access::allow($guest, "view", $root);
+ access::allow($guest, "view_full", $root);
+ access::allow($registered, "view", $root);
+ access::allow($registered, "view_full", $root);
+
+ access::allow($admin, "view", $root);
+ access::allow($admin, "view_full", $root);
 access::allow($admin, "edit", $root);
 }
 } |
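Review bot: The installer now grants `view_full` on the root album to `$guest`, which makes full-size originals readable by anonymous visitors on a fresh install; that is a sensible default for a public gallery, but it is a security-relevant default and deserves a comment at the grant, e.g. `// Guests can see full-size originals by default; restrict per album with access::deny()`. Whether `$registered` is defined earlier in this function cannot be confirmed here, since the function starts before the hunk. The duplicated `access::allow($guest, "view", $root);` the commit replaces was clearly a typo, so the new `view_full` line restores the intended default rather than widening it.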