-rw-r--r--core/helpers/access.php28
-rw-r--r--core/tests/Access_Helper_Test.php28
2 files changed, 55 insertions, 1 deletions
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 369e1897..8f2453df 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -84,7 +84,33 @@ class access_Core {
throw new Exception("@todo MISSING_ACCESS for $item_id");
}
- return $access->__get("{$perm_name}_{$group_id}") == self::ALLOW;
+ return $access->__get("{$perm_name}_{$group_id}") === self::ALLOW;
+ }
+
+ /**
+ * Does the active user have this permission on this item?
+ *
+ * @param string $perm_name
+ * @param integer $item_id
+ * @return boolean
+ */
+ public static function can($perm_name, $item_id) {
+ $user = Session::instance()->get("user", null);
+ if ($user) {
+ $access = ORM::factory("access_cache")->where("item_id", $item_id)->find();
+ if (!$access) {
+ throw new Exception("@todo MISSING_ACCESS for $item_id");
+ }
+
+ foreach ($user->groups as $group) {
+ if ($access->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
+ return self::ALLOW;
+ }
+ }
+ return self::DENY;
+ } else {
+ return self::group_can(group::EVERYBODY, $perm_name, $item_id);
+ }
}
/**
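Review bot: `can()` is documented `@return boolean` and its anonymous branch returns the boolean that `group_can()` produces, but the logged-in branch returns the `self::ALLOW` / `self::DENY` constants themselves, so the two branches return different things unless those constants happen to be `true`/`false` (their values are not visible here). A caller that checks the result with `===` would get a different answer depending on whether someone is logged in; returning `return true;` at the match inside the loop and `return false;` after it keeps `can()` consistent with the `=== self::ALLOW` comparison in `group_can()` just above. It also looks like the logged-in branch consults only `$user->groups`; if the everybody group is not always part of that collection, an authenticated user could be denied something an anonymous visitor is allowed, which is worth confirming against how group membership is assigned. The enclosing class continues outside the hunk.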
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index ead3c3a5..537aa1e8 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -31,6 +31,13 @@ class Access_Helper_Test extends Unit_Test_Case {
try {
access::delete_permission("access_test");
} catch (Exception $e) { }
+
+ try {
+ $user = ORM::factory("user")->where("name", "access_test")->find();
+ if ($user->loaded) {
+ user::delete($user->id);
+ }
+ } catch (Exception $e) { }
}
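Review bot: The teardown deletes the `access_test` user but does not clear the `user` entry that `i_can_edit_test` stores in the session, so later tests in the same run may execute as a user that no longer exists; adding `Session::instance()->set("user", null);` next to the user deletion would restore the anonymous state the `can()` helper expects. The `access_test` group created by the new test and the `access::allow(..., "edit", 1)` grant are also not visibly reverted in this hunk, unless that happens elsewhere in the method. The enclosing teardown method starts before the hunk.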
public function groups_and_permissions_are_bound_to_columns_test() {
@@ -221,4 +228,25 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(access::group_can(0, "edit", $outer_photo->id));
$this->assert_true(access::group_can(0, "edit", $inner_photo->id));
}
+
+ public function i_can_edit_test() {
+ // Create a new user that belongs to no groups
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ group::remove_user($group->id, $user->id);
+ }
+ Session::instance()->set("user", $user);
+
+ // This user can't edit anything
+ $this->assert_false(access::can("edit", 1));
+
+ // Now add them to a group that has edit permission
+ $group = group::create("access_test");
+ group::add_user($group->id, $user->id);
+ access::allow($group->id, "edit", 1);
+ Session::instance()->set("user", $user->reload());
+
+ // And verify that the user can edit.
+ $this->assert_true(access::can("edit", 1));
+ }
}
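Review bot: `i_can_edit_test` exercises only the logged-in branch of `can()`; the anonymous path that delegates to `group_can(group::EVERYBODY, ...)` is never called with no session user, so a regression there would go unnoticed. A first assertion made before `Session::instance()->set("user", $user)` (with the session user unset) would cover it, and a comment such as `// Anonymous visitors fall back to the everybody group` would make the intent clear. The item id `1` is hard-coded in both assertions; if it is meant to be the root item, naming it in a comment would help the next reader.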