Diffstat (limited to 'core')
-rw-r--r-- | core/controllers/welcome.php | 7 | ||||
-rw-r--r-- | core/helpers/access.php | 35 | ||||
-rw-r--r-- | core/views/welcome.html.php | 5 |
3 files changed, 43 insertions, 4 deletions
diff --git a/core/controllers/welcome.php b/core/controllers/welcome.php
index cabaf0a9..71fdcdc4 100644
--- a/core/controllers/welcome.php
+++ b/core/controllers/welcome.php
@@ -480,4 +480,11 @@ class Welcome_Controller extends Template_Controller {
 access::deny($group_id, $perm, $item_id);
 url::redirect("welcome");
 }
+
+ public function reset_all_perms($group_id, $item_id) {
+ foreach (ORM::factory("permission")->find_all() as $perm) {
+ access::reset($group_id, $perm->name, $item_id);
+ }
+ url::redirect("welcome");
+ }
 }
diff --git a/core/helpers/access.php b/core/helpers/access.php
index d2de30f7..26b19614 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -65,8 +65,6 @@
 * directly into Item_Model. By doing this, we'll be able to find viewable items (the most
 * common permission access) without doing table joins.
 *
- * o Support setting an intent back to "neutral" so that it can use the parent's value.
- *
 * o Write unit tests.
 */
 class access_Core {
@@ -137,6 +135,17 @@ class access_Core {
 }
 
 /**
+ * Unset the given permission for this item and use inherited values
+ *
+ */
+ public static function reset($group_id, $perm_name, $item_id) {
+ if ($item_id == 1) {
+ throw new Exception("@todo CANT_RESET_ROOT_PERMISSION");
+ }
+ self::_set($group_id, $perm_name, $item_id, null);
+ }
+
+ /**
 * Register a permission so that modules can use it.
 *
 * @param string $perm_name
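Review bot: `reset_all_perms()` rewrites stored permissions, but nothing in the hunk checks who is calling it or how the request arrived. The view hunk in core/views/welcome.html.php reaches it through a plain anchor, so it is a state change on GET with no visible authorization check or request token; the `deny` action in the context lines has the same shape. The rest of Welcome_Controller is outside the hunk, so if no constructor or base-class check covers this, I'd at least mark it with `// @todo require admin and a CSRF token; this action changes permissions on GET`. Separately, `access::reset()` throws for item 1 and nothing here catches it, so a request naming the root item ends in an unhandled exception instead of the redirect.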
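Review bot: The root guard in `reset()` is the only server-side check that stops the root item's intents from being nulled (the `!= 1` test in the view hunk only hides the link), and it depends on a loose `$item_id == 1` against a value that `reset_all_perms()` passes straight from the URL. The loose comparison is what lets the string "1" match, so a later tidy-up to `===`, like the one this commit makes for `self::DENY`, would silently disable the guard. Writing it as `if ((int)$item_id === 1) {` makes that intent explicit. The docblock also has an empty `*` line where the next method's docblock lists `@param` entries; I'd document the three parameters and add a `@throws Exception` line for the root case.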
@@ -304,12 +313,12 @@ class access_Core {
 // DENY and this ALLOW cannot be obeyed. So in that case, back up the tree and find any
 // non-DEFAULT and non-ALLOW parent and propagate from there. If we can't find a matching
 // item, then its safe to propagate from here.
- if ($access->$field != self::DENY) {
+ if ($access->$field !== self::DENY) {
 $tmp_item = ORM::factory("item")
 ->join("access_intents", "items.id", "access_intents.item_id")
 ->where("left <", $item->left)
 ->where("right >", $item->right)
- ->where($field, self::DENY)
+ ->where("$field IS NOT", null)
 ->orderby("left", "DESC")
 ->limit(1)
 ->find();
@@ -364,6 +373,24 @@ class access_Core {
 }
 }
 } else {
+ // If the item's intent is ALLOW or DEFAULT, it's possible that some ancestor has specified
+ // DENY and this ALLOW cannot be obeyed. So in that case, back up the tree and find any
+ // non-DEFAULT and non-ALLOW parent and propagate from there. If we can't find a matching
+ // item, then its safe to propagate from here.
+ if ($access->$field === null) {
+ $tmp_item = ORM::factory("item")
+ ->join("access_intents", "items.id", "access_intents.item_id")
+ ->where("left <", $item->left)
+ ->where("right >", $item->right)
+ ->where("$field IS NOT", null)
+ ->orderby("left", "DESC")
+ ->limit(1)
+ ->find();
+ if ($tmp_item->loaded) {
+ $item = $tmp_item;
+ }
+ }
+
+ // With non-view permissions, each level can override any permissions that came above it
 // so start at the top and work downwards, overlaying permissions as we go.
 $query = $db->query(
diff --git a/core/views/welcome.html.php b/core/views/welcome.html.php
index 7588682d..8a14b386 100644
--- a/core/views/welcome.html.php
+++ b/core/views/welcome.html.php
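Review bot: The ancestor lookup no longer does what the comment above it says: the text still describes backing up to a "non-DEFAULT and non-ALLOW parent", but `->where("$field IS NOT", null)` now stops at the nearest ancestor with any explicit intent, ALLOW included. In what appears to be the view-permission branch, a DENY higher up can sit above that ALLOW ancestor, so propagation could start below the DENY. Whether the code after the hunk compensates is not visible here. Either keep the `self::DENY` filter in this branch or rewrite the comment to explain why the nearest explicit intent is enough. The new `!== self::DENY` also assumes the ORM returns the column with the same type as the constant; if the value comes back as a string the test is always true, so a cast or a note on the constant's type would help.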
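Review bot: The comment added at the top of the else branch is copied from the earlier branch and describes a different condition. It talks about an ALLOW or DEFAULT intent being overridden by an ancestor's DENY, while the code runs only when `$access->$field === null` and looks for the nearest ancestor with any explicit intent. Suggested wording: `// This item has no explicit intent, so start propagating from the nearest ancestor that has one.` The query is also a line-for-line copy of the one in the previous hunk; a private helper taking `$item` and `$field` would keep the two lookups from drifting apart. The else branch opens and closes outside this hunk.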
@@ -358,6 +358,11 @@
 <?= html::anchor("welcome/add_perm/0/$perm/{$current->album->id}", strtolower($perm), array("class" => "denied")) ?>
 <? endif ?>
 <? endforeach ?>
+ <? if ($current->album->id != 1): ?>
+ <span class="understate">
+ (<?= html::anchor("welcome/reset_all_perms/0/{$current->album->id}", "reset") ?>)
+ </span>
+ <? endif; ?>
 <? $stack[] = "CLOSE"; ?>
 <? if ($current->children): ?>
 <? $stack = array_merge($stack, $current->children) ?> |