From b37047ff557c88becd662bd6622bf27f7a9a78f2 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Wed, 17 Dec 2008 22:39:33 +0000 Subject: Add Item_Model::viewable() which we can use to restrict any query to just items viewable by the active user. Ie: ORM::factory("item") ->where("name", "foo") ->find_all() Would get all items with the name "foo". ORM::factory("item") ->viewable() ->where("name", "foo") ->find_all() Restricts it to just the set of items that the user is allowed to see. --- core/models/item.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'core/models')
diff --git a/core/models/item.php b/core/models/item.php
index 64af79ce..e5eb4039 100644
--- a/core/models/item.php
+++ b/core/models/item.php
@@ -20,9 +20,25 @@
 class Item_Model extends ORM_MPTT {
 protected $children = 'items';
 private $relative_path = null;
+ private $view_restrictions = array();
 var $rules = array();
+ /**
+ * Add a set of restrictions to any following queries to restrict access only to items
+ * viewable by the active user.
+ * @chainable
+ */
+ public function viewable() {
+ if (empty($this->view_restrictions)) {
+ foreach (user::group_ids() as $id) {
+ $this->view_restrictions["view_$id"] = access::ALLOW;
+ }
+ }
+ $this->where($this->view_restrictions);
+ return $this;
+ }
+
 /**
 * Is this item an album?
 * @return true if it's an album
--
cgit v1.2.3
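Review bot: viewable() fails open when `user::group_ids()` returns nothing: `$this->view_restrictions` stays empty and `$this->where($this->view_restrictions)` then adds no condition, so the query returns every item. Whether the group list can be empty is not visible here, so treat that case as deny-all explicitly and say so in a comment such as `// no groups: match no items rather than all of them`. With several groups the array passed to where() is presumably ANDed, which would hide an item unless every one of the user's groups has `view_<id>` allowed; if any-group access is intended the conditions need OR semantics, and the docblock should state which is meant. The `empty()` check also doubles as the cache test, so an empty result is recomputed on every call.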