From 1579494ec4acb80e103a40106aea1630628c00d2 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 31 Dec 2008 04:05:41 +0000
Subject: Preliminary "Edit Permissions" dialog.  You can't change permissions
 yet, but it shows you which items have locked view perms.

---
 core/controllers/permissions.php    | 52 +++++++++++++++++++++++++++++++++++++
 core/helpers/access.php             | 35 +++++++++++++++++++++----
 core/helpers/core_installer.php     |  8 +++---
 core/helpers/core_menu.php          |  6 ++++-
 core/models/item.php                | 12 ++++++---
 core/views/permission_edit.html.php | 39 ++++++++++++++++++++++++++++
 6 files changed, 138 insertions(+), 14 deletions(-)
 create mode 100644 core/controllers/permissions.php
 create mode 100644 core/views/permission_edit.html.php

(limited to 'core')

diff --git a/core/controllers/permissions.php b/core/controllers/permissions.php
new file mode 100644
index 00000000..2e9dbda1
--- /dev/null
+++ b/core/controllers/permissions.php
@@ -0,0 +1,52 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2008 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Permissions_Controller extends Controller {
+  function form_edit($id) {
+    $item = ORM::factory("item", $id);
+    access::required("edit", $item);
+
+    if ($item->type != "album") {
+      access::forbidden();
+    }
+
+    $view = new View("permission_edit.html");
+    $view->item = $item;
+    $view->groups = ORM::factory("group")->find_all();
+    $view->permissions = ORM::factory("permission")->find_all();
+    print $view;
+  }
+
+  function edit($id)  {
+    access::verify_csrf();
+
+    $item = ORM::factory("item", $id);
+    access::required("edit", $item);
+
+    foreach (ORM::factory("group")->find_all() as $group) {
+      foreach (ORM::factory("permission")->find_all() as $permission) {
+        $perm_name = "{$permission->name}_$group->id";
+        $value = $this->input->post($perm_name);
+
+        // Set permissions here
+      }
+    }
+    url::redirect("form/edit/permissions/$item->id");
+  }
+}
diff --git a/core/helpers/access.php b/core/helpers/access.php
index c2f7a76e..9d4cb105 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -84,6 +84,29 @@ class access_Core {
     return $resource->__get("{$perm_name}_{$group->id}") === self::ALLOW;
   }
 
+  /**
+   * Can this permission be changed for this item?
+   *
+   * @param  Group_Model $group
+   * @param  string      $perm_name
+   * @param  Item_Model  $item
+   * @return ORM_Model   item that locks this one
+   */
+  public static function locking_items($group, $perm_name, $item) {
+    if ($perm_name != "view") {
+      return null;
+    }
+
+    // For view permissions, if any parent is self::DENY, then those parents lock this one.
+    return ORM::factory("item")
+      ->where("`left` <= $item->left")
+      ->where("`right` >= $item->right")
+      ->where("`id` <> $item->id")
+      ->where("view_$group->id", 0)
+      ->find_all()
+      ->as_array();
+  }
+
   /**
    * Does the active user have this permission on this item?
    *
@@ -193,19 +216,21 @@ class access_Core {
   /**
    * Register a permission so that modules can use it.
    *
-   * @param  string $perm_name
+   * @param  string $name           The internal name for for this permission
+   * @param  string $display_name   The internationalized version of the displayable name
    * @return void
   */
-  public static function register_permission($perm_name) {
-    $permission = ORM::factory("permission", $perm_name);
+  public static function register_permission($name, $display_name) {
+    $permission = ORM::factory("permission", $name);
     if ($permission->loaded) {
       throw new Exception("@todo PERMISSION_ALREADY_EXISTS $name");
     }
-    $permission->name = $perm_name;
+    $permission->name = $name;
+    $permission->display_name = $display_name;
     $permission->save();
 
     foreach (self::_get_all_groups() as $group) {
-      self::_add_columns($perm_name, $group);
+      self::_add_columns($name, $group);
     }
   }
 
diff --git a/core/helpers/core_installer.php b/core/helpers/core_installer.php
index b08ac229..d02d8465 100644
--- a/core/helpers/core_installer.php
+++ b/core/helpers/core_installer.php
@@ -115,7 +115,7 @@ class core_installer {
       $db->query("CREATE TABLE `permissions` (
                    `id` int(9) NOT NULL auto_increment,
                    `name` varchar(64) default NULL,
-                   `version` int(9) default NULL,
+                   `display_name` varchar(64) default NULL,
                    PRIMARY KEY (`id`),
                    UNIQUE KEY(`name`))
                  ENGINE=InnoDB DEFAULT CHARSET=utf8;");
@@ -153,9 +153,9 @@ class core_installer {
         @mkdir(VARPATH . $dir);
       }
 
-      access::register_permission("view");
-      access::register_permission("view_full");
-      access::register_permission("edit");
+      access::register_permission("view", "View");
+      access::register_permission("view_full", "View Full Size");
+      access::register_permission("edit", "Edit");
 
       $root = ORM::factory("item");
       $root->type = 'album';
diff --git a/core/helpers/core_menu.php b/core/helpers/core_menu.php
index 68d6c7d9..5de2b0d7 100644
--- a/core/helpers/core_menu.php
+++ b/core/helpers/core_menu.php
@@ -55,7 +55,11 @@ class core_menu_Core {
           ->append(Menu::factory("dialog")
                    ->id("add_album")
                    ->label(_("Add an album"))
-                   ->url(url::site("form/add/albums/$item->id?type=album")));
+                   ->url(url::site("form/add/albums/$item->id?type=album")))
+          ->append(Menu::factory("dialog")
+                   ->id("edit_permissions")
+                   ->label(_("Edit permissions"))
+                   ->url(url::site("form/edit/permissions/$item->id")));
       }
     }
 
diff --git a/core/models/item.php b/core/models/item.php
index a21aaf16..a419c2f1 100644
--- a/core/models/item.php
+++ b/core/models/item.php
@@ -20,7 +20,7 @@
 class Item_Model extends ORM_MPTT {
   protected $children = 'items';
   private $relative_path = null;
-  private $view_restrictions = array();
+  private $view_restrictions = null;
 
   var $rules = array(
     "name" => "required|length[0,255]",
@@ -34,9 +34,13 @@ class Item_Model extends ORM_MPTT {
    * @chainable
    */
   public function viewable() {
-    if (empty($this->view_restrictions)) {
-      foreach (user::group_ids() as $id) {
-        $this->view_restrictions["view_$id"] = access::ALLOW;
+    if (is_null($this->view_restrictions)) {
+      if (user::active()->admin) {
+        $this->view_restrictions = array();
+      } else {
+        foreach (user::group_ids() as $id) {
+          $this->view_restrictions["view_$id"] = access::ALLOW;
+        }
       }
     }
     $this->where($this->view_restrictions);
diff --git a/core/views/permission_edit.html.php b/core/views/permission_edit.html.php
new file mode 100644
index 00000000..9e65b864
--- /dev/null
+++ b/core/views/permission_edit.html.php
@@ -0,0 +1,39 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div id="gPermissions">
+  <form method="post" action="<?= url::site("permissions/edit/$item->id") ?>">
+    <?= access::csrf_form_field() ?>
+
+    <table border=1>
+      <tr>
+        <th> </th>
+        <? foreach ($groups as $group): ?>
+        <th> <?= $group->name ?> </th>
+        <? endforeach ?>
+      </tr>
+
+      <? foreach ($permissions as $permission): ?>
+      <tr>
+        <td> <?= _($permission->display_name) ?> </td>
+        <? foreach ($groups as $group): ?>
+        <td>
+          <? $locks = access::locking_items($group, $permission->name, $item) ?>
+          <input type="checkbox"
+                 name="<?= "{$permission->name}_$group->id" ?>"
+                 value="1"
+                 <? if (access::group_can($group, $permission->name, $item)): ?> checked="checked" <? endif ?>
+            <? if ($locks): ?> disabled="disabled" <? endif ?>
+            />
+          <? if ($locks): ?>
+          Locked by: <!-- Not internationalized because its hard and this is prob. the wrong UI anyway -->
+          <? foreach ($locks as $lock): ?>
+          <a href="<?= url::site("{$lock->type}s/$lock->id") ?>"><?= $lock->title ?></a>
+          <? endforeach ?>
+          <? endif ?>
+        </td>
+        <? endforeach ?>
+      </tr>
+      <? endforeach ?>
+    </table>
+    <input type="submit" value="<?= _("Save") ?>"/>
+  </form>
+</div>
-- 
cgit v1.2.3