From 8ba5ea3cf832f42e93e98c3b984962ace3abf2d1 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 13 Dec 2008 19:49:33 +0000
Subject: Make sure that access::can fails if the item is not loaded

---
 core/helpers/access.php           | 4 ++++
 core/tests/Access_Helper_Test.php | 9 +++++++++
 2 files changed, 13 insertions(+)

(limited to 'core')

diff --git a/core/helpers/access.php b/core/helpers/access.php
index f3880b89..3fb7548d 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -99,6 +99,10 @@ class access_Core {
    * @return boolean
    */
   public static function can($perm_name, $item) {
+    if (!$item->loaded) {
+      return false;
+    }
+
     if ($perm_name == "view") {
       $resource = $item;
     } else {
diff --git a/core/tests/Access_Helper_Test.php b/core/tests/Access_Helper_Test.php
index a8e48832..7f5aa656 100644
--- a/core/tests/Access_Helper_Test.php
+++ b/core/tests/Access_Helper_Test.php
@@ -127,6 +127,15 @@ class Access_Helper_Test extends Unit_Test_Case {
     $this->assert_true(access::group_can(group::everybody(), "view", $root));
   }
 
+  public function can_always_fails_on_unloaded_items_test() {
+    $root = ORM::factory("item", 1);
+    access::allow(group::everybody(), "view", $root);
+    $this->assert_true(access::group_can(group::everybody(), "view", $root));
+
+    $bogus = ORM::factory("item", -1);
+    $this->assert_false(access::group_can(group::everybody(), "view", $bogus));
+  }
+
   public function cant_view_child_of_hidden_parent_test() {
     $root = ORM::factory("item", 1);
     $album = ORM::factory("item")->add_to_parent($root);
-- 
cgit v1.2.3