From 381dd0574a9d83ceed1dbf6bcb1f7e158d46c85c Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Fri, 29 May 2009 17:53:33 -0700
Subject: Don't show the add photo/album options to users who don't have the
 permission.  This isn't a security hole, since they can't actually add
 stuff.. but they can try and fail which is a bad user experience.

Also fix it up so that we show the option menu only if there's stuff
to show, and cache some of the permissions for performance (which I'm
guessing at-- didn't benchmark it).
---
 modules/gallery/helpers/gallery_menu.php | 48 +++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 20 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/helpers/gallery_menu.php b/modules/gallery/helpers/gallery_menu.php
index ccbc681c..7377bc9d 100644
--- a/modules/gallery/helpers/gallery_menu.php
+++ b/modules/gallery/helpers/gallery_menu.php
@@ -19,7 +19,8 @@
  */
 class gallery_menu_Core {
   static function site($menu, $theme) {
-    if (file_exists(MODPATH . "gallery/controllers/scaffold.php") && user::active()->admin) {
+    $is_admin = user::active()->admin;
+    if (file_exists(MODPATH . "gallery/controllers/scaffold.php") && $is_admin) {
       $menu->append($scaffold_menu = Menu::factory("submenu")
                     ->id("scaffold")
                     ->label("Scaffold"));
@@ -36,38 +37,45 @@ class gallery_menu_Core {
 
     $item = $theme->item();
 
-    if (user::active()->admin || ($item && access::can("edit", $item))) {
+    $can_edit = access::can("edit", $item) || $is_admin;
+    $can_add = access::can("add", $item) || $is_admin;
+
+    if ($item && $can_edit || $can_add) {
       $menu->append($options_menu = Menu::factory("submenu")
                     ->id("options_menu")
                     ->label(t("Options")));
 
-      if ($item && access::can("edit", $item)) {
+      if ($can_edit) {
         $options_menu
           ->append(Menu::factory("dialog")
                    ->id("edit_item")
                    ->label($item->is_album() ? t("Edit album") : t("Edit photo"))
                    ->url(url::site("form/edit/{$item->type}s/$item->id")));
+      }
 
-        // @todo Move album options menu to the album quick edit pane
-        if ($item->is_album()) {
-          $options_menu
-            ->append(Menu::factory("dialog")
-                     ->id("add_item")
-                     ->label(t("Add a photo"))
-                     ->url(url::site("simple_uploader/app/$item->id")))
-            ->append(Menu::factory("dialog")
-                     ->id("add_album")
-                     ->label(t("Add an album"))
-                     ->url(url::site("form/add/albums/$item->id?type=album")))
-            ->append(Menu::factory("dialog")
-                     ->id("edit_permissions")
-                     ->label(t("Edit permissions"))
-                     ->url(url::site("permissions/browse/$item->id")));
-        }
+      // @todo Move album options menu to the album quick edit pane
+      if ($item->is_album() && $can_add) {
+        $options_menu
+          ->append(Menu::factory("dialog")
+                   ->id("add_item")
+                   ->label(t("Add a photo"))
+                   ->url(url::site("simple_uploader/app/$item->id")))
+          ->append(Menu::factory("dialog")
+                   ->id("add_album")
+                   ->label(t("Add an album"))
+                   ->url(url::site("form/add/albums/$item->id?type=album")));
+      }
+
+      if ($can_edit) {
+        $options_menu
+          ->append(Menu::factory("dialog")
+                   ->id("edit_permissions")
+                   ->label(t("Edit permissions"))
+                   ->url(url::site("permissions/browse/$item->id")));
       }
     }
 
-    if (user::active()->admin) {
+    if ($is_admin) {
       $menu->append($admin_menu = Menu::factory("submenu")
                     ->id("admin_menu")
                     ->label(t("Admin")));
-- 
cgit v1.2.3