From 38b2efc44cf3345d97798e9637db241b05e2dded Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Sat, 29 Aug 2009 11:43:10 -0700 Subject: Fix for 641... extend viewable functionality to comments. Viewable unit test is not working. --- modules/comment/helpers/comment_rss.php | 55 +++++++++---------- modules/comment/models/comment.php | 10 ++++ modules/gallery/helpers/item.php | 37 +++++++++++++ modules/gallery/models/item.php | 34 +----------- modules/gallery/tests/Item_Helper_Test.php | 84 ++++++++++++++++++++++++++++++ 5 files changed, 157 insertions(+), 63 deletions(-) create mode 100644 modules/gallery/tests/Item_Helper_Test.php (limited to 'modules') diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php index ab3d2283..a8171ce7 100644 --- a/modules/comment/helpers/comment_rss.php +++ b/modules/comment/helpers/comment_rss.php @@ -33,42 +33,37 @@ class comment_rss_Core { return; } - $comments = ORM::factory("comment") - ->where("state", "published") - ->orderby("created", "DESC"); - $all_comments = ORM::factory("comment") + $comment_model = ORM::factory("comment") + ->viewable() ->where("state", "published") ->orderby("created", "DESC"); if ($feed_id == "item") { - $comments->where("item_id", $id); - $all_comments->where("item_id", $id); + $comment_model->where("item_id", $id); } - if (!empty($comments)) { - $feed->view = "comment.mrss"; - $comments = $comments->find_all($limit, $offset); - $feed->children = array(); - foreach ($comments as $comment) { - $item = $comment->item(); - $feed->children[] = new ArrayObject( - array("pub_date" => date("D, d M Y H:i:s T", $comment->created), - "text" => nl2br(p::purify($comment->text)), - "thumb_url" => $item->thumb_url(), - "thumb_height" => $item->thumb_height, - "thumb_width" => $item->thumb_width, - "item_uri" => url::abs_site("{$item->type}s/$item->id"), - "title" => p::purify($item->title), - "author" => p::clean($comment->author_name())), - ArrayObject::ARRAY_AS_PROPS); - } + $comments = $comment_model->find_all($limit, $offset); + $feed->view = "comment.mrss"; + $feed->children = array(); + foreach ($comments as $comment) { + $item = $comment->item(); + $feed->children[] = new ArrayObject( + array("pub_date" => date("D, d M Y H:i:s T", $comment->created), + "text" => nl2br(p::purify($comment->text)), + "thumb_url" => $item->thumb_url(), + "thumb_height" => $item->thumb_height, + "thumb_width" => $item->thumb_width, + "item_uri" => url::abs_site("{$item->type}s/$item->id"), + "title" => p::purify($item->title), + "author" => p::clean($comment->author_name())), + ArrayObject::ARRAY_AS_PROPS); + } - $feed->max_pages = ceil($all_comments->find_all()->count() / $limit); - $feed->title = htmlspecialchars(t("Recent Comments")); - $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id)); - $feed->description = t("Recent Comments"); + $feed->max_pages = ceil($comment_model->count_all() / $limit); + $feed->title = htmlspecialchars(t("Recent Comments")); + $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id)); + $feed->description = t("Recent Comments"); - return $feed; - } + return $feed; } -} \ No newline at end of file +} diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php index 83d0888a..de9b0cd6 100644 --- a/modules/comment/models/comment.php +++ b/modules/comment/models/comment.php @@ -80,4 +80,14 @@ class Comment_Model extends ORM { return $this; } + + /** + * Add a set of restrictions to any following queries to restrict access only to items + * viewable by the active user. + * @chainable + */ + public function viewable() { + $this->join("items", "items.id", "comments.item_id"); + return item::viewable($this); + } } diff --git a/modules/gallery/helpers/item.php b/modules/gallery/helpers/item.php index a2d3859f..8839861f 100644 --- a/modules/gallery/helpers/item.php +++ b/modules/gallery/helpers/item.php @@ -151,4 +151,41 @@ class item_Core { ->get()->current(); return ($result ? $result->weight : 0) + 1; } + + /** + * Add a set of restrictions to any following queries to restrict access only to items + * viewable by the active user. + * @chainable + */ + static function viewable($model) { + $view_restrictions = array(); + if (!user::active()->admin) { + foreach (user::group_ids() as $id) { + // Separate the first restriction from the rest to make it easier for us to formulate + // our where clause below + if (empty($view_restrictions)) { + $view_restrictions[0] = "items.view_$id"; + } else { + $view_restrictions[1]["items.view_$id"] = access::ALLOW; + } + } + } + switch (count($view_restrictions)) { + case 0: + break; + + case 1: + $model->where($view_restrictions[0], access::ALLOW); + break; + + default: + $model->open_paren(); + $model->where($view_restrictions[0], access::ALLOW); + $model->orwhere($view_restrictions[1]); + $model->close_paren(); + break; + } + + return $model; + } } \ No newline at end of file diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index 7a3a2ba7..68e89db6 100644 --- a/modules/gallery/models/item.php +++ b/modules/gallery/models/item.php @@ -19,7 +19,6 @@ */ class Item_Model extends ORM_MPTT { protected $children = 'items'; - private $view_restrictions = null; protected $sorting = array(); var $rules = array( @@ -34,38 +33,7 @@ class Item_Model extends ORM_MPTT { * @chainable */ public function viewable() { - if (is_null($this->view_restrictions)) { - if (user::active()->admin) { - $this->view_restrictions = array(); - } else { - foreach (user::group_ids() as $id) { - // Separate the first restriction from the rest to make it easier for us to formulate - // our where clause below - if (empty($this->view_restrictions)) { - $this->view_restrictions[0] = "view_$id"; - } else { - $this->view_restrictions[1]["view_$id"] = access::ALLOW; - } - } - } - } - switch (count($this->view_restrictions)) { - case 0: - break; - - case 1: - $this->where($this->view_restrictions[0], access::ALLOW); - break; - - default: - $this->open_paren(); - $this->where($this->view_restrictions[0], access::ALLOW); - $this->orwhere($this->view_restrictions[1]); - $this->close_paren(); - break; - } - - return $this; + return item::viewable($this); } /** diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php new file mode 100644 index 00000000..48fdd962 --- /dev/null +++ b/modules/gallery/tests/Item_Helper_Test.php @@ -0,0 +1,84 @@ +_group->delete(); + } catch (Exception $e) { } + + try { + $this->_album->delete(); + } catch (Exception $e) { } + + //try { + // $this->_user->delete(); + //} catch (Exception $e) { } + } + + public function setup() { + } + + public function viewable_item_test() { + $this->_group = group::create("access_test"); + $root = ORM::factory("item", 1); + $this->_album = album::create($root, rand(), "visible_test"); + $this->_user = user::create("visible_test", "Visible Test", ""); + $this->_user->add($this->_group); + $this->_item = self::_create_random_item($this->_album); + comment::create($this->_item, $this->_user, "This is a comment"); + access::deny(group::everybody(), "view", $this->_album); + $active = user::active(); + + $items = ORM::factory("item") + ->where("id", $this->_album->id) + ->find_all(); + print Database::instance()->last_query() . "\n"; + $items = ORM::factory("item") + ->where("id", $this->_album->id) + ->viewable() + ->find_all(); + print Database::instance()->last_query() . "\n"; + } + + + //public function viewable_one_restrictions_test() { + // $item = self::create_random_item(); + // $this->assert_true(!empty($item->created)); + // $this->assert_true(!empty($item->updated)); + //} + //public function viewable_multiple_restrictions_test() { + // $item = self::create_random_item(); + // $this->assert_true(!empty($item->created)); + // $this->assert_true(!empty($item->updated)); + //} + + private static function _create_random_item($album) { + $item = ORM::factory("item"); + /* Set all required fields (values are irrelevant) */ + $item->name = rand(); + $item->type = "photo"; + return $item->add_to_parent($album); + } +} -- cgit v1.2.3 From d85a8b20bbe0a5be0a03da70354169d41f418d41 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 29 Aug 2009 11:48:49 -0700 Subject: Rename $comment_model to $comments. --- modules/comment/helpers/comment_rss.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php index a8171ce7..e233de59 100644 --- a/modules/comment/helpers/comment_rss.php +++ b/modules/comment/helpers/comment_rss.php @@ -33,16 +33,16 @@ class comment_rss_Core { return; } - $comment_model = ORM::factory("comment") + $comments = ORM::factory("comment") ->viewable() ->where("state", "published") ->orderby("created", "DESC"); if ($feed_id == "item") { - $comment_model->where("item_id", $id); + $comments->where("item_id", $id); } - $comments = $comment_model->find_all($limit, $offset); + $comments = $comments->find_all($limit, $offset); $feed->view = "comment.mrss"; $feed->children = array(); foreach ($comments as $comment) { @@ -59,7 +59,7 @@ class comment_rss_Core { ArrayObject::ARRAY_AS_PROPS); } - $feed->max_pages = ceil($comment_model->count_all() / $limit); + $feed->max_pages = ceil($comments->count_all() / $limit); $feed->title = htmlspecialchars(t("Recent Comments")); $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id)); $feed->description = t("Recent Comments"); -- cgit v1.2.3 From 0d16cc1c106dc324fde59cac54fa82e4a70e04e2 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 29 Aug 2009 12:12:53 -0700 Subject: Clean up the test and get it working. --- modules/gallery/tests/Item_Helper_Test.php | 69 ++++++++---------------------- 1 file changed, 17 insertions(+), 52 deletions(-) (limited to 'modules') diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php index 48fdd962..3f80733f 100644 --- a/modules/gallery/tests/Item_Helper_Test.php +++ b/modules/gallery/tests/Item_Helper_Test.php @@ -18,65 +18,30 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Item_Helper_Test extends Unit_Test_Case { - private $_group; - private $_album; - private $_item; - //private $_user; - public function teardown() { - try { - $this->_group->delete(); - } catch (Exception $e) { } - - try { - $this->_album->delete(); - } catch (Exception $e) { } - - //try { - // $this->_user->delete(); - //} catch (Exception $e) { } - } - - public function setup() { - } - - public function viewable_item_test() { - $this->_group = group::create("access_test"); + public function viewable_test() { $root = ORM::factory("item", 1); - $this->_album = album::create($root, rand(), "visible_test"); - $this->_user = user::create("visible_test", "Visible Test", ""); - $this->_user->add($this->_group); - $this->_item = self::_create_random_item($this->_album); - comment::create($this->_item, $this->_user, "This is a comment"); - access::deny(group::everybody(), "view", $this->_album); - $active = user::active(); - - $items = ORM::factory("item") - ->where("id", $this->_album->id) - ->find_all(); - print Database::instance()->last_query() . "\n"; - $items = ORM::factory("item") - ->where("id", $this->_album->id) - ->viewable() - ->find_all(); - print Database::instance()->last_query() . "\n"; + $album = album::create($root, rand(), rand(), rand()); + $item = self::_create_random_item($album); + user::set_active(user::guest()); + + // We can see the item when permissions are granted + access::allow(group::everybody(), "view", $album); + $this->assert_equal( + 1, + ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); + + // We can't see the item when permissions are denied + access::deny(group::everybody(), "view", $album); + $this->assert_equal( + 0, + ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); } - //public function viewable_one_restrictions_test() { - // $item = self::create_random_item(); - // $this->assert_true(!empty($item->created)); - // $this->assert_true(!empty($item->updated)); - //} - //public function viewable_multiple_restrictions_test() { - // $item = self::create_random_item(); - // $this->assert_true(!empty($item->created)); - // $this->assert_true(!empty($item->updated)); - //} - private static function _create_random_item($album) { + // Set all required fields (values are irrelevant) $item = ORM::factory("item"); - /* Set all required fields (values are irrelevant) */ $item->name = rand(); $item->type = "photo"; return $item->add_to_parent($album); -- cgit v1.2.3 From 50c624ed1b5a09d965d4e0f18a32bf3c2a94db15 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 29 Aug 2009 12:20:03 -0700 Subject: Fix active() to not use user::guest() as the fallback for our Session::get() call. --- modules/user/helpers/user.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php index 69a6ecb3..40acc2ec 100644 --- a/modules/user/helpers/user.php +++ b/modules/user/helpers/user.php @@ -159,7 +159,12 @@ class user_Core { */ static function active() { // @todo (maybe) cache this object so we're not always doing session lookups. - $user = Session::instance()->get("user", self::guest()); + $user = Session::instance()->get("user", null); + if (!isset($user)) { + // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary + // work. + $user = user::guest(); + } return $user; } -- cgit v1.2.3 From cd1fd4989f394f6e8084b8101a8dbdb3030c52aa Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 29 Aug 2009 12:22:00 -0700 Subject: Add a test for Comment_Model::viewable(). --- modules/comment/tests/Comment_Model_Test.php | 40 ++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 modules/comment/tests/Comment_Model_Test.php (limited to 'modules') diff --git a/modules/comment/tests/Comment_Model_Test.php b/modules/comment/tests/Comment_Model_Test.php new file mode 100644 index 00000000..f4c68b15 --- /dev/null +++ b/modules/comment/tests/Comment_Model_Test.php @@ -0,0 +1,40 @@ +assert_equal( + 1, + ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); + + // We can't see the comment when permissions are denied on the album + access::deny(group::everybody(), "view", $album); + $this->assert_equal( + 0, + ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); + } +} -- cgit v1.2.3