function allowTransition($oDocument, $oUser)
 {
     if (!$this->isLoaded()) {
         return true;
     }
     $iConditionId = $this->aConfig['condition_id'];
     $oCondition = KTSavedSearch::get($this->aConfig['condition_id']);
     if (PEAR::isError($oCondition)) {
         return true;
         // fail safe for cases where the role is deleted.
     }
     return KTSearchUtil::testConditionOnDocument($iConditionId, $oDocument);
 }
<?php

require_once '../../config/dmsDefaults.php';
require_once KT_LIB_DIR . '/search/savedsearch.inc.php';
require_once KT_LIB_DIR . '/search/searchutil.inc.php';
$oSearch = KTSavedSearch::getByNamespace('http://ktcvs.local/local/savedsearches/mp3');
$iDocumentId = 96;
var_dump(KTSearchUtil::testConditionOnDocument($oSearch, $iDocumentId));
 /**
  * Update's the permission lookup on one folder or document,
  * non-recursively.
  */
 function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null)
 {
     $is_a_folder = is_a($oFolderOrDocument, 'Folder');
     $is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');
     //ensure that the document shortcut is being updated.
     if ($is_a_document && $oFolderOrDocument->isSymbolicLink()) {
         $oFolderOrDocument->switchToRealCore();
     }
     $oChannel = null;
     $aMapPermAllowed = null;
     $oPermLookup = null;
     if (!is_null($aOptions)) {
         $oChannel = $aOptions['channel'];
         $aMapPermAllowed = $aOptions['map_allowed'];
         $oPermLookup = $aOptions['perm_lookup'];
     }
     if (!$is_a_folder && !$is_a_document) {
         return;
         // we occasionally get handed a PEAR::raiseError.  Just ignore it.
     }
     if (is_null($oChannel)) {
         $oChannel =& KTPermissionChannel::getSingleton();
     }
     if ($is_a_folder) {
         $msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
     } else {
         if (is_a($oFolderOrDocument, 'Document')) {
             //modify the message to reflect that a shortcut is begin updated
             if ($oFolderOrDocument->isSymbolicLink()) {
                 $msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
             } else {
                 $msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
             }
         } else {
             $msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
         }
     }
     $oChannel->sendMessage(new KTPermissionGenericMessage($msg));
     //var_dump($msg);
     $iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
     if (empty($iPermissionObjectId)) {
         return;
     }
     $oPO = KTPermissionObject::get($iPermissionObjectId);
     if (is_null($aMapPermAllowed)) {
         $aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
         $aMapPermAllowed = array();
         foreach ($aPAs as $oPA) {
             $oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
             $aGroupIDs = $oPD->getGroups();
             $aUserIDs = array();
             $aRoleIDs = $oPD->getRoles();
             $aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
             $aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
         }
     }
     if (!$is_a_folder) {
         $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
         if (!PEAR::isError($aDynamicConditions)) {
             foreach ($aDynamicConditions as $oDynamicCondition) {
                 $iConditionId = $oDynamicCondition->getConditionId();
                 if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
                     $iGroupId = $oDynamicCondition->getGroupId();
                     $aPermissionIds = $oDynamicCondition->getAssignment();
                     foreach ($aPermissionIds as $iPermissionId) {
                         $aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
                         $aCurrentAllowed['group'][] = $iGroupId;
                         $aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
                     }
                 }
             }
         }
     }
     if (!$is_a_folder) {
         $oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
         if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
             $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
             foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                 $iPermissionId = $oAssignment->getPermissionId();
                 $iPermissionDescriptorId = $oAssignment->getDescriptorId();
                 $oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
                 $aGroupIDs = $oPD->getGroups();
                 $aUserIDs = array();
                 $aRoleIDs = $oPD->getRoles();
                 $aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
                 $aMapPermAllowed[$iPermissionId] = $aAllowed;
             }
         }
     }
     // if we have roles:  nearest folder.
     $iRoleSourceFolder = null;
     if ($is_a_document) {
         $iRoleSourceFolder = $oFolderOrDocument->getFolderID();
     } else {
         $iRoleSourceFolder = $oFolderOrDocument->getId();
     }
     // very minor perf win:  map role_id (in context) to PD.
     $_roleCache = array();
     foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
         $aAfterRoles = array();
         if (array_key_exists('role', $aAllowed)) {
             foreach ($aAllowed['role'] as $k => $iRoleId) {
                 // store the PD <-> RoleId map
                 // special-case "all" or "authenticated".
                 if ($iRoleId == -3 || $iRoleId == -4) {
                     $aAfterRoles[] = $iRoleId;
                     continue;
                 }
                 if (!array_key_exists($iRoleId, $_roleCache)) {
                     $oRoleAllocation = null;
                     if ($is_a_document) {
                         $oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
                         if (PEAR::isError($oRoleAllocation)) {
                             $oRoleAllocation = null;
                         }
                     }
                     // if that's null - not set _on_ the document, then
                     if (is_null($oRoleAllocation)) {
                         $oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
                     }
                     $_roleCache[$iRoleId] = $oRoleAllocation;
                 }
                 // roles are _not_ always assigned (can be null at root)
                 if (!is_null($_roleCache[$iRoleId])) {
                     $aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
                     $aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
                     // naturally, roles cannot be assigned roles, or madness follows.
                 }
                 unset($aAllowed['role'][$k]);
             }
         }
         unset($aMapPermAllowed[$iPermissionId]['role']);
         if (!empty($aAfterRoles)) {
             $aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
         }
     }
     /*
     print '<pre>';
     print '=======' . $oFolderOrDocument->getName();
     print '<br />';
     var_dump($aMapPermAllowed);
     print '</pre>';
     */
     //if (is_null($oPermLookup)) {
     $aMapPermDesc = array();
     foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
         $oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
         $aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
     }
     $oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
     //}
     $oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
     $oFolderOrDocument->update();
 }
 function do_resolved_users()
 {
     $this->oPage->setBreadcrumbDetails(_kt("Permissions"));
     $oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");
     $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
     $aPermissions = KTPermission::getList();
     $aMapPermissionGroup = array();
     $aMapPermissionRole = array();
     $aMapPermissionUser = array();
     $aUsers = User::getList();
     foreach ($aPermissions as $oPermission) {
         $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
         if (PEAR::isError($oPLA)) {
             continue;
         }
         $oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
         $iPermissionID = $oPermission->getID();
         $aMapPermissionGroup[$iPermissionID] = array();
         foreach ($aUsers as $oUser) {
             if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
                 $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                 $aActiveUsers[$oUser->getId()] = true;
             }
         }
     }
     // now we constitute the actual sets.
     $users = array();
     $groups = array();
     $roles = array();
     // should _always_ be empty, barring a bug in permissions::updatePermissionLookup
     // this should be quite limited - direct role -> user assignment is typically rare.
     foreach ($aActiveUsers as $id => $marker) {
         $oUser = User::get($id);
         $users[$oUser->getName()] = $oUser;
     }
     asort($users);
     // ascending, per convention.
     $bEdit = false;
     $sInherited = '';
     $aDynamicControls = array();
     $aWorkflowControls = array();
     // handle conditions
     $iPermissionObjectId = $this->oDocument->getPermissionObjectID();
     if (!empty($iPermissionObjectId)) {
         $oPO = KTPermissionObject::get($iPermissionObjectId);
         $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
         if (!PEAR::isError($aDynamicConditions)) {
             foreach ($aDynamicConditions as $oDynamicCondition) {
                 $iConditionId = $oDynamicCondition->getConditionId();
                 if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
                     $aPermissionIds = $oDynamicCondition->getAssignment();
                     foreach ($aPermissionIds as $iPermissionId) {
                         $aDynamicControls[$iPermissionId] = true;
                     }
                 }
             }
         }
     }
     // indicate that workflow controls a given permission
     $oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
     if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
         $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
         foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
             $aWorkflowControls[$oAssignment->getPermissionId()] = true;
             unset($aDynamicControls[$oAssignment->getPermissionId()]);
         }
     }
     $aTemplateData = array("context" => $this, "permissions" => $aPermissions, "groups" => $groups, "users" => $users, "roles" => $roles, "oDocument" => $this->oDocument, "aMapPermissionGroup" => $aMapPermissionGroup, "aMapPermissionRole" => $aMapPermissionRole, "aMapPermissionUser" => $aMapPermissionUser, "edit" => $bEdit, "inherited" => $sInherited, 'workflow_controls' => $aWorkflowControls, 'conditions_control' => $aDynamicControls);
     return $oTemplate->render($aTemplateData);
 }