Beispiel #1
 /**
  * Is the requested action allowed for this user?
  * If the permission applies to content, the "obj" cannot be empty. Owner-
  * dependent permissions use the {@link OBJECT_IN_FOLDER::owner()} to
  * determine the full permission. {@link APPLICATION_USER_OPTIONS} defines a
  * few settings that control which permissions are owner-dependent. If the
  * permission set is {@link Privilege_set_user}, the "obj" must be a {@link
  * USER} instead.
  * @param string $set_name Check this set of permissions.
  * @param integer $type Check this permission (or permissions).
  * @param OBJECT_IN_FOLDER|USER $obj
  * @see OBJECT_IN_FOLDER
  * @return boolean
  */
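 public function is_allowed($set_name, $type, $obj = null)
 {
     // Authorization decision for the current user. Every path below either
     // grants explicitly or leaves the result falsy; the final cast ensures
     // callers receive the documented boolean.
     $this->assert(!$this->ad_hoc_login, 'Cannot use an ad-hoc login.', 'is_allowed', 'USER');
     $user_options = $this->app->user_options;
     $user_permissions = $this->permissions();

     if ($user_permissions->global_privileges->supports($set_name)) {
         // Sets handled by the global privileges are decided there first;
         // the switches below only widen the result for "self" access.
         $Result = $user_permissions->global_privileges->enabled($set_name, $type);
         if ($set_name == Privilege_set_user) {
             switch ($type) {
                 case Privilege_view:
                     if ($obj) {
                         $Result = $Result || $obj->equals($this);
                     }
                     break;
                 case Privilege_modify:
                     // "obj" is optional in the signature, so it is checked
                     // before use, as in the view case. Without an object
                     // there is no "self" to match and nothing extra is
                     // granted.
                     $Result = $Result
                         || ($user_options->users_can_edit_self && $obj && $obj->equals($this));
                     break;
             }
         }
         if ($set_name == Privilege_set_global) {
             switch ($type) {
                 case Privilege_subscribe:
                 case Privilege_password:
                     if ($obj) {
                         $Result = $Result || $obj->equals($this);
                     }
                     break;
             }
         }
     } elseif ($user_permissions->allow_privileges->enabled($set_name, $type)) {
         // An explicit per-user allow is consulted before the deny list, so
         // it wins when both are set for the same privilege.
         $Result = true;
     } elseif ($user_permissions->deny_privileges->enabled($set_name, $type)) {
         // An explicit deny also blocks the owner-dependent grants below.
         $Result = false;
     } elseif (!$obj) {
         // Content permissions need an object to resolve the folder and the
         // owner. Fail closed instead of dereferencing a missing object.
         $Result = false;
     } else {
         /** @var FOLDER $folder */
         $folder = $obj->security_context();
         $folder_permissions = $folder->permissions();
         $Result = $folder_permissions->enabled($set_name, $type);
         if (!$Result) {
             // The folder did not grant the privilege. The owner of the
             // object may still receive it, depending on the application's
             // user options. Logical operators are used here (the result is
             // known to be falsy) so the value stays boolean rather than
             // becoming an integer through a bitwise OR.
             /** @var USER $owner */
             $owner = $obj->owner();
             switch ($type) {
                 case Privilege_view:
                 case Privilege_view_history:
                     $Result = $owner->equals($this);
                     break;
                 case Privilege_modify:
                     $Result = $user_options->users_can_modify_own_content && $owner->equals($this);
                     break;
                 case Privilege_delete:
                     $Result = $user_options->users_can_delete_own_content && $owner->equals($this);
                     break;
                 case Privilege_purge:
                     $Result = $user_options->users_can_purge_own_content && $owner->equals($this);
                     break;
             }
         }
     }

     return (bool) $Result;
 }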