function change($command, $group_id, $perm_id, $item_id) { access::verify_csrf(); $group = identity::lookup_group($group_id); $perm = ORM::factory("permission", $perm_id); $item = ORM::factory("item", $item_id); access::required("view", $item); access::required("edit", $item); if (!empty($group) && $perm->loaded() && $item->loaded()) { switch ($command) { case "allow": access::allow($group, $perm->name, $item); break; case "deny": access::deny($group, $perm->name, $item); break; case "reset": access::reset($group, $perm->name, $item); break; } // If the active user just took away their own edit permissions, give it back. if ($perm->name == "edit") { if (!access::user_can(identity::active_user(), "edit", $item)) { access::allow($group, $perm->name, $item); } } } }
private function _get_proxy() { $album = test::random_album(); $photo = test::random_photo($album); access::deny(identity::everybody(), "view_full", $album); access::deny(identity::registered_users(), "view_full", $album); $proxy = ORM::factory("digibug_proxy"); $proxy->uuid = random::hash(); $proxy->item_id = $photo->id; return $proxy->save(); }
public function viewable_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $item = self::_create_random_item($album); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function viewable_test() { $album = test::random_album(); $item = test::random_photo($album); $album->reload(); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function post_fails_without_permissions_test() { access::deny(identity::everybody(), "edit", item::root()); identity::set_active_user(identity::guest()); try { $request->params->name = "test tag"; tags_rest::post($request); } catch (Exception $e) { $this->assert_equal(403, $e->getCode()); return; } $this->assert_true(false, "Shouldnt get here"); }
public function cant_view_comments_for_unviewable_items_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $comment = comment::create($album, user::guest(), "text", "name", "email", "url"); user::set_active(user::guest()); // We can see the comment when permissions are granted on the album access::allow(group::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(group::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); }
public function setup() { $this->_server = $_SERVER; $root = ORM::factory("item", 1); $this->_album = album::create($root, rand(), "test album"); access::deny(identity::everybody(), "view_full", $this->_album); access::deny(identity::registered_users(), "view_full", $this->_album); $rand = rand(); $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "{$rand}.jpg", $rand, $rand); $this->_proxy = ORM::factory("digibug_proxy"); $this->_proxy->uuid = md5(rand()); $this->_proxy->item_id = $this->_item->id; $this->_proxy->save(); }
public function cant_view_comments_for_unviewable_items_test() { $album = test::random_album(); $comment = ORM::factory("comment"); $comment->item_id = $album->id; $comment->author_id = identity::admin_user()->id; $comment->text = "text"; $comment->save(); identity::set_active_user(identity::guest()); // We can see the comment when permissions are granted on the album access::allow(identity::everybody(), "view", $album); $this->assert_true(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(identity::everybody(), "view", $album); $this->assert_false(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); }
public function illegal_access_test() { $album = test::random_album(); $photo = test::random_photo($album); $album->reload(); access::deny(identity::everybody(), "view", $album); identity::set_active_user(identity::guest()); $request = new stdClass(); $request->url = rest::url("data", $photo, "thumb"); $request->params = new stdClass(); $request->params->size = "thumb"; try { data_rest::get($request); $this->assert_true(false); } catch (Kohana_404_Exception $e) { // pass } }
function change($command, $group_id, $perm_id, $item_id) { access::verify_csrf(); $group = ORM::factory("group", $group_id); $perm = ORM::factory("permission", $perm_id); $item = ORM::factory("item", $item_id); access::required("edit", $item); if ($group->loaded && $perm->loaded && $item->loaded) { switch ($command) { case "allow": access::allow($group, $perm->name, $item); break; case "deny": access::deny($group, $perm->name, $item); break; case "reset": access::reset($group, $perm->name, $item); break; } } }
static function hotfix_all() { $messages = array(); $messages[] = t('Running Hotfix'); /* ON THE LAST RUN WE NEED TO RE-FIX ALL DAMAGED ALBUM THUMBS! */ $albumDir = self::$album_dir; if (substr($albumDir, -1) != DIRECTORY_SEPARATOR) { $albumDir .= DIRECTORY_SEPARATOR; } foreach (self::$albums_flat as $g1_album) { $album_id = self::map($g1_album, '', 'album'); if (!$album_id) { $messages[] = t('Album %name not found', array('name' => $g1_album)); continue; } $album = ORM::factory('item', $album_id); $importDir = $albumDir . $g1_album . DIRECTORY_SEPARATOR; try { require_once 'Gallery1DataParser.php'; list($result, $items) = Gallery1DataParser::getPhotos($importDir); if ($result == null) { foreach ($items as $object) { if (isset($object->highlight) && $object->highlight == 1 && isset($object->highlightImage) && is_a($object->highlightImage, 'G1Img')) { $g1_path = $importDir . $object->highlightImage->name . '.' . $object->highlightImage->type; if (is_file($g1_path) && @copy($g1_path, $album->thumb_path())) { $album->thumb_height = $object->highlightImage->height; $album->thumb_width = $object->highlightImage->width; $album->thumb_dirty = false; $album->save(); } } } } } catch (Exception $e) { $messages[] = (string) new G1_Import_Exception(t('Failed to copy thumb for album %name.', array('name' => $g1_album)), $e); } } /* ON THE LAST RUN WE NEED TO RE-FIX ALL ALBUM PERMISSIONS */ foreach (self::$albums_hidden as $g1_album => $dummy) { try { $album_id = self::map($g1_album, '', 'album'); $album = ORM::factory('item', $album_id); access::deny(identity::everybody(), 'view', $album); $messages[] = t('Denying access to %album', array('album' => $g1_album)); } catch (Exception $e) { $messages[] = (string) new G1_Import_Exception(t('Failed to set access permission for hidden album %name.', array('name' => $g1_album)), $e); } } return $messages; }
public function delete_album_fails_without_permission_test() { $album1 = test::random_album(); access::deny(identity::everybody(), "edit", $album1); identity::set_active_user(identity::guest()); $request->url = rest::url("item", $album1); try { item_rest::delete($request); } catch (Exception $e) { $this->assert_equal("@todo FORBIDDEN", $e->getMessage()); return; } $this->assert_true(false, "Shouldn't get here"); }
/** * Imports G2 permissions, mapping G2's permission model to G3's * much simplified permissions. * * - Ignores user permissions, G3 only supports group permissions. * - Ignores item permissions, G3 only supports album permissions. * * G2 permission -> G3 permission * --------------------------------- * core.view view * core.viewSource view_full * core.edit edit * core.addDataItem add * core.addAlbumItem add * core.viewResizes <ignored> * core.delete <ignored> * comment.* <ignored> */ private static function _import_permissions($g2_album, $g3_album) { // No need to do anything if this album has the same G2 ACL as its parent. if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) { return; } $granted_permissions = self::_map_permissions($g2_album->getId()); if ($g2_album->getParentId() == null) { // Compare to current permissions, and change them if necessary. $g3_parent_album = item::root(); } else { $g3_parent_album = $g3_album->parent(); } $granted_parent_permissions = array(); $perm_ids = array_unique(array_values(self::$_permission_map)); foreach (identity::groups() as $group) { $granted_parent_permissions[$group->id] = array(); foreach ($perm_ids as $perm_id) { if (access::group_can($group, $perm_id, $g3_parent_album)) { $granted_parent_permissions[$group->id][$perm_id] = 1; } } } // Note: Only registering permissions if they're not the same as // the inherited ones. foreach ($granted_permissions as $group_id => $permissions) { if (!isset($granted_parent_permissions[$group_id])) { foreach (array_keys($permissions) as $perm_id) { access::allow(identity::lookup_group($group_id), $perm_id, $g3_album); } } else { if ($permissions != $granted_parent_permissions[$group_id]) { $parent_permissions = $granted_parent_permissions[$group_id]; // @todo Probably worth caching the group instances. $group = identity::lookup_group($group_id); // Note: Cannot use array_diff_key. foreach (array_keys($permissions) as $perm_id) { if (!isset($parent_permissions[$perm_id])) { access::allow($group, $perm_id, $g3_album); } } foreach (array_keys($parent_permissions) as $perm_id) { if (!isset($permissions[$perm_id])) { access::deny($group, $perm_id, $g3_album); } } } } } foreach ($granted_parent_permissions as $group_id => $parent_permissions) { if (isset($granted_permissions[$group_id])) { continue; // handled above } $group = identity::lookup_group($group_id); foreach (array_keys($parent_permissions) as $perm_id) { access::deny($group, $perm_id, $g3_album); } } }
public function moved_items_inherit_new_permissions_test() { identity::set_active_user(identity::lookup_user_by_name("admin")); $public_album = test::random_album(); $public_photo = test::random_photo($public_album); access::allow(identity::everybody(), "view", $public_album); access::allow(identity::everybody(), "edit", $public_album); item::root()->reload(); // Account for MPTT changes $private_album = test::random_album(); access::deny(identity::everybody(), "view", $private_album); access::deny(identity::everybody(), "edit", $private_album); $private_photo = test::random_photo($private_album); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo)); $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo)); $this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo)); }
public function everybody_view_full_permission_maintains_htaccess_files_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::allow(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::reset(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); }
public function moved_items_inherit_new_permissions_test() { user::set_active(user::lookup_by_name("admin")); $root = ORM::factory("item", 1); $public_album = album::create($root, rand(), "public album"); $public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", ""); access::allow(group::everybody(), "view", $public_album); $root->reload(); // Account for MPTT changes $private_album = album::create($root, rand(), "private album"); access::deny(group::everybody(), "view", $private_album); $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", ""); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(group::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_true(access::group_can(group::everybody(), "view", $private_photo)); }
public function as_restful_array_with_add_bit_test() { $response = item::root()->as_restful_array(); $this->assert_true($response["can_add"]); access::deny(identity::everybody(), "add", item::root()); identity::set_active_user(identity::guest()); $response = item::root()->as_restful_array(); $this->assert_false($response["can_add"]); }
public function need_view_full_permission_to_view_original_test() { $album = test::random_album(); $photo = test::random_photo($album); $album = $album->reload(); // adding the photo changed the album in the db $_SERVER["REQUEST_URI"] = url::file("var/albums/{$album->name}/{$photo->name}"); $controller = new File_Proxy_Controller(); access::deny(identity::everybody(), "view_full", $album); identity::set_active_user(identity::guest()); try { $controller->__call("", array()); $this->assert_true(false); } catch (Kohana_404_Exception $e) { $this->assert_same(5, $e->test_fail_code); } }
static function album_add_form_completed($album, $form) { if ($form->privacy->private->checked) { $username = $form->privacy->username->value; $password = $form->privacy->password->value; // TODO validation // create a group based on username $group = identity::create_group($username); // create a user based on username $user = identity::create_user($username, $username, $password, $username . "@unknown.com"); identity::add_user_to_group($user, $group); // create user home $home = ORM::factory("user_home")->where("id", "=", $user->id)->find(); $home->id = $user->id; $home->home = $album->id; $home->save(); // reload album $album->reload(); // set permissions // deny all groups. $groups = ORM::factory("group")->find_all(); foreach ($groups as $group2) { if ($group->id != $group2->id) { access::deny($group2, "view", $album); access::deny($group2, "view_full", $album); } } // deny all other albums $albums = ORM::factory("item")->where("type", "=", "album")->find_all(); foreach ($albums as $albumt) { access::deny($group, "view", $albumt); } // allow access to newly created group access::allow($group, "view_full", $album); $parents = $album->parents(); foreach ($parents as $parent) { access::allow($group, "view", $parent); } access::allow($group, "view", $album); } }