function change($command, $group_id, $perm_id, $item_id)
{
access::verify_csrf();
$group = identity::lookup_group($group_id);
$perm = ORM::factory("permission", $perm_id);
$item = ORM::factory("item", $item_id);
access::required("view", $item);
access::required("edit", $item);
if (!empty($group) && $perm->loaded() && $item->loaded()) {
switch ($command) {
case "allow":
access::allow($group, $perm->name, $item);
break;
case "deny":
access::deny($group, $perm->name, $item);
break;
case "reset":
access::reset($group, $perm->name, $item);
break;
}
// If the active user just took away their own edit permissions, give it back.
if ($perm->name == "edit") {
if (!access::user_can(identity::active_user(), "edit", $item)) {
access::allow($group, $perm->name, $item);
}
}
}
}
/**
* Imports G2 permissions, mapping G2's permission model to G3's
* much simplified permissions.
*
* - Ignores user permissions, G3 only supports group permissions.
* - Ignores item permissions, G3 only supports album permissions.
*
* G2 permission -> G3 permission
* ---------------------------------
* core.view view
* core.viewSource view_full
* core.edit edit
* core.addDataItem add
* core.addAlbumItem add
* core.viewResizes <ignored>
* core.delete <ignored>
* comment.* <ignored>
*/
private static function _import_permissions($g2_album, $g3_album)
{
// No need to do anything if this album has the same G2 ACL as its parent.
if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) {
return;
}
$granted_permissions = self::_map_permissions($g2_album->getId());
if ($g2_album->getParentId() == null) {
// Compare to current permissions, and change them if necessary.
$g3_parent_album = item::root();
} else {
$g3_parent_album = $g3_album->parent();
}
$granted_parent_permissions = array();
$perm_ids = array_unique(array_values(self::$_permission_map));
foreach (identity::groups() as $group) {
$granted_parent_permissions[$group->id] = array();
foreach ($perm_ids as $perm_id) {
if (access::group_can($group, $perm_id, $g3_parent_album)) {
$granted_parent_permissions[$group->id][$perm_id] = 1;
}
}
}
// Note: Only registering permissions if they're not the same as
// the inherited ones.
foreach ($granted_permissions as $group_id => $permissions) {
if (!isset($granted_parent_permissions[$group_id])) {
foreach (array_keys($permissions) as $perm_id) {
access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
}
} else {
if ($permissions != $granted_parent_permissions[$group_id]) {
$parent_permissions = $granted_parent_permissions[$group_id];
// @todo Probably worth caching the group instances.
$group = identity::lookup_group($group_id);
// Note: Cannot use array_diff_key.
foreach (array_keys($permissions) as $perm_id) {
if (!isset($parent_permissions[$perm_id])) {
access::allow($group, $perm_id, $g3_album);
}
}
foreach (array_keys($parent_permissions) as $perm_id) {
if (!isset($permissions[$perm_id])) {
access::deny($group, $perm_id, $g3_album);
}
}
}
}
}
foreach ($granted_parent_permissions as $group_id => $parent_permissions) {
if (isset($granted_permissions[$group_id])) {
continue;
// handled above
}
$group = identity::lookup_group($group_id);
foreach (array_keys($parent_permissions) as $perm_id) {
access::deny($group, $perm_id, $g3_album);
}
}
}
/**
* Import a single user.
*/
static function import_user(&$queue)
{
$g2_user_id = array_shift($queue);
if (self::map($g2_user_id)) {
return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
}
if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
self::set_map($g2_user_id, identity::guest()->id);
return t("Skipping anonymous user");
}
$g2_admin_group_id = g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
try {
$g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
} catch (Exception $e) {
return t("Failed to import Gallery 2 user with id: %id\n%exception", array("id" => $g2_user_id, "exception" => $e->__toString()));
}
$g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));
try {
$user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), "");
$message = t("Created user: '******'.", array("name" => $user->name));
} catch (Exception $e) {
// @todo For now we assume this is a "duplicate user" exception
$user = identity::lookup_user_by_name($g2_user->getUsername());
$message = t("Loaded existing user: '******'.", array("name" => $user->name));
}
$user->hashed_password = $g2_user->getHashedPassword();
$user->email = $g2_user->getEmail();
$user->locale = $g2_user->getLanguage();
foreach ($g2_groups as $g2_group_id => $g2_group_name) {
if ($g2_group_id == $g2_admin_group_id) {
$user->admin = true;
$message .= t("\n\tAdded 'admin' flag to user");
} else {
$group = identity::lookup_group(self::map($g2_group_id));
$user->add($group);
$message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name));
}
}
$user->save();
self::set_map($g2_user->getId(), $user->id);
return $message;
}
