/**
  * Check whether a given user has the given permission on the given
  * object, by virtue of a direct or indirect assignment due to the
  * user, its groups, its roles, or the roles assigned to its groups,
  * and so forth.
  */
 function userHasPermissionOnItem($oUser, $oPermission, $oFolderOrDocument)
 {
     if (is_string($oPermission)) {
         $oPermission =& KTPermission::getByName($oPermission);
     }
     if (PEAR::isError($oPermission)) {
         return false;
     }
     if (PEAR::isError($oFolderOrDocument) || $oFolderOrDocument == null) {
         return false;
     }
     // Quick fix for multiple permissions look ups.
     // For the current lookup, if the permissions have been checked then return their value
     $iPermId = $oPermission->getID();
     $iDocId = $oFolderOrDocument->getID();
     $lookup = 'folders';
     if (is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'DocumentProxy')) {
         $lookup = 'docs';
     }
     // check if permission has been set
     // $permArr[permId] = array('folders' => array('id' => bool), 'docs' => array('id' => bool));
     if (isset(KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId])) {
         //return KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId];
     }
     $oPL = KTPermissionLookup::get($oFolderOrDocument->getPermissionLookupID());
     $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
     if (PEAR::isError($oPLA)) {
         //print $oPL->getID();
         KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = false;
         return false;
     }
     $oPD = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
     // set permission array to true
     KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = true;
     // check for permissions
     $aGroups = GroupUtil::listGroupsForUserExpand($oUser);
     if ($oPD->hasRoles(array(-3))) {
         return true;
     } else {
         if ($oPD->hasUsers(array($oUser))) {
             return true;
         } else {
             if ($oPD->hasGroups($aGroups)) {
                 return true;
             } else {
                 if ($oPD->hasRoles(array(-4)) && !$oUser->isAnonymous()) {
                     return true;
                 }
             }
         }
     }
     // permission isn't true, set to false
     KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = false;
     return false;
 }
 function do_resolved_users()
 {
     $this->oPage->setBreadcrumbDetails(_kt('Permissions'));
     $oTemplate = $this->oValidator->validateTemplate('ktcore/folder/resolved_permissions_user');
     $oPL = KTPermissionLookup::get($this->oFolder->getPermissionLookupID());
     $aPermissions = KTPermission::getList();
     $aMapPermissionGroup = array();
     $aMapPermissionRole = array();
     $aMapPermissionUser = array();
     $aActiveUsers = array();
     $aUsers = User::getList();
     foreach ($aPermissions as $oPermission) {
         $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
         if (PEAR::isError($oPLA)) {
             continue;
         }
         $oDescriptor =& KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
         $iPermissionID = $oPermission->getID();
         $aMapPermissionGroup[$iPermissionID] = array();
         $hasPermission = false;
         $everyone = $oDescriptor->hasRoles(array(-3));
         $authenticated = $oDescriptor->hasRoles(array(-4));
         // TODO : paginate this page, when there are too many users
         foreach ($aUsers as $oUser) {
             if ($everyone || $authenticated && $oUser->isAnonymous() || KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oFolder)) {
                 $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                 $aActiveUsers[$oUser->getId()] = $oUser->getName();
             }
         }
     }
     // now we constitute the actual sets.
     $users = array();
     $groups = array();
     $roles = array();
     // should _always_ be empty, barring a bug in permissions::updatePermissionLookup
     $users = $aActiveUsers;
     asort($users);
     // ascending, per convention.
     $bEdit = false;
     $sInherited = '';
     $aTemplateData = array('context' => $this, 'permissions' => $aPermissions, 'groups' => $groups, 'users' => $users, 'roles' => $roles, 'oFolder' => $this->oFolder, 'aMapPermissionGroup' => $aMapPermissionGroup, 'aMapPermissionRole' => $aMapPermissionRole, 'aMapPermissionUser' => $aMapPermissionUser, 'edit' => $bEdit, 'inherited' => $sInherited, 'foldername' => $this->oFolder->getName(), 'iFolderId' => $this->oFolder->getId());
     return $oTemplate->render($aTemplateData);
 }
 function &findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc)
 {
     $aOptions = array();
     foreach ($aMapPermDesc as $iPermissionID => $iDescriptorID) {
         $aThisOptions = array();
         foreach (KTPermissionLookupAssignment::_getLookupIDsByPermissionIDAndDescriptorID($iPermissionID, $iDescriptorID) as $iPLID) {
             $aThisOptions[] = $iPLID;
         }
         $aOptions[] = $aThisOptions;
     }
     if (count($aOptions) > 1) {
         $aPLIDs = call_user_func_array('array_intersect', $aOptions);
     } elseif (count($aOptions) == 1) {
         $aPLIDs = $aOptions[0];
     } else {
         $aPLIDs = array();
     }
     if (empty($aPLIDs)) {
         $oPL = KTPermissionLookup::createFromArray(array());
         $iPLID = $oPL->getID();
         foreach ($aMapPermDesc as $iPermissionID => $iDescriptorID) {
             $res = KTPermissionLookupAssignment::createFromArray(array('permissionlookupid' => $iPLID, 'permissionid' => $iPermissionID, 'permissiondescriptorid' => $iDescriptorID));
         }
         return $oPL;
     }
     sort($aPLIDs);
     $res = KTPermissionLookup::get($aPLIDs[0]);
     return $res;
 }
 function do_resolved_users()
 {
     $this->oPage->setBreadcrumbDetails(_kt("Permissions"));
     $oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");
     $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
     $aPermissions = KTPermission::getList();
     $aMapPermissionGroup = array();
     $aMapPermissionRole = array();
     $aMapPermissionUser = array();
     $aUsers = User::getList();
     foreach ($aPermissions as $oPermission) {
         $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
         if (PEAR::isError($oPLA)) {
             continue;
         }
         $oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
         $iPermissionID = $oPermission->getID();
         $aMapPermissionGroup[$iPermissionID] = array();
         foreach ($aUsers as $oUser) {
             if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
                 $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                 $aActiveUsers[$oUser->getId()] = true;
             }
         }
     }
     // now we constitute the actual sets.
     $users = array();
     $groups = array();
     $roles = array();
     // should _always_ be empty, barring a bug in permissions::updatePermissionLookup
     // this should be quite limited - direct role -> user assignment is typically rare.
     foreach ($aActiveUsers as $id => $marker) {
         $oUser = User::get($id);
         $users[$oUser->getName()] = $oUser;
     }
     asort($users);
     // ascending, per convention.
     $bEdit = false;
     $sInherited = '';
     $aDynamicControls = array();
     $aWorkflowControls = array();
     // handle conditions
     $iPermissionObjectId = $this->oDocument->getPermissionObjectID();
     if (!empty($iPermissionObjectId)) {
         $oPO = KTPermissionObject::get($iPermissionObjectId);
         $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
         if (!PEAR::isError($aDynamicConditions)) {
             foreach ($aDynamicConditions as $oDynamicCondition) {
                 $iConditionId = $oDynamicCondition->getConditionId();
                 if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
                     $aPermissionIds = $oDynamicCondition->getAssignment();
                     foreach ($aPermissionIds as $iPermissionId) {
                         $aDynamicControls[$iPermissionId] = true;
                     }
                 }
             }
         }
     }
     // indicate that workflow controls a given permission
     $oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
     if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
         $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
         foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
             $aWorkflowControls[$oAssignment->getPermissionId()] = true;
             unset($aDynamicControls[$oAssignment->getPermissionId()]);
         }
     }
     $aTemplateData = array("context" => $this, "permissions" => $aPermissions, "groups" => $groups, "users" => $users, "roles" => $roles, "oDocument" => $this->oDocument, "aMapPermissionGroup" => $aMapPermissionGroup, "aMapPermissionRole" => $aMapPermissionRole, "aMapPermissionUser" => $aMapPermissionUser, "edit" => $bEdit, "inherited" => $sInherited, 'workflow_controls' => $aWorkflowControls, 'conditions_control' => $aDynamicControls);
     return $oTemplate->render($aTemplateData);
 }