/**
 * Apply a permission change for a group on an item, without letting the active user lock
 * themselves out of editing it.
 *
 * @param string $command  one of "allow", "deny" or "reset"; any other value changes nothing
 * @param int    $group_id id of the group the change applies to
 * @param int    $perm_id  id of the permission row (its name is what access:: operates on)
 * @param int    $item_id  id of the item whose ACL is changed
 */
function change($command, $group_id, $perm_id, $item_id) {
  // State-changing request: refuse it unless the CSRF token checks out.
  access::verify_csrf();

  $group = identity::lookup_group($group_id);
  $permission = ORM::factory("permission", $perm_id);
  $item = ORM::factory("item", $item_id);

  // The caller must be able to both see and edit the item before touching its ACL.
  access::required("view", $item);
  access::required("edit", $item);

  if (empty($group) || !$permission->loaded() || !$item->loaded()) {
    return;
  }

  $perm_name = $permission->name;
  switch ($command) {
  case "allow":
    access::allow($group, $perm_name, $item);
    break;
  case "deny":
    access::deny($group, $perm_name, $item);
    break;
  case "reset":
    access::reset($group, $perm_name, $item);
    break;
  }

  // If the active user just took away their own edit permission, give it back: otherwise
  // they could not undo the change they just made.
  if ($perm_name == "edit" && !access::user_can(identity::active_user(), "edit", $item)) {
    access::allow($group, $perm_name, $item);
  }
}
/**
 * Find the email addresses of users subscribed to an item whose nested-set range
 * (left_ptr, right_ptr) encloses this item, keeping only users allowed to view it.
 *
 * @todo don't access the user table directly
 * @todo only return distinct email addresses
 * @param Item_Model $item
 * @return array list of email addresses
 */
static function get_subscribers($item) {
  // Join users to their subscriptions and to the subscribed items; the ptr comparisons
  // select the enclosing (ancestor) items of $item.
  $candidates = ORM::factory("user")
    ->join("subscriptions", "users.id", "subscriptions.user_id")
    ->join("items", "subscriptions.item_id", "items.id")
    ->where("email IS NOT", null)
    ->where("items.left_ptr <=", $item->left_ptr)
    ->where("items.right_ptr >", $item->right_ptr)
    ->find_all();

  // Keyed by address so a user reached through several subscriptions is reported once.
  $emails = array();
  foreach ($candidates as $candidate) {
    if (!access::user_can($candidate, "view", $item)) {
      continue;
    }
    $emails[$candidate->email] = 1;
  }
  return array_keys($emails);
}
/**
 * Find the email addresses of users subscribed to an item whose nested-set range
 * (left_ptr, right_ptr) encloses this item, keeping only users allowed to view it.
 *
 * @todo only return distinct email addresses
 * @param Item_Model $item
 * @return array list of email addresses
 */
static function get_subscribers($item) {
  // Collect the ids of everyone subscribed to an enclosing item.
  $rows = ORM::factory("subscription")
    ->select("user_id")
    ->join("items", "subscriptions.item_id", "items.id")
    ->where("items.left_ptr <=", $item->left_ptr)
    ->where("items.right_ptr >", $item->right_ptr)
    ->find_all()
    ->as_array();
  $user_ids = array();
  foreach ($rows as $row) {
    $user_ids[] = $row->user_id;
  }

  // Resolve the ids through the user module rather than reading the users table directly.
  $users = user::get_user_list(array("in" => array("id", $user_ids),
                                     "where" => array("email IS NOT" => null)));

  // Keyed by address so duplicates collapse.
  $emails = array();
  foreach ($users as $user) {
    if (access::user_can($user, "view", $item)) {
      $emails[$user->email] = 1;
    }
  }
  return array_keys($emails);
}
/**
 * Find the email addresses of users subscribed to an item whose nested-set range
 * (left_ptr, right_ptr) encloses this item, keeping only users who can view it and have an
 * address on file.
 *
 * @param Item_Model $item
 * @return array list of distinct email addresses (empty when nobody is subscribed)
 */
static function get_subscribers($item) {
  // Collect the ids of everyone subscribed to an enclosing item.
  $rows = ORM::factory("subscription")
    ->select("user_id")
    ->join("items", "subscriptions.item_id", "items.id")
    ->where("items.left_ptr", "<=", $item->left_ptr)
    ->where("items.right_ptr", ">", $item->right_ptr)
    ->find_all()
    ->as_array();
  $user_ids = array();
  foreach ($rows as $row) {
    $user_ids[] = $row->user_id;
  }
  if (empty($user_ids)) {
    return array();
  }

  // Resolve through the identity provider; the view check runs before the email check,
  // as in the original ordering.
  $emails = array();
  foreach (identity::get_user_list($user_ids) as $user) {
    if (!access::user_can($user, "view", $item) || empty($user->email)) {
      continue;
    }
    $emails[$user->email] = 1;
  }
  return array_keys($emails);
}
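/**
 * If the gallery is only available to registered users and the user is not logged in, present
 * the login page.
 *
 * A controller that must stay reachable by guests on a private gallery opts out by defining
 * the class constant ALLOW_PRIVATE_GALLERY = true. A controller class that cannot be reflected
 * (e.g. it does not exist) is treated as not allowed, so the guest is sent to login.
 */
static function private_gallery() {
  if (!identity::active_user()->guest
      || access::user_can(identity::guest(), "view", item::root())
      || php_sapi_name() == "cli") {
    return;
  }

  try {
    $class = new ReflectionClass(ucfirst(Router::$controller) . '_Controller');
    $allowed = $class->getConstant("ALLOW_PRIVATE_GALLERY") === true;
  } catch (ReflectionException $e) {
    // ReflectionClass throws ReflectionException when the class can't be loaded; the
    // previous catch clause named ReflectionClass itself and so never matched. Fail closed.
    $allowed = false;
  }
  if ($allowed) {
    return;
  }

  if (Router::$controller == "admin") {
    // At this point we're in the admin theme and it doesn't have a themed login page, so
    // we can't just swap in the login controller and have it work. So redirect back to the
    // root item where we'll run this code again with the site theme.
    url::redirect(item::root()->abs_url());
  } else {
    // Remember where the guest was heading, then route this request to the login page.
    Session::instance()->set("continue_url", url::abs_current());
    Router::$controller = "login";
    Router::$controller_path = MODPATH . "gallery/controllers/login.php";
    Router::$method = "html";
  }
}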
/**
 * Same as ORM::as_array() but convert id fields into their RESTful form.
 *
 * Item ids (parent, album cover) become REST URLs; file, resize and thumb URLs and sizes
 * are added subject to the caller's permissions; internal bookkeeping columns are dropped.
 *
 * @param array if specified, only return the named fields
 * @return array
 */
public function as_restful_array($fields = array()) {
  if ($fields) {
    // Requested subset only; isset() means a field currently holding null is left out.
    $data = array();
    foreach ($fields as $name) {
      if (isset($this->object[$name])) {
        $data[$name] = $this->__get($name);
      }
    }
    // Flipped so the per-field checks below are plain key lookups.
    $fields = array_flip($fields);
  } else {
    $data = $this->as_array();
  }
  $everything = empty($fields);

  // Convert item ids to rest URLs for consistency
  if ($everything || isset($fields["parent"])) {
    $parent = $this->parent();
    if ($parent) {
      $data["parent"] = rest::url("item", $parent);
    }
    unset($data["parent_id"]);
  }
  if ($everything || isset($fields["album_cover"])) {
    $cover = $this->album_cover();
    if ($cover) {
      $data["album_cover"] = rest::url("item", $cover);
    }
    unset($data["album_cover_item_id"]);
  }
  if ($everything || isset($fields["web_url"])) {
    $data["web_url"] = $this->abs_url();
  }

  // Full-size data for non-albums is gated on the caller's view_full; the "_public" URL
  // variant is only offered when the guest user holds view_full as well.
  if (!$this->is_album() && access::can("view_full", $this)) {
    if ($everything || isset($fields["file_url"])) {
      $data["file_url"] = rest::url("data", $this, "full");
    }
    if ($everything || isset($fields["file_size"])) {
      $data["file_size"] = filesize($this->file_path());
    }
    if (access::user_can(identity::guest(), "view_full", $this)
        && ($everything || isset($fields["file_url_public"]))) {
      $data["file_url_public"] = $this->file_url(true);
    }
  }

  if ($this->is_photo()) {
    if ($everything || isset($fields["resize_url"])) {
      $data["resize_url"] = rest::url("data", $this, "resize");
    }
    if ($everything || isset($fields["resize_size"])) {
      $data["resize_size"] = filesize($this->resize_path());
    }
    if (access::user_can(identity::guest(), "view", $this)
        && ($everything || isset($fields["resize_url_public"]))) {
      $data["resize_url_public"] = $this->resize_url(true);
    }
  }

  if ($this->has_thumb()) {
    if ($everything || isset($fields["thumb_url"])) {
      $data["thumb_url"] = rest::url("data", $this, "thumb");
    }
    if ($everything || isset($fields["thumb_size"])) {
      $data["thumb_size"] = filesize($this->thumb_path());
    }
    if (access::user_can(identity::guest(), "view", $this)
        && ($everything || isset($fields["thumb_url_public"]))) {
      $data["thumb_url_public"] = $this->thumb_url(true);
    }
  }

  if ($everything || isset($fields["can_edit"])) {
    $data["can_edit"] = access::can("edit", $this);
  }

  // Elide some internal-only data that is going to cause confusion in the client.
  $internal_keys = array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr",
                         "thumb_dirty", "resize_dirty", "weight");
  foreach ($internal_keys as $key) {
    unset($data[$key]);
  }
  return $data;
}
/**
 * A user who belongs to no groups must not be able to view an album on which both
 * everybody and registered_users are denied view.
 */
public function user_can_no_access_test() {
  $album = test::random_album();
  access::deny(identity::everybody(), "view", $album);
  access::deny(identity::registered_users(), "view", $album);

  // Strip every group membership so no group grant can let access through.
  $loner = identity::create_user("access_test", "Access Test", "*****", "*****@*****.**");
  foreach ($loner->groups() as $group) {
    $loner->remove($group);
  }
  $loner->save();

  $this->assert_false(access::user_can($loner, "view", $album), "Should be unable to view");
}
/**
 * A user who belongs to no groups must not be able to view an album on which both
 * everybody and registered_users are denied view.
 */
public function user_can_no_access_test() {
  $root = ORM::factory("item", 1);
  $album = album::create($root, rand(), "test album");
  access::deny(group::everybody(), "view", $album);
  access::deny(group::registered_users(), "view", $album);

  // Strip every group membership so no group grant can let access through.
  $loner = user::create("access_test", "Access Test", "");
  foreach ($loner->groups as $group) {
    $loner->remove($group);
  }
  $loner->save();

  $this->assert_false(access::user_can($loner, "view", $album), "Should be unable to view");
}
echo $layout; ?> " data-width="180" data-show-faces="<?php echo $show_faces; ?> " data-action="<?php echo $action; ?> "></div> <?php } } ?> </div> <?php /** * Only show the like button, css and JS if the item is vewable by the guest user * as facebook is a guest user to get the thumb of the item. If this is a dynamic * album then use the root album to check to see if the guest has permissions. */ $guest = user::lookup("1"); $item = ""; if ($theme->item()) { $item = $theme->item(); } else { $item = ORM::factory("item", 1); } if (access::user_can($guest, "view", $item)) { $show_like_code = true; }
/**
 * Does the active user have this permission on this item?
 *
 * Convenience wrapper around access::user_can() for the currently active (possibly guest)
 * user.
 *
 * @param string $perm_name
 * @param Item_Model $item
 * @return boolean
 */
static function can($perm_name, $item) {
  $active_user = identity::active_user();
  return access::user_can($active_user, $perm_name, $item);
}
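/**
 * Add the login entry (for guests) or the profile and logout entries (for logged-in users)
 * to the user menu.
 *
 * @param Menu       $menu  menu to append to
 * @param Theme_View $theme current theme view; its page_subtype and item decide what is shown
 */
static function user_menu($menu, $theme) {
  if ($theme->page_subtype == "login") {
    return;
  }

  $user = identity::active_user();
  if ($user->guest) {
    $menu->append(Menu::factory("dialog")
                  ->id("user_menu_login")
                  ->css_id("g-login-link")
                  ->url(url::site("login/ajax"))
                  ->label(t("Login")));
    return;
  }

  // Logout changes state, so its link carries the CSRF token.
  $csrf = access::csrf_token();
  $menu->append(Menu::factory("link")
                ->id("user_menu_edit_profile")
                ->css_id("g-user-profile-link")
                ->view("login_current_user.html")
                ->url(user_profile::url($user->id))
                ->label($user->display_name()));

  // Pick a landing page the soon-to-be guest can still see after logging out.
  if (Router::$controller == "admin") {
    $continue_url = url::abs_site("");
  } else {
    $item = $theme->item();
    if ($item) {
      // Check the same object the URL is built from; the previous code read $theme->item
      // via property access here while using $item for the URL.
      if (access::user_can(identity::guest(), "view", $item)) {
        $continue_url = $item->abs_url();
      } else {
        $continue_url = item::root()->abs_url();
      }
    } else {
      $continue_url = url::abs_current();
    }
  }
  $menu->append(Menu::factory("link")
                ->id("user_menu_logout")
                ->css_id("g-logout-link")
                ->url(url::site("logout?csrf={$csrf}&continue_url=" . urlencode($continue_url)))
                ->label(t("Logout")));
}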
/**
 * Owning a photo does not by itself grant view: with the owner stripped of all groups and
 * everybody denied view on the album, the owner still cannot view their own photo.
 */
public function owner_cant_view_photo_test() {
  $owner = user::create("access_test", "Access Test", "");
  foreach ($owner->groups as $group) {
    $owner->remove($group);
  }
  $owner->save();

  $root = ORM::factory("item", 1);
  $album = album::create($root, rand(), "test album");
  access::deny(group::everybody(), "view", $album);

  $photo = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $owner->id);
  $this->assert_false(access::user_can($owner, "view", $photo), "Should not be able to view");
}
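/**
 * Handle the Gallery Remote "fetch-album-images" command: list the viewable children of an
 * album into the reply, images with their metadata and (unless albums_too=no) child albums.
 *
 * POST parameters read:
 *   set_albumName  item id of the album, or '0' for the root album
 *   albums_too     yes/no [optional, since 2.13]; 'no' omits child albums
 * The optional G2 parameters random, limit, extrafields [since 2.12] and all_sizes
 * [since 2.14] are not implemented here and are ignored.
 *
 * @param object $input  request input exposing post()
 * @param object $reply  remote-protocol reply exposing set() and send()
 */
private function _fetch_album_images(&$input, &$reply) {
  $name = trim($input->post('set_albumName'));
  $albums = trim($input->post('albums_too'));

  // '0' is the protocol's name for the root album; anything else is an item id. The
  // previous code assigned the root here and then unconditionally overwrote it with an
  // id lookup, so '0' could never resolve.
  if ($name == '0') {
    $album = item::root();
  } else {
    $album = ORM::factory("item")->where("id", "=", $name)->find();
  }

  // Missing and not-viewable albums get the same NO_VIEW_PERMISSION reply, which also
  // keeps a remote client from learning which ids exist.
  if (!$album->loaded() || $album->id == '' || !access::can('view', $album)) {
    $reply->set('status_text', t('Failed to load album with name %name.', array('name' => $name)));
    $reply->send(gallery_remote::NO_VIEW_PERMISSION);
    return;
  }

  if ($albums != 'no') {
    $children = ORM::factory("item")->where("parent_id", "=", $album->id)->find_all();
  } else {
    $children = ORM::factory("item")
      ->where("parent_id", "=", $album->id)
      ->where("type", "<>", "album")
      ->find_all();
  }

  $reply->set('status_text', 'Album images query successful.');
  $reply->set('album.caption', $album->title);
  $reply->set('album.extrafields', 'Summary');

  // $count is the 1-based slot in the reply; albums and images share the numbering.
  $count = 0;
  $last_image = null;
  foreach ($children as $child) {
    if (!access::can('view', $child)) {
      continue;
    }
    $count++;
    if ($child->type == "album") {
      $reply->set('album.name.' . $count, $child->id);
    } else {
      $this->_set_remote_image_fields($reply, $count, $child);
      $last_image = $child;
    }
  }
  $reply->set('image_count', $count);

  // The baseurl contains a fully-qualified URL. A URL to each image can be obtained by
  // appending the filename of the image to this. Derive it from the last image actually
  // listed (the previous code used whatever child the loop ended on, viewable or not),
  // falling back to the album's own URL.
  if ($last_image !== null) {
    $url = $last_image->file_url(true);
    $slash = strrpos($url, '/');
    $reply->set('baseurl', $slash !== false ? substr($url, 0, $slash + 1) : $url);
  } else {
    $reply->set('baseurl', $album->abs_url());
  }
  $reply->send();
}

/**
 * Fill in the per-image reply fields for one viewable, non-album item.
 *
 * Not implemented (G2 protocol fields): image.resizedNum, image.resized.<n>.name/width/height
 * [since 2.14] and image.extrafield.<fieldname>.
 *
 * @param object     $reply remote-protocol reply exposing set()
 * @param int        $index 1-based slot of this image in the reply
 * @param Item_Model $item  the image (photo or movie; presumably anything whose type is not
 *                          "album" — confirm against the item model)
 */
private function _set_remote_image_fields($reply, $index, $item) {
  $path = $item->file_path();
  $info = pathinfo($path);

  $reply->set('image.name.' . $index, $item->id);
  $reply->set('image.raw_width.' . $index, $item->width);
  $reply->set('image.raw_height.' . $index, $item->height);
  $reply->set('image.raw_filesize.' . $index, filesize($path));
  // g3 stores resizes and thumbs differently than g1, so the item name stands in for both.
  $reply->set('image.resizedName.' . $index, $item->name);
  $reply->set('image.resized_width.' . $index, $item->resize_width);
  $reply->set('image.resized_height.' . $index, $item->resize_height);
  $reply->set('image.thumbName.' . $index, $item->name);
  $reply->set('image.thumb_width.' . $index, $item->thumb_width);
  $reply->set('image.thumb_height.' . $index, $item->thumb_height);
  $reply->set('image.caption.' . $index, $item->title);
  $reply->set('image.title.' . $index, $item->name);
  $reply->set('image.extrafield.summary.' . $index, $item->description);
  $reply->set('image.clicks.' . $index, $item->view_count);
  $reply->set('image.capturedate.year.' . $index, date("Y", $item->captured));
  $reply->set('image.capturedate.mon.' . $index, date("m", $item->captured));
  $reply->set('image.capturedate.mday.' . $index, date("d", $item->captured));
  $reply->set('image.capturedate.hours.' . $index, date("H", $item->captured));
  $reply->set('image.capturedate.minutes.' . $index, date("i", $item->captured));
  $reply->set('image.capturedate.seconds.' . $index, date("s", $item->captured));
  // A file with no extension has no 'extension' key in pathinfo(); send an empty string
  // instead of raising a notice.
  $reply->set('image.forceExtension.' . $index,
              isset($info['extension']) ? $info['extension'] : '');
  // "hidden" means the anonymous guest user cannot view it, regardless of the caller.
  $reply->set('image.hidden.' . $index,
              access::user_can(identity::guest(), 'view', $item) ? 'no' : 'yes');
}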