static function initialize()
{
$db = Database::instance();
$db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n DEFAULT CHARSET=utf8;");
$everybody = ORM::factory("group");
$everybody->name = "Everybody";
$everybody->special = true;
$everybody->save();
$registered = ORM::factory("group");
$registered->name = "Registered Users";
$registered->special = true;
$registered->save();
$guest = ORM::factory("user");
$guest->name = "guest";
$guest->full_name = "Guest User";
$guest->password = "";
$guest->guest = true;
$guest->save();
$admin = ORM::factory("user");
$admin->name = "admin";
$admin->full_name = "Gallery Administrator";
$admin->password = "******";
$admin->email = "*****@*****.**";
$admin->admin = true;
$admin->save();
$root = ORM::factory("item", 1);
access::allow($everybody, "view", $root);
access::allow($everybody, "view_full", $root);
access::allow($registered, "view", $root);
access::allow($registered, "view_full", $root);
module::set_version("user", 2);
module::set_var("user", "mininum_password_length", 5);
}
static function install()
{
$db = Database::instance();
$version = module::get_version("user");
if ($version == 0) {
$db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;");
$everybody = group::create("Everybody");
$everybody->special = true;
$everybody->save();
$registered = group::create("Registered Users");
$registered->special = true;
$registered->save();
$guest = user::create("guest", "Guest User", "");
$guest->guest = true;
$guest->remove($registered);
$guest->save();
$admin = user::create("admin", "Gallery Administrator", "admin");
$admin->admin = true;
$admin->save();
// Let the admin own everything
$db->update("items", array("owner_id" => $admin->id), array("owner_id" => "IS NULL"));
module::set_version("user", 1);
$root = ORM::factory("item", 1);
access::allow($everybody, "view", $root);
access::allow($everybody, "view_full", $root);
access::allow($registered, "view", $root);
access::allow($registered, "view_full", $root);
}
}
/**
* Create an album for the newly created user and give him view and edit permissions.
*/
static function user_created($user)
{
// Create a group with the same name, if necessary
$group_name = "auto: {$user->name}";
$group = identity::lookup_group_by_name($group_name);
if (!$group) {
$group = identity::create_group($group_name);
identity::add_user_to_group($user, $group);
}
// Create an album for the user, if it doesn't exist
$album = ORM::factory("item")->where("parent_id", "=", item::root()->id)->where("name", "=", $user->name)->find();
if (!$album->loaded()) {
$album->type = "album";
$album->name = $user->name;
$album->title = "{$user->name}'s album";
$album->parent_id = item::root()->id;
$album->sort_column = "weight";
$album->sort_order = "asc";
$album->save();
access::allow($group, "view", item::root());
access::allow($group, "view_full", $album);
access::allow($group, "edit", $album);
access::allow($group, "add", $album);
}
}
function change($command, $group_id, $perm_id, $item_id)
{
access::verify_csrf();
$group = identity::lookup_group($group_id);
$perm = ORM::factory("permission", $perm_id);
$item = ORM::factory("item", $item_id);
access::required("view", $item);
access::required("edit", $item);
if (!empty($group) && $perm->loaded() && $item->loaded()) {
switch ($command) {
case "allow":
access::allow($group, $perm->name, $item);
break;
case "deny":
access::deny($group, $perm->name, $item);
break;
case "reset":
access::reset($group, $perm->name, $item);
break;
}
// If the active user just took away their own edit permissions, give it back.
if ($perm->name == "edit") {
if (!access::user_can(identity::active_user(), "edit", $item)) {
access::allow($group, $perm->name, $item);
}
}
}
}
public function post_test()
{
access::allow(identity::everybody(), "edit", item::root());
$request = new stdClass();
$request->params = new stdClass();
$request->params->name = "test tag";
$this->assert_equal(array("url" => url::site("rest/tag/1")), tags_rest::post($request));
}
static function initialize()
{
module::set_version("ldap", 1);
$root = item::root();
foreach (IdentityProvider::instance()->groups() as $group) {
module::event("group_created", $group);
access::allow($group, "view", $root);
access::allow($group, "view_full", $root);
}
}
public function post_test()
{
$tag = test::random_tag();
// Create an editable item to be tagged
$album = test::random_album();
access::allow(identity::everybody(), "edit", $album);
// Add the album to the tag
$request->url = rest::url("tag", $tag);
$request->params->url = rest::url("item", $album);
$this->assert_equal_array(array("url" => rest::url("tag_item", $tag, $album)), tag_rest::post($request));
}
static function install()
{
module::set_version("ldap", 1);
$root = item::root();
$ldap_provider = new IdentityProvider("ldap");
foreach ($ldap_provider->groups() as $group) {
module::event("group_created", $group);
access::allow($group, "view", $root);
access::allow($group, "view_full", $root);
}
}
public function cant_view_comments_for_unviewable_items_test()
{
$root = ORM::factory("item", 1);
$album = album::create($root, rand(), rand(), rand());
$comment = comment::create($album, user::guest(), "text", "name", "email", "url");
user::set_active(user::guest());
// We can see the comment when permissions are granted on the album
access::allow(group::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all());
// We can't see the comment when permissions are denied on the album
access::deny(group::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all());
}
public function viewable_test()
{
$album = test::random_album();
$item = test::random_photo($album);
$album->reload();
identity::set_active_user(identity::guest());
// We can see the item when permissions are granted
access::allow(identity::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
// We can't see the item when permissions are denied
access::deny(identity::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
}
public function viewable_test()
{
$root = ORM::factory("item", 1);
$album = album::create($root, rand(), rand(), rand());
$item = self::_create_random_item($album);
identity::set_active_user(identity::guest());
// We can see the item when permissions are granted
access::allow(identity::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
// We can't see the item when permissions are denied
access::deny(identity::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
}
public function change_album_no_csrf_fails_test()
{
$controller = new Albums_Controller();
$album = test::random_album();
$_POST["name"] = "new name";
$_POST["title"] = "new title";
$_POST["description"] = "new description";
access::allow(identity::everybody(), "edit", item::root());
try {
$controller->update($album->id);
$this->assert_true(false, "This should fail");
} catch (Exception $e) {
// pass
$this->assert_same("@todo FORBIDDEN", $e->getMessage());
}
}
public function cant_view_comments_for_unviewable_items_test()
{
$album = test::random_album();
$comment = ORM::factory("comment");
$comment->item_id = $album->id;
$comment->author_id = identity::admin_user()->id;
$comment->text = "text";
$comment->save();
identity::set_active_user(identity::guest());
// We can see the comment when permissions are granted on the album
access::allow(identity::everybody(), "view", $album);
$this->assert_true(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
// We can't see the comment when permissions are denied on the album
access::deny(identity::everybody(), "view", $album);
$this->assert_false(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
}
public function change_photo_no_csrf_fails_test()
{
$controller = new Photos_Controller();
$root = ORM::factory("item", 1);
$photo = photo::create($root, MODPATH . "gallery/tests/test.jpg", "test", "test", "test");
$_POST["name"] = "new name";
$_POST["title"] = "new title";
$_POST["description"] = "new description";
access::allow(group::everybody(), "edit", $root);
try {
$controller->_update($photo);
$this->assert_true(false, "This should fail");
} catch (Exception $e) {
// pass
}
}
public function change_album_no_csrf_fails_test()
{
$controller = new Albums_Controller();
$root = ORM::factory("item", 1);
$this->_album = album::create($root, "test", "test", "test");
$_POST["name"] = "new name";
$_POST["title"] = "new title";
$_POST["description"] = "new description";
access::allow(group::everybody(), "edit", $root);
try {
$controller->_update($this->_album);
$this->assert_true(false, "This should fail");
} catch (Exception $e) {
// pass
}
}
function change($command, $group_id, $perm_id, $item_id)
{
access::verify_csrf();
$group = ORM::factory("group", $group_id);
$perm = ORM::factory("permission", $perm_id);
$item = ORM::factory("item", $item_id);
access::required("edit", $item);
if ($group->loaded && $perm->loaded && $item->loaded) {
switch ($command) {
case "allow":
access::allow($group, $perm->name, $item);
break;
case "deny":
access::deny($group, $perm->name, $item);
break;
case "reset":
access::reset($group, $perm->name, $item);
break;
}
}
}
static function install()
{
$db = Database::instance();
$db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;");
$db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n DEFAULT CHARSET=utf8;");
$everybody = group::create("Everybody");
$everybody->special = true;
$everybody->save();
$registered = group::create("Registered Users");
$registered->special = true;
$registered->save();
$guest = user::create("guest", "Guest User", "");
$guest->guest = true;
$guest->remove($registered);
$guest->save();
$admin = user::create("admin", "Gallery Administrator", "admin");
$admin->admin = true;
$admin->save();
$current_provider = module::get_var("gallery", "identity_provider");
if (empty($current_provider)) {
// If there is no provider defined then we are doing an initial install
// so we need to set the provider and make the administrator own everything
// If the installer is called and there is an identity provider, then we
// are switching identity providers and and the event handlers will do the
// right things
module::set_var("gallery", "identity_provider", "user");
// Let the admin own everything
$db->query("update {items} set owner_id = {$admin->id}");
}
$root = ORM::factory("item", 1);
access::allow($everybody, "view", $root);
access::allow($everybody, "view_full", $root);
access::allow($registered, "view", $root);
access::allow($registered, "view_full", $root);
module::set_var("user", "mininum_password_length", 5);
module::set_version("user", 2);
}
public function delete_album_test()
{
$album1 = test::random_album();
access::allow(identity::everybody(), "edit", $album1);
$request->url = rest::url("item", $album1);
item_rest::delete($request);
$album1->reload();
$this->assert_false($album1->loaded());
}
/**
* Imports G2 permissions, mapping G2's permission model to G3's
* much simplified permissions.
*
* - Ignores user permissions, G3 only supports group permissions.
* - Ignores item permissions, G3 only supports album permissions.
*
* G2 permission -> G3 permission
* ---------------------------------
* core.view view
* core.viewSource view_full
* core.edit edit
* core.addDataItem add
* core.addAlbumItem add
* core.viewResizes <ignored>
* core.delete <ignored>
* comment.* <ignored>
*/
private static function _import_permissions($g2_album, $g3_album)
{
// No need to do anything if this album has the same G2 ACL as its parent.
if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) {
return;
}
$granted_permissions = self::_map_permissions($g2_album->getId());
if ($g2_album->getParentId() == null) {
// Compare to current permissions, and change them if necessary.
$g3_parent_album = item::root();
} else {
$g3_parent_album = $g3_album->parent();
}
$granted_parent_permissions = array();
$perm_ids = array_unique(array_values(self::$_permission_map));
foreach (identity::groups() as $group) {
$granted_parent_permissions[$group->id] = array();
foreach ($perm_ids as $perm_id) {
if (access::group_can($group, $perm_id, $g3_parent_album)) {
$granted_parent_permissions[$group->id][$perm_id] = 1;
}
}
}
// Note: Only registering permissions if they're not the same as
// the inherited ones.
foreach ($granted_permissions as $group_id => $permissions) {
if (!isset($granted_parent_permissions[$group_id])) {
foreach (array_keys($permissions) as $perm_id) {
access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
}
} else {
if ($permissions != $granted_parent_permissions[$group_id]) {
$parent_permissions = $granted_parent_permissions[$group_id];
// @todo Probably worth caching the group instances.
$group = identity::lookup_group($group_id);
// Note: Cannot use array_diff_key.
foreach (array_keys($permissions) as $perm_id) {
if (!isset($parent_permissions[$perm_id])) {
access::allow($group, $perm_id, $g3_album);
}
}
foreach (array_keys($parent_permissions) as $perm_id) {
if (!isset($permissions[$perm_id])) {
access::deny($group, $perm_id, $g3_album);
}
}
}
}
}
foreach ($granted_parent_permissions as $group_id => $parent_permissions) {
if (isset($granted_permissions[$group_id])) {
continue;
// handled above
}
$group = identity::lookup_group($group_id);
foreach (array_keys($parent_permissions) as $perm_id) {
access::deny($group, $perm_id, $g3_album);
}
}
}
public function moved_items_inherit_new_permissions_test()
{
identity::set_active_user(identity::lookup_user_by_name("admin"));
$public_album = test::random_album();
$public_photo = test::random_photo($public_album);
access::allow(identity::everybody(), "view", $public_album);
access::allow(identity::everybody(), "edit", $public_album);
item::root()->reload();
// Account for MPTT changes
$private_album = test::random_album();
access::deny(identity::everybody(), "view", $private_album);
access::deny(identity::everybody(), "edit", $private_album);
$private_photo = test::random_photo($private_album);
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo));
$this->assert_true(access::group_can(identity::everybody(), "view", $private_photo));
$this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo));
}
static function album_add_form_completed($album, $form)
{
if ($form->privacy->private->checked) {
$username = $form->privacy->username->value;
$password = $form->privacy->password->value;
// TODO validation
// create a group based on username
$group = identity::create_group($username);
// create a user based on username
$user = identity::create_user($username, $username, $password, $username . "@unknown.com");
identity::add_user_to_group($user, $group);
// create user home
$home = ORM::factory("user_home")->where("id", "=", $user->id)->find();
$home->id = $user->id;
$home->home = $album->id;
$home->save();
// reload album
$album->reload();
// set permissions
// deny all groups.
$groups = ORM::factory("group")->find_all();
foreach ($groups as $group2) {
if ($group->id != $group2->id) {
access::deny($group2, "view", $album);
access::deny($group2, "view_full", $album);
}
}
// deny all other albums
$albums = ORM::factory("item")->where("type", "=", "album")->find_all();
foreach ($albums as $albumt) {
access::deny($group, "view", $albumt);
}
// allow access to newly created group
access::allow($group, "view_full", $album);
$parents = $album->parents();
foreach ($parents as $parent) {
access::allow($group, "view", $parent);
}
access::allow($group, "view", $album);
}
}
public function everybody_view_full_permission_maintains_htaccess_files_test()
{
$root = ORM::factory("item", 1);
$album = album::create($root, rand(), "test album");
$this->assert_false(file_exists($album->file_path() . "/.htaccess"));
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
access::deny(group::everybody(), "view_full", $album);
$this->assert_true(file_exists($album->file_path() . "/.htaccess"));
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
access::allow(group::everybody(), "view_full", $album);
$this->assert_false(file_exists($album->file_path() . "/.htaccess"));
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
access::deny(group::everybody(), "view_full", $album);
$this->assert_true(file_exists($album->file_path() . "/.htaccess"));
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
access::reset(group::everybody(), "view_full", $album);
$this->assert_false(file_exists($album->file_path() . "/.htaccess"));
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
}
public function moved_items_inherit_new_permissions_test()
{
user::set_active(user::lookup_by_name("admin"));
$root = ORM::factory("item", 1);
$public_album = album::create($root, rand(), "public album");
$public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", "");
access::allow(group::everybody(), "view", $public_album);
$root->reload();
// Account for MPTT changes
$private_album = album::create($root, rand(), "private album");
access::deny(group::everybody(), "view", $private_album);
$private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", "");
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(group::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(group::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(group::everybody(), "view", $public_photo));
$this->assert_true(access::group_can(group::everybody(), "view", $private_photo));
}
