ファイル: permissions.php プロジェクト: JasonWiki/docs
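 /**
  * Change one permission bit for a group on an item (admin UI action).
  *
  * Requires a valid CSRF token and an active user holding both "view" and
  * "edit" on the item; access::required() is the project's guard (not visible
  * here) and is expected to stop the request otherwise. An unknown group,
  * permission or item id, and an unknown $command, are silent no-ops.
  *
  * @param string     $command  "allow", "deny" or "reset"
  * @param int|string $group_id id resolved through identity::lookup_group()
  * @param int|string $perm_id  id of the "permission" row
  * @param int|string $item_id  id of the "item" row
  */
 function change($command, $group_id, $perm_id, $item_id)
 {
     access::verify_csrf();
     $group = identity::lookup_group($group_id);
     $perm = ORM::factory("permission", $perm_id);
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
     access::required("edit", $item);
     // Only act when every referenced object actually exists.
     if (empty($group) || !$perm->loaded() || !$item->loaded()) {
         return;
     }
     // $command is request-controlled: compare strictly instead of relying on
     // switch's loose == (in PHP < 8 an integer 0 would match a string case).
     if ($command === "allow") {
         access::allow($group, $perm->name, $item);
     } elseif ($command === "deny") {
         access::deny($group, $perm->name, $item);
     } elseif ($command === "reset") {
         access::reset($group, $perm->name, $item);
     }
     // If the active user just took away their own edit permission, give it
     // back so they cannot lock themselves out of the item.
     if ($perm->name === "edit" && !access::user_can(identity::active_user(), "edit", $item)) {
         access::allow($group, $perm->name, $item);
     }
 }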
 /**
  * Build a digibug_proxy row for a fresh photo whose album hides "view_full"
  * from everybody and from registered users.
  *
  * @return mixed whatever ORM::save() returns (presumably the proxy itself)
  */
 private function _get_proxy()
 {
     $hidden_album = test::random_album();
     $photo = test::random_photo($hidden_album);
     // The proxy is only meaningful when the originals are not publicly viewable.
     $perm = "view_full";
     access::deny(identity::everybody(), $perm, $hidden_album);
     access::deny(identity::registered_users(), $perm, $hidden_album);
     $digibug_proxy = ORM::factory("digibug_proxy");
     $digibug_proxy->uuid = random::hash();
     $digibug_proxy->item_id = $photo->id;
     $saved = $digibug_proxy->save();
     return $saved;
 }
ファイル: Item_Helper_Test.php プロジェクト: viosca/gallery3
 /**
  * The viewable() scope follows the album's "view" bit: as the guest user the
  * item is counted only while everybody may view its album.
  */
 public function viewable_test()
 {
     $root = ORM::factory("item", 1);
     $album = album::create($root, rand(), rand(), rand());
     $item = self::_create_random_item($album);
     identity::set_active_user(identity::guest());
     $everybody = identity::everybody();
     // Granted: exactly one matching row is visible.
     access::allow($everybody, "view", $album);
     $visible = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
     $this->assert_equal(1, $visible);
     // Denied: the same query finds nothing.
     access::deny($everybody, "view", $album);
     $hidden = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
     $this->assert_equal(0, $hidden);
 }
 /**
  * The viewable() scope follows the album's "view" bit: as the guest user the
  * photo is counted only while everybody may view its album.
  */
 public function viewable_test()
 {
     $album = test::random_album();
     $item = test::random_photo($album);
     // Adding the photo changed the album row; pick up the fresh state.
     $album->reload();
     identity::set_active_user(identity::guest());
     $everybody = identity::everybody();
     // Granted: exactly one matching row is visible.
     access::allow($everybody, "view", $album);
     $visible = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
     $this->assert_equal(1, $visible);
     // Denied: the same query finds nothing.
     access::deny($everybody, "view", $album);
     $hidden = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
     $this->assert_equal(0, $hidden);
 }
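 /**
  * Posting a tag must be refused for a user without "edit" on the root item.
  *
  * The request object is built explicitly: the original wrote to an undefined
  * $request, which only worked through PHP's implicit stdClass creation
  * (a warning before PHP 8, an Error since).
  */
 public function post_fails_without_permissions_test()
 {
     access::deny(identity::everybody(), "edit", item::root());
     identity::set_active_user(identity::guest());
     $request = new stdClass();
     $request->params = new stdClass();
     $request->params->name = "test tag";
     try {
         tags_rest::post($request);
     } catch (Exception $e) {
         // The REST layer is expected to signal the refusal with code 403.
         $this->assert_equal(403, $e->getCode());
         return;
     }
     $this->assert_true(false, "Shouldnt get here");
 }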
ファイル: Comment_Model_Test.php プロジェクト: Okat/gallery3
 /**
  * Comment visibility follows the "view" bit of the album the comment is on:
  * as the guest user the comment is counted only while everybody may view it.
  */
 public function cant_view_comments_for_unviewable_items_test()
 {
     $root = ORM::factory("item", 1);
     $album = album::create($root, rand(), rand(), rand());
     $comment = comment::create($album, user::guest(), "text", "name", "email", "url");
     user::set_active(user::guest());
     $everybody = group::everybody();
     // Granted on the album: the comment shows up.
     access::allow($everybody, "view", $album);
     $visible = ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all();
     $this->assert_equal(1, $visible);
     // Denied on the album: the comment disappears.
     access::deny($everybody, "view", $album);
     $hidden = ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all();
     $this->assert_equal(0, $hidden);
 }
 /**
  * Fixture for this test class: an album whose originals are hidden from
  * everybody and from registered users, one photo in it, and a digibug_proxy
  * row pointing at that photo. $_SERVER is stashed in $this->_server
  * (presumably so teardown can restore it).
  */
 public function setup()
 {
     $this->_server = $_SERVER;
     $root = ORM::factory("item", 1);
     $this->_album = album::create($root, rand(), "test album");
     $perm = "view_full";
     access::deny(identity::everybody(), $perm, $this->_album);
     access::deny(identity::registered_users(), $perm, $this->_album);
     $seed = rand();
     $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "{$seed}.jpg", $seed, $seed);
     // md5(rand()) is only a throwaway fixture id; it is not a secure token.
     $proxy = ORM::factory("digibug_proxy");
     $proxy->uuid = md5(rand());
     $proxy->item_id = $this->_item->id;
     $proxy->save();
     $this->_proxy = $proxy;
 }
 /**
  * Comment visibility follows the "view" bit of the album the comment is on:
  * as the guest user the comment is found only while everybody may view it.
  */
 public function cant_view_comments_for_unviewable_items_test()
 {
     $album = test::random_album();
     // A comment by the admin user, attached directly to the album.
     $comment = ORM::factory("comment");
     $comment->item_id = $album->id;
     $comment->author_id = identity::admin_user()->id;
     $comment->text = "text";
     $comment->save();
     identity::set_active_user(identity::guest());
     $everybody = identity::everybody();
     // Granted on the album: the comment is counted.
     access::allow($everybody, "view", $album);
     $visible = ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all();
     $this->assert_true($visible);
     // Denied on the album: the count drops to zero.
     access::deny($everybody, "view", $album);
     $hidden = ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all();
     $this->assert_false($hidden);
 }
 /**
  * A guest asking the data REST resource for a thumb of a photo in an album
  * that denies "view" to everybody must get a Kohana_404_Exception, not data.
  */
 public function illegal_access_test()
 {
     $album = test::random_album();
     $photo = test::random_photo($album);
     // Adding the photo changed the album row; pick up the fresh state.
     $album->reload();
     access::deny(identity::everybody(), "view", $album);
     identity::set_active_user(identity::guest());
     $params = new stdClass();
     $params->size = "thumb";
     $request = new stdClass();
     $request->url = rest::url("data", $photo, "thumb");
     $request->params = $params;
     try {
         data_rest::get($request);
         // Reaching this line means the resource served a hidden item.
         $this->assert_true(false);
     } catch (Kohana_404_Exception $e) {
         // expected: hidden items are reported as missing
     }
 }
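 /**
  * Change one permission bit for a group on an item (admin UI action).
  *
  * Requires a valid CSRF token and "edit" on the item; access::required() is
  * the project's guard (not visible here) and is expected to stop the request
  * otherwise. An unknown group, permission or item id, and an unknown
  * $command, are silent no-ops.
  *
  * @param string     $command  "allow", "deny" or "reset"
  * @param int|string $group_id id of the "group" row
  * @param int|string $perm_id  id of the "permission" row
  * @param int|string $item_id  id of the "item" row
  */
 function change($command, $group_id, $perm_id, $item_id)
 {
     access::verify_csrf();
     $group = ORM::factory("group", $group_id);
     $perm = ORM::factory("permission", $perm_id);
     $item = ORM::factory("item", $item_id);
     access::required("edit", $item);
     // Only act when every referenced object actually exists.
     if (!$group->loaded || !$perm->loaded || !$item->loaded) {
         return;
     }
     // $command is request-controlled: compare strictly instead of relying on
     // switch's loose == (in PHP < 8 an integer 0 would match a string case).
     if ($command === "allow") {
         access::allow($group, $perm->name, $item);
     } elseif ($command === "deny") {
         access::deny($group, $perm->name, $item);
     } elseif ($command === "reset") {
         access::reset($group, $perm->name, $item);
     }
 }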
 /**
  * Final pass of the Gallery 1 import: rebuild the album thumbnails that the
  * main import left damaged, then deny "view" to everybody on every album
  * that was hidden in G1.
  *
  * Reads self::$album_dir (the G1 albums directory), self::$albums_flat (the
  * G1 album names to fix) and self::$albums_hidden (G1 album name => flag).
  * Errors are collected per album; one failing album does not stop the run.
  *
  * @return array list of translated status / error message strings
  */
 static function hotfix_all()
 {
     $messages = array();
     $messages[] = t('Running Hotfix');
     /* ON THE LAST RUN WE NEED TO RE-FIX ALL DAMAGED ALBUM THUMBS! */
     $albumDir = self::$album_dir;
     // Normalise to a trailing separator so paths can simply be concatenated.
     if (substr($albumDir, -1) != DIRECTORY_SEPARATOR) {
         $albumDir .= DIRECTORY_SEPARATOR;
     }
     foreach (self::$albums_flat as $g1_album) {
         // self::map() resolves the G1 album name to a G3 item id; falsy when unmapped.
         $album_id = self::map($g1_album, '', 'album');
         if (!$album_id) {
             $messages[] = t('Album %name not found', array('name' => $g1_album));
             continue;
         }
         $album = ORM::factory('item', $album_id);
         $importDir = $albumDir . $g1_album . DIRECTORY_SEPARATOR;
         try {
             require_once 'Gallery1DataParser.php';
             // getPhotos() yields (error, items); a null $result is treated as success.
             list($result, $items) = Gallery1DataParser::getPhotos($importDir);
             if ($result == null) {
                 foreach ($items as $object) {
                     // Only the album's highlight image (a G1Img) is used to rebuild the thumb.
                     if (isset($object->highlight) && $object->highlight == 1 && isset($object->highlightImage) && is_a($object->highlightImage, 'G1Img')) {
                         // NOTE(review): name/type come straight from the parsed G1 data and the
                         // copy source is not constrained to $importDir — confirm the parser
                         // rejects path components in them.
                         $g1_path = $importDir . $object->highlightImage->name . '.' . $object->highlightImage->type;
                         // @copy suppresses the warning; a false return just skips the metadata update.
                         if (is_file($g1_path) && @copy($g1_path, $album->thumb_path())) {
                             $album->thumb_height = $object->highlightImage->height;
                             $album->thumb_width = $object->highlightImage->width;
                             // The thumb on disk is now correct; stop the gallery from regenerating it.
                             $album->thumb_dirty = false;
                             $album->save();
                         }
                     }
                 }
             }
         } catch (Exception $e) {
             // Reported as a message, not rethrown: continue with the next album.
             $messages[] = (string) new G1_Import_Exception(t('Failed to copy thumb for album %name.', array('name' => $g1_album)), $e);
         }
     }
     /* ON THE LAST RUN WE NEED TO RE-FIX ALL ALBUM PERMISSIONS */
     foreach (self::$albums_hidden as $g1_album => $dummy) {
         try {
             // Unlike the thumb pass, an unmapped album is not checked here: it
             // yields an unloaded item — NOTE(review): confirm access::deny()
             // rejects that rather than reporting "Denying access" for nothing.
             $album_id = self::map($g1_album, '', 'album');
             $album = ORM::factory('item', $album_id);
             access::deny(identity::everybody(), 'view', $album);
             $messages[] = t('Denying access to %album', array('album' => $g1_album));
         } catch (Exception $e) {
             $messages[] = (string) new G1_Import_Exception(t('Failed to set access permission for hidden album %name.', array('name' => $g1_album)), $e);
         }
     }
     return $messages;
 }
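 /**
  * Deleting an album through the REST resource must be refused for a user
  * without "edit" on it.
  *
  * The request object is built explicitly: the original wrote to an undefined
  * $request, which only worked through PHP's implicit stdClass creation
  * (a warning before PHP 8, an Error since).
  */
 public function delete_album_fails_without_permission_test()
 {
     $album1 = test::random_album();
     access::deny(identity::everybody(), "edit", $album1);
     identity::set_active_user(identity::guest());
     $request = new stdClass();
     $request->url = rest::url("item", $album1);
     try {
         item_rest::delete($request);
     } catch (Exception $e) {
         // The refusal is currently identified by its message text.
         $this->assert_equal("@todo FORBIDDEN", $e->getMessage());
         return;
     }
     $this->assert_true(false, "Shouldn't get here");
 }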
ファイル: g2_import.php プロジェクト: squadak/gallery3
 /**
  * Imports G2 permissions, mapping G2's permission model to G3's
  * much simplified permissions.
  *
  *  - Ignores user permissions, G3 only supports group permissions.
  *  - Ignores item permissions, G3 only supports album permissions.
  *
  *  G2 permission   ->  G3 permission
  *  ---------------------------------
  *  core.view           view
  *  core.viewSource     view_full
  *  core.edit           edit
  *  core.addDataItem    add
  *  core.addAlbumItem   add
  *  core.viewResizes    <ignored>
  *  core.delete         <ignored>
  *  comment.*           <ignored>
  *
  * Only the differences from the G3 parent album's effective permissions are
  * written (access::allow / access::deny); an album whose G2 ACL is the same
  * as its parent's is left to inherit.
  *
  * @param object $g2_album  G2 album entity (getId(), getParentId())
  * @param object $g3_album  the already-created G3 item for that album
  */
 private static function _import_permissions($g2_album, $g3_album)
 {
     // No need to do anything if this album has the same G2 ACL as its parent.
     // (g2() wraps the G2 API call; the ACL ids are compared loosely.)
     if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) {
         return;
     }
     // Presumably group_id => array(perm_id => 1), the same shape as the
     // parent map built below (they are compared with != further down).
     $granted_permissions = self::_map_permissions($g2_album->getId());
     if ($g2_album->getParentId() == null) {
         // Compare to current permissions, and change them if necessary.
         $g3_parent_album = item::root();
     } else {
         $g3_parent_album = $g3_album->parent();
     }
     // Effective G3 permissions of the parent: group_id => array(perm_id => 1),
     // with an entry (possibly empty) for every group identity::groups() knows.
     $granted_parent_permissions = array();
     $perm_ids = array_unique(array_values(self::$_permission_map));
     foreach (identity::groups() as $group) {
         $granted_parent_permissions[$group->id] = array();
         foreach ($perm_ids as $perm_id) {
             if (access::group_can($group, $perm_id, $g3_parent_album)) {
                 $granted_parent_permissions[$group->id][$perm_id] = 1;
             }
         }
     }
     // Note: Only registering permissions if they're not the same as
     //       the inherited ones.
     foreach ($granted_permissions as $group_id => $permissions) {
         if (!isset($granted_parent_permissions[$group_id])) {
             // Group not returned by identity::groups(): nothing inherited,
             // so every granted bit is written explicitly.
             foreach (array_keys($permissions) as $perm_id) {
                 access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
             }
         } else {
             // Loose != on arrays: equal when both hold the same key/value pairs
             // regardless of order, which is what is wanted here.
             if ($permissions != $granted_parent_permissions[$group_id]) {
                 $parent_permissions = $granted_parent_permissions[$group_id];
                 // @todo Probably worth caching the group instances.
                 $group = identity::lookup_group($group_id);
                 // Note: Cannot use array_diff_key.
                 // Granted in G2 but not inherited in G3 -> allow.
                 foreach (array_keys($permissions) as $perm_id) {
                     if (!isset($parent_permissions[$perm_id])) {
                         access::allow($group, $perm_id, $g3_album);
                     }
                 }
                 // Inherited in G3 but not granted in G2 -> deny.
                 foreach (array_keys($parent_permissions) as $perm_id) {
                     if (!isset($permissions[$perm_id])) {
                         access::deny($group, $perm_id, $g3_album);
                     }
                 }
             }
         }
     }
     // Groups that inherit bits from the parent but have no G2 grant at all
     // lose every inherited bit on this album.
     foreach ($granted_parent_permissions as $group_id => $parent_permissions) {
         if (isset($granted_permissions[$group_id])) {
             continue; // handled above
         }
         $group = identity::lookup_group($group_id);
         foreach (array_keys($parent_permissions) as $perm_id) {
             access::deny($group, $perm_id, $g3_album);
         }
     }
 }
 /**
  * Moving an item must drop its old album's permissions and take on the new
  * album's: after swapping a photo between a public and a private album each
  * photo carries the "view"/"edit" bits of its new parent.
  */
 public function moved_items_inherit_new_permissions_test()
 {
     identity::set_active_user(identity::lookup_user_by_name("admin"));
     $public_album = test::random_album();
     $public_photo = test::random_photo($public_album);
     $everybody = identity::everybody();
     access::allow($everybody, "view", $public_album);
     access::allow($everybody, "edit", $public_album);
     // Account for MPTT changes
     item::root()->reload();
     $private_album = test::random_album();
     access::deny($everybody, "view", $private_album);
     access::deny($everybody, "edit", $private_album);
     $private_photo = test::random_photo($private_album);
     // Starting state: one public photo, one private photo.
     $this->assert_true(access::group_can($everybody, "view", $public_photo));
     $this->assert_false(access::group_can($everybody, "view", $private_photo));
     // Swap the photos. After each move every model is reloaded, in this
     // order, to get the new MPTT pointers and cached perms.
     $models = array($private_album, $public_album, $private_photo, $public_photo);
     item::move($public_photo, $private_album);
     foreach ($models as $model) {
         $model->reload();
     }
     item::move($private_photo, $public_album);
     foreach ($models as $model) {
         $model->reload();
     }
     // The public photo is now private and the private photo is now public.
     $this->assert_false(access::group_can($everybody, "view", $public_photo));
     $this->assert_false(access::group_can($everybody, "edit", $public_photo));
     $this->assert_true(access::group_can($everybody, "view", $private_photo));
     $this->assert_true(access::group_can($everybody, "edit", $private_photo));
 }
 /**
  * Denying "view_full" to everybody must write an .htaccess into the album's
  * originals directory, and allowing or resetting it must remove the file
  * again; the resize and thumb directories are never touched.
  */
 public function everybody_view_full_permission_maintains_htaccess_files_test()
 {
     $root = ORM::factory("item", 1);
     $album = album::create($root, rand(), "test album");
     $everybody = group::everybody();
     // Each step: the access call to make (null = none, i.e. the fresh
     // album) and whether the originals directory must then be protected.
     $steps = array(
         array(null, false),
         array("deny", true),
         array("allow", false),
         array("deny", true),
         array("reset", false),
     );
     foreach ($steps as $step) {
         list($op, $originals_protected) = $step;
         if ($op === "deny") {
             access::deny($everybody, "view_full", $album);
         } elseif ($op === "allow") {
             access::allow($everybody, "view_full", $album);
         } elseif ($op === "reset") {
             access::reset($everybody, "view_full", $album);
         }
         $has_htaccess = file_exists($album->file_path() . "/.htaccess");
         if ($originals_protected) {
             $this->assert_true($has_htaccess);
         } else {
             $this->assert_false($has_htaccess);
         }
         // Resize and thumb directories never get an .htaccess, whatever the bit's state.
         $this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
         $this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
     }
 }
 /**
  * Moving an item must drop its old album's permissions and take on the new
  * album's: after swapping a photo between a public and a private album each
  * photo carries the "view" bit of its new parent.
  */
 public function moved_items_inherit_new_permissions_test()
 {
     user::set_active(user::lookup_by_name("admin"));
     $root = ORM::factory("item", 1);
     $sample = MODPATH . "gallery/images/gallery.png";
     $public_album = album::create($root, rand(), "public album");
     $public_photo = photo::create($public_album, $sample, "", "");
     $everybody = group::everybody();
     access::allow($everybody, "view", $public_album);
     // Account for MPTT changes
     $root->reload();
     $private_album = album::create($root, rand(), "private album");
     access::deny($everybody, "view", $private_album);
     $private_photo = photo::create($private_album, $sample, "", "");
     // Starting state: one public photo, one private photo.
     $this->assert_true(access::group_can($everybody, "view", $public_photo));
     $this->assert_false(access::group_can($everybody, "view", $private_photo));
     // Swap the photos. After each move every model is reloaded, in this
     // order, to get the new MPTT pointers and cached perms.
     $models = array($private_album, $public_album, $private_photo, $public_photo);
     item::move($public_photo, $private_album);
     foreach ($models as $model) {
         $model->reload();
     }
     item::move($private_photo, $public_album);
     foreach ($models as $model) {
         $model->reload();
     }
     // The public photo is now private and the private photo is now public.
     $this->assert_false(access::group_can($everybody, "view", $public_photo));
     $this->assert_true(access::group_can($everybody, "view", $private_photo));
 }
ファイル: Item_Model_Test.php プロジェクト: HarriLu/gallery3
 /**
  * The "can_add" flag of the root item's REST representation must follow the
  * active user's "add" permission: set at first, cleared once "add" is denied
  * to everybody and the guest is the active user.
  */
 public function as_restful_array_with_add_bit_test()
 {
     $before = item::root()->as_restful_array();
     $this->assert_true($before["can_add"]);
     access::deny(identity::everybody(), "add", item::root());
     identity::set_active_user(identity::guest());
     $after = item::root()->as_restful_array();
     $this->assert_false($after["can_add"]);
 }
 /**
  * Serving an original through the file proxy must fail with a
  * Kohana_404_Exception (test_fail_code 5) when the guest user lacks
  * "view_full" on the photo's album.
  */
 public function need_view_full_permission_to_view_original_test()
 {
     $album = test::random_album();
     $photo = test::random_photo($album);
     // adding the photo changed the album in the db
     $album = $album->reload();
     $_SERVER["REQUEST_URI"] = url::file("var/albums/{$album->name}/{$photo->name}");
     $controller = new File_Proxy_Controller();
     access::deny(identity::everybody(), "view_full", $album);
     identity::set_active_user(identity::guest());
     $refused = false;
     try {
         $controller->__call("", array());
     } catch (Kohana_404_Exception $e) {
         $refused = true;
         // Code 5 identifies the "view_full" refusal among the proxy's 404 paths.
         $this->assert_same(5, $e->test_fail_code);
     }
     $this->assert_true($refused);
 }
 /**
  * Add-album form hook. When the "private" box is ticked, create a group and
  * a same-named user for the album, point the user's home at the album, and
  * rewrite "view"/"view_full" so that only that group can see the album
  * (plus "view" on the path of parent albums leading to it).
  *
  * NOTE(review): the username/password/e-mail values are used unvalidated
  * (the original "TODO validation" still stands) and the e-mail is
  * synthesised as "<username>@unknown.com"; both are kept unchanged here.
  *
  * @param object $album the newly created album item
  * @param object $form  the submitted form (privacy->private/username/password)
  */
 static function album_add_form_completed($album, $form)
 {
     if (!$form->privacy->private->checked) {
         return;
     }
     $username = $form->privacy->username->value;
     $password = $form->privacy->password->value;
     // TODO validation
     // One group and one user, both named after the submitted username.
     $group = identity::create_group($username);
     $user = identity::create_user($username, $username, $password, $username . "@unknown.com");
     identity::add_user_to_group($user, $group);
     // The new user's home album is this album.
     $home = ORM::factory("user_home")->where("id", "=", $user->id)->find();
     $home->id = $user->id;
     $home->home = $album->id;
     $home->save();
     // Pick up the album's current state before touching its permissions.
     $album->reload();
     // Every other group loses "view" and "view_full" on this album ...
     foreach (ORM::factory("group")->find_all() as $other_group) {
         if ($group->id == $other_group->id) {
             continue;
         }
         access::deny($other_group, "view", $album);
         access::deny($other_group, "view_full", $album);
     }
     // ... and the new group loses "view" on every album (this one included, for now).
     $all_albums = ORM::factory("item")->where("type", "=", "album")->find_all();
     foreach ($all_albums as $some_album) {
         access::deny($group, "view", $some_album);
     }
     // Finally grant the new group the album itself and "view" on the path to it.
     access::allow($group, "view_full", $album);
     foreach ($album->parents() as $ancestor) {
         access::allow($group, "view", $ancestor);
     }
     access::allow($group, "view", $album);
 }