public function print_photo($id)
{
access::verify_csrf();
$item = ORM::factory("item", $id);
access::required("view", $item);
if (access::group_can(identity::everybody(), "view_full", $item)) {
$full_url = $item->file_url(true);
$thumb_url = $item->thumb_url(true);
} else {
$proxy = ORM::factory("digibug_proxy");
$proxy->uuid = random::hash();
$proxy->item_id = $item->id;
$proxy->save();
$full_url = url::abs_site("digibug/print_proxy/full/{$proxy->uuid}/{$item->id}");
$thumb_url = url::abs_site("digibug/print_proxy/thumb/{$proxy->uuid}/{$item->id}");
}
$v = new View("digibug_form.html");
$v->order_params = array("digibug_api_version" => "100", "company_id" => module::get_var("digibug", "company_id"), "event_id" => module::get_var("digibug", "event_id"), "cmd" => "addimg", "partner_code" => "69", "return_url" => url::abs_site("digibug/close_window"), "num_images" => "1", "image_1" => $full_url, "thumb_1" => $thumb_url, "image_height_1" => $item->height, "image_width_1" => $item->width, "thumb_height_1" => $item->thumb_height, "thumb_width_1" => $item->thumb_width, "title_1" => html::purify($item->title));
print $v;
}
<th> <?php
echo p::clean($group->name);
?>
</th>
<? endforeach ?>
</tr>
<? foreach ($permissions as $permission): ?>
<tr>
<td> <?php
echo t($permission->display_name);
?>
</td>
<? foreach ($groups as $group): ?>
<? $intent = access::group_intent($group, $permission->name, $item) ?>
<? $allowed = access::group_can($group, $permission->name, $item) ?>
<? $lock = access::locked_by($group, $permission->name, $item) ?>
<? if ($lock): ?>
<td class="gDenied">
<img src="<?php
echo url::file('themes/default/images/ico-denied.png');
?>
" title="<?php
echo t('denied and locked through parent album');
?>
" alt="<?php
echo t('denied icon');
?>
" />
<a href="javascript:show(<?php
/**
* Imports G2 permissions, mapping G2's permission model to G3's
* much simplified permissions.
*
* - Ignores user permissions, G3 only supports group permissions.
* - Ignores item permissions, G3 only supports album permissions.
*
* G2 permission -> G3 permission
* ---------------------------------
* core.view view
* core.viewSource view_full
* core.edit edit
* core.addDataItem add
* core.addAlbumItem add
* core.viewResizes <ignored>
* core.delete <ignored>
* comment.* <ignored>
*/
private static function _import_permissions($g2_album, $g3_album)
{
// No need to do anything if this album has the same G2 ACL as its parent.
if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) {
return;
}
$granted_permissions = self::_map_permissions($g2_album->getId());
if ($g2_album->getParentId() == null) {
// Compare to current permissions, and change them if necessary.
$g3_parent_album = item::root();
} else {
$g3_parent_album = $g3_album->parent();
}
$granted_parent_permissions = array();
$perm_ids = array_unique(array_values(self::$_permission_map));
foreach (identity::groups() as $group) {
$granted_parent_permissions[$group->id] = array();
foreach ($perm_ids as $perm_id) {
if (access::group_can($group, $perm_id, $g3_parent_album)) {
$granted_parent_permissions[$group->id][$perm_id] = 1;
}
}
}
// Note: Only registering permissions if they're not the same as
// the inherited ones.
foreach ($granted_permissions as $group_id => $permissions) {
if (!isset($granted_parent_permissions[$group_id])) {
foreach (array_keys($permissions) as $perm_id) {
access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
}
} else {
if ($permissions != $granted_parent_permissions[$group_id]) {
$parent_permissions = $granted_parent_permissions[$group_id];
// @todo Probably worth caching the group instances.
$group = identity::lookup_group($group_id);
// Note: Cannot use array_diff_key.
foreach (array_keys($permissions) as $perm_id) {
if (!isset($parent_permissions[$perm_id])) {
access::allow($group, $perm_id, $g3_album);
}
}
foreach (array_keys($parent_permissions) as $perm_id) {
if (!isset($permissions[$perm_id])) {
access::deny($group, $perm_id, $g3_album);
}
}
}
}
}
foreach ($granted_parent_permissions as $group_id => $parent_permissions) {
if (isset($granted_permissions[$group_id])) {
continue;
// handled above
}
$group = identity::lookup_group($group_id);
foreach (array_keys($parent_permissions) as $perm_id) {
access::deny($group, $perm_id, $g3_album);
}
}
}
public function moved_items_inherit_new_permissions_test()
{
identity::set_active_user(identity::lookup_user_by_name("admin"));
$public_album = test::random_album();
$public_photo = test::random_photo($public_album);
access::allow(identity::everybody(), "view", $public_album);
access::allow(identity::everybody(), "edit", $public_album);
item::root()->reload();
// Account for MPTT changes
$private_album = test::random_album();
access::deny(identity::everybody(), "view", $private_album);
access::deny(identity::everybody(), "edit", $private_album);
$private_photo = test::random_photo($private_album);
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo));
$this->assert_true(access::group_can(identity::everybody(), "view", $private_photo));
$this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo));
}
public function non_view_permissions_can_be_revoked_lower_down_test()
{
$root = ORM::factory("item", 1);
$outer = album::create($root, rand(), "test album");
$outer_photo = ORM::factory("item");
$outer_photo->type = "photo";
$outer_photo->add_to_parent($outer);
access::add_item($outer_photo);
$inner = album::create($outer, rand(), "test album");
$inner_photo = ORM::factory("item");
$inner_photo->type = "photo";
$inner_photo->add_to_parent($inner);
access::add_item($inner_photo);
$outer->reload();
$inner->reload();
access::allow(group::everybody(), "edit", $root);
access::deny(group::everybody(), "edit", $outer);
access::allow(group::everybody(), "edit", $inner);
// Outer album is not editable, inner one is.
$this->assert_false(access::group_can(group::everybody(), "edit", $outer_photo));
$this->assert_true(access::group_can(group::everybody(), "edit", $inner_photo));
}
public function moved_items_inherit_new_permissions_test()
{
user::set_active(user::lookup_by_name("admin"));
$root = ORM::factory("item", 1);
$public_album = album::create($root, rand(), "public album");
$public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", "");
access::allow(group::everybody(), "view", $public_album);
$root->reload();
// Account for MPTT changes
$private_album = album::create($root, rand(), "private album");
access::deny(group::everybody(), "view", $private_album);
$private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", "");
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(group::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(group::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(group::everybody(), "view", $public_photo));
$this->assert_true(access::group_can(group::everybody(), "view", $private_photo));
}
