static function initialize() { $db = Database::instance(); $db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n DEFAULT CHARSET=utf8;"); $everybody = ORM::factory("group"); $everybody->name = "Everybody"; $everybody->special = true; $everybody->save(); $registered = ORM::factory("group"); $registered->name = "Registered Users"; $registered->special = true; $registered->save(); $guest = ORM::factory("user"); $guest->name = "guest"; $guest->full_name = "Guest User"; $guest->password = ""; $guest->guest = true; $guest->save(); $admin = ORM::factory("user"); $admin->name = "admin"; $admin->full_name = "Gallery Administrator"; $admin->password = "******"; $admin->email = "*****@*****.**"; $admin->admin = true; $admin->save(); $root = ORM::factory("item", 1); access::allow($everybody, "view", $root); access::allow($everybody, "view_full", $root); access::allow($registered, "view", $root); access::allow($registered, "view_full", $root); module::set_version("user", 2); module::set_var("user", "mininum_password_length", 5); }
static function install() { $db = Database::instance(); $version = module::get_version("user"); if ($version == 0) { $db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n ENGINE=InnoDB DEFAULT CHARSET=utf8;"); $everybody = group::create("Everybody"); $everybody->special = true; $everybody->save(); $registered = group::create("Registered Users"); $registered->special = true; $registered->save(); $guest = user::create("guest", "Guest User", ""); $guest->guest = true; $guest->remove($registered); $guest->save(); $admin = user::create("admin", "Gallery Administrator", "admin"); $admin->admin = true; $admin->save(); // Let the admin own everything $db->update("items", array("owner_id" => $admin->id), array("owner_id" => "IS NULL")); module::set_version("user", 1); $root = ORM::factory("item", 1); access::allow($everybody, "view", $root); access::allow($everybody, "view_full", $root); access::allow($registered, "view", $root); access::allow($registered, "view_full", $root); } }
/** * Create an album for the newly created user and give him view and edit permissions. */ static function user_created($user) { // Create a group with the same name, if necessary $group_name = "auto: {$user->name}"; $group = identity::lookup_group_by_name($group_name); if (!$group) { $group = identity::create_group($group_name); identity::add_user_to_group($user, $group); } // Create an album for the user, if it doesn't exist $album = ORM::factory("item")->where("parent_id", "=", item::root()->id)->where("name", "=", $user->name)->find(); if (!$album->loaded()) { $album->type = "album"; $album->name = $user->name; $album->title = "{$user->name}'s album"; $album->parent_id = item::root()->id; $album->sort_column = "weight"; $album->sort_order = "asc"; $album->save(); access::allow($group, "view", item::root()); access::allow($group, "view_full", $album); access::allow($group, "edit", $album); access::allow($group, "add", $album); } }
function change($command, $group_id, $perm_id, $item_id) { access::verify_csrf(); $group = identity::lookup_group($group_id); $perm = ORM::factory("permission", $perm_id); $item = ORM::factory("item", $item_id); access::required("view", $item); access::required("edit", $item); if (!empty($group) && $perm->loaded() && $item->loaded()) { switch ($command) { case "allow": access::allow($group, $perm->name, $item); break; case "deny": access::deny($group, $perm->name, $item); break; case "reset": access::reset($group, $perm->name, $item); break; } // If the active user just took away their own edit permissions, give it back. if ($perm->name == "edit") { if (!access::user_can(identity::active_user(), "edit", $item)) { access::allow($group, $perm->name, $item); } } } }
public function post_test() { access::allow(identity::everybody(), "edit", item::root()); $request = new stdClass(); $request->params = new stdClass(); $request->params->name = "test tag"; $this->assert_equal(array("url" => url::site("rest/tag/1")), tags_rest::post($request)); }
static function initialize() { module::set_version("ldap", 1); $root = item::root(); foreach (IdentityProvider::instance()->groups() as $group) { module::event("group_created", $group); access::allow($group, "view", $root); access::allow($group, "view_full", $root); } }
public function post_test() { $tag = test::random_tag(); // Create an editable item to be tagged $album = test::random_album(); access::allow(identity::everybody(), "edit", $album); // Add the album to the tag $request->url = rest::url("tag", $tag); $request->params->url = rest::url("item", $album); $this->assert_equal_array(array("url" => rest::url("tag_item", $tag, $album)), tag_rest::post($request)); }
static function install() { module::set_version("ldap", 1); $root = item::root(); $ldap_provider = new IdentityProvider("ldap"); foreach ($ldap_provider->groups() as $group) { module::event("group_created", $group); access::allow($group, "view", $root); access::allow($group, "view_full", $root); } }
public function cant_view_comments_for_unviewable_items_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $comment = comment::create($album, user::guest(), "text", "name", "email", "url"); user::set_active(user::guest()); // We can see the comment when permissions are granted on the album access::allow(group::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(group::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); }
public function viewable_test() { $album = test::random_album(); $item = test::random_photo($album); $album->reload(); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function viewable_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $item = self::_create_random_item($album); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function change_album_no_csrf_fails_test() { $controller = new Albums_Controller(); $album = test::random_album(); $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; access::allow(identity::everybody(), "edit", item::root()); try { $controller->update($album->id); $this->assert_true(false, "This should fail"); } catch (Exception $e) { // pass $this->assert_same("@todo FORBIDDEN", $e->getMessage()); } }
public function cant_view_comments_for_unviewable_items_test() { $album = test::random_album(); $comment = ORM::factory("comment"); $comment->item_id = $album->id; $comment->author_id = identity::admin_user()->id; $comment->text = "text"; $comment->save(); identity::set_active_user(identity::guest()); // We can see the comment when permissions are granted on the album access::allow(identity::everybody(), "view", $album); $this->assert_true(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(identity::everybody(), "view", $album); $this->assert_false(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); }
public function change_photo_no_csrf_fails_test() { $controller = new Photos_Controller(); $root = ORM::factory("item", 1); $photo = photo::create($root, MODPATH . "gallery/tests/test.jpg", "test", "test", "test"); $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; access::allow(group::everybody(), "edit", $root); try { $controller->_update($photo); $this->assert_true(false, "This should fail"); } catch (Exception $e) { // pass } }
public function change_album_no_csrf_fails_test() { $controller = new Albums_Controller(); $root = ORM::factory("item", 1); $this->_album = album::create($root, "test", "test", "test"); $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; access::allow(group::everybody(), "edit", $root); try { $controller->_update($this->_album); $this->assert_true(false, "This should fail"); } catch (Exception $e) { // pass } }
function change($command, $group_id, $perm_id, $item_id) { access::verify_csrf(); $group = ORM::factory("group", $group_id); $perm = ORM::factory("permission", $perm_id); $item = ORM::factory("item", $item_id); access::required("edit", $item); if ($group->loaded && $perm->loaded && $item->loaded) { switch ($command) { case "allow": access::allow($group, $perm->name, $item); break; case "deny": access::deny($group, $perm->name, $item); break; case "reset": access::reset($group, $perm->name, $item); break; } } }
static function install() { $db = Database::instance(); $db->query("CREATE TABLE IF NOT EXISTS {users} (\n `id` int(9) NOT NULL auto_increment,\n `name` varchar(32) NOT NULL,\n `full_name` varchar(255) NOT NULL,\n `password` varchar(64) NOT NULL,\n `login_count` int(10) unsigned NOT NULL DEFAULT 0,\n `last_login` int(10) unsigned NOT NULL DEFAULT 0,\n `email` varchar(64) default NULL,\n `admin` BOOLEAN default 0,\n `guest` BOOLEAN default 0,\n `hash` char(32) default NULL,\n `url` varchar(255) default NULL,\n `locale` char(10) default NULL,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`hash`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups} (\n `id` int(9) NOT NULL auto_increment,\n `name` char(64) default NULL,\n `special` BOOLEAN default 0,\n PRIMARY KEY (`id`),\n UNIQUE KEY(`name`))\n DEFAULT CHARSET=utf8;"); $db->query("CREATE TABLE IF NOT EXISTS {groups_users} (\n `group_id` int(9) NOT NULL,\n `user_id` int(9) NOT NULL,\n PRIMARY KEY (`group_id`, `user_id`),\n UNIQUE KEY(`user_id`, `group_id`))\n DEFAULT CHARSET=utf8;"); $everybody = group::create("Everybody"); $everybody->special = true; $everybody->save(); $registered = group::create("Registered Users"); $registered->special = true; $registered->save(); $guest = user::create("guest", "Guest User", ""); $guest->guest = true; $guest->remove($registered); $guest->save(); $admin = user::create("admin", "Gallery Administrator", "admin"); $admin->admin = true; $admin->save(); $current_provider = module::get_var("gallery", "identity_provider"); if (empty($current_provider)) { // If there is no provider defined then we are doing an initial install // so we need to set the provider and make the administrator own everything // If the installer is called and there is an identity provider, then we // are switching identity providers and and the event handlers will do the // right things module::set_var("gallery", "identity_provider", "user"); // Let the admin own everything $db->query("update {items} set owner_id = {$admin->id}"); } $root = ORM::factory("item", 1); access::allow($everybody, "view", $root); access::allow($everybody, "view_full", $root); access::allow($registered, "view", $root); access::allow($registered, "view_full", $root); module::set_var("user", "mininum_password_length", 5); module::set_version("user", 2); }
public function delete_album_test() { $album1 = test::random_album(); access::allow(identity::everybody(), "edit", $album1); $request->url = rest::url("item", $album1); item_rest::delete($request); $album1->reload(); $this->assert_false($album1->loaded()); }
/** * Imports G2 permissions, mapping G2's permission model to G3's * much simplified permissions. * * - Ignores user permissions, G3 only supports group permissions. * - Ignores item permissions, G3 only supports album permissions. * * G2 permission -> G3 permission * --------------------------------- * core.view view * core.viewSource view_full * core.edit edit * core.addDataItem add * core.addAlbumItem add * core.viewResizes <ignored> * core.delete <ignored> * comment.* <ignored> */ private static function _import_permissions($g2_album, $g3_album) { // No need to do anything if this album has the same G2 ACL as its parent. if ($g2_album->getParentId() != null && g2(GalleryCoreApi::fetchAccessListId($g2_album->getId())) == g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()))) { return; } $granted_permissions = self::_map_permissions($g2_album->getId()); if ($g2_album->getParentId() == null) { // Compare to current permissions, and change them if necessary. $g3_parent_album = item::root(); } else { $g3_parent_album = $g3_album->parent(); } $granted_parent_permissions = array(); $perm_ids = array_unique(array_values(self::$_permission_map)); foreach (identity::groups() as $group) { $granted_parent_permissions[$group->id] = array(); foreach ($perm_ids as $perm_id) { if (access::group_can($group, $perm_id, $g3_parent_album)) { $granted_parent_permissions[$group->id][$perm_id] = 1; } } } // Note: Only registering permissions if they're not the same as // the inherited ones. foreach ($granted_permissions as $group_id => $permissions) { if (!isset($granted_parent_permissions[$group_id])) { foreach (array_keys($permissions) as $perm_id) { access::allow(identity::lookup_group($group_id), $perm_id, $g3_album); } } else { if ($permissions != $granted_parent_permissions[$group_id]) { $parent_permissions = $granted_parent_permissions[$group_id]; // @todo Probably worth caching the group instances. $group = identity::lookup_group($group_id); // Note: Cannot use array_diff_key. foreach (array_keys($permissions) as $perm_id) { if (!isset($parent_permissions[$perm_id])) { access::allow($group, $perm_id, $g3_album); } } foreach (array_keys($parent_permissions) as $perm_id) { if (!isset($permissions[$perm_id])) { access::deny($group, $perm_id, $g3_album); } } } } } foreach ($granted_parent_permissions as $group_id => $parent_permissions) { if (isset($granted_permissions[$group_id])) { continue; // handled above } $group = identity::lookup_group($group_id); foreach (array_keys($parent_permissions) as $perm_id) { access::deny($group, $perm_id, $g3_album); } } }
public function moved_items_inherit_new_permissions_test() { identity::set_active_user(identity::lookup_user_by_name("admin")); $public_album = test::random_album(); $public_photo = test::random_photo($public_album); access::allow(identity::everybody(), "view", $public_album); access::allow(identity::everybody(), "edit", $public_album); item::root()->reload(); // Account for MPTT changes $private_album = test::random_album(); access::deny(identity::everybody(), "view", $private_album); access::deny(identity::everybody(), "edit", $private_album); $private_photo = test::random_photo($private_album); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo)); $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo)); $this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo)); }
static function album_add_form_completed($album, $form) { if ($form->privacy->private->checked) { $username = $form->privacy->username->value; $password = $form->privacy->password->value; // TODO validation // create a group based on username $group = identity::create_group($username); // create a user based on username $user = identity::create_user($username, $username, $password, $username . "@unknown.com"); identity::add_user_to_group($user, $group); // create user home $home = ORM::factory("user_home")->where("id", "=", $user->id)->find(); $home->id = $user->id; $home->home = $album->id; $home->save(); // reload album $album->reload(); // set permissions // deny all groups. $groups = ORM::factory("group")->find_all(); foreach ($groups as $group2) { if ($group->id != $group2->id) { access::deny($group2, "view", $album); access::deny($group2, "view_full", $album); } } // deny all other albums $albums = ORM::factory("item")->where("type", "=", "album")->find_all(); foreach ($albums as $albumt) { access::deny($group, "view", $albumt); } // allow access to newly created group access::allow($group, "view_full", $album); $parents = $album->parents(); foreach ($parents as $parent) { access::allow($group, "view", $parent); } access::allow($group, "view", $album); } }
public function everybody_view_full_permission_maintains_htaccess_files_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::allow(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::reset(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); }
public function moved_items_inherit_new_permissions_test() { user::set_active(user::lookup_by_name("admin")); $root = ORM::factory("item", 1); $public_album = album::create($root, rand(), "public album"); $public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", ""); access::allow(group::everybody(), "view", $public_album); $root->reload(); // Account for MPTT changes $private_album = album::create($root, rand(), "private album"); access::deny(group::everybody(), "view", $private_album); $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", ""); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(group::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_true(access::group_can(group::everybody(), "view", $private_photo)); }