/**
 * Builds and prints the Digibug order form for a single item.
 *
 * The request has to pass access::verify_csrf() and the caller needs "view" on the item.
 * If the "everybody" group holds "view_full" on the item, the item's own file and thumbnail
 * URLs are placed in the order. Otherwise a digibug_proxy row is saved and the order carries
 * digibug/print_proxy URLs that embed that row's uuid.
 *
 * NOTE(review): on the proxy path the only permission checked here is "view", yet the URL
 * built is the "full" variant and it is handed to the view that gets printed. The uuid is
 * therefore the only thing in the URL that ties it to this request -- confirm that the
 * print_proxy endpoint restricts who may redeem it and that proxy rows are expired.
 * NOTE(review): nothing here checks that ORM::factory("item", $id) found a row; presumably
 * access::required() rejects an unloaded item -- confirm.
 *
 * @param mixed $id  item id, passed unchanged to ORM::factory("item", $id)
 */
public function print_photo($id) {
  access::verify_csrf();

  $item = ORM::factory("item", $id);
  access::required("view", $item);

  $needs_proxy = !access::group_can(identity::everybody(), "view_full", $item);
  if ($needs_proxy) {
    // The full size is not public: publish per-request proxy URLs instead of the real ones.
    $proxy = ORM::factory("digibug_proxy");
    $proxy->uuid = random::hash();
    $proxy->item_id = $item->id;
    $proxy->save();

    $full_url = url::abs_site("digibug/print_proxy/full/{$proxy->uuid}/{$item->id}");
    $thumb_url = url::abs_site("digibug/print_proxy/thumb/{$proxy->uuid}/{$item->id}");
  } else {
    $full_url = $item->file_url(true);
    $thumb_url = $item->thumb_url(true);
  }

  $v = new View("digibug_form.html");

  // Assemble the order in a local array first so the view property is assigned exactly once.
  $order = array();
  $order["digibug_api_version"] = "100";
  $order["company_id"] = module::get_var("digibug", "company_id");
  $order["event_id"] = module::get_var("digibug", "event_id");
  $order["cmd"] = "addimg";
  $order["partner_code"] = "69";
  $order["return_url"] = url::abs_site("digibug/close_window");
  $order["num_images"] = "1";
  $order["image_1"] = $full_url;
  $order["thumb_1"] = $thumb_url;
  $order["image_height_1"] = $item->height;
  $order["image_width_1"] = $item->width;
  $order["thumb_height_1"] = $item->thumb_height;
  $order["thumb_width_1"] = $item->thumb_width;
  // The title is user-editable text, so it goes through html::purify() before entering the form.
  $order["title_1"] = html::purify($item->title);
  $v->order_params = $order;

  print $v;
}
<th> <?php echo p::clean($group->name); ?> </th> <? endforeach ?> </tr> <? foreach ($permissions as $permission): ?> <tr> <td> <?php echo t($permission->display_name); ?> </td> <? foreach ($groups as $group): ?> <? $intent = access::group_intent($group, $permission->name, $item) ?> <? $allowed = access::group_can($group, $permission->name, $item) ?> <? $lock = access::locked_by($group, $permission->name, $item) ?> <? if ($lock): ?> <td class="gDenied"> <img src="<?php echo url::file('themes/default/images/ico-denied.png'); ?> " title="<?php echo t('denied and locked through parent album'); ?> " alt="<?php echo t('denied icon'); ?> " /> <a href="javascript:show(<?php
/**
 * Imports G2 permissions for one album, translating G2's permission model into G3's
 * much simpler one.
 *
 * - User permissions are ignored: G3 only supports group permissions.
 * - Item permissions are ignored: G3 only supports album permissions.
 *
 *   G2 permission        ->  G3 permission
 *   --------------------------------------
 *   core.view                view
 *   core.viewSource          view_full
 *   core.edit                edit
 *   core.addDataItem         add
 *   core.addAlbumItem        add
 *   core.viewResizes         <ignored>
 *   core.delete              <ignored>
 *   comment.*                <ignored>
 *
 * Only differences from what the G3 parent album already grants are written: missing grants
 * become access::allow() calls, surplus grants become access::deny() calls. A group that the
 * parent grants something to but that is absent from the mapped G2 permissions is denied
 * every permission the parent grants it.
 *
 * @param object $g2_album  G2 album being imported (getId() and getParentId() are used)
 * @param object $g3_album  G3 album that receives the permissions
 */
private static function _import_permissions($g2_album, $g3_album) {
  // An album sharing its parent's G2 access list has nothing of its own to import.
  if ($g2_album->getParentId() != null) {
    $own_acl = g2(GalleryCoreApi::fetchAccessListId($g2_album->getId()));
    $parent_acl = g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()));
    if ($own_acl == $parent_acl) {
      return;
    }
  }

  $granted_permissions = self::_map_permissions($g2_album->getId());

  // For the G2 root album, the baseline is whatever the G3 root currently grants.
  $g3_parent_album = $g2_album->getParentId() == null ? item::root() : $g3_album->parent();

  // Baseline: for every G3 group, the set of mapped permissions the parent album grants.
  $granted_parent_permissions = array();
  $perm_ids = array_unique(array_values(self::$_permission_map));
  foreach (identity::groups() as $group) {
    $held = array();
    foreach ($perm_ids as $perm_id) {
      if (access::group_can($group, $perm_id, $g3_parent_album)) {
        $held[$perm_id] = 1;
      }
    }
    $granted_parent_permissions[$group->id] = $held;
  }

  // Permissions are only registered where they differ from the inherited ones.
  foreach ($granted_permissions as $group_id => $permissions) {
    if (!isset($granted_parent_permissions[$group_id])) {
      // No baseline entry for this group id, so every mapped permission is granted outright.
      // NOTE(review): this id was not returned by identity::groups(); confirm that
      // identity::lookup_group() cannot hand back an empty result here.
      foreach (array_keys($permissions) as $perm_id) {
        access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
      }
      continue;
    }

    $parent_permissions = $granted_parent_permissions[$group_id];
    if ($permissions == $parent_permissions) {
      continue;  // same set as inherited, nothing to record
    }

    // @todo Probably worth caching the group instances.
    $group = identity::lookup_group($group_id);

    // Author's note: array_diff_key cannot be used here, hence the two explicit passes.
    foreach (array_keys($permissions) as $perm_id) {
      if (!isset($parent_permissions[$perm_id])) {
        access::allow($group, $perm_id, $g3_album);
      }
    }
    foreach (array_keys($parent_permissions) as $perm_id) {
      if (!isset($permissions[$perm_id])) {
        access::deny($group, $perm_id, $g3_album);
      }
    }
  }

  // Groups with no mapped G2 permissions at all lose everything the parent would pass down.
  foreach ($granted_parent_permissions as $group_id => $parent_permissions) {
    if (!isset($granted_permissions[$group_id])) {
      $group = identity::lookup_group($group_id);
      foreach (array_keys($parent_permissions) as $perm_id) {
        access::deny($group, $perm_id, $g3_album);
      }
    }
  }
}
/**
 * Moving an item between albums must replace its inherited permissions with those of the
 * destination album: a photo moved into a denied album stops being viewable/editable by
 * "everybody", and a photo moved into an allowed album becomes viewable/editable.
 */
public function moved_items_inherit_new_permissions_test() {
  identity::set_active_user(identity::lookup_user_by_name("admin"));

  // Album where "everybody" is allowed view and edit, holding one photo.
  $open_album = test::random_album();
  $open_photo = test::random_photo($open_album);
  foreach (array("view", "edit") as $perm) {
    access::allow(identity::everybody(), $perm, $open_album);
  }
  item::root()->reload();  // Account for MPTT changes

  // Album where "everybody" is denied view and edit, holding one photo.
  $closed_album = test::random_album();
  foreach (array("view", "edit") as $perm) {
    access::deny(identity::everybody(), $perm, $closed_album);
  }
  $closed_photo = test::random_photo($closed_album);

  // Precondition: one photo is public and the other is private.
  $this->assert_true(access::group_can(identity::everybody(), "view", $open_photo));
  $this->assert_false(access::group_can(identity::everybody(), "view", $closed_photo));

  // Swap the photos. After each move every object is reloaded to pick up the new MPTT
  // pointers and cached perms.
  $nodes = array($closed_album, $open_album, $closed_photo, $open_photo);

  item::move($open_photo, $closed_album);
  foreach ($nodes as $node) {
    $node->reload();
  }

  item::move($closed_photo, $open_album);
  foreach ($nodes as $node) {
    $node->reload();
  }

  // The formerly public photo is now private ...
  foreach (array("view", "edit") as $perm) {
    $this->assert_false(access::group_can(identity::everybody(), $perm, $open_photo));
  }
  // ... and the formerly private photo is now public.
  foreach (array("view", "edit") as $perm) {
    $this->assert_true(access::group_can(identity::everybody(), $perm, $closed_photo));
  }
}
/**
 * A non-view permission ("edit") allowed on the root can be denied on a nested album and
 * allowed again further down; photos follow the setting of their nearest album.
 */
public function non_view_permissions_can_be_revoked_lower_down_test() {
  $top = ORM::factory("item", 1);

  // Outer album with one photo registered with the access layer.
  $outer_album = album::create($top, rand(), "test album");
  $photo_in_outer = ORM::factory("item");
  $photo_in_outer->type = "photo";
  $photo_in_outer->add_to_parent($outer_album);
  access::add_item($photo_in_outer);

  // Inner album nested in the outer one, again with one photo.
  $inner_album = album::create($outer_album, rand(), "test album");
  $photo_in_inner = ORM::factory("item");
  $photo_in_inner->type = "photo";
  $photo_in_inner->add_to_parent($inner_album);
  access::add_item($photo_in_inner);

  foreach (array($outer_album, $inner_album) as $album) {
    $album->reload();
  }

  // allow at the root, deny one level down, allow again one level below that
  access::allow(group::everybody(), "edit", $top);
  access::deny(group::everybody(), "edit", $outer_album);
  access::allow(group::everybody(), "edit", $inner_album);

  // Outer album is not editable, inner one is.
  $outer_editable = access::group_can(group::everybody(), "edit", $photo_in_outer);
  $this->assert_false($outer_editable);
  $inner_editable = access::group_can(group::everybody(), "edit", $photo_in_inner);
  $this->assert_true($inner_editable);
}
/**
 * Moving an item between albums must replace its inherited "view" permission with that of
 * the destination album: a photo moved into a denied album stops being viewable by
 * "everybody", and a photo moved into an allowed album becomes viewable.
 */
public function moved_items_inherit_new_permissions_test() {
  user::set_active(user::lookup_by_name("admin"));

  $top = ORM::factory("item", 1);

  // Album viewable by "everybody", holding one photo.
  $open_album = album::create($top, rand(), "public album");
  $open_photo = photo::create($open_album, MODPATH . "gallery/images/gallery.png", "", "");
  access::allow(group::everybody(), "view", $open_album);
  $top->reload();  // Account for MPTT changes

  // Album where "everybody" is denied view, holding one photo.
  $closed_album = album::create($top, rand(), "private album");
  access::deny(group::everybody(), "view", $closed_album);
  $closed_photo = photo::create($closed_album, MODPATH . "gallery/images/gallery.png", "", "");

  // Precondition: one photo is public and the other is private.
  $this->assert_true(access::group_can(group::everybody(), "view", $open_photo));
  $this->assert_false(access::group_can(group::everybody(), "view", $closed_photo));

  // Swap the photos. After each move every object is reloaded to pick up the new MPTT
  // pointers and cached perms.
  $nodes = array($closed_album, $open_album, $closed_photo, $open_photo);

  item::move($open_photo, $closed_album);
  foreach ($nodes as $node) {
    $node->reload();
  }

  item::move($closed_photo, $open_album);
  foreach ($nodes as $node) {
    $node->reload();
  }

  // The formerly public photo is now private, and the formerly private photo is now public.
  $open_photo_visible = access::group_can(group::everybody(), "view", $open_photo);
  $this->assert_false($open_photo_visible);
  $closed_photo_visible = access::group_can(group::everybody(), "view", $closed_photo);
  $this->assert_true($closed_photo_visible);
}