public function cant_view_comments_for_unviewable_items_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $comment = comment::create($album, user::guest(), "text", "name", "email", "url"); user::set_active(user::guest()); // We can see the comment when permissions are granted on the album access::allow(group::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(group::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); }
public function viewable_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $item = self::_create_random_item($album); user::set_active(user::guest()); // We can see the item when permissions are granted access::allow(group::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(group::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); }
/** * Create a new user. * * @param string $name * @param string $full_name * @param string $password * @return User_Model */ static function create($name, $full_name, $password) { $user = ORM::factory("user")->where("name", $name)->find(); if ($user->loaded) { throw new Exception("@todo USER_ALREADY_EXISTS {$name}"); } $user->name = $name; $user->full_name = $full_name; $user->password = $password; // Required groups $user->add(group::everybody()); $user->add(group::registered_users()); $user->save(); return $user; }
public function change_album_no_csrf_fails_test() { $controller = new Albums_Controller(); $root = ORM::factory("item", 1); $this->_album = album::create($root, "test", "test", "test"); $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; access::allow(group::everybody(), "edit", $root); try { $controller->_update($this->_album); $this->assert_true(false, "This should fail"); } catch (Exception $e) { // pass } }
public function change_photo_no_csrf_fails_test() { $controller = new Photos_Controller(); $root = ORM::factory("item", 1); $photo = photo::create($root, MODPATH . "gallery/tests/test.jpg", "test", "test", "test"); $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; access::allow(group::everybody(), "edit", $root); try { $controller->_update($photo); $this->assert_true(false, "This should fail"); } catch (Exception $e) { // pass } }
/** * Handle any business logic necessary to create or update a user. * @see ORM::save() * * @return ORM User_Model */ public function save() { if (!$this->loaded()) { // New user $this->add(group::everybody()); if (!$this->guest) { $this->add(group::registered_users()); } parent::save(); module::event("user_created", $this); } else { // Updated user $original = ORM::factory("user", $this->id); parent::save(); module::event("user_updated", $original, $this); } return $this; }
public function print_photo($id) { access::verify_csrf(); $item = ORM::factory("item", $id); access::required("view", $item); if (access::group_can(group::everybody(), "view_full", $item)) { $full_url = $item->file_url(true); $thumb_url = $item->thumb_url(true); } else { $proxy = ORM::factory("digibug_proxy"); $proxy->uuid = md5(rand()); $proxy->item_id = $item->id; $proxy->save(); $full_url = url::abs_site("digibug/print_proxy/full/{$proxy->uuid}"); $thumb_url = url::abs_site("digibug/print_proxy/thumb/{$proxy->uuid}"); } $v = new View("digibug_form.html"); $v->order_parms = array("digibug_api_version" => "100", "company_id" => module::get_var("digibug", "company_id"), "event_id" => module::get_var("digibug", "event_id"), "cmd" => "addimg", "partner_code" => "69", "return_url" => url::abs_site("digibug/close_window"), "num_images" => "1", "image_1" => $full_url, "thumb_1" => $thumb_url, "image_height_1" => $item->height, "image_width_1" => $item->width, "thumb_height_1" => $item->thumb_height, "thumb_width_1" => $item->thumb_width, "title_1" => html::purify($item->title)); print $v; }
/** * Import a single group. */ static function import_group(&$queue) { $g2_group_id = array_shift($queue); if (self::map($g2_group_id)) { return t("Group with id: %id already imported, skipping", array("id" => $g2_group_id)); } try { $g2_group = g2(GalleryCoreApi::loadEntitiesById($g2_group_id)); } catch (Exception $e) { return t("Failed to import Gallery 2 group with id: %id\n%exception", array("id" => $g2_group_id, "exception" => $e->__toString())); } switch ($g2_group->getGroupType()) { case GROUP_NORMAL: try { $group = group::create($g2_group->getGroupName()); } catch (Exception $e) { // @todo For now we assume this is a "duplicate group" exception $group = group::lookup_by_name($g2_group->getGroupname()); } $message = t("Group '%name' was imported", array("name" => $g2_group->getGroupname())); break; case GROUP_ALL_USERS: $group = group::registered_users(); $message = t("Group 'Registered' was converted to '%name'", array("name" => $group->name)); break; case GROUP_SITE_ADMINS: $message = t("Group 'Admin' does not exist in Gallery 3, skipping"); break; // This is not a group in G3 // This is not a group in G3 case GROUP_EVERYBODY: $group = group::everybody(); $message = t("Group 'Everybody' was converted to '%name'", array("name" => $group->name)); break; } if (isset($group)) { self::set_map($g2_group->getId(), $group->id); } return $message; }
/** * Import a single group. */ static function import_group(&$queue) { $g2_group_id = array_shift($queue); if (self::map($g2_group_id)) { return; } try { $g2_group = g2(GalleryCoreApi::loadEntitiesById($g2_group_id)); } catch (Exception $e) { g2_import::log(t("Failed to import Gallery 2 group with id: %id", array("id" => $g2_group_id))); return; } switch ($g2_group->getGroupType()) { case GROUP_NORMAL: try { $group = group::create($g2_group->getGroupName()); } catch (Exception $e) { // @todo For now we assume this is a "duplicate group" exception $group = group::lookup_by_name($g2_group->getGroupname()); } break; case GROUP_ALL_USERS: $group = group::registered_users(); break; case GROUP_SITE_ADMINS: break; // This is not a group in G3 // This is not a group in G3 case GROUP_EVERYBODY: $group = group::everybody(); break; } if (isset($group)) { self::set_map($g2_group->getId(), $group->id); } }
public function everybody_view_full_permission_maintains_htaccess_files_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::allow(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::deny(group::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); access::reset(group::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); }
public function moved_items_inherit_new_permissions_test() { user::set_active(user::lookup_by_name("admin")); $root = ORM::factory("item", 1); $public_album = album::create($root, rand(), "public album"); $public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", ""); access::allow(group::everybody(), "view", $public_album); $root->reload(); // Account for MPTT changes $private_album = album::create($root, rand(), "private album"); access::deny(group::everybody(), "view", $private_album); $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", ""); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(group::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(group::everybody(), "view", $public_photo)); $this->assert_true(access::group_can(group::everybody(), "view", $private_photo)); }
/** * @see IdentityProvider_Driver::everybody. */ public function everybody() { return group::everybody(); }