/**
 * Apply an "allow", "deny" or "reset" command to one permission of one group on one item.
 *
 * The request has to pass the CSRF check, and the caller has to pass both the "view" and
 * the "edit" access::required() checks on the item before anything is changed. Nothing is
 * changed when the group lookup comes back empty or when the permission or item record
 * did not load. Any command other than the three above alters nothing.
 *
 * @param string $command  "allow", "deny" or "reset"
 * @param mixed  $group_id id handed to identity::lookup_group()
 * @param mixed  $perm_id  id of the permission record
 * @param mixed  $item_id  id of the item record
 */
function change($command, $group_id, $perm_id, $item_id) {
  // State-changing request: the CSRF token is checked before any other work.
  access::verify_csrf();

  $group = identity::lookup_group($group_id);
  $perm = ORM::factory("permission", $perm_id);
  $item = ORM::factory("item", $item_id);

  // Both authorization checks run before the loaded() test further down.
  access::required("view", $item);
  access::required("edit", $item);

  if (empty($group) || !$perm->loaded() || !$item->loaded()) {
    return;
  }

  $perm_name = $perm->name;

  // Fixed list of commands: the request value is only compared, never used as a method name.
  if ($command == "allow") {
    access::allow($group, $perm_name, $item);
  } elseif ($command == "deny") {
    access::deny($group, $perm_name, $item);
  } elseif ($command == "reset") {
    access::reset($group, $perm_name, $item);
  }

  // Lock-out guard: if the change cost the active user their own edit right, grant it again.
  // NOTE(review): the re-grant targets the group named in the request; whether that restores
  // the active user's own access depends on their membership in that group -- confirm.
  $editor_locked_out = $perm_name == "edit"
    && !access::user_can(identity::active_user(), "edit", $item);
  if ($editor_locked_out) {
    access::allow($group, $perm_name, $item);
  }
}
/**
 * Imports G2 permissions, mapping G2's permission model onto G3's much simpler one.
 *
 * - User permissions are ignored; G3 only supports group permissions.
 * - Item permissions are ignored; G3 only supports album permissions.
 *
 *   G2 permission       ->  G3 permission
 *   -------------------------------------
 *   core.view               view
 *   core.viewSource         view_full
 *   core.edit               edit
 *   core.addDataItem        add
 *   core.addAlbumItem       add
 *   core.viewResizes        <ignored>
 *   core.delete             <ignored>
 *   comment.*               <ignored>
 *
 * Only differences from what the G3 parent album already grants are written: missing
 * grants are added with access::allow() and surplus inherited ones are removed with
 * access::deny().
 *
 * @param object $g2_album the Gallery 2 album being imported
 * @param object $g3_album the Gallery 3 album that receives the permissions
 */
private static function _import_permissions($g2_album, $g3_album) {
  // An album that shares its G2 ACL with its parent inherits everything; nothing to write.
  if ($g2_album->getParentId() != null) {
    $own_acl_id = g2(GalleryCoreApi::fetchAccessListId($g2_album->getId()));
    $parent_acl_id = g2(GalleryCoreApi::fetchAccessListId($g2_album->getParentId()));
    if ($own_acl_id == $parent_acl_id) {
      return;
    }
  }

  $granted_permissions = self::_map_permissions($g2_album->getId());

  // A G2 album without a parent is compared against the G3 root album.
  $g3_parent_album =
    $g2_album->getParentId() == null ? item::root() : $g3_album->parent();

  // Snapshot of what every G3 group can already do on the parent album:
  // group id => (permission id => 1).
  // NOTE(review): the != comparison further down also compares the values, so this assumes
  // _map_permissions() marks grants with an equal value -- confirm.
  $perm_ids = array_unique(array_values(self::$_permission_map));
  $granted_parent_permissions = array();
  foreach (identity::groups() as $g3_group) {
    $held = array();
    foreach ($perm_ids as $perm_id) {
      if (access::group_can($g3_group, $perm_id, $g3_parent_album)) {
        $held[$perm_id] = 1;
      }
    }
    $granted_parent_permissions[$g3_group->id] = $held;
  }

  // Only permissions that differ from the inherited ones are registered.
  foreach ($granted_permissions as $group_id => $wanted) {
    if (!isset($granted_parent_permissions[$group_id])) {
      // No snapshot entry for this group, so every wanted permission is granted outright.
      // NOTE(review): the snapshot has an entry for each group from identity::groups(), so
      // this branch is reached only for an id outside that list; the lookup result is passed
      // on unchecked -- confirm what access::allow() does with an unresolved group.
      foreach (array_keys($wanted) as $perm_id) {
        access::allow(identity::lookup_group($group_id), $perm_id, $g3_album);
      }
      continue;
    }

    if ($wanted == $granted_parent_permissions[$group_id]) {
      continue;  // identical to what is inherited
    }

    $inherited = $granted_parent_permissions[$group_id];
    // @todo Probably worth caching the group instances.
    $group = identity::lookup_group($group_id);

    // Note: array_diff_key cannot be used here, hence the two explicit passes.
    foreach (array_keys($wanted) as $perm_id) {
      if (!isset($inherited[$perm_id])) {
        access::allow($group, $perm_id, $g3_album);
      }
    }
    foreach (array_keys($inherited) as $perm_id) {
      if (!isset($wanted[$perm_id])) {
        access::deny($group, $perm_id, $g3_album);
      }
    }
  }

  // Groups with no G2 grants at all lose everything they would inherit from the parent.
  foreach ($granted_parent_permissions as $group_id => $inherited) {
    if (!isset($granted_permissions[$group_id])) {
      $group = identity::lookup_group($group_id);
      foreach (array_keys($inherited) as $perm_id) {
        access::deny($group, $perm_id, $g3_album);
      }
    }
  }
}
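/**
 * Import a single Gallery 2 user.
 *
 * The first id is shifted off $queue. Users that are already mapped are skipped, and the
 * G2 anonymous user is mapped to the G3 guest. Otherwise a G3 user is created, or, when
 * creation throws, the existing G3 user with the same username is loaded instead. The
 * user then receives the G2 password hash, email and locale, the admin flag if they are
 * in the G2 admin group, and membership of every other G2 group that has been imported.
 *
 * Security note: on the "existing user" path the account is matched by username only, so
 * a pre-existing G3 account with that name has its password hash and email replaced and
 * can gain the admin flag. Review name collisions before importing from a G2 install
 * whose user table is not trusted.
 *
 * @param array $queue queue of G2 user ids, passed by reference; its first entry is consumed
 * @return string status message describing what was done
 */
static function import_user(&$queue) {
  $g2_user_id = array_shift($queue);
  if (self::map($g2_user_id)) {
    return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
  }

  if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
    self::set_map($g2_user_id, identity::guest()->id);
    return t("Skipping anonymous user");
  }

  $g2_admin_group_id =
    g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
  try {
    $g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
  } catch (Exception $e) {
    return t("Failed to import Gallery 2 user with id: %id\n%exception",
             array("id" => $g2_user_id, "exception" => $e->__toString()));
  }
  $g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));

  // NOTE(review): neither user message below contains a %name placeholder although a
  // "name" argument is supplied -- confirm the strings against the upstream source.
  try {
    // Created with an empty password argument; the stored hash is replaced further down.
    $user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), "");
    $message = t("Created user: '******'.", array("name" => $user->name));
  } catch (Exception $e) {
    // @todo For now we assume this is a "duplicate user" exception
    $user = identity::lookup_user_by_name($g2_user->getUsername());
    if (empty($user)) {
      // Creation failed for some other reason and there is no account to fall back on:
      // report the failure instead of dereferencing an empty lookup result.
      return t("Failed to import Gallery 2 user with id: %id\n%exception",
               array("id" => $g2_user_id, "exception" => $e->__toString()));
    }
    $message = t("Loaded existing user: '******'.", array("name" => $user->name));
  }

  // The G2 hash is stored as-is; nothing here re-hashes it.
  // NOTE(review): confirm the login path can verify this hash format and upgrades it.
  $user->hashed_password = $g2_user->getHashedPassword();
  $user->email = $g2_user->getEmail();
  $user->locale = $g2_user->getLanguage();

  foreach ($g2_groups as $g2_group_id => $g2_group_name) {
    // Compared as strings so that type juggling can never make a non-matching id equal
    // to the admin group id; this comparison is what hands out the admin flag.
    if ((string)$g2_group_id === (string)$g2_admin_group_id) {
      $user->admin = true;
      $message .= t("\n\tAdded 'admin' flag to user");
      continue;
    }

    $group = identity::lookup_group(self::map($g2_group_id));
    if (empty($group)) {
      // The G2 group has no G3 counterpart; skip it rather than add an empty group.
      $message .= t("\n\tSkipped group with id: %id, it has not been imported",
                    array("id" => $g2_group_id));
      continue;
    }
    $user->add($group);
    $message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name));
  }

  $user->save();
  self::set_map($g2_user->getId(), $user->id);

  return $message;
}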