Author: david
Date: Thu Sep 17 14:03:59 2009
New Revision: 3377
Log:
Fix bugs in QubitAcl::check() logic.
Modified:
trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php
Modified: trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Thu Sep 17 14:02:36
2009 (r3376)
+++ trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Thu Sep 17 14:03:59
2009 (r3377)
@@ -59,7 +59,10 @@
{
// Check permissions with repository condition
case 'QubitInformationObject':
- $options['parameters']['repositoryId'] = $aco->getRepository()->id;
+ if (null !== ($repository = $aco->getRepository(array('inherit' =>
true))))
+ {
+ $options['parameters']['repositoryId'] = $repository->id;
+ }
$hasAccess = self::allowAccess($user, $aco, $actionId, $options);
break;
@@ -100,22 +103,21 @@
}
}
- protected static function getAcoLineage($aco)
+ protected static function getAcoChain($aco)
{
- $lineage = array($aco->id);
- foreach ($aco->getAscendants()->orderBy('rgt') as $ascendant)
+ foreach ($aco->getAncestors()->andSelf()->orderBy('rgt') as $node)
{
- $lineage[] = $scendant;
+ $chain[] = $node;
}
- return $lineage;
+ return $chain;
}
- protected static function allowAccess($user, $aco, $actionId, $options)
+ protected static function allowAccess($user, $aco, $actionId, $options =
array())
{
$permission = self::INHERIT;
- $acoChain = $aco->getAncestors()->andSelf()->orderBy('rgt');
+ $acoChain = self::getAcoChain($aco);
// Check user permissions first
$permission = self::checkUserPermissions($user, $acoChain, $actionId,
$options);
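Review bot: `getAcoChain()` never initialises `$chain`, so when the query yields no rows the function returns an undefined variable (null, plus a notice) instead of an empty array. Elsewhere in this commit `checkAcoPermissionChain()` is passed `null` to mean "look up global permissions", so an empty result here would be evaluated as a global lookup rather than as "no object". Adding `$chain = array();` before the `foreach` keeps the two cases distinct. The body of `allowAccess()` continues outside this hunk.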
@@ -136,9 +138,9 @@
$criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
// Check 'last-in' permissions first
- $criteria->addDescendingOrderyByColumn(QubitAclPermission::ID);
+ $criteria->addDescendingOrderByColumn(QubitAclPermission::ID);
- return checkAcoPermissionChain($acoChain, $criteria, $options);
+ return self::checkAcoPermissionChain($acoChain, $criteria, $options);
}
protected static function checkGroupPermissions($user, $acoChain, $actionId,
$options = array())
@@ -149,12 +151,12 @@
$criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
// Check 'higher level' groups first
- $criteria->addAscendingOrderyByColumn(QubitAclPermission::GROUP_ID);
+ $criteria->addAscendingOrderByColumn(QubitAclPermission::GROUP_ID);
// Check 'last-in' permissions first
- $criteria->addDescendingOrderyByColumn(QubitAclPermission::ID);
+ $criteria->addDescendingOrderByColumn(QubitAclPermission::ID);
- return checkAcoPermissionChain($acoChain, $criteria, $options);
+ return self::checkAcoPermissionChain($acoChain, $criteria, $options);
}
protected static function checkAcoPermissionChain($acoChain, $criteria,
$options = array())
@@ -168,24 +170,25 @@
}
$aco = array_shift($acoChain);
- $acoCriteria = self::addObjectCriteria($criteria, $aco);
+ $acoCriteria = clone $criteria;
+ $acoCriteria = self::addObjectCriteria($acoCriteria, $aco->id);
if (0 < count($permissions = QubitAclPermission::get($acoCriteria)))
{
$authorize = self::checkPermissionList($permissions, $parameters);
}
// If 'inherit' work way up aco chain
- if (self::INHERIT == $authorize)
+ if (self::INHERIT == $authorize && null != $acoChain)
{
if (0 < count($acoChain))
{
- $authorize = self::checkAcoPermissionChain($acoChain, $criteria,
$options = array());
+ $authorize = self::checkAcoPermissionChain($acoChain, $criteria,
$options);
}
else
{
// Check for global (objectId == null) permissions if specific
// permissions for ACO chain are not found
- $authorize = self::checkAcoPermissionChain(null, $criteria, $options =
array());
+ $authorize = self::checkAcoPermissionChain(null, $criteria, $options);
}
}
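Review bot: The new guard `null != $acoChain` uses loose comparison, and in PHP an empty array compares equal to null. Once `array_shift()` has consumed the last ACO the guard is therefore false, and the `else` branch that checks global (objectId == null) permissions can no longer be reached. The result then stays at INHERIT and whatever the caller does with INHERIT decides access. A strict test, `if (self::INHERIT == $authorize && null !== $acoChain)`, would stop the recursion only after the global pass. The start of `checkAcoPermissionChain()` is outside the hunk, so the null case may already be handled there before `array_shift()` runs.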
@@ -196,7 +199,7 @@
{
if (null == $objectId)
{
- $criteria->add(QubitAclPermission::OBJECT_ID, null, Criteria::IS_NULL);
+ $criteria->add(QubitAclPermission::OBJECT_ID, null, Criteria::ISNULL);
}
else
{
@@ -214,7 +217,7 @@
// precedence)
foreach ($permissions as $permission)
{
- $grantDeny = $permission->check($permission->userId, $permission->acoId,
$permission->actionId, $parameters);
+ $grantDeny = $permission->check($permission->userId,
$permission->objectId, $permission->actionId, $parameters);
$permission->debug($parameters);
if (null != $grantDeny)
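Review bot: `check()` is called here with the permission's own `userId`, `objectId` and `actionId`, so the equality tests inside `QubitAclPermission::check()` compare each field with itself. Only `evaluateConditional()` can change the outcome, and the `hasGroup()` alternative added in this commit is never evaluated because the left side of the `||` is always true. If the criteria built by the callers are meant to be the only user/object filter, a comment saying so would help; otherwise the requesting user's id and the ACO id need to be passed down to this loop. Separately, `null != $grantDeny` is a loose test, so it should become `null !== $grantDeny` if a deny can be stored as 0 or false (the constants are not visible here).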
Modified: trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php Thu Sep 17
14:02:36 2009 (r3376)
+++ trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php Thu Sep 17
14:03:59 2009 (r3377)
@@ -21,8 +21,10 @@
{
public function check($userId, $objectId, $actionId, $parameters = array())
{
+ $user = QubitUser::getById($userId);
+
if (
- $userId == $this->userId &&
+ ($userId == $this->userId || $user->hasGroup($this->groupId)) &&
$objectId == $this->objectId &&
$actionId == $this->actionId &&
$this->evaluateConditional($parameters))
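Review bot: `$user` is dereferenced without a null check, so if `QubitUser::getById()` returns null (unknown id, or a null `$userId` for a group-only permission row) the `$user->hasGroup()` call is a fatal error inside the access check. Guarding it, `($userId == $this->userId || (null !== $user && $user->hasGroup($this->groupId)))`, keeps a missing user from aborting the request. The lookup also runs once per permission row, so it could be deferred until the `userId` comparison has failed. The body of `check()` continues outside the hunk.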
@@ -92,6 +94,10 @@
{
$conditional = str_replace('%p['.$match.']',
'\''.$parameters[$match].'\'', $conditional);
}
+ else
+ {
+ $conditional = str_replace('%p['.$match.']', '\'0\'', $conditional);
+ }
}
}
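Review bot: Substituting `'0'` for a missing parameter makes "parameter not supplied" indistinguishable from a real value of 0, so a conditional written as `%p[x] != 5` or `%p[x] == 0` becomes true when the caller simply omitted `x`. For an access check it is safer to make the whole conditional fail when a referenced parameter is absent, for example by returning false from `evaluateConditional()` at that point. The neighbouring branch also interpolates `$parameters[$match]` between single quotes without escaping. If the resulting string is later evaluated as an expression (not visible in this hunk), the value should be escaped or compared without building code text.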
@@ -103,11 +109,13 @@
{
$debug = 'permission_'.$this->id.'( ';
$debug .= 'userId: '.$this->userId.', ';
+ $debug .= 'groupId: '.$this->groupId.', ';
$debug .= 'objectId: '.$this->objectId.', ';
$debug .= 'actionId: '.$this->actionId.', ';
- $debug .= 'parameters: array('.print_r($parameters).'))<br />';
- $debug .= "\n";
-
+ $debug .= 'grantDeny: '.$this->grantDeny.' )';
+ $debug .= "<br />\n";
echo $debug;
+
+ //var_dump($parameters);
}
}
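Review bot: `debug()` still echoes straight into the response, and `checkPermissionList()` calls it for every permission row, so every checked page prints user, group and object ids and the grant/deny value to whoever is viewing it. The output should go to the application log, or be gated behind a debug setting that is off by default, rather than `echo`. The commented-out `//var_dump($parameters);` should be removed instead of committed.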