Author: sevein
Date: Fri Dec 4 13:20:46 2009
New Revision: 4094
Log:
Add more ACL checks and adjust the ones added previously so that they check
against the current infoObject.
Modified:
trunk/apps/qubit/modules/digitalobject/actions/deleteAction.class.php
trunk/apps/qubit/modules/digitalobject/actions/showFullScreenAction.class.php
trunk/apps/qubit/modules/digitalobject/actions/updateAction.class.php
trunk/apps/qubit/modules/digitalobject/actions/uploadAction.class.php
Modified: trunk/apps/qubit/modules/digitalobject/actions/deleteAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/digitalobject/actions/deleteAction.class.php
Fri Dec 4 12:39:27 2009 (r4093)
+++ trunk/apps/qubit/modules/digitalobject/actions/deleteAction.class.php
Fri Dec 4 13:20:46 2009 (r4094)
@@ -38,12 +38,12 @@
$parent = $digitalObject->getParent();
if (null == $parent)
{
- $informationObject = $digitalObject->getInformationObject();
+ $informationObject = $digitalObject->informationObject;
$this->forward404Unless($informationObject);
}
// Check user authorization
- if (!QubitAcl::check(QubitInformationObject::getRoot(),
QubitAclAction::DELETE_ID))
+ if (!QubitAcl::check($digitalObject->informationObject,
QubitAclAction::DELETE_ID))
{
QubitAcl::forwardUnauthorized();
}
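Review bot: The new check passes `$digitalObject->informationObject` straight to QubitAcl::check, but the lines just above only resolve and 404-guard an information object when the digital object has no parent, so for a child object whose own informationObject is unset the resource handed to the check may be null, and what check() does with a null resource is not visible here. It would be safer to resolve the information object once through the top ancestor, as showFullScreenAction in this same commit does, and use it for both the 404 guard and the authorization: `$informationObject = $digitalObject->getTopAncestorOrSelf()->informationObject;`, `$this->forward404Unless($informationObject);`, `if (!QubitAcl::check($informationObject, QubitAclAction::DELETE_ID))`. Whether a child's informationObject can actually be null depends on the model, which is not shown. execute() begins and ends outside this hunk.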
Modified:
trunk/apps/qubit/modules/digitalobject/actions/showFullScreenAction.class.php
==============================================================================
---
trunk/apps/qubit/modules/digitalobject/actions/showFullScreenAction.class.php
Fri Dec 4 12:39:27 2009 (r4093)
+++
trunk/apps/qubit/modules/digitalobject/actions/showFullScreenAction.class.php
Fri Dec 4 13:20:46 2009 (r4094)
@@ -32,10 +32,16 @@
$this->digitalObject =
QubitDigitalObject::getById($this->getRequestParameter('id'));
$this->forward404Unless($this->digitalObject);
+ // Check user authorization
+ if (!QubitAcl::check($this->digitalObject->informationObject,
QubitAclAction::READ_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
// Get ancestor information object
$this->informationObject =
$this->digitalObject->getTopAncestorOrSelf()->getInformationObject();
$this->forward404Unless($this->informationObject);
-
+
// Get refering page for "back" link
$this->referer = $this->getRequest()->getReferer();
}
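Review bot: The READ check runs against `$this->digitalObject->informationObject` before the action resolves, from the top ancestor on the following lines, the information object it actually renders, so the authorization decision and the displayed resource can be two different objects, or the check can receive null if the child has no informationObject of its own. Moving the check below the `forward404Unless($this->informationObject)` line and testing the resolved object ties the decision to what is shown: `if (!QubitAcl::check($this->informationObject, QubitAclAction::READ_ID))`. Whether a child's informationObject can differ from its ancestor's is not visible here. execute() starts before this hunk.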
Modified: trunk/apps/qubit/modules/digitalobject/actions/updateAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/digitalobject/actions/updateAction.class.php
Fri Dec 4 12:39:27 2009 (r4093)
+++ trunk/apps/qubit/modules/digitalobject/actions/updateAction.class.php
Fri Dec 4 13:20:46 2009 (r4094)
@@ -34,7 +34,7 @@
$this->forward404Unless($digitalObject);
// Check user authorization
- if (!QubitAcl::check(QubitInformationObject::getRoot(),
QubitAclAction::UPDATE_ID))
+ if (!QubitAcl::check($digitalObject->informationObject,
QubitAclAction::UPDATE_ID))
{
QubitAcl::forwardUnauthorized();
}
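Review bot: Unlike deleteAction in the same commit, this check uses `$digitalObject->informationObject` with no handling for digital objects that have a parent, so for a child object the resource passed to QubitAcl::check may be null or unrelated to the description being edited, depending on the model. Resolving through the top ancestor would make the three actions consistent: `if (!QubitAcl::check($digitalObject->getTopAncestorOrSelf()->informationObject, QubitAclAction::UPDATE_ID))`. A short comment stating which information object authorizes the update would also help, e.g. `// Authorize against the information object that owns this digital object (its top ancestor's, for derivatives)`. execute() begins and ends outside this hunk.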
Modified: trunk/apps/qubit/modules/digitalobject/actions/uploadAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/digitalobject/actions/uploadAction.class.php
Fri Dec 4 12:39:27 2009 (r4093)
+++ trunk/apps/qubit/modules/digitalobject/actions/uploadAction.class.php
Fri Dec 4 13:20:46 2009 (r4094)
@@ -21,6 +21,12 @@
{
public function execute($request)
{
+ // Check user authorization
+ if (!QubitAcl::check(QubitInformationObject::getRoot(),
QubitAclAction::UPDATE_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
sfLoader::loadHelpers('Qubit');
$uploadFiles = array();
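Review bot: The new check is against `QubitInformationObject::getRoot()` rather than the information object the uploaded files will be attached to, which is exactly the coarser pattern the other hunks in this commit are replacing: a user granted UPDATE on a specific description but not on the root is refused, and root-level UPDATE is accepted regardless of any narrower rule on the target, assuming the ACL supports per-object rules as the other hunks suggest. If the target information object is resolved from the request later in execute() (not visible here), the check should move after that resolution and use it: `if (!QubitAcl::check($informationObject, QubitAclAction::UPDATE_ID))`. If the root-level gate is intentional, say so, e.g. `// Upload is gated at the root; per-object UPDATE is checked when the digital object is attached` — provided that second check actually exists. execute() continues past this hunk.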