stian/gallery3
1
0
Fork 0
mirror of https://github.com/Pathduck/gallery3.git synced 2026-05-20 03:19:13 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
f28353f4e1c573a33dc1c3375585ab040f8be2fc
gallery3/modules/gallery/controllers/permissions.php
Bharat Mediratta 14ba8505cc Don't allow users to take away their own edit permissions. If we 
detect that they did, just give it back.  There's no visible message
in that case.
2009-09-06 11:45:41 -07:00

92 lines
2.7 KiB
PHP
Raw Blame History

<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Permissions_Controller extends Controller {
function browse($id) {
$item = ORM::factory("item", $id);
access::required("view", $item);
access::required("edit", $item);
if (!$item->is_album()) {
access::forbidden();
}
$view = new View("permissions_browse.html");
$view->htaccess_works = access::htaccess_works();
$view->item = $item;
$view->parents = $item->parents();
$view->form = $this->_get_form($item);
print $view;
}
function form($id) {
$item = ORM::factory("item", $id);
access::required("view", $item);
access::required("edit", $item);
if (!$item->is_album()) {
access::forbidden();
}
print $this->_get_form($item);
}
function change($command, $group_id, $perm_id, $item_id) {
access::verify_csrf();
$group = ORM::factory("group", $group_id);
$perm = ORM::factory("permission", $perm_id);
$item = ORM::factory("item", $item_id);
access::required("view", $item);
access::required("edit", $item);
if ($group->loaded && $perm->loaded && $item->loaded) {
switch($command) {
case "allow":
access::allow($group, $perm->name, $item);
break;
case "deny":
access::deny($group, $perm->name, $item);
break;
case "reset":
access::reset($group, $perm->name, $item);
break;
}
// If the active user just took away their own edit permissions, give it back.
if ($perm->name == "edit") {
if (!access::user_can(user::active(), "edit", $item)) {
access::allow($group, $perm->name, $item);
}
}
}
}
function _get_form($item) {
$view = new View("permissions_form.html");
$view->item = $item;
$view->groups = ORM::factory("group")->find_all();
$view->permissions = ORM::factory("permission")->find_all();
return $view;
}
}
Reference in New Issue View Git Blame Copy Permalink