Interim commit

collectiveaccess · Jun 4, 2012 · db9e7ad · db9e7ad
1 parent 60765f4
commit db9e7ad
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 5 deletions.
diff --git a/app/conf/app.conf b/app/conf/app.conf
@@ -12,7 +12,6 @@ session_domain =
 # -------------------
 # Search engine configuration
 # -------------------
-#search_engine_plugin = MysqlFulltext
 #search_engine_plugin = Solr
 search_engine_plugin = SqlSearch
 
@@ -811,4 +810,5 @@ default_type_access_level = __CA_BUNDLE_ACCESS_EDIT__
 # -------------------------
 # Item-level access control
 # -------------------------
+perform_item_level_access_checking = 1
 default_item_access_level = __CA_BUNDLE_ACCESS_EDIT__
diff --git a/app/lib/ca/BundlableLabelableBaseModelWithAttributes.php b/app/lib/ca/BundlableLabelableBaseModelWithAttributes.php
@@ -897,6 +897,14 @@ public function isSaveable($po_request) {
 			}
 		}
 
+		// Check item level restrictions
+		if ((bool)$this->getAppConfig()->get('perform_item_level_access_checking')) {
+			$vn_item_access = $this->checkACLAccessForUser($po_request->user);
+			if ($vn_item_access < __CA_ACL_EDIT_ACCESS__) {
+				return false;
+			}
+		}
+
  		// Check actions
  		if (!$this->getPrimaryKey() && !$po_request->user->canDoAction('can_create_'.$this->tableName())) {
  			return false;
@@ -923,6 +931,14 @@ public function isDeletable($po_request) {
 			}
 		}
 
+		// Check item level restrictions
+		if ((bool)$this->getAppConfig()->get('perform_item_level_access_checking')) {
+			$vn_item_access = $this->checkACLAccessForUser($po_request->user);
+			if ($vn_item_access < __CA_ACL_EDIT_DELETE_ACCESS__) {
+				return false;
+			}
+		}
+
  		// Check actions
  		if (!$this->getPrimaryKey() && !$po_request->user->canDoAction('can_delete_'.$this->tableName())) {
  			return false;
@@ -4081,6 +4097,17 @@ public function setACLWorldAccess($pn_world_access) {
 
 		return true;
 	}
+	# --------------------------------------------------------------------------------------------		
+	/**
+	 * 
+	 */
+	public function checkACLAccessForUser($t_user) {
+		if (!($vn_id = (int)$this->getPrimaryKey())) { return null; }
+
+		require_once(__CA_MODELS_DIR__.'/ca_acl.php');
+
+		return ca_acl::loadACLForRow($t_user, $this->tableNum(), $vn_id);
+	}
 	# ------------------------------------------------------
 }
 ?>
diff --git a/app/models/ca_acl.php b/app/models/ca_acl.php
@@ -35,6 +35,11 @@
    */
 
 
+define('__CA_ACL_NO_ACCESS__', 0);
+define('__CA_ACL_READ_ACCESS__', 1);
+define('__CA_ACL_EDIT_ACCESS__', 2);
+define('__CA_ACL_DELETE_ACCESS__', 3);
+
  BaseModel::$s_ca_models_definitions['ca_acl'] = array(
  	'NAME_SINGULAR' 	=> _t('access control list'),
  	'NAME_PLURAL' 		=> _t('access control lists'),
@@ -82,10 +87,10 @@
 				'DEFAULT' => '',
 				'LABEL' => _t('Access'), 'DESCRIPTION' => _t('Access'),
 				'BOUNDS_CHOICE_LIST' => array(
-					_t('none') => 0,
-					_t('can read') => 1,
-					_t('can edit') => 2,
-					_t('can edit + delete') => 3
+					_t('none') => __CA_ACL_NO_ACCESS__,
+					_t('can read') => __CA_ACL_READ_ACCESS__,
+					_t('can edit') => __CA_ACL_EDIT_ACCESS__,
+					_t('can edit + delete') => __CA_ACL_EDIT_DELETE_ACCESS__
 				)
 		),
 		'notes' => array(
@@ -200,5 +205,74 @@ public function __construct($pn_id=null) {
 		parent::__construct($pn_id);	# call superclass constructor
 	}
 	# ------------------------------------------------------
+	/** 
+	 *
+	 */
+	public static function loadACLForRow($t_user, $pn_table_num, $pn_row_id) {
+		if (!is_object($t_user)) { $t_user = new ca_users(); }
+		$o_db = new Db();
+
+		$vn_access = null;
+
+		// try to load ACL for user
+		if ($vn_user_id = (int)$t_user->getPrimaryKey()) {
+			$qr_res = $o_db->query("
+				SELECT max(access) a
+				FROM ca_acl
+				WHERE
+					table_num = ? AND row_id = ? AND user_id = ?
+					
+			", (int)$pn_table_num, (int)$pn_row_id, $vn_user_id);
+
+			if ($qr_res->nextRow()) {
+				if (strlen($vs_access = $qr_res->get('a'))) {
+					$vn_access = (int)$vs_access;
+					if ($vn_access >= 3) { return $vn_access; } // max access found so just return
+				}
+			}
+
+			$va_groups = $t_user->getUserGroups();
+			if (is_array($va_groups)) {
+				$va_group_ids = array_keys($va_groups);
+				if (is_array($va_group_ids) && (sizeof($va_group_ids) > 0)) {
+					$qr_res = $o_db->query("
+						SELECT max(access) a 
+						FROM ca_acl
+						WHERE
+							table_num = ? AND row_id = ? AND group_id IN (?)
+							
+					", (int)$pn_table_num, (int)$pn_row_id, $va_group_ids);
+
+					if ($qr_res->nextRow()) {
+						if (strlen($vs_access = $qr_res->get('a'))) {
+							$vn_acl_access = (int)$vs_access;
+							if ($vn_acl_access >= $vn_access) { $vn_access = $vn_acl_access; }
+							if ($vn_access >= 3) { return $vn_access; } // max access found so just return
+						}
+					}
+				}
+			}
+		}
+
+		// Get world access
+		$qr_res = $o_db->query("
+			SELECT max(access) a 
+			FROM ca_acl
+			WHERE
+				table_num = ? AND row_id = ? AND group_id IS NULL AND user_id IS NULL
+				
+		", (int)$pn_table_num, (int)$pn_row_id);
+		if ($qr_res->nextRow()) {
+			if (strlen($vs_access = $qr_res->get('a')) && ((int)$vs_access > $vn_access)) {
+				return (int)$vs_access;
+			}
+		}
+		if (!is_null($vn_access)) { return $vn_access; }
+
+		// If no ACL exists return default
+		$o_config = Configuration::load();
+		return (int)$o_config->get('default_item_access_level');
+	}
+	# ------------------------------------------------------
 }
 ?>