From 1b1f3944f5d59e711ae41d09bd88551ab37120b5 Mon Sep 17 00:00:00 2001
From: Steve Hackbarth
Date: Fri, 4 Jan 2013 12:42:34 -0500
Subject: [PATCH] issue #18861: compound privilege checking
---
source/xt/javascript/data.sql | 40 ++++++++++++++++++++++++-----------
1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/source/xt/javascript/data.sql b/source/xt/javascript/data.sql
index 7dfe16d..572e397 100644
--- a/source/xt/javascript/data.sql
+++ b/source/xt/javascript/data.sql
@@ -213,21 +213,37 @@ select xt.install_js('XT','Data','xtuple', $$ @returns {Boolean} */ checkPrivilege: function (privilege) { - var ret = privilege, - sql = 'select coalesce(userpriv_priv_id, userrolepriv_priv_id, -1) > 0 as granted ' + - 'from xt.priv ' + - 'left join xt.userpriv on (priv_id=userpriv_priv_id) and (userpriv_username=$1) ' + - 'left join ( ' + - ' select distinct userrolepriv_priv_id ' + - ' from xt.userrolepriv ' + - ' join xt.useruserrole on (userrolepriv_userrole_id=useruserrole_userrole_id) and (useruserrole_username=$1) ' + - ' ) userrolepriv on (userrolepriv_priv_id=priv_id) ' + - 'where priv_name = $2;'; + var privArray, + ret = privilege, + i, + res, + sql; if (typeof privilege === 'string') { + if (!this._granted) { this._granted = {}; } if (this._granted[privilege] !== undefined) { return this._granted[privilege]; } - var res = plv8.execute(sql, [ XT.username, privilege ]), - ret = res.length ? res[0].granted : false; + + /* The privilege name is allowed to be a set of space-delimited privileges */ + /* If a user has any of the applicable privileges then they get access */ + privArray = privilege.split(" "); + sql = 'select coalesce(userpriv_priv_id, userrolepriv_priv_id, -1) > 0 as granted ' + + 'from xt.priv ' + + 'left join xt.userpriv on (priv_id=userpriv_priv_id) and (userpriv_username=$1) ' + + 'left join ( ' + + ' select distinct userrolepriv_priv_id ' + + ' from xt.userrolepriv ' + + ' join xt.useruserrole on (userrolepriv_userrole_id=useruserrole_userrole_id) and (useruserrole_username=$1) ' + + ' ) userrolepriv on (userrolepriv_priv_id=priv_id) ' + + 'where priv_name = $2'; + + for(i = 1; i < privArray.length; i++) { + sql = sql + ' or priv_name = $' + (i + 2); + } + sql = sql + ";"; + /* cleverness: the query parameters are just the priv array with the username tacked on front */ + privArray.unshift(XT.username); + res = plv8.execute(sql, privArray), + ret = res.length ? 
res[0].granted : false; /* memoize */ this._granted[privilege] = ret; }
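Review bot: Only the first returned row decides the result at `ret = res.length ? res[0].granted : false;`, although the query now matches one `xt.priv` row per space-delimited name and has no `order by`. A user who holds only one of the listed privileges can therefore be denied depending on row order, which contradicts the added comment that any applicable privilege grants access, and the wrong answer is then memoized under the compound key. Scanning every row fixes it, e.g. `ret = res.some(function (row) { return row.granted; });`, or the query can aggregate with `bool_or`. Separately, the cache is a plain `{}` read with `this._granted[privilege] !== undefined`, so a name such as `constructor` resolves to an inherited property and is returned as truthy without running the query; if privilege names can ever originate outside the ORM definitions (not visible here), guard the lookup with `Object.prototype.hasOwnProperty.call(this._granted, privilege)`. The body of `checkPrivilege` continues outside the hunk.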