Changeset 2850

Timestamp:

11/23/08 21:35:41 (7 weeks ago)

Author:

bjohnson

Message:

Converting ACL class to use a bitmask permission flag. Almost guaranteed to
have bugs.

Location:

trunk/htdocs/system/classes

Files:

• acl.php (modified) (9 diffs)
• bitmask.php (modified) (1 diff)

trunk/htdocs/system/classes/acl.php

@@ -24 +24 @@
     const ACCESS_NONEXISTANT_PERMISSION = true;
 
-    private static $access_ids = array();
-    private static $access_names = array();
-
-    /**
-     * Static initializer to fill the $access_ids array
-     */
-    public static function __static()
-    {
-        /*self::$access_ids = DB::get_keyvalue( 'SELECT name, id FROM {permissions};' );
-
-        if ( ! isset(self::$access_ids) ) {
-            self::$access_ids = array();
-        }
-        */
-        self::$access_ids = array( 0 => 'read', 1 => 'write', 2 => 'deny' );
-        self::$access_names = array_flip( self::$access_ids );
-    }
-
-    /**
-     * Convert a permission access name (read, write, denied) into an ID
-     * @param string The access name
-     * @return mixed the ID of the permission, or boolean FALSE if it does not exist
-     **/
-    public static function access_id( $name )
-    {
-        // if $name is numeric, assume it is already an access ID
-        if ( is_numeric( $name ) ) {
-            return $name;
-        }
-        return isset( self::$access_ids[$name] ) ? self::$access_ids[$name] : FALSE;
-    }
-
-    /**
-     * Convert a permission access ID into a name
-     * @param ID The access ID
-     * @return mixed the name of the permission, or boolean FALSE if it does not exist
-     **/
-    public static function access_name( $id )
-    {
-        // if $id is not numeric, assume it is already an access name
-        if ( ! is_numeric( $id ) ) {
-            return $id;
-        }
-        return isset( self::$access_names[$id] ) ? self::$access_names[$id] : FALSE;
-    }
-
-    /**
-     * Check access. Implements hierarchy of access terms.
-     * @param mixed $access_given The ID or name of the access given
-     * @param mixed $access_check The ID or name of the access to check against
+    private static $access_names = array( 'read', 'write' );
+
+    /**
+     * Check the permission bitmask for a particular access type.
+     * @param mixed $permission The permission bitmask
+     * @param mixed $access The name of the access to check against (read, write, delete)
      * @return bool Returns true if the given access meets exceeds the access to check against
      */
-    public static function access_check( $access_given, $access_check )
-    {
-        $access_given = self::access_name( $access_given );
-        $access_check = self::access_name( $access_check );
-
-        if ( $access_given == 'deny' ) {
-            return false;
-        }
-        if ( $access_given == 'full' ) {
-            return true;
-        }
-        if ( $access_given == 'read' || $access_given == 'write' ) {
-            if ( $access_check == 'full' ) {
-                return false;
-            }
-            if ( $access_given == $access_check ) {
-                return true;
-            }
-            else {
-                return false;
-            }
-        }
-        // unknown access
-        return false;
+    public static function access_check( $permission_flag, $access )
+    {       
+        $bitmask = new Bitmask( self::$access_names, $permission );
+        
+        return $bitmask->$access;
     }
 
@@ -132 +69 @@
         $perm = ACL::token_id( $name );
         $admin = UserGroup::get( 'admin');
-        if( $admin ) {
-            ACL::grant_group( $admin->id, $perm );
+        if ( $admin ) {
+            ACL::grant_group( $admin->id, $perm, 'full' );
         }
 
@@ -259 +196 @@
      * @param mixed $group A group ID or name
      * @param mixed $permission An action ID or name
-     * @param string $access Check for 'read', 'write', or 'full' access
+     * @param string $access Check for 'read', 'write', or 'delete' access
      * @return bool Whether the group can perform the action
     **/
-    public static function group_can( $group, $permission, $access = 'full' )
+    public static function group_can( $group, $permission, $access = 'write' )
     {
         // Use only numeric ids internally
@@ -284 +221 @@
      * @param mixed $user A user object, user ID or a username
      * @param mixed $permission A permission ID or name
-     * @param string $access Check for 'read', 'write', or 'full' access
+     * @param string $access Check for 'read', 'write', or 'delete' access
      * @return bool Whether the user can perform the action
     **/
-    public static function user_can( $user, $permission, $access = 'full' )
+    public static function user_can( $user, $permission, $access = 'write' )
     {
         // Use only numeric ids internally
@@ -339 +276 @@
   ON ug.group_id = gp.group_id
   AND ug.user_id = :user_id
-  AND gp.token_id = :token_id;
+  AND gp.token_id = :token_id
+  ORDER BY gp.permission_id
+  LIMIT 1;
 SQL;
         $result = DB::get_value( $sql, array( ':user_id' => $user_id, ':token_id' => $permission ) );
@@ -355 +294 @@
      * Get all the tokens for a given user with a particular kind of access
      * @param mixed $user A user object, user ID or a username
-     * @param string $access Check for 'read', 'write', or 'full' access
+     * @param string $access Check for 'read' or 'write' access
      * @return array of token IDs
     **/
     public static function user_tokens( $user, $access = 'write' )
     {
-        // convert $user and $access to IDs
+        // convert $user to an ID
         if ( is_numeric( $user ) ) {
             $user_id = $user;
@@ -369 +308 @@
             $user_id = $user->id;
         }
-        $access_id = self::access_id( $access );
-        
-        $tokens = DB::get_results( 'SELECT token_id FROM {user_token_permissions} WHERE user_id = ? AND permission_id = ?', array( $user_id, $access_id) );
+        
+        $result = DB::get_results( 'SELECT token_id, permission_id FROM {user_token_permissions} WHERE user_id = ?', array( $user_id ) );
+        $bitmask = new Bitmask ( self::$access_names );
+        $tokens = array();
+
+        foreach ( $result as $token ) {
+            $bitmask->value = $token->permission_id;
+            if ( $bitmask->$access ) {
+                $tokens[] = $token->token_id;
+            }
+        }
         return $tokens;
     }
@@ -384 +331 @@
     public static function grant_group( $group_id, $token_id, $access = 'full' )
     {
+        $permission_id = DB::get_value( 'SELECT permission_id FROM {group_token_permissions} WHERE group_id=? AND token_id=?',
+            array( $group_id, $token_id ) );
+        if ( $permission_id ===  false ) {
+            $permission_id = 0; // default is 'deny' (bitmask 0)
+        }
+        
+        $bitmask = new Bitmask( self::$access_names, $permission_id );
+        
+        if ( $access == 'full' || $access == 'deny' ) {
+            if ( $access == 'full' ) {
+                $access = true;
+            }
+            else {
+                $access = false;
+            }
+            foreach ( self::$access_names as $access_name ) {
+                $bitmask->$access_name = $access;
+            }
+        }
+        else {
+            $bitmask->$access = true;
+        }
+
         // DB::update will insert if the token is not already in the group tokens table
         $result = DB::update(
             '{group_token_permissions}',
-            array( 'permission_id' => self::$access_ids[$access] ),
+            array( 'permission_id' => $bitmask->value ),
             array( 'group_id' => $group_id, 'token_id' => self::token_id( $token_id ) )
         );
@@ -406 +376 @@
     public static function grant_user( $user_id, $token_id, $access = 'full' )
     {
+        $permission_id = DB::get_value( 'SELECT permission_id FROM {user_token_permissions} WHERE group_id=? AND token_id=?',
+            array( $user_id, $token_id ) );
+        if ( $permission_id ===  false ) {
+            $permission_id = 0; // default is 'deny' (bitmask 0)
+        }
+        
+        $bitmask = new Bitmask( self::$access_names, $permission_id );
+        
+        if ( $access == 'full' || $access == 'deny' ) {
+            if ( $access == 'full' ) {
+                $access = true;
+            }
+            else {
+                $access = false;
+            }
+            foreach ( self::$access_names as $access_name ) {
+                $bitmask->$access_name = $access;
+            }
+        }
+        else {
+            $bitmask->$access = true;
+        }
+
         $result = DB::update(
             '{user_token_permissions}',
-            array( 'permission_id' => self::$access_ids[$access] ),
+            array( 'permission_id' => $bitmask->value ),
             array( 'user_id' => $user_id, 'token_id' => self::token_id( $token_id ) )
         );

trunk/htdocs/system/classes/bitmask.php

@@ -5 +5 @@
 class Bitmask {
     public $flags = array();  // set of flag bit masks
-    protected $value = 0;        // internal integer value of the bitmask
+    public $value = 0;        // internal integer value of the bitmask
 
     /**