fixed bug in permissions (node was displayed even with external_access=no)

[mirrors/Kyberia-bloodline.git] / wwwroot / backend / mysql / permissions.inc

diff --git a/wwwroot/backend/mysql/permissions.inc b/wwwroot/backend/mysql/permissions.inc
index 78e85565fae14a2f4af93e5c12524f106dc81e33..6ef959610a41be99105e7433cf45730f8461abf2 100644 (file)
--- a/wwwroot/backend/mysql/permissions.inc
+++ b/wwwroot/backend/mysql/permissions.inc
@@ -3,12 +3,28 @@
 class permissions {
 
 //trillion lights to Hierarchy!
-function checkPerms($node) {
+//$node input parameter can be a numeric node_id of a node-to-be-checked or a hash containing node_id,node_vector
+public static function checkPerms($node) {
     // new permissions checking
     global $db;
-       $node_id=$node['node_id'];
-       $node_vector=$node['node_vector'];
-    $user_id = $_SESSION['user_id'];
+       
+       if (is_array($node)) {
+               $node_id=$node['node_id'];
+               $node_vector=$node['node_vector'];
+       }
+
+       elseif (is_numeric($node)) {
+               $node_id=$node;
+       }
+       
+
+       if (empty($node_vector)) {
+               $set=$db->query("select node_vector from  nodes where node_id='$node_id'");
+               $set->next();
+               $node_vector=$set->getString('node_vector');
+       }
+       
+       $user_id=(empty($_SESSION['user_id'])) ? "" : $_SESSION['user_id'];
 
     $perms['r'] = 0;
     $perms['w'] = 0;
@@ -22,6 +38,7 @@ function checkPerms($node) {
     $nv_arr = str_split($node_vector, VECTOR_CHARS);
     $nv_arr = array_map('intval', $nv_arr);
     $node_list = implode(', ', $nv_arr);
+       $node_list.=",$node_id";
 
     $q_np = sprintf('select n.node_id, n.node_creator, length(n.node_vector) as nv_length
                           , n.node_system_access, n.node_external_access, na.node_permission
@@ -30,6 +47,7 @@ function checkPerms($node) {
                                              and na.user_id = %d
                      where n.node_id in(%s)
                      order by nv_length desc', $user_id, $node_list);
+
     $qr_np = $db->query($q_np);
 
     while ($qr_np->next()) {
@@ -40,6 +58,20 @@ function checkPerms($node) {
             $perms['node_system_access']   = $qr_np->getString('node_system_access');
             $perms['node_external_access'] = $qr_np->getString('node_external_access');
 
+        // external access must go first
+            if ($user_id == "") {
+                if ($perms['node_system_access'] != 'private'
+                && $perms['node_external_access'] == 'yes') {
+                        $perms['r'] = 1;
+                        $perms['w'] = 0;
+                    break;
+                } else {
+                        $perms['r'] = 0;
+                        $perms['w'] = 0;
+                    break;
+                }
+            }
+
             // r/w prava podla system accessu
             if ($perms['node_system_access'] == 'public') {
                 $perms['r'] = 1;
@@ -61,14 +93,6 @@ function checkPerms($node) {
                 break;
             }
 
-            if ($perms['node_system_access'] != 'private'
-                && !$_SESSION['user_id']
-                && $perms['node_external_access'] == 'yes') {
-                    $perms['r'] = 1;
-                    $perms['w'] = 0;
-                    break;
-            }
-
         } // if ($perms['node_permission'] == '' && $perms['node_system_access'] == '')
         else {
             // ked som v public alebo moderated fore a dalsie nadradene su uz privatne
@@ -109,7 +133,7 @@ function checkPerms($node) {
             break;
         }
 
-        if ($qr_np->getInt('node_creator') == $user_id) {
+        if ($qr_np->getString('node_creator') == $user_id) {
             $perms['node_permission'] = 'owner';
             $perms['r'] = 1;
             $perms['w'] = 1;
@@ -122,4 +146,4 @@ function checkPerms($node) {
 
 }
 
-?>
\ No newline at end of file
+?>