Index: openacs-4/packages/acs-tcl/tcl/acs-permissions-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/acs-permissions-procs.tcl,v
diff -u -N -r1.15 -r1.16
--- openacs-4/packages/acs-tcl/tcl/acs-permissions-procs.tcl 25 Sep 2003 12:23:17 -0000 1.15
+++ openacs-4/packages/acs-tcl/tcl/acs-permissions-procs.tcl 16 Oct 2003 23:06:29 -0000 1.16
@@ -8,145 +8,190 @@
}
-namespace eval permission {
+namespace eval permission {}
- # define cache_p to be 0 here. Note that it is redefined on init to be
- # the value of the PermissionCacheP kernel parameter.
- # see request-processor-init.tcl
- ad_proc cache_p {} {
- returns 0 or 1 depending if permission_p caching is enabled or disabled.
- by default caching is disabled.
- } {
- return 0
+# define cache_p to be 0 here. Note that it is redefined on init to be
+# the value of the PermissionCacheP kernel parameter.
+# see request-processor-init.tcl
+ad_proc permission::cache_p {} {
+ returns 0 or 1 depending if permission_p caching is enabled or disabled.
+ by default caching is disabled.
+} {
+ return 0
+}
+
+ad_proc -public permission::grant {
+ {-party_id:required}
+ {-object_id:required}
+ {-privilege:required}
+} {
+ grant privilege Y to party X on object Z
+} {
+ db_exec_plsql grant_permission {}
+ util_memoize_flush "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege"
+}
+
+ad_proc -public permission::revoke {
+ {-party_id:required}
+ {-object_id:required}
+ {-privilege:required}
+} {
+ revoke privilege Y from party X on object Z
+} {
+ db_exec_plsql revoke_permission {}
+ util_memoize_flush "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege"
+}
+
+# args to permission_p and permission_p_no_cache must match
+ad_proc -public permission::permission_p {
+ {-no_cache:boolean}
+ {-party_id ""}
+ {-object_id:required}
+ {-privilege:required}
+} {
+ does party X have privilege Y on object Z
+
+ @param nocache force loading from db even if cached (flushes cache as well)
+ @param party_id if null then it is the current user_id
+} {
+ if {[empty_string_p $party_id]} {
+ set party_id [ad_conn user_id]
}
-
- ad_proc -public grant {
- {-party_id:required}
- {-object_id:required}
- {-privilege:required}
- } {
- grant privilege Y to party X on object Z
- } {
- db_exec_plsql grant_permission {}
+ if { $no_cache_p || ![permission::cache_p] } {
util_memoize_flush "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege"
+ return [permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege]
+ } else {
+ return [util_memoize "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege" \
+ [parameter::get -package_id [ad_acs_kernel_id] -parameter PermissionCacheTimeout -default 300]]
}
+}
- ad_proc -public revoke {
- {-party_id:required}
- {-object_id:required}
- {-privilege:required}
- } {
- revoke privilege Y from party X on object Z
- } {
- db_exec_plsql revoke_permission {}
- util_memoize_flush "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege"
+
+# accepts nocache to match permission_p arguments
+# since we alias it to permission::permission_p if
+# caching disabled.
+ad_proc -private permission::permission_p_not_cached {
+ {-no_cache:boolean}
+ {-party_id ""}
+ {-object_id:required}
+ {-privilege:required}
+} {
+ does party X have privilege Y on object Z
+
+ @see permission::permission_p
+} {
+ if {[empty_string_p $party_id]} {
+ set party_id [ad_conn user_id]
}
+ return [db_0or1row select_permission_p {}]
+}
- # args to permission_p and permission_p_no_cache must match
- ad_proc -public permission_p {
- {-no_cache:boolean}
- {-party_id ""}
- {-object_id:required}
- {-privilege:required}
- } {
- does party X have privilege Y on object Z
-
- @param nocache force loading from db even if cached (flushes cache as well)
- @param party_id if null then it is the current user_id
- } {
- if {[empty_string_p $party_id]} {
- set party_id [ad_conn user_id]
+ad_proc -public permission::require_permission {
+ {-party_id ""}
+ {-object_id:required}
+ {-privilege:required}
+} {
+ require that party X have privilege Y on object Z
+} {
+ if {[empty_string_p $party_id]} {
+ set party_id [ad_conn user_id]
+ }
+
+ if {![permission_p -party_id $party_id -object_id $object_id -privilege $privilege]} {
+ if {!${party_id}} {
+ ad_maybe_redirect_for_registration
+ } else {
+ ns_log notice "$party_id doesn't have $privilege on object $object_id"
+ ad_return_forbidden \
+ "Permission Denied" \
+ "
+ You don't have permission to $privilege [db_string name {}].
+
"
}
- if { $no_cache_p || ![permission::cache_p] } {
- util_memoize_flush "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege"
- return [permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege]
- } else {
- return [util_memoize "permission::permission_p_not_cached -party_id $party_id -object_id $object_id -privilege $privilege" \
- [parameter::get -package_id [ad_acs_kernel_id] -parameter PermissionCacheTimeout -default 300]]
- }
+
+ ad_script_abort
}
+}
+ad_proc -public permission::inherit_p {
+ {-object_id:required}
+} {
+ does this object inherit permissions
+} {
+ return [db_string select_inherit_p {} -default 0]
+}
- # accepts nocache to match permission_p arguments
- # since we alias it to permission::permission_p if
- # caching disabled.
- ad_proc -private permission_p_not_cached {
- {-no_cache:boolean}
- {-party_id ""}
- {-object_id:required}
- {-privilege:required}
- } {
- does party X have privilege Y on object Z
+ad_proc -public permission::toggle_inherit {
+ {-object_id:required}
+} {
+ toggle whether or not this object inherits permissions from it's parent
+} {
+ db_dml toggle_inherit {}
+}
- @see permission::permission_p
- } {
- if {[empty_string_p $party_id]} {
- set party_id [ad_conn user_id]
- }
- return [db_0or1row select_permission_p {}]
- }
+ad_proc -public permission::set_inherit {
+ {-object_id:required}
+} {
+ set inherit to true
+} {
+ db_dml set_inherit {}
+}
- ad_proc -public require_permission {
- {-party_id ""}
- {-object_id:required}
- {-privilege:required}
- } {
- require that party X have privilege Y on object Z
- } {
- if {[empty_string_p $party_id]} {
- set party_id [ad_conn user_id]
- }
+ad_proc -public permission::set_not_inherit {
+ {-object_id:required}
+} {
+ set inherit to false
+} {
+ db_dml set_not_inherit {}
+}
- if {![permission_p -party_id $party_id -object_id $object_id -privilege $privilege]} {
- if {!${party_id}} {
- ad_maybe_redirect_for_registration
- } else {
- ns_log notice "$party_id doesn't have $privilege on object $object_id"
- ad_return_forbidden \
- "Permission Denied" \
- "
- You don't have permission to $privilege [db_string name {}].
-
"
- }
+ad_proc -public permission::write_permission_p {
+ {-object_id:required}
+ {-creation_user ""}
+} {
+ Returns whether a user is allowed to edit an object.
+ The logic is that you must have either write permission,
+ or you must be the one who created the object.
- ad_script_abort
- }
- }
+ @param object_id The object you want to check write permissions for
+ @param creation_user Optionally specify creation_user directly as an optimization. Otherwise a query will be executed.
+ @return True (1) if user has permission to edit the object, 0 otherwise.
- ad_proc -public inherit_p {
- {-object_id:required}
- } {
- does this object inherit permissions
- } {
- return [db_string select_inherit_p {} -default 0]
+ @see permission::require_write_permission
+} {
+ if { [permission::permission_p -privilege write -object_id $object_id] } {
+ return 1
}
-
- ad_proc -public toggle_inherit {
- {-object_id:required}
- } {
- toggle whether or not this object inherits permissions from it's parent
- } {
- db_dml toggle_inherit {}
+ if { [empty_string_p $creation_user] } {
+ set creation_user [acs_object::get_element -object_id $object_id -element creation_user]
}
-
- ad_proc -public set_inherit {
- {-object_id:required}
- } {
- set inherit to true
- } {
- db_dml set_inherit {}
+ if { [ad_conn user_id] == $creation_user } {
+ return 1
}
+ return 0
+}
- ad_proc -public set_not_inherit {
- {-object_id:required}
- } {
- set inherit to false
- } {
- db_dml set_not_inherit {}
- }
+ad_proc -public permission::require_write_permission {
+ {-object_id:required}
+ {-creation_user ""}
+ {-action "edit"}
+} {
+ If the user is not allowed to edit this object, returns a permission denied page.
+ @param creation_user Optionally specify creation_user directly as an optimization. Otherwise a query will be executed.
+
+ @see permission::write_permission_p
+} {
+ if { ![permission::write_permission_p -object_id $object_id] } {
+ ad_return_forbidden "Permission Denied" "
+ You don't have permission to $action this object.
+
"
+ ad_script_abort
+ }
}
+
+
ad_proc -deprecated ad_permission_grant {
user_id
object_id