Index: openacs-4/packages/acs-subsite/www/permissions/index-oracle.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/index-oracle.xql,v diff -u -r1.2 -r1.2.4.1 --- openacs-4/packages/acs-subsite/www/permissions/index-oracle.xql 28 Nov 2001 18:39:39 -0000 1.2 +++ openacs-4/packages/acs-subsite/www/permissions/index-oracle.xql 7 Dec 2002 16:06:29 -0000 1.2.4.1 @@ -5,15 +5,17 @@ - - select distinct o.object_id, acs_object.name(o.object_id) as name + select distinct o.object_id, acs_object.name(o.object_id) as name, context_id, object_type, + (case when o.object_id = :root then 0 else 1 end) as child from acs_objects o, all_object_party_privilege_map map where map.object_id = o.object_id and map.party_id = :user_id and map.privilege = 'admin' - + and (o.object_id = :root or o.context_id = :root) + order by child, object_type, name + Index: openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql,v diff -u -r1.4 -r1.4.4.1 --- openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql 13 Dec 2001 02:00:01 -0000 1.4 +++ openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql 7 Dec 2002 16:06:29 -0000 1.4.4.1 
@@ -5,13 +5,14 @@ - - select distinct o.object_id, acs_object__name(o.object_id) as name - from acs_objects o, all_object_party_privilege_map map + select distinct o.object_id, acs_object__name(o.object_id) as name, context_id, object_type, + (case when o.object_id = :root then 0 else 1 end) as child + from acs_objects o, acs_permissions_all map where map.object_id = o.object_id - and map.party_id = :user_id + and map.grantee_id = :user_id and map.privilege = 'admin' - + and (o.object_id = :root or o.context_id = :root) + order by child, object_type, name Fisheye: Tag 1.1 refers to a dead (removed) revision in file `openacs-4/packages/acs-subsite/www/permissions/index.adp'. Fisheye: No comparison available. Pass `N' to diff? Index: openacs-4/packages/acs-subsite/www/permissions/index.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/index.tcl,v diff -u -r1.1.1.1 -r1.1.1.1.4.1 --- openacs-4/packages/acs-subsite/www/permissions/index.tcl 13 Mar 2001 22:59:26 -0000 1.1.1.1 +++ openacs-4/packages/acs-subsite/www/permissions/index.tcl 7 Dec 2002 16:06:29 -0000 1.1.1.1.4.1 @@ -1,46 +1,28 @@ # packages/acs-core-ui/www/permissions/index.tcl - ad_page_contract { - Display all objects that the user has admin on. - - @author rhs@mit.edu - @creation-date 2000-08-29 - @cvs-id $Id$ + Display all objects that the user has admin on. + + Templated and changed to browse heirarchy by davis@xarg.net + since all objects can be a *lot* of objects. + + @author rhs@mit.edu + @creation-date 2000-08-29 + @cvs-id $Id$ +} { + root:trim,integer,optional } set user_id [ad_maybe_redirect_for_registration] -doc_body_append "[ad_header "Permissions"] - -
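Review bot: In index-postgresql.xql the rewritten query matches `map.grantee_id = :user_id` against `acs_permissions_all`, while the Oracle twin still joins `all_object_party_privilege_map` on `party_id`, so the two backends may list different objects for the same user. If `acs_permissions_all` carries only the direct grantee of each grant (the rename to `grantee_id` suggests this), admin rights that reach the user through group or other party membership would not appear in the PostgreSQL listing. This affects only what the index page shows, not enforcement, but a permissions browser that under-reports is misleading during an access review. Either keep a party-expanding view here or state the limit in the query, e.g. `-- lists direct grants to :user_id only; group-derived admin is not shown`. The enclosing query element starts and ends outside the hunk.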

Permissions

- -[ad_context_bar "Permissions"] -
- -
-Select an Object by Id: - -

- -You have admin on the following objects: - -

+db_multirow objects adminable_objects { *SQL* } -[ad_footer] -" +set context "Permissions" + +set security_context_root [acs_magic_object security_context_root] +set default_context [acs_magic_object default_context] +set admin_p [permission::permission_p -object_id $security_context_root -party_id $user_id -privilege admin] +set subsite [ad_conn package_id] Index: openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql,v diff -u -r1.3 -r1.3.4.1 --- openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql 7 Dec 2001 22:45:41 -0000 1.3 +++ openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql 7 Dec 2002 16:06:29 -0000 1.3.4.1 @@ -45,9 +45,9 @@ - select acs_object.name(context_id) - from acs_objects - where object_id = :object_id +SELECT acs_object.name(context_id) as context_name, context_id, security_inherit_p + FROM acs_objects + WHERE object_id = :object_id @@ -56,7 +56,7 @@ - select object_id as c_object_id,acs_object.name(object_id) as c_name + select object_id as c_object_id,acs_object.name(object_id) as c_name, object_type as c_type from acs_objects o where context_id = :object_id and exists (select 1 Index: openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql,v diff -u -r1.4 -r1.4.4.1 --- openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql 7 Dec 2001 22:46:40 -0000 1.4 +++ openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql 7 Dec 2002 16:06:29 -0000 1.4.4.1 
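Review bot: `root` is declared `optional` in the page contract of index.tcl, yet nothing in the hunk assigns it a default before `db_multirow objects adminable_objects` runs, and both .xql variants of that query now bind `:root`. If nothing outside the visible lines sets it, a request without `root` would fail on the unbound variable instead of showing a starting point. Consider a default ahead of the query, e.g. `if {![info exists root]} { set root [ad_conn package_id] }`, or whichever object the browser is meant to start from. The `integer` filter on `root` together with the bind variable keeps the parameter out of the SQL text, which is worth preserving if the query is edited later.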
@@ -44,27 +44,26 @@ - - select acs_object__name(context_id) - from acs_objects - where object_id = :object_id +SELECT acs_object__name(context_id) as context_name, context_id, security_inherit_p + FROM acs_objects + WHERE object_id = :object_id + - select object_id as c_object_id,acs_object__name(object_id) as c_name + select object_id as c_object_id,acs_object__name(object_id) as c_name, object_type as c_type from acs_objects o where context_id = :object_id and exists (select 1 - from all_object_party_privilege_map + from acs_object_party_privilege_map where object_id = o.object_id and party_id = :user_id and privilege = 'admin') - Fisheye: Tag 1.1 refers to a dead (removed) revision in file `openacs-4/packages/acs-subsite/www/permissions/one.adp'. Fisheye: No comparison available. Pass `N' to diff? Index: openacs-4/packages/acs-subsite/www/permissions/one.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.tcl,v diff -u -r1.2 -r1.2.2.1 --- openacs-4/packages/acs-subsite/www/permissions/one.tcl 6 Sep 2002 21:50:06 -0000 1.2 +++ openacs-4/packages/acs-subsite/www/permissions/one.tcl 7 Dec 2002 16:06:29 -0000 1.2.2.1 
@@ -1,158 +1,51 @@ # packages/acs-core-ui/www/acs_object/permissions/index.tcl - ad_page_contract { + Display permissions and children for the given object_id - @author rhs@mit.edu - @creation-date 2000-08-20 - @cvs-id $Id$ + Templated + cross site scripting holes patched by davis@xarg.net + + @author rhs@mit.edu + @creation-date 2000-08-20 + @cvs-id $Id$ } { object_id:integer,notnull {children_p "f"} } +set user_id [ad_maybe_redirect_for_registration] ad_require_permission $object_id admin -set user_id [ad_maybe_redirect_for_registration] +set name [ad_quotehtml [db_string name {select acs_object.name(:object_id) from dual}]] -set name [db_string name {select acs_object.name(:object_id) from dual}] +set context [list [list "./" "Permissions"] "Permissions for $name"] -doc_body_append "[ad_header "Permissions for $name"] - -

Permissions for $name

- -[ad_context_bar [list "./" "Permissions"] "Permissions for $name"] -
- -

Inherited Permissions

- - - -
- -[export_form_vars object_id] - -

Direct Permissions

- -
    -" - -db_foreach acl { - select grantee_id, acs_object.name(grantee_id) as grantee_name, - privilege - from acs_permissions - where object_id = :object_id -} { - doc_body_append "
  • $grantee_name, $privilege ()
  • \n" -} if_no_rows { - doc_body_append "
  • (none)
  • \n" +db_multirow acl acl { *SQL* } { + set grantee_name [ad_quotehtml $grantee_name] } set controls [list] lappend controls "Grant Permission" -set context [db_string context { - select acs_object.name(context_id) - from acs_objects - where object_id = :object_id -}] +db_1row context { *SQL* } -if {![empty_string_p $context]} { - db_1row security_inherit_p { - select security_inherit_p - from acs_objects - where object_id = :object_id - } - - - if {$security_inherit_p == "t"} { - lappend controls "Don't Inherit Permissions from $context" - } else { - lappend controls "Inherit Permissions from $context" - } +if { $security_inherit_p == "t" && ![empty_string_p $context_id] } { + lappend controls "Don't Inherit Permissions from $context_name" +} else { + lappend controls "Inherit Permissions from $context_name" } -doc_body_append " -
+set controls "\[ [join $controls " | "] \]" -
-\[ [join $controls " | "] \] - -
- - - -
" - -doc_body_append "

Children

-
" - if [string equal $children_p "t"] { - - doc_body_append "
    " - - db_foreach children { - select object_id as c_object_id,acs_object.name(object_id) as c_name - from acs_objects o - where context_id = :object_id - and exists (select 1 - from acs_object_party_privilege_map - where object_id = o.object_id - and party_id = :user_id - and privilege = 'admin') - } { - doc_body_append "
  • $c_name
  • \n" - } if_no_rows { - doc_body_append " (none)\n" + db_multirow children children { *SQL* } { + set c_name [ad_quotehtml $c_name] } - - doc_body_append "
" - } else { - db_1row children_count { - select count(*) as num_children - from acs_objects o - where context_id = :object_id - and exists (select 1 - from acs_object_party_privilege_map - where object_id = o.object_id - and party_id = :user_id - and privilege = 'admin') - } - - set children_p "t" - doc_body_append "$num_children Children Hidden " - if {$num_children > 0} { - doc_body_append "\[Show\] " - } + db_1row children_count { *SQL* } } - - -doc_body_append "
- - -[ad_footer]"
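Review bot: `$context_name` is put into the two `lappend controls` strings in one.tcl without `ad_quotehtml`, although this commit escapes `name`, `grantee_name` and `c_name`; it comes from `acs_object.name(context_id)`, the same kind of object-name data, so the escape looks missing here. Assuming the template emits `controls` as markup, adding `set context_name [ad_quotehtml $context_name]` right after `db_1row context` would close the gap. The rewritten condition also changes behaviour: when `context_id` is empty, the `else` branch now appends an "Inherit Permissions from" control with no name, where the old code added no control at all, so the `context_id` test probably belongs in an outer `if`. `children_p` remains a free-form parameter; in the visible lines it is only compared with `string equal`, which is fine as long as it is never echoed into the page.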