author | Dries Buytaert <dries@buytaert.net> | 2001-06-20 20:00:40 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2001-06-20 20:00:40 +0000 |
commit | 72065fb8351b54eee5f1928c18e06ad81aa9b502 (patch) | |
tree | 59052fb790134eed81b52b69150a1e231bd44083 /includes | |
parent | 7752dc4c7c4cffda07152d8ee89bce05f16a5d6c (diff) | |
- Added a brand-new access.module which allows you to manage 'roles'
(groups) and 'permissions' ... (inspired by Zope's system).
+ Once installed, click the help-link for more information.
+ See updates/2.00-to-x.xx.sql for the SQL updates.
- Modified loads of code to use our new access.module. The system
still has to mature though: new permissions have to be added and
existing permissions need stream-lining. Awaiting suggestions.
- As a direct result of the new access system, I had to rewrite the
way the top-level links in admin.php are rendered and displayed,
and xhtml-ified admin.php while I was at it.
TODO
- Home-brewed modules need updating, home-brewed themes not.
(Examples: file.module, trip_link.module)
- As soon as we have *finished* refactoring the user system (KJ has
already been working on this refactoring) we should consider
embedding this role and permission code into account.module ...
Diffstat (limited to 'includes')
-rw-r--r-- | includes/comment.inc | 148 | ||||
-rw-r--r-- | includes/common.inc | 8 | ||||
-rw-r--r-- | includes/node.inc | 2 | ||||
-rw-r--r-- | includes/theme.inc | 4 | ||||
-rw-r--r-- | includes/user.inc | 18 |
5 files changed, 98 insertions, 82 deletions
diff --git a/includes/comment.inc b/includes/comment.inc
index cf49b49e6..e7f14cb06 100644
--- a/includes/comment.inc
+++ b/includes/comment.inc
@@ -50,16 +50,16 @@ function comment_settings($mode, $order, $threshold) {
 function comment_form($edit) {
 global $REQUEST_URI, $user;
- // Name field:
+ // name field:
 $form .= form_item(t("Your name"), format_username($user->userid));
- // Subject field:
+ // subject field:
 $form .= form_textfield(t("Subject"), "subject", check_input($edit[subject]), 50, 60);
- // Comment field:
+ // comment field:
 $form .= form_textarea(t("Comment"), "comment", check_input($edit[comment]), 50, 10, t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "")));
- // Preview button:
+ // preview button:
 $form .= form_hidden("pid", check_input($edit[pid]));
 $form .= form_hidden("id", check_input($edit[id]));
@@ -87,7 +87,12 @@ function comment_reply($pid, $id) {
 $pid = 0;
 }
- $theme->box(t("Reply"), comment_form(array(pid=>$pid, id=>$id)));
+ if (user_access($user, "post comments")) {
+ $theme->box(t("Reply"), comment_form(array(pid=>$pid, id=>$id)));
+ }
+ else {
+ $theme->box(t("Reply"), t("You are not authorized to post comments."));
+ }
 }
 function comment_preview($edit) {
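Review bot: The new `user_access($user, "post comments")` check in comment_reply relies on `$user` being in scope, but no `global $user;` is visible — comment_form and comment_post both declare it, while comment_reply's opening lines are outside the hunk. If the declaration is missing, `$user` is null here, `$account->perm` is empty and user_access falls through to its anonymous-role query, so the reply form is shown or hidden according to anonymous permissions regardless of who is logged in. Please confirm the function opens with `global $theme, $user;` (`$theme` is used on the same lines). comment_reply begins outside the hunk.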
@@ -102,24 +107,26 @@ function comment_preview($edit) {
 function comment_post($edit) {
 global $theme, $user;
- // check comment submission rate:
- throttle("post comment", variable_get(max_comment_rate, 60));
+ if (user_access($user, "post comments")) {
+ // check comment submission rate:
+ throttle("post comment", variable_get(max_comment_rate, 60));
- // check for duplicate comments:
- $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE pid = '". check_input($edit[pid]) ."' AND lid = '". check_input($edit[id]) ."' AND subject = '". check_input($edit[subject]) ."' AND comment = '". check_input($edit[comment]) ."'"), 0);
+ // check for duplicate comments:
+ $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE pid = '". check_input($edit[pid]) ."' AND lid = '". check_input($edit[id]) ."' AND subject = '". check_input($edit[subject]) ."' AND comment = '". check_input($edit[comment]) ."'"), 0);
- if ($duplicate != 0) {
- watchdog("warning", "comment: duplicate '$subject'");
- }
- else {
- // validate subject:
- $subject = ($subject) ? $subject : substr($comment, 0, 29);
+ if ($duplicate != 0) {
+ watchdog("warning", "comment: duplicate '$subject'");
+ }
+ else {
+ // validate subject:
+ $subject = ($subject) ? $subject : substr($comment, 0, 29);
- // add watchdog entry:
- watchdog("special", "comment: added '$subject'");
+ // add watchdog entry:
+ watchdog("special", "comment: added '$subject'");
- // add comment to database:
- db_query("INSERT INTO comments (lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($edit[id]) ."', '". check_input($edit[pid]) ."', '$user->id', '". check_input($edit[subject]) ."', '". check_input($edit[comment]) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')");
+ // add comment to database:
+ db_query("INSERT INTO comments (lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($edit[id]) ."', '". check_input($edit[pid]) ."', '$user->id', '". check_input($edit[subject]) ."', '". check_input($edit[comment]) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')");
+ }
 }
 }
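Review bot: A refused submission in comment_post now falls through silently: when `user_access($user, "post comments")` is false nothing is rendered and nothing is logged, whereas comment_reply tells the user and the other paths in this function record a watchdog entry. Add an else branch so denied posts are auditable, e.g. `else { watchdog("warning", "comment: unauthorized post attempt from '". getenv("REMOTE_ADDR") ."'"); }`. Separately, the re-indented `$subject = ($subject) ? $subject : substr($comment, 0, 29);` still reads `$subject` and `$comment`, which are never assigned from `$edit` anywhere in this function (only `$theme` and `$user` are declared global), so the "comment: added" and "comment: duplicate" log lines carry an empty subject; `$edit[subject]` / `$edit[comment]` are presumably what was meant.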
@@ -250,68 +257,71 @@ function comment_thread_max($cid, $mode, $threshold, $level = 0, $dummy = 0) {
 }
 function comment_render($lid, $cid) {
- global $theme, $REQUEST_URI, $user;
+ global $user, $theme, $REQUEST_URI;
- // Pre-process variables:
- $lid = empty($lid) ? 0 : $lid;
- $cid = empty($cid) ? 0 : $cid;
- $mode = ($user->id) ? $user->mode : variable_get(default_comment_mode, 4);
- $order = ($user->id) ? $user->sort : variable_get(default_comment_order, 1);
- $threshold = ($user->id) ? $user->threshold : variable_get(default_comment_threshold, 3);
+ if (user_access($user, "view comments")) {
- if ($user->id) {
- // Comment control:
- $theme->box(t("Comment control"), comment_controls($threshold, $mode, $order));
+ // Pre-process variables:
+ $lid = empty($lid) ? 0 : $lid;
+ $cid = empty($cid) ? 0 : $cid;
+ $mode = ($user->id) ? $user->mode : variable_get(default_comment_mode, 4);
+ $order = ($user->id) ? $user->sort : variable_get(default_comment_order, 1);
+ $threshold = ($user->id) ? $user->threshold : variable_get(default_comment_threshold, 3);
- // Print moderation form:
- print "<FORM METHOD=\"post\" ACTION=\"$REQUEST_URI\">\n";
- }
+ if ($user->id) {
+ // Comment control:
+ $theme->box(t("Comment control"), comment_controls($threshold, $mode, $order));
- if ($cid > 0) {
- $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = '$cid'");
- if ($comment = db_fetch_object($result)) {
- comment_view($comment, comment_link($comment));
+ // Print moderation form:
+ print "<FORM METHOD=\"post\" ACTION=\"$REQUEST_URI\">\n";
 }
- }
- else {
- if ($mode == 1) {
- $result = comment_query($lid, $order);
- print "<TABLE BORDER=\"0\" CELLPADDING=\"2\" CELLSPACING=\"2\">\n";
- print " <TR><TH>Subject</TH><TH>Author</TH><TH>Date</TH><TH>Score</TH></TR>\n";
- while ($comment = db_fetch_object($result)) {
- if (comment_visible($comment, $threshold)) {
- print " <TR><TD><A HREF=\"". comment_uri("id=$comment->lid&cid=$comment->cid#$comment->cid") ."\">". check_output($comment->subject) ."</A></TD><TD>". format_username($comment->userid) ."</TD><TD>". format_date($comment->timestamp, "small") ."</TD><TD>". comment_score($comment) ."</TD></TR>\n";
- }
+
+ if ($cid > 0) {
+ $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = '$cid'");
+ if ($comment = db_fetch_object($result)) {
+ comment_view($comment, comment_link($comment));
 }
- print "</TABLE>\n";
 }
- else if ($mode == 2) {
- $result = comment_query($lid, $order);
- while ($comment = db_fetch_object($result)) {
- comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0));
+ else {
+ if ($mode == 1) {
+ $result = comment_query($lid, $order);
+ print "<TABLE BORDER=\"0\" CELLPADDING=\"2\" CELLSPACING=\"2\">\n";
+ print " <TR><TH>Subject</TH><TH>Author</TH><TH>Date</TH><TH>Score</TH></TR>\n";
+ while ($comment = db_fetch_object($result)) {
+ if (comment_visible($comment, $threshold)) {
+ print " <TR><TD><A HREF=\"". comment_uri("id=$comment->lid&cid=$comment->cid#$comment->cid") ."\">". check_output($comment->subject) ."</A></TD><TD>". format_username($comment->userid) ."</TD><TD>". format_date($comment->timestamp, "small") ."</TD><TD>". comment_score($comment) ."</TD></TR>\n";
+ }
+ }
+ print "</TABLE>\n";
 }
- }
- else if ($mode == 3) {
- $result = comment_query($lid, $order, 0);
- while ($comment = db_fetch_object($result)) {
- comment_view($comment);
- comment_thread_min($comment->cid, $threshold);
+ else if ($mode == 2) {
+ $result = comment_query($lid, $order);
+ while ($comment = db_fetch_object($result)) {
+ comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0));
+ }
 }
- }
- else {
- $result = comment_query($lid, $order, 0);
- while ($comment = db_fetch_object($result)) {
- comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0));
- comment_thread_max($comment->cid, $mode, $threshold, $level + 1);
+ else if ($mode == 3) {
+ $result = comment_query($lid, $order, 0);
+ while ($comment = db_fetch_object($result)) {
+ comment_view($comment);
+ comment_thread_min($comment->cid, $threshold);
+ }
+ }
+ else {
+ $result = comment_query($lid, $order, 0);
+ while ($comment = db_fetch_object($result)) {
+ comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0));
+ comment_thread_max($comment->cid, $mode, $threshold, $level + 1);
+ }
 }
 }
- }
- if ($user->id) {
- // Print moderation form:
- print " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$lid\">\n";
- print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". t("Moderate comments") ."\">\n";
- print "</FORM>\n";
+ if ($user->id) {
+ // Print moderation form:
+ print " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$lid\">\n";
+ print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". t("Moderate comments") ."\">\n";
+ print "</FORM>\n";
+ }
 }
 }
diff --git a/includes/common.inc b/includes/common.inc
index 2fc7c8a42..778f87a39 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -25,7 +25,7 @@ function watchdog($type, $message) {
 function throttle($type, $rate) {
 global $user;
- if (!user_access($user)) {
+ if (!user_access($user, "access administration pages")) {
 if ($throttle = db_fetch_object(db_query("SELECT * FROM watchdog WHERE type = '$type' AND hostname = '". getenv("REMOTE_ADDR") ."' AND ". time() ." - timestamp < $rate"))) {
 watchdog("warning", "throttle: '". getenv("REMOTE_ADDR") ."' exceeded submission rate - $throttle->type");
 die(message_throttle());
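Review bot: In the re-indented comment_render body, `$cid` is still interpolated straight into `WHERE cid = '$cid'` and `$lid` into the hidden `<INPUT ... VALUE=\"$lid\">`, with only the `empty()` default applied, while every other request value in this file goes through check_input(). If those two arguments originate from the request (the callers are outside the hunk), the first is a SQL injection point and the second an HTML attribute injection point. Both are ids, so casting closes both: `$lid = empty($lid) ? 0 : (int) $lid;` and `$cid = empty($cid) ? 0 : (int) $cid;`. Note also that a visitor without "view comments" now gets no output at all rather than a message, unlike the comment_reply branch in the same commit.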
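Review bot: The throttle exemption is now tied to "access administration pages", a permission whose other visible use is gating a navigation link in theme.inc, so anyone allowed to open admin.php also bypasses rate limiting on every throttled action. A permission dedicated to rate-limit exemption would keep the two concerns separate and make the bypass an explicit grant. The query on the next line also interpolates `$type` and `$rate` unescaped; both come from callers and variable_get() here rather than from the request, so this is a caveat for future call sites rather than a live issue. throttle's body continues past the hunk.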
@@ -46,8 +46,8 @@ function path_img() {
 return "./images/";
 }
-function message_account() {
- return t("This page requires a valid user account. Please <A HREF=\"account.php\">create a user account</A> and <A HREF=\"account.php\">login</A> prior to accessing it.");
+function message_access() {
+ return t("You are not authorized to access to this page.");
 }
 function message_throttle() {
@@ -136,7 +136,7 @@ function format_date($timestamp, $type = "medium", $format = "") {
 function format_username($username) {
 global $user;
- if ($username) return (user_access($user, "account") ? "<A HREF=\"admin.php?mod=account&op=view&name=". urlencode($username) ."\">$username</A>" : "<A HREF=\"account.php?op=view&name=". urlencode($username) ."\">$username</A>");
+ if ($username) return (user_access($user, "add and edit user accounts") ? "<A HREF=\"admin.php?mod=account&op=view&name=". urlencode($username) ."\">$username</A>" : "<A HREF=\"account.php?op=view&name=". urlencode($username) ."\">$username</A>");
 else return variable_get(anonymous, "Anonymous");
 }
diff --git a/includes/node.inc b/includes/node.inc
index 20c47cde6..affb44371 100644
--- a/includes/node.inc
+++ b/includes/node.inc
@@ -236,7 +236,7 @@ function node_index($node) {
 function node_visible($node) {
 global $user, $status;
- return ($node->status == $status[posted]) || ($node->status == $status[queued] && $user->id) || user_access($user, $node->type) || user_access($user, "node");
+ return ($node->status == $status[posted]) || ($node->status == $status[queued] && $user->id) || user_access($user, $node->type) || user_access($user, "add and edit nodes");
 }
 function node_access($account, $node) {
diff --git a/includes/theme.inc b/includes/theme.inc
index ff0e93167..68c2d5adf 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
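Review bot: The rewritten format_username line urlencode()s `$username` for the href but emits it raw as the link text (`\">$username</A>`) in both branches, so a username containing markup is injected into every page that renders an author name, including the comment listing in comment.inc. Unless account creation is known to reject such characters (not visible in this diff), escape the text in both branches, e.g. `."\">". htmlspecialchars($username) ."</A>"`; check_output() may be the project's intended helper, since comment.inc uses it for `$comment->subject`.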
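Review bot: node_visible still passes the raw node type as a permission name in `user_access($user, $node->type)`, while the other call sites in this commit use descriptive phrases such as "add and edit nodes". The new user_access is a substring test (`strstr`, and `LIKE '%...%'` for anonymous users), so a type name that happens to be contained in any granted permission grants visibility of that type's unpublished nodes, and for anonymous users the type name is interpolated into the LIKE pattern. Consider giving each type an explicit permission string in access.module and passing that instead of `$node->type`, so the permission namespace and the type namespace cannot collide.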
@@ -59,9 +59,9 @@ function theme_account($theme) {
 $content .= "<A HREF=\"account.php?op=edit&topic=content\">". t("edit your content") ."</A><BR>\n";
 $content .= "<P>\n";
- if (user_access($user)) {
+ if (user_access($user, "access administration pages")) {
 $content .= "<A HREF=\"admin.php\">". strtr(t("administer %a"), array("%a" => variable_get("site_name", "drupal"))) ."</A><BR>\n";
- $content .= "<P>\n";
+ $content .= "<P>\n";
 }
 foreach (module_list() as $name) {
diff --git a/includes/user.inc b/includes/user.inc
index 73d3243bd..2abdf094a 100644
--- a/includes/user.inc
+++ b/includes/user.inc
@@ -3,14 +3,14 @@ class User {
 function User($userid, $passwd = 0) {
 if ($passwd) {
- $result = db_query("SELECT * FROM users WHERE LOWER(userid) = LOWER('$userid') && passwd = PASSWORD('$passwd') && STATUS = 2");
+ $result = db_query("SELECT u.*, r.perm FROM users u LEFT JOIN role r ON u.role = r.name WHERE LOWER(userid) = LOWER('$userid') && passwd = PASSWORD('$passwd') AND status = 2");
 if (db_num_rows($result) == 1) {
 foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; }
 db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id");
 }
 }
 else {
- $result = db_query("SELECT * FROM users WHERE userid = '$userid' && STATUS = 2");
+ $result = db_query("SELECT u.*, r.perm FROM users u LEFT JOIN role r ON u.role = r.name WHERE u.userid = '$userid' AND u.status = 2");
 if (db_num_rows($result) == 1) {
 foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; }
 db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id");
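Review bot: Hiding the administer link behind "access administration pages" is presentation, not enforcement; admin.php (not part of this diff) has to perform the same `user_access($user, "access administration pages")` check on entry, otherwise a user who knows the URL still gets in. If that check already exists, a one-line comment here such as `// link only; admin.php enforces the permission itself` would spare the next reader from verifying it. theme_account starts and ends outside the hunk.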
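Review bot: The rewritten login query still interpolates `$userid` and `$passwd` directly into the SQL string; the `stripslashes()` applied to the fetched columns suggests the code relies on magic_quotes, but nothing in the hunk shows these two values arriving escaped, and if the caller does not escape them this is SQL injection in the authentication path. Escaping both at the top of the constructor (addslashes() if magic quotes are not assumed) would close it regardless of the caller. Two further caveats on the new lines: comparing against `PASSWORD('$passwd')` ships the cleartext password into the query (and any query log), and the LEFT JOIN leaves `perm` NULL for an account whose role row is missing, which the new user_access then treats as "use the anonymous role's permissions". The constructor continues past the hunk.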
@@ -52,10 +52,16 @@ function user_save($account, $array) {
 return user_load(($account->userid ? $account->userid : $array[userid]));
 }
-function user_access($account, $section = 0) {
- global $user;
- if ($section) return (field_get($account->access, $section) || $account->id == 1);
- else return ($account->access || $account->id == 1);
+function user_access($account, $perm) {
+ if ($account->id == 1) {
+ return 1;
+ }
+ else if ($account->perm) {
+ return strstr($account->perm, $perm);
+ }
+ else {
+ return db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user' AND perm LIKE '%$perm%'"));
+ }
 }
 function user_ban($mask, $type) {
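Review bot: The new user_access grants a permission by substring: `strstr($account->perm, $perm)` succeeds whenever any stored permission name merely contains `$perm`, and the anonymous branch does the same with `perm LIKE '%$perm%'`, which additionally interpolates `$perm` into SQL unescaped (node_visible passes `$node->type` here, so the argument is not always a literal). As the permission list grows, any name that is a substring of another — or a `$perm` that is a substring of a stored name — is granted unintentionally. Assuming `role.perm` stores a delimited list (the schema change is in updates/2.00-to-x.xx.sql, not shown), split it and compare whole names, fetching the anonymous role once and matching it the same way with `$perm` kept out of the query. Note also that any authenticated account with an empty `perm` currently inherits the anonymous role's permissions through the final else branch, which may or may not be intended.

```php
function user_access($account, $perm) {
  if ($account->id == 1) {
    return 1;
  }
  if ($account->perm) {
    $perms = $account->perm;
  }
  else {
    $role = db_fetch_object(db_query("SELECT perm FROM role WHERE name = 'anonymous user'"));
    $perms = $role ? $role->perm : "";
  }
  // whole-name match; assumes perm is a comma-separated list -- confirm against the schema
  foreach (explode(",", $perms) as $name) {
    if (trim($name) == $perm) {
      return 1;
    }
  }
  return 0;
}
```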