From ee4978878fc346d02c6be7a91e63ba659ddeca22 Mon Sep 17 00:00:00 2001 From: Andy Heathershaw Date: Sun, 16 Sep 2018 22:11:53 +0100 Subject: [PATCH] #71: Permissions are now fully inherited from an "ultimate parent". Most actions that can change the outcome of a user's permissions rebuild the permissions cache. Corrected a few minor HTML issues in layouts. --- app/Album.php | 23 ++++++++ app/Helpers/PermissionsHelper.php | 18 ++++--- .../Controllers/Admin/AlbumController.php | 42 +++++++++++---- app/Http/Controllers/Admin/UserController.php | 5 ++ ...6_create_album_permissions_cache_table.php | 2 +- resources/assets/js/admin.js | 23 ++++++++ resources/lang/en/admin.php | 6 ++- resources/lang/en/forms.php | 1 + .../themes/base/admin/create_album.blade.php | 52 ++++++++++++++++--- .../partials/album_permissions_tab.blade.php | 19 ++++--- .../partials/album_redirects_tab.blade.php | 44 ++++++++-------- .../partials/album_settings_tab.blade.php | 5 ++ 12 files changed, 185 insertions(+), 55 deletions(-) diff --git a/app/Album.php b/app/Album.php index bbed4c9..8e94eda 100644 --- a/app/Album.php +++ b/app/Album.php @@ -103,6 +103,29 @@ class Album extends Model } } + /** + * Try and locate the parent album ID that permissions are inherited from. + * @return integer + */ + public function effectiveAlbumIDForPermissions() + { + $current = $this; + + while (!is_null($current->parent_album_id)) + { + if ($current->is_permissions_inherited) + { + $current = $current->parent; + } + else + { + break; + } + } + + return $current->id; + } + public function generateAlias() { $this->url_alias = MiscHelper::capitaliseWord(preg_replace('/[^a-z0-9\-]/', '-', strtolower($this->name))); diff --git a/app/Helpers/PermissionsHelper.php b/app/Helpers/PermissionsHelper.php index 8709631..1e3d626 100644 --- a/app/Helpers/PermissionsHelper.php +++ b/app/Helpers/PermissionsHelper.php 
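Review bot: The `while` loop in `effectiveAlbumIDForPermissions()` has no guard against a parent chain that loops back on itself, or against `$current->parent` resolving to null. If two inheriting albums ever end up as each other's ancestors the loop never terminates, and a `parent_album_id` that points at a missing row makes the next `$current->parent_album_id` read fail on null. Since the helper calls this method for each album while building permissions, either case would presumably stall or abort the cache rebuild. I would track visited IDs and stop when the parent cannot be loaded, as in the excerpt below, and decide explicitly whether that case should fall back to the album's own rows or deny access. The `parent` relation is defined outside this hunk, so its behaviour for a missing row is assumed here.

```php
public function effectiveAlbumIDForPermissions()
{
    $current = $this;
    $visited = [];

    while (!is_null($current->parent_album_id) && $current->is_permissions_inherited)
    {
        $parent = $current->parent;

        // Stop on a dangling parent reference or a cycle instead of failing or spinning
        if (is_null($parent) || isset($visited[$parent->id]))
        {
            break;
        }

        $visited[$current->id] = true;
        $current = $parent;
    }

    return $current->id;
}
```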
@@ -10,13 +10,13 @@ use Illuminate\Support\Facades\DB; class PermissionsHelper { - public function getAlbumIDs($permission = 'list', $user) + public function getAlbumIDs($permission = 'list', User $user = null) { $result = []; $query = DB::table('album_permissions_cache') ->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id') ->where([ - ['album_permissions_cache.user_id', (is_null($user) ? null : $user->id)], + ['album_permissions_cache.user_id', (is_null($user) || $user->isAnonymous() ? null : $user->id)], ['permissions.section', 'album'], ['permissions.description', $permission] ]) @@ -69,9 +69,11 @@ class PermissionsHelper /** @var Album $album */ foreach ($albums as $album) { - $anonymousPermissions = array_filter($albumAnonPermissions->toArray(), function($item) use ($album) + $effectiveAlbumID = $album->effectiveAlbumIDForPermissions(); + + $anonymousPermissions = array_filter($albumAnonPermissions->toArray(), function($item) use ($effectiveAlbumID) { - return ($item->album_id == $album->id); + return ($item->album_id == $effectiveAlbumID); }); foreach ($anonymousPermissions as $anonymousPermission) @@ -84,9 +86,9 @@ class PermissionsHelper ]; } - $userPermissions = array_filter($albumUserPermissions->toArray(), function($item) use ($album) + $userPermissions = array_filter($albumUserPermissions->toArray(), function($item) use ($effectiveAlbumID) { - return ($item->album_id == $album->id); + return ($item->album_id == $effectiveAlbumID); }); foreach ($userPermissions as $userPermission) @@ -100,9 +102,9 @@ class PermissionsHelper ]; } - $groupPermissions = array_filter($albumGroupPermissions->toArray(), function($item) use ($album) + $groupPermissions = array_filter($albumGroupPermissions->toArray(), function($item) use ($effectiveAlbumID) { - return ($item->album_id == $album->id); + return ($item->album_id == $effectiveAlbumID); }); foreach ($groupPermissions as $groupPermission) 
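Review bot: The new `User $user = null` type hint in `getAlbumIDs()` only works if `App\User` is imported above line 10; the imports before `use Illuminate\Support\Facades\DB;` are outside this hunk and the commit adds none to this file. Without that import the hint would resolve to a class in the helper's own namespace, and any call passing a real user would throw a TypeError. The ternary `is_null($user) || $user->isAnonymous() ? null : $user->id` also leans on operator precedence; I would write `(is_null($user) || $user->isAnonymous()) ? null : $user->id`. A docblock saying that a null or anonymous user selects the cache rows whose `user_id` is NULL would document which albums an unauthenticated visitor is given.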
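Review bot: The three filters that now compare against `$effectiveAlbumID` (the hunks at new lines 69, 86 and 102) still use loose `==` between a value read from the permission rows and a model ID; `(int) $item->album_id === (int) $effectiveAlbumID` would make the match explicit. Each iteration also calls `$albumAnonPermissions->toArray()` and its two siblings again and walks the parent chain for the album, so the cost of a rebuild grows with albums × permission rows; grouping each collection by `album_id` once before the `foreach` would avoid that. A comment above `$effectiveAlbumID` would help the next reader, e.g. `// Permissions come from the ultimate parent; rows on an inheriting album itself are not consulted`. The enclosing method starts and ends outside these hunks.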
diff --git a/app/Http/Controllers/Admin/AlbumController.php b/app/Http/Controllers/Admin/AlbumController.php index 499c3dd..21791d7 100644 --- a/app/Http/Controllers/Admin/AlbumController.php +++ b/app/Http/Controllers/Admin/AlbumController.php @@ -10,6 +10,7 @@ use App\Group; use App\Helpers\DbHelper; use App\Helpers\FileHelper; use App\Helpers\MiscHelper; +use App\Helpers\PermissionsHelper; use App\Http\Controllers\Controller; use App\Http\Requests; use App\Label; @@ -267,6 +268,10 @@ class AlbumController extends Controller $album->save(); + // Rebuild the permissions cache + $helper = new PermissionsHelper(); + $helper->rebuildCache(); + return redirect(route('albums.show', [$album->id, 'tab' => 'permissions'])); } @@ -342,6 +347,10 @@ class AlbumController extends Controller $album->save(); + // Rebuild the permissions cache + $helper = new PermissionsHelper(); + $helper->rebuildCache(); + return redirect(route('albums.show', [$album->id, 'tab' => 'permissions'])); } @@ -451,6 +460,7 @@ class AlbumController extends Controller $album = new Album(); $album->fill($request->only(['name', 'description', 'storage_id', 'parent_album_id'])); + $album->is_permissions_inherited = (strtolower($request->get('is_permissions_inherited')) == 'on'); if (strlen($album->parent_album_id) == 0) { 
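Review bot: The block `$helper = new PermissionsHelper(); $helper->rebuildCache();` is pasted after `$album->save()` at new line 268 and again at new lines 347, 475 and 566 and in UserController at 201, which makes it easy for a future permission-changing action to miss it. The commit message itself says only "most" such actions rebuild the cache, so a path that revokes access without a rebuild would leave the old grant readable from `album_permissions_cache`. I would move the call into one place, for example a private controller method or a model `saved`/`deleted` listener, and add a comment listing the actions known not to rebuild. It is also worth confirming what happens if `rebuildCache()` throws after the save has committed, since the cache would then disagree with the stored permissions; its body is not part of this diff.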
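Review bot: `is_permissions_inherited` is taken straight from the posted checkbox at new line 460 (and again at 529 for update), and nothing visible here clears it when `parent_album_id` is empty. A top-level album saved with the flag on skips the default anonymous permissions in the following hunk and has no parent to inherit from. Inside the existing `if (strlen($album->parent_album_id) == 0)` block I would add `$album->is_permissions_inherited = false;` so the server does not depend on the form hiding the checkbox. The body of that `if` is outside the hunk, so it may already do this.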
@@ -465,20 +475,27 @@ class AlbumController extends Controller $album->save(); // Link all default permissions to anonymous users (if a public album) - $isPrivate = (strtolower($request->get('is_private')) == 'on'); - - if (!$isPrivate) + if (!$album->is_permissions_inherited) { - /** @var Permission $permission */ - foreach (Permission::where(['section' => 'album', 'is_default' => true])->get() as $permission) + $isPrivate = (strtolower($request->get('is_private')) == 'on'); + + if (!$isPrivate) { - $album->anonymousPermissions()->attach($permission->id, [ - 'created_at' => new \DateTime(), - 'updated_at' => new \DateTime() - ]); + /** @var Permission $permission */ + foreach (Permission::where(['section' => 'album', 'is_default' => true])->get() as $permission) + { + $album->anonymousPermissions()->attach($permission->id, [ + 'created_at' => new \DateTime(), + 'updated_at' => new \DateTime() + ]); + } } } + // Rebuild the permissions cache + $helper = new PermissionsHelper(); + $helper->rebuildCache(); + return redirect(route('albums.show', ['id' => $album->id])); } @@ -512,7 +529,7 @@ class AlbumController extends Controller $currentParentID = $album->parent_album_id; $album->fill($request->only(['name', 'description', 'parent_album_id'])); - $album->is_permissions_inherited = $request->has('is_permissions_inherited'); + $album->is_permissions_inherited = (strtolower($request->get('is_permissions_inherited')) == 'on'); if (strlen($album->parent_album_id) == 0) { @@ -549,6 +566,11 @@ class AlbumController extends Controller } $album->save(); + + // Rebuild the permissions cache + $helper = new PermissionsHelper(); + $helper->rebuildCache(); + $request->session()->flash('success', trans('admin.album_saved_successfully', ['name' => $album->name])); return redirect(route('albums.show', ['id' => $id])); diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php index 2534cca..d1928ba 100644 
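Review bot: When the update hunk at new line 529 turns `is_permissions_inherited` on for an album that already has its own permission rows, nothing visible removes or flags those rows. They stop being consulted while the album inherits, but would apply again unchanged if inheritance is later switched off, which can bring back grants an administrator assumed were gone. Either detach the album's own permissions when the flag changes from off to on, or document the behaviour with a comment such as `// Own permission rows are kept while inheriting and apply again if inheritance is disabled`. The lines between this hunk and the one at 566 are not shown, so this may already be handled there.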
--- a/app/Http/Controllers/Admin/UserController.php +++ b/app/Http/Controllers/Admin/UserController.php @@ -5,6 +5,7 @@ namespace App\Http\Controllers\Admin; use App\Facade\Theme; use App\Facade\UserConfig; use App\Group; +use App\Helpers\PermissionsHelper; use App\User; use App\Http\Requests; @@ -200,6 +201,10 @@ class UserController extends Controller $user->save(); + // Rebuild the permissions cache + $helper = new PermissionsHelper(); + $helper->rebuildCache(); + return redirect(route('users.index')); } diff --git a/database/migrations/2018_09_14_091046_create_album_permissions_cache_table.php b/database/migrations/2018_09_14_091046_create_album_permissions_cache_table.php index 91b7ca5..8d1a7e5 100644 --- a/database/migrations/2018_09_14_091046_create_album_permissions_cache_table.php +++ b/database/migrations/2018_09_14_091046_create_album_permissions_cache_table.php @@ -14,8 +14,8 @@ class CreateAlbumPermissionsCacheTable extends Migration public function up() { Schema::create('album_permissions_cache', function (Blueprint $table) { - $table->unsignedInteger('user_id')->nullable(true); $table->unsignedInteger('album_id'); + $table->unsignedInteger('user_id')->nullable(true); $table->unsignedInteger('permission_id'); $table->timestamps(); diff --git a/resources/assets/js/admin.js b/resources/assets/js/admin.js index 962a721..1f2358f 100644 --- a/resources/assets/js/admin.js +++ b/resources/assets/js/admin.js 
@@ -46,6 +46,29 @@ function AboutViewModel(urls) { }; } +/** + * This model is used by admin/create_album.blade.php. + * @constructor + */ +function CreateAlbumViewModel() { + this.el = '#create-album-app'; + + this.data = { + is_inherit_permissions: true, + is_private: false, + parent_id: '' + }; + + this.computed = { + isParentAlbum: function() { + return this.parent_id == ''; + }, + isPrivateDisabled: function() { + return !this.isParentAlbum && this.is_inherit_permissions; + } + } +} + /** * This model is used by admin/edit_album.blade.php. * @constructor diff --git a/resources/lang/en/admin.php b/resources/lang/en/admin.php index 0631788..4bb7b50 100644 --- a/resources/lang/en/admin.php +++ b/resources/lang/en/admin.php 
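Review bot: `isParentAlbum` compares with loose equality, `this.parent_id == ''`, which is also true for `0` and `false`; `this.parent_id === ''` states the intent. The `this.computed = { ... }` assignment is missing its terminating semicolon, unlike the `this.data` assignment above it. `isPrivateDisabled` only affects what the form shows, so a short comment such as `// UI hint only; the controller decides whether is_private is honoured` would keep readers from treating it as the enforcement point.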
@@ -32,8 +32,10 @@ return [ 'album_cameras_heading' => 'Cameras used in this album', 'album_cameras_tab' => 'Cameras', 'album_cameras_text' => 'Blue Twilight analyses the Exif data in your photos to determine which cameras have been used. The cameras that were found are displayed below.', - 'album_inheriting_permissions_p1' => 'Permissions inherited from parent album', - 'album_inheriting_permissions_p2' => 'This album is inheriting permissions from its parent album. You can change the permissions applied to this album from the :l_parent_startparent album\'s permissions tab:l_parent_end. ', + 'album_change_more_details' => 'You can change more details about this album by editing it. Click the button below to go to the album\'s Edit page.', + 'album_inheriting_permissions_p1' => 'Inherited permissions are in effect', + 'album_inheriting_permissions_p2' => 'This album is inheriting permissions from a parent album and therefore permissions cannot be applied directly to it.', + 'album_inheriting_permissions_p3' => 'You can change the permissions applied to this album (and other albums under the same parent) from the :l_parent_start parent album\'s permissions tab:l_parent_end, or stop permissions from being inherited by :l_edit_start editing this album:l_edit_end.', 'album_no_cameras_found_p1' => 'No cameras were found', 'album_no_cameras_found_p2' => 'Upload more photos to this album or ensure the cameras you use support Exif image tagging.', 'album_no_photos_p1' => 'No photos in this album', diff --git a/resources/lang/en/forms.php b/resources/lang/en/forms.php index 9ddf871..f151404 100644 --- a/resources/lang/en/forms.php +++ b/resources/lang/en/forms.php 
@@ -24,6 +24,7 @@ return [ 'description_label' => 'Description:', 'download_action' => 'Download', 'edit_action' => 'Edit', + 'edit_album_action' => 'Edit this album', 'email_label' => 'E-mail address:', 'enable_profile_page_label' => 'Allow others to see my profile page', 'inherit_album_permissions' => 'Inherit permissions from parent album', diff --git a/resources/views/themes/base/admin/create_album.blade.php b/resources/views/themes/base/admin/create_album.blade.php index 075f67b..db9e9c1 100644 --- a/resources/views/themes/base/admin/create_album.blade.php +++ b/resources/views/themes/base/admin/create_album.blade.php @@ -9,7 +9,7 @@ @endsection @section('content') -
+

@lang('admin.create_album')

@@ -37,10 +37,10 @@
- @foreach ($parent_albums as $key => $value) - + @endforeach
@@ -54,9 +54,18 @@
+
+
+ + +
+
+
-
@@ -69,4 +78,35 @@
-@endsection \ No newline at end of file +@endsection + +@push('scripts') + +@endpush \ No newline at end of file diff --git a/resources/views/themes/base/partials/album_permissions_tab.blade.php b/resources/views/themes/base/partials/album_permissions_tab.blade.php index ba09919..249a180 100644 --- a/resources/views/themes/base/partials/album_permissions_tab.blade.php +++ b/resources/views/themes/base/partials/album_permissions_tab.blade.php @@ -1,14 +1,19 @@
-

@lang('admin.security_heading')

-

@lang('admin.security_text')

-
- @if ($album->is_permissions_inherited) -
-

@lang('admin.album_inheriting_permissions_p1')

-

@lang('admin.album_inheriting_permissions_p2', ['l_parent_start' => '', 'l_parent_end' => ''])

+
+

@lang('admin.album_inheriting_permissions_p1')

+

@lang('admin.album_inheriting_permissions_p2')

+

@lang('admin.album_inheriting_permissions_p3', [ + 'l_parent_start' => sprintf('', route('albums.show', [$album->effectiveAlbumIDForPermissions(), 'tab' => 'permissions'])), + 'l_parent_end' => '', + 'l_edit_start' => sprintf('', route('albums.edit', [$album->id])), + 'l_edit_end' => '' + ])

@else +

@lang('admin.security_heading')

+

@lang('admin.security_text')

+
@lang('admin.security_groups_heading')
diff --git a/resources/views/themes/base/partials/album_redirects_tab.blade.php b/resources/views/themes/base/partials/album_redirects_tab.blade.php index d5012d0..5c0b3a1 100644 --- a/resources/views/themes/base/partials/album_redirects_tab.blade.php +++ b/resources/views/themes/base/partials/album_redirects_tab.blade.php @@ -4,29 +4,31 @@ @if ($album->redirects()->count() > 0)

@lang('admin.existing_album_redirects')

- - - - - - - - - @foreach ($album->redirects as $redirect) +
+
@lang('admin.redirects_source_url_heading')@lang('admin.redirects_actions_heading')
+ - - + + - @endforeach - -
{{ route('home') }}/a{{ $redirect->source_url }} - - {{ csrf_field() }} - {{ method_field('DELETE') }} - - - - @lang('admin.redirects_source_url_heading')@lang('admin.redirects_actions_heading')
+ + + @foreach ($album->redirects as $redirect) + + {{ route('home') }}/a{{ $redirect->source_url }} + +
+ {{ csrf_field() }} + {{ method_field('DELETE') }} + + +
+ + + @endforeach + + +

@endif diff --git a/resources/views/themes/base/partials/album_settings_tab.blade.php b/resources/views/themes/base/partials/album_settings_tab.blade.php index 1de87b1..dd0e46f 100644 --- a/resources/views/themes/base/partials/album_settings_tab.blade.php +++ b/resources/views/themes/base/partials/album_settings_tab.blade.php @@ -22,6 +22,11 @@
+
+

@lang('admin.album_change_more_details')

+ @lang('forms.edit_album_action') +
+

@lang('admin.album_appearance_heading')