#71: Permissions are now fully inherited from an "ultimate parent". Most actions that can change the outcome of a user's permissions rebuild the permissions cache. Corrected a few minor HTML issues in layouts.

This commit is contained in:
Andy Heathershaw 2018-09-16 22:11:53 +01:00
parent 138cb91986
commit ee4978878f
12 changed files with 185 additions and 55 deletions

View File

@ -103,6 +103,29 @@ class Album extends Model
} }
} }
/**
* Try and locate the parent album ID that permissions are inherited from.
* @return integer
*/
public function effectiveAlbumIDForPermissions()
{
$current = $this;
while (!is_null($current->parent_album_id))
{
if ($current->is_permissions_inherited)
{
$current = $current->parent;
}
else
{
break;
}
}
return $current->id;
}
public function generateAlias() public function generateAlias()
{ {
$this->url_alias = MiscHelper::capitaliseWord(preg_replace('/[^a-z0-9\-]/', '-', strtolower($this->name))); $this->url_alias = MiscHelper::capitaliseWord(preg_replace('/[^a-z0-9\-]/', '-', strtolower($this->name)));

View File

@ -10,13 +10,13 @@ use Illuminate\Support\Facades\DB;
class PermissionsHelper class PermissionsHelper
{ {
public function getAlbumIDs($permission = 'list', $user) public function getAlbumIDs($permission = 'list', User $user = null)
{ {
$result = []; $result = [];
$query = DB::table('album_permissions_cache') $query = DB::table('album_permissions_cache')
->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id') ->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id')
->where([ ->where([
['album_permissions_cache.user_id', (is_null($user) ? null : $user->id)], ['album_permissions_cache.user_id', (is_null($user) || $user->isAnonymous() ? null : $user->id)],
['permissions.section', 'album'], ['permissions.section', 'album'],
['permissions.description', $permission] ['permissions.description', $permission]
]) ])
@ -69,9 +69,11 @@ class PermissionsHelper
/** @var Album $album */ /** @var Album $album */
foreach ($albums as $album) foreach ($albums as $album)
{ {
$anonymousPermissions = array_filter($albumAnonPermissions->toArray(), function($item) use ($album) $effectiveAlbumID = $album->effectiveAlbumIDForPermissions();
$anonymousPermissions = array_filter($albumAnonPermissions->toArray(), function($item) use ($effectiveAlbumID)
{ {
return ($item->album_id == $album->id); return ($item->album_id == $effectiveAlbumID);
}); });
foreach ($anonymousPermissions as $anonymousPermission) foreach ($anonymousPermissions as $anonymousPermission)
@ -84,9 +86,9 @@ class PermissionsHelper
]; ];
} }
$userPermissions = array_filter($albumUserPermissions->toArray(), function($item) use ($album) $userPermissions = array_filter($albumUserPermissions->toArray(), function($item) use ($effectiveAlbumID)
{ {
return ($item->album_id == $album->id); return ($item->album_id == $effectiveAlbumID);
}); });
foreach ($userPermissions as $userPermission) foreach ($userPermissions as $userPermission)
@ -100,9 +102,9 @@ class PermissionsHelper
]; ];
} }
$groupPermissions = array_filter($albumGroupPermissions->toArray(), function($item) use ($album) $groupPermissions = array_filter($albumGroupPermissions->toArray(), function($item) use ($effectiveAlbumID)
{ {
return ($item->album_id == $album->id); return ($item->album_id == $effectiveAlbumID);
}); });
foreach ($groupPermissions as $groupPermission) foreach ($groupPermissions as $groupPermission)

View File

@ -10,6 +10,7 @@ use App\Group;
use App\Helpers\DbHelper; use App\Helpers\DbHelper;
use App\Helpers\FileHelper; use App\Helpers\FileHelper;
use App\Helpers\MiscHelper; use App\Helpers\MiscHelper;
use App\Helpers\PermissionsHelper;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Http\Requests; use App\Http\Requests;
use App\Label; use App\Label;
@ -267,6 +268,10 @@ class AlbumController extends Controller
$album->save(); $album->save();
// Rebuild the permissions cache
$helper = new PermissionsHelper();
$helper->rebuildCache();
return redirect(route('albums.show', [$album->id, 'tab' => 'permissions'])); return redirect(route('albums.show', [$album->id, 'tab' => 'permissions']));
} }
@ -342,6 +347,10 @@ class AlbumController extends Controller
$album->save(); $album->save();
// Rebuild the permissions cache
$helper = new PermissionsHelper();
$helper->rebuildCache();
return redirect(route('albums.show', [$album->id, 'tab' => 'permissions'])); return redirect(route('albums.show', [$album->id, 'tab' => 'permissions']));
} }
@ -451,6 +460,7 @@ class AlbumController extends Controller
$album = new Album(); $album = new Album();
$album->fill($request->only(['name', 'description', 'storage_id', 'parent_album_id'])); $album->fill($request->only(['name', 'description', 'storage_id', 'parent_album_id']));
$album->is_permissions_inherited = (strtolower($request->get('is_permissions_inherited')) == 'on');
if (strlen($album->parent_album_id) == 0) if (strlen($album->parent_album_id) == 0)
{ {
@ -465,20 +475,27 @@ class AlbumController extends Controller
$album->save(); $album->save();
// Link all default permissions to anonymous users (if a public album) // Link all default permissions to anonymous users (if a public album)
$isPrivate = (strtolower($request->get('is_private')) == 'on'); if (!$album->is_permissions_inherited)
if (!$isPrivate)
{ {
/** @var Permission $permission */ $isPrivate = (strtolower($request->get('is_private')) == 'on');
foreach (Permission::where(['section' => 'album', 'is_default' => true])->get() as $permission)
if (!$isPrivate)
{ {
$album->anonymousPermissions()->attach($permission->id, [ /** @var Permission $permission */
'created_at' => new \DateTime(), foreach (Permission::where(['section' => 'album', 'is_default' => true])->get() as $permission)
'updated_at' => new \DateTime() {
]); $album->anonymousPermissions()->attach($permission->id, [
'created_at' => new \DateTime(),
'updated_at' => new \DateTime()
]);
}
} }
} }
// Rebuild the permissions cache
$helper = new PermissionsHelper();
$helper->rebuildCache();
return redirect(route('albums.show', ['id' => $album->id])); return redirect(route('albums.show', ['id' => $album->id]));
} }
@ -512,7 +529,7 @@ class AlbumController extends Controller
$currentParentID = $album->parent_album_id; $currentParentID = $album->parent_album_id;
$album->fill($request->only(['name', 'description', 'parent_album_id'])); $album->fill($request->only(['name', 'description', 'parent_album_id']));
$album->is_permissions_inherited = $request->has('is_permissions_inherited'); $album->is_permissions_inherited = (strtolower($request->get('is_permissions_inherited')) == 'on');
if (strlen($album->parent_album_id) == 0) if (strlen($album->parent_album_id) == 0)
{ {
@ -549,6 +566,11 @@ class AlbumController extends Controller
} }
$album->save(); $album->save();
// Rebuild the permissions cache
$helper = new PermissionsHelper();
$helper->rebuildCache();
$request->session()->flash('success', trans('admin.album_saved_successfully', ['name' => $album->name])); $request->session()->flash('success', trans('admin.album_saved_successfully', ['name' => $album->name]));
return redirect(route('albums.show', ['id' => $id])); return redirect(route('albums.show', ['id' => $id]));

View File

@ -5,6 +5,7 @@ namespace App\Http\Controllers\Admin;
use App\Facade\Theme; use App\Facade\Theme;
use App\Facade\UserConfig; use App\Facade\UserConfig;
use App\Group; use App\Group;
use App\Helpers\PermissionsHelper;
use App\User; use App\User;
use App\Http\Requests; use App\Http\Requests;
@ -200,6 +201,10 @@ class UserController extends Controller
$user->save(); $user->save();
// Rebuild the permissions cache
$helper = new PermissionsHelper();
$helper->rebuildCache();
return redirect(route('users.index')); return redirect(route('users.index'));
} }

View File

@ -14,8 +14,8 @@ class CreateAlbumPermissionsCacheTable extends Migration
public function up() public function up()
{ {
Schema::create('album_permissions_cache', function (Blueprint $table) { Schema::create('album_permissions_cache', function (Blueprint $table) {
$table->unsignedInteger('user_id')->nullable(true);
$table->unsignedInteger('album_id'); $table->unsignedInteger('album_id');
$table->unsignedInteger('user_id')->nullable(true);
$table->unsignedInteger('permission_id'); $table->unsignedInteger('permission_id');
$table->timestamps(); $table->timestamps();

View File

@ -46,6 +46,29 @@ function AboutViewModel(urls) {
}; };
} }
/**
* This model is used by admin/create_album.blade.php.
* @constructor
*/
function CreateAlbumViewModel() {
this.el = '#create-album-app';
this.data = {
is_inherit_permissions: true,
is_private: false,
parent_id: ''
};
this.computed = {
isParentAlbum: function() {
return this.parent_id == '';
},
isPrivateDisabled: function() {
return !this.isParentAlbum && this.is_inherit_permissions;
}
}
}
/** /**
* This model is used by admin/edit_album.blade.php. * This model is used by admin/edit_album.blade.php.
* @constructor * @constructor

View File

@ -32,8 +32,10 @@ return [
'album_cameras_heading' => 'Cameras used in this album', 'album_cameras_heading' => 'Cameras used in this album',
'album_cameras_tab' => 'Cameras', 'album_cameras_tab' => 'Cameras',
'album_cameras_text' => 'Blue Twilight analyses the Exif data in your photos to determine which cameras have been used. The cameras that were found are displayed below.', 'album_cameras_text' => 'Blue Twilight analyses the Exif data in your photos to determine which cameras have been used. The cameras that were found are displayed below.',
'album_inheriting_permissions_p1' => 'Permissions inherited from parent album', 'album_change_more_details' => 'You can change more details about this album by editing it. Click the button below to go to the album\'s Edit page.',
'album_inheriting_permissions_p2' => 'This album is inheriting permissions from its parent album. You can change the permissions applied to this album from the :l_parent_startparent album\'s permissions tab:l_parent_end. ', 'album_inheriting_permissions_p1' => 'Inherited permissions are in effect',
'album_inheriting_permissions_p2' => 'This album is inheriting permissions from a parent album and therefore permissions cannot be applied directly to it.',
'album_inheriting_permissions_p3' => 'You can change the permissions applied to this album (and other albums under the same parent) from the :l_parent_start parent album\'s permissions tab:l_parent_end, or stop permissions from being inherited by :l_edit_start editing this album:l_edit_end.',
'album_no_cameras_found_p1' => 'No cameras were found', 'album_no_cameras_found_p1' => 'No cameras were found',
'album_no_cameras_found_p2' => 'Upload more photos to this album or ensure the cameras you use support Exif image tagging.', 'album_no_cameras_found_p2' => 'Upload more photos to this album or ensure the cameras you use support Exif image tagging.',
'album_no_photos_p1' => 'No photos in this album', 'album_no_photos_p1' => 'No photos in this album',

View File

@ -24,6 +24,7 @@ return [
'description_label' => 'Description:', 'description_label' => 'Description:',
'download_action' => 'Download', 'download_action' => 'Download',
'edit_action' => 'Edit', 'edit_action' => 'Edit',
'edit_album_action' => 'Edit this album',
'email_label' => 'E-mail address:', 'email_label' => 'E-mail address:',
'enable_profile_page_label' => 'Allow others to see my profile page', 'enable_profile_page_label' => 'Allow others to see my profile page',
'inherit_album_permissions' => 'Inherit permissions from parent album', 'inherit_album_permissions' => 'Inherit permissions from parent album',

View File

@ -9,7 +9,7 @@
@endsection @endsection
@section('content') @section('content')
<div class="container"> <div class="container" id="create-album-app">
<div class="row"> <div class="row">
<div class="col"> <div class="col">
<h1>@lang('admin.create_album')</h1> <h1>@lang('admin.create_album')</h1>
@ -37,10 +37,10 @@
<div class="form-group"> <div class="form-group">
<label class="form-control-label" for="parent-album">@lang('forms.parent_album_label')</label> <label class="form-control-label" for="parent-album">@lang('forms.parent_album_label')</label>
<select class="form-control" name="parent_album_id" id="parent-album"> <select class="form-control" name="parent_album_id" id="parent-album" v-model="parent_id">
<option value="">@lang('forms.parent_album_placeholder')</option> <option value="">@lang('forms.parent_album_placeholder')</option>
@foreach ($parent_albums as $key => $value) @foreach ($parent_albums as $key => $value)
<option value="{{ $key }}"{{ $key == old('parent_album_id') ? ' selected="selected"' : '' }}>{{ $value->display_name }}</option> <option value="{{ $key }}">{{ $value->display_name }}</option>
@endforeach @endforeach
</select> </select>
</div> </div>
@ -54,9 +54,18 @@
</select> </select>
</div> </div>
<div class="form-group" v-if="!isParentAlbum">
<div class="mt-3 form-check">
<input type="checkbox" class="form-check-input" id="inherit-permissions" name="is_permissions_inherited" v-model="is_inherit_permissions" />
<label class="form-check-label" for="inherit-permissions">
@lang('forms.inherit_album_permissions')
</label>
</div>
</div>
<div class="form-check"> <div class="form-check">
<label class="form-check-label"> <input class="form-check-input" type="checkbox" name="is_private" id="is-private" v-bind:disabled="isPrivateDisabled" v-model="is_private">
<input class="form-check-inline" type="checkbox" name="is_private"> <label class="form-check-label" for="is-private">
<i class="fa fa-fw fa-lock"></i> @lang('forms.private_album_label') <i class="fa fa-fw fa-lock"></i> @lang('forms.private_album_label')
</label> </label>
</div> </div>
@ -69,4 +78,35 @@
</div> </div>
</div> </div>
</div> </div>
@endsection @endsection
@push('scripts')
<script type="text/javascript">
var createAlbumViewModel = new CreateAlbumViewModel();
createAlbumViewModel.data.parent_id = '{{ old('parent_album_id') }}';
var app = null;
$(document).ready(function()
{
app = new Vue(createAlbumViewModel);
app.$watch('is_private', function()
{
// If user chooses to make the album private, it cannot then inherit permissions (secure by default)
if (app.is_private)
{
app.is_inherit_permissions = false;
}
});
app.$watch('is_inherit_permissions', function()
{
// If user chooses to inherit permissions, it cannot also be private
if (app.is_inherit_permissions)
{
app.is_private = false;
}
});
});
</script>
@endpush

View File

@ -1,14 +1,19 @@
<div role="tabpanel" class="tab-pane{{ $active_tab == 'permissions' ? ' active' : '' }}" id="permissions-tab"> <div role="tabpanel" class="tab-pane{{ $active_tab == 'permissions' ? ' active' : '' }}" id="permissions-tab">
<h4>@lang('admin.security_heading')</h4>
<p>@lang('admin.security_text')</p>
<hr/>
@if ($album->is_permissions_inherited) @if ($album->is_permissions_inherited)
<div class="text-center mt-4"> <div class="text-center mt-3">
<h4 class="text-success"><b>@lang('admin.album_inheriting_permissions_p1')</b></h4> <h4 class="text-info"><b>@lang('admin.album_inheriting_permissions_p1')</b></h4>
<p class="mb-0">@lang('admin.album_inheriting_permissions_p2', ['l_parent_start' => '<a href="' . route('albums.show', [$album->parent_album_id]) . '?tab=permissions">', 'l_parent_end' => '</a>'])</p> <p>@lang('admin.album_inheriting_permissions_p2')</p>
<p>@lang('admin.album_inheriting_permissions_p3', [
'l_parent_start' => sprintf('<a href="%s">', route('albums.show', [$album->effectiveAlbumIDForPermissions(), 'tab' => 'permissions'])),
'l_parent_end' => '</a>',
'l_edit_start' => sprintf('<a href="%s">', route('albums.edit', [$album->id])),
'l_edit_end' => '</a>'
])</p>
</div> </div>
@else @else
<h4>@lang('admin.security_heading')</h4>
<p>@lang('admin.security_text')</p>
<hr/>
<h5 style="font-weight: bold;">@lang('admin.security_groups_heading')</h5> <h5 style="font-weight: bold;">@lang('admin.security_groups_heading')</h5>
<form action="{{ route('albums.set_group_permissions', ['id' => $album->id]) }}" method="post"> <form action="{{ route('albums.set_group_permissions', ['id' => $album->id]) }}" method="post">

View File

@ -4,29 +4,31 @@
@if ($album->redirects()->count() > 0) @if ($album->redirects()->count() > 0)
<p>@lang('admin.existing_album_redirects')</p> <p>@lang('admin.existing_album_redirects')</p>
<table class="table table-striped table-responsive"> <div class="table-responsive">
<thead> <table class="table table-striped">
<tr> <thead>
<th>@lang('admin.redirects_source_url_heading')</th>
<th style="width: 100px;">@lang('admin.redirects_actions_heading')</th>
</tr>
</thead>
<tbody>
@foreach ($album->redirects as $redirect)
<tr> <tr>
<td><a href="{{ route('home') }}/a{{ $redirect->source_url }}">{{ route('home') }}/a{{ $redirect->source_url }}</a></td> <th>@lang('admin.redirects_source_url_heading')</th>
<td> <th style="width: 100px;">@lang('admin.redirects_actions_heading')</th>
<form method="post" action="{{ route('albums.delete_redirect', [$album->id, $redirect->id]) }}">
{{ csrf_field() }}
{{ method_field('DELETE') }}
<input type="hidden" name="redirect_id" value="{{ $redirect->id }}" />
<button type="submit" class="btn btn-sm btn-danger delete-redirect">@lang('forms.delete_action')</button>
</form>
</td>
</tr> </tr>
@endforeach </thead>
</tbody> <tbody>
</table> @foreach ($album->redirects as $redirect)
<tr>
<td><a href="{{ route('home') }}/a{{ $redirect->source_url }}">{{ route('home') }}/a{{ $redirect->source_url }}</a></td>
<td>
<form method="post" action="{{ route('albums.delete_redirect', [$album->id, $redirect->id]) }}">
{{ csrf_field() }}
{{ method_field('DELETE') }}
<input type="hidden" name="redirect_id" value="{{ $redirect->id }}" />
<button type="submit" class="btn btn-sm btn-danger delete-redirect">@lang('forms.delete_action')</button>
</form>
</td>
</tr>
@endforeach
</tbody>
</table>
</div>
<br/> <br/>
@endif @endif

View File

@ -22,6 +22,11 @@
<textarea class="form-control" id="album-description" name="description" rows="5">{{ old('description') }}</textarea> <textarea class="form-control" id="album-description" name="description" rows="5">{{ old('description') }}</textarea>
</div> </div>
<div class="form-group">
<p>@lang('admin.album_change_more_details')</p>
<a href="{{ route('albums.edit', [$album->id]) }}" class="btn btn-outline-primary">@lang('forms.edit_album_action')</a>
</div>
<hr/> <hr/>
<h4><i class="fa fa-fw fa-paint-brush"></i> @lang('admin.album_appearance_heading')</h4> <h4><i class="fa fa-fw fa-paint-brush"></i> @lang('admin.album_appearance_heading')</h4>