[MKDoc-commit] [1.6] group access recurses to sub-documents (Sam Tregar)

bruno at mkdoc.demon.co.uk bruno at mkdoc.demon.co.uk
Tue Feb 8 10:38:48 GMT 2005


Log Message:
-----------
[1.6] group access recurses to sub-documents (Sam Tregar)

Tags:
----
mkdoc-1-6

Modified Files:
--------------
    mkd/MKDoc/Handler:
        GroupAuthz.pm

-------------- next part --------------
Index: GroupAuthz.pm
===================================================================
RCS file: /var/spool/cvs/mkd/MKDoc/Handler/Attic/GroupAuthz.pm,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -LMKDoc/Handler/GroupAuthz.pm -LMKDoc/Handler/GroupAuthz.pm -u -r1.1.2.1 -r1.1.2.2
--- MKDoc/Handler/GroupAuthz.pm
+++ MKDoc/Handler/GroupAuthz.pm
@@ -81,15 +81,11 @@
     # (could be a CSS link, an image, etc)
     return OK unless $document;
 
-    # check if this document is assigned to one or more groups
-    my $document_grp_t = flo::Standard::table('Document_Grp');
-    my @res = $document_grp_t->select (
-	cols => 'Grp_ID',
-        where => lib::sql::Condition->new(Document_ID => $document->id)
-                                      )->fetch_all();
+    # get groups for this document, searching up the tree as needed
+    my @doc_group_ids = _find_groups($document);
 
     # no results means this document is available to all
-    return OK unless @res;
+    return OK unless @doc_group_ids;
 
     # if the user isn't correctly logged in then they can't see this
     # page
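Review bot: The comment `# no results means this document is available to all` no longer describes the check. After this change an empty `@doc_group_ids` means that neither the document nor any ancestor has a group, so I would reword it to `# no groups on this document or any ancestor means it is available to all`. Because the empty case returns OK, the check fails open: if a `Document_Grp` lookup inside `_find_groups` can return an empty list on error instead of dying (not visible here), a restricted page would be served to everyone, so it is worth confirming that lookup errors propagate. The handler's body starts and ends outside this hunk.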
@@ -109,12 +105,35 @@
 
     # allow through if the user is in one of the document's groups
     my %groups = map { ($_->{Grp_ID}, 1) } @groups;
-    return OK if grep { $groups{$_->{Grp_ID}} } @res;
+    return OK if grep { $groups{$_} } @doc_group_ids;
 
     # otherwise, no dice
     return FORBIDDEN;
 }
 
+# find all groups relevent to a document, searching up the tree to the
+# root
+sub _find_groups {
+    my $document = shift;
+    my $document_grp_t = flo::Standard::table('Document_Grp');
+
+    # get list of all documents to check
+    my @documents = ($document, $document->ancestors);
+
+    # get results for each document 
+    my %groups;
+    foreach my $doc (@documents) {
+        my @res = $document_grp_t->select (
+	cols => 'Grp_ID',
+        where => lib::sql::Condition->new(Document_ID => $doc->id)
+                                      )->fetch_all();
+        $groups{$_->{Grp_ID}} = 1 for @res;
+    }
+
+    return keys %groups;
+}
+
+
 # an authen handler that does nothing.  This is needed to allow the
 # group authz mechanism to work on www.* which doesn't do
 # authentication.
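Review bot: `_find_groups` merges the group ids of the document and all its ancestors into one set, and `return OK if grep { $groups{$_} } @doc_group_ids;` accepts membership in any one of them. A sub-document restricted to a narrower group than its parent therefore becomes readable by members of the parent's group, which the previous per-document check did not allow. If inheritance is meant only to add restrictions, keep the groups per level and require a match at every restricted level, as sketched below; if the union is intended, a comment on `_find_groups` should say so. The loop also issues one select per ancestor on every request, which may be worth collapsing into a single query if the condition class allows it (not visible here). The handler's body starts outside this hunk.

```perl
    # allow through only if the user is in a group at every restricted level
    my %groups = map { ($_->{Grp_ID}, 1) } @groups;
    for my $level (@doc_group_ids) {
        return FORBIDDEN unless grep { $groups{$_} } @$level;
    }
    return OK;
}

# find the groups of a document and of each ancestor, one array ref of
# group ids per document that has any
sub _find_groups {
    my $document = shift;
    my $document_grp_t = flo::Standard::table('Document_Grp');

    my @levels;
    foreach my $doc ($document, $document->ancestors) {
        # … unchanged: select on Document_Grp for $doc->id into @res …
        push @levels, [ map { $_->{Grp_ID} } @res ] if @res;
    }

    return @levels;
}
```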

