From c9475c76a8b4c2bf32d1d3293b03b646e7e7a91e Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sun, 15 Nov 2009 15:59:10 +0100 Subject: define rights around how to silence, sandbox, and delete a user --- lib/right.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/right.php') diff --git a/lib/right.php b/lib/right.php index 4fc981af0..88abdf780 100644 --- a/lib/right.php +++ b/lib/right.php @@ -47,5 +47,8 @@ class Right { const DELETEOTHERSNOTICE = 'deleteothersnotice'; const CONFIGURESITE = 'configuresite'; + const DELETEUSER = 'deleteuser'; + const SILENCEUSER = 'silenceuser'; + const SANDBOXUSER = 'sandboxuser'; } -- cgit v1.2.3-54-g00ecf From d2145a5b7f3a95dcfa90edb4bcd5e5b3bf66c116 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 16 Nov 2009 19:03:59 +0100 Subject: Move rights check to profile and add right for new notices Added a right for new notices, realized that the hasRight() method should be on the profile, and moved it. Makes this a less atomic commit but that's the way it goes sometimes. --- classes/Notice.php | 6 ++---- classes/Profile.php | 38 ++++++++++++++++++++++++++++++++++++++ classes/User.php | 33 ++------------------------------- lib/right.php | 1 + 4 files changed, 43 insertions(+), 35 deletions(-) (limited to 'lib/right.php') diff --git a/classes/Notice.php b/classes/Notice.php index 291e6202b..fde40240f 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -195,10 +195,8 @@ class Notice extends Memcached_DataObject ' take a breather and post again in a few minutes.')); } - $banned = common_config('profile', 'banned'); - - if ( in_array($profile_id, $banned) || in_array($profile->nickname, $banned)) { - common_log(LOG_WARNING, "Attempted post from banned user: $profile->nickname (user id = $profile_id)."); + if (!$profile->hasRight(Right::NEWNOTICE)) { + common_log(LOG_WARNING, "Attempted post from user disallowed to post: " . $profile->nickname); throw new ClientException(_('You are banned from posting notices on this site.')); } diff --git a/classes/Profile.php b/classes/Profile.php index 5b4394d3b..e3b35533a 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -661,4 +661,42 @@ class Profile extends Memcached_DataObject { $this->revokeRole(Profile_role::SILENCED); } + + /** + * Does this user have the right to do X? + * + * With our role-based authorization, this is merely a lookup for whether the user + * has a particular role. The implementation currently uses a switch statement + * to determine if the user has the pre-defined role to exercise the right. Future + * implementations may allow per-site roles, and different mappings of roles to rights. + * + * @param $right string Name of the right, usually a constant in class Right + * @return boolean whether the user has the right in question + */ + + function hasRight($right) + { + $result = false; + if (Event::handle('UserRightsCheck', array($this, $right, &$result))) { + switch ($right) + { + case Right::DELETEOTHERSNOTICE: + case Right::SANDBOXUSER: + case Right::SILENCEUSER: + case Right::DELETEUSER: + $result = $this->hasRole(Profile_role::MODERATOR); + break; + case Right::CONFIGURESITE: + $result = $this->hasRole(Profile_role::ADMINISTRATOR); + break; + case Right::NEWNOTICE: + $result = !$this->isSilenced(); + break; + default: + $result = false; + break; + } + } + return $result; + } } diff --git a/classes/User.php b/classes/User.php index 82d3bd59a..a466369a1 100644 --- a/classes/User.php +++ b/classes/User.php @@ -657,39 +657,10 @@ class User extends Memcached_DataObject return Design::staticGet('id', $this->design_id); } - /** - * Does this user have the right to do X? - * - * With our role-based authorization, this is merely a lookup for whether the user - * has a particular role. The implementation currently uses a switch statement - * to determine if the user has the pre-defined role to exercise the right. Future - * implementations may allow per-site roles, and different mappings of roles to rights. - * - * @param $right string Name of the right, usually a constant in class Right - * @return boolean whether the user has the right in question - */ - function hasRight($right) { - $result = false; - if (Event::handle('UserRightsCheck', array($this, $right, &$result))) { - switch ($right) - { - case Right::DELETEOTHERSNOTICE: - case Right::SANDBOXUSER: - case Right::SILENCEUSER: - case Right::DELETEUSER: - $result = $this->hasRole(Profile_role::MODERATOR); - break; - case Right::CONFIGURESITE: - $result = $this->hasRole(Profile_role::ADMINISTRATOR); - break; - default: - $result = false; - break; - } - } - return $result; + $profile = $this->getProfile(); + return $profile->hasRight($right); } function delete() diff --git a/lib/right.php b/lib/right.php index 88abdf780..ae8516602 100644 --- a/lib/right.php +++ b/lib/right.php @@ -50,5 +50,6 @@ class Right const DELETEUSER = 'deleteuser'; const SILENCEUSER = 'silenceuser'; const SANDBOXUSER = 'sandboxuser'; + const NEWNOTICE = 'newnotice'; } -- cgit v1.2.3-54-g00ecf From f1efb845e4955f398be3a7e36499474dc67bdade Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 16 Nov 2009 19:22:22 +0100 Subject: don't allow sandboxed users to post public notices --- classes/Notice.php | 5 ++--- classes/Profile.php | 3 +++ lib/right.php | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'lib/right.php') diff --git a/classes/Notice.php b/classes/Notice.php index fde40240f..1db431f2a 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -203,12 +203,11 @@ class Notice extends Memcached_DataObject $notice = new Notice(); $notice->profile_id = $profile_id; - $blacklist = common_config('public', 'blacklist'); $autosource = common_config('public', 'autosource'); - # Blacklisted are non-false, but not 1, either + # Sandboxed are non-false, but not 1, either - if (($blacklist && in_array($profile_id, $blacklist)) || + if (!$user->hasRight(Right::PUBLICNOTICE) || ($source && $autosource && in_array($source, $autosource))) { $notice->is_local = Notice::LOCAL_NONPUBLIC; } else { diff --git a/classes/Profile.php b/classes/Profile.php index e3b35533a..291e3f064 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -692,6 +692,9 @@ class Profile extends Memcached_DataObject case Right::NEWNOTICE: $result = !$this->isSilenced(); break; + case Right::PUBLICNOTICE: + $result = !$this->isSandboxed(); + break; default: $result = false; break; diff --git a/lib/right.php b/lib/right.php index ae8516602..1a3a7d49a 100644 --- a/lib/right.php +++ b/lib/right.php @@ -51,5 +51,6 @@ class Right const SILENCEUSER = 'silenceuser'; const SANDBOXUSER = 'sandboxuser'; const NEWNOTICE = 'newnotice'; + const PUBLICNOTICE = 'publicnotice'; } -- cgit v1.2.3-54-g00ecf From e9321a18063911f28bb55e355298ce65b36b5b71 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 16 Nov 2009 19:46:08 +0100 Subject: more rights denied to silenced and sandboxed --- classes/Profile.php | 4 ++++ lib/right.php | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'lib/right.php') diff --git a/classes/Profile.php b/classes/Profile.php index 291e3f064..8754c506c 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -690,9 +690,13 @@ class Profile extends Memcached_DataObject $result = $this->hasRole(Profile_role::ADMINISTRATOR); break; case Right::NEWNOTICE: + case Right::NEWMESSAGE: + case Right::SUBSCRIBE: $result = !$this->isSilenced(); break; case Right::PUBLICNOTICE: + case Right::EMAILONREPLY: + case Right::EMAILONSUBSCRIBE: $result = !$this->isSandboxed(); break; default: diff --git a/lib/right.php b/lib/right.php index 1a3a7d49a..90ca75fd5 100644 --- a/lib/right.php +++ b/lib/right.php @@ -52,5 +52,9 @@ class Right const SANDBOXUSER = 'sandboxuser'; const NEWNOTICE = 'newnotice'; const PUBLICNOTICE = 'publicnotice'; + const NEWMESSAGE = 'newmessage'; + const SUBSCRIBE = 'subscribe'; + const EMAILONREPLY = 'emailonreply'; + const EMAILONSUBSCRIBE = 'emailonsubscribe'; } -- cgit v1.2.3-54-g00ecf From d59af0296070cd868855564a0280e4be2c16410d Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 16 Nov 2009 14:28:55 -0500 Subject: disallow email on faves from sandboxed users --- classes/Profile.php | 1 + lib/mail.php | 4 ++++ lib/right.php | 1 + 3 files changed, 6 insertions(+) (limited to 'lib/right.php') diff --git a/classes/Profile.php b/classes/Profile.php index 8754c506c..d52dff5af 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -697,6 +697,7 @@ class Profile extends Memcached_DataObject case Right::PUBLICNOTICE: case Right::EMAILONREPLY: case Right::EMAILONSUBSCRIBE: + case Right::EMAILONFAVE: $result = !$this->isSandboxed(); break; default: diff --git a/lib/mail.php b/lib/mail.php index 6e74d1806..dffac3262 100644 --- a/lib/mail.php +++ b/lib/mail.php @@ -546,6 +546,10 @@ function mail_notify_message($message, $from=null, $to=null) function mail_notify_fave($other, $user, $notice) { + if (!$user->hasRight(Right::EMAILONFAVE)) { + return; + } + $profile = $user->getProfile(); $bestname = $profile->getBestName(); diff --git a/lib/right.php b/lib/right.php index 90ca75fd5..5e66eae0e 100644 --- a/lib/right.php +++ b/lib/right.php @@ -56,5 +56,6 @@ class Right const SUBSCRIBE = 'subscribe'; const EMAILONREPLY = 'emailonreply'; const EMAILONSUBSCRIBE = 'emailonsubscribe'; + const EMAILONFAVE = 'emailonfave'; } -- cgit v1.2.3-54-g00ecf