From 51e8f84023b210218c846e0d9cfa7e2caf7b099b Mon Sep 17 00:00:00 2001
From: Nigel Banks <nigel.g.banks@gmail.com>
Date: Wed, 13 Mar 2013 01:51:47 +0100
Subject: [PATCH 1/3] Added a new function islandora_user_access() to simplify
 access callbacks.

This function will check the given object/datastream against the given
permissions and required content models using the given user. If no user is
given the user identified by the GET token will be used, if no token is present
the global user will be used.
---
 islandora.module | 82 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/islandora.module b/islandora.module
index 94aedbe0..57ee5d9b 100644
--- a/islandora.module
+++ b/islandora.module
@@ -334,6 +334,88 @@ function islandora_forms($form_id) {
   return $forms;
 }
 
+/**
+ * Checks whether the user can access the given object.
+ *
+ * Checks for repository access, object/datastream existance, namespace access,
+ * user permissions, content models.
+ *
+ * Will check the given user or the user repersented by the GET token parameter,
+ * failing that it will use the global user.
+ *
+ * @global $user
+ *
+ * @param mixed $object
+ *   The FedoraObject or FedoraDatastream to test for accessibility, if NULL
+ *   is given the object is assumed to not exist or be inaccessible.
+ * @param array $permissions
+ *   The required user permissions.
+ * @param array $content_models
+ *   The required content models.
+ * @param bool $access_any
+ *   (optional) TRUE to grant access if any single requirement is met from both
+ *   the permissions and content models parameters. FALSE if all requirements
+ *   must be met from both the permissions and content model parameters.
+ * @param object $account
+ *   (optional) The account to check, if not given check the GET parameters for
+ *   a token to restore the user. If no GET parameter is present use currently
+ *   logged in user.
+ *
+ * @return bool
+ *   TRUE if the user is allowed to access this object/datastream, FALSE
+ *   otherwise.
+ */
+function islandora_user_access($object, array $permissions, $content_models = array(), $access_any = TRUE, $account = NULL) {
+  module_load_include('inc', 'islandora', 'includes/utilities');
+  $is_repository_accessible = &drupal_static(__FUNCTION__);
+  // If the repository is inaccessible then access always fails.
+  if (!isset($is_repository_accessible)) {
+    $is_repository_accessible = islandora_describe_repository();
+    if (!$is_repository_accessible) {
+      // Only display the inaccessible message once.
+      islandora_display_repository_inaccessible_message();
+      return FALSE;
+    }
+  }
+  if (!$is_repository_accessible || !is_object($object)) {
+    return FALSE;
+  }
+  // Determine the user account to test against.
+  if (!isset($account)) {
+    $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+    if ($token) {
+      module_load_include('inc', 'islandora', 'includes/authtokens');
+      $user = islandora_validate_object_token($object->id, $datastream->id, $token);
+      if ($user) {
+        $account = user_load($user->uid);
+      }
+    }
+    else {
+      global $user;
+      $account = $user;
+    }
+  }
+  // Determine what has been passed as $object.
+  if (is_subclass_of($object, 'FedoraObject')) {
+    $object = $object;
+  }
+  elseif (is_subclass_of($object, 'FedoraDatastream')) {
+    $datastream = $object;
+    $object = $datstream->parent;
+  }
+  // Check for access.
+  $accessible_namespace = islandora_namespace_accessible($object->id);
+  if ($access_any) {
+    $has_required_permissions = islandora_user_access_any($permissions, $account);
+    $has_required_content_models = empty($content_models) ? TRUE : count(array_intersect($object->models, $content_models)) > 0;
+  }
+  else {
+    $has_required_permissions = islandora_user_access_all($permissions, $account);
+    $has_required_content_models = count(array_diff($content_models, $object->models)) == 0;
+  }
+  return $accessible_namespace && $has_required_permissions && $has_required_content_models;
+}
+
 /**
  * Checks whether the user can access the given object.
  *

From 8204d1f8fd8a8409701003a45fa4c77305ddedb0 Mon Sep 17 00:00:00 2001
From: Nigel Banks <nigel.g.banks@gmail.com>
Date: Mon, 1 Apr 2013 16:33:49 +0200
Subject: [PATCH 2/3] Standards Compliance

---
 tests/islandora_manage_permissions.test | 64 ++++++++++++++-----------
 1 file changed, 35 insertions(+), 29 deletions(-)

diff --git a/tests/islandora_manage_permissions.test b/tests/islandora_manage_permissions.test
index 76f43a6d..5e20b374 100644
--- a/tests/islandora_manage_permissions.test
+++ b/tests/islandora_manage_permissions.test
@@ -1,7 +1,17 @@
 <?php
 
+/**
+ * @file
+ * Tests islandora permissions, and permission related funcitons.
+ */
+
 class IslandoraPermissionsTestCase extends IslandoraWebTestCase {
-  
+
+  /**
+   * Gets info to display to describe this test.
+   *
+   * @see IslandoraWebTestCase::getInfo()
+   */
   public static function getInfo() {
     return array(
       'name' => 'Islandora Manage Permissions',
@@ -10,69 +20,65 @@ class IslandoraPermissionsTestCase extends IslandoraWebTestCase {
     );
   }
 
+  /**
+   * Prepares enviroment for testing.
+   *
+   * @see IslandoraWebTestCase::setUp()
+   */
   public function setUp() {
     parent::setUp(array('islandora'));
   }
 
+  /**
+   * Test manage permissions.
+   */
   public function testManagePermissions() {
-
-
-    // permission FEDORA_VIEW_OBJECTS
-    // create a user with permission
+    // Test permission FEDORA_VIEW_OBJECTS.
+    // Create a user with permission.
     $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS));
-     // log the user in
+    // Log the user in.
     $this->drupalLogin($user);
     $this->clickLink(t('Islandora Repository'));
     $this->assertNoLink('Manage', 'Manage tab is not on current page.');
-    
-    
-    // permission FEDORA_VIEW_OBJECTS, FEDORA_MANAGE_PROPERTIES
+
+    // Test permission FEDORA_VIEW_OBJECTS, FEDORA_MANAGE_PROPERTIES.
     $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_MANAGE_PROPERTIES));
-     // log the user in
     $this->drupalLogin($user);
     $this->clickLink(t('Islandora Repository'));
     $this->assertLink('Manage', 0, 'Manage tab is on current page.');
     $this->clickLink(t('Manage'));
     $this->assertLink('Properties', 0, 'Properties tab is on current page.');
     $this->assertNoLink('Datastreams', 'Datastreams tab is not on current page.');
-    $this->assertNoLink('Collection','Collection tab is not on current page.');
+    $this->assertNoLink('Collection', 'Collection tab is not on current page.');
 
-    
-    // permission FEDORA_VIEW_OBJECTS, FEDORA_ADD_DS
+    // Test permission FEDORA_VIEW_OBJECTS, FEDORA_ADD_DS.
     $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_ADD_DS));
-     // log the user in
     $this->drupalLogin($user);
     $this->clickLink(t('Islandora Repository'));
     $this->assertLink('Manage', 0, 'Manage tab is on current page.');
     $this->clickLink(t('Manage'));
     $this->assertLink('Datastreams', 0, 'Datastreams tab is on current page.');
     $this->assertNoLink('Properties', 'Properties tab is not on current page.');
-    $this->assertNoLink('Collection','Collection tab is not on current page.');
-    
-    
-    // permission FEDORA_VIEW_OBJECTS, FEDORA_METADATA_EDIT
+    $this->assertNoLink('Collection', 'Collection tab is not on current page.');
+
+    // Test permission FEDORA_VIEW_OBJECTS, FEDORA_METADATA_EDIT.
     $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_METADATA_EDIT));
-     // log the user in
-   $this->drupalLogin($user);
+    $this->drupalLogin($user);
     $this->clickLink(t('Islandora Repository'));
     $this->assertLink('Manage', 0, 'Manage tab is on current page.');
     $this->clickLink(t('Manage'));
     $this->assertLink('Datastreams', 0, 'Datastreams tab is on current page.');
     $this->assertNoLink('Properties', 'Properties tab is not on current page.');
-    $this->assertNoLink('Collection','Collection tab is not on current page.');
-    
-    
-    // permission FEDORA_VIEW_OBJECTS, FEDORA_PURGE
+    $this->assertNoLink('Collection', 'Collection tab is not on current page.');
+
+    // Test permission FEDORA_VIEW_OBJECTS, FEDORA_PURGE.
     $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE));
-     // log the user in
     $this->drupalLogin($user);
     $this->clickLink(t('Islandora Repository'));
     $this->assertLink('Manage', 0, 'Manage tab is on current page.');
     $this->clickLink(t('Manage'));
     $this->assertLink('Datastreams', 0, 'Datastreams tab is on current page.');
     $this->assertNoLink('Properties', 'Properties tab is not on current page.');
-    $this->assertNoLink('Collection','Collection tab is not on current page.');
-       
+    $this->assertNoLink('Collection', 'Collection tab is not on current page.');
   }
-
- }
\ No newline at end of file
+}

From 68bbbe163e3e67fddb4adf26eb4fd02a31d1597b Mon Sep 17 00:00:00 2001
From: Nigel Banks <nigel.g.banks@gmail.com>
Date: Mon, 1 Apr 2013 17:30:41 +0200
Subject: [PATCH 3/3] Added tests for islandora_user_access().

Caught a spelling mistake as part of the testing writing.
---
 islandora.module                        |  2 +-
 tests/islandora_manage_permissions.test | 52 +++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/islandora.module b/islandora.module
index 57ee5d9b..47fed2e6 100644
--- a/islandora.module
+++ b/islandora.module
@@ -401,7 +401,7 @@ function islandora_user_access($object, array $permissions, $content_models = ar
   }
   elseif (is_subclass_of($object, 'FedoraDatastream')) {
     $datastream = $object;
-    $object = $datstream->parent;
+    $object = $datastream->parent;
   }
   // Check for access.
   $accessible_namespace = islandora_namespace_accessible($object->id);
diff --git a/tests/islandora_manage_permissions.test b/tests/islandora_manage_permissions.test
index 5e20b374..72aebd89 100644
--- a/tests/islandora_manage_permissions.test
+++ b/tests/islandora_manage_permissions.test
@@ -81,4 +81,56 @@ class IslandoraPermissionsTestCase extends IslandoraWebTestCase {
     $this->assertNoLink('Properties', 'Properties tab is not on current page.');
     $this->assertNoLink('Collection', 'Collection tab is not on current page.');
   }
+
+  /**
+   * Test generic access functions.
+   *
+   * Note that we can't test with the Global user as SimpleTest doesn't support
+   * it. Therefore we can't test the authtoken support.
+   */
+  public function testAccessFunctions() {
+    $object = islandora_object_load(variable_get('islandora_repository_pid', 'islandora:root'));
+    // Test islandora_user_access();
+    // Test no object/permissions.
+    $ret = islandora_user_access(NULL, array());
+    $this->assertFalse($ret, 'User access denied when no object/permissions are provided.');
+    // Test with object no permissions.
+    $ret = islandora_user_access($object, array());
+    $this->assertFalse($ret, 'User access denied when no permissions are provided.');
+    // Test access with matching permission.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS));
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS), array(), TRUE, $user);
+    $this->assertTrue($ret, 'User access granted when permissions match.');
+    // Test access with matching permission but access any is FALSE.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS));
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE), array(), FALSE, $user);
+    $this->assertFalse($ret, 'User access denied for matching permission but with access any set to FALSE.');
+    // Test access with non-matching permission.
+    $user = $this->drupalCreateUser(array(FEDORA_PURGE));
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS), array(), TRUE, $user);
+    $this->assertFalse($ret, 'User access denied when permissions did not match.');
+    // Test access with both permissions and content model.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS));
+    $model = $object->models;
+    $model = reset($model);
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS), array($model), TRUE, $user);
+    $this->assertTrue($ret, 'User access granted for matching permission and model.');
+    // Test access with matching permissions and non-matching content model.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS));
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS), array('islandora:obviouslyNotACModel'), TRUE, $user);
+    $this->assertFalse($ret, 'User access denied for matching permission and non-matching model.');
+    // Test access with all matching permissions and one matching model but
+    // access any is FALSE.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE));
+    $model = $object->models;
+    $model = reset($model);
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE), array($model, 'islandora:obviouslyNotACModel'), FALSE, $user);
+    $this->assertFalse($ret, 'User access denied for all matching permissions and one matching model but with access any set to FALSE.');
+    $ret = islandora_user_access($object, array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE), array($model), FALSE, $user);
+    $this->assertTrue($ret, 'User access granted for all matching permissions and matching models with access any set to FALSE.');
+    // Test passing in a Datastream.
+    $user = $this->drupalCreateUser(array(FEDORA_VIEW_OBJECTS, FEDORA_PURGE));
+    $ret = islandora_user_access($object['DC'], array(FEDORA_VIEW_OBJECTS), array(), TRUE, $user);
+    $this->assertTrue($ret, 'User access granted for matching permissions, with a datastream given instead of an object.');
+  }
 }