From 12f9c81e281e2fffd53aec8a15612a4148ccd92b Mon Sep 17 00:00:00 2001
From: Kris Bulman
Date: Thu, 3 Jan 2013 15:39:50 -0400
Subject: [PATCH 1/2] Broke apart permissions to view objects and datastreams. They are now two seperate permissions. Got rid of permission to view management tabs, as these are now displayed only if the user has appropriate permissions to use the tabs.
---
 islandora.module | 51 +++++++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/islandora.module b/islandora.module
index f8673546..ff0a7472 100644
--- a/islandora.module
+++ b/islandora.module
@@ -26,13 +26,13 @@ define('DS_COMP_STREAM', 'DS-COMPOSITE-MODEL');
 // Permissions
-define('FEDORA_VIEW', 'view fedora repository');
+define('FEDORA_VIEW_OBJECTS', 'view fedora repository objects');
+define('FEDORA_VIEW_DATASTREAMS', 'view fedora repository datastreams');
 define('FEDORA_METADATA_EDIT', 'edit fedora metadata');
 define('FEDORA_ADD_DS', 'add fedora datastreams');
 define('FEDORA_INGEST', 'ingest fedora objects');
 define('FEDORA_PURGE', 'delete fedora objects and datastreams');
 define('FEDORA_MANAGE_PROPERTIES', 'manage object properties');
-define('FEDORA_MANAGE', 'manage fedora items');
 // Hooks
 define('ISLANDORA_VIEW_HOOK', 'islandora_view_object');
@@ -82,7 +82,7 @@ function islandora_menu() {
 'title' => 'Islandora Repository',
 'page callback' => 'islandora_view_default_object',
 'type' => MENU_NORMAL_ITEM,
- 'access arguments' => array(FEDORA_VIEW),
+ 'access arguments' => array(FEDORA_VIEW_OBJECTS),
 );
 $items['islandora/object/%islandora_object'] = array(
 'title' => 'Repository',
@@ -90,7 +90,7 @@ function islandora_menu() {
 'page arguments' => array(2),
 'type' => MENU_NORMAL_ITEM,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_VIEW, 2),
+ 'access arguments' => array(array(FEDORA_VIEW_OBJECTS), 2),
 );
 $items['islandora/object/%islandora_object/view'] = array(
 'title' => 'View',
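Review bot: Replacing `'view fedora repository'` with two new permission strings in the `@@ -26` hunk orphans every existing role grant, and the diffstat shows only islandora.module changing, so no update hook migrates them. Drupal stores role grants by permission string, so after this patch roles that could view the repository lose access until an administrator re-grants it, and any other module still referencing the removed `FEDORA_VIEW` or `FEDORA_MANAGE` constants would presumably fail its `user_access()` check. That fails closed, but it is a silent access change on upgrade; a `hook_update_N()` that maps the old grant onto the new permissions, or at least a release note, would make it deliberate.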
@@ -108,7 +108,7 @@ function islandora_menu() {
 'page arguments' => array(2),
 'type' => MENU_LOCAL_TASK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_MANAGE, 2),
+ 'access arguments' => array(array(FEDORA_VIEW_OBJECTS, FEDORA_VIEW_DATASTREAMS), 2),
 );
 $items['islandora/object/%islandora_object/manage/datastreams'] = array(
 'title' => 'Datastreams',
@@ -122,7 +122,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_object_properties_form', 2),
 'type' => MENU_LOCAL_TASK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_MANAGE_PROPERTIES, 2),
+ 'access arguments' => array(array(FEDORA_MANAGE_PROPERTIES), 2),
 'weight' => -5,
 );
 $items['islandora/object/%islandora_object/delete'] = array(
@@ -132,7 +132,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_delete_object_form', 2),
 'type' => MENU_CALLBACK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_PURGE, 2),
+ 'access arguments' => array(array(FEDORA_PURGE), 2),
 );
 $items['islandora/object/%islandora_object/manage/datastreams/add'] = array(
 'title' => 'Add a datastream',
@@ -141,7 +141,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_add_datastream_form', 2),
 'type' => MENU_LOCAL_ACTION,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_ADD_DS, 2)
+ 'access arguments' => array(array(FEDORA_ADD_DS), 2)
 );
 $items['islandora/object/%islandora_object/manage/datastreams/add/autocomplete'] = array(
 'file' => 'includes/add_datastream.form.inc',
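Review bot: The Manage tab at `@@ -108` becomes reachable with either view permission, because `array(FEDORA_VIEW_OBJECTS, FEDORA_VIEW_DATASTREAMS)` is evaluated any-of by the reworked `islandora_object_access_callback`, whereas it previously required the dedicated `FEDORA_MANAGE` permission. Unless `islandora_edit_object` (outside this hunk) checks each action itself, every user who can view an object can also open its management page. The gate should list management permissions rather than view permissions, for example `'access arguments' => array(array(FEDORA_METADATA_EDIT, FEDORA_ADD_DS, FEDORA_MANAGE_PROPERTIES), 2),`.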
@@ -149,7 +149,7 @@ function islandora_menu() {
 'page arguments' => array(2),
 'type' => MENU_CALLBACK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(FEDORA_ADD_DS, 2)
+ 'access arguments' => array(array(FEDORA_ADD_DS), 2)
 );
 $items['islandora/object/%islandora_object/datastream/%islandora_datastream'] = array(
 'title' => 'View datastream',
@@ -158,7 +158,7 @@ function islandora_menu() {
 'type' => MENU_CALLBACK,
 'file' => 'includes/datastream.inc',
 'access callback' => 'islandora_object_datastream_access_callback',
- 'access arguments' => array(FEDORA_VIEW, 2, 4),
+ 'access arguments' => array(FEDORA_VIEW_DATASTREAMS, 2, 4),
 'load arguments' => array(2),
 );
 // This menu item uses token authentication in islandora_tokened_object.
@@ -174,7 +174,7 @@ function islandora_menu() {
 'type' => MENU_CALLBACK,
 'file' => 'includes/datastream.inc',
 'access callback' => 'islandora_object_datastream_access_callback',
- 'access arguments' => array(FEDORA_VIEW, 2, 4),
+ 'access arguments' => array(FEDORA_VIEW_DATASTREAMS, 2, 4),
 'load arguments' => array(2),
 );
 $items['islandora/object/%islandora_object/datastream/%islandora_datastream/edit'] = array(
@@ -248,9 +248,13 @@ function islandora_theme() {
 */
 function islandora_permission() {
 return array(
- FEDORA_VIEW => array(
- 'title' => t('View repository objects and datastreams'),
- 'description' => t('View objects in the repository and their associated datastreams. Note: Fedora XACML security policies may override this permission.')
+ FEDORA_VIEW_OBJECTS => array(
+ 'title' => t('View repository objects'),
+ 'description' => t('View objects in the repository. Note: Fedora XACML security policies may override this permission.')
+ ),
+ FEDORA_VIEW_DATASTREAMS => array(
+ 'title' => t('View repository object datastreams'),
+ 'description' => t('View datastreams of objects in the repository. Note: Fedora XACML security policies may override this permission.')
 ),
 FEDORA_ADD_DS => array(
 'title' => t('Add datastreams to repository objects'),
@@ -272,10 +276,6 @@ function islandora_permission() {
 'title' => t('Manage object properties'),
 'description' => t('Modify object labels, owner IDs, and states.')
 ),
- FEDORA_MANAGE => array(
- 'title' => t('View object management tabs'),
- 'description' => t('View tabs that provide object management functions.')
- )
 );
 }
@@ -302,8 +302,8 @@ function islandora_forms($form_id) {
 * @see islandora_object_load() To find potential solutions to enable
 * page not found errors.
 *
- * @param string $perm
- * The user permission to test for.
+ * @param string $perms
+ * Array of user permission to test for.
 * @param FedoraObject $object
 * The object to test, if NULL given the object doesn't exist or is
 * inaccessible.
@@ -311,7 +311,7 @@ function islandora_forms($form_id) {
 * @return boolean
 * TRUE if the user is allowed to access this object, FALSE otherwise.
 */
-function islandora_object_access_callback($perm, $object = NULL) {
+function islandora_object_access_callback($perms, $object = NULL) {
 module_load_include('inc', 'islandora', 'includes/utilities');
 if (!$object && !islandora_describe_repository()) {
@@ -319,7 +319,14 @@ function islandora_object_access_callback($perm, $object = NULL) {
 return FALSE;
 }
- return user_access($perm) && is_object($object) && islandora_namespace_accessible($object->id);
+ // Check to see if user has one of any of the allowable permissions
+ $has_access = FALSE;
+
+ for ($i = 0; $i < count($perms) && !$has_access; $i++) {
+ $has_access = $has_access || user_access($perms[$i]);
+ }
+
+ return $has_access && is_object($object) && islandora_namespace_accessible($object->id);
 }
 /**
From 159f64c5193d8f707efe7e126ef9eef0f76fe611 Mon Sep 17 00:00:00 2001
From: Daniel Lamb
Date: Mon, 14 Jan 2013 14:02:55 -0400
Subject: [PATCH 2/2] Reworked split FEDORA_VIEW permissions based on convo with David. Now it's FEDORA_VIEW_OBJECTS and FEDORA_MANAGE_DATASTREAMS
---
 islandora.module | 76 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 52 insertions(+), 24 deletions(-)
diff --git a/islandora.module b/islandora.module
index ad5b8dba..b649fcb0 100644
--- a/islandora.module
+++ b/islandora.module
@@ -27,7 +27,7 @@ define('DS_COMP_STREAM', 'DS-COMPOSITE-MODEL');
 // Permissions
 define('FEDORA_VIEW_OBJECTS', 'view fedora repository objects');
-define('FEDORA_VIEW_DATASTREAMS', 'view fedora repository datastreams');
+define('FEDORA_MANAGE_DATASTREAMS', 'view fedora repository datastreams');
 define('FEDORA_METADATA_EDIT', 'edit fedora metadata');
 define('FEDORA_ADD_DS', 'add fedora datastreams');
 define('FEDORA_INGEST', 'ingest fedora objects');
@@ -90,7 +90,7 @@ function islandora_menu() {
 'page arguments' => array(2),
 'type' => MENU_NORMAL_ITEM,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_VIEW_OBJECTS), 2),
+ 'access arguments' => array(FEDORA_VIEW_OBJECTS, 2),
 );
 $items['islandora/object/%islandora_object/view'] = array(
 'title' => 'View',
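Review bot: `FEDORA_MANAGE_DATASTREAMS` in the `@@ -27` hunk still carries the permission string `'view fedora repository datastreams'`, so the stored key says view while the constant, title and description (changed in the `@@ -252` hunk) say manage. Any role granted the view-datastreams permission under the previous patch silently becomes a holder of a management permission, and anyone reading the stored permission name gets the wrong idea of what it allows. Give it its own string, `define('FEDORA_MANAGE_DATASTREAMS', 'manage fedora repository datastreams');`, so existing grants are not carried over under a new meaning.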
@@ -107,8 +107,8 @@ function islandora_menu() {
 'page callback' => 'islandora_edit_object',
 'page arguments' => array(2),
 'type' => MENU_LOCAL_TASK,
- 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_VIEW_OBJECTS, FEDORA_VIEW_DATASTREAMS), 2),
+ 'access callback' => 'islandora_object_manage_access_callback',
+ 'access arguments' => array(array(FEDORA_MANAGE_DATASTREAMS, FEDORA_MANAGE_PROPERTIES, FEDORA_ADD_DS), 2),
 );
 $items['islandora/object/%islandora_object/manage/datastreams'] = array(
 'title' => 'Datastreams',
@@ -122,7 +122,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_object_properties_form', 2),
 'type' => MENU_LOCAL_TASK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_MANAGE_PROPERTIES), 2),
+ 'access arguments' => array(FEDORA_MANAGE_PROPERTIES, 2),
 'weight' => -5,
 );
 $items['islandora/object/%islandora_object/delete'] = array(
@@ -132,7 +132,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_delete_object_form', 2),
 'type' => MENU_CALLBACK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_PURGE), 2),
+ 'access arguments' => array(FEDORA_PURGE, 2),
 );
 $items['islandora/object/%islandora_object/manage/datastreams/add'] = array(
 'title' => 'Add a datastream',
@@ -141,7 +141,7 @@ function islandora_menu() {
 'page arguments' => array('islandora_add_datastream_form', 2),
 'type' => MENU_LOCAL_ACTION,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_ADD_DS), 2)
+ 'access arguments' => array(FEDORA_ADD_DS, 2)
 );
 $items['islandora/object/%islandora_object/manage/datastreams/add/autocomplete'] = array(
 'file' => 'includes/add_datastream.form.inc',
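Review bot: The Manage tab gate at `@@ -107` passes on any one of three permissions, and `FEDORA_MANAGE_DATASTREAMS` is not used as an access argument by any other route visible in this patch, so within the shown hunks its only effect is to reveal this tab. What the page exposes to a user holding just one of the three depends on `islandora_edit_object` and on the `manage/datastreams` item, whose access settings are outside the hunk; if that child is the default local task it would inherit this any-of gate. A comment above the item would record the intent, e.g. `// Any one of these permissions reveals the Manage tab; each sub-tab and action must still check its own permission.`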
@@ -149,7 +149,7 @@ function islandora_menu() {
 'page arguments' => array(2),
 'type' => MENU_CALLBACK,
 'access callback' => 'islandora_object_access_callback',
- 'access arguments' => array(array(FEDORA_ADD_DS), 2)
+ 'access arguments' => array(FEDORA_ADD_DS, 2)
 );
 $items['islandora/object/%islandora_object/datastream/%islandora_datastream'] = array(
 'title' => 'View datastream',
@@ -158,7 +158,7 @@ function islandora_menu() {
 'type' => MENU_CALLBACK,
 'file' => 'includes/datastream.inc',
 'access callback' => 'islandora_object_datastream_access_callback',
- 'access arguments' => array(FEDORA_VIEW_DATASTREAMS, 2, 4),
+ 'access arguments' => array(FEDORA_VIEW_OBJECTS, 2, 4),
 'load arguments' => array(2),
 );
 // This menu item uses token authentication in islandora_tokened_object.
@@ -174,7 +174,7 @@ function islandora_menu() {
 'type' => MENU_CALLBACK,
 'file' => 'includes/datastream.inc',
 'access callback' => 'islandora_object_datastream_access_callback',
- 'access arguments' => array(FEDORA_VIEW_DATASTREAMS, 2, 4),
+ 'access arguments' => array(FEDORA_VIEW_OBJECTS, 2, 4),
 'load arguments' => array(2),
 );
 $items['islandora/object/%islandora_object/datastream/%islandora_datastream/edit'] = array(
@@ -252,9 +252,9 @@ function islandora_permission() {
 'title' => t('View repository objects'),
 'description' => t('View objects in the repository. Note: Fedora XACML security policies may override this permission.')
 ),
- FEDORA_VIEW_DATASTREAMS => array(
- 'title' => t('View repository object datastreams'),
- 'description' => t('View datastreams of objects in the repository. Note: Fedora XACML security policies may override this permission.')
+ FEDORA_MANAGE_DATASTREAMS => array(
+ 'title' => t('Manage repository object datastreams'),
+ 'description' => t('Manage datastreams of objects in the repository. Note: Fedora XACML security policies may override this permission.')
 ),
 FEDORA_ADD_DS => array(
 'title' => t('Add datastreams to repository objects'),
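Review bot: Both datastream routes (`@@ -158` and `@@ -174`) are now gated on `FEDORA_VIEW_OBJECTS`, but that permission's description, visible as context in the `@@ -252` hunk, reads only "View objects in the repository". An administrator granting it has no indication that it also allows fetching an object's datastreams by ID through these routes. The description should say so, e.g. `'description' => t('View objects in the repository and their datastreams. Note: Fedora XACML security policies may override this permission.')`.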
@@ -302,8 +302,8 @@ function islandora_forms($form_id) {
 * @see islandora_object_load() To find potential solutions to enable
 * page not found errors.
 *
- * @param string $perms
- * Array of user permission to test for.
+ * @param string $perm
+ * User permission to test for.
 * @param FedoraObject $object
 * The object to test, if NULL given the object doesn't exist or is
 * inaccessible.
@@ -311,7 +311,7 @@ function islandora_forms($form_id) {
 * @return boolean
 * TRUE if the user is allowed to access this object, FALSE otherwise.
 */
-function islandora_object_access_callback($perms, $object = NULL) {
+function islandora_object_access_callback($perm, $object = NULL) {
 module_load_include('inc', 'islandora', 'includes/utilities');
 if (!$object && !islandora_describe_repository()) {
@@ -319,14 +319,7 @@ function islandora_object_access_callback($perms, $object = NULL) {
 return FALSE;
 }
- // Check to see if user has one of any of the allowable permissions
- $has_access = FALSE;
-
- for ($i = 0; $i < count($perms) && !$has_access; $i++) {
- $has_access = $has_access || user_access($perms[$i]);
- }
-
- return $has_access && is_object($object) && islandora_namespace_accessible($object->id);
+ return user_access($perm) && is_object($object) && islandora_namespace_accessible($object->id);
 }
 /**
@@ -356,6 +349,41 @@ function islandora_object_datastream_access_callback($perm, $object = NULL, $dat
 return user_access($perm) && is_object($object) && islandora_namespace_accessible($object->id) && is_object($datastream);
 }
+/**
+ * Checks whether the user can access the given object's manage tab
+ * with the given array of permissions.
+ *
+ * Checks for object existance, accessiblitly, namespace permissions,
+ * and user permissions
+ *
+ * @see islandora_object_load() To find potential solutions to enable
+ * page not found errors.
+ *
+ * @param array $perms
+ * Array of user permission to test for.
+ * @param FedoraObject $object
+ * The object to test, if NULL given the object doesn't exist or is
+ * inaccessible.
+ *
+ * @return boolean
+ * TRUE if the user is allowed to access this object, FALSE otherwise.
+ */
+function islandora_object_manage_access_callback($perms, $object = NULL) {
+ module_load_include('inc', 'islandora', 'includes/utilities');
+
+ if (!$object && !islandora_describe_repository()) {
+ islandora_display_repository_inaccessible_message();
+ return FALSE;
+ }
+
+ $has_access = FALSE;
+ for ($i = 0; $i < count($perms) && !$has_access; $i++) {
+ $has_access = $has_access || user_access($perms[$i]);
+ }
+
+ return $has_access && is_object($object) && islandora_namespace_accessible($object->id);
+}
+
 /**
 * Renders the given objects manage page.
 *
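Review bot: The any-of loop in `islandora_object_manage_access_callback` calls `count()` on `$perms` and indexes it numerically without checking that it is an array, so a menu item that passes a single permission string (the form `islandora_object_access_callback` takes again after this patch) is not treated as a one-element list, and an array with non-sequential keys is read at missing offsets. Casting to an array and iterating with `foreach` covers both cases and drops the redundant `$has_access ||`. The docblock also has two typos, "existance" and "accessiblitly". The fence shows the loop only; the repository check above it is unchanged.

```php
  // … unchanged: module_load_include() and the repository-inaccessible check …

  // Any one of the listed permissions is sufficient.
  $has_access = FALSE;
  foreach ((array) $perms as $perm) {
    if (user_access($perm)) {
      $has_access = TRUE;
      break;
    }
  }

  return $has_access && is_object($object) && islandora_namespace_accessible($object->id);
```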