Index: trunk/core/units/general/helpers/permissions_helper.php
===================================================================
diff -u -N -r8363 -r8369
--- trunk/core/units/general/helpers/permissions_helper.php (.../permissions_helper.php) (revision 8363)
+++ trunk/core/units/general/helpers/permissions_helper.php (.../permissions_helper.php) (revision 8369)
@@ -163,16 +163,13 @@
 $owner_id = $item_info['CreatedById'];
 }
- $item_prefix = $this->Application->getUnitOption($top_prefix, 'PermItemPrefix');
-
+ // specific permission check for pending & owner permissions: begin
 if (substr($event->Name, 0, 9) == 'OnPreSave' || $event->Name == 'OnCreate' || $event->Name == 'OnUpdate') {
 if ($event_handler->isNewItemCreate($event)) {
- $check_status = $this->CheckPermission($item_prefix.'.ADD', 0, $category_id) ||
- $this->CheckPermission($item_prefix.'.ADD.PENDING', 0, $category_id);
+ $check_status = $this->AddCheckPermission($category_id, $top_prefix);
 }
 else {
- $check_status = $this->CheckPermission($item_prefix.'.ADD', 0, $category_id) ||
- $this->CheckPermission($item_prefix.'.ADD.PENDING', 0, $category_id) ||
+ $check_status = $this->AddCheckPermission($category_id, $top_prefix) ||
 $this->ModifyCheckPermission($owner_id, $category_id, $top_prefix);
 }
@@ -182,6 +179,16 @@
 return $check_status;
 }
+ if ($event->Name == 'OnMassDelete') {
+ $check_status = $this->DeleteCheckPermission($owner_id, $category_id, $top_prefix);
+ if (!$check_status) {
+ $event->status = erPERM_FAIL;
+ }
+ return $check_status;
+ }
+ // specific permission check for pending & owner permissions: end
+
+ $perm_status = false;
 $check_perms = $this->getPermissionByEvent($event, $event_perm_mapping);
@@ -190,6 +197,7 @@
 return true;
 }
+ $item_prefix = $this->Application->getUnitOption($top_prefix, 'PermItemPrefix');
 foreach ($check_perms as $perm_name) {
 // check if at least one of required permissions is set
 if (!isset($perm_mapping[$perm_name])) {
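Review bot: The two new `$check_status = $this->AddCheckPermission($category_id, $top_prefix)` lines change the permission-type argument that reaches CheckPermission: the removed inline checks passed `0` as the second argument, while AddCheckPermission (visible in the last hunk of this diff) passes `ptCATEGORY`. If `ptCATEGORY` is not defined as 0, this refactor silently alters which permission type is consulted for ADD/ADD.PENDING on create and update, so either confirm the constant's value or note the intentional change in a comment next to the calls. The enclosing method starts before this hunk, and the `$owner_id`/`$category_id` the calls rely on are assigned outside the visible lines.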
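Review bot: The new `OnMassDelete` branch authorizes the whole operation from a single `$owner_id` and `$category_id`, which the context above derives from one `$item_info['CreatedById']`, yet a mass delete acts on a list of ids. If those two values describe only one of the selected items, a user holding just `OWNER.DELETE` passes this check for every item in the selection as long as that one item is theirs, which is an ownership check that has to be evaluated per item. Unless the delete handler re-runs this check for each id (not visible here), either loop over the selected ids and call `DeleteCheckPermission` with each item's own owner and category, or let this fast path grant only full `DELETE` and leave the `OWNER.DELETE` decision to a per-item check in the handler. The enclosing method begins before this hunk and continues after it.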
@@ -239,7 +247,7 @@
 $permission_groups = explode('|', $permission_groups);
 $group_has_permission = false;
- $perm_category = $this->Application->GetVar('m_cat_id');
+ $perm_category = isset($params['cat_id']) ? $params['cat_id'] : $this->Application->GetVar('m_cat_id');
 if ($perm_prefix) {
 // use primary category of item with id from {perm_prefix}_id as base for permission checking
@@ -471,6 +479,34 @@
 }
 /**
+ * Allows to check DELETE & OWNER.DELETE permission combinations on item
+ *
+ * @param int $owner_id user_id, that is owner of the item
+ * @param int $category_id primary category of item
+ * @param string $prefix prefix of item
+ * @return int {0 - no DELETE permission, 1 - has DELETE/OWNER.DELETE permission}
+ */
+ function DeleteCheckPermission($owner_id, $category_id, $prefix)
+ {
+ $perm_prefix = $this->Application->getUnitOption($prefix, 'PermItemPrefix');
+
+ $live_delete = $this->CheckPermission($perm_prefix.'.DELETE', ptCATEGORY, $category_id);
+ if ($live_delete) {
+ return 1;
+ }
+
+ if ($owner_id == $this->Application->RecallVar('user_id')) {
+ // user is item's OWNER -> check this permissions first
+ $live_delete = $this->CheckPermission($perm_prefix.'.OWNER.DELETE', ptCATEGORY, $category_id);
+ if ($live_delete) {
+ return 1;
+ }
+ }
+
+ return 0;
+ }
+
+ /**
 * Allows to check ADD +/- PENDING permission combinations on item
 *
 * @param int $category_id primary category of item
@@ -481,8 +517,8 @@
 {
 $perm_prefix = $this->Application->getUnitOption($prefix, 'PermItemPrefix');
- $live_modify = $this->CheckPermission($perm_prefix.'.ADD', ptCATEGORY, $category_id);
- if ($live_modify) {
+ $live_add = $this->CheckPermission($perm_prefix.'.ADD', ptCATEGORY, $category_id);
+ if ($live_add) {
 return 1;
 }
 else if ($this->CheckPermission($perm_prefix.'.ADD.PENDING', ptCATEGORY, $category_id)) {
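Review bot: The new `$perm_category` line takes `cat_id` from `$params` and uses it as-is, with no type normalization, and the value presumably feeds the permission lookup further down (the query itself is outside the hunk). Cast it before use, `$perm_category = isset($params['cat_id']) ? (int)$params['cat_id'] : $this->Application->GetVar('m_cat_id');`, so a non-numeric or crafted value cannot reach the lookup. If `$params` can carry template- or request-supplied values, also confirm that a caller cannot redirect the check to a category where it has broader rights than in the item's real category. The enclosing function begins and ends outside this hunk.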
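Review bot: In the new DeleteCheckPermission the owner test `if ($owner_id == $this->Application->RecallVar('user_id'))` relies on loose comparison between a value taken from the item record and a session variable, and it accepts a zero or empty owner: under PHP's `==`, `null == 0` is true, and before PHP 8 so are `0 == ''` and `0 == 'any-string'`, so an item with no `CreatedById` could match an anonymous or missing `user_id` and be granted `OWNER.DELETE`. Compare as integers and require a positive owner, `if ($owner_id > 0 && (int)$owner_id === (int)$this->Application->RecallVar('user_id')) {`. The comment `// user is item's OWNER -> check this permissions first` is also inaccurate because `.DELETE` has already been checked above it; suggest `// caller owns the item -> fall back to OWNER.DELETE`. How `user_id` is represented for guests is not visible here, so confirm that before relying solely on the positive-id guard.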