From: Jan Schneider Date: Wed, 8 Dec 2010 18:14:50 +0000 (+0100) Subject: Fix permission checking. X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=5a7efa5185cea1b9696ca122dc70bd02caa0135e;p=horde.git Fix permission checking. --- diff --git a/vilma/domains/index.php b/vilma/domains/index.php index 4656cdde1..5391d1324 100644 --- a/vilma/domains/index.php +++ b/vilma/domains/index.php @@ -12,8 +12,8 @@ require_once dirname(__FILE__) . '/../lib/Application.php'; $vilma = Horde_Registry::appInit('vilma'); /* Only admin should be using this. */ -if (!Vilma::hasPermission($domain)) { - $registry->authenticateFailure('vilma', $e); +if (!Vilma::hasPermission()) { + $registry->authenticateFailure('vilma'); } // Having a current domain doesn't make sense on this page diff --git a/vilma/lib/Vilma.php b/vilma/lib/Vilma.php index 2ee06ab33..f824e3346 100644 --- a/vilma/lib/Vilma.php +++ b/vilma/lib/Vilma.php 
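Review bot: The guard in vilma/domains/index.php now calls `Vilma::hasPermission()` with no arguments, so with the defaults visible in lib/Vilma.php it passes for any user holding `vilma:domains` at `SHOW | READ`, not only for admins as the comment above it says. If read-level holders are meant to reach this page, the comment should say so, e.g. `/* Only Horde admins and users with the vilma:domains permission may use this. */`; if they are not, the call should pass an explicit `$permmask`. The guard also depends on `authenticateFailure()` not returning, which is not visible in this hunk; if it can return, the rest of the page would run for a rejected user.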
@@ -9,41 +9,40 @@ * @author David Cummings * @package Vilma */ -class Vilma { - +class Vilma +{ /** - * Check whether the current user has administrative permissions over - * the requested domain at the given permissions level. - * Also checks to see if the user is a Vilma superadmin. - * If the user is a Horde admin they automatically have permission. + * Check whether the current user has administrative permissions over the + * requested domain at the given permissions level. + * + * Also checks to see if the user is a Vilma superadmin. If the user is a + * Horde admin they automatically have permission. * - * @param string $domain Domain for which to check permissions - * @param int $permmask Permissions that must be set for the user + * @param string $domain Domain for which to check permissions. + * @param integer $permmask Permissions that must be set for the user. * - * @return boolean True if the user has the requested permission + * @return boolean True if the user has the requested permission. */ - function hasPermission($domain, $permmask = null) + public function hasPermission($domain = null, $permmask = null) { - // FIXME Should this really be the case? Superadmin is more granular if ($GLOBALS['registry']->isAdmin()) { return true; } - if ($permmask === null) { - $permmask = Horde_Perms::SHOW|Horde_Perms::READ; + if (is_null($permmask)) { + $permmask = Horde_Perms::SHOW | Horde_Perms::READ; } - - # Default deny all permissions - $user = 0; - $superadmin = 0; - $perms = $GLOBALS['injector']->getInstance('Horde_Perms'); - $superadmin = $perms->hasPermission('vilma:domains', - $GLOBALS['registry']->getAuth(), $permmask); - $user = $perms->hasPermission($permname, $GLOBALS['registry']->getAuth(), $permmask); + if ($perms->hasPermission('vilma:domains', $GLOBALS['registry']->getAuth(), $permmask)) { + return true; + } + if ($domain && + $perms->hasPermission('vilma:domains:' . 
$domain, $GLOBALS['registry']->getAuth(), $permmask)) { + return true; + } - return ($superadmin | $user); + return false; } function getUserMgrTypes()
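Review bot: `hasPermission()` is declared as an instance method in lib/Vilma.php, but the index.php hunk of this same commit calls it as `Vilma::hasPermission()`; the body never uses `$this`, so the declaration should read `public static function hasPermission($domain = null, $permmask = null)`. A static call to a non-static method raises an E_STRICT notice on PHP 5 and throws an Error on PHP 8, which would break the access check itself. The docblock should also state that a null `$domain` limits the check to the Horde admin test and the `vilma:domains` permission. Because `$domain` is concatenated into the permission name in `'vilma:domains:' . $domain`, callers should pass only a validated domain name; where `$domain` comes from is not visible in this hunk.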