From 3e318bdeda941f78e9ae7b78bf337f67c4475849 Mon Sep 17 00:00:00 2001
From: Brett Profitt <brett.profitt@gmail.com>
Date: Wed, 6 Jul 2011 21:08:03 -0400
Subject: Revert "Merged ACL fixes from 1.7 branch."

This reverts commit de111da23258cd2b513c8f4ab84712ee50272b23. Reverted because of problems in how 1.8 populates the access dropdown.
---
 actions/friends/collections/add.php    |  38 ++++----
 actions/friends/collections/delete.php |  34 ++++---
 actions/friends/collections/edit.php   |  20 ++--
 engine/lib/access.php                  | 167 +++++++++++++++------------------
 languages/en.php                       |   2 -
 5 files changed, 126 insertions(+), 135 deletions(-)

diff --git a/actions/friends/collections/add.php b/actions/friends/collections/add.php
index 8383e4db2..8ec6a085f 100644
--- a/actions/friends/collections/add.php
+++ b/actions/friends/collections/add.php
@@ -2,31 +2,35 @@
 /**
  * Elgg collection add page
  *
- * @package Elgg
- * @subpackage Core
+ * @package Elgg.Core
+ * @subpackage Friends.Collections
  */
 
 $collection_name = get_input('collection_name');
 $friends = get_input('friends_collection');
 
-if (!$collection_name) {
-	register_error(elgg_echo("friends:nocollectionname"));
-	forward(REFERER);
-}
+//first check to make sure that a collection name has been set and create the new colection
+if ($collection_name) {
 
-$id = create_access_collection($collection_name);
+	//create the collection
+	$create_collection = create_access_collection($collection_name, elgg_get_logged_in_user_guid());
 
-if ($id) {
-	$result = update_access_collection($id, $friends);
-	if ($result) {
-		system_message(elgg_echo("friends:collectionadded"));
-		// go to the collections page
-		forward("pg/collections/" . get_loggedin_user()->username);
-	} else {
-		register_error(elgg_echo("friends:nocollectionname"));
-		forward(REFERER);
+	//if the collection was created and the user passed some friends from the form, add them
+	if ($create_collection && (!empty($friends))) {
+		//add friends to the collection
+		foreach ($friends as $friend) {
+			add_user_to_access_collection($friend, $create_collection);
+		}
 	}
+
+	// Success message
+	system_message(elgg_echo("friends:collectionadded"));
+	// Forward to the collections page
+	forward("collections/" . elgg_get_logged_in_user_entity()->username);
+
 } else {
 	register_error(elgg_echo("friends:nocollectionname"));
-	forward(REFERER);
+
+	// Forward to the add collection page
+	forward("collections/add");
 }
diff --git a/actions/friends/collections/delete.php b/actions/friends/collections/delete.php
index 5b0aa8e10..fe719d74b 100644
--- a/actions/friends/collections/delete.php
+++ b/actions/friends/collections/delete.php
@@ -1,24 +1,36 @@
 <?php
-
 /**
  * Elgg friends: delete collection action
  *
- * @package Elgg
- * @subpackage Core
+ * @package Elgg.Core
+ * @subpackage Friends.Collections
  */
 
 $collection_id = (int) get_input('collection');
 
-// check the ACL exists and we can edit
-if (!can_edit_access_collection($collection_id)) {
-	register_error(elgg_echo("friends:collectiondeletefailed"));
-	forward(REFERER);
-}
+// Check to see that the access collection exist and grab its owner
+$get_collection = get_access_collection($collection_id);
+
+if ($get_collection) {
+
+	if ($get_collection->owner_guid == elgg_get_logged_in_user_guid()) {
+
+		$delete_collection = delete_access_collection($collection_id);
 
-if (delete_access_collection($collection_id)) {
-	system_message(elgg_echo("friends:collectiondeleted"));
+		// Success message
+		if ($delete_collection) {
+			system_message(elgg_echo("friends:collectiondeleted"));
+		} else {
+			register_error(elgg_echo("friends:collectiondeletefailed"));
+		}
+	} else {
+		// Failure message
+		register_error(elgg_echo("friends:collectiondeletefailed"));
+	}
 } else {
+	// Failure message
 	register_error(elgg_echo("friends:collectiondeletefailed"));
 }
 
-forward(REFERER);
+// Forward to the collections page
+forward("collections/" . elgg_get_logged_in_user_entity()->username);
diff --git a/actions/friends/collections/edit.php b/actions/friends/collections/edit.php
index 581b21353..b7fb716f2 100644
--- a/actions/friends/collections/edit.php
+++ b/actions/friends/collections/edit.php
@@ -1,23 +1,15 @@
 <?php
 /**
- * Elgg collection add page
+ * Friends collection edit action
  *
- * @package Elgg
- * @subpackage Core
+ * @package Elgg.Core
+ * @subpackage Friends.Collections
  */
 
 $collection_id = get_input('collection_id');
 $friends = get_input('friend');
 
-// check it exists and we can edit
-if (!can_edit_access_collection($collection_id)) {
-	system_message(elgg_echo('friends:collection:edit_failed'));
-}
+//chech the collection exists and the current user owners it
+update_access_collection($collection_id, $friends);
 
-if (update_access_collection($collection_id, $friends)) {
-	system_message(elgg_echo('friends:collections:edited'));
-} else {
-	system_message(elgg_echo('friends:collection:edit_failed'));
-}
-
-forward(REFERER);
\ No newline at end of file
+exit;
diff --git a/engine/lib/access.php b/engine/lib/access.php
index 855d0d53c..cde3d256f 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -411,43 +411,7 @@ function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) {
 }
 
 /**
- * Can the user write to the access collection?
- *
- * Hook into the access:collections:write, user to change this.
- *
- * Respects access control disabling for admin users and {@see elgg_set_ignore_access()}
- *
- * @see get_write_access_array()
- * 
- * @param int   $collection_id The collection id
- * @param mixed $user_guid     The user GUID to check for. Defaults to logged in user.
- * @return bool
- */
-function can_edit_access_collection($collection_id, $user_guid = null) {
-	if ($user_guid) {
-		$user = get_entity((int) $user_guid);
-	} else {
-		$user = get_loggedin_user();
-	}
-
-	$collection = get_access_collection($collection_id);
-
-	if (!($user instanceof ElggUser) || !$collection) {
-		return false;
-	}
-
-	$write_access = get_write_access_array($user->getGUID(), null, true);
-
-	// don't ignore access when checking users.
-	if ($user_guid) {
-		return array_key_exists($collection_id, $write_access);
-	} else {
-		return elgg_get_ignore_access() || array_key_exists($collection_id, $write_access);
-	}
-}
-
-/**
- * Creates a new access control collection owned by the specified user.
+ * Creates a new access collection.
  *
  * Access colletions allow plugins and users to create granular access
  * for entities.
@@ -484,7 +448,6 @@ function create_access_collection($name, $owner_guid = 0, $site_guid = 0) {
 		SET name = '{$name}',
 			owner_guid = {$owner_guid},
 			site_guid = {$site_guid}";
-
 	if (!$id = insert_data($q)) {
 		return false;
 	}
@@ -520,31 +483,37 @@ function create_access_collection($name, $owner_guid = 0, $site_guid = 0) {
 function update_access_collection($collection_id, $members) {
 	global $CONFIG;
 
-	$acl = get_access_collection($collection_id);
+	$collection_id = (int) $collection_id;
+	$members = (is_array($members)) ? $members : array();
 
-	if (!$acl) {
-		return false;
-	}
+	$collections = get_write_access_array();
 
-	$members = (is_array($members)) ? $members : array();
+	if (array_key_exists($collection_id, $collections)) {
+		$cur_members = get_members_of_access_collection($collection_id, true);
+		$cur_members = (is_array($cur_members)) ? $cur_members : array();
 
-	$cur_members = get_members_of_access_collection($collection_id, true);
-	$cur_members = (is_array($cur_members)) ? $cur_members : array();
+		$remove_members = array_diff($cur_members, $members);
+		$add_members = array_diff($members, $cur_members);
 
-	$remove_members = array_diff($cur_members, $members);
-	$add_members = array_diff($members, $cur_members);
+		$params = array(
+			'collection_id' => $collection_id,
+			'members' => $members,
+			'add_members' => $add_members,
+			'remove_members' => $remove_members
+		);
 
-	$result = true;
+		foreach ($add_members as $guid) {
+			add_user_to_access_collection($guid, $collection_id);
+		}
 
-	foreach ($add_members as $guid) {
-		$result = $result && add_user_to_access_collection($guid, $collection_id);
-	}
+		foreach ($remove_members as $guid) {
+			remove_user_from_access_collection($guid, $collection_id);
+		}
 
-	foreach ($remove_members as $guid) {
-		$result = $result && remove_user_from_access_collection($guid, $collection_id);
+		return true;
 	}
 
-	return $result;
+	return false;
 }
 
 /**
@@ -558,25 +527,27 @@ function update_access_collection($collection_id, $members) {
  * @see update_access_collection()
  */
 function delete_access_collection($collection_id) {
-	global $CONFIG;
-	
 	$collection_id = (int) $collection_id;
+	$collections = get_write_access_array(null, null, TRUE);
 	$params = array('collection_id' => $collection_id);
 
 	if (!elgg_trigger_plugin_hook('access:collections:deletecollection', 'collection', $params, true)) {
 		return false;
 	}
 
-	// Deleting membership doesn't affect result of deleting ACL.
-	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
-		WHERE access_collection_id = {$collection_id}";
-	delete_data($q);
+	if (array_key_exists($collection_id, $collections)) {
+		global $CONFIG;
+		$query = "delete from {$CONFIG->dbprefix}access_collection_membership"
+			. " where access_collection_id = {$collection_id}";
+		delete_data($query);
 
-	$q = "DELETE FROM {$CONFIG->dbprefix}access_collections
-		WHERE id = {$collection_id}";
-	$result = delete_data($q);
+		$query = "delete from {$CONFIG->dbprefix}access_collections where id = {$collection_id}";
+		delete_data($query);
+		return true;
+	} else {
+		return false;
+	}
 
-	return $result;
 }
 
 /**
@@ -613,33 +584,45 @@ function get_access_collection($collection_id) {
  * @see remove_user_from_access_collection()
  */
 function add_user_to_access_collection($user_guid, $collection_id) {
-	global $CONFIG;
-
 	$collection_id = (int) $collection_id;
 	$user_guid = (int) $user_guid;
-	$user = get_user($user_guid);
+	$collections = get_write_access_array();
 
-	$collection = get_access_collection($collection_id);
+	if (!($collection = get_access_collection($collection_id))) {
+		return false;
+	}
 
-	if (!($user instanceof Elgguser) || !$collection) {
+	$user = get_user($user_guid);
+	if (!$user) {
 		return false;
 	}
 
+	// to add someone to a collection, the user must be a member of the collection or
+	// no one must own it
+	if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0)) {
+		$result = true;
+	} else {
+		$result = false;
+	}
+	
 	$params = array(
 		'collection_id' => $collection_id,
+		'collection' => $collection,
 		'user_guid' => $user_guid
 	);
 
-	if (!elgg_trigger_plugin_hook('access:collections:add_user', 'collection', $params, true)) {
+	$result = elgg_trigger_plugin_hook('access:collections:add_user', 'collection', $params, $result);
+	if ($result == false) {
 		return false;
 	}
 
 	try {
-		$q = "INSERT INTO {$CONFIG->dbprefix}access_collection_membership
-			SET access_collection_id = {$collection_id},
-				user_guid = {$user_guid}";
-		insert_data($q);
+		global $CONFIG;
+		$query = "insert into {$CONFIG->dbprefix}access_collection_membership"
+				. " set access_collection_id = {$collection_id}, user_guid = {$user_guid}";
+		insert_data($query);
 	} catch (DatabaseException $e) {
+		// nothing.
 		return false;
 	}
 
@@ -657,32 +640,34 @@ function add_user_to_access_collection($user_guid, $collection_id) {
  * @return true|false Depending on success
  */
 function remove_user_from_access_collection($user_guid, $collection_id) {
-	global $CONFIG;
-
 	$collection_id = (int) $collection_id;
 	$user_guid = (int) $user_guid;
-	$user = get_user($user_guid);
+	$collections = get_write_access_array();
+	$user = $user = get_user($user_guid);
 
-	$collection = get_access_collection($collection_id);
-
-	if (!($user instanceof Elgguser) || !$collection) {
+	if (!($collection = get_access_collection($collection_id))) {
 		return false;
 	}
 
-	$params = array(
-		'collection_id' => $collection_id,
-		'user_guid' => $user_guid
-	);
+	if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0) && $user) {
+		global $CONFIG;
+		$params = array(
+			'collection_id' => $collection_id,
+			'user_guid' => $user_guid
+		);
 
-	if (!elgg_trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) {
-		return false;
-	}
+		if (!elgg_trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) {
+			return false;
+		}
 
-	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
-		WHERE access_collection_id = {$collection_id}
-			AND user_guid = {$user_guid}";
+		delete_data("delete from {$CONFIG->dbprefix}access_collection_membership "
+			. "where access_collection_id = {$collection_id} and user_guid = {$user_guid}");
+
+		return true;
 
-	return delete_data($q);
+	}
+
+	return false;
 }
 
 /**
diff --git a/languages/en.php b/languages/en.php
index b525a2043..c30a1bdd8 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -343,8 +343,6 @@ $english = array(
 	'friends:nocollectionname' => "You need to give your collection a name before it can be created.",
 	'friends:collections:members' => "Collection members",
 	'friends:collections:edit' => "Edit collection",
-	'friends:collections:edited' => "Saved collection",
-	'friends:collection:edit_failed' => 'Could not save collection.',
 
 	'friendspicker:chararray' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
 
-- 
cgit v1.2.3