Modified permissions from controller:action to prefix/controller/action.

Had to move welcome to the acf-util prefix.
Changed format of roles files: old ACF format will still work, but authenticator format won't.

14 files changed, 107 insertions, 137 deletions

diff --git a/app/Makefile b/app/Makefile
index ba4258a..4c5a7aa 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -18,13 +18,13 @@ APP_DIST= \
 	acf-util/password-model.lua \
 	acf-util/password-status-html.lsp \
 	acf-util/password.menu \
+	acf-util/welcome-controller.lua\
+	acf-util/welcome-html.lsp\
 	acf_www-controller.lua\
 	acf_cli-controller.lua\
 	menuhints.menu\
 	template-html.lsp\
 	template-stream.lsp\
-	welcome-controller.lua\
-	welcome-html.lsp\
 	dispatcherror-html.lsp\
 	exception-html.lsp\
 	status-html.lsp\
diff --git a/app/acf-util/acf-util.roles b/app/acf-util/acf-util.roles
index b31297c..7433fcc 100644
--- a/app/acf-util/acf-util.roles
+++ b/app/acf-util/acf-util.roles
@@ -1,4 +1,4 @@
-GUEST=logon:logon,logon:logout,logon:status,welcome:read
-USER=password:editme,roles:read
+GUEST=logon/logon,logon/logout,logon/status,welcome/read
+USER=password/editme,roles/read
 EXPERT=
-ADMIN=logon:logon,logon:logout,logon:status,password:editme,password:status,password:edituser,password:newuser,password:deleteuser,roles:read,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole,welcome:read,password:status,password:edituser,password:newuser,password:deleteuser,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole
+ADMIN=logon/logon,logon/logout,logon/status,password/editme,password/status,password/edituser,password/newuser,password/deleteuser,roles/read,roles/getpermslist,roles/viewuserroles,roles/viewroleperms,roles/viewroles,roles/editrole,roles/deleterole,roles/newrole,welcome/read,password/status,password/edituser,password/newuser,password/deleteuser,roles/getpermslist,roles/viewuserroles,roles/viewroleperms,roles/viewroles,roles/editrole,roles/deleterole,roles/newrole
diff --git a/app/acf-util/logon-controller.lua b/app/acf-util/logon-controller.lua
index d71d257..f1fa93d 100644
--- a/app/acf-util/logon-controller.lua
+++ b/app/acf-util/logon-controller.lua
@@ -9,17 +9,17 @@ logon = function(self)
 	-- If there are no users defined, add privileges and dispatch password/newuser
 	local users = self.model:list_users()
 	if #users.value == 0 then
-		self.sessiondata.permissions.password = {}
-		self.sessiondata.permissions.password.newuser = {"temp"}
+		self.sessiondata.permissions[self.conf.prefix].password = {}
+		self.sessiondata.permissions[self.conf.prefix].password.newuser = {"temp"}
 		self:dispatch(self.conf.prefix, "password", "newuser")
-		self.sessiondata.permissions.password = nil
+		self.sessiondata.permissions[self.conf.prefix].password = nil
 		self.conf.suppress_view = true
 		return
 	end
 
 	local userid = cfe({ value=clientdata.userid or "", label="User ID" })
 	local password = cfe({ label="Password" })
-	local redir = cfe({ value=clientdata.redir or "/welcome/read", label="" })
+	local redir = cfe({ value=clientdata.redir or "welcome/read", label="" })
 	local cmdresult = cfe({ type="form", value={userid=userid, password=password, redir=redir}, label="Logon", option="Logon" })
 	if clientdata.Logon then
 		local logonredirect = self.sessiondata.logonredirect
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index cec9af0..5d1582f 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -1,10 +1,6 @@
 <% local form, viewtable, page_info = ... %> 
 <% require("viewfunctions") %>
 
-<% --[[
-	io.write(html.cfe_unpack(form))
---]] %>
-
 <H1><%= html.html_escape(form.label) %></H1>
 <%
 	displayformstart(form, page_info)
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 090421f..32000af 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -1,9 +1,5 @@
 <% local view= ... %> 
-<% --[[
-	io.write(html.cfe_unpack(view))
---]] %>
 
-<% ---[[ %>
 <% if view.value.userid then %>
 	<H1>Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:</H1>
 <% elseif view.value.role then %>
@@ -20,9 +16,7 @@
 	end %>
 	</DL>
 <% end %>
-<% --]] %>
 
-<% ---[[ %>
 <% if view.value.permissions then %>
 	<% if view.value.userid then %>
 		<H2><%= html.html_escape(view.value.userid.value) %>'s full permissions are</H2>
@@ -30,29 +24,36 @@
 		<H2><%= html.html_escape(view.value.role.value) %>'s full permissions are</H2>
 	<% end %>
 	<DL>
-	<% local controllers = {}
-	   -- It's nice to have it in alphabetical order
-	   for cont in pairs(view.value.permissions.value) do
-		controllers[#controllers + 1] = cont
-	   end
-	   table.sort(controllers)
-	   io.write("<TABLE>")
-	   io.write("<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD>")
-	   for x,cont in ipairs(controllers) do
-		print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")
-		-- Again, alphabetical order
-		local actions = {}
-		for act in pairs(view.value.permissions.value[cont]) do
-			actions[#actions + 1] = act
+	<TABLE>
+		<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD></TR>
+		<% local prefixes = {}
+		-- It's nice to have it in alphabetical order
+		for pref in pairs(view.value.permissions.value) do
+			prefixes[#prefixes + 1] = pref
 		end
-		table.sort(actions)
-		for y,act in pairs(actions) do
-			print((html.html_escape(act)))
+		table.sort(prefixes)
+		for w,pref in ipairs(prefixes) do
+			local controllers = {}
+			-- Again, alphabetical order
+			for cont in pairs(view.value.permissions.value[pref]) do
+				controllers[#controllers + 1] = cont
+			end
+			table.sort(controllers)
+			for x,cont in ipairs(controllers) do
+				print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(pref..cont),"</TD><TD>")
+				-- Again, alphabetical order
+				local actions = {}
+				for act in pairs(view.value.permissions.value[pref][cont]) do
+					actions[#actions + 1] = act
+				end
+				table.sort(actions)
+				for y,act in pairs(actions) do
+					print((html.html_escape(act)))
+				end
+				io.write("<TD></TR>")
+			end
 		end
-		io.write("<TD></TR>")
-	    end
-	    io.write("</TABLE>")
-	    %>
+		%>
+	</TABLE>
 	</DL>
 <% end %>
-<% --]] %>
diff --git a/app/acf-util/roles-model.lua b/app/acf-util/roles-model.lua
index 79c1b14..6b12dd9 100644
--- a/app/acf-util/roles-model.lua
+++ b/app/acf-util/roles-model.lua
@@ -11,19 +11,22 @@ local get_all_permissions = function(self)
 	local table_perm = {}
 	local array_perm = {}
 	for a,b in pairs(controllers) do
-		if nil == table_perm[b.sname] then
-			table_perm[b.sname] = {}
+		if nil == table_perm[b.prefix] then
+			table_perm[b.prefix] = {}
+		end
+		if nil == table_perm[b.prefix][b.sname] then
+			table_perm[b.prefix][b.sname] = {}
 		end
 		local temp = roles.get_controllers_func(self,b)
 		for x,y in ipairs(temp) do
-			table_perm[b.sname][y] = {}
-			array_perm[#array_perm + 1] = b.sname .. ":" .. y
+			table_perm[b.prefix][b.sname][y] = {}
+			array_perm[#array_perm + 1] = b.prefix .. b.sname .. "/" .. y
 		end
 		temp = roles.get_controllers_view(self,b)
 		for x,y in ipairs(temp) do
-			if not table_perm[b.sname][y] then
-				table_perm[b.sname][y] = {}
-				array_perm[#array_perm + 1] = b.sname .. ":" .. y
+			if not table_perm[b.prefix][b.sname][y] then
+				table_perm[b.prefix][b.sname][y] = {}
+				array_perm[#array_perm + 1] = b.prefix .. b.sname .. "/" .. y
 			end
 		end
 	end
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 3e818fb..68aac01 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -16,24 +16,26 @@
 
 <H2>Existing roles</H2>
 <DL>
+<TABLE>
 <% if view.value.default_roles then %>
 	<% for x,role in pairs(view.value.default_roles.value) do %>
-		<dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
+		<TR><TD><dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
 		<dd>
 		[<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
 		[<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
-		</dd>
+		</dd></TD></TR>
 	<% end %>
 <% end %>
 <% if view.value.defined_roles then %>
 	<% table.sort(view.value.defined_roles.value) %>
 	<% for x,role in pairs(view.value.defined_roles.value) do %>
-		<dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
+		<TR><TD><dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
 		<dd>
 		[<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
 		[<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
 		[<a href='deleterole?role=<%= html.html_escape(role) %>'>Delete this role</a>]
-		</dd>
+		</dd></TD></TR>
 	<% end %>
 <% end %>
+</TABLE>
 </DL>
diff --git a/app/welcome-controller.lua b/app/acf-util/welcome-controller.lua
index 77735ec..77735ec 100644
--- a/app/welcome-controller.lua
+++ b/app/acf-util/welcome-controller.lua
diff --git a/app/welcome-html.lsp b/app/acf-util/welcome-html.lsp
index 88bc934..88bc934 100644
--- a/app/welcome-html.lsp
+++ b/app/acf-util/welcome-html.lsp
diff --git a/app/acf_cli-controller.lua b/app/acf_cli-controller.lua
index e3f160d..d2b57e2 100644
--- a/app/acf_cli-controller.lua
+++ b/app/acf_cli-controller.lua
@@ -9,6 +9,7 @@ mvc.on_load = function (self, parent)
 	self.conf.libdir = self.conf.libdir or ( self.conf.appdir .. "/lib/" )
 	self.conf.sessiondir = self.conf.sessiondir or "/tmp/"
 	self.conf.script = ""
+	self.conf.default_prefix = "/acf-util/"	
 	self.conf.default_controller = "welcome"	
 
 	parent_exception_handler = parent.exception_handler
diff --git a/app/acf_www-controller.lua b/app/acf_www-controller.lua
index e71ba4f..12a7a43 100644
--- a/app/acf_www-controller.lua
+++ b/app/acf_www-controller.lua
@@ -34,12 +34,12 @@ local function build_menus(self)
 		local cat = cats[x]
 		for y = #cat.groups,1,-1 do
 			local group = cat.groups[y]
-			if nil == permissions[group.controller] then
+			if nil == permissions[group.prefix] or nil == permissions[group.prefix][group.controller] then
 				table.remove(cat.groups, y)
 			else
 				for z = #group.tabs,1,-1 do
 					local tab = group.tabs[z]
-					if nil == permissions[group.controller][tab.action] then
+					if nil == permissions[group.prefix][group.controller][tab.action] then
 						table.remove(group.tabs, z)
 					end
 				end
@@ -59,12 +59,12 @@ local function build_menus(self)
 	self.sessiondata.menu.timestamp = {tab="Menu_created: " .. os.date(),action="Menu_created: " .. os.date(),}
 end
 
-local check_permission = function(self, controller, action)
-	--logevent("Trying " .. (controller or "nil") .. ":" .. (action or "nil"))
+local check_permission = function(self, prefix, controller, action)
+	--logevent("Trying "..(prefix or "/")..(controller or "nil").."/"..(action or "nil"))
 	if nil == self.sessiondata.permissions then return false end
-	if controller then
-		if nil == self.sessiondata.permissions[controller] then return false end
-		if action and nil == self.sessiondata.permissions[controller][action] then return false end
+	if prefix and controller then
+		if nil == self.sessiondata.permissions[prefix] or nil == self.sessiondata.permissions[prefix][controller] then return false end
+		if action and nil == self.sessiondata.permissions[prefix][controller][action] then return false end
 	end
 	return true
 end
@@ -77,7 +77,7 @@ local check_permission_string = function (self, str)
 	if "" == action then
 		action = rawget(self.worker, "default_action") or ""
 	end
-	return check_permission(self, controller, action)
+	return check_permission(self, prefix, controller, action)
 end
 
 -- look for a template
@@ -231,7 +231,7 @@ mvc.on_load = function (self, parent)
 	self.conf.libdir = self.conf.libdir or ( self.conf.appdir .. "/lib/" )
 	self.conf.sessiondir = self.conf.sessiondir or "/tmp/"
 	self.conf.script = ENV.SCRIPT_NAME
-	self.conf.default_prefix = "/"
+	self.conf.default_prefix = "/acf-util/"
 	self.conf.default_controller = self.conf.default_controller or "welcome"
 	self.clientdata = FORM
 	self.conf.clientip = ENV.REMOTE_ADDR
@@ -394,7 +394,7 @@ dispatch = function (self, userprefix, userctlr, useraction)
 	end
 	if "" ~= self.conf.controller then
 		-- We now know the controller / action combo, check if we're allowed to do it
-		local perm = check_permission(self, self.conf.controller)
+		local perm = check_permission(self, self.conf.prefix, self.conf.controller)
 		local worker_loaded = false
 
 		if perm then
@@ -404,7 +404,7 @@ dispatch = function (self, userprefix, userctlr, useraction)
 			local default_action = rawget(controller.worker, "default_action") or ""
 			if self.conf.action == "" then self.conf.action = default_action end
 			if "" ~= self.conf.action then
-				local perm = check_permission(controller, self.conf.controller, self.conf.action)
+				local perm = check_permission(controller, self.conf.prefix, self.conf.controller, self.conf.action)
 				-- Because of the inheritance, normally the 
 				-- controller.worker.action will flow up, so that all children have
 				-- actions of all parents.  We use rawget to make sure that only
@@ -428,7 +428,7 @@ dispatch = function (self, userprefix, userctlr, useraction)
 	-- If the controller or action are missing, display an error view
 	if nil == controller then
 		-- If we have a view w/o an action, just display the view (passing in the clientdata)
-		if (not self.conf.suppress_view) and has_view(self) and check_permission(self, self.conf.controller, self.conf.action) then
+		if (not self.conf.suppress_view) and has_view(self) and check_permission(self, self.conf.prefix, self.conf.controller, self.conf.action) then
 			viewtable = self.clientdata
 		else
 			origconf.type = "dispatch"
diff --git a/app/template-html.lsp b/app/template-html.lsp
index 5af16c7..c1aeafd 100644
--- a/app/template-html.lsp
+++ b/app/template-html.lsp
@@ -74,13 +74,13 @@ end
 			for x,cat in ipairs(session.menu.cats) do
 				io.write (string.format("\n\t\t\t\t<li>%s\n\t\t\t\t\t<ul>\n", html.html_escape(cat.name)))	--start row
 				for y,group in ipairs(cat.groups) do
-					if pageinfo.prefix == group.prefix .. '/' and pageinfo.controller == group.controller then
+					if pageinfo.prefix == group.prefix and pageinfo.controller == group.controller then
 						class="class='selected'"
 						tabs = group.tabs
 					else
 						class=""
 					end
-					io.write (string.format("\t\t\t\t\t\t<li %s><a href=\"%s%s/%s/%s\">%s</a></li>\n", 
+					io.write (string.format("\t\t\t\t\t\t<li %s><a href=\"%s%s%s/%s\">%s</a></li>\n", 
 						class,html.html_escape(pageinfo.script),html.html_escape(group.prefix), html.html_escape(group.controller), html.html_escape(group.tabs[1].action), html.html_escape(group.name) ))
 				end
 				io.write ( "\t\t\t\t\t</ul>" )
diff --git a/lib/menubuilder.lua b/lib/menubuilder.lua
index 5b9509b..975c31a 100644
--- a/lib/menubuilder.lua
+++ b/lib/menubuilder.lua
@@ -64,7 +64,7 @@ get_menuitems = function (startdir)
 	startdir = (string.gsub(startdir, "/$", ""))	--remove trailing /
 	for k,filename in pairs(get_candidates(startdir)) do
 		local controller = mvc.basename(filename, ".menu")
-		local prefix = (string.gsub(mvc.dirname(filename), startdir, ""))
+		local prefix = (string.gsub(mvc.dirname(filename), startdir, "")).."/"
 
 		-- open the menu file, and parse the contents
 		local handle = io.open(filename)
diff --git a/lib/roles.lua b/lib/roles.lua
index 1ca8ae2..b554aea 100644
--- a/lib/roles.lua
+++ b/lib/roles.lua
@@ -34,10 +34,11 @@ get_controllers = function(self,controller)
 	local temp = {}
 	for k,v in pairs(list) do
 		path = string.match(v,"[/%w_-]+/")
+		prefix = string.match(path,"/[^/]+/$")
 		filename = string.match(v,"[^/]*.lua")
 		name = string.match(filename,"[^.]*")
 		sname = string.match(filename,"[^-]*")
-		temp[sname] = {path=path,filename=filename,name=name,sname=sname}
+		temp[sname] = {path=path,prefix=prefix,filename=filename,name=name,sname=sname}
 	end
 	if controller then
 		return temp[controller]
@@ -118,34 +119,38 @@ list_all_roles = function(self)
 	return default_roles
 end	
 
--- Go through the roles files and determine the permissions for the specified list of roles (including guest)
-get_roles_perm = function(self,roles)
-	permissions = {}
-	permissions_array = {}
+-- Go through the roles files and determine the permissions for the specified list of roles
+local determine_perms = function(self,roles)
+	local permissions = {}
+	local permissions_array = {}
+	local default_permissions_array = {}
 
 	local reverseroles = {}
 	for x,role in ipairs(roles) do
 		reverseroles[role] = x
 	end
-	reverseroles[guest_role] = 0 -- always include guest role
 
 	-- find all of the default roles files and parse them
 	local rolesfiles = get_roles_candidates(self.conf.appdir)
 
 	for x,file in ipairs(rolesfiles) do
+		local prefix = string.match(file, "(/[^/]+/)[^/]+$") or "/"
+		permissions[prefix] = permissions[prefix] or {}
 		f = fs.read_file_as_array(file) or {}
 		for y,line in pairs(f) do
 			if reverseroles[string.match(line,"^[%w_]+")] then
-				temp = format.string_to_table(string.match(line,"[,%w_:]+$"),",")
+				temp = format.string_to_table(string.match(line,"[,%w_:/]+$"),",")
 				for z,perm in pairs(temp) do
-					local control,action = string.match(perm,"([%w_]+):([%w_]+)")
+					-- we'll allow for : or / to not break old format
+					local control,action = string.match(perm,"([%w_]+)[:/]([%w_]+)")
 					if control then
-						if nil == permissions[control] then
-							permissions[control] = {}
+						if nil == permissions[prefix][control] then
+							permissions[prefix][control] = {}
 						end
 						if action then
-							permissions[control][action] = {file}
-							permissions_array[#permissions_array + 1] = control .. ":" .. action
+							permissions[prefix][control][action] = {file}
+							permissions_array[#permissions_array + 1] = prefix .. control .. "/" .. action
+							default_permissions_array[#default_permissions_array + 1] = prefix .. control .. "/" .. action
 						end
 					end
 				end
@@ -159,73 +164,33 @@ get_roles_perm = function(self,roles)
 		if reverseroles[entry.id] then
 			temp = format.string_to_table(entry.entry, ",")
 			for z,perm in pairs(temp) do
-				local control,action = string.match(perm,"([%w_]+):([%w_]+)")
+				local prefix,control,action = mvc.parse_path_info(perm)
 				if control then
-					if nil == permissions[control] then
-						permissions[control] = {}
+					if nil == permissions[prefix] then
+						permissions[prefix] = {}
 					end
-					if action then
-						permissions[control][action] = {}
-						permissions_array[#permissions_array + 1] = control .. ":" .. action
+					if nil == permissions[prefix][control] then
+						permissions[prefix][control] = {}
 					end
+					permissions[prefix][control][action] = {}
+					permissions_array[#permissions_array + 1] = prefix .. control .. "/" .. action
 				end
 			end
 		end
 	end
 	
-	return permissions, permissions_array
+	return permissions, permissions_array, default_permissions_array
+end
+
+-- Go through the roles files and determine the permissions for the specified list of roles (including guest)
+get_roles_perm = function(self,roles)
+	roles[#roles+1] = guest_role
+	return determine_perms(self, roles)
 end
 
 -- Go through the roles files and determine the permissions for the specified role
 get_role_perm = function(self,role)
-	permissions = {}
-	permissions_array = {}
-	default_permissions_array = {}
-
-	-- find all of the default roles files and parse them
-	local rolesfiles = get_roles_candidates(self.conf.appdir)
-
-	for x,file in ipairs(rolesfiles) do
-		f = fs.read_file_as_array(file) or {}
-		for y,line in pairs(f) do
-			if role == string.match(line,"^[%w_]+") then
-				temp = format.string_to_table(string.match(line,"[,%w_:]+$"),",")
-				for z,perm in pairs(temp) do
-					local control,action = string.match(perm,"([%w_]+):([%w_]+)")
-					if control then
-						if nil == permissions[control] then
-							permissions[control] = {}
-						end
-						if action then
-							permissions[control][action] = {file}
-							permissions_array[#permissions_array + 1] = control .. ":" .. action
-							default_permissions_array[#default_permissions_array + 1] = control .. ":" .. action
-						end
-					end
-				end
-			end
-		end
-	end
-
-	-- then look in the user-editable roles
-	local entry = authenticator.auth.read_entry(self, authenticator.roletable, "", role)
-	if entry then
-		temp = format.string_to_table(entry, ",")
-		for z,perm in pairs(temp) do
-			local control,action = string.match(perm,"([%w_]+):([%w_]+)")
-			if control then
-				if nil == permissions[control] then
-					permissions[control] = {}
-				end
-				if action then
-					permissions[control][action] = {}
-					permissions_array[#permissions_array + 1] = control .. ":" .. action
-				end
-			end
-		end
-	end
-
-	return permissions, permissions_array, default_permissions_array
+	return determine_perms(self, {role})
 end
 
 -- Delete a role from role file
@@ -247,9 +212,11 @@ set_role_perm = function(self, role, permissions, permissions_array)
 	end
 	if permissions and not permissions_array then
 		permissions_array = {}
-		for cont,actions in pairs(permissions) do
-			for action in pairs(actions) do
-				permissions_array[#permissions_array + 1] = cont .. ":" .. action
+		for prefix,contrllrs in pairs(permissions) do
+			for cont,actions in pairs(contrllrs) do
+				for action in pairs(actions) do
+					permissions_array[#permissions_array + 1] = prefix .. cont .. "/" .. action
+				end
 			end
 		end
 	end