author | Ted Trask <ttrask01@yahoo.com> | 2008-10-24 15:20:36 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-24 15:20:36 +0000 |
commit | 43915f5de0ae60da41615a3edacca18cd85dd921 (patch) | |
tree | 0eb4d66c612feaea5b4d789d3293012447afe07c /lib/roles.lua | |
parent | 062423a2cd98a8c1dfd23453853bf73b8db1b180 (diff) | |
download | acf-core-43915f5de0ae60da41615a3edacca18cd85dd921.tar.bz2 acf-core-43915f5de0ae60da41615a3edacca18cd85dd921.tar.xz |
Minor change to roles code and major change to roles. Replaced ALL, CREATE, READ, UPDATE, and DELETE with GUEST, USER, EDITOR, EXPERT, and ADMIN. Changed all roles files and modified some html files to hide options without permissions. Determine default roles from roles files, rather than hard-coded, and added ability to modify default roles by adding permissions.
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1563 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'lib/roles.lua')
-rw-r--r-- | lib/roles.lua | 69 |
1 files changed, 36 insertions, 33 deletions
diff --git a/lib/roles.lua b/lib/roles.lua index ecd9798..85f59da 100644 --- a/lib/roles.lua +++ b/lib/roles.lua @@ -6,7 +6,7 @@ require ("format") module (..., package.seeall) -local default_roles = { "CREATE", "UPDATE", "DELETE", "READ", "ALL" } +guest_role = "GUEST" -- returns a table of the *.roles files -- startdir should be the app dir @@ -81,16 +81,29 @@ get_controllers_view = function(self,controller_info) return temp end -list_default_roles = function() - return default_roles +list_default_roles = function(self) + local default_roles = {} + local reverseroles = {} + + -- find all of the default roles files and parse them + local rolesfiles = get_roles_candidates(self.conf.appdir) + + for x,file in ipairs(rolesfiles) do + f = fs.read_file_as_array(file) + for y,line in pairs(f) do + if not reverseroles[string.match(line,"^[%w_]+")] then + default_roles[#default_roles+1] = string.match(line,"^[%w_]+") + reverseroles[default_roles[#default_roles]] = #default_roles + end + end + end + + return default_roles, reverseroles end list_roles = function(self) local defined_roles = {} - local reverseroles = {} - for x,role in ipairs(default_roles) do - reverseroles[role] = x - end + local default_roles, reverseroles = list_default_roles(self) -- Open the roles file and parse for defined roles local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {} 
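Review bot: In the new `list_default_roles`, a roles-file line that does not start with a word character (a blank line, for instance) makes `string.match(line,"^[%w_]+")` return nil. If that happens before any role has been collected, `reverseroles[default_roles[#default_roles]] = #default_roles` indexes the table with nil and raises an error. `list_roles` now calls this function, so one malformed roles file would presumably break the role listing as well. Matching once into a local and skipping nil avoids this; `f` should also be `local` (it is currently a module global), and `ipairs` keeps role order stable where `pairs` does not guarantee it.

```lua
-- … unchanged: default_roles / reverseroles setup and get_roles_candidates call …
for x,file in ipairs(rolesfiles) do
	local f = fs.read_file_as_array(file)
	for y,line in ipairs(f) do
		local role = string.match(line,"^[%w_]+")
		if role and not reverseroles[role] then
			default_roles[#default_roles+1] = role
			reverseroles[role] = #default_roles
		end
	end
end
-- … unchanged: return default_roles, reverseroles …
```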
@@ -111,19 +124,19 @@ list_all_roles = function(self) return default_roles end --- Go through the roles files and determine the permissions for the specified roles +-- Go through the roles files and determine the permissions for the specified list of roles (including guest) get_roles_perm = function(self,roles) permissions = {} permissions_array = {} - -- find all of the roles files and add in the master file - local rolesfiles = get_roles_candidates(self.conf.appdir) - local reverseroles = {} for x,role in ipairs(roles) do - reverseroles[role] = {} + reverseroles[role] = x end - reverseroles["ALL"] = {} -- always include ALL role + reverseroles[guest_role] = 0 -- always include guest role + + -- find all of the default roles files and parse them + local rolesfiles = get_roles_candidates(self.conf.appdir) for x,file in ipairs(rolesfiles) do f = fs.read_file_as_array(file) @@ -137,7 +150,7 @@ get_roles_perm = function(self,roles) permissions[control] = {} end if action then - permissions[control][action] = {} + permissions[control][action] = {file} permissions_array[#permissions_array + 1] = control .. ":" .. action end end @@ -146,6 +159,7 @@ get_roles_perm = function(self,roles) end end + -- then look in the user-editable roles local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {} for x,entry in ipairs(entries) do if reverseroles[entry.id] then @@ -172,8 +186,9 @@ end get_role_perm = function(self,role) permissions = {} permissions_array = {} + default_permissions_array = {} - -- find all of the roles files and add in the master file + -- find all of the default roles files and parse them local rolesfiles = get_roles_candidates(self.conf.appdir) for x,file in ipairs(rolesfiles) do 
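Review bot: `default_permissions_array = {}` at the top of `get_role_perm` is assigned without `local`, so under `module (..., package.seeall)` it becomes a field of the module table rather than a per-call variable. The neighbouring context lines `permissions = {}` and `permissions_array = {}` already do the same. Authorization results kept in module-level state can be read or overwritten by any other code that loads the module, and would be shared between calls if the process serves more than one request. Unless something outside this diff reads them as globals, I would write `local default_permissions_array = {}` and make the two neighbours local as well. The body of `get_role_perm` continues outside this hunk.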
@@ -188,15 +203,17 @@ get_role_perm = function(self,role) permissions[control] = {} end if action then - permissions[control][action] = {} + permissions[control][action] = {file} permissions_array[#permissions_array + 1] = control .. ":" .. action + default_permissions_array[#default_permissions_array + 1] = control .. ":" .. action end end end end end end - + + -- then look in the user-editable roles local entry = authenticator.auth.read_entry(self, authenticator.roletable, "", role) if entry then temp = format.string_to_table(entry, ",") @@ -214,17 +231,11 @@ get_role_perm = function(self,role) end end - return permissions, permissions_array + return permissions, permissions_array, default_permissions_array end -- Delete a role from role file delete_role = function(self, role) - for x,ro in ipairs(default_roles) do - if role==ro then - return false, "Cannot delete default roles" - end - end - local result = authenticator.auth.delete_entry(self, authenticator.roletable, "", role) local cmdresult = "Role entry not found" if result then cmdresult = "Role deleted" end @@ -237,11 +248,6 @@ set_role_perm = function(self, role, permissions, permissions_array) if role==nil or role=="" then return false, "Invalid Role" end - for x,ro in ipairs(default_roles) do - if role==ro then - return false, "Cannot modify default roles" - end - end if string.find(role, '[^%w_]') then return false, "Role can only contain letters, numbers, and '_'" end @@ -253,9 +259,6 @@ set_role_perm = function(self, role, permissions, permissions_array) end end end - if permissions_array==nil or #permissions_array==0 then - return false, "No permissions set" - end - return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array,",")) + return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array or {},",")) end |
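Review bot: With the default-role guards removed from `delete_role` and `set_role_perm`, both now accept `GUEST`, and `get_roles_perm` adds that role to every lookup (`reverseroles[guest_role] = 0 -- always include guest role`), so an entry written for it applies to every caller, presumably including sessions that have not logged in. The commit message says extending default roles is intended, but nothing at these two functions records that consequence. I would add a comment above `set_role_perm` such as `-- default roles may be extended here; permissions added to guest_role apply to every session (see get_roles_perm)`, and confirm that the controller action reaching it is restricted to the ADMIN role, which is not visible in this diff. The last hunk also drops the "No permissions set" check, so an empty `permissions_array` now writes an empty entry instead of being rejected.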