ad_permission_p db { module "" } { submodule "" } { action "" } { user_id "" } { group_id "" }
What it does:
For groups with basic administration: Returns 1 if user has a role of administrator or all; 0 otherwise. For groups with advanced administration: Returns 1 if user has authority for the action; 0 otherwise.
Defined in: /web/philip/packages/acs-core/user-groups-procs.tcl
Source code:
    if { ![empty_string_p $module] && ![empty_string_p $group_id] } {
        error "specify either module or group_id, not both"
    }

    # If no user_id was specified, then use the ID of the logged-in
    # user.
    #
    if [empty_string_p $user_id] {
        set user_id [ad_verify_and_get_user_id]
    }

    # Identify the group. Either the group_id will be explicitly
    # specified or we derive it from the module by querying to
    # find out which group is the administration group for the
    # module. If submodule is specified in addition to module, then
    # find out which group is the administration group for the
    # submodule.
    #
    if { [empty_string_p $group_id] } {
        set group_id [ad_administration_group_id $db $module $submodule]

        # If we fail to find a corresponding group_id, return false.
        # This probably should raise an error but I (Michael Y) don't
        # want to risk breaking any more code right now.
        #
        if { [empty_string_p $group_id] } {
            return 0
        }
    }

    # Next, find out if the group uses basic or advanced (a.k.a.
    # multi-role) administration.
    #
    set multi_role_p [database_to_tcl_string $db "select multi_role_p from user_groups where group_id = $group_id"]

    if { $multi_role_p == "f" } {
        # If administration is basic, then return true if the user has
        # either the 'administrator' role or the 'all' role for the
        # group.
        #
        set permission_p [database_to_tcl_string $db "select decode(count(*), 0, 0, 1) from user_group_map where user_id = $user_id and group_id = $group_id and role in ('administrator', 'all')"]
    } else {
        # If administration is advanced, then check to see if the
        # user is an administrator; if not, make sure that action
        # was specified and then check to see if the user has a
        # role that is authorized to perform the specified action.
        #
        set permission_p [database_to_tcl_string $db "select decode(count(*), 0, 0, 1) from user_group_map where user_id = $user_id and group_id = $group_id and role = 'administrator'"]

        if { !$permission_p } {
            if { [empty_string_p $action] } {
                error "no action specified for group with multi-role administration (ID $group_id)"
            }

            set permission_p [database_to_tcl_string $db "select decode(count(*), 0, 0, 1) from user_group_action_role_map where group_id = $group_id and action = '[DoubleApos $action]' and role in (select role from user_group_map where group_id = $group_id and user_id = $user_id)"]
        }
    }

    # If necessary, make a final check to see if the user is a
    # site-wide administrator.
    #
    if { !$permission_p } {
        set permission_p [ad_administrator_p $db $user_id]
    }

    return $permission_p
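
Added example (not part of the ACS source): the queries above place $user_id and $group_id directly into the SQL text, while only $action passes through DoubleApos, so a caller that takes IDs from a request should check them before calling. safe_permission_p is a hypothetical wrapper name, and the ns_log call assumes the code runs under AOLserver.

```tcl
# Hypothetical wrapper around ad_permission_p (not ACS code).
# Same argument order and defaults as ad_permission_p.
proc safe_permission_p { db { module "" } { submodule "" } { action "" } { user_id "" } { group_id "" } } {

    # user_id and group_id are spliced into SQL unquoted by
    # ad_permission_p, so let through only strings of digits.
    # An empty string is allowed: ad_permission_p treats it as
    # "not specified" and fills it in itself.
    foreach id [list $user_id $group_id] {
        if { ![regexp {^[0-9]*$} $id] } {
            ns_log Warning "safe_permission_p: rejected non-numeric ID"
            return 0
        }
    }

    # ad_permission_p raises a Tcl error in two documented cases:
    #   - both module and group_id were specified
    #   - the group uses multi-role administration, the user is not
    #     an administrator, and no action was specified
    # Catch any error (including a failed query) and deny, so a
    # permission check never turns a failure into access.
    if { [catch {
        set allowed_p [ad_permission_p $db $module $submodule $action $user_id $group_id]
    } errmsg] } {
        ns_log Warning "safe_permission_p: denied after error: $errmsg"
        return 0
    }

    # Normalize to exactly 0 or 1 for callers that compare the value.
    if { $allowed_p == 1 } {
        return 1
    }
    return 0
}
```

A result of 1 can still come from the final site-wide administrator check in ad_permission_p, so the wrapper denies only on bad input or errors and leaves that fallback as it is.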