From 20fbad77e8fd49c48dccaadae9353ac4c9c18f1d Mon Sep 17 00:00:00 2001 From: Toby Zerner Date: Fri, 15 May 2015 17:05:46 +0930 Subject: [PATCH] Simplify permissions and add API to register configurable ones Lots of thought has gone into this; it will show up later when I do the admin permissions interface / category permissions :) --- ..._02_24_000000_create_permissions_table.php | 5 +-- .../core/src/Core/CoreServiceProvider.php | 40 ++++++++++--------- framework/core/src/Core/Models/Permission.php | 11 +++++ framework/core/src/Core/Models/User.php | 24 ++--------- .../core/src/Support/ServiceProvider.php | 6 +++ 5 files changed, 43 insertions(+), 43 deletions(-) diff --git a/framework/core/migrations/2015_02_24_000000_create_permissions_table.php b/framework/core/migrations/2015_02_24_000000_create_permissions_table.php index 3169a0e1b..bd01c52c6 100644 --- a/framework/core/migrations/2015_02_24_000000_create_permissions_table.php +++ b/framework/core/migrations/2015_02_24_000000_create_permissions_table.php @@ -14,10 +14,9 @@ class CreatePermissionsTable extends Migration { { Schema::create('permissions', function($table) { - $table->string('grantee', 100); - $table->string('entity', 100); + $table->integer('group_id')->unsigned(); $table->string('permission', 100); - $table->primary(['grantee', 'entity', 'permission']); + $table->primary(['group_id', 'permission']); }); } diff --git a/framework/core/src/Core/CoreServiceProvider.php b/framework/core/src/Core/CoreServiceProvider.php index 6224f7d58..9ab64507f 100644 --- a/framework/core/src/Core/CoreServiceProvider.php +++ b/framework/core/src/Core/CoreServiceProvider.php @@ -3,7 +3,7 @@ use Illuminate\Bus\Dispatcher as Bus; use Illuminate\Contracts\Container\Container; use Illuminate\Contracts\Events\Dispatcher; -use Illuminate\Support\ServiceProvider; +use Flarum\Support\ServiceProvider; use Flarum\Core\Formatter\FormatterManager; use Flarum\Core\Models\CommentPost; use Flarum\Core\Models\Post; 
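Review bot: `group_id` is declared as a bare unsigned integer with no foreign key, so rows in `permissions` survive the deletion of the group they refer to and would apply again to any group that later receives the same id. A foreign key from `group_id` to the groups table's primary key, with cascade on delete, keeps grants from outliving their group. This hunk also edits an existing migration in place, so a database that already ran the original version needs a rebuild or a follow-up migration. The enclosing up() method starts outside the hunk.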
@@ -138,12 +138,20 @@ class CoreServiceProvider extends ServiceProvider public function registerPermissions() { + $this->permission('forum.view'); + $this->permission('forum.startDiscussion'); + $this->permission('discussion.rename'); + $this->permission('discussion.delete'); + $this->permission('discussion.reply'); + $this->permission('post.edit'); + $this->permission('post.delete'); + Forum::grantPermission(function ($grant, $user, $permission) { - return $user->hasPermission($permission, 'forum'); + return $user->hasPermission('forum.'.$permission); }); Post::grantPermission(function ($grant, $user, $permission) { - return $user->hasPermission($permission, 'post'); + return $user->hasPermission('post'.$permission); }); // Grant view access to a post only if the user can also view the @@ -161,19 +169,14 @@ class CoreServiceProvider extends ServiceProvider // Allow a user to edit their own post, unless it has been hidden by // someone else. Post::grantPermission('edit', function ($grant, $user) { - $grant->whereCan('editOwn') - ->where('user_id', $user->id); - }); - - Post::demandPermission('editOwn', function ($demand, $user) { - $demand->whereNull('hide_user_id'); - if ($user) { - $demand->orWhere('hide_user_id', $user->id); - } + $grant->where('user_id', $user->id) + ->whereNull('hide_user_id') + ->orWhere('hide_user_id', $user->id); + // @todo add limitations to time etc. according to a config setting }); User::grantPermission(function ($grant, $user, $permission) { - return $user->hasPermission($permission, 'forum'); + return $user->hasPermission('user.'.$permission); }); // Grant view access to a user if the user can view the forum. @@ -187,7 +190,7 @@ class CoreServiceProvider extends ServiceProvider }); Discussion::grantPermission(function ($grant, $user, $permission) { - return $user->hasPermission($permission, 'discussion'); + return $user->hasPermission('discussion.'.$permission); }); // Grant view access to a discussion if the user can view the forum. 
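Review bot: The Post grant builds the name as `'post'.$permission`, which yields `postedit` rather than the `post.edit` / `post.delete` names registered at the top of this hunk, so the lookup can never match a stored row for a non-admin user. It should read `return $user->hasPermission('post.'.$permission);`, matching the forum grant just above it. The failure is closed (access is denied), but it silently disables every group-granted post permission. registerPermissions() continues past the end of this hunk.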
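Review bot: The chained `->whereNull('hide_user_id')->orWhere('hide_user_id', $user->id)` in the Post 'edit' grant is not grouped, so SQL precedence reads it as `(user_id = ? AND hide_user_id IS NULL) OR hide_user_id = ?`, which matches any post this user has hidden regardless of who wrote it; the removed `editOwn` demand kept the hide check separate from the ownership check. Nesting the hide condition in its own where-closure restores `user_id = ? AND (...)`, assuming `$grant` accepts closures like the query builder it appears to wrap. If this closure can run for a guest whose `$user->id` is null, the comparisons would likely turn into IS NULL checks, so an early return on an empty id is worth adding here and in the Discussion 'rename' grant in the later hunk at -195.

```php
Post::grantPermission('edit', function ($grant, $user) {
    $grant->where('user_id', $user->id)
          ->where(function ($query) use ($user) {
              $query->whereNull('hide_user_id')
                    ->orWhere('hide_user_id', $user->id);
          });
    // … unchanged: @todo comment …
});
```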
@@ -195,11 +198,10 @@ class CoreServiceProvider extends ServiceProvider $grant->whereCan('view', 'forum'); }); - // Allow a user to edit their own discussion. - Discussion::grantPermission('edit', function ($grant, $user) { - if ($user->hasPermission('editOwn', 'discussion')) { - $grant->where('start_user_id', $user->id); - } + // Allow a user to rename their own discussion. + Discussion::grantPermission('rename', function ($grant, $user) { + $grant->where('start_user_id', $user->id); + // @todo add limitations to time etc. according to a config setting }); } } diff --git a/framework/core/src/Core/Models/Permission.php b/framework/core/src/Core/Models/Permission.php index 22a876e04..33c7c6d80 100644 --- a/framework/core/src/Core/Models/Permission.php +++ b/framework/core/src/Core/Models/Permission.php @@ -2,4 +2,15 @@ class Permission extends Model { + protected static $permissions = []; + + public static function getPermissions() + { + return static::$permissions; + } + + public static function addPermission($permission) + { + static::$permissions[] = $permission; + } } diff --git a/framework/core/src/Core/Models/User.php b/framework/core/src/Core/Models/User.php index e1480cbea..957ff8a05 100755 --- a/framework/core/src/Core/Models/User.php +++ b/framework/core/src/Core/Models/User.php @@ -307,24 +307,6 @@ class User extends Model return $this; } - /** - * Get a list of the user's grantees according to their ID and groups. - * - * @return array - */ - public function getGrantees() - { - $grantees = ['group.'.GROUP::GUEST_ID]; // guests - if ($this->id) { - $grantees[] = 'user.'.$this->id; - } - foreach ($this->groups as $group) { - $grantees[] = 'group.'.$group->id; - } - - return $grantees; - } - /** * Check whether the user has a certain permission based on their groups. * 
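Review bot: `Permission::addPermission()` appends without checking for an existing entry, so two providers registering the same name leave duplicates in `getPermissions()`; guarding with `if (! in_array($permission, static::$permissions, true))` keeps the list unique. Both new methods also lack docblocks. The docblock should say that this is process-wide static state listing the configurable names, and that nothing visible in this diff makes `User::hasPermission()` consult it, so it is not mistaken for an allow-list that rejects unregistered names.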
@@ -332,13 +314,13 @@ class User extends Model * @param string $entity * @return boolean */ - public function hasPermission($permission, $entity) + public function hasPermission($permission) { if ($this->isAdmin()) { return true; } - $count = $this->permissions()->where('entity', $entity)->where('permission', $permission)->count(); + $count = $this->permissions()->where('permission', $permission)->count(); return (bool) $count; } @@ -468,7 +450,7 @@ class User extends Model */ public function permissions() { - return Permission::whereIn('grantee', $this->getGrantees()); + return Permission::whereIn('group_id', $this->groups()->lists('id')); } /** diff --git a/framework/core/src/Support/ServiceProvider.php b/framework/core/src/Support/ServiceProvider.php index 08501519f..8bc434a98 100644 --- a/framework/core/src/Support/ServiceProvider.php +++ b/framework/core/src/Support/ServiceProvider.php @@ -5,6 +5,7 @@ use Illuminate\Contracts\Events\Dispatcher; use Flarum\Core\Models\Notification; use Flarum\Core\Models\User; use Flarum\Core\Models\Post; +use Flarum\Core\Models\Permission; use Closure; class ServiceProvider extends IlluminateServiceProvider @@ -90,4 +91,9 @@ class ServiceProvider extends IlluminateServiceProvider } }); } + + protected function permission($permission) + { + Permission::addPermission($permission); + } }
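Review bot: The docblock kept as context above the new `hasPermission($permission)` signature still documents `@param string $entity`, which no longer exists; drop that line and state that `$permission` is now the full dotted name such as `discussion.rename`. Because PHP ignores surplus arguments, any two-argument caller left outside this diff will not raise an error and will instead look up the bare name, so a search for old call sites is worth doing before merging. The docblock begins outside the hunk.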
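Review bot: `permissions()` now filters only on `$this->groups()->lists('id')`, whereas the removed `getGrantees()` always included `GROUP::GUEST_ID`, so a guest or a member with no explicit groups ends up with an empty id list. Depending on the query builder version, `whereIn` with an empty list may produce invalid SQL rather than an empty result, and permissions assigned to the guest group no longer reach anyone unless `groups()` adds that group somewhere outside this diff. Either merge the guest group id into the list here or add a comment such as `// guest group is expected to be included by groups()` so the assumption is explicit. The docblock for permissions() starts outside the hunk.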