source: Base/Permission.php

<?php

include_once(dirname(__FILE__).'/Model.php');

class Permission extends Model
{
  var $BuildCache = true;

  function Check($Module, $Action, $Item = '')
  {
    if($this->BuildCache)
    {
      $this->RebuildCache();
      $this->BuildCache = false;
    }
    $Result = false;
    if($Item != '') $ItemFilter = ' AND (Item='.$Item.')';
      else $ItemFilter = ' AND (Item IS NULL)';

    // Check global access
    $DbResult = $this->Database->query('SELECT * FROM `PermissionAssignment` WHERE `ModuleAction`=(SELECT `Id` FROM `ModuleAction` WHERE (`Module` IS NULL) AND (`Name` IS NULL))');
    if($DbResult->num_rows > 0)
    {
      $DbRow = $DbResult->fetch_assoc();
      $DbResult = $this->Database->query('SELECT * FROM `PermissionAssignmentCache` WHERE (`Group`='.$DbRow['Group'].') AND (`User`='.
        $this->System->Modules['User']->Data['Id'].')');
      $Result = $DbResult->num_rows > 0;
      if($Result) return(true);
    }

    // Check module-action-item access
    $DbResult = $this->Database->query('SELECT * FROM `PermissionAssignment` WHERE `ModuleAction`=(SELECT `Id` FROM `ModuleAction` WHERE (`Module`=(SELECT `Id` FROM `Module` WHERE `Name` = "'.$Module.'")) AND (`Name`="'.$Action.'"))'.$ItemFilter);
    while($DbRow = $DbResult->fetch_assoc())
    {
      $DbResult2 = $this->Database->query('SELECT * FROM `PermissionAssignmentCache` WHERE (`Group`='.$DbRow['Group'].') AND (`User`='.
        $this->System->Modules['User']->Data['Id'].')');
      if($DbResult2->num_rows > 0) return(true);
    }
    return($Result);
  }

  function AppendFilter($Module, $Action, $Table, $Key)
  {
    if($this->Check($Module, 'Show')) return('');
    else return(' JOIN PermissionAssignment ON (PermissionAssignment.Item='.$Table.'.'.$Key.
      ') AND (PermissionAssignment.ModuleAction=(SELECT `Id` FROM `ModuleAction` WHERE (`Module`=(SELECT `Id` FROM `Module` WHERE `Name` = "'.$Module.'")) AND (`Name`="'.$Action.'"))) JOIN PermissionAssignmentCache ON PermissionAssignmentCache.Group=PermissionAssignment.Group AND PermissionAssignmentCache.User='.
      $this->System->Modules['User']->Data['Id']);
  }

  function RebuildCache()
  {
    $this->Database->query('TRUNCATE `PermissionAssignmentCache`');
    $DbResult = $this->Database->query('SELECT * FROM `PermissionAssignment` WHERE (`User` > 0) AND (`SubGroup` > 0)');
    while($UserAssignment = $DbResult->fetch_assoc())
    {
      $Cache = array($UserAssignment['SubGroup']);
      $Cache = array_merge($Cache, $this->RebuildCacheGroup($UserAssignment['SubGroup']));
      foreach($Cache as $Item)
      {
        $this->Database->insert('PermissionAssignmentCache', array('Group' => $Item, 'User' => $UserAssignment['User']));
      }
    }
  }

  function RebuildCacheGroup($Id)
  {
    $Cache = array();
    $DbResult = $this->Database->query('SELECT * FROM `PermissionAssignment` WHERE (`Group` = '.$Id.') AND (`SubGroup` > 0)');
    while($DbRow = $DbResult->fetch_assoc())
    {
      $Cache[] = $DbRow['SubGroup'];
      $Cache = array_merge($Cache, $this->RebuildCacheGroup($DbRow['SubGroup']));
    }
    return($Cache);
  }
}

?>