From 7a84ffee5e0d5a07e0b048a91c42b90d6dadddae Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 09:17:35 +0200
Subject: [PATCH 1/6] fix typo in description of extension

---
 ext/example/conf.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/example/conf.php b/ext/example/conf.php
index c6fd2ce56..931cc14a4 100644
--- a/ext/example/conf.php
+++ b/ext/example/conf.php
@@ -1,7 +1,7 @@
 <?php
 $EXT_CONF['example'] = array(
 	'title' => 'Example Extension',
-	'description' => 'This sample extension demonstrate the use of various hooks',
+	'description' => 'This sample extension demonstrates the use of various hooks',
 	'disable' => true,
 	'version' => '1.0.0',
 	'releasedate' => '2013-05-03',

From 0511d06d6335d37847010435bee8d456e7559528 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 12:21:55 +0200
Subject: [PATCH 2/6] add field for access restrictions by document status

---
 SeedDMS_Core/Core/inc.ClassUser.php | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/SeedDMS_Core/Core/inc.ClassUser.php b/SeedDMS_Core/Core/inc.ClassUser.php
index 3a18a60b2..4f55bbc29 100644
--- a/SeedDMS_Core/Core/inc.ClassUser.php
+++ b/SeedDMS_Core/Core/inc.ClassUser.php
@@ -44,6 +44,13 @@ class SeedDMS_Core_Role { /* {{{ */
 	 */
 	var $_role;
 
+	/**
+	 * @var array list of status without access
+	 *
+	 * @access protected
+	 */
+	var $_noaccess;
+
 	/**
 	 * @var object reference to the dms instance this user belongs to
 	 *
@@ -55,10 +62,11 @@ class SeedDMS_Core_Role { /* {{{ */
 	const role_admin = '1';
 	const role_guest = '2';
 
-	function SeedDMS_Core_Role($id, $name, $role) { /* {{{ */
+	function SeedDMS_Core_Role($id, $name, $role, $noaccess=array()) { /* {{{ */
 		$this->_id = $id;
 		$this->_name = $name;
 		$this->_role = $role;
+		$this->_noaccess = $noaccess;
 		$this->_dms = $role;
 	} /* }}} */
 
@@ -91,7 +99,7 @@ class SeedDMS_Core_Role { /* {{{ */
 
 		$resArr = $resArr[0];
 
-		$role = new self($resArr["id"], $resArr["name"], $resArr["role"]);
+		$role = new self($resArr["id"], $resArr["name"], $resArr["role"], $resArr['noaccess'] ? explode(',', $resArr['noaccess']) : array());
 		$role->setDMS($dms);
 		return $role;
 	} /* }}} */
@@ -111,7 +119,7 @@ class SeedDMS_Core_Role { /* {{{ */
 		$roles = array();
 
 		for ($i = 0; $i < count($resArr); $i++) {
-			$role = new self($resArr[$i]["id"], $resArr[$i]["name"], $resArr[$i]["role"]);
+			$role = new self($resArr[$i]["id"], $resArr[$i]["name"], $resArr[$i]["role"], explode(',', $resArr[$i]['noaccess']));
 			$role->setDMS($dms);
 			$roles[$i] = $role;
 		}
@@ -156,6 +164,19 @@ class SeedDMS_Core_Role { /* {{{ */
 		return true;
 	} /* }}} */
 
+	function getNoAccess() { return $this->_noaccess; }
+
+	function setNoAccess($noaccess) { /* {{{ */
+		$db = $this->_dms->getDB();
+
+		$queryStr = "UPDATE tblRoles SET noaccess = " . $db->qstr(implode(',',$noaccess)) . " WHERE id = " . $this->_id;
+		if (!$db->getResult($queryStr))
+			return false;
+
+		$this->_noaccess = $noaccess;
+		return true;
+	} /* }}} */
+
 	/**
 	 * Delete role
 	 *

From 6278dd8df364c596366c451ae9cba1689c027d3d Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 12:22:36 +0200
Subject: [PATCH 3/6] set access restrictions by role

---
 inc/inc.Authentication.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/inc/inc.Authentication.php b/inc/inc.Authentication.php
index 5c1134dd6..9ff61afe4 100644
--- a/inc/inc.Authentication.php
+++ b/inc/inc.Authentication.php
@@ -92,6 +92,8 @@ $theme = $resArr["theme"];
 $lang = $resArr["language"];
 
 $dms->setUser($user);
+$role = $user->getRole();
+$dms->noReadForStatus = $role->getNoAccess();
 
 $notifier = new SeedDMS_NotificationService();
 

From 795eb1e028e56194f4dc23089e0149c0b6acce0d Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 12:23:04 +0200
Subject: [PATCH 4/6] manage access restrictions

---
 op/op.RoleMgr.php                 |  2 ++
 views/bootstrap/class.RoleMgr.php | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/op/op.RoleMgr.php b/op/op.RoleMgr.php
index 73e0656b9..8b2080014 100644
--- a/op/op.RoleMgr.php
+++ b/op/op.RoleMgr.php
@@ -116,11 +116,13 @@ else if ($action == "editrole") {
 
 	$name    = $_POST["name"];
 	$role    = preg_replace('/[^0-2]+/', '', $_POST["role"]);
+	$noaccess = isset($_POST['noaccess']) ? $_POST['noaccess'] : null;
 	
 	if ($editedRole->getName() != $name)
 		$editedRole->setName($name);
 	if ($editedRole->getRole() != $role)
 		$editedRole->setRole($role);
+	$editedRole->setNoAccess($noaccess);
 
 	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_edit_role')));
 	add_log_line(".php&action=editrole&roleid=".$roleid);
diff --git a/views/bootstrap/class.RoleMgr.php b/views/bootstrap/class.RoleMgr.php
index f807f8435..031d77238 100644
--- a/views/bootstrap/class.RoleMgr.php
+++ b/views/bootstrap/class.RoleMgr.php
@@ -149,6 +149,18 @@ $(document).ready( function() {
 			<td><?php printMLText("role_type");?>:</td>
 			<td><select name="role"><option value="<?php echo SeedDMS_Core_Role::role_user ?>"><?php printMLText("role_user"); ?></option><option value="<?php echo SeedDMS_Core_Role::role_admin ?>" <?php if($currRole && $currRole->getRole() == SeedDMS_Core_Role::role_admin) echo "selected"; ?>><?php printMLText("role_admin"); ?></option><option value="<?php echo SeedDMS_Core_Role::role_guest ?>" <?php if($currRole && $currRole->getRole() == SeedDMS_Core_Role::role_guest) echo "selected"; ?>><?php printMLText("role_guest"); ?></option></select></td>
 		</tr>
+<?php
+		if($currRole && $currRole->getRole() == SeedDMS_Core_Role::role_user) {
+			echo "<tr>";
+			echo "<td>".getMLText('restrict_access')."</td>";
+			echo "<td>";
+			foreach(array(S_DRAFT_REV, S_DRAFT_APP, S_IN_WORKFLOW, S_REJECTED, S_RELEASED, S_IN_REVISION, S_DRAFT, S_OBSOLETE) as $status) {
+				echo "<input type=\"checkbox\" name=\"noaccess[]\" value=\"".$status."\" ".(in_array($status, $currRole->getNoAccess()) ? "checked" : "")."> ".getOverallStatusText($status)."<br />";
+			}
+			echo "</td>";
+			echo "</tr>";
+		}
+?>
 		<tr>
 			<td></td>
 			<td><button type="submit" class="btn"><i class="icon-save"></i> <?php printMLText($currRole ? "save" : "add_role")?></button></td>

From 5bdc6fe3cca554dcc62d2f68f214987a6d814be7 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 12:23:26 +0200
Subject: [PATCH 5/6] filter result by new access restrictions derived from
 status

---
 out/out.Search.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/out/out.Search.php b/out/out.Search.php
index 8110dfc26..dd312a21b 100644
--- a/out/out.Search.php
+++ b/out/out.Search.php
@@ -143,9 +143,11 @@ if(isset($_GET["fullsearch"]) && $_GET["fullsearch"] && $settings->_enableFullSe
 				foreach($hits as $hit) {
 					if($tmp = $dms->getDocument($hit['document_id'])) {
 						if($tmp->getAccessMode($user) >= M_READ) {
-							$tmp->verifyLastestContentExpriry();
-							$entries[] = $tmp;
-							$dcount++;
+							if($tmp->getLatestContent()) {
+								$tmp->verifyLastestContentExpriry();
+								$entries[] = $tmp;
+								$dcount++;
+							}
 						}
 					}
 				}
@@ -383,9 +385,11 @@ if(isset($_GET["fullsearch"]) && $_GET["fullsearch"] && $settings->_enableFullSe
 	if($resArr['docs']) {
 		foreach ($resArr['docs'] as $entry) {
 			if ($entry->getAccessMode($user) >= M_READ) {
-				$entry->verifyLastestContentExpriry();
-				$entries[] = $entry;
-				$dcount++;
+				if($entry->getLatestContent()) {
+					$entry->verifyLastestContentExpriry();
+					$entries[] = $entry;
+					$dcount++;
+				}
 			}
 		}
 	}

From ece56944d825026a940bddaf8294dbb440a23c7b Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Tue, 12 Apr 2016 12:23:57 +0200
Subject: [PATCH 6/6] add new field noAccess in tblRoles

---
 install/create_tables-innodb.sql        | 1 +
 install/create_tables-sqlite3.sql       | 1 +
 install/update-5.1.0/update-sqlite3.sql | 1 +
 install/update-5.1.0/update.sql         | 1 +
 4 files changed, 4 insertions(+)

diff --git a/install/create_tables-innodb.sql b/install/create_tables-innodb.sql
index 4cf60c387..83af2822f 100644
--- a/install/create_tables-innodb.sql
+++ b/install/create_tables-innodb.sql
@@ -54,6 +54,7 @@ CREATE TABLE `tblRoles` (
   `id` int(11) NOT NULL auto_increment,
   `name` varchar(50) default NULL,
   `role` smallint(1) NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
   PRIMARY KEY (`id`),
   UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/install/create_tables-sqlite3.sql b/install/create_tables-sqlite3.sql
index 4241e437c..1bd57c948 100644
--- a/install/create_tables-sqlite3.sql
+++ b/install/create_tables-sqlite3.sql
@@ -51,6 +51,7 @@ CREATE TABLE `tblRoles` (
   `id` INTEGER PRIMARY KEY AUTOINCREMENT,
   `name` varchar(50) default NULL,
   `role` INTEGER NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
   UNIQUE (`name`)
 ) ;
 
diff --git a/install/update-5.1.0/update-sqlite3.sql b/install/update-5.1.0/update-sqlite3.sql
index 9ddf8ea10..6d136b90b 100644
--- a/install/update-5.1.0/update-sqlite3.sql
+++ b/install/update-5.1.0/update-sqlite3.sql
@@ -77,6 +77,7 @@ CREATE TABLE `tblRoles` (
   `id` INTEGER PRIMARY KEY AUTOINCREMENT,
   `name` varchar(50) default NULL,
   `role` INTEGER NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
   UNIQUE (`name`)
 );
 
diff --git a/install/update-5.1.0/update.sql b/install/update-5.1.0/update.sql
index 95b36d9bb..a68b965e9 100644
--- a/install/update-5.1.0/update.sql
+++ b/install/update-5.1.0/update.sql
@@ -98,6 +98,7 @@ CREATE TABLE `tblRoles` (
   `id` int(11) NOT NULL auto_increment,
   `name` varchar(50) default NULL,
   `role` smallint(1) NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
   PRIMARY KEY (`id`),
   UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;