getPermissions function

The permissions on an item can be specific or inherited. A user can be granted permissions in the following ways:

1. Explicitly, i.e. the user name appears on the access tab of the item properties. In this case the user does not get any extra access rights through group membership.

2. By group membership. The user gets the combined set (superset) of the permissions granted to all the groups they are a member of.

3. Default. If the user has no explicit permissions and no permissions via group membership, then they get whatever is set for “Everyone Else”.

This function allows you to find the permissions a particular user has on an item. It takes an Item handle and a user name as parameters and returns the permissions that the user has on the item, including permissions the user has through inherited access, group membership, etc. The function does not support groups.

/***************************************************
	Returns the permissions for the specified user for the item.
	Does not support groups.
***************************************************/
Permission getPermissions(Item itm, string userName)
{
	Permission perm = null
	AccessRec  ar = null
	Group      grp = null
	User       usr = null
	bool       isDisabled = false
	bool       hasGroupPermissions = false

	// loop through access records for item.
	// note that the "all" ensures the loop includes inherited access
	for ar in all itm do
	{
		if (username(ar) == userName)
		{
			// user-specific permissions: these are the only permissions that apply;
			// group membership has no effect.
			perm = none

			if (read ar) perm = perm | read
			if (modify ar) perm = perm | modify
			if (create ar) perm = perm | create
			if (delete ar) perm = perm | delete
			if (control ar) perm = perm | control

			return(perm)
		}
		else if (null username(ar))
		{
			// default permissions for "Everyone Else".
			// these only apply if the user does not have any permissions
			// through group membership
			if (!hasGroupPermissions)
			{
				perm = none

				if (read ar) perm = perm | read
				if (modify ar) perm = perm | modify
				if (create ar) perm = perm | create
				if (delete ar) perm = perm | delete
				if (control ar) perm = perm | control
			}
		}
		else if (existsGroup(username(ar)))
		{
			grp = find(username(ar))

			isDisabled = grp.disabled

			if (!isDisabled)
			{
				usr = find(userName)

				if (member(grp, usr))
				{
					// if this is the first time we are assigning permissions
					// through group membership, then ensure that default
					// permissions are removed first
					if (!hasGroupPermissions)
					{
						perm = none
					}

					// user gets superset of permissions from all groups
					if (read ar) perm = perm | read
					if (modify ar) perm = perm | modify
					if (create ar) perm = perm | create
					if (delete ar) perm = perm | delete
					if (control ar) perm = perm | control

					// flag used to preserve permissions and ensure we get
					// a true superset of all the permissions from all groups
					// the user is a member of.
					hasGroupPermissions = true
				}
			}
		}
	}

	return(perm)
}

The following is an example of using this function. This example also makes use of a simple function stringOf(Permission) which allows you to print the results.

Item i = item(fullName(current Module))

Permission perm = getPermissions(i, "fredbrooks")

print stringOf(perm)

And the stringOf function is defined here:

string stringOf(Permission p)
{
	string str = ""

	if (p == none)
	{
		return("None")
	}
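	else
	{
		// test one permission bit at a time; the parentheses make the
		// grouping explicit (mask first, then compare with none)
		if ((p & read) != none)
		{
			str = str "R"
		}

		if ((p & modify) != none)
		{
			str = str "M"
		}

		if ((p & create) != none)
		{
			str = str "C"
		}

		if ((p & delete) != none)
		{
			str = str "D"
		}

		// control is reported as "A"
		if ((p & control) != none)
		{
			str = str "A"
		}
	}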

	return(str)
}
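
The three precedence rules at the top of this page, modelled in Python so the edge cases can be checked without a DOORS database. This is an added example, not part of the original DXL; the users, group names, ACL entries and the helper names `effective`, `fmt` and `report` are all constructed for illustration.

```python
# Added example: a Python model of the three precedence rules, not DOORS DXL.
# Group names, users and ACL entries are constructed for illustration.
ORDER = "RMCDA"      # read, modify, create, delete, control ("A" as in stringOf)
EVERYONE = None      # an access record with no user name is "Everyone Else"

def fmt(perms):
    """Render a permission set the way stringOf does."""
    return "".join(c for c in ORDER if c in perms) or "None"

def effective(acl, user, groups):
    """acl: [(principal, perms)]; groups: name -> (disabled, members).
    Returns None when no access record applies to the user at all."""
    default, union, in_group = None, set(), False
    for principal, perms in acl:
        if principal == user:
            return fmt(perms)            # rule 1: explicit entry, groups ignored
        if principal is EVERYONE:
            default = fmt(perms)         # rule 3: used only if no group applies
        elif principal in groups:
            disabled, members = groups[principal]
            if not disabled and user in members:
                union |= set(perms)      # rule 2: superset over all groups
                in_group = True
    return fmt(union) if in_group else default

GROUPS = {
    "Readers":     (False, {"alice", "bob"}),
    "Admins":      (False, {"bob", "carol"}),
    "Contractors": (True,  {"dave"}),    # disabled group: its record is skipped
}
ACL = [
    (EVERYONE, "RM"),
    ("Readers", "R"),
    ("Admins", "RMCDA"),
    ("Contractors", "RMCD"),
    ("carol", "R"),                      # explicit entry for an Admins member
]

def report(acl=ACL):
    users = ("alice", "bob", "carol", "dave", "erin")
    return {u: effective(acl, u, GROUPS) for u in users}

if __name__ == "__main__":
    for user, perms in report().items():
        print(f"{user:6} {perms}")
```

Two results are worth noting when reviewing access: alice ends up with less than "Everyone Else" because group membership replaces the default rather than adding to it, and carol's explicit entry caps her at read even though she is in Admins.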