Brad Shuttleworth 2006-04-13 major merge...

Brad Shuttleworth 2006-04-13 add anon-login default. Brad Shuttleworth 2006-04-13 improve group cache management somewhat. Brad Shuttleworth 2006-04-12 add in the changes to make anonymous a firs... Brad Shuttleworth 2006-04-12 new owner location in db. Brad Shuttleworth 2006-04-12 reset the memory-cache "each" after we're d... Brad Shuttleworth 2006-04-12 fix for KTS-786: workflow transitions don'... Brad Shuttleworth 2006-04-12 minor fix. Brad Shuttleworth 2006-04-12 KTS-739: add more fail-out and checking cod... Brad Shuttleworth 2006-04-12 remove object cache: it causes havoc with ... Brad Shuttleworth 2006-04-12 fix for role-management non-editable bug. Brad Shuttleworth 2006-04-12 fix for translation issue. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@5241 c91229c3-7414-0410-bfa2-8a42b809f60b

Brad Shuttleworth 2006-04-13 major merge...
Brad Shuttleworth 2006-04-13 add anon-login default. Brad Shuttleworth 2006-04-13 improve group cache management somewhat. Brad Shuttleworth 2006-04-12 add in the changes to make anonymous a firs... Brad Shuttleworth 2006-04-12 new owner location in db. Brad Shuttleworth 2006-04-12 reset the memory-cache "each" after we're d... Brad Shuttleworth 2006-04-12 fix for KTS-786: workflow transitions don'... Brad Shuttleworth 2006-04-12 minor fix. Brad Shuttleworth 2006-04-12 KTS-739: add more fail-out and checking cod... Brad Shuttleworth 2006-04-12 remove object cache: it causes havoc with ... Brad Shuttleworth 2006-04-12 fix for role-management non-editable bug. Brad Shuttleworth 2006-04-12 fix for translation issue. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@5241 c91229c3-7414-0410-bfa2-8a42b809f60b
Brad Shuttleworth
1 parent 7df8705e
Showing 31 changed files with 312 additions and 59 deletions
config/config.ini
config/siteMap.inc
control.php
lib/dispatcher.inc.php
lib/documentmanagement/DocumentType.inc
lib/foldermanagement/Folder.inc
lib/groups/Group.inc
lib/groups/GroupUtil.php
lib/ktentity.inc
lib/permissions/permissiondescriptor.inc.php
lib/permissions/permissionutil.inc.php
lib/roles/documentroleallocation.inc.php
lib/roles/roleallocation.inc.php
lib/session/Session.inc
lib/session/control.inc
lib/templating/kt3template.inc.php
lib/users/User.inc
lib/util/ktutil.inc
login.php
plugins/ktcore/KTPermissions.php
@@ -140,6 +140,7 @@ uiUrl  = ${rootUrl}/presentation/lookAndFeel/knowledgeTree
 [session]
 ; session timeout (in seconds)
 sessionTimeout = 1200
+allowAnonymousLogin = true
 [import]
 ; unzip command - will use execSearchPath to find if the path to the
@@ -34,27 +34,27 @@ $default-&gt;siteMap-&gt;addPage(&quot;dashboard&quot;, &quot;/dashboard.php&quot;, &quot;General&quot;, Guest, &quot;das
 // dashboard news
 //pages for manage documents section
-$default->siteMap->addPage("browse", "/browse.php", "Manage Documents", Guest, _("browse documents"));
-$default->siteMap->addPage("viewDocument", "/view.php", "Manage Documents", Guest, _("View Document"), false);
-$default->siteMap->addPage("editDocument", "/edit.php", "Manage Documents", Guest, _("Edit Document"), false);
+$default->siteMap->addPage("browse", "/browse.php", "Manage Documents", Guest, _kt("browse documents"));
+$default->siteMap->addPage("viewDocument", "/view.php", "Manage Documents", Guest, _kt("View Document"), false);
+$default->siteMap->addPage("editDocument", "/edit.php", "Manage Documents", Guest, _kt("Edit Document"), false);
 // pages for administration section
-$default->siteMap->addDefaultPage("administration", "/admin.php", "Administration", UnitAdmin, _("Administration"));
+$default->siteMap->addDefaultPage("administration", "/admin.php", "Administration", UnitAdmin, _kt("Administration"));
 // pages for advanced search section
-$default->siteMap->addDefaultPage("advancedSearch", "/search/advancedSearchBL.php", "Advanced Search", Guest, _("Advanced Search"), true);
-$default->siteMap->addPage("booleanSearch", "/search/booleanSearch.php", "Boolean Search", Guest, _("Boolean Search"), false);
+$default->siteMap->addDefaultPage("advancedSearch", "/search/advancedSearchBL.php", "Advanced Search", Guest, _kt("Advanced Search"), true);
+$default->siteMap->addPage("booleanSearch", "/search/booleanSearch.php", "Boolean Search", Guest, _kt("Boolean Search"), false);
 $default->siteMap->addSectionColour("Advanced Search", "th", "A1571B");
 $default->siteMap->addSectionColour("Standard Search", "th", "A1571B");
 // pages for prefs section
-$default->siteMap->addDefaultPage("preferences", "/preferences.php", "Preferences", User, _("Preferences"));
+$default->siteMap->addDefaultPage("preferences", "/preferences.php", "Preferences", User, _kt("Preferences"));
 // pages for Help section
-$default->siteMap->addDefaultPage("help", "/presentation/lookAndFeel/knowledgeTree/help.php", "Help", Guest, _("Help"));
+$default->siteMap->addDefaultPage("help", "/presentation/lookAndFeel/knowledgeTree/help.php", "Help", Guest, _kt("Help"));
 // pages for logout section section
-$default->siteMap->addDefaultPage("logout", "/presentation/logout.php", "Logout", Guest, _("Logout"));
+$default->siteMap->addDefaultPage("logout", "/presentation/logout.php", "Logout", Guest, _kt("Logout"));
 ?>
@@ -63,9 +63,13 @@ if ($action != &quot;login&quot;) {
         }
     } else {
         // session check fails, so default action should be the login form if no action was specified
+        $oKTConfig = KTConfig::getSingleton();
+        $dest = 'login';
+        if ($oKTConfig->get('allowAnonymousLogin', false)) { $dest = 'dashboard'; }
+            
         if (!isset($action)) {
-            $action = "login";
-        } elseif ($action <> "login") {
+            $action = $dest;
+        } elseif ($action <> $dest) {
             // we have a controller link and auth has failed, so redirect to the login page
             // with the controller link as the redirect
             $url = generateControllerUrl("login");
@@ -218,6 +218,25 @@ class KTStandardDispatcher extends KTDispatcher {
     }
     function loginRequired() {
+		$oKTConfig =& KTConfig::getSingleton();
+	    if ($oKTConfig->get('allowAnonymousLogin', false)) {
+		    // anonymous logins are now allowed.
+			// the anonymous user is -1.
+			// 
+			// we short-circuit the login mechanisms, setup the session, and go.
+			
+			$oUser =& User::get(-2);
+			if (PEAR::isError($oUser) || ($oUser->getName() != 'Anonymous')) { 
+			    ; // do nothing - the database integrity would break if we log the user in now.
+			} else {
+			    $session = new Session();
+                $sessionID = $session->create($oUser);
+				
+				return ;
+			}
+		}	
+	
+	
         $sErrorMessage = "";
         if (PEAR::isError($this->sessionStatus)) {
             $sErrorMessage = $this->sessionStatus->getMessage();
@@ -249,9 +268,9 @@ class KTStandardDispatcher extends KTDispatcher {
             $this->session = new Session();
             $this->sessionStatus = $this->session->verify();
             if ($this->sessionStatus !== true) {
-                $this->loginRequired();
+                $this->loginRequired();	
             }
-
+			//var_dump($this->sessionStatus);
             $this->oUser =& User::get($_SESSION['userID']);
             $oProvider =& KTAuthenticationUtil::getAuthenticationProviderForUser($this->oUser);
             $oProvider->verify($this->oUser);
@@ -185,10 +185,18 @@ class DocumentType extends KTEntity {
 	function &getList($sWhereClause = null) {
         return KTEntityUtil::getList2('DocumentType', $sWhereClause);
 	}
+	
+	/* alternative for use in creation:  delegate for user and location */
+	function &getListForUserAndFolder($oUser, $oFolder) {
+	    $src =& KTDocumentTypeManager::getSingleton();
+		return $src->getListForUserAndFolder($oUser, $oFolder);
+	}
     function &createFromArray($aArray) {
         return KTEntityUtil::createFromArray('DocumentType', $aArray);
     }
+	
+	
 }
@@ -207,4 +215,71 @@ function &amp; documenttypeCreateFromArray($aParameters) {
 	return $oDocType;
 }
+
+class DemoDelegation {
+    var $handler_ns = 'brad.oddhandler';
+	var $handler_name = null;
+	
+	function DemoDelegation() {
+	    $this->handler_name = _kt('Demo Delegator');
+	}
+	
+    function &getListForUserAndFolder($oUser, $oFolder) {
+	    $list =&  DocumentType::getList();
+		$finallist = array();
+		foreach ($list as $oType) {
+		    if ($oType->getId() % 2 == 0) {
+			    $finallist[] = $oType;
+			}
+		}
+		return $finallist;
+	}
+}
+
+/* simple singleton util class */
+class KTDocumentTypeManager {
+    var $_handlers = array();
+	var $_active_handler = null;
+	var $_checked = false;
+
+    function &getSingleton() {
+        if (!KTUtil::arrayGet($GLOBALS, 'oKTDocumentTypeManager')) {
+            $GLOBALS['oKTDocumentTypeManager'] = new KTDocumentTypeManager;
+        }
+        return $GLOBALS['oKTDocumentTypeManager'];
+    }
+		
+	function &getListForUserAndFolder($oUser, $oFolder) {
+	    $this->checkActiveHandler();
+	    if (is_null($this->_active_handler)) {
+		    // as totally normal if nothing is registered.
+		    return DocumentType::getList();
+		} else {
+		    return $this->_active_handler->getListForUserAndFolder($oUser, $oFolder);
+		}
+	}
+	
+	function checkActiveHandler() {
+	    if ($this->_checked) { return ; }
+	    // not perfect - see workflow-delegator for explanation.
+		$res = KTUtil::getSystemSetting('documenttypehandler');
+		
+		if (empty($res) || PEAR::isError($res)) { // just fail silently - don't degrade the system
+		    $this->_active_handler = null;
+		} else {
+		    $ns = $res;
+			$this->_active_handler = KTUtil::arrayGet($this->handlers, $ns);
+		}
+		
+		$this->_checked = true;
+		
+		return ;
+	}
+	
+	function registerHandler($oHandler) {
+	    $this->_handlers[$oHandler->handler_ns] = $oHandler;
+	}
+}
+
+
 ?>
@@ -143,6 +143,7 @@ class Folder extends KTEntity {
         }
         $oFolder =& Folder::get($iFolderId);
+		if (PEAR::isError($oFolder)) { sprintf("The invalid folder id is: %s", print_r($iFolderId, true)); }
         $iParentId = $oFolder->getParentId();
         if (empty($iParentId)) {
             return $oFolder->getName();
@@ -235,6 +235,9 @@ class Group extends KTEntity {
         if (PEAR::isError($res)) {
             return $res;
         }
+		
+		GroupUtil::clearGroupCacheForUser($oUser);
+		
         return true;
     }
     // }}}
@@ -368,6 +368,14 @@ class GroupUtil {
         // }
     }
     // }}}
+    
+    function clearGroupCacheForUser($oUser) {
+        $oCache =& KTCache::getSingleton();
+        if (PEAR::isError($oUser)) { return $oUser; }
+        $group = "groupidsforuser";
+        $iUserId = KTUtil::getId($oUser);
+        $oCache->remove($group, $iUserId);
+    }
 }
 // }}}
@@ -610,14 +610,16 @@ class KTEntityUtil {
         }
         return $oObject;
         /* */
-        $oObject =& KTUtil::arrayGet($GLOBALS['_OBJECTCACHE'][$sClassName], $iId);
-        if ($oObject) { return $oObject; }
+        // XXX Object cache currently causes hard-to-trace inconsistencies in data. 
+        // $oObject =& KTUtil::arrayGet($GLOBALS['_OBJECTCACHE'][$sClassName], $iId);
+        // if ($oObject) { return $oObject; }
         $oObject =& new $sClassName;
         $res = $oObject->load($iId);
         if (PEAR::isError($res)) {
             return $res;
         }
-        $GLOBALS['_OBJECTCACHE'][$sClassName][$iId] =& $oObject;
+        // XXX Object cache currently causes hard-to-trace inconsistencies in data. 
+        //$GLOBALS['_OBJECTCACHE'][$sClassName][$iId] =& $oObject;
         return $oObject;
         /* */
     }
@@ -276,13 +276,14 @@ class KTPermissionDescriptor extends KTEntity {
     // {{{ hasRoles
     function hasRoles($aRoles) {
+        if (!is_array($aRoles)) { return false; }
         $sTable = KTUtil::getTableName('permission_descriptor_roles');
         if (count($aRoles) === 0) {
             return false;
         }
         $aRoleIDs = array();
         foreach ($aRoles as $oRole) {
-            $aRoleIDs[] = $oRole->getID();
+            $aRoleIDs[] = KTUtil::getId($oRole);
         }
         $sRoleIDs = DBUtil::paramArray($aRoleIDs);
         $sQuery = "SELECT COUNT(role_id) AS num FROM $sTable
@@ -83,10 +83,19 @@ class KTPermissionUtil {
         $sDescriptor = KTPermissionUtil::generateDescriptor($aAllowed);
         $oDescriptor =& KTPermissionDescriptor::getByDescriptor(md5($sDescriptor));
         if (PEAR::isError($oDescriptor)) {
+            
             $oDescriptor =& KTPermissionDescriptor::createFromArray(array(
                 "descriptortext" => $sDescriptor,
             ));
+            if (PEAR::isError($oDescriptor)) {
+                print '<pre>';
+                print_r($aAllowed);
+                print "-----------\n";
+                print_r($oDescriptor);
+                print '</pre>';
+            }
             $oDescriptor->saveAllowed($aAllowed);
+            
         }
         return $oDescriptor;
     }
@@ -137,8 +146,8 @@ class KTPermissionUtil {
      * previous assignment.
      */
     function setPermissionForID($sPermission, $iObjectID, $aAllowed) {
-        $oPermissionAssignment = KTPermissionUtil::getOrCreateAssignment($sPermission, $iObjectID);
-        $oDescriptor = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
+        $oPermissionAssignment =& KTPermissionUtil::getOrCreateAssignment($sPermission, $iObjectID);
+        $oDescriptor =& KTPermissionUtil::getOrCreateDescriptor($aAllowed);
         $oPermissionAssignment->setPermissionDescriptorID($oDescriptor->getID());
         $res = $oPermissionAssignment->update();
         return $res;
@@ -167,12 +176,16 @@ class KTPermissionUtil {
         $sWhere = 'permission_object_id = ?';
         $aParams = array($oPO->getID());
         $aFolders =& Folder::getList(array($sWhere, $aParams));
-        foreach ($aFolders as $oFolder) {
-            KTPermissionUtil::updatePermissionLookup($oFolder);
+        if (!PEAR::isError($aFolders)) { 
+            foreach ($aFolders as $oFolder) {
+                KTPermissionUtil::updatePermissionLookup($oFolder);
+            }
         }
         $aDocuments =& Document::getList(array($sWhere, $aParams));
-        foreach ($aDocuments as $oDocument) {
-            KTPermissionUtil::updatePermissionLookup($oDocument);
+        if (!PEAR::isError($aDocuments)) {
+            foreach ($aDocuments as $oDocument) {
+                KTPermissionUtil::updatePermissionLookup($oDocument);
+            }
         }
     }
     // }}}
@@ -219,9 +232,7 @@ class KTPermissionUtil {
         if (!is_a($oFolderOrDocument, 'Folder')) {
             if (!is_a($oFolderOrDocument, 'Document')) {
                 if (!is_a($oFolderOrDocument, 'KTDocumentCore')) {
-                    echo "<pre>";
-                    var_dump($oFolderOrDocument);
-                    echo "</pre>";
+                    return ; // we occasionally get handed a PEAR::raiseError.  Just ignore it.
                 }
             }
         }
@@ -307,9 +318,16 @@ class KTPermissionUtil {
         $_roleCache = array(); 
         foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
+            $aAfterRoles = array();
             if (array_key_exists('role', $aAllowed)) {
-                foreach ($aAllowed['role'] as $iRoleId) {
+                foreach ($aAllowed['role'] as $k => $iRoleId) {
                     // store the PD <-> RoleId map
+                    
+                    // special-case "all" or "authenticated".
+                    if (($iRoleId == -3) || ($iRoleId == -4)) {
+                        $aAfterRoles[] = $iRoleId;
+                        continue;
+                    }
                     if (!array_key_exists($iRoleId, $_roleCache)) {
                         $oRoleAllocation = null;
                         if (is_a($oFolderOrDocument, 'KTDocumentCore') || is_a($oFolderOrDocument, 'Document')) {
@@ -328,10 +346,16 @@ class KTPermissionUtil {
                         $aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aAllowed['group'], $_roleCache[$iRoleId]->getGroupIds());
                         // naturally, roles cannot be assigned roles, or madness follows.
                     }
+                    
+                    unset($aAllowed['role'][$k]);
                 }
             }
+            
             unset($aMapPermAllowed[$iPermissionId]['role']);            
+            if (!empty($aAfterRoles)) { 
+                $aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
+            }
         }
         /*
@@ -370,9 +394,15 @@ class KTPermissionUtil {
             return false;
         }
         $oPD = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
+        
         $aGroups = GroupUtil::listGroupsForUserExpand($oUser);
-        if ($oPD->hasUsers(array($oUser))) { return true; }
-        else { return $oPD->hasGroups($aGroups); }
+        if ($oPD->hasRoles(array(-3))) { return true; } // everyone has access.
+        else if ($oPD->hasUsers(array($oUser))) { return true; }
+        else if ($oPD->hasGroups($aGroups)) { return true; }
+        // here we specialcase roles -3 [everyone] 
+        else if ($oPD->hasRoles(-4) && !$oUser->isAnonymous()) { return true; }
+            
+        return false;
     }
     // }}}
@@ -52,7 +52,7 @@ class DocumentRoleAllocation extends KTEntity {
 		    $aAllowed = array();
 		}
 		// special case "document owner".
-		if ($this->iRoleId == -1) {
+		if ($this->iRoleId == -2) {
 		    $oDoc = KTDocumentCore::get($this->iDocumentId);
@@ -139,7 +139,7 @@ class DocumentRoleAllocation extends KTEntity {
 		}
 		// magic for the Owner role here.
-		if (empty($iAllocId) && ($iRoleId == -1)) {
+		if (empty($iAllocId) && ($iRoleId == -2)) {
 		    $permDescriptor = null;
 			// THIS OBJECT MUST NEVER BE MODIFIED, without first calling CREATE.
 		    $oFakeAlloc = new DocumentRoleAllocation();
@@ -101,6 +101,10 @@ class RoleAllocation extends KTEntity {
 		$fTable = Folder::_table();
 		$oFolder =& Folder::get($iFolderId);
+		// if its an invalid folder, we simply return null, since this is undefined anyway.
+		if (PEAR::isError($oFolder)) { 
+			return null;
+		}
 		$parents = Folder::generateFolderIds($iFolderId);
 		// FIXME what (if anything) do we need to do to check that this can't be used as an attack?
@@ -92,14 +92,17 @@ class Session {
         $iUserID = $_SESSION["userID"];
         // remove the session information from the database
-        $sql = $default->db;
-        $query = "DELETE FROM $default->sessions_table WHERE session_id = '$sSessionID'" . ($iUserID ? " AND user_id=$iUserID" : "");
-        $default->log->info("Session::destroy $query");
-        $sql->query($query);
+
+		$sTable = KTUtil::getTableName('sessions');
+		$res = DBUtil::whereDelete($sTable, array('session_id' => $sSessionID));
+
+
         // remove the php4 session
+		unset($_SESSION['userID']);
+		unset($_SESSION['sessionStatus']);
         session_unset();
-        session_destroy();
+        session_destroy();	
     }
     /**
@@ -139,6 +142,7 @@ class Session {
         // this should be an existing session, so check the db
         $aRows = DBUtil::getResultArray(array("SELECT * FROM $default->sessions_table WHERE session_id = ?", $sessionID));
+				
         $numrows = count($aRows);
         // FIXME: if there aren't more rows that the max sessions for this user
@@ -151,10 +155,14 @@ class Session {
         $default->log->debug("Session::verify found session in db");
         $aRow = $aRows[0];
-        // foreach ($aRows as $aRow) {
         $iUserID = $aRow["user_id"];
-
+		
+        $oKTConfig = KTConfig::getSingleton();	
+		$allowAnon = $oKTConfig->get('allowAnonymousLogin', false);
+		$ANON = -2;
+        if ((!allowAnon) && ($iUserId == $ANON)) { return false; }
+            
         // check that ip matches
         $ip = $this->getClientIP();
         if ($ip != trim($aRow["ip"])) {
@@ -143,12 +143,17 @@ function checkSessionAndRedirect($bRedirect, $bDownload = false) {
     if (PEAR::isError($sessionStatus)) {
         $sErrorMessage = $sessionStatus->getMessage();
     }
+    
+    $oKTConfig = KTConfig::getSingleton();
+    $dest = 'login';
+    if ($oKTConfig->get('allowAnonymousLogin', false)) { $dest = 'dashboard'; }
+    
     // redirect to login with error message
     if ($sErrorMessage) {
         // session timed out
-        $url = generateControllerUrl("login", "errorMessage=" . urlencode($sErrorMessage));
+        $url = generateControllerUrl($dest, "errorMessage=" . urlencode($sErrorMessage));
     } else {
-        $url = generateControllerUrl("login");
+        $url = generateControllerUrl($dest);
     }
     $redirect = urlencode(KTUtil::addQueryStringSelf($_SERVER["QUERY_STRING"]));
@@ -123,10 +123,7 @@ class KTPage {
 			"administration" => $this->_actionHelper(array("name" => _kt("DMS Administration"), "action" => "administration", "active" => 0)),
 		);
-		$this->userMenu = array(
-		    "preferences" => $this->_actionHelper(array("name" => _kt("Preferences"), "action" => "preferences", "active" => 0)),
-			"logout" => $this->_actionHelper(array("name" => _kt("Logout"), "action" => "logout", "active" => 0)),
-		);
+
 	}
@@ -303,6 +300,18 @@ class KTPage {
 			}
 		}
+		$this->userMenu = array();
+		if (!(PEAR::isError($this->user) || is_null($this->user) || $this->user->isAnonymous())) {
+			$this->userMenu = array(
+				"preferences" => $this->_actionHelper(array("name" => _kt("Preferences"), "action" => "preferences", "active" => 0)),
+				"logout" => $this->_actionHelper(array("name" => _kt("Logout"), "action" => "logout", "active" => 0)),
+			);
+		} else {
+			$this->userMenu = array(
+			    "login" => $this->_actionHelper(array("name" => _kt("Login"), "action" => "login")),
+			);
+		}		
+		
 		// FIXME we need a more complete solution to navigation restriction
 		if (!is_null($this->menu['administration']) && !is_null($this->user)) {
 			if (!Permission::userIsSystemAdministrator($this->user->getId())) {
@@ -285,4 +285,6 @@ class User extends KTEntity {
             'last_login' => array('type' => 'after', 'value' => $dDateTime),
         ), array('multi' => true));
     }
+	
+    function isAnonymous() { return $this->iId == -2; }
 }
@@ -587,6 +587,52 @@ class KTUtil {
         }
         return null;
     }
+    
+    function getSystemSetting($name, $default = null) {
+        // XXX make this use a cache layer?
+        $sTable = KTUtil::getTableName('system_settings');
+        $aQuery = array(
+            sprintf('SELECT value FROM %s WHERE name = ?', $sTable),
+            array($name),
+        );
+        $res = DBUtil::getOneResultKey($aQuery, 'value');
+        if (PEAR::isError($res)) { 
+            return PEAR::raiseError(sprintf(_kt('Unable to retrieve system setting %s: %s'), $name, $res->getMessage()));
+        }
+        
+        if (empty($res)) { return $default; }
+        
+        return $res;
+    }
+    
+    function setSystemSetting($name, $value) {
+        // we either need to insert or update:
+        $sTable = KTUtil::getTableName('system_settings');
+        $current_value = KTUtil::getSystemSetting($name);
+        if (is_null($current_value)) {
+            // insert
+            $res = DBUtil::autoInsert(
+                $sTable,
+                array(
+                    'name' => $name,
+                    'value' => $value,
+                ),
+                null // opts
+            );
+            if (PEAR::isError($res)) { return $res; }
+            else { return true; }
+        } else {
+            // update
+            $aQuery = array(
+                sprintf('UPDATE %s SET value = ? WHERE name = ?', $sTable),
+                array($value, $name),
+            );
+            $res = DBUtil::runQuery($aQuery);
+            if (PEAR::isError($res)) { return $res; }
+            return true;
+        }
+    }
+
 }
 /**
@@ -37,9 +37,15 @@ require_once(KT_LIB_DIR . &#39;/authentication/authenticationutil.inc.php&#39;);
 class LoginPageDispatcher extends KTDispatcher {
     function check() {
+        $oKTConfig = KTConfig::getSingleton();
         $this->session = new Session();
-        if ($this->session->verify() == 1) { // erk.  neil - DOUBLE CHECK THIS PLEASE.
-            exit(redirect(generateControllerLink('dashboard')));
+        if ($this->session->verify() == 1) { // the session is valid
+            if ($_SESSION['userID'] == -2 && $oKTConfig->get('allowAnonymousLogin', false)) {
+                ; // that's ok - we want to login.
+            }
+            else {
+                exit(redirect(generateControllerLink('dashboard')));
+            }
         } else {
             $this->session->destroy(); // toast it - its probably a hostile session.
         }
@@ -165,7 +165,7 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         //   - and that allocation id
         $aRoles = array(); // stores data for display.
-        $aRoleList = Role::getList();
+        $aRoleList = Role::getList('id > 0');
         foreach ($aRoleList as $oRole) {
             $iRoleId = $oRole->getId();
             $aRoles[$iRoleId] = array("name" => $oRole->getName());
@@ -541,7 +541,9 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 			}
 			foreach ($aDocList as $oDoc) { 
-			    KTPermissionUtil::updatePermissionLookup($oDoc);
+			    if (!PEAR::isError($oDoc)) {
+			        KTPermissionUtil::updatePermissionLookup($oDoc);
+				}
 			}
 		}
 	}
@@ -64,9 +64,9 @@ class KTGroupAdminDispatcher extends KTAdminDispatcher {
 		$search_fields[] =  new KTStringWidget(_kt('Group Name'), _kt("Enter part of the group's name.  e.g. <strong>ad</strong> will match <strong>administrators</strong>."), 'name', $name, $this->oPage, true);
 		if (!empty($name)) {
-			$search_results =& Group::getList('WHERE name LIKE \'%' . DBUtil::escapeSimple($name) . '%\'');
+			$search_results =& Group::getList('WHERE name LIKE \'%' . DBUtil::escapeSimple($name) . '%\' AND id > 0');
 		} else if ($show_all !== false) {
-			$search_results =& Group::getList();
+			$search_results =& Group::getList('id > 0');
 			$no_search = false;
 		}
@@ -211,7 +211,7 @@ class KTGroupAdminDispatcher extends KTAdminDispatcher {
         $this->oPage->requireJSStandalone($initJS);
         $aInitialUsers = $oGroup->getMembers();
-        $aAllUsers = User::getList();
+        $aAllUsers = User::getList('id > 0');
         // FIXME this is massively non-performant for large userbases..
@@ -41,7 +41,11 @@ class RoleAdminDispatcher extends KTAdminDispatcher {
         $edit_fields = array();
         $role_id = KTUtil::arrayGet($_REQUEST, 'role_id', null);
-        $oRole = Role::get($role_id);
+        if (is_null($role_id)) {
+            $oRole = null; // handle broken case of role == -1
+        } else {
+            $oRole = Role::get($role_id);
+        }
         if (PEAR::isError($oRole) || ($oRole == false)) { $for_edit = false; }
         else {
@@ -68,9 +68,9 @@ class KTUserAdminDispatcher extends KTAdminDispatcher {
         // FIXME handle group search stuff.
         $search_results = null;
         if (!empty($name)) {
-            $search_results =& User::getList('WHERE username LIKE \'%' . DBUtil::escapeSimple($name) . '%\'');
+            $search_results =& User::getList('WHERE username LIKE \'%' . DBUtil::escapeSimple($name) . '%\' AND id > 0');
         } else if ($show_all !== false) {
-            $search_results =& User::getList();
+            $search_results =& User::getList('id > 0');
             $no_search = false;
         }
@@ -1330,6 +1330,22 @@ class KTWorkflowDispatcher extends KTAdminDispatcher {
             'redirect_to' => array('editTransition', 'fWorkflowId=' . $oWorkflow->getId() . '&fTransitionId=' . $oTransition->getId()),
             'message' => _kt('Error saving transition'),
         ));
+        
+        // also grab the list of transitions for the dest state, and remove this one if application
+        $aDestTransitions = KTWorkflowUtil::getTransitionsFrom($oState, array('ids' => true));
+        $bClean = true;
+        $aNewTransitions = array();
+        foreach ($aDestTransitions as $iOldTransitionId) {
+            if ($oTransition->getId() == $iOldTransitionId) {
+                $bClean = false;
+            } else {
+                $aNewTransitions[] = $iOldTransitionId;
+            }
+        }
+        if (!$bClean) {
+            KTWorkflowUtil::saveTransitionsFrom($oState, $aNewTransitions);
+        }
+        
         $this->successRedirectTo('editTransition', _kt('Changes saved'), 'fWorkflowId=' . $oWorkflow->getId() . '&fTransitionId=' .  $oTransition->getId());
         exit(0);
     }
@@ -63,7 +63,7 @@ class KTBulkImportFolderAction extends KTFolderAction {
         $add_fields[] = new KTStringWidget(_kt('Path'), _kt('The path containing the documents to be added to the document management system.'), 'path', "", $this->oPage, true);
         $aVocab = array('' => _kt('&lt;Please select a document type&gt;'));
-        foreach (DocumentType::getList() as $oDocumentType) {
+        foreach (DocumentType::getListForUserAndFolder($this->oUser, $this->oFolder) as $oDocumentType) {
             if(!$oDocumentType->getDisabled()) {
                 $aVocab[$oDocumentType->getId()] = $oDocumentType->getName();
             }
@@ -70,7 +70,7 @@ class KTBulkUploadFolderAction extends KTFolderAction {
         $add_fields[] = new KTFileUploadWidget(_kt('Archive file'), _kt('The archive file containing the documents you wish to add to the document management system.'), 'file', "", $this->oPage, true);
         $aVocab = array('' => _kt('&lt;Please select a document type&gt;'));
-        foreach (DocumentType::getList() as $oDocumentType) {
+        foreach (DocumentType::getListForUserAndFolder($this->oUser, $this->oFolder) as $oDocumentType) {
             if(!$oDocumentType->getDisabled()) {
                 $aVocab[$oDocumentType->getId()] = $oDocumentType->getName();
             }
@@ -74,7 +74,7 @@ class KTFolderAddDocumentAction extends KTFolderAction {
         $aVocab = array('' => _kt('&lt;Please select a document type&gt;'));
-        foreach (DocumentType::getList() as $oDocumentType) {
+        foreach (DocumentType::getListForUserAndFolder($this->oUser, $this->oFolder) as $oDocumentType) {
             if(!$oDocumentType->getDisabled()) {
                 $aVocab[$oDocumentType->getId()] = $oDocumentType->getName();
             }
@@ -39,6 +39,11 @@ require_once(KT_LIB_DIR . &#39;/widgets/fieldWidgets.php&#39;);
 class PreferencesDispatcher extends KTStandardDispatcher {
     var $sSection = 'preferences';
+	function check() {
+	    if ($this->oUser->getId() == -2) { return false; }
+		return parent::check();
+	}
+
     function PreferencesDispatcher() {
         $this->aBreadcrumbs = array(
             array('action' => 'preferences', 'name' => _kt('Preferences')),
@@ -657,7 +657,7 @@ INSERT INTO `plugins` VALUES (15, &#39;nbm.browseable.plugin&#39;, &#39;plugins/browseableda
 -- Dumping data for table `roles`
 -- 
-INSERT INTO `roles` VALUES (-1, 'Owner');
+INSERT INTO `roles` VALUES (-2, 'Owner');
 -- 
 -- Dumping data for table `saved_searches`
+UPDATE roles SET id = -2 WHERE id = -1;
@@ -70,8 +70,9 @@
       <li class="pref">{if ($page->user)}
         <span class="ktLoggedInUser">{$page->user->getName()}</span>
         {/if}
+        {if !empty($page->userMenu)}
         &middot;
-        
+        {/if}
         {foreach item=aMenuItem from=$page->userMenu name=prefmenu}
          {if ($aMenuItem.active == 1)}