- add role-allocations

- ensure that workflow and permission respect role-based allocations. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@4454 c91229c3-7414-0410-bfa2-8a42b809f60b

- add role-allocations
- ensure that workflow and permission respect role-based allocations. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@4454 c91229c3-7414-0410-bfa2-8a42b809f60b
bshuttle
1 parent 3189d37e
Showing 14 changed files with 904 additions and 151 deletions
config/tableMappings.inc
lib/permissions/permissionutil.inc.php
lib/roles/Role.inc
lib/roles/roleallocation.inc.php
lib/workflow/workflowutil.inc.php
plugins/ktcore/KTPermissions.php
presentation/lookAndFeel/knowledgeTree/browse.php
resources/css/kt-framing.css
sql/mysql/install/structure.sql
sql/mysql/upgrade/2.99.5/role_allocations.sql
sql/mysql/upgrade/2.99.5/role_changes.sql
templates/ktcore/folder/roles.smarty
templates/ktcore/folder/roles_managegroups.smarty
templates/ktcore/folder/roles_manageusers.smarty
@@ -142,4 +142,5 @@ $default-&gt;permission_dynamic_assignments_table = &#39;permission_dynamic_assignments
 $default->notifications_table = "notifications";
 $default->authentication_sources_table = "authentication_sources";
 $default->dashlet_disable_table = "dashlet_disables";
+$default->role_allocations_table = "role_allocations";
 ?>
@@ -10,6 +10,7 @@ require_once(KT_LIB_DIR . &quot;/permissions/permissionlookupassignment.inc.php&quot;);
 require_once(KT_LIB_DIR . "/permissions/permissionobject.inc.php");
 require_once(KT_LIB_DIR . "/permissions/permissiondynamiccondition.inc.php");
 require_once(KT_LIB_DIR . "/groups/GroupUtil.php");
+require_once(KT_LIB_DIR . "/roles/roleallocation.inc.php");
  
 class KTPermissionUtil {
     // {{{ generateDescriptor
@@ -182,9 +183,11 @@ class KTPermissionUtil {
             $oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
             $aGroupIDs = $oPD->getGroups();
             $aUserIDs = array();
+            $aRoleIDs = $oPD->getRoles();
             $aAllowed = array(
                 "group" => $aGroupIDs,
                 "user" => $aUserIDs,
+                "role" => $aRoleIDs,
             );
             $aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
         }
@@ -207,6 +210,31 @@ class KTPermissionUtil {
             }
         }
  
+        // if we have roles:  nearest folder.
+        $iRoleSourceFolder = null;
+        if (is_a($oFolderOrDocument, 'Document')) { $iRoleSourceFolder = $oFolderOrDocument->getFolderID(); }
+        else { $iRoleSourceFolder = $oFolderOrDocument->getId(); }
+            
+        // very minor perf win:  map role_id (in context) to PD.
+        $_roleCache = array(); 
+            
+        foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
+            if (array_key_exists('role', $aAllowed)) {
+                foreach ($aAllowed['role'] as $iRoleId) {
+                    // store the PD <-> RoleId map
+                    if (!array_key_exists($iRoleId, $_roleCache)) {
+                        $oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
+                        $_roleCache[$iRoleId] = $oRoleAllocation;
+                    }
+                    // roles are _not_ always assigned (can be null at root)
+                    if ($_roleCache[$iRoleId] != null) {
+                        $aAllowed['user'] = array_merge($aAllowed['user'], $_roleCache[$iRoleId]->getUsers());
+                        $aAllowed['group'] = array_merge($aAllowed['group'], $_roleCache[$iRoleId]->getGroups());
+                    }
+                }
+            }
+        }
+
         $aMapPermDesc = array();
         foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
             $oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
@@ -21,170 +21,43 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
  * @version $Revision$
- * @author Rob Cherry, Jam Warehouse (Pty) Ltd, South Africa
+ * @author Brad Shuttleworth, Jam Warehouse (Pty) Ltd, South Africa
  * @package lib.roles
  */
+ 
+require_once(KT_LIB_DIR . "/ktentity.inc"); 
+require_once(KT_LIB_DIR . "/util/ktutil.inc"); 
+ 
 class Role extends KTEntity {
  
 	/** role object primary key */
 	var $iId;
-	/** role name */
 	var $sName;
-	/** is an active user*/
-	var $bActive;
-	/** role has document read permission */
-	var $bCanRead;
-	/** role has document write */
-	var $bCanWrite;
  
+	var $_aFieldToSelect = array(
+	    'iId' => 'id',
+		'sName' => 'name',
+	);
  
-	
-	/**
-	* Default constructor
-	*
-	* @param 	String		Role name
-	* @param 	boolean		Role has document read permission
-	* @param 	boolean		Role has document write permission
-	*
-	*/
-	function Role($sNewName = null, $bNewCanRead = false, $bNewCanWrite = false) {
+	function Role($sNewName = null, $x=null, $y=null) {
 		//object not yet created in database
 		$this->iId = -1;
 		$this->sName = $sNewName;
-		$this->bCanRead = $bNewCanRead;
-		$this->bCanWrite = $bNewCanWrite;
-	}
-	
-	function getName() {
-		return $this->sName;
-	}
-	
-	function getID() {
-		return $this->iId;
-	}
-	
-	function getActive() {
-		return $this->bActive;
-	}
-	
-	function setActive($bNewValue) {
-		$this->bActive = $bNewValue;
-	}
-	
-	function getReadable() {
-		return $this->bCanRead;
-	}
-	
-	function setReadable($bNewValue) {
-		$this->bCanRead = $bNewValue;
-	}
-	
-	function getWriteable() {
-		return $this->bCanWrite;
-	}
-	
-	function setWriteable($bNewValue) {
-		$this->bCanWrite = $bNewValue;
-	}
-	
-	function setName($bNewValue) {
-		$this->sName = $bNewValue;
 	}
  
-    function _fieldValues () {
-        return array(
+	function getName() { return $this->sName; }	
+	function setName($sNewValue) { $this->sName = $sNewValue; }
+	
+    function _fieldValues () { return array(
+		    'id' => $this->iId,
             'name' => $this->sName,
-            'active' => KTUtil::anyToBool($this->bActive),
-            'can_read' => KTUtil::anyToBool($this->bCanRead),
-            'can_write' => KTUtil::anyToBool($this->bCanWrite),
         );
     }
  
-    function _table () {
-        global $default;
-        return $default->roles_table;
-    }
-	
-	/**
-	* Delete the current object from the database
-	*
-	* @return boolean true on successful deletion, false otherwise and set $_SESSION["errorMessage"]
-	*
-	*/
-	function delete() {
-		global $default, $lang_err_database, $lang_err_object_key;
-		//only delete the object if it exists in the database
-		/*
-		if ($this->iId >= 0) {
-			
-			$sql = $default->db;
-			$query = "SELECT role_id FROM ". $default->groups_folders_approval_table ." WHERE role_id = ?";
-            $aParams = array($this->iId);
-            $sql->query(array($query, $aParams));
-            $rows = $sql->num_rows($sql);
-        
-             if ($rows > 0){
-                 $_SESSION["errorMessage"] = "Role::The Role " . $this->sName . " is Assigned to a folder!";
-                 return false;
-             }
-        }
-		*/
-        return parent::delete();
-	}
-	
-	/**
-	* Static function.
-	* Given a roles primary key it will create a 
-	* Roles object and populate it with the 
-	* corresponding database values
-	*
-	* @return Role populated Role object on successful query, false otherwise and set $_SESSION["errorMessage"]
-	*/
-	function & get($iRoleID) {
-		global $default;
-		$sql = $default->db;
-		$result = $sql->query(array("SELECT * FROM $default->roles_table WHERE id = ?", $iRoleID));/*ok*/
-		if ($result) {
-			if ($sql->next_record()) {
-				$oRole = & new Role($sql->f("name"), $sql->f("can_read"), $sql->f("can_write"));
-				$oRole->iId = $iRoleID;
-				$oRole->bActive = $sql->f("active");
-				return $oRole;
-			}
-			$_SESSION["errorMessage"] = $lang_err_object_not_exist . "id = " . $iRoleID . " table = $default->roles_table";
-			return false;
-		}
-		$_SESSION["errorMessage"] = $lang_err_database;
-		return false;
-	}
-
-/**
-	* Static function
-	* Get a list of web documents
-	*
-	* @param 	String		Where clause (not required)
-	*
-	* @return Array array of Role objects, false otherwise and set $_SESSION["errorMessage"]
-	*/
-	function getList($sWhereClause = null) {
-            return KTEntityUtil::getList(Role::_table(), 'Role', $sWhereClause);
-	}
-}
-
-
-
-/**
-* Static function
-*
-* Creates a roles object from an array
-*
-* @param 	Array		Array of parameters.  Must match order of parameters in constructor
-*
-* @return User user object
-*/
-function & roleCreateFromArray($aParameters) {
-	$oRole = & new Role($aParameters[0], $aParameters[1], $aParameters[2], $aParameters[3], $aParameters[4], $aParameters[5], $aParameters[6], $aParameters[7], $aParameters[8], $aParameters[9], $aParameters[10]);
-	return $oRole;
+    function _table () { return KTUtil::getTableName('roles'); }
+    function & get($iRoleId) { return KTEntityUtil::get('Role', $iRoleId); }
+	function & getList($sWhereClause = null) { return KTEntityUtil::getList2('Role', $sWhereClause); }
+	function & createFromArray($aOptions) { return KTEntityUtil::createFromArray('Role', $aOptions); }
 }
  
 ?>
+<?php
+
+require_once(KT_LIB_DIR . "/ktentity.inc"); 
+require_once(KT_LIB_DIR . "/util/ktutil.inc"); 
+require_once(KT_LIB_DIR . "/database/dbutil.inc"); 
+ 
+require_once(KT_LIB_DIR . "/permissions/permissiondescriptor.inc.php");
+require_once(KT_LIB_DIR . "/permissions/permissionutil.inc.php");
+require_once(KT_LIB_DIR . "/users/User.inc");
+require_once(KT_LIB_DIR . "/groups/Group.inc");
+require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
+ 
+class RoleAllocation extends KTEntity {
+	
+	/** role object primary key */
+	var $iId=-1;
+	var $iFolderId;
+	var $iRoleId;
+	var $iPermissionDescriptorId;
+	
+	var $_bUsePearError = true;
+	
+	var $_aFieldToSelect = array(
+	    'iId' => 'id',
+		'iRoleId' => 'role_id',
+		'iFolderId' => 'folder_id',
+		'iPermissionDescriptorId' => 'permission_descriptor_id',
+	);
+
+	function setFolderId($iFolderId) { $this->iFolderId = $iFolderId; }
+	function setRoleId($iRoleId) { $this->iRoleId = $iRoleId; }
+	function setPermissionDescriptorId($iPermissionDescriptorId) { $this->iPermissionDescriptorId = $iPermissionDescriptorId; }
+	function getFolderId() {  return $this->iFolderId; }
+	function getRoleId() { return $this->iRoleId; }
+	function getPermissionDescriptorId() { return $this->iPermissionDescriptorId; }
+
+	// aggregate:  set (for this alloc) the array('user' => array(), 'group' => array()).
+	function setAllowed($aAllowed) {
+		$oDescriptor = KTPermissionUtil::getOrCreateDescriptor($aAllowed); // fully done, etc.
+		$this->iPermissionDescriptorId = $oDescriptor->getId();
+	}
+	
+    function _fieldValues () { return array(
+            'role_id' => $this->iRoleId,
+            'folder_id' => $this->iFolderId,
+			'permission_descriptor_id' => $this->iPermissionDescriptorId,
+        );
+    }
+
+	/* getAllocationForFolderAndRole($iFolderId, $iRoleId)
+	 *
+	 *   this is the key function:  for a given folder and role,
+	 *   returns either a RoleAllocation object, or null 
+	 *   (if there is none).  It scans _up_ the hierachy of folders,
+	 *   trying to find the nearest such object with a folder_id
+	 *   in the mapping.
+	 */
+	function & getAllocationsForFolderAndRole($iFolderId, $iRoleId) {
+		// FIXME the query we use here is ... not very pleasant.  
+		// NBM: is this the "right" way to do this?
+		$raTable = KTUtil::getTableName('role_allocations');
+		
+		$fTable = Folder::_table();
+		
+		$oFolder =& Folder::get($iFolderId);
+		$parents = $oFolder->getParentFolderIDs() . ',' . $iFolderId; // this is formatted as 1,2,3,4,5,6 - perfect for "WHERE".
+		
+		// FIXME what (if anything) do we need to do to check that this can't be used as an attack?
+		$folders = '(' . $parents . ')';
+		
+		$sQuery = "SELECT ra.id as `id` FROM " . $raTable . " AS ra " .
+		' LEFT JOIN ' . $fTable . ' AS f ON (f.id = ra.folder_id) ' .
+		' WHERE f.id IN ' . $folders .
+		' ORDER BY CHAR_LENGTH(f.parent_folder_ids) desc, f.parent_folder_ids DESC; ';
+		$aParams = array();
+		
+		$aRoleAllocIds = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'id');
+		
+		if (false) {
+		    print '<pre>';
+			var_dump($aRoleAllocIds);
+			print '';
+			print $sQuery;
+			print '</pre>';		
+		}
+		
+		if (empty($aRoleAllocIds)) { 
+		    return null;
+		}
+		
+		$iAllocId = $aRoleAllocIds[0]; // array pop?
+		return RoleAllocation::get($iAllocId);
+	}
+	
+	// static, boilerplate.
+    function _table () { return KTUtil::getTableName('role_allocations'); }
+    function & get($iRoleId) { return KTEntityUtil::get('RoleAllocation', $iRoleId); }
+	function & getList($sWhereClause = null) { return KTEntityUtil::getList2('RoleAllocation', $sWhereClause); }
+	function & createFromArray($aOptions) { return KTEntityUtil::createFromArray('RoleAllocation', $aOptions); }
+
+	function getPermissionDescriptor() {
+	    // could be an error - return as-is.
+		$oDescriptor =& KTPermissionDescriptor::get($this->iPermissionDescriptorId);
+		return $oDescriptor;
+	}
+
+	// setting users and groups needs to use permissionutil::getOrCreateDescriptor
+	function getUsers() {
+	    $oDescriptor = $this->getPermissionDescriptor();
+		$aUsers = array();
+		if (PEAR::isError($oDescriptor) || ($oDescriptor == false)) {
+		     return $aUsers;
+		}
+		$aAllowed = $oDescriptor->getAllowed();
+		if ($aAllowed['user'] !== null) {
+		    $aUsers = $aAllowed['user'];
+		} 
+		
+		// now we want to map to oUsers, since that's what groups do.
+		$aFullUsers = array();
+		foreach ($aUsers as $iUserId) {
+		    $oUser = User::get($iUserId);
+			if (!(PEAR::isError($oUser) || ($oUser == false))) {
+			    $aFullUsers[] = $oUser;
+			}
+		}
+		
+		return $aFullUsers;
+	}
+	
+	function getGroups() {
+	    $oDescriptor = $this->getPermissionDescriptor();
+		$aGroups = array();
+		if (PEAR::isError($oDescriptor) || ($oDescriptor == false)) {
+		     return $aGroups;
+		}
+		$aAllowed = $oDescriptor->getAllowed();
+		if ($aAllowed['group'] !== null) {
+		    $aGroups = $aAllowed['group'];
+		} 
+		
+		// now we want to map to oUsers, since that's what groups do.
+		$aFullGroups = array();
+		foreach ($aGroups as $iGroupId) {
+		    $oGroup = Group::get($iGroupId);
+			if (!(PEAR::isError($oGroup) || ($oGroup == false))) {
+			    $aFullGroups[] = $oGroup;
+			}
+		}
+		
+		return $aFullGroups;
+	}
+	
+	// utility function to establish user membership in this allocation.
+	// FIXME nbm:  is there are more coherent way to do this ITO your PD infrastructure?
+	function hasMember($oUser) {
+	    $oPD = $this->getPermissionDescriptor();
+		if (PEAR::isError($oPD) || ($oPD == false)) {
+		    return false;
+		}
+		$aAllowed = $oPD->getAllowed();
+		$iUserId = $oUser->getId();
+		
+		if ($aAllowed['user'] != null) {
+			if (array_search($iUserId, $aAllowed['user']) !== false) {
+			    return true;
+			}
+		}
+		
+		// now we need the group objects.
+		// FIXME this could accelerated to a single SQL query on group_user_link.
+		$aGroups = $this->getGroups();
+		if (PEAR::isError($aGroups) || ($aGroups == false)) {
+		    return false;
+		} else {
+		    foreach ($aGroups as $oGroup) {
+				if ($oGroup->hasMember($oUser)) {
+				    return true;
+				}
+			}
+		}
+	    
+	    return false;
+	}
+	
+}
+
+?>
@@ -8,6 +8,7 @@ require_once(KT_LIB_DIR . &#39;/permissions/permissionutil.inc.php&#39;);
 require_once(KT_LIB_DIR . '/groups/GroupUtil.php');
 require_once(KT_LIB_DIR . '/documentmanagement/DocumentTransaction.inc');
 require_once(KT_LIB_DIR . '/search/searchutil.inc.php');
+require_once(KT_LIB_DIR . '/roles/roleallocation.inc.php');
  
 class KTWorkflowUtil {
     // {{{ saveTransitionsFrom
@@ -338,6 +339,18 @@ class KTWorkflowUtil {
                     continue;
                 }
             }
+            $iRoleId = $oTransition->getGuardRoleId();
+            if ($iRoleId) {
+                $oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($oDocument->getFolderID(), $iRoleId);
+                
+                if ($oRoleAllocation == null) {   // no role allocation, no fulfillment.
+                    continue;
+                }
+                
+                if (!$oRoleAllocation->hasMember($oUser)) {
+                    continue;
+                }
+            }
  
             $iConditionId = $oTransition->getGuardConditionId();
             if ($iConditionId) {
 <?php
  
+require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
 require_once(KT_LIB_DIR . '/actions/documentaction.inc.php');
 require_once(KT_LIB_DIR . '/widgets/fieldWidgets.php');
  
 require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
 require_once(KT_LIB_DIR . "/groups/Group.inc");
+require_once(KT_LIB_DIR . "/users/User.inc");
+require_once(KT_LIB_DIR . "/roles/Role.inc");
+require_once(KT_LIB_DIR . "/roles/roleallocation.inc.php");
+
  
 require_once(KT_LIB_DIR . "/permissions/permission.inc.php");
 require_once(KT_LIB_DIR . "/permissions/permissionobject.inc.php");
@@ -77,3 +82,413 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
 }
 $oPlugin->registerAction('documentaction', 'KTDocumentPermissionsAction', 'ktcore.actions.document.permissions');
  
+
+class KTRoleAllocationPlugin extends KTFolderAction {
+    var $sDisplayName = 'Allocate Roles';
+    var $sName = 'ktcore.actions.folder.roles';
+
+    var $_sShowPermission = "ktcore.permissions.write";
+    var $bAutomaticTransaction = true;
+
+    function do_main() {
+        $this->oPage->setTitle(_("Allocate Roles"));
+        $this->oPage->setBreadcrumbDetails(_("Allocate Roles"));
+        $oTemplating = new KTTemplating;
+        $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles");
+        
+        // we need to have:
+        //   - a list of roles
+        //   - with their users / groups
+        //   - and that allocation id
+        $aRoles = array(); // stores data for display.
+        
+        $aRoleList = Role::getList();
+        foreach ($aRoleList as $oRole) {
+            $iRoleId = $oRole->getId();
+            $aRoles[$iRoleId] = array("name" => $oRole->getName());
+            $oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($this->oFolder->getId(), $iRoleId);
+            
+            $u = array();
+            $g = array();
+            $aid = null;
+            $raid = null;
+            if ($oRoleAllocation == null) {
+                ; // nothing.
+            } else {
+                $raid = $oRoleAllocation->getId(); // real_alloc_id
+                if ($oRoleAllocation->getFolderId() == $this->oFolder->getId()) {
+                    $aid = $oRoleAllocation->getid(); // alloc_id
+                }
+                $oPermDesc = KTPermissionDescriptor::get($oRoleAllocation->getPermissionDescriptorId());
+                if (!PEAR::isError($oPermDesc)) {
+                    $aAllowed = $oPermDesc->getAllowed();
+                    if (!empty($aAllowed['user'])) {
+                        $u = $aAllowed['user'];
+                    }
+                    if (!empty($aAllowed['group'])) {
+                        $g = $aAllowed['group'];
+                    }
+                }
+            }
+            $aRoles[$iRoleId]['users'] = $u;
+            $aRoles[$iRoleId]['groups'] = $g;
+            $aRoles[$iRoleId]['allocation_id'] = $aid;
+            $aRoles[$iRoleId]['real_allocation_id'] = $raid;
+        }
+        
+        /*
+        print '<pre>';
+        var_dump($aRoles);
+        print '</pre>';
+        */
+        
+
+        
+        // FIXME this is test data.
+        /*
+        $aRoles = array(
+            1 => array('name' => 'Manager', 'users' => array(1), 'groups' => array(1), 'allocation_id' => 1),
+            2 => array('name' => 'Peasant', 'users' => array(1), 'groups' => array(), 'allocation_id' => 2),
+            3 => array('name' => 'Inherited', 'users' => array(), 'groups' => array(1), 'allocation_id' => null),
+        );
+        */
+        
+        
+        // final step.
+        
+        // map to users, groups.
+        foreach ($aRoles as $key => $role) {
+            $_users = array();
+            foreach ($aRoles[$key]['users'] as $iUserId) {
+                $oUser = User::get($iUserId);
+                if (!(PEAR::isError($oUser) || ($oUser == false))) {
+                    $_users[] = $oUser->getName();
+                }
+            }
+			if (empty($_users)) {
+			    $aRoles[$key]['users'] = '<span class="descriptiveText"> ' . _('no users') . '</span>'; 	
+			} else {
+                $aRoles[$key]['users'] = join(', ',$_users);
+			}
+            
+            $_groups = array();
+            foreach ($aRoles[$key]['groups'] as $iGroupId) {
+                $oGroup = Group::get($iGroupId);
+                if (!(PEAR::isError($oGroup) || ($oGroup == false))) {
+                    $_groups[] = $oGroup->getName();
+                }
+            }
+			if (empty($_groups)) {
+			    $aRoles[$key]['groups'] = '<span class="descriptiveText"> ' . _('no groups') . '</span>'; 	
+			} else {
+			    $aRoles[$key]['groups'] = join(', ',$_groups);
+			}
+        }
+        
+        $aTemplateData = array(
+            'context' => &$this,
+            'roles' => $aRoles,
+        );
+        return $oTemplate->render($aTemplateData);
+    }
+    
+    
+    
+    function do_overrideParent() {
+        $role_id = KTUtil::arrayGet($_REQUEST, 'role_id', null);
+        $oRole = Role::get($role_id);
+        if (PEAR::isError($oRole)) {
+            $this->errorRedirectToMain(_('Invalid Role.'));
+        }
+        // FIXME do we need to check that this role _isn't_ allocated?
+        $oRoleAllocation = new RoleAllocation();
+        $oRoleAllocation->setFolderId($this->oFolder->getId());
+        $oRoleAllocation->setRoleId($role_id);
+        
+        // create a new permission descriptor. 
+        // FIXME we really want to duplicate the original (if it exists)
+        
+        $aAllowed = array(); // no-op, for now.
+		$this->startTransaction();
+		
+        $oRoleAllocation->setAllowed($aAllowed);
+        $res = $oRoleAllocation->create();
+		
+		if (PEAR::isError($res) || ($res == false)) {
+			$this->errorRedirectToMain(_('Failed to create the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
+		}
+        
+		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
+        
+        $this->successRedirectToMain(_('Role allocation created.'), sprintf('fFolderId=%d', $this->oFolder->getId()));
+    }
+    
+    function do_useParent() { 
+        $role_id = KTUtil::arrayGet($_REQUEST, 'role_id', null);
+        $oRole = Role::get($role_id);
+        if (PEAR::isError($oRole)) {
+            $this->errorRedirectToMain(_('Invalid Role.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+        }
+        $role_id = $oRole->getId(); // numeric, for various testing purposes.
+        
+        $oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($this->oFolder->getId(), $role_id);
+        
+        if ($oRoleAllocation->getFolderId() != $this->oFolder->getId()) {
+            $this->errorRedirectToMain(_('Already using a different descriptor.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+        } 
+        $this->startTransaction();
+		
+        $res = $oRoleAllocation->delete();
+		
+        if (PEAR::isError($res) || ($res == false)) {
+            $this->errorRedirectToMain(_('Unable to change role allocation.') . print_r($res, true), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+            exit(0);
+        }
+		
+		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
+        $this->successRedirectToMain(_('Role now uses parent.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+    }
+    
+    function do_editRoleUsers() {
+
+        $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'alloc_id');
+        $oRoleAllocation = RoleAllocation::get($role_allocation_id);
+        if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
+            $this->errorRedirectToMain(_('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
+        }
+        
+        
+        $this->oPage->setBreadcrumbDetails(_('Manage Users for Role'));
+        $this->oPage->setTitle(sprintf(_('Manage Users for Role')));
+        
+        $initJS = 'var optGroup = new OptionTransfer("userSelect","chosenUsers"); ' .
+        'function startTrans() { var f = getElement("userroleform"); ' .
+        ' optGroup.saveNewRightOptions("userFinal"); ' .
+        ' optGroup.init(f); }; ' .
+        ' addLoadEvent(startTrans); '; 
+        $this->oPage->requireJSStandalone($initJS);
+        
+        $aInitialUsers = $oRoleAllocation->getUsers();
+        $aAllUsers = User::getList();
+        
+        
+        // FIXME this is massively non-performant for large userbases..
+        $aRoleUsers = array();
+        $aFreeUsers = array();
+        foreach ($aInitialUsers as $oUser) {
+            $aRoleUsers[$oUser->getId()] = $oUser;
+        }
+        foreach ($aAllUsers as $oUser) {
+            if (!array_key_exists($oUser->getId(), $aRoleUsers)) {
+                $aFreeUsers[$oUser->getId()] = $oUser;
+            }
+        }
+        
+        $oTemplating = new KTTemplating;        
+        $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles_manageusers");
+        $aTemplateData = array(
+            "context" => $this,
+            "edit_rolealloc" => $oRoleAllocation,
+			'unused_users' => $aFreeUsers,
+			'role_users' => $aRoleUsers,
+        );
+        return $oTemplate->render($aTemplateData);
+    }
+	
+    function do_editRoleGroups() { 
+
+        $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'alloc_id');
+        $oRoleAllocation = RoleAllocation::get($role_allocation_id);
+        if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
+            $this->errorRedirectToMain(_('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
+        }
+        
+        
+        $this->oPage->setBreadcrumbDetails(_('Manage Groups for Role'));
+        $this->oPage->setTitle(sprintf(_('Manage Groups for Role')));
+        
+        $initJS = 'var optGroup = new OptionTransfer("groupSelect","chosenGroups"); ' .
+        'function startTrans() { var f = getElement("grouproleform"); ' .
+        ' optGroup.saveNewRightOptions("groupFinal"); ' .
+        ' optGroup.init(f); }; ' .
+        ' addLoadEvent(startTrans); '; 
+        $this->oPage->requireJSStandalone($initJS);
+        
+        $aInitialUsers = $oRoleAllocation->getGroups();
+        $aAllUsers = Group::getList();
+        
+        
+        // FIXME this is massively non-performant for large userbases..
+        $aRoleUsers = array();
+        $aFreeUsers = array();
+        foreach ($aInitialUsers as $oGroup) {
+            $aRoleUsers[$oGroup->getId()] = $oGroup;
+        }
+        foreach ($aAllUsers as $oGroup) {
+            if (!array_key_exists($oGroup->getId(), $aRoleUsers)) {
+                $aFreeUsers[$oGroup->getId()] = $oGroup;
+            }
+        }
+        
+        $oTemplating = new KTTemplating;        
+        $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles_managegroups");
+        $aTemplateData = array(
+            "context" => $this,
+            "edit_rolealloc" => $oRoleAllocation,
+			'unused_groups' => $aFreeUsers,
+			'role_groups' => $aRoleUsers,
+        );
+        return $oTemplate->render($aTemplateData);
+	}
+    
+    function do_setRoleUsers() {
+
+        $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'allocation_id');
+        $oRoleAllocation = RoleAllocation::get($role_allocation_id);
+        if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
+            $this->errorRedirectToMain(_('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
+        }
+        $users = KTUtil::arrayGet($_REQUEST, 'userFinal', '');
+		$aUserIds = explode(',', $users);
+
+		// check that its not corrupt..
+		$aFinalUserIds = array();
+		foreach ($aUserIds as $iUserId) {
+			$oUser =& User::get($iUserId);
+			if (!(PEAR::isError($oUser) || ($oUser == false))) {
+				$aFinalUserIds[] = $iUserId;
+			}
+		}
+		if (empty($aFinalUserIds)) { $aFinalUserIds = null; }
+		
+		// hack straight in.
+		$oPD = $oRoleAllocation->getPermissionDescriptor();
+		$aAllowed = $oPD->getAllowed();		
+		
+		
+		
+		// now, grab the existing allowed and modify.
+
+		$aAllowed['user'] = $aFinalUserIds;
+		
+		$oRoleAllocation->setAllowed($aAllowed);
+		$res = $oRoleAllocation->update();
+		
+		if (PEAR::isError($res) || ($res == false)) {
+			$this->errorRedirectToMain(_('Failed to change the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
+		}
+		
+		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
+		
+        $this->successRedirectToMain(_('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+    }
+    
+    function do_setRoleGroups() {
+	    
+        $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'allocation_id');
+        $oRoleAllocation = RoleAllocation::get($role_allocation_id);
+        if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
+            $this->errorRedirectToMain(_('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
+        }
+        $groups = KTUtil::arrayGet($_REQUEST, 'groupFinal', '');
+		$aGroupIds = explode(',', $groups);
+
+		// check that its not corrupt..
+		$aFinalGroupIds = array();
+		foreach ($aGroupIds as $iGroupId) {
+			$oGroup =& Group::get($iGroupId);
+			if (!(PEAR::isError($oGroup) || ($oGroup == false))) {
+				$aFinalGroupIds[] = $iGroupId;
+			}
+		}
+		if (empty($aFinalGroupIds)) { $aFinalGroupIds = null; }
+		
+		// hack straight in.
+		$oPD = $oRoleAllocation->getPermissionDescriptor();
+		$aAllowed = $oPD->getAllowed();		
+		
+		
+		
+		// now, grab the existing allowed and modify.
+
+		$aAllowed['group'] = $aFinalGroupIds;
+		
+		$oRoleAllocation->setAllowed($aAllowed);
+		$res = $oRoleAllocation->update();
+		
+		if (PEAR::isError($res) || ($res == false)) {
+			$this->errorRedirectToMain(_('Failed to change the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
+		}
+		
+		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
+		
+        $this->successRedirectToMain(_('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId()));     
+    }
+   	
+	function renegeratePermissionsForRole($iRoleId) {
+	    $iStartFolderId = $this->oFolder->getId();
+		$oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($iStartFolderId, $iRoleId);		
+		/* 
+		 * 1. find all folders & documents "below" this one which use the role 
+		 *    definition _active_ (not necessarily present) at this point.
+		 * 2. tell permissionutil to regen their permissions.
+		 *
+		 * The find algorithm is:
+		 *
+		 *  folder_queue <- (iStartFolderId)
+		 *  while folder_queue is not empty:
+		 *     active_folder = 
+		 *     for each folder in the active_folder:
+		 *         find folders in _this_ folder without a role-allocation on the iRoleId
+		 *            add them to the folder_queue
+		 *         update the folder's permissions.
+		 *         find documents in this folder:
+		 *            update their permissions.
+		 */
+		
+		$sQuery = 'SELECT f.id as `id` FROM ' . Folder::_table() . ' AS f LEFT JOIN ' . RoleAllocation::_table() . ' AS ra ON (f.id = ra.folder_id) WHERE f.parent_id = ? AND ra.role_id ';
+		if ($oRoleAllocation == null) { // no alloc.
+		    $sQuery .= ' IS NULL ';
+			$hasId = false;
+		} else {
+		    $sQuery .= ' = ? ';
+			$aId = $oRoleAllocation->getId();
+			$hasId = true;
+		}
+		
+		
+		$folder_queue = array($iStartFolderId);
+		while (!empty($folder_queue)) {
+			$active_folder = array_pop($folder_queue);
+			
+			
+			$aParams = array($active_folder);
+			if ($hasId) { $aParams[] = $aId; }
+			
+			
+			$aNewFolders = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'id');
+			if (PEAR::isError($aNewFolders)) {
+				$this->errorRedirectToMain(_('Failure to generate folderlisting.'));
+			}
+			$folder_queue = array_merge ($folder_queue, $aNewFolders); // push.
+
+			
+			// update the folder.
+			$oFolder =& Folder::get($active_folder);
+			if (PEAR::isError($oFolder) || ($oFolder == false)) {
+			    $this->errorRedirectToMain(_('Unable to locate folder: ') . $active_folder);
+			}
+			
+			KTPermissionUtil::updatePermissionLookup($oFolder);
+			$aDocList =& Document::getList(array('folder_id = ?', $active_folder));
+			if (PEAR::isError($aDocList) || ($aDocList == false)) {
+			    $this->errorRedirectToMain(_('Unable to get documents in folder: ') . $active_folder);
+			}
+			
+			foreach ($aDocList as $oDoc) { 
+			    KTPermissionUtil::updatePermissionLookup($oDoc);
+			}
+		}
+	}
+}
+$oPlugin->registerAction('folderaction', 'KTRoleAllocationPlugin', 'ktcore.actions.folder.roles');
@@ -46,7 +46,7 @@ $sectionName = &quot;browse&quot;;
  
 class BrowseDispatcher extends KTStandardDispatcher {
  
-    var $oFolder = null;    
+    var $oFolder = null;
     var $sSection = "browse";
     var $browse_mode = null;
     var $query = null;
@@ -79,12 +79,12 @@ class BrowseDispatcher extends KTStandardDispatcher {
  
             // here we need the folder object to do the breadcrumbs.
             $oFolder =& Folder::get($folder_id);
+            $this->oFolder =& $oFolder;
             if (PEAR::isError($oFolder)) {
                 $this->oPage->addError(_("invalid folder"));
                 $folder_id = 1;
                 $oFolder =& Folder::get($folder_id);
             }
-	    $this->oFolder =& $oFolder;
  
             // we now have a folder, and need to create the query.
             $this->oQuery =  new BrowseQuery($oFolder->getId());
@@ -622,6 +622,7 @@ The text will be hidden for screen view.  The generic fahrner-ish approach comes
  
 .listing td {
    padding: 0.5em;
+   vertical-align: top;
 }
  
 .listing thead th {
@@ -1008,9 +1008,6 @@ CREATE TABLE `permissions` (
 CREATE TABLE `roles` (
   `id` int(11) NOT NULL default '0',
   `name` char(255) NOT NULL default '',
-  `active` tinyint(1) NOT NULL default '0',
-  `can_read` tinyint(1) NOT NULL default '0',
-  `can_write` tinyint(1) NOT NULL default '0',
   UNIQUE KEY `id` (`id`),
   UNIQUE KEY `name` (`name`)
 ) ENGINE=InnoDB ;
@@ -1018,6 +1015,22 @@ CREATE TABLE `roles` (
 -- --------------------------------------------------------
  
 -- 
+-- Table structure for table `role_allocations`
+-- 
+
+CREATE TABLE `role_allocations` (
+  `id` int(11) NOT NULL default '0',
+  `folder_id` int(11) NOT NULL default '0',
+  `role_id` int(11) NOT NULL default '0',
+  `permission_descriptor_id` int(11) NOT NULL default '0',
+  UNIQUE KEY `id` (`id`),
+  KEY `folder_id` (`folder_id`)
+) ENGINE=InnoDB ;
+
+-- --------------------------------------------------------
+
+
+-- 
 -- Table structure for table `saved_searches`
 -- 
  
@@ -1916,6 +1929,19 @@ CREATE TABLE `zseq_roles` (
  
 -- --------------------------------------------------------
  
+
+-- 
+-- Table structure for table `zseq_role_allocations`
+-- 
+
+CREATE TABLE `zseq_role_allocations` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM ;
+
+-- --------------------------------------------------------
+
+
 -- 
 -- Table structure for table `zseq_saved_searches`
 -- 
+SET FOREIGN_KEY_CHECKS=0;
+
+CREATE TABLE `role_allocations` (
+  `id` int(11) NOT NULL default '0',
+  `folder_id` int(11) NOT NULL default '0',
+  `role_id` int(11) NOT NULL default '0',
+  `permission_descriptor_id` int(11) NOT NULL default '0',
+  UNIQUE KEY `id` (`id`),
+  KEY `folder_id` (`folder_id`)
+) ENGINE=InnoDB ;
+
+CREATE TABLE `zseq_role_allocations` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM ;
+
+
+SET FOREIGN_KEY_CHECKS=1;
+SET FOREIGN_KEY_CHECKS=0;
+
+ALTER TABLE `roles` DROP `active`;
+ALTER TABLE `roles` DROP `can_read`;
+ALTER TABLE `roles` DROP `can_write`;
+
+SET FOREIGN_KEY_CHECKS=1;
+<h2>{i18n}Allocate Roles{/i18n}</h2>
+
+<p class="descriptiveText">{i18n}
+    In many cases, workflow actions will be assigned to certain <strong>roles</strong>
+    (e.g. Manager, Interviewer, Researcher, Journalist).  You can assign these roles
+    to specific groups in particular areas of the document management system.
+{/i18n}</p>
+
+<div class='ktInfo'><p><strong>{i18n}Warning:{/i18n}</strong>{i18n} Please note that changing
+role allocations can take very long time, depending on the number of folders below this one.{/i18n}</p></div>
+
+<table class="listing">
+<thead>
+    <tr>
+        <th>{i18n}Role{/i18n}</th>
+        <th>{i18n}Allocated users{/i18n}</th>
+        <th>{i18n}Edit Users{/i18n}</th>
+        <th>{i18n}Edit Groups{/i18n}</th>
+        <th>{i18n}Use Parent{/i18n}</th>
+    </tr>
+</thead>
+<tbody>
+{foreach item=aRole key=role_id from=$roles}
+    <tr class="{cycle values=odd,even}">
+        <td>{$aRole.name}</td>
+        <td>
+           {if ($aRole.allocation_id === null)}
+              <strong>{i18n}inherited from parent folder.{/i18n}</strong><br />
+              <span class="descriptiveText">
+           {/if}
+           {if ($aRole.users != null)}<strong>{i18n}Users:{/i18n}</strong> {$aRole.users}<br />{/if}
+           {if ($aRole.groups != null)}<strong>{i18n}Groups:{/i18n}</strong> {$aRole.groups}{/if}
+           {if ($aRole.allocation_id === null)}
+              </span class="descriptiveText">
+           {/if}
+        </td>
+        {if ($aRole.allocation_id === null)}
+        <td colspan="3"><a href="{$smarty.server.PHP_SELF}?action=overrideParent&role_id={$role_id}&fFolderId={$context->oFolder->getId()}">{i18n}Override Parent Allocation{/i18n}</a></td>
+        {else}
+        <td><a href="{$smarty.server.PHP_SELF}?action=editRoleUsers&alloc_id={$aRole.allocation_id}&fFolderId={$context->oFolder->getId()}" class="ktAction ktEdit" title="{i18n}Edit{/i18n}">Edit</a></td>
+        <td><a href="{$smarty.server.PHP_SELF}?action=editRoleGroups&alloc_id={$aRole.allocation_id}&fFolderId={$context->oFolder->getId()}" class="ktAction ktEdit" title="{i18n}Edit{/i18n}">Edit</a></td>
+        <td><a href="{$smarty.server.PHP_SELF}?action=useParent&role_id={$role_id}&fFolderId={$context->oFolder->getId()}" class="ktAction ktDelete" title="{i18n}Use parent's allocation{/i18n}">{i18n}Use parent's allocation{/i18n}</a></td>
+        {/if}
+    </tr>
+{/foreach}
+</tbody>
+</table>
 \ No newline at end of file
+<h2>{i18n}Allocate Groups to Role{/i18n}</h2>
+
+{$context->oPage->requireJSResource('thirdpartyjs/OptionTransfer.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/Base.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/Iter.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/DOM.js')}
+
+<p class="descriptiveText"><strong>FIXME</strong> help text for role-editing.  </p>
+
+<form action="{$smarty.server.PHP_SELF}" method="POST" id="grouproleform">
+   <input type="hidden" name="action" value="setRoleGroups" />
+   <input type="hidden" name="allocation_id" value="{$edit_rolealloc->getId()}" />
+   <input type="hidden" name="fFolderId" value="{$context->oFolder->getId()}" />
+   <!-- erk. FIXME clean up and remove OptionTransfer.js. -->
+   
+   <input type="hidden" name="groupFinal" />
+   
+   
+   <fieldset>
+      <legend>{i18n}Allocate Groups to Role{/i18n}</legend>
+      <p class="descriptiveText">{i18n}Select the groups which should be part of this role.{/i18n} <strong>FIXME</strong> this helptext is v. awkward.</p>
+
+<table border="0" width="600">
+   <thead>
+      <tr>
+         <th>{i18n}Available Groups{/i18n}</th>
+         <th>&nbsp;</th>
+         <th>{i18n}Member groups{/i18n}</th>
+      </tr>
+   </thead>
+   <tbody>
+      <tr>
+         <td valign="top" width="1%">
+           <select name="groupSelect" size="10" multiple="multiple">
+               {foreach item=oGroup from=$unused_groups}
+               <option value="{$oGroup->getId()}" ondblclick="optGroup.transferRight()">{$oGroup->getName()}</option>
+               {/foreach}
+           </select>
+         </td>
+         <td align="center">
+            <input name="right" style="width: 60px;" value="&raquo;" onclick="optGroup.transferRight()" type="button"><br /><br />
+            <input name="left" style="width: 60px;" value="&laquo;" onclick="optGroup.transferLeft()" type="button">
+         </td>
+         <td valign="top" width="1%">
+            <select name="chosenGroups" size="10" multiple="multiple">
+               {foreach item=oGroup from=$role_groups}
+               <option value="{$oGroup->getId()}" ondblclick="optGroup.transferRight()">{$oGroup->getName()}</option>
+               {/foreach}
+            </select>
+         </td>
+      </tr>
+      <tr>
+         <td><label for="ug-filter">{i18n}Filter{/i18n}</label>
+            <input name="filterUG" id="ug-filter" onkeyup="optGroup.sortSelectMatch(groupSelect, this.value)" onchange="optGroup.sortSelectMatch(groupSelect, this.value)" type="text">
+         </td>
+         <td>&nbsp;</td>
+         <td><label for="og-filter">{i18n}Filter{/i18n}</label>
+            <input name="filterOG" id="og-filter" onkeyup="optGroup.sortSelectMatch(chosenGroups, this.value)" onchange="optGroup.sortSelectMatch(chosenGroups, this.value)" type="text">
+         </td>
+      </tr>
+</tbody></table>
+
+      <div class="form_actions">
+         <input type="submit" value="{i18n}save changes{/i18n}" />
+         <a href="?action=main" class="ktCancelLink">{i18n}Cancel{/i18n}</a>
+      </div>
+   </fieldset>
+   </form>
+<h2>{i18n}Allocate User to Role{/i18n}</h2>
+
+{$context->oPage->requireJSResource('thirdpartyjs/OptionTransfer.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/Base.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/Iter.js')}
+{$context->oPage->requireJSResource('thirdpartyjs/MochiKit/DOM.js')}
+
+<p class="descriptiveText"><strong>FIXME</strong> help text for role-editing.  </p>
+
+<form action="{$smarty.server.PHP_SELF}" method="POST" id="userroleform">
+   <input type="hidden" name="action" value="setRoleUsers" />
+   <input type="hidden" name="allocation_id" value="{$edit_rolealloc->getId()}" />
+   <input type="hidden" name="fFolderId" value="{$context->oFolder->getId()}" />
+   <!-- erk. FIXME clean up and remove OptionTransfer.js. -->
+   
+   <input type="hidden" name="userFinal" />
+   
+   
+   <fieldset>
+      <legend>{i18n}Allocate User to Role{/i18n}</legend>
+      <p class="descriptiveText">{i18n}Select the users which should be part of this role.{/i18n} <strong>FIXME</strong> this helptext is v. awkward.</p>
+
+<table border="0" width="600">
+   <thead>
+      <tr>
+         <th>{i18n}Available Users{/i18n}</th>
+         <th>&nbsp;</th>
+         <th>{i18n}Member users{/i18n}</th>
+      </tr>
+   </thead>
+   <tbody>
+      <tr>
+         <td valign="top" width="1%">
+           <select name="userSelect" size="10" multiple="multiple">
+               {foreach item=oUser from=$unused_users}
+               <option value="{$oUser->getId()}" ondblclick="optGroup.transferRight()">{$oUser->getName()}</option>
+               {/foreach}
+           </select>
+         </td>
+         <td align="center">
+            <input name="right" style="width: 60px;" value="&raquo;" onclick="optGroup.transferRight()" type="button"><br /><br />
+            <input name="left" style="width: 60px;" value="&laquo;" onclick="optGroup.transferLeft()" type="button">
+         </td>
+         <td valign="top" width="1%">
+            <select name="chosenUsers" size="10" multiple="multiple">
+               {foreach item=oUser from=$role_users}
+               <option value="{$oUser->getId()}" ondblclick="optGroup.transferRight()">{$oUser->getName()}</option>
+               {/foreach}
+            </select>
+         </td>
+      </tr>
+      <tr>
+         <td><label for="ug-filter">{i18n}Filter{/i18n}</label>
+            <input name="filterUG" id="ug-filter" onkeyup="optGroup.sortSelectMatch(userSelect, this.value)" onchange="optGroup.sortSelectMatch(groupSelect, this.value)" type="text">
+         </td>
+         <td>&nbsp;</td>
+         <td><label for="og-filter">{i18n}Filter{/i18n}</label>
+            <input name="filterOG" id="og-filter" onkeyup="optGroup.sortSelectMatch(chosenUsers, this.value)" onchange="optGroup.sortSelectMatch(chosenGroups, this.value)" type="text">
+         </td>
+      </tr>
+</tbody></table>
+
+      <div class="form_actions">
+         <input type="submit" value="{i18n}save changes{/i18n}" />
+         <a href="?action=main" class="ktCancelLink">{i18n}Cancel{/i18n}</a>
+      </div>
+   </fieldset>
+   </form>