Chapter 11: Content Management System 307
submitted are passed as an array named $stages. The script loops through the array, granting rights on the appropriate stage table (for example, proofreading_table) and making the needed inserts into the user_stage_map table.
    safe_query("delete from user_stage_map where user_id = $user_id");
    if (is_array($stages)) {
        // the book loops with while (list(,$stage) = each($stages)); each() was
        // removed in PHP 8, so foreach is used here with the same effect
        foreach ($stages as $stage) {
            // $stage, $username and $user_id are interpolated straight into SQL
            // (and into a GRANT), so they must have been validated before this point
            $stage_table = strtolower(trim($stage)) . "_stories";
            safe_query("grant select,insert,update,delete on $stage_table to $username");
            $pquery = "insert into user_stage_map
                (user_id, stage_id) select $user_id, stage_id from content_stages where stage = '$stage'
            ";
            safe_query($pquery);
        }
    }
Finally, this script prints out the user's details (if the user already exists) and the stages as a series of checkboxes. A checkbox is checked if the user has rights for that stage.
The following query is intended to work with the checkbox_field() function you created earlier. That function takes three arguments (name, value, and matchvalue). If the second and third match, the checkbox is marked as checked.
    // the book writes "from content_stages s, content_users u left join ...";
    // from MySQL 5.0.12 the comma binds less tightly than LEFT JOIN, so s.stage_id
    // would no longer be visible in the ON clause. The join is spelled out instead.
    $query = "select distinct
        if(m.user_id is null, '-', s.stage) as matchvalue,
        s.stage_id, s.stage, s.stage_dsc
        from content_stages s
        cross join content_users u
        left join user_stage_map m
        on s.stage_id = m.stage_id and m.user_id = u.user_id
        where u.user_id = $user_id";
308 Part IV: Not So Simple Applications
This query lists every stage once for the given user (content_users contributes only the user_id filter) and does an outer join against user_stage_map. If the user has been granted access to a stage, that stage's name appears in the matchvalue field of the returned row; if not, a dash is returned instead. When checkbox_field() is run later in the loop, its third argument is therefore either a dash or the same value as the stage field, which is exactly the comparison the function makes. The results of this query might look like this:
    +------------+----------+--------------+----------------------+
    | matchvalue | stage_id | stage        | stage_dsc            |
    +------------+----------+--------------+----------------------+
    | Writing    |        1 | Writing      | Being written.       |
    | Editing    |        2 | Editing      | Ready for review.    |
    | -          |        3 | Proofreading | Spellchecking, etc.  |
    | Live       |        4 | Live         | Story is available.  |
    | Killed     |        5 | Killed       | Dead.                |
    +------------+----------+--------------+----------------------+
This knowledge should allow you to read the rest of this script. And, of course, there are further comments included with the application on the CD-ROM.
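To make the two pieces of this script concrete (the loop that replaces a user's stage rights, and the matchvalue query behind the checkboxes), here is an added example that is not part of the book or its CD-ROM. It is written in Python against an in-memory SQLite database rather than PHP and MySQL, so it can run anywhere: the three tables and their contents (the five stages from the result set above, one constructed user) are assumptions made for the demo, MySQL's if() becomes CASE, the comma join is written as an explicit CROSS JOIN so the LEFT JOIN's ON clause can see both tables, and every value is bound as a parameter instead of interpolated. SQLite has no GRANT, so set_user_stages() returns the per-stage table names the MySQL version would grant on; it goes one step beyond the page by checking each submitted stage against content_stages before that name is formed, and by doing the delete and the inserts in one transaction. user_has_stage() is the kind of user_stage_map lookup edit_story.php needs later.

```python
import sqlite3

# Constructed sample data (not from the book): the five stages shown on the page.
STAGES = [
    (1, "Writing", "Being written."),
    (2, "Editing", "Ready for review."),
    (3, "Proofreading", "Spellchecking, etc."),
    (4, "Live", "Story is available."),
    (5, "Killed", "Dead."),
]


def open_db():
    """In-memory stand-in for the book's schema; column names follow the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table content_stages (stage_id integer primary key, stage text, stage_dsc text);
        create table content_users (user_id integer primary key, username text);
        create table user_stage_map (user_id integer, stage_id integer,
                                     primary key (user_id, stage_id));
        """
    )
    conn.executemany("insert into content_stages values (?, ?, ?)", STAGES)
    conn.execute("insert into content_users values (1, 'demo_user')")  # constructed user
    conn.commit()
    return conn


def stage_table_name(conn, stage):
    """The page builds '<stage>_stories' from the submitted string. Accept the string
    only if it names a stage that exists in content_stages, so what ends up in a
    GRANT (or any other unparameterisable position) is always a known table name."""
    name = stage.strip().lower()
    row = conn.execute(
        "select stage_id from content_stages where lower(stage) = ?", (name,)
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown stage {stage!r}")
    return name + "_stories"


def set_user_stages(conn, user_id, stages):
    """Replace the user's stage rights: delete the old map rows, insert one per stage.
    Runs as one transaction, so a bad stage name rolls the delete back too.
    Returns the per-stage tables the MySQL version would GRANT on."""
    granted = []
    with conn:
        conn.execute("delete from user_stage_map where user_id = ?", (user_id,))
        for stage in stages:
            table = stage_table_name(conn, stage)  # validated before any use
            conn.execute(
                "insert into user_stage_map (user_id, stage_id) "
                "select ?, stage_id from content_stages where lower(stage) = ?",
                (user_id, stage.strip().lower()),
            )
            granted.append(table)
    return granted


def stage_checkboxes(conn, user_id):
    """The checkbox query: every stage, with matchvalue = the stage name if the user
    holds it and '-' otherwise, as (matchvalue, stage_id, stage, stage_dsc) rows."""
    return conn.execute(
        """
        select distinct
               case when m.user_id is null then '-' else s.stage end as matchvalue,
               s.stage_id, s.stage, s.stage_dsc
          from content_stages s
         cross join content_users u
          left join user_stage_map m
            on s.stage_id = m.stage_id and m.user_id = u.user_id
         where u.user_id = ?
         order by s.stage_id
        """,
        (user_id,),
    ).fetchall()


def user_has_stage(conn, user_id, stage_id):
    """Authorisation check of the kind edit_story.php needs: is the user mapped to
    this stage in user_stage_map?"""
    row = conn.execute(
        "select 1 from user_stage_map where user_id = ? and stage_id = ?",
        (user_id, stage_id),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = open_db()
    # Form input as it might arrive: mixed case and stray whitespace on one value.
    print("grant targets:", set_user_stages(conn, 1, ["Writing", "Editing", " live ", "Killed"]))
    for matchvalue, stage_id, stage, dsc in stage_checkboxes(conn, 1):
        checked = "checked" if matchvalue == stage else ""
        print(f"{matchvalue:<13}{stage_id:<4}{stage:<14}{dsc:<22}{checked}")
    print("user 1 may work on Proofreading?", user_has_stage(conn, 1, 3))
```

Running it reproduces the result set shown above, with the dash on the Proofreading row and no checkbox for it. The point of stage_table_name() is that the only thing the MySQL code cannot pass as a bound parameter is the object name in the GRANT, so that one value is reduced to a lookup against the catalogue the application already owns rather than trusted from the form.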
content/edit_story.php
At almost 500 lines, this script is long, but it isn't especially complicated. Given the data structure discussed earlier, it needs to create new stories and update existing stories after they have been through an editorial pass. Along the way the script must check that the user has the rights to work on the story at its current stage, and clean up the text that users put into the forms.
The file should be readable by examining the comments within the page, which are supplied on the accompanying CD-ROM. Quite a few decisions need to be made for this page to work correctly, and that adds to the length, but the decisions made within the file are straightforward. Additionally, there are quite a few insert and update statements. If you keep Figure 11-8 close by while you're reading through the code, this shouldn't be too tough to get through.
This chapter has spent a fair amount of space discussing how to assign rights to a user using MySQL's grant statements. Hopefully at this point you see how those rights are assigned. The short piece of script following tests whether the current user has the rights to work on a story, based on the rights in the grants tables.
It first gets the stage name, based on a stage_id, then builds the table name by appending "_table" to the stage name. A select statement then runs against the table name just built. If the grants do not allow that query, it fails and returns false. The query also involves the user_stage_map table. That table provides our primary security: the user must have rights for the current stage in the user_stage_map table. If the user