I use HTTP Auth for one of my Textpattern installations, and so, I wanted people that could get to the textpattern pages to have, by default, staff writer permissions.

Checking Privledges

In Textpattern 1.0 (rc1-3), check_privs returns a message if the requested privs are not present. There is no way to non-destructively check privledges.

I made the following changes to lib/txp_misc.php:

function check_privs()
{
  global $txp_user;
  $args = func_get_args();

  // Change check for privs to call new method, has_privs
  $result = call_user_func_array('has_privs', $args);

  if( !$result )
  {
    exit(pageTop('Restricted').
         '<p style="margin-top:3em;text-align:center">'.
         gTxt('restricted_area').'</p>');
  }
}

// New method - non-desructively checks for given privs
// Also sets privs retrieved from DB in a global to reduce DB load
function has_privs()
{
  global $myprivs, $txp_user;

  if ( !isset($myprivs) || empty($myprivs) )
  {
    $myprivs = safe_field('privs', 'txp_users', "name = '$txp_user'");

    // if we didn't find privs in the DB, assign default of 4 (Staff Writer)
    if ( empty($myprivs) && isset($_SERVER['REMOTE_USER'])
      $myprivs = 4;
  }

  // Get requested privs, and test requested privs
  // against assigned privs..

  $args = func_get_args();

  if ( in_array($myprivs,$args) )
    return true;

  return false;
}

Centralizing priv lookups.

The next part is to change lookups for privs (which look something like this:

$myprivs = safe_field('privs', 'txp_users', "name = '$txp_user'");

To call the new has_privs method instead.