checkACL() protected method

Checks if the current user has enough privileges for the requested ACL area.
protected checkACL ( string $area ) : boolean
$area string The ACL area, e.g. core.manage.
return boolean True if the user has the ACL privilege specified
Example #1
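 /**
  * Checks if the current user has enough privileges for the requested ACL area. This overridden method supports
  * asset tracking as well.
  *
  * When the model tracks assets and the request carries record IDs, the verdict is reached per record: each
  * requested ID must pass either the dedicated permission on its own asset or, for areas other than
  * core.edit.state, the edit-own fallback (edit-own granted on the asset and the record's created_by equal to the
  * current user). One ID that fails denies the whole request, so a multi-record request is never authorised on
  * the strength of a single record. A record with no recorded owner never passes the edit-own fallback.
  *
  * @param   string  $area  The ACL area, e.g. core.manage
  *
  * @return  boolean  True if the user has the ACL privilege specified; when record IDs are tracked, true only if
  *                   that holds for every requested ID
  */
 protected function checkACL($area)
 {
     $area = $this->getACLRuleFor($area);
     $result = parent::checkACL($area);
     // Record IDs are only relevant when the model tracks assets
     /** @var DataModel $model */
     $model = $this->getModel();
     $ids = null;
     if ($model instanceof DataModel && $model->isAssetsTracked()) {
         // NOTE(review): the IDs are request data; confirm getIDsFromRequest() normalises them before they are
         // concatenated into an asset name below.
         $ids = $this->getIDsFromRequest($model, false);
     }
     // No IDs tracked, return parent's result
     if (empty($ids)) {
         return $result;
     }
     // Asset tracking. From here on the parent's verdict is not consulted; the per-record checks decide.
     if (!is_array($ids)) {
         $ids = array($ids);
     }
     $platform = $this->container->platform;
     $resource = $this->container->inflector->singularize($this->view);
     // Loose comparison kept on purpose: the type returned by getACLRuleFor() is not visible in this method.
     $isEditState = $area == 'core.edit.state';
     foreach ($ids as $id) {
         $asset = $this->container->componentName . '.' . $resource . '.' . $id;
         // Dedicated permission found for this record: it is cleared, but the remaining IDs still have to pass.
         if ($platform->authorise($area, $asset)) {
             continue;
         }
         // core.edit.state never falls back on edit.own
         if ($isEditState) {
             return false;
         }
         // Fallback on edit.own. First test if the permission is available.
         $editOwn = $this->getACLRuleFor('@*editown');
         if (!$platform->authorise($editOwn, $asset)) {
             return false;
         }
         // load() changes the state of the shared model instance.
         // NOTE(review): its result is not checked; confirm it throws or resets the model for a missing record,
         // otherwise created_by could be read from a previously loaded record.
         $model->load($id);
         if (!$model->hasField('created_by')) {
             return false;
         }
         // Now test the owner is the user. A missing created_by casts to 0, and "no owner" must not be read as
         // "owned by whoever has a zero or empty user id", so both sides are cast and compared strictly.
         $ownerId = (int) $model->getFieldValue('created_by', null);
         if ($ownerId <= 0 || $ownerId !== (int) $platform->getUser()->id) {
             return false;
         }
     }
     // Every requested record passed one of the checks above.
     return true;
 }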