/**
* Creates a View for the given user, based off a given template and other
* View information supplied.
*
* Will set a default title of 'Copy of $viewtitle' if title is not
* specified in $viewdata and $titlefromtemplate == false.
*
* @param array $viewdata See View::_create
* @param int $templateid The ID of the View to copy
* @param int $userid The user who has issued the command to create the
* view. See View::_create
* @param int $checkaccess Whether to check that the user can see the view before copying it
* @return array A list consisting of the new view, the template view and
* information about the copy - i.e. how many blocks and
* artefacts were copied
* @throws SystemException under various circumstances, see the source for
* more information
*/
public static function create_from_template($viewdata, $templateid, $userid = null, $checkaccess = true, $titlefromtemplate = false)
{
if (is_null($userid)) {
global $USER;
$userid = $USER->get('id');
}
$user = new User();
$user->find_by_id($userid);
db_begin();
$template = new View($templateid);
if ($template->get('deleted')) {
throw new SystemException("View::create_from_template: This template has been deleted");
}
if ($checkaccess && !$template->get('template') && !$user->can_edit_view($template)) {
throw new SystemException("View::create_from_template: Attempting to create a View from another View that is not marked as a template");
} else {
if ($checkaccess && !can_view_view($templateid, $userid)) {
throw new SystemException("View::create_from_template: User {$userid} is not permitted to copy View {$templateid}");
}
}
$view = self::_create($viewdata, $userid);
// Set a default title if one wasn't set
if ($titlefromtemplate) {
$view->set('title', $template->get('title'));
} else {
if (!isset($viewdata['title']) && !($template->get('owner') == 0 && $template->get('type') == 'portfolio')) {
$desiredtitle = $template->get('title');
if (get_config('renamecopies')) {
$desiredtitle = get_string('Copyof', 'mahara', $desiredtitle);
}
$view->set('title', self::new_title($desiredtitle, (object) $viewdata));
$view->set('dirty', true);
}
}
$view->urlid = generate_urlid($view->title, get_config('cleanurlviewdefault'), 3, 100);
$viewdata['owner'] = $userid;
$view->urlid = self::new_urlid($view->urlid, (object) $viewdata);
try {
$copystatus = $view->copy_contents($template);
} catch (QuotaExceededException $e) {
db_rollback();
return array(null, $template, array('quotaexceeded' => true));
}
$view->commit();
// if layout is set, and it's not a default layout
// add an entry to usr_custom_layout if one does not already exist
if ($template->get('layout') !== null) {
$customlayout = get_record('view_layout', 'id', $template->get('layout'), 'iscustom', 1);
if ($customlayout !== false) {
// is the owner of the copy going to be a group or institution or not?
$owner = $view->owner;
$group = $view->group;
$institution = $view->institution;
$haslayout = false;
if (!empty($group)) {
$owner = null;
$haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'group', $group);
}
if (!empty($institution)) {
$owner = null;
$haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'institution', $institution);
} else {
if (isset($owner)) {
$haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'usr', $owner);
}
}
if (!$haslayout) {
$newcustomlayout = insert_record('usr_custom_layout', (object) array('usr' => $owner, 'group' => $group, 'institution' => $institution, 'layout' => $template->get('layout')));
}
}
}
$blocks = get_records_array('block_instance', 'view', $view->get('id'));
if ($blocks) {
foreach ($blocks as $b) {
// As some artefact references have been changed, e.g embedded images
// we need to rebuild the artefact list for each block
$bi = new BlockInstance($b->id);
$bi->rebuild_artefact_list();
$configdata = unserialize($b->configdata);
if (!isset($configdata['artefactid'])) {
continue;
}
if (!isset($configdata['copytype']) || $configdata['copytype'] !== 'reference') {
continue;
}
$va = new StdClass();
$va->view = $b->view;
$va->artefact = $configdata['artefactid'];
$va->block = $b->id;
insert_record('view_artefact', $va);
}
}
if ($template->get('retainview') && !$template->get('institution')) {
$obj = new StdClass();
$obj->view = $view->get('id');
$obj->ctime = db_format_timestamp(time());
$obj->usr = $template->get('owner');
$obj->group = $template->get('group');
insert_record('view_access', $obj);
}
db_commit();
return array($view, $template, $copystatus);
}
/**
* Given a view id, and a user id (defaults to currently logged in user if not
* specified) will return wether this user is allowed to look at this view.
*
* @param mixed $view viewid or View to check
* @param integer $user_id User trying to look at the view (defaults to
* currently logged in user, or null if user isn't logged in)
*
* @returns boolean Wether the specified user can look at the specified view.
*/
function can_view_view($view, $user_id = null)
{
global $USER, $SESSION;
if (defined('BULKEXPORT')) {
return true;
}
$now = time();
$dbnow = db_format_timestamp($now);
if ($user_id === null) {
$user = $USER;
$user_id = $USER->get('id');
} else {
$user = new User();
if ($user_id) {
try {
$user->find_by_id($user_id);
} catch (AuthUnknownUserException $e) {
}
}
}
$publicviews = get_config('allowpublicviews');
$publicprofiles = get_config('allowpublicprofiles');
// If the user is logged out and the publicviews & publicprofiles sitewide configs are false,
// we can deny access without having to hit the database at all
if (!$user_id && !$publicviews && !$publicprofiles) {
return false;
}
require_once get_config('libroot') . 'view.php';
if ($view instanceof View) {
$view_id = $view->get('id');
} else {
$view = new View($view_id = $view);
}
// If the page belongs to an individual, check for individual-specific overrides
if ($view->get('owner')) {
$ownerobj = $view->get_owner_object();
// Suspended user
if ($ownerobj->suspendedctime) {
return false;
}
// Probationary user (no public pages or profiles)
// (setting these here instead of doing a return-false, so that we can do checks for
// logged-in users later)
require_once get_config('libroot') . 'antispam.php';
$onprobation = is_probationary_user($ownerobj->id);
$publicviews = $publicviews && !$onprobation;
$publicprofiles = $publicprofiles && !$onprobation;
// Member of an institution that prohibits public pages
// (group views and logged in users are not affected by
// the institution level config for public views)
$owner = new User();
$owner->find_by_id($ownerobj->id);
$publicviews = $publicviews && $owner->institution_allows_public_views();
}
// Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user
if (!$user_id && !$publicviews && !$publicprofiles) {
return false;
}
if ($user_id && $user->can_edit_view($view)) {
return true;
}
// If the view's owner is suspended, deny access to the view
if ($view->get('owner')) {
if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
return false;
}
}
if ($SESSION->get('mnetuser')) {
$mnettoken = get_cookie('mviewaccess:' . $view_id);
}
// If the page has been marked "objectionable" admins should be able to view
// it for review purposes.
if ($view->is_objectionable()) {
if ($owner = $view->get('owner')) {
if ($user->is_admin_for_user($owner)) {
return true;
}
} else {
if ($view->get('group') && $user->get('admin')) {
return true;
}
}
}
// Overriding start/stop dates are set by the owner to deny access
// to users who would otherwise be allowed to see the view. However,
// for some kinds of access (e.g. objectionable content, submitted
// views), we have to override the override and let the logged in
// user see it anyway. So we can't return false now, we have to wait
// till we find out what kind of view_access record is being used.
$overridestart = $view->get('startdate');
$overridestop = $view->get('stopdate');
$allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow);
$access = View::user_access_records($view_id, $user_id);
if (empty($access)) {
return false;
}
foreach ($access as &$a) {
if ($a->accesstype == 'public' && $allowedbyoverride) {
if ($publicviews) {
return true;
} else {
if ($publicprofiles && $view->get('type') == 'profile') {
return true;
}
}
} else {
if ($a->token && ($allowedbyoverride || !$a->visible)) {
$usertoken = get_cookie('viewaccess:' . $view_id);
if ($a->token == $usertoken && $publicviews) {
return true;
}
if (!empty($mnettoken) && $a->token == $mnettoken) {
$mnetviewlist = $SESSION->get('mnetviewaccess');
if (empty($mnetviewlist)) {
$mnetviewlist = array();
}
$mnetviewlist[$view_id] = true;
$SESSION->set('mnetviewaccess', $mnetviewlist);
return true;
}
// Don't bother to pull the collection out unless the user actually
// has some collection access cookies.
if ($ctokens = get_cookies('caccess:')) {
$cid = $view->collection_id();
if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
return true;
}
}
} else {
if ($user_id) {
if ($a->accesstype == 'friends') {
$owner = $view->get('owner');
if (!get_field_sql('
SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
continue;
}
} else {
if ($a->institution) {
// Check if user belongs to the allowed institution
if (!in_array($a->institution, array_keys($user->get('institutions')))) {
continue;
}
}
}
if (!$allowedbyoverride && $a->visible) {
continue;
}
// The view must have loggedin access, user access for the user
// or group/role access for one of the user's groups
return true;
}
}
}
}
return false;
}
/**
* Given a view id, and a user id (defaults to currently logged in user if not
* specified) will return wether this user is allowed to look at this view.
*
* @param mixed $view viewid or View to check
* @param integer $user_id User trying to look at the view (defaults to
* currently logged in user, or null if user isn't logged in)
*
* @returns boolean Wether the specified user can look at the specified view.
*/
function can_view_view($view, $user_id = null)
{
global $USER, $SESSION;
if (defined('BULKEXPORT')) {
return true;
}
$now = time();
$dbnow = db_format_timestamp($now);
if ($user_id === null) {
$user = $USER;
$user_id = $USER->get('id');
} else {
$user = new User();
if ($user_id) {
try {
$user->find_by_id($user_id);
} catch (AuthUnknownUserException $e) {
}
}
}
$publicviews = get_config('allowpublicviews');
$publicprofiles = get_config('allowpublicprofiles');
// OVERWRITE 1: deletion
//if (!$user_id && !$publicviews && !$publicprofiles) {
// return false;
//}
// END OVERWRITE 1
if (!class_exists('View')) {
require_once get_config('libroot') . 'view.php';
}
if ($view instanceof View) {
$view_id = $view->get('id');
} else {
$view = new View($view_id = $view);
}
// group views and logged in users are not affected by
// the institution level config for public views
if (empty($user_id) && ($ownerobj = $view->get_owner_object())) {
$owner = new User();
$owner->find_by_id($ownerobj->id);
if (!$owner->institution_allows_public_views()) {
return false;
}
}
if ($user_id && $user->can_edit_view($view)) {
return true;
}
$access = View::user_access_records($view_id, $user_id);
if (empty($access)) {
return false;
}
// If the view's owner is suspended, deny access to the view
if ($view->get('owner')) {
if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
return false;
}
}
// Overriding start/stop dates are set by the owner to deny access
// to users who would otherwise be allowed to see the view. However,
// for some kinds of access (e.g. objectionable content, submitted
// views), we have to override the override and let the logged in
// user see it anyway. So we can't return false now, we have to wait
// till we find out what kind of view_access record is being used.
$overridestart = $view->get('startdate');
$overridestop = $view->get('stopdate');
$allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow);
if ($SESSION->get('mnetuser')) {
$mnettoken = get_cookie('mviewaccess:' . $view_id);
}
foreach ($access as &$a) {
if ($a->accesstype == 'public' && $allowedbyoverride) {
if ($publicviews) {
return true;
} else {
if ($publicprofiles && $view->get('type') == 'profile') {
return true;
}
}
} else {
if ($a->token && ($allowedbyoverride || !$a->visible)) {
$usertoken = get_cookie('viewaccess:' . $view_id);
// OVERWRITE 2: replacement, changed from:
//if ($a->token == $usertoken && $publicviews) {
// return true;
//}
// to:
if ($a->token == $usertoken) {
if (!$publicviews) {
global $CFG;
$mhr_view = $CFG->current_app->selectFromMhrTable('view', 'id', $view_id, true);
if ($mhr_view) {
if (!isset($mhr_view->institution) || $mhr_view->institution == '') {
return false;
}
}
}
return true;
}
// END OVERWRITE 2
if (!empty($mnettoken) && $a->token == $mnettoken) {
$mnetviewlist = $SESSION->get('mnetviewaccess');
if (empty($mnetviewlist)) {
$mnetviewlist = array();
}
$mnetviewlist[$view_id] = true;
$SESSION->set('mnetviewaccess', $mnetviewlist);
return true;
}
// Don't bother to pull the collection out unless the user actually
// has some collection access cookies.
if ($ctokens = get_cookies('caccess:')) {
$cid = $view->collection_id();
if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
return true;
}
}
} else {
if ($user_id) {
if ($a->accesstype == 'friends') {
$owner = $view->get('owner');
if (!get_field_sql('
SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
continue;
}
} else {
if ($a->institution) {
// Check if user belongs to the allowed institution
if (!in_array($a->institution, array_keys($user->get('institutions')))) {
continue;
}
} else {
if ($a->accesstype == 'objectionable') {
if ($owner = $view->get('owner')) {
if ($user->is_admin_for_user($owner)) {
return true;
}
} else {
if ($view->get('group') && $user->get('admin')) {
return true;
}
}
continue;
}
}
}
if (!$allowedbyoverride && $a->visible) {
continue;
}
// The view must have loggedin access, user access for the user
// or group/role access for one of the user's groups
return true;
}
}
}
}
return false;
}
/**
* Creates a View for the given user, based off a given template and other
* View information supplied.
*
* Will set a default title of 'Copy of $viewtitle' if title is not
* specified in $viewdata.
*
* @param array $viewdata See View::_create
* @param int $templateid The ID of the View to copy
* @param int $userid The user who has issued the command to create the
* view. See View::_create
* @param int $checkaccess Whether to check that the user can see the view before copying it
* @return array A list consisting of the new view, the template view and
* information about the copy - i.e. how many blocks and
* artefacts were copied
* @throws SystemException under various circumstances, see the source for
* more information
*/
public static function create_from_template($viewdata, $templateid, $userid = null, $checkaccess = true)
{
if (is_null($userid)) {
global $USER;
$userid = $USER->get('id');
}
$user = new User();
$user->find_by_id($userid);
db_begin();
$template = new View($templateid);
if ($template->get('deleted')) {
throw new SystemException("View::create_from_template: This template has been deleted");
}
if (!$template->get('template') && !$user->can_edit_view($template)) {
throw new SystemException("View::create_from_template: Attempting to create a View from another View that is not marked as a template");
} else {
if ($checkaccess && !can_view_view($templateid, $userid)) {
throw new SystemException("View::create_from_template: User {$userid} is not permitted to copy View {$templateid}");
}
}
$view = self::_create($viewdata, $userid);
// Set a default title if one wasn't set
if (!isset($viewdata['title'])) {
$view->set('title', self::new_title(get_string('Copyof', 'mahara', $template->get('title')), (object) $viewdata));
$view->set('dirty', true);
}
try {
$copystatus = $view->copy_contents($template);
} catch (QuotaExceededException $e) {
db_rollback();
return array(null, $template, array('quotaexceeded' => true));
}
$view->commit();
db_commit();
return array($view, $template, $copystatus);
}
/**
* Given a view id, and a user id (defaults to currently logged in user if not
* specified) will return wether this user is allowed to look at this view.
*
* @param integer $view_id View ID to check
* @param integer $user_id User trying to look at the view (defaults to
* currently logged in user, or null if user isn't logged in)
*
* @returns boolean Wether the specified user can look at the specified view.
*/
function can_view_view($view_id, $user_id = null)
{
global $USER, $SESSION;
if (defined('BULKEXPORT')) {
return true;
}
$now = time();
$dbnow = db_format_timestamp($now);
if ($user_id === null) {
$user = $USER;
$user_id = $USER->get('id');
} else {
$user = new User();
if ($user_id) {
try {
$user->find_by_id($user_id);
} catch (AuthUnknownUserException $e) {
}
}
}
$publicviews = get_config('allowpublicviews');
$publicprofiles = get_config('allowpublicprofiles');
if (!$user_id && !$publicviews && !$publicprofiles) {
return false;
}
require_once get_config('libroot') . 'view.php';
$view = new View($view_id);
if ($user_id && $user->can_edit_view($view)) {
return true;
}
$access = View::user_access_records($view_id, $user_id);
if (empty($access)) {
return false;
}
if ($SESSION->get('mnetuser')) {
$mnettoken = get_cookie('mviewaccess:' . $view_id);
}
foreach ($access as &$a) {
if ($a->accesstype == 'public') {
if ($publicviews) {
return true;
} else {
if ($publicprofiles && $view->get('type') == 'profile') {
return true;
}
}
} else {
if ($a->token) {
$usertoken = get_cookie('viewaccess:' . $view_id);
if ($a->token == $usertoken && $publicviews) {
return true;
}
if (!empty($mnettoken) && $a->token == $mnettoken) {
$mnetviewlist = $SESSION->get('mnetviewaccess');
if (empty($mnetviewlist)) {
$mnetviewlist = array();
}
$mnetviewlist[$view_id] = true;
$SESSION->set('mnetviewaccess', $mnetviewlist);
return true;
}
// Don't bother to pull the collection out unless the user actually
// has some collection access cookies.
if ($ctokens = get_cookies('caccess:')) {
$cid = $view->collection_id();
if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
return true;
}
}
} else {
if ($user_id) {
if ($a->accesstype == 'friends') {
$owner = $view->get('owner');
if (!get_field_sql('
SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
continue;
}
} else {
if ($a->accesstype == 'objectionable') {
if ($owner = $view->get('owner')) {
if ($user->is_admin_for_user($owner)) {
return true;
}
} else {
if ($view->get('group') && $user->get('admin')) {
return true;
}
}
continue;
}
}
// The view must have loggedin access, user access for the user
// or group/role access for one of the user's groups
return true;
}
}
}
}
return false;
}
