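/**
 * Creates a View for the given user, based off a given template and other
 * View information supplied.
 *
 * Will set a default title of 'Copy of $viewtitle' if title is not
 * specified in $viewdata and $titlefromtemplate == false.
 *
 * @param array $viewdata See View::_create
 * @param int $templateid The ID of the View to copy
 * @param int $userid The user who has issued the command to create the
 *                    view. See View::_create
 * @param bool $checkaccess Whether to check that the user can see the view
 *                          before copying it. Passing false skips BOTH the
 *                          "is a template / can edit" check and the
 *                          can_view_view() check, so the caller is then
 *                          responsible for having authorised the copy.
 * @param bool $titlefromtemplate When true the copy takes the template's
 *                                title verbatim instead of a 'Copy of' title
 * @return array A list consisting of the new view, the template view and
 *               information about the copy - i.e. how many blocks and
 *               artefacts were copied. If the copy exceeds the user's quota
 *               the first element is null and the third is
 *               array('quotaexceeded' => true).
 * @throws SystemException under various circumstances, see the source for
 *                         more information
 */
public static function create_from_template($viewdata, $templateid, $userid = null, $checkaccess = true, $titlefromtemplate = false) {
    if (is_null($userid)) {
        global $USER;
        $userid = $USER->get('id');
    }
    $user = new User();
    $user->find_by_id($userid);

    db_begin();

    $template = new View($templateid);

    if ($template->get('deleted')) {
        throw new SystemException("View::create_from_template: This template has been deleted");
    }

    // Both authorisation checks are gated on $checkaccess: a caller passing
    // false is asserting that it has already authorised this copy.
    if ($checkaccess && !$template->get('template') && !$user->can_edit_view($template)) {
        throw new SystemException("View::create_from_template: Attempting to create a View from another View that is not marked as a template");
    }
    else if ($checkaccess && !can_view_view($templateid, $userid)) {
        throw new SystemException("View::create_from_template: User {$userid} is not permitted to copy View {$templateid}");
    }

    $view = self::_create($viewdata, $userid);

    // Set a default title if one wasn't set
    if ($titlefromtemplate) {
        $view->set('title', $template->get('title'));
    }
    else if (!isset($viewdata['title']) && !($template->get('owner') == 0 && $template->get('type') == 'portfolio')) {
        $desiredtitle = $template->get('title');
        if (get_config('renamecopies')) {
            $desiredtitle = get_string('Copyof', 'mahara', $desiredtitle);
        }
        $view->set('title', self::new_title($desiredtitle, (object) $viewdata));
        $view->set('dirty', true);
    }

    // A first urlid is derived from the title, then made unique for the owner.
    $view->urlid = generate_urlid($view->title, get_config('cleanurlviewdefault'), 3, 100);
    $viewdata['owner'] = $userid;
    $view->urlid = self::new_urlid($view->urlid, (object) $viewdata);

    try {
        $copystatus = $view->copy_contents($template);
    }
    catch (QuotaExceededException $e) {
        db_rollback();
        return array(null, $template, array('quotaexceeded' => true));
    }

    $view->commit();

    // if layout is set, and it's not a default layout
    // add an entry to usr_custom_layout if one does not already exist
    if ($template->get('layout') !== null) {
        $customlayout = get_record('view_layout', 'id', $template->get('layout'), 'iscustom', 1);
        if ($customlayout !== false) {
            // is the owner of the copy going to be a group or institution or not?
            $owner = $view->owner;
            $group = $view->group;
            $institution = $view->institution;
            $haslayout = false;
            if (!empty($group)) {
                $owner = null;
                $haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'group', $group);
            }
            if (!empty($institution)) {
                $owner = null;
                $haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'institution', $institution);
            }
            else if (isset($owner)) {
                $haslayout = get_record('usr_custom_layout', 'layout', $template->get('layout'), 'usr', $owner);
            }
            if (!$haslayout) {
                insert_record('usr_custom_layout', (object) array(
                    'usr' => $owner,
                    'group' => $group,
                    'institution' => $institution,
                    'layout' => $template->get('layout'),
                ));
            }
        }
    }

    $blocks = get_records_array('block_instance', 'view', $view->get('id'));
    if ($blocks) {
        foreach ($blocks as $b) {
            // As some artefact references have been changed, e.g embedded images
            // we need to rebuild the artefact list for each block
            $bi = new BlockInstance($b->id);
            $bi->rebuild_artefact_list();

            // NOTE(review): configdata is PHP-serialised in the database and
            // unserialize() will instantiate whatever class names it finds, so
            // this column must only ever be written through the block's own
            // config handling, never from raw request input.
            $configdata = unserialize($b->configdata);
            if (!isset($configdata['artefactid'])) {
                continue;
            }
            if (!isset($configdata['copytype']) || $configdata['copytype'] !== 'reference') {
                continue;
            }
            $va = new StdClass();
            $va->view = $b->view;
            $va->artefact = $configdata['artefactid'];
            $va->block = $b->id;
            insert_record('view_artefact', $va);
        }
    }

    // Let the template owner (or group) keep seeing the copy when requested.
    if ($template->get('retainview') && !$template->get('institution')) {
        $obj = new StdClass();
        $obj->view = $view->get('id');
        $obj->ctime = db_format_timestamp(time());
        $obj->usr = $template->get('owner');
        $obj->group = $template->get('group');
        insert_record('view_access', $obj);
    }

    db_commit();

    return array($view, $template, $copystatus);
}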
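/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return whether this user is allowed to look at this view.
 *
 * Access-token values read from cookies are compared strictly (===) against
 * the stored token: a loose == would treat numeric-looking strings such as
 * '1e3' and '1000' as equal.
 *
 * @param mixed $view viewid or View to check
 * @param integer $user_id User trying to look at the view (defaults to
 *                         currently logged in user, or null if user isn't logged in)
 *
 * @return boolean Whether the specified user can look at the specified view.
 */
function can_view_view($view, $user_id = null) {
    global $USER, $SESSION;

    if (defined('BULKEXPORT')) {
        return true;
    }

    $now = time();
    $dbnow = db_format_timestamp($now);

    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    }
    else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            }
            catch (AuthUnknownUserException $e) {
                // Unknown id: continue with an unloaded User; only the
                // checks that don't depend on the user record can succeed.
            }
        }
    }

    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');

    // If the user is logged out and the publicviews & publicprofiles sitewide configs are false,
    // we can deny access without having to hit the database at all
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }

    require_once get_config('libroot') . 'view.php';
    if ($view instanceof View) {
        $view_id = $view->get('id');
    }
    else {
        $view = new View($view_id = $view);
    }

    // If the page belongs to an individual, check for individual-specific overrides
    if ($view->get('owner')) {
        $ownerobj = $view->get_owner_object();

        // Suspended user
        if ($ownerobj->suspendedctime) {
            return false;
        }

        // Probationary user (no public pages or profiles)
        // (setting these here instead of doing a return-false, so that we can do checks for
        // logged-in users later)
        require_once get_config('libroot') . 'antispam.php';
        $onprobation = is_probationary_user($ownerobj->id);
        $publicviews = $publicviews && !$onprobation;
        $publicprofiles = $publicprofiles && !$onprobation;

        // Member of an institution that prohibits public pages
        // (group views and logged in users are not affected by
        // the institution level config for public views)
        $owner = new User();
        $owner->find_by_id($ownerobj->id);
        $publicviews = $publicviews && $owner->institution_allows_public_views();
    }

    // Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }

    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }

    // If the view's owner is suspended, deny access to the view
    if ($view->get('owner')) {
        if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
            return false;
        }
    }

    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }

    // If the page has been marked "objectionable" admins should be able to view
    // it for review purposes.
    if ($view->is_objectionable()) {
        if ($owner = $view->get('owner')) {
            if ($user->is_admin_for_user($owner)) {
                return true;
            }
        }
        else if ($view->get('group') && $user->get('admin')) {
            return true;
        }
    }

    // Overriding start/stop dates are set by the owner to deny access
    // to users who would otherwise be allowed to see the view. However,
    // for some kinds of access (e.g. objectionable content, submitted
    // views), we have to override the override and let the logged in
    // user see it anyway. So we can't return false now, we have to wait
    // till we find out what kind of view_access record is being used.
    $overridestart = $view->get('startdate');
    $overridestop = $view->get('stopdate');
    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow)
        && (empty($overridestop) || $overridestop > $dbnow);

    $access = View::user_access_records($view_id, $user_id);

    if (empty($access)) {
        return false;
    }

    foreach ($access as $a) {
        if ($a->accesstype == 'public' && $allowedbyoverride) {
            if ($publicviews) {
                return true;
            }
            else if ($publicprofiles && $view->get('type') == 'profile') {
                return true;
            }
        }
        else if ($a->token && ($allowedbyoverride || !$a->visible)) {
            // Secret-URL access: the token in the cookie must match exactly.
            $usertoken = get_cookie('viewaccess:' . $view_id);
            if (is_string($usertoken) && (string) $a->token === $usertoken && $publicviews) {
                return true;
            }

            if (!empty($mnettoken) && (string) $a->token === (string) $mnettoken) {
                $mnetviewlist = $SESSION->get('mnetviewaccess');
                if (empty($mnetviewlist)) {
                    $mnetviewlist = array();
                }
                $mnetviewlist[$view_id] = true;
                $SESSION->set('mnetviewaccess', $mnetviewlist);
                return true;
            }

            // Don't bother to pull the collection out unless the user actually
            // has some collection access cookies.
            if ($ctokens = get_cookies('caccess:')) {
                $cid = $view->collection_id();
                if ($cid && isset($ctokens[$cid]) && (string) $a->token === (string) $ctokens[$cid]) {
                    return true;
                }
            }
        }
        else if ($user_id) {
            if ($a->accesstype == 'friends') {
                $owner = $view->get('owner');
                if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
                    continue;
                }
            }
            else if ($a->institution) {
                // Check if user belongs to the allowed institution
                if (!in_array($a->institution, array_keys($user->get('institutions')))) {
                    continue;
                }
            }

            if (!$allowedbyoverride && $a->visible) {
                continue;
            }

            // The view must have loggedin access, user access for the user
            // or group/role access for one of the user's groups
            return true;
        }
    }

    return false;
}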
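/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return whether this user is allowed to look at this view.
 *
 * Access-token values read from cookies are compared strictly (===) against
 * the stored token: a loose == would treat numeric-looking strings such as
 * '1e3' and '1000' as equal.
 *
 * @param mixed $view viewid or View to check
 * @param integer $user_id User trying to look at the view (defaults to
 *                         currently logged in user, or null if user isn't logged in)
 *
 * @return boolean Whether the specified user can look at the specified view.
 */
function can_view_view($view, $user_id = null) {
    global $USER, $SESSION;

    if (defined('BULKEXPORT')) {
        return true;
    }

    $now = time();
    $dbnow = db_format_timestamp($now);

    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    }
    else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            }
            catch (AuthUnknownUserException $e) {
                // Unknown id: continue with an unloaded User; only the
                // checks that don't depend on the user record can succeed.
            }
        }
    }

    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');

    // OVERWRITE 1: deletion
    //if (!$user_id && !$publicviews && !$publicprofiles) {
    //    return false;
    //}
    // END OVERWRITE 1

    if (!class_exists('View')) {
        require_once get_config('libroot') . 'view.php';
    }
    if ($view instanceof View) {
        $view_id = $view->get('id');
    }
    else {
        $view = new View($view_id = $view);
    }

    // group views and logged in users are not affected by
    // the institution level config for public views
    if (empty($user_id) && ($ownerobj = $view->get_owner_object())) {
        $owner = new User();
        $owner->find_by_id($ownerobj->id);
        if (!$owner->institution_allows_public_views()) {
            return false;
        }
    }

    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }

    $access = View::user_access_records($view_id, $user_id);

    if (empty($access)) {
        return false;
    }

    // If the view's owner is suspended, deny access to the view
    if ($view->get('owner')) {
        if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
            return false;
        }
    }

    // Overriding start/stop dates are set by the owner to deny access
    // to users who would otherwise be allowed to see the view. However,
    // for some kinds of access (e.g. objectionable content, submitted
    // views), we have to override the override and let the logged in
    // user see it anyway. So we can't return false now, we have to wait
    // till we find out what kind of view_access record is being used.
    $overridestart = $view->get('startdate');
    $overridestop = $view->get('stopdate');
    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow)
        && (empty($overridestop) || $overridestop > $dbnow);

    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }

    foreach ($access as $a) {
        if ($a->accesstype == 'public' && $allowedbyoverride) {
            if ($publicviews) {
                return true;
            }
            else if ($publicprofiles && $view->get('type') == 'profile') {
                return true;
            }
        }
        else if ($a->token && ($allowedbyoverride || !$a->visible)) {
            // Secret-URL access: the token in the cookie must match exactly.
            $usertoken = get_cookie('viewaccess:' . $view_id);

            // OVERWRITE 2: replacement, changed from:
            //if ($a->token == $usertoken && $publicviews) {
            //    return true;
            //}
            // to:
            if (is_string($usertoken) && (string) $a->token === $usertoken) {
                if (!$publicviews) {
                    // Site-wide public views are off: a token is only honoured
                    // for a view that belongs to an institution (fork-specific
                    // lookup via $CFG->current_app).
                    global $CFG;
                    $mhr_view = $CFG->current_app->selectFromMhrTable('view', 'id', $view_id, true);
                    if ($mhr_view) {
                        if (!isset($mhr_view->institution) || $mhr_view->institution == '') {
                            return false;
                        }
                    }
                }
                return true;
            }
            // END OVERWRITE 2

            if (!empty($mnettoken) && (string) $a->token === (string) $mnettoken) {
                $mnetviewlist = $SESSION->get('mnetviewaccess');
                if (empty($mnetviewlist)) {
                    $mnetviewlist = array();
                }
                $mnetviewlist[$view_id] = true;
                $SESSION->set('mnetviewaccess', $mnetviewlist);
                return true;
            }

            // Don't bother to pull the collection out unless the user actually
            // has some collection access cookies.
            if ($ctokens = get_cookies('caccess:')) {
                $cid = $view->collection_id();
                if ($cid && isset($ctokens[$cid]) && (string) $a->token === (string) $ctokens[$cid]) {
                    return true;
                }
            }
        }
        else if ($user_id) {
            if ($a->accesstype == 'friends') {
                $owner = $view->get('owner');
                if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
                    continue;
                }
            }
            else if ($a->institution) {
                // Check if user belongs to the allowed institution
                if (!in_array($a->institution, array_keys($user->get('institutions')))) {
                    continue;
                }
            }
            else if ($a->accesstype == 'objectionable') {
                // Admins may review objectionable content regardless of dates.
                if ($owner = $view->get('owner')) {
                    if ($user->is_admin_for_user($owner)) {
                        return true;
                    }
                }
                else if ($view->get('group') && $user->get('admin')) {
                    return true;
                }
                continue;
            }

            if (!$allowedbyoverride && $a->visible) {
                continue;
            }

            // The view must have loggedin access, user access for the user
            // or group/role access for one of the user's groups
            return true;
        }
    }

    return false;
}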
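/**
 * Creates a View for the given user, based off a given template and other
 * View information supplied.
 *
 * Will set a default title of 'Copy of $viewtitle' if title is not
 * specified in $viewdata.
 *
 * @param array $viewdata See View::_create
 * @param int $templateid The ID of the View to copy
 * @param int $userid The user who has issued the command to create the
 *                    view. See View::_create
 * @param bool $checkaccess Whether to check that the user can see the view
 *                          before copying it. The "is a template / can edit"
 *                          check is applied regardless of this flag.
 * @return array A list consisting of the new view, the template view and
 *               information about the copy - i.e. how many blocks and
 *               artefacts were copied. If the copy exceeds the user's quota
 *               the first element is null and the third is
 *               array('quotaexceeded' => true).
 * @throws SystemException under various circumstances, see the source for
 *                         more information
 */
public static function create_from_template($viewdata, $templateid, $userid = null, $checkaccess = true) {
    if (is_null($userid)) {
        global $USER;
        $userid = $USER->get('id');
    }
    $user = new User();
    $user->find_by_id($userid);

    db_begin();

    $template = new View($templateid);

    if ($template->get('deleted')) {
        throw new SystemException("View::create_from_template: This template has been deleted");
    }

    if (!$template->get('template') && !$user->can_edit_view($template)) {
        throw new SystemException("View::create_from_template: Attempting to create a View from another View that is not marked as a template");
    }
    else if ($checkaccess && !can_view_view($templateid, $userid)) {
        throw new SystemException("View::create_from_template: User {$userid} is not permitted to copy View {$templateid}");
    }

    $view = self::_create($viewdata, $userid);

    // Set a default title if one wasn't set
    if (!isset($viewdata['title'])) {
        $view->set('title', self::new_title(get_string('Copyof', 'mahara', $template->get('title')), (object) $viewdata));
        $view->set('dirty', true);
    }

    try {
        $copystatus = $view->copy_contents($template);
    }
    catch (QuotaExceededException $e) {
        db_rollback();
        return array(null, $template, array('quotaexceeded' => true));
    }

    $view->commit();
    db_commit();

    return array($view, $template, $copystatus);
}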
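/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return whether this user is allowed to look at this view.
 *
 * Access-token values read from cookies are compared strictly (===) against
 * the stored token: a loose == would treat numeric-looking strings such as
 * '1e3' and '1000' as equal.
 *
 * @param integer $view_id View ID to check
 * @param integer $user_id User trying to look at the view (defaults to
 *                         currently logged in user, or null if user isn't logged in)
 *
 * @return boolean Whether the specified user can look at the specified view.
 */
function can_view_view($view_id, $user_id = null) {
    global $USER, $SESSION;

    if (defined('BULKEXPORT')) {
        return true;
    }

    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    }
    else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            }
            catch (AuthUnknownUserException $e) {
                // Unknown id: continue with an unloaded User; only the
                // checks that don't depend on the user record can succeed.
            }
        }
    }

    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');

    // Logged-out visitor with no public access enabled site-wide: deny early.
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }

    require_once get_config('libroot') . 'view.php';
    $view = new View($view_id);

    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }

    $access = View::user_access_records($view_id, $user_id);

    if (empty($access)) {
        return false;
    }

    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }

    foreach ($access as $a) {
        if ($a->accesstype == 'public') {
            if ($publicviews) {
                return true;
            }
            else if ($publicprofiles && $view->get('type') == 'profile') {
                return true;
            }
        }
        else if ($a->token) {
            // Secret-URL access: the token in the cookie must match exactly.
            $usertoken = get_cookie('viewaccess:' . $view_id);
            if (is_string($usertoken) && (string) $a->token === $usertoken && $publicviews) {
                return true;
            }

            if (!empty($mnettoken) && (string) $a->token === (string) $mnettoken) {
                $mnetviewlist = $SESSION->get('mnetviewaccess');
                if (empty($mnetviewlist)) {
                    $mnetviewlist = array();
                }
                $mnetviewlist[$view_id] = true;
                $SESSION->set('mnetviewaccess', $mnetviewlist);
                return true;
            }

            // Don't bother to pull the collection out unless the user actually
            // has some collection access cookies.
            if ($ctokens = get_cookies('caccess:')) {
                $cid = $view->collection_id();
                if ($cid && isset($ctokens[$cid]) && (string) $a->token === (string) $ctokens[$cid]) {
                    return true;
                }
            }
        }
        else if ($user_id) {
            if ($a->accesstype == 'friends') {
                $owner = $view->get('owner');
                if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
                    continue;
                }
            }
            else if ($a->accesstype == 'objectionable') {
                // Admins may review objectionable content.
                if ($owner = $view->get('owner')) {
                    if ($user->is_admin_for_user($owner)) {
                        return true;
                    }
                }
                else if ($view->get('group') && $user->get('admin')) {
                    return true;
                }
                continue;
            }

            // The view must have loggedin access, user access for the user
            // or group/role access for one of the user's groups
            return true;
        }
    }

    return false;
}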