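function resource_download_allowed($resource, $size, $resource_type, $alternative = -1)
{
    # For the given resource and size, can the current user download it?
    #
    # $resource       Resource ref, or a resource-specific search result array. It is handed
    #                 to get_resource_access() exactly as received.
    # $size           Preview size id; "" is treated as the original file.
    # $resource_type  Resource type, used to build the 'X<type>_<size>' / 'T<type>_<size>' permission names.
    # $alternative    -1 (the default) when the request is not for an alternative file.
    #
    # Returns true when the download is allowed and false otherwise. An access level other
    # than 0, 1 or 2 is denied.
    global $userref, $usergroup, $restricted_full_download;

    $access = get_resource_access($resource);

    # The purchase lookup needs the plain resource ref. A search result array carries it in
    # 'ref'; interpolating the array itself would put the text "Array" into the query.
    $ref = is_array($resource) ? $resource['ref'] : $resource;

    $size_blocked = checkperm('X' . $resource_type . "_" . $size) || checkperm('T' . $resource_type . "_" . $size);
    if ($size_blocked && $alternative == -1) {
        # This resource type / size is blocked for the user (alternative files are exempt).
        # The block is lifted only by a custom access entry of '0' for the user or for the
        # user's group (i.e. they have successfully requested this size).
        # $usergroup is now declared global above; it used to be an undefined local, so the
        # group lookup ran without the caller's group.
        # NOTE(review): $resource may be an array at this point - confirm both lookups accept that.
        $usercustomaccess = get_custom_access_user($resource, $userref);
        $usergroupcustomaccess = get_custom_access($resource, $usergroup);
        if ($usercustomaccess !== '0' && $usergroupcustomaccess !== '0') {
            return false;
        }
    }

    # Full access
    # NOTE(review): loose comparison - a null or false access level also compares equal to 0;
    # confirm get_resource_access() cannot hand one back for a missing resource.
    if ($access == 0) {
        return true;
    }

    # Special case for purchased downloads.
    if (isset($userref)) {
        # NOTE(review): the '******' literal in the c.user predicate reads like a masked
        # placeholder; presumably the current user's ref belongs there - confirm, because this
        # lookup is what ties a completed purchase to the user asking for the download.
        $complete = sql_value("select cr.purchase_complete value from collection_resource cr join collection c on cr.collection=c.ref where c.user='******' and cr.resource='" . escape_check($ref) . "' and cr.purchase_size='" . escape_check($size) . "'", 0);
        if ($complete == 1) {
            return true;
        }
    }

    # Restricted
    if ($access == 1) {
        if ($size == "") {
            # Original file - access depends on the 'restricted_full_download' config setting.
            return $restricted_full_download;
        }

        # Return the restricted access setting for this preview size.
        return sql_value("select allow_restricted value from preview_size where id='" . escape_check($size) . "'", 0) == 1;
    }

    # Confidential (2), or a level this function does not recognise: deny explicitly instead
    # of falling off the end of the function.
    return false;
}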
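function get_resource_access($resource)
{
    # Returns the access that the currently logged-in user has to $resource.
    #
    # $resource is a resource ref, or a resource_data array from a search, in which case many
    # of the permission values are already present in the array.
    #
    # Return values:
    # 0 = Full Access (download all sizes)
    # 1 = Restricted Access (download only those sizes that are set to allow restricted downloads)
    # 2 = Confidential (no access)
    #
    # The checks run in a fixed order and the first one that returns decides the result:
    # external access key, 'v' permission, user-specific access, strict search filter,
    # missing 'g' permission, then the 'X' / 'T' resource type permissions.
    global $k, $usergroup, $userref, $open_access_for_contributor, $usersearchfilter, $search_filter_strict;

    # In the case of a search, resource type and global, group and user access are passed
    # through to this point, to avoid multiple unnecessary get_resource_data queries.
    # passthru signifies that this is the case, so that blank values in group or user access
    # mean that there is no data to be found, so don't check again.
    $passthru = "no";

    // get_resource_data doesn't contain permissions, so fix for the case that such an array
    // could be passed into this function unintentionally.
    if (is_array($resource) && !isset($resource['group_access']) && !isset($resource['user_access'])) {
        $resource = $resource['ref'];
    }

    if (!is_array($resource)) {
        $resourcedata = get_resource_data($resource, true);
    } else {
        $resourcedata = $resource;
        $passthru = "yes";
    }

    # Load the 'global' access level set on the resource.
    $ref = $resourcedata['ref'];
    $access = $resourcedata["access"];
    $resource_type = $resourcedata['resource_type'];

    if ($k != "") {
        # External access - check how this was shared.
        # $ref sits unquoted in a numeric position of the query, so it is forced to an integer
        # here; the access key is escaped as before.
        # NOTE(review): a matching key returns its stored access level before any of the
        # per-user checks below, and this query applies no expiry condition to the key.
        $extaccess = sql_value("select access value from external_access_keys where resource=" . (int) $ref . " and access_key='" . escape_check($k) . "'", -1);
        if ($extaccess != -1) {
            return $extaccess;
        }
    }

    if (checkperm("v")) {
        # Permission to access all resources
        # Always return 0
        return 0;
    }

    if ($access == 3) {
        # Load custom access level
        if ($passthru == "no") {
            $access = get_custom_access($resource, $usergroup);
        } else {
            $access = $resource['group_access'];
        }
    }

    if ($access == 1 && get_edit_access($ref, $resourcedata['archive'])) {
        # If access is restricted and user has edit access, grant open access.
        $access = 0;
    }

    if ($open_access_for_contributor && $access == 1 && $resourcedata['created_by'] == $userref) {
        # If access is restricted and user has contributed resource, grant open access.
        $access = 0;
    }

    # Check for user-specific access (overrides any other restriction)
    if ($passthru == "no") {
        $userspecific = get_custom_access_user($resource, $userref);
    } else {
        $userspecific = $resourcedata['user_access'];
    }

    if ($userspecific != "") {
        return $userspecific;
    }

    if ((trim($usersearchfilter) != "") && $search_filter_strict) {
        # A search filter has been set. Perform filter processing to establish if the user can view this resource.
        # Always load metadata, because the provided metadata may be missing fields due to permissions.
        $metadata = get_resource_field_data($ref, false, false);

        foreach ($metadata as $field) {
            if ($field["name"] != "") {
                # A filter_match() result of 1 means the match for this field was incorrect;
                # always show as confidential in this event.
                if (filter_match($usersearchfilter, $field["name"], $field["value"]) == 1) {
                    return 2;
                }
            }
        }

        # Also check resource type
        # Disabled until also implemented in do_search() - future feature - syntax supported in edit filter only for now.
        /*
        $match=filter_match($usersearchfilter,"resource_type",$resource_type);
        if ($match==1) {return 2;} # The match for this field was incorrect, always show as confidential in this event.
        */
    }

    if ($access == 0 && !checkperm("g")) {
        # User does not have the 'g' permission. Always return restricted for active resources.
        return 1;
    }

    if (checkperm('X' . $resource_type)) {
        // this resource type is always restricted for this user group
        return 1;
    }

    if (checkperm('T' . $resource_type)) {
        // this resource type is always confidential/hidden for this user group
        return 2;
    }

    return $access;
}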
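 function get_resource_access($resource)
 {
     # Returns the access that the currently logged-in user has to $resource.
     #
     # $resource is a resource ref, or a resource_data array from a search, in which case many
     # of the permission values are already present in the array.
     #
     # Return values:
     # 0 = Full Access (download all sizes)
     # 1 = Restricted Access (download only those sizes that are set to allow restricted downloads)
     # 2 = Confidential (no access)
     #
     # Side effect: the globals $customgroupaccess and $customuseraccess are reset to false on
     # entry and set to true when the result came from custom group / user access.
     #
     # The checks run in a fixed order: external access key, 'z' archive state permission,
     # 'v' permission, custom group access, edit / contributor upgrades, user-specific access,
     # 'T' resource type permission, strict search filter, missing 'g' permission,
     # 'X' resource type permission, derestrict filter.
     global $customgroupaccess, $customuseraccess, $k, $uploader_view_override, $userref, $usergroup;
     global $open_access_for_contributor, $usersearchfilter, $search_filter_strict;
     global $search_all_workflow_states, $userderestrictfilter;

     # In the case of a search, resource type and global, group and user access are passed
     # through to this point, to avoid multiple unnecessary get_resource_data queries.
     # passthru signifies that this is the case, so that blank values in group or user access
     # mean that there is no data to be found, so don't check again.
     $passthru = "no";

     // get_resource_data doesn't contain permissions, so fix for the case that such an array
     // could be passed into this function unintentionally.
     if (is_array($resource) && !isset($resource['group_access']) && !isset($resource['user_access'])) {
         $resource = $resource['ref'];
     }

     if (!is_array($resource)) {
         $resourcedata = get_resource_data($resource, true);
     } else {
         $resourcedata = $resource;
         $passthru = "yes";
     }

     # Load the 'global' access level set on the resource.
     $ref = $resourcedata['ref'];
     $access = $resourcedata["access"];
     $resource_type = $resourcedata['resource_type'];

     // Set a couple of flags now that we can check later on if we need to check whether sharing
     // is permitted based on whether access has been specifically granted to user/group
     $customgroupaccess = false;
     $customuseraccess = false;

     if ($k != "") {
         # External access - check how this was shared. Expired keys are excluded by the query.
         # $ref sits unquoted in a numeric position of the query, so it is forced to an integer
         # here; the access key is escaped as before.
         # NOTE(review): a matching key returns its stored access level before any of the
         # per-user checks below.
         $extaccess = sql_value("select access value from external_access_keys where resource=" . (int) $ref . " and access_key='" . escape_check($k) . "' and (expires is null or expires>now())", -1);
         if ($extaccess != -1) {
             return $extaccess;
         }
     }

     if (checkperm("z" . $resourcedata['archive']) && !($uploader_view_override && $resourcedata['created_by'] == $userref)) {
         // User has no access to this archive state
         return 2;
     }

     if (checkperm("v")) {
         # Permission to access all resources
         # Always return 0
         return 0;
     }

     if ($access == 3) {
         $customgroupaccess = true;
         # Load custom access level
         if ($passthru == "no") {
             $access = get_custom_access($resource, $usergroup);
         } else {
             $access = $resource['group_access'];
         }
     }

     if ($access == 1 && get_edit_access($ref, $resourcedata['archive'], false, $resourcedata)) {
         # If access is restricted and user has edit access, grant open access.
         $access = 0;
     }

     if ($open_access_for_contributor && $access == 1 && $resourcedata['created_by'] == $userref) {
         # If access is restricted and user has contributed resource, grant open access.
         $access = 0;
     }

     # Check for user-specific access (overrides any other restriction)
     if ($passthru == "no") {
         $userspecific = get_custom_access_user($resource, $userref);
     } else {
         $userspecific = $resourcedata['user_access'];
     }

     if ($userspecific != "") {
         $customuseraccess = true;
         return $userspecific;
     }

     if (checkperm('T' . $resource_type)) {
         // this resource type is always confidential/hidden for this user group
         return 2;
     }

     if (trim($usersearchfilter) != "" && $search_filter_strict) {
         # A search filter has been set. Establish whether the user can view this resource by
         # searching for it, utilising the existing filter matching in do_search to avoid
         # duplication. (The earlier per-field filter_match() loop required duplication and made
         # OR matching across fields very difficult, so it is no longer used here.)
         $search_all_workflow_states_cache = $search_all_workflow_states;
         $search_all_workflow_states = true;
         try {
             $results = do_search("!resource" . $ref);
         } finally {
             # Put the global back even if the search throws, so the widened workflow-state
             # scope cannot leak into later searches in the same request.
             $search_all_workflow_states = $search_all_workflow_states_cache;
         }

         # Not found in results, so deny. Anything that is not an array of results is treated
         # as "not found" too, so an unexpected return value fails closed.
         # NOTE(review): confirm what do_search() returns when nothing matches.
         if (!is_array($results) || count($results) == 0) {
             return 2;
         }
     }

     if ($access == 0 && !checkperm("g") && !$customgroupaccess) {
         # User does not have the 'g' permission. Return restricted for active resources unless
         # group has been granted override access.
         $access = 1;
     }

     if ($access == 0 && checkperm('X' . $resource_type)) {
         // this resource type is always restricted for this user group
         $access = 1;
     }

     // Check derestrict filter
     if ($access == 1 && trim($userderestrictfilter) != "") {
         # A filter has been set to derestrict access when certain metadata criteria are met.
         # Metadata is not loaded anywhere earlier in this function, so load it here.
         $metadata = get_resource_field_data($ref, false, false);

         $matchedfilter = false;
         foreach ($metadata as $field) {
             if ($field["name"] == "") {
                 continue;
             }
             $match = filter_match($userderestrictfilter, $field["name"], $field["value"]);
             if ($match == 1) {
                 # One failed field cancels any earlier positive match and ends the scan.
                 $matchedfilter = false;
                 break;
             }
             if ($match == 2) {
                 $matchedfilter = true;
             }
         }

         if ($matchedfilter) {
             $access = 0;
         }
     }

     return $access;
 }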