function userHasFieldAccess($fieldSchema)
{
// args changed as of 2.16, used to be ($tableName, $accessRule) {
global $CURRENT_USER;
if (!array_key_exists('_tableName', $fieldSchema)) {
dieAsCaller("Fieldschema missing '_tableName' value!");
}
if (!array_key_exists('name', $fieldSchema)) {
dieAsCaller("Fieldschema missing 'name' value!");
}
// check if user has access to this field
$hasAccess = false;
$accessRule = @$fieldSchema['adminOnly'];
// this schema key is a legacy fieldname that will be renamed in future
$hasEditorAccess = userSectionAccess($fieldSchema['_tableName']) >= 9;
if ($CURRENT_USER['isAdmin']) {
$hasAccess = true;
} elseif (!$accessRule) {
$hasAccess = true;
} elseif ($accessRule == 1 && $hasEditorAccess) {
$hasAccess = true;
} elseif ($accessRule == 2 && $CURRENT_USER['isAdmin']) {
$hasAccess = true;
}
// requires admin access (ignored since admins can access all fields)
$hasAccess = applyFilters('userHasFieldAccess', $hasAccess, $fieldSchema);
return $hasAccess;
}
function getMenuLinks()
{
global $CURRENT_USER, $APP;
$menuLinks = '';
foreach (_getMenuList() as $row) {
// set defaults
if (!array_key_exists('menuType', $row)) {
$row['menuType'] = '';
}
if (!array_key_exists('tableName', $row)) {
$row['tableName'] = '';
}
if (!array_key_exists('linkTarget', $row)) {
$row['linkTarget'] = '';
}
// check menu access
if (!$CURRENT_USER) {
$hasMenuAccess = false;
} elseif (!$row['tableName'] && $CURRENT_USER['isAdmin']) {
$hasMenuAccess = true;
} else {
$hasMenuAccess = userSectionAccess($row['tableName']) >= 3;
}
// accessLevel: viewer or better
if (!$hasMenuAccess) {
continue;
}
// don't display if user doesn't have access
$rowHtml = '';
// show menu groups
if ($row['menuType'] == 'menugroup') {
$rowHtml .= _openMenuGroupList($row['menuName'], $row['isSelected']);
} else {
$rowHtml .= _openMenuGroupList('', $row['isSelected'], true);
$class = $row['isSelected'] ? 'current ' : '';
$style = "";
$menuName = htmlencode($row['menuName']);
if (@$row['_indent']) {
$class .= 'indented_menu';
}
if (@$row['tableName'] == '_error_log' && @$row['recordCount'] > 0) {
$style .= 'color: #F55;';
}
// highlight errors
$jsEscapedMessage = jsEncode(htmlencode(@$row['linkMessage']));
$onclick = @$row['linkMessage'] ? "onclick=\"alert('{$jsEscapedMessage}');\"" : "";
$target = $row['linkTarget'];
$href = $row['link'];
$rowHtml .= " <li><a class='{$class}' style='{$style}' href='{$href}' {$target} {$onclick}>{$menuName}</a></li>\n";
}
$rowHtml = applyFilters('menulinks_rowHtml', $rowHtml, $row);
$menuLinks .= $rowHtml;
}
//
$menuLinks .= _closeMenuGroupList();
//
return $menuLinks;
}
function displayListColumns($listFields, $record, $options = array())
{
global $CURRENT_USER, $tableName, $schema;
$showView = @$options['isRelatedRecords'] ? @$options['showView'] : !@$schema['_disableView'];
$showModify = @$options['isRelatedRecords'] ? @$options['showModify'] : !@$schema['_disableModify'];
$showErase = @$options['isRelatedRecords'] ? @$options['showErase'] : !@$schema['_disableErase'];
$hasAuthorViewerAccessOnly = userSectionAccess($tableName) == 7;
$hasViewerAccessOnly = userSectionAccess($tableName) == 3;
// remove modify/erase for users with view only access -OR- with Author/Viewer access who don't own the record
if ($hasViewerAccessOnly) {
$showModify = false;
$showErase = false;
}
if ($hasAuthorViewerAccessOnly) {
$showModify = $showModify && ($record['createdByUserNum'] && $record['createdByUserNum'] == $CURRENT_USER['num']);
$showErase = $showErase && ($record['createdByUserNum'] && $record['createdByUserNum'] == $CURRENT_USER['num']);
}
// checkboxes - for "Advanced Commands" pulldown
if (!@$options['isRelatedRecords']) {
print "<td>";
if (@$schema['num']) {
print "<input type='checkbox' name='selectedRecords[]' value='{$record['num']}' class='selectRecordCheckbox' />";
}
print "</td>\n";
}
// category sections - add up/down sorting links and drag field
if (@$schema['menuType'] == 'category' && !@$options['isRelatedRecords']) {
//
$tableNameJsEncoded = jsencode($tableName);
$upClick = "return redirectWithPost('?', {menu:'{$tableNameJsEncoded}', _action:'categoryMove', 'direction':'up', 'num':'{$record['num']}', '_CSRFToken': \$('[name=_CSRFToken]').val()});";
$dnClick = "return redirectWithPost('?', {menu:'{$tableNameJsEncoded}', _action:'categoryMove', 'direction':'down', 'num':'{$record['num']}', '_CSRFToken': \$('[name=_CSRFToken]').val()});";
//
print "<td class='dragger'>";
print "<img src='lib/images/drag.gif' height='6' width='19' title='" . t('Click and drag to change order.') . "' alt='' />";
print "<a href='#' onclick=\"{$upClick}\"><!-- " . t('UP') . ' --></a>';
print "<a href='#' onclick=\"{$dnClick}\"><!-- " . t('DN') . ' --></a>';
print "</td>";
}
// display all other fields
foreach ($listFields as $fieldnameWithSuffix) {
@(list($fieldname, $suffix) = explode(":", $fieldnameWithSuffix));
// to support fieldname:label
if ($fieldnameWithSuffix == 'dragSortOrder') {
if (@$options['isRelatedRecords'] && !@$GLOBALS['SETTINGS']['advanced']['allowRelatedRecordsDragSorting']) {
continue;
}
if ($hasViewerAccessOnly) {
continue;
}
if (!userHasFieldAccess($schema[$fieldname])) {
continue;
}
// skip fields that the user has no access to
}
list($displayValue, $tdAttributes) = _getColumnDisplayValueAndAttributes($fieldname, $record);
$displayValue = applyFilters('listRow_displayValue', $displayValue, $tableName, $fieldname, $record);
$tdAttributes = applyFilters('listRow_tdAttributes', $tdAttributes, $tableName, $fieldname, $record);
print "<td {$tdAttributes}>{$displayValue}</td>\n";
}
### display actions
$actionLinks = '';
// view
if ($showView) {
$viewLink = '?menu=' . htmlencode($tableName) . "&action=view&num=" . @$record['num'];
if (@$options['isRelatedRecords']) {
$viewLink .= "&returnUrl=" . urlencode('?' . $_SERVER['QUERY_STRING']);
}
$actionLinks .= "<a href='{$viewLink}'>" . t('view') . "</a>\n";
}
// modify
if ($showModify) {
$modifyLink = '?menu=' . htmlencode($tableName) . "&action=edit&num=" . @$record['num'];
if (@$options['isRelatedRecords']) {
$modifyLink .= "&returnUrl=" . urlencode('?' . $_SERVER['QUERY_STRING']);
}
$actionLinks .= "<a href='{$modifyLink}'>" . t('modify') . "</a>\n";
}
// erase
if ($showErase) {
$returnArg = @$options['isRelatedRecords'] ? ',' . htmlencode(json_encode('?' . urlencode($_SERVER['QUERY_STRING']))) : '';
$disableErase = $tableName == 'accounts' && $CURRENT_USER['num'] == $record['num'];
$eraseLink = "javascript:confirmEraseRecord('" . htmlencode($tableName) . "','" . @$record['num'] . "'{$returnArg});";
if ($disableErase) {
$actionLinks .= "<span class='disabled'>" . t('erase') . "</span>\n";
} else {
$actionLinks .= "<a href=\"{$eraseLink}\">" . t('erase') . "</a>\n";
}
}
//
$actionLinks = applyFilters('listRow_actionLinks', $actionLinks, $tableName, $record);
// show erase link
print "<td class='listActions'>{$actionLinks}</td>";
}
function _getRecords_preview($schemaIn, $options)
{
global $CURRENT_USER, $schema;
// these globals are used by the functions called below
$schema = $schemaIn;
// get productionRecord from database if 'num' was supplied
$previewNum = intval(@$_REQUEST['preview:num']);
list($productionRecords, ) = getRecords(array('tableName' => @$options['tableName'], 'where' => "num = {$previewNum}", 'ignoreHidden' => true, 'ignorePublishDate' => true, 'ignoreRemoveDate' => true, 'loadPseudoFields' => false, 'loadCreatedBy' => false, 'allowSearch' => false, 'loadUploads' => false));
$productionRecord = @$productionRecords[0];
// security: check access
require_once SCRIPT_DIR . "/lib/admin_functions.php";
require_once SCRIPT_DIR . "/lib/user_functions.php";
require_once SCRIPT_DIR . "/lib/login_functions.php";
$CURRENT_USER = getCurrentUserFromCMS();
// v2.51 support preview even if website membership enabled with different accounts table and separate login
global $hasEditorAccess;
// needed by /lib/common.php _getRecordValuesFromFormInput
$hasEditorAccess = userSectionAccess($options['tableName']) >= 9;
$hasAuthorAccess = userSectionAccess($options['tableName']) >= 6;
$userOwnsRecord = !$productionRecord || $CURRENT_USER['num'] == $productionRecord['createdByUserNum'];
// user is creating record (no num) or is owner
if (!$CURRENT_USER) {
die(t("You must be logged in to use this feature!"));
}
if (!$hasAuthorAccess) {
die(t("You don't have permissions to access this menu."));
}
if (!$hasEditorAccess && !$userOwnsRecord) {
die(sprintf(t("You don't have permission to access these records: %s"), $productionRecord['createdByUserNum']));
}
// build up our record from form input
$record = _getRecordValuesFromFormInput('preview:');
// if this is an existing record, load any fields not supplied by form input
$record['num'] = $previewNum;
if ($productionRecord) {
$record = array_merge($productionRecord, $record);
} else {
$record = _addUndefinedDefaultsToNewRecord($record, getMySqlColsAndType(mysql_escape(getTableNameWithPrefix($options['tableName']))));
}
// if there was no production record available, default some fields
if (@$schema['updatedByUserNum']) {
$record['updatedByUserNum'] = $CURRENT_USER['num'];
}
if (@$schema['updatedDate']) {
$record['updatedDate'] = date('Y-m-d H:i:s');
}
$filenameValue = getFilenameFieldValue($record, @$schema['_filenameFields']);
$record['_filename'] = rtrim($filenameValue, '-');
if (@(!$schema['_detailPage'])) {
$record['_link'] = "javascript:alert('Set Detail Page Url for this section in: Admin > Section Editors > Viewer Urls')";
} elseif (@$options['useSeoUrls']) {
$record['_link'] = PREFIX_URL . @$schema['_detailPage'] . '/' . $filenameValue . $record['num'] . "/";
} else {
$record['_link'] = PREFIX_URL . @$schema['_detailPage'] . '?' . $filenameValue . $record['num'];
}
$rows = array($record);
// Add pseudo-fields
if (@$options['loadPseudoFields']) {
_getRecords_addPseudoFields($rows, $options, $schema);
}
// Add uploads
if (@$options['loadUploads']) {
// single record sections: don't use preSaveTempId so if no record has ever been created yet make sure 'num' is set to 1
_getRecords_addUploadFields($rows, $options, $schema, $_REQUEST['preview:preSaveTempId']);
}
// Add createdBy.fields to records
if (@$options['loadCreatedBy'] && @$schema['createdByUserNum']) {
_getRecords_joinTable($rows, $options, 'accounts');
}
// Add joinTable fields
if (@$options['joinTable']) {
_getRecords_joinTable($rows, $options);
}
// get List Details
$listDetails = array();
if ($options['loadListDetails']) {
$listDetails = _getRecords_getListDetails($options, 1, 1, $schema);
}
return array($rows, $listDetails, $schema);
}
// load libraries
require_once "lib/menus/default/common.php";
require_once file_exists('lib/wysiwyg_custom.php') ? 'lib/wysiwyg_custom.php' : 'lib/wysiwyg.php';
// set globals
global $TABLE_PREFIX, $tableName, $escapedTableName, $action, $schema, $CURRENT_USER, $hasEditorAccess, $hasAuthorAccess, $hasViewerAccess, $hasViewerAccessOnly, $hasAuthorViewerAccess, $isMyAccountMenu, $isSingleMenu;
$isMyAccountMenu = $menu == '_myaccount';
$tableName = $isMyAccountMenu ? 'accounts' : $menu;
$schema = loadSchema($tableName);
$schema = array_merge($schema, getSchemaFields($schema));
// v2.16+, add pseudo-fields name and _tableName to all fieldSchemas. Doing this once here instead of every time in loadSchema() is less expensive
$escapedTableName = mysql_escape($TABLE_PREFIX . $tableName);
$hasEditorAccess = userSectionAccess($tableName) >= 9;
$hasAuthorAccess = userSectionAccess($tableName) >= 6;
$hasViewerAccess = userSectionAccess($tableName) >= 3;
$hasViewerAccessOnly = userSectionAccess($tableName) == 3;
$hasAuthorViewerAccess = userSectionAccess($tableName) >= 7;
$isSingleMenu = @$schema['menuType'] == 'single';
// get action
if ($isSingleMenu && $hasAuthorAccess) {
$_defaultAction = 'edit';
} elseif ($isSingleMenu && $hasViewerAccess) {
$_defaultAction = 'view';
} else {
$_defaultAction = 'list';
}
$action = getRequestedAction($_defaultAction);
//
doAction('section_init', $tableName, $action);
//
_redirectForCustomMenus();
// If file exists, call: /lib/menus/$menu/actionHandler.php
function userHasSectionAuthorViewerAccessOnly($tableName)
{
return userSectionAccess($tableName) == 7;
}