/**
* Return true is $user has $access_level (R/W) over $object
*
* @param User $user
* @param ApplicationDataObject $object
* @param int $access_level // 1 = read ; 2 = write
* @return unknown
*/
function can_access(User $user, ApplicationDataObject $object, $access_level)
{
try {
if (!$object instanceof ApplicationDataObject) {
throw new Exception(lang('object dnx'));
}
$hookargs = array("user" => $user, "object" => $object, "access_level" => $access_level);
$ret = null;
Hook::fire('can_access', $hookargs, $ret);
if (is_bool($ret)) {
return $ret;
}
if ($object instanceof Comment) {
return can_access($user, $object->getObject(), $access_level);
}
if ($user->isGuest() && $access_level == ACCESS_LEVEL_WRITE) {
return false;
}
if ($object instanceof ProjectFileRevision) {
return can_access($user, $object->getFile(), $access_level);
}
if ($object->columnExists('project_id')) {
$user_id = $user->getId();
if (!$object instanceof ProjectContact && $object->getCreatedById() == $user_id) {
return true;
}
// the user is the creator of the object
if ($object instanceof ProjectDataObject && $object->getProject() instanceof Project && $object->getProject()->getId() == $user->getPersonalProjectId()) {
return true;
}
// The object belongs to the user's personal project
$perms = ObjectUserPermissions::getAllPermissionsByObject($object, $user->getId());
if ($perms && is_array($perms)) {
//if the permissions for the user in the object are specially set
return has_access_level($perms[0], $access_level);
}
$group_ids = GroupUsers::getGroupsCSVsByUser($user_id);
if ($group_ids && $group_ids != '') {
//user belongs to at least one group
$perms = ObjectUserPermissions::getAllPermissionsByObject($object, $group_ids);
if ($perms) {
foreach ($perms as $perm) {
if (has_access_level($perm, $access_level)) {
return true;
}
//there is one group permission that allows the user to access
}
}
}
if ($object instanceof ProjectDataObject && $object->getProject()) {
//if the object has a project assigned to it
$proj_perm = ProjectUsers::findOne(array('conditions' => array('user_id = ? AND project_id = ? ', $user_id, $object->getProject()->getId())));
if ($proj_perm && can_manage_type(get_class($object->manager()), $proj_perm, $access_level)) {
return true;
// if user has permissions over type of object in the project
}
if ($group_ids && $group_ids != '') {
//user belongs to at least one group
$proj_perms = ProjectUsers::findAll(array('conditions' => array('project_id = ' . $object->getProject()->getId() . ' AND user_id in (' . $group_ids . ')')));
if ($proj_perms) {
foreach ($proj_perms as $perm) {
if (can_manage_type(get_class($object->manager()), $perm, $access_level)) {
return true;
}
// if any group has permissions over type of object in the project
}
}
}
}
} else {
// handle object in multiple workspaces
$user_id = $user->getId();
if ($object->getCreatedById() == $user_id) {
return true;
// the user is the creator of the object
}
if ($object instanceof MailContent) {
$acc = MailAccounts::findById($object->getAccountId());
if (!$acc instanceof MailAccount) {
return false;
// it's an email with no account and not created by the user
} else {
if ($access_level == ACCESS_LEVEL_READ && $acc->canView($user) || $access_level == ACCESS_LEVEL_WRITE && $acc->canDelete($user)) {
return true;
}
}
}
$perms = ObjectUserPermissions::getAllPermissionsByObject($object, $user->getId());
if ($perms && is_array($perms)) {
//if the permissions for the user in the object are specially set
return has_access_level($perms[0], $access_level);
}
$group_ids = GroupUsers::getGroupsCSVsByUser($user_id);
if ($group_ids && $group_ids != '') {
//user belongs to at least one group
$perms = ObjectUserPermissions::getAllPermissionsByObject($object, $group_ids);
if ($perms) {
foreach ($perms as $perm) {
if (has_access_level($perm, $access_level)) {
return true;
//there is one group permission that allows the user to access
}
}
}
}
if ($object instanceof ProjectDataObject) {
$ws = $object->getWorkspaces();
foreach ($ws as $w) {
// if the object has a project assigned to it
$proj_perm = ProjectUsers::findOne(array('conditions' => array('user_id = ? AND project_id = ? ', $user_id, $w->getId())));
if ($proj_perm && can_manage_type(get_class($object->manager()), $proj_perm, $access_level)) {
return true;
// if user has permissions over type of object in the project
}
if ($group_ids && $group_ids != '') {
//user belongs to at least one group
$proj_perms = ProjectUsers::findAll(array('conditions' => array('project_id = ' . $w->getId() . ' AND user_id in (' . $group_ids . ')')));
if ($proj_perms) {
foreach ($proj_perms as $perm) {
if (can_manage_type(get_class($object->manager()), $perm, $access_level)) {
return true;
}
// if any group has permissions over type of object in the project
}
}
}
}
}
}
} catch (Exception $e) {
tpl_assign('error', $e);
return false;
}
return false;
}
