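/**
 * Access-policy hook for contents indexed as searchable documents. If this
 * function does not exist, the search engine assumes access is allowed.
 *
 * When this point is reached we already know that:
 *  - the user is legitimate in the surrounding context
 *  - the user may be a guest, and guest access is allowed to the module
 *  - the function may perform local checks within the module information logic
 *
 * @param string $path       access path to the module script code, relative to $CFG->dirroot.
 *                           It is passed to include_once, so it must come from the search
 *                           index / module registry and never from request input.
 * @param string $itemtype   information subclass: 'user', 'post', 'attachment' or 'standard'
 * @param int    $this_id    item id within the information class denoted by $itemtype
 * @param object $user       record of the user who searches (only ->id is read here)
 * @param int    $group_id   current group used by the user when searching (not used here)
 * @param int    $context_id context id of the indexed item (not used here)
 * @uses $CFG, $DB
 * @return bool true if access is allowed, false otherwise
 */
function user_check_text_access($path, $itemtype, $this_id, $user, $group_id, $context_id) {
    global $CFG, $DB;

    include_once "{$CFG->dirroot}/{$path}/lib.php";

    // Ids only ever reach the DB layer as integers.
    $this_id = (int)$this_id;

    if ($itemtype === 'user') {
        $userrecord = $DB->get_record('user', array('id' => $this_id));

        // A user that no longer exists is rejected instead of being dereferenced.
        if (!$userrecord) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unknown user ";
            }
            return false;
        }

        // we cannot see anything from unconfirmed users, unless we are site admin
        if (!$userrecord->confirmed
                && !has_capability('moodle/site:doanything', get_context_instance(CONTEXT_SYSTEM))) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unconfirmed user ";
            }
            return false;
        }
    } else if ($itemtype === 'post' || $itemtype === 'attachment') {
        $post = $DB->get_record('post', array('id' => $this_id));

        // A post that no longer exists is rejected instead of being dereferenced.
        if (!$post) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unknown post ";
            }
            return false;
        }

        // delegate to the blog visibility check (publish state, ownership, capabilities)
        return blog_user_can_view_user_post($user->id, $post);
    }

    return true;
}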
if ($user->deleted) { print_header(); print_heading(get_string('userdeleted')); print_footer(); die; } if ($USER->id == $filterselect) { if (!has_capability('moodle/blog:create', $sitecontext) and !has_capability('moodle/blog:view', $sitecontext)) { print_error('donothaveblog', 'blog'); } } else { $personalcontext = get_context_instance(CONTEXT_USER, $filterselect); if (!has_capability('moodle/blog:view', $sitecontext) and !has_capability('moodle/user:readuserblogs', $personalcontext)) { print_error('cannotviewuserblog', 'blog'); } if (!blog_user_can_view_user_post($filterselect)) { print_error('cannotviewcourseblog', 'blog'); } } $userid = $filterselect; if (!empty($courseid)) { require_login($courseid); } break; default: print_error('incorrectblogfilter', 'blog'); break; } if (empty($courseid)) { $courseid = SITEID; }
if ($user->deleted) { print_header(); echo $OUTPUT->heading(get_string('userdeleted')); echo $OUTPUT->footer(); die; } if ($USER->id == $userid) { if (!has_capability('moodle/blog:create', $sitecontext) and !has_capability('moodle/blog:view', $sitecontext)) { print_error('donothaveblog', 'blog'); } } else { $personalcontext = get_context_instance(CONTEXT_USER, $userid); if (!has_capability('moodle/blog:view', $sitecontext) and !has_capability('moodle/user:readuserblogs', $personalcontext)) { print_error('cannotviewuserblog', 'blog'); } if (!blog_user_can_view_user_post($userid)) { print_error('cannotviewcourseblog', 'blog'); } } } if (empty($courseid)) { $courseid = SITEID; } if (!empty($postid)) { $filters['post'] = $postid; } if (!empty($courseid)) { $filters['course'] = $courseid; } if (!empty($modid)) { $filters['mod'] = $modid;
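/**
 * Main filter function: fetch the blog entries matching a filter.
 *
 * This is the legacy DB API without parameter binding, so every id that is
 * interpolated into the SQL text below is cast to int first.
 *
 * @param int|string $postid       when non-empty, return only this post (null if missing or not viewable)
 * @param int        $fetchlimit   maximum number of records when $limit is true
 * @param int|string $fetchstart   offset of the first record; '' disables paging
 * @param string     $filtertype   'site', 'course', 'group' or 'user'
 * @param int|string $filterselect id the filter applies to (course, group or user id)
 * @param int|string $tagid        tag id to restrict to; takes precedence over $tag
 * @param string     $tag          tag name to restrict to, resolved to an id by lookup
 * @param string     $sort         ORDER BY body; it is interpolated unescaped, so it must come
 *                                 from code, never from request input
 * @param bool       $limit        whether to apply $fetchstart/$fetchlimit
 * @uses $CFG, $USER
 * @return array|null matching post records (empty array if none), or null for a bad/unviewable $postid
 */
function blog_fetch_entries($postid = '', $fetchlimit = 10, $fetchstart = '', $filtertype = '',
                            $filterselect = '', $tagid = '', $tag = '', $sort = 'lastmodified DESC',
                            $limit = true) {
    global $CFG, $USER;

    /// the post table will be used for other things too
    $typesql = " AND p.module = 'blog' ";

    /// set the tag id for searching
    if ($tagid) {
        $tag = $tagid;
    } else if ($tag) {
        // addslashes() is not a DB-aware escape and the double-quoted literal is MySQL-specific;
        // this API offers no placeholders, so the lookup stays as the legacy code had it.
        $tagrec = get_record_sql('SELECT * FROM ' . $CFG->prefix . 'tag WHERE name LIKE "' . addslashes($tag) . '"');
        if ($tagrec) {
            $tag = $tagrec->id;
        } else {
            $tag = -1; //no records found
        }
    }

    // If we have specified an ID, just return 1 entry.
    if ($postid) {
        $post = get_record('post', 'id', $postid);
        if (!$post) {
            return null; // bad postid
        }
        if (!blog_user_can_view_user_post($post->userid, $post)) {
            return null;
        }
        if ($user = get_record('user', 'id', $post->userid)) {
            $post->email     = $user->email;
            $post->firstname = $user->firstname;
            $post->lastname  = $user->lastname;
        }
        return array($post);
    }

    if ($tag) {
        $tagtablesql = $CFG->prefix . 'tag_instance ti, ';
        $tagquerysql = ' AND ti.itemid = p.id AND ti.tagid = ' . (int)$tag . ' AND ti.itemtype = \'post\' ';
    } else {
        $tagtablesql = '';
        $tagquerysql = '';
    }

    if (isloggedin() && !has_capability('moodle/legacy:guest', get_context_instance(CONTEXT_SYSTEM), $USER->id, false)) {
        $permissionsql = 'AND (p.publishstate = \'site\' OR p.publishstate = \'public\' OR p.userid = ' . (int)$USER->id . ')';
    } else {
        $permissionsql = 'AND p.publishstate = \'public\'';
    }

    // fix for MDL-9165, use with readuserblogs capability in a user context can read that user's private blogs
    // admins can see all blogs regardless of publish states, as described on the help page
    if (has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_SYSTEM))) {
        $permissionsql = '';
    } else if ($filtertype == 'user'
            && has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_USER, $filterselect))) {
        $permissionsql = '';
    }

    /****************************************
     * depending on the type, there are 4   *
     * different possible sqls              *
     ****************************************/
    $requiredfields = 'p.*, u.firstname,u.lastname,u.email';

    if ($filtertype == 'course' && $filterselect == SITEID) { // Really a site
        $filtertype = 'site';
    }

    switch ($filtertype) {
        case 'site':
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'user u'
                 . ' WHERE p.userid = u.id ' . $tagquerysql . ' AND u.deleted = 0 ' . $permissionsql . $typesql;
            break;

        case 'course':
            // all users with a role assigned
            $context = get_context_instance(CONTEXT_COURSE, $filterselect);

            // MDL-10037, hidden users' blogs should not appear
            if (has_capability('moodle/role:viewhiddenassigns', $context)) {
                $hiddensql = '';
            } else {
                $hiddensql = ' AND ra.hidden = 0 ';
            }

            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'role_assignments ra, ' . $CFG->prefix . 'user u'
                 . ' WHERE p.userid = ra.userid ' . $tagquerysql . ' AND ra.contextid ' . get_related_contexts_string($context)
                 . ' AND u.id = p.userid AND u.deleted = 0 ' . $hiddensql . $permissionsql . $typesql;
            break;

        case 'group':
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'groups_members gm, ' . $CFG->prefix . 'user u'
                 . ' WHERE p.userid = gm.userid AND u.id = p.userid ' . $tagquerysql . ' AND gm.groupid = ' . (int)$filterselect
                 . ' AND u.deleted = 0 ' . $permissionsql . $typesql;
            break;

        case 'user':
            // a hack to publish some blogs openly. Uses $CFG->openblogs = array(44, 322); in config.php
            if (isset($CFG->openblogs) && in_array($filterselect, $CFG->openblogs)) {
                $permissionsql = ' AND (p.publishstate = \'site\' OR p.publishstate = \'public\') ';
            }

            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'user u'
                 . ' WHERE p.userid = u.id ' . $tagquerysql . ' AND u.id = ' . (int)$filterselect
                 . ' AND u.deleted = 0 ' . $permissionsql . $typesql;
            break;

        default:
            // Unknown filter type: there is no query to run, so there are no entries.
            return array();
    }

    $limitfrom = 0;
    $limitnum  = 0;
    if ($fetchstart !== '' && $limit) {
        $limitfrom = (int)$fetchstart;
        $limitnum  = (int)$fetchlimit;
    }

    // $sort is appended verbatim; see the docblock.
    $orderby = ' ORDER BY ' . $sort . ' ';

    $records = get_records_sql($SQL . $orderby, $limitfrom, $limitnum);
    if (empty($records)) {
        return array();
    }
    return $records;
}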
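/**
 * Main filter function: fetch the blog entries matching a filter.
 *
 * All ids are passed to the DB layer as bound parameters; only $sort is
 * interpolated into the SQL text.
 *
 * @param int|string $postid       when non-empty, return only this post (null if missing or not viewable)
 * @param int        $fetchlimit   maximum number of records when $limit is true
 * @param int|string $fetchstart   offset of the first record; '' disables paging
 * @param string     $filtertype   'site', 'course', 'group' or 'user'
 * @param int|string $filterselect id the filter applies to (course, group or user id)
 * @param int|string $tagid        tag id to restrict to; takes precedence over $tag
 * @param string     $tag          tag name to restrict to, resolved to an id by lookup
 * @param string     $sort         ORDER BY body; it is interpolated unescaped, so it must come
 *                                 from code, never from request input
 * @param bool       $limit        whether to apply $fetchstart/$fetchlimit
 * @uses $CFG, $USER, $DB
 * @return array|null matching post records (empty array if none), or null for a bad/unviewable $postid
 */
function blog_fetch_entries($postid = '', $fetchlimit = 10, $fetchstart = '', $filtertype = '',
                            $filterselect = '', $tagid = '', $tag = '', $sort = 'lastmodified DESC',
                            $limit = true) {
    global $CFG, $USER, $DB;

    /// the post table will be used for other things too
    $typesql = "AND p.module = 'blog'";

    /// set the tag id for searching
    if ($tagid) {
        $tag = $tagid;
    } else if ($tag) {
        $tagrec = $DB->get_record_sql("SELECT * FROM {tag} WHERE name LIKE ?", array($tag));
        // -1 matches no tag instance, so an unknown tag name yields no entries
        $tag = $tagrec ? $tagrec->id : -1;
    }

    // If we have specified an ID, just return 1 entry.
    if ($postid) {
        $post = $DB->get_record('post', array('id' => $postid));
        if (!$post) {
            return null; // bad postid
        }
        if (!blog_user_can_view_user_post($post->userid, $post)) {
            return null;
        }
        if ($user = $DB->get_record('user', array('id' => $post->userid))) {
            $post->email     = $user->email;
            $post->firstname = $user->firstname;
            $post->lastname  = $user->lastname;
        }
        return array($post);
    }

    $params = array();

    if ($tag) {
        $tagtablesql = ", {tag_instance} ti";
        $tagquerysql = "AND ti.itemid = p.id AND ti.tagid = :tag AND ti.itemtype = 'post'";
        $params['tag'] = $tag;
    } else {
        $tagtablesql = '';
        $tagquerysql = '';
    }

    if (isloggedin() && !has_capability('moodle/legacy:guest', get_context_instance(CONTEXT_SYSTEM), $USER->id, false)) {
        $permissionsql = "AND (p.publishstate = 'site' OR p.publishstate = 'public' OR p.userid = :userid)";
        $params['userid'] = $USER->id;
    } else {
        $permissionsql = "AND p.publishstate = 'public'";
    }

    // fix for MDL-9165, use with readuserblogs capability in a user context can read that user's private blogs
    // admins can see all blogs regardless of publish states, as described on the help page
    if (has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_SYSTEM))) {
        $permissionsql = '';
    } else if ($filtertype === 'user'
            && has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_USER, $filterselect))) {
        $permissionsql = '';
    }

    /****************************************
     * depending on the type, there are 4   *
     * different possible sqls              *
     ****************************************/
    $requiredfields = "p.*, u.firstname,u.lastname,u.email";

    if ($filtertype === 'course' && $filterselect == SITEID) { // Really a site
        $filtertype = 'site';
    }

    switch ($filtertype) {
        case 'site':
            $SQL = "SELECT {$requiredfields}\n FROM {post} p, {user} u {$tagtablesql}\n WHERE p.userid = u.id {$tagquerysql}\n AND u.deleted = 0\n {$permissionsql} {$typesql}";
            break;

        case 'course':
            // all users with a role assigned
            $context = get_context_instance(CONTEXT_COURSE, $filterselect);

            // MDL-10037, hidden users' blogs should not appear
            if (has_capability('moodle/role:viewhiddenassigns', $context)) {
                $hiddensql = '';
            } else {
                $hiddensql = 'AND ra.hidden = 0';
            }

            $SQL = "SELECT {$requiredfields}\n FROM {post} p, {user} u, {role_assignments} ra {$tagtablesql}\n WHERE p.userid = ra.userid {$tagquerysql}\n AND ra.contextid " . get_related_contexts_string($context) . "\n AND u.id = p.userid\n AND u.deleted = 0\n {$hiddensql} {$permissionsql} {$typesql}";
            break;

        case 'group':
            $SQL = "SELECT {$requiredfields}\n FROM {post} p, {user} u, {groups_members} gm {$tagtablesql}\n WHERE p.userid = gm.userid AND u.id = p.userid {$tagquerysql}\n AND gm.groupid = :groupid\n AND u.deleted = 0\n {$permissionsql} {$typesql}";
            $params['groupid'] = $filterselect;
            break;

        case 'user':
            $SQL = "SELECT {$requiredfields}\n FROM {post} p, {user} u {$tagtablesql}\n WHERE p.userid = u.id {$tagquerysql}\n AND u.id = :uid\n AND u.deleted = 0\n {$permissionsql} {$typesql}";
            $params['uid'] = $filterselect;
            break;

        default:
            // Unknown filter type: there is no query to run, so there are no entries.
            return array();
    }

    $limitfrom = 0;
    $limitnum  = 0;
    if ($fetchstart !== '' && $limit) {
        $limitfrom = (int)$fetchstart;
        $limitnum  = (int)$fetchlimit;
    }

    // $sort is not a bound parameter; see the docblock.
    $orderby = "ORDER BY {$sort}";

    $records = $DB->get_records_sql("{$SQL} {$orderby}", $params, $limitfrom, $limitnum);
    if (empty($records)) {
        return array();
    }
    return $records;
}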