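/**
 * Access-policy hook for contents indexed as searchable documents. If this
 * function does not exist, the search engine assumes access is allowed.
 * When this point is reached, we already know that:
 * - the user is legitimate in the surrounding context
 * - the user may be a guest and guest access is allowed to the module
 * - the function may perform local checks within the module information logic
 *
 * Every lookup here fails closed: when the referenced user or post record
 * cannot be loaded the function returns false instead of letting a PHP
 * warning on a missing record decide the outcome.
 *
 * @param string $path the access path to the module script code, relative to
 *                     $CFG->dirroot; its lib.php is included from here, so the
 *                     value must be a trusted module path, never request input
 * @param string $itemtype the information subclass: 'user', 'post' or
 *                         'attachment' get a dedicated check, anything else
 *                         (e.g. 'standard') is allowed
 * @param int $this_id the item id within the information class denoted by
 *                     $itemtype (a user id for 'user', a post id for 'post'
 *                     and 'attachment')
 * @param object $user the user record denoting the user who searches
 * @param int $group_id the current group used by the user when searching
 *                      (not consulted by this module)
 * @param int $context_id the id of the context the search was issued in
 *                        (not consulted by this module)
 * @uses $CFG, $DB
 * @return bool true if access is allowed, false otherwise
 */
function user_check_text_access($path, $itemtype, $this_id, $user, $group_id, $context_id)
{
    global $CFG, $DB;

    include_once "{$CFG->dirroot}/{$path}/lib.php";

    if ($itemtype === 'user') {
        $userrecord = $DB->get_record('user', array('id' => $this_id));
        if (!$userrecord) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unknown user ";
            }
            return false;
        }
        // Nothing of an unconfirmed account is visible, except to site administrators.
        if (!$userrecord->confirmed
                and !has_capability('moodle/site:doanything', get_context_instance(CONTEXT_SYSTEM))) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unconfirmed user ";
            }
            return false;
        }
        return true;
    }

    if ($itemtype === 'post' || $itemtype === 'attachment') {
        $post = $DB->get_record('post', array('id' => $this_id));
        if (!$post) {
            if (!empty($CFG->search_access_debug)) {
                echo "search reject : unknown post ";
            }
            return false;
        }
        // The blog visibility rules already encode who may read a post; delegate to them.
        return blog_user_can_view_user_post($user->id, $post);
    }

    // Other item types carry no extra module-level restriction.
    return true;
}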
        if ($user->deleted) {
            print_header();
            print_heading(get_string('userdeleted'));
            print_footer();
            die;
        }
        if ($USER->id == $filterselect) {
            if (!has_capability('moodle/blog:create', $sitecontext) and !has_capability('moodle/blog:view', $sitecontext)) {
                print_error('donothaveblog', 'blog');
            }
        } else {
            $personalcontext = get_context_instance(CONTEXT_USER, $filterselect);
            if (!has_capability('moodle/blog:view', $sitecontext) and !has_capability('moodle/user:readuserblogs', $personalcontext)) {
                print_error('cannotviewuserblog', 'blog');
            }
            if (!blog_user_can_view_user_post($filterselect)) {
                print_error('cannotviewcourseblog', 'blog');
            }
        }
        $userid = $filterselect;
        if (!empty($courseid)) {
            require_login($courseid);
        }
        break;
    default:
        print_error('incorrectblogfilter', 'blog');
        break;
}
// Fall back to the front-page course when none was supplied; empty() also
// covers the case where $courseid was never set at all.
$courseid = empty($courseid) ? SITEID : $courseid;
    if ($user->deleted) {
        print_header();
        echo $OUTPUT->heading(get_string('userdeleted'));
        echo $OUTPUT->footer();
        die;
    }
    if ($USER->id == $userid) {
        if (!has_capability('moodle/blog:create', $sitecontext) and !has_capability('moodle/blog:view', $sitecontext)) {
            print_error('donothaveblog', 'blog');
        }
    } else {
        $personalcontext = get_context_instance(CONTEXT_USER, $userid);
        if (!has_capability('moodle/blog:view', $sitecontext) and !has_capability('moodle/user:readuserblogs', $personalcontext)) {
            print_error('cannotviewuserblog', 'blog');
        }
        if (!blog_user_can_view_user_post($userid)) {
            print_error('cannotviewcourseblog', 'blog');
        }
    }
}
// Fall back to the front-page course when none was supplied; empty() also
// covers the case where $courseid was never set at all.
$courseid = empty($courseid) ? SITEID : $courseid;

// Only non-empty ids become filter keys (post first, then course); empty()
// keeps this quiet when an id variable was never defined.
$candidatefilters = array(
    'post'   => empty($postid) ? null : $postid,
    'course' => empty($courseid) ? null : $courseid,
);
foreach ($candidatefilters as $filterkey => $filtervalue) {
    if ($filtervalue !== null) {
        $filters[$filterkey] = $filtervalue;
    }
}
if (!empty($modid)) {
    $filters['mod'] = $modid;
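/**
 * Main filter function: fetches blog entries (post rows with the author's
 * firstname, lastname and email attached) according to the requested filter.
 *
 * A non-empty $postid short-circuits everything else and returns that single
 * entry, subject to blog_user_can_view_user_post(). Otherwise the result set is
 * built from the filter type plus the searching user's publish-state
 * permissions.
 *
 * @param int|string $postid a single post id; when non-empty only that entry is returned
 * @param int $fetchlimit maximum number of rows when paging is enabled
 * @param int|string $fetchstart first row to return; '' disables paging
 * @param string $filtertype 'site', 'course', 'group' or 'user'; 'course' with
 *                           SITEID is treated as 'site'; any other value yields
 *                           no entries
 * @param int|string $filterselect the course, group or user id the filter applies to
 * @param int|string $tagid restrict to entries carrying this tag id
 * @param string $tag restrict to entries carrying the tag with this name
 *                    (ignored when $tagid is given)
 * @param string $sort ORDER BY expression; spliced into the query verbatim
 * @param bool $limit whether $fetchstart/$fetchlimit paging applies at all
 * @uses $CFG, $USER
 * @return array|null post records keyed by id (empty array when nothing matches);
 *                    null when $postid is given but unknown or not viewable
 */
function blog_fetch_entries($postid = '', $fetchlimit = 10, $fetchstart = '', $filtertype = '', $filterselect = '', $tagid = '', $tag = '', $sort = 'lastmodified DESC', $limit = true)
{
    global $CFG, $USER;

    /// the post table will be used for other things too
    $typesql = " AND p.module = 'blog' ";

    /// set the tag id for searching
    if ($tagid) {
        $tag = $tagid;
    } elseif ($tag) {
        // NOTE(review): addslashes() is not a general SQL escape and the double-quoted
        // literal is MySQL-specific; this API offers no placeholders. Confirm $tag is
        // not request-derived before relying on this.
        if ($tagrec = get_record_sql('SELECT * FROM ' . $CFG->prefix . 'tag WHERE name LIKE "' . addslashes($tag) . '"')) {
            $tag = $tagrec->id;
        } else {
            $tag = -1; // no records found: a tag id that can never match
        }
    }

    // If we have specified an ID, just return that 1 entry.
    if ($postid) {
        $post = get_record('post', 'id', $postid);
        if (!$post) {
            // bad postid
            return null;
        }
        if (!blog_user_can_view_user_post($post->userid, $post)) {
            return null;
        }
        if ($user = get_record('user', 'id', $post->userid)) {
            $post->email = $user->email;
            $post->firstname = $user->firstname;
            $post->lastname = $user->lastname;
        }
        return array($post);
    }

    // Ids are spliced into the SQL text (no placeholder support in this API), so
    // they are forced to integers first; a non-numeric value then matches nothing.
    if ($tag) {
        $tagtablesql = $CFG->prefix . 'tag_instance ti, ';
        $tagquerysql = ' AND ti.itemid = p.id AND ti.tagid = ' . (int)$tag . ' AND ti.itemtype = \'post\' ';
    } else {
        $tagtablesql = '';
        $tagquerysql = '';
    }

    // Guests only see public entries; everyone else also sees site-wide ones and their own.
    if (isloggedin() && !has_capability('moodle/legacy:guest', get_context_instance(CONTEXT_SYSTEM), $USER->id, false)) {
        $permissionsql = 'AND (p.publishstate = \'site\' OR p.publishstate = \'public\' OR p.userid = ' . (int)$USER->id . ')';
    } else {
        $permissionsql = 'AND p.publishstate = \'public\'';
    }

    // fix for MDL-9165, use with readuserblogs capability in a user context can read that user's private blogs
    // admins can see all blogs regardless of publish states, as described on the help page
    if (has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_SYSTEM))) {
        $permissionsql = '';
    } elseif ($filtertype == 'user' && has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_USER, $filterselect))) {
        $permissionsql = '';
    }

    /****************************************
     * depending on the type, there are 4   *
     * different possible sqls              *
     ****************************************/
    $requiredfields = 'p.*, u.firstname,u.lastname,u.email';

    if ($filtertype == 'course' && $filterselect == SITEID) {
        // Really a site
        $filtertype = 'site';
    }

    switch ($filtertype) {
        case 'site':
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'user u
                        WHERE p.userid = u.id ' . $tagquerysql . '
                        AND u.deleted = 0
                        ' . $permissionsql . $typesql;
            break;

        case 'course':
            // all users with a role assigned
            $context = get_context_instance(CONTEXT_COURSE, $filterselect);
            // MDL-10037, hidden users' blogs should not appear
            if (has_capability('moodle/role:viewhiddenassigns', $context)) {
                $hiddensql = '';
            } else {
                $hiddensql = ' AND ra.hidden = 0 ';
            }
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'role_assignments ra, ' . $CFG->prefix . 'user u
                        WHERE p.userid = ra.userid ' . $tagquerysql . '
                        AND ra.contextid ' . get_related_contexts_string($context) . '
                        AND u.id = p.userid
                        AND u.deleted = 0
                        ' . $hiddensql . $permissionsql . $typesql;
            break;

        case 'group':
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'groups_members gm, ' . $CFG->prefix . 'user u
                        WHERE p.userid = gm.userid AND u.id = p.userid ' . $tagquerysql . '
                          AND gm.groupid = ' . (int)$filterselect . '
                          AND u.deleted = 0
                          ' . $permissionsql . $typesql;
            break;

        case 'user':
            // a hack to publish some blogs openly.  Uses $CFG->openblogs = array(44, 322); in config.php
            if (isset($CFG->openblogs) && in_array($filterselect, $CFG->openblogs)) {
                $permissionsql = ' AND (p.publishstate = \'site\' OR p.publishstate = \'public\') ';
            }
            $SQL = 'SELECT ' . $requiredfields . ' FROM ' . $CFG->prefix . 'post p, ' . $tagtablesql . $CFG->prefix . 'user u
                        WHERE p.userid = u.id ' . $tagquerysql . '
                        AND u.id = ' . (int)$filterselect . '
                        AND u.deleted = 0
                        ' . $permissionsql . $typesql;
            break;

        default:
            // Unknown filter type: there is no statement to run, so report no
            // entries rather than sending an ORDER BY clause on its own.
            return array();
    }

    $limitfrom = 0;
    $limitnum = 0;
    if ($fetchstart !== '' && $limit) {
        $limitfrom = $fetchstart;
        $limitnum = $fetchlimit;
    }

    // NOTE(review): $sort is spliced into the query verbatim; it must come from the
    // caller's own fixed sort expressions, never from request input.
    $orderby = ' ORDER BY ' . $sort . ' ';

    $records = get_records_sql($SQL . $orderby, $limitfrom, $limitnum);
    if (empty($records)) {
        return array();
    }
    return $records;
}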
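/**
 * Main filter function: fetches blog entries (post rows with the author's
 * firstname, lastname and email attached) according to the requested filter.
 *
 * A non-empty $postid short-circuits everything else and returns that single
 * entry, subject to blog_user_can_view_user_post(). Otherwise the result set is
 * built from the filter type plus the searching user's publish-state
 * permissions, with all ids bound as named query parameters.
 *
 * @param int|string $postid a single post id; when non-empty only that entry is returned
 * @param int $fetchlimit maximum number of rows when paging is enabled
 * @param int|string $fetchstart first row to return; '' disables paging
 * @param string $filtertype 'site', 'course', 'group' or 'user'; 'course' with
 *                           SITEID is treated as 'site'; any other value yields
 *                           no entries
 * @param int|string $filterselect the course, group or user id the filter applies to
 * @param int|string $tagid restrict to entries carrying this tag id
 * @param string $tag restrict to entries carrying the tag with this name
 *                    (ignored when $tagid is given)
 * @param string $sort ORDER BY expression; spliced into the query verbatim
 * @param bool $limit whether $fetchstart/$fetchlimit paging applies at all
 * @uses $CFG, $USER, $DB
 * @return array|null post records keyed by id (empty array when nothing matches);
 *                    null when $postid is given but unknown or not viewable
 */
function blog_fetch_entries($postid = '', $fetchlimit = 10, $fetchstart = '', $filtertype = '', $filterselect = '', $tagid = '', $tag = '', $sort = 'lastmodified DESC', $limit = true)
{
    global $CFG, $USER, $DB;

    /// the post table will be used for other things too
    $typesql = "AND p.module = 'blog'";

    /// set the tag id for searching
    if ($tagid) {
        $tag = $tagid;
    } elseif ($tag) {
        // NOTE(review): the name is bound as a LIKE pattern, so '%' and '_' inside a
        // tag name act as wildcards — confirm whether an exact match is intended.
        if ($tagrec = $DB->get_record_sql("SELECT * FROM {tag} WHERE name LIKE ?", array($tag))) {
            $tag = $tagrec->id;
        } else {
            $tag = -1; // no records found: a tag id that can never match
        }
    }

    // If we have specified an ID, just return that 1 entry.
    if ($postid) {
        $post = $DB->get_record('post', array('id' => $postid));
        if (!$post) {
            // bad postid
            return null;
        }
        if (!blog_user_can_view_user_post($post->userid, $post)) {
            return null;
        }
        if ($user = $DB->get_record('user', array('id' => $post->userid))) {
            $post->email = $user->email;
            $post->firstname = $user->firstname;
            $post->lastname = $user->lastname;
        }
        return array($post);
    }

    // Every value that varies per call goes through $params; the SQL text itself
    // only ever contains fixed fragments and named placeholders.
    $params = array();

    if ($tag) {
        $tagtablesql = ", {tag_instance} ti";
        $tagquerysql = "AND ti.itemid = p.id AND ti.tagid = :tag AND ti.itemtype = 'post'";
        $params['tag'] = $tag;
    } else {
        $tagtablesql = '';
        $tagquerysql = '';
    }

    // Guests only see public entries; everyone else also sees site-wide ones and their own.
    if (isloggedin() && !has_capability('moodle/legacy:guest', get_context_instance(CONTEXT_SYSTEM), $USER->id, false)) {
        $permissionsql = "AND (p.publishstate = 'site' OR p.publishstate = 'public' OR p.userid = :userid)";
        $params['userid'] = $USER->id;
    } else {
        $permissionsql = "AND p.publishstate = 'public'";
    }

    // fix for MDL-9165, use with readuserblogs capability in a user context can read that user's private blogs
    // admins can see all blogs regardless of publish states, as described on the help page
    if (has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_SYSTEM))) {
        $permissionsql = '';
    } elseif ($filtertype == 'user' && has_capability('moodle/user:readuserblogs', get_context_instance(CONTEXT_USER, $filterselect))) {
        $permissionsql = '';
    }
    if ($permissionsql === '') {
        // The :userid placeholder is no longer in the query; drop its value too so
        // $params only describes placeholders that are actually present.
        unset($params['userid']);
    }

    /****************************************
     * depending on the type, there are 4   *
     * different possible sqls              *
     ****************************************/
    $requiredfields = "p.*, u.firstname,u.lastname,u.email";

    if ($filtertype == 'course' && $filterselect == SITEID) {
        // Really a site
        $filtertype = 'site';
    }

    switch ($filtertype) {
        case 'site':
            $SQL = "SELECT {$requiredfields}
                      FROM {post} p, {user} u {$tagtablesql}
                     WHERE p.userid = u.id {$tagquerysql}
                           AND u.deleted = 0
                           {$permissionsql} {$typesql}";
            break;

        case 'course':
            // all users with a role assigned
            $context = get_context_instance(CONTEXT_COURSE, $filterselect);
            // MDL-10037, hidden users' blogs should not appear
            if (has_capability('moodle/role:viewhiddenassigns', $context)) {
                $hiddensql = '';
            } else {
                $hiddensql = 'AND ra.hidden = 0';
            }
            $SQL = "SELECT {$requiredfields}
                      FROM {post} p, {user} u, {role_assignments} ra {$tagtablesql}
                     WHERE p.userid = ra.userid {$tagquerysql}
                           AND ra.contextid " . get_related_contexts_string($context) . "
                           AND u.id = p.userid
                           AND u.deleted = 0
                           {$hiddensql} {$permissionsql} {$typesql}";
            break;

        case 'group':
            $SQL = "SELECT {$requiredfields}
                      FROM {post} p, {user} u, {groups_members} gm {$tagtablesql}
                     WHERE p.userid = gm.userid AND u.id = p.userid {$tagquerysql}
                           AND gm.groupid = :groupid
                           AND u.deleted = 0
                           {$permissionsql} {$typesql}";
            $params['groupid'] = $filterselect;
            break;

        case 'user':
            $SQL = "SELECT {$requiredfields}
                      FROM {post} p, {user} u {$tagtablesql}
                     WHERE p.userid = u.id {$tagquerysql}
                           AND u.id = :uid
                           AND u.deleted = 0
                           {$permissionsql} {$typesql}";
            $params['uid'] = $filterselect;
            break;

        default:
            // Unknown filter type: there is no statement to run, so report no
            // entries rather than sending an ORDER BY clause on its own.
            return array();
    }

    $limitfrom = 0;
    $limitnum = 0;
    if ($fetchstart !== '' && $limit) {
        $limitfrom = $fetchstart;
        $limitnum = $fetchlimit;
    }

    // NOTE(review): $sort is the one fragment not bound as a parameter; it is
    // spliced in verbatim and must come from the caller's own fixed sort
    // expressions, never from request input.
    $orderby = "ORDER BY {$sort}";

    $records = $DB->get_records_sql("{$SQL} {$orderby}", $params, $limitfrom, $limitnum);
    if (empty($records)) {
        return array();
    }
    return $records;
}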