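/**
 * Get all views & collections for a (user, group, institution), grouped
 * by their access lists as defined by the accessconf column.
 *
 * Each returned collection/view entry gains:
 *  - 'access'       a description of any start/stop date override
 *  - 'viewid'       one representative view id (a collection's first view)
 *  - 'secreturls'   a count of token-based (secret URL) access records, if any
 *  - 'accessgroups' the visible view_access records; preset rows
 *                   (public/loggedin/friends/...) are keyed by accesstype so
 *                   each appears once, user/group/institution rows are appended
 *
 * The 'public' rows are dropped when the site disables public views, when the
 * owner's institution forbids them, or when the owner is on probation.
 *
 * @param integer $owner       owner user id (null, arrays and ids <= 0 skip the owner lookup)
 * @param integer $group       group id
 * @param integer $institution institution name
 *
 * @return array array('collections' => ..., 'views' => ...)
 */
public static function get_accesslists($owner = null, $group = null, $institution = null) {
    require_once 'institution.php';

    // The owner object is only needed to decide whether 'public' may be shown.
    if (!is_null($owner) && !is_array($owner) && $owner > 0) {
        $ownerobj = new User();
        $ownerobj->find_by_id($owner);
    }

    $data = array();
    list($data['collections'], $data['views']) = self::get_views_and_collections($owner, $group, $institution);

    // Map one representative view id per collection (and every standalone view)
    // back to the $data entry it belongs to, so access records can be attached.
    $viewindex = array();

    // Add strings to describe startdate/stopdate access overrides
    foreach ($data['collections'] as &$collection) {
        $firstview = current($collection['views']);
        $viewindex[$firstview['id']] = array('type' => 'collections', 'id' => $collection['id']);
        $collection['access'] = self::access_override_description($firstview);
        $collection['viewid'] = $firstview['id'];
    }
    unset($collection); // drop the by-reference alias so later writes cannot clobber the last element

    foreach ($data['views'] as &$view) {
        $viewindex[$view['id']] = array('type' => 'views', 'id' => $view['id']);
        $view['access'] = self::access_override_description($view);
        $view['viewid'] = $view['id'];
    }
    unset($view);

    if (empty($viewindex)) {
        return $data;
    }

    // The ids come from our own query results, but the placeholder API cannot
    // express a variable-length IN (...) list, so cast every id to int before it
    // is interpolated into the SQL rather than trusting the array keys as-is.
    $viewids = array_map('intval', array_keys($viewindex));

    // Get view_access records, apart from those with visible = 0 (system access records)
    $accessgroups = get_records_sql_array('
        SELECT va.*, g.grouptype, g.name, g.urlid
        FROM {view_access} va LEFT OUTER JOIN {group} g ON (g.id = va.group AND g.deleted = 0)
        WHERE va.view IN (' . join(',', $viewids) . ')
            AND va.visible = 1
        ORDER BY va.view, va.accesstype, g.grouptype, va.role, g.name, va.group, va.usr',
        array()
    );
    if (!$accessgroups) {
        return $data;
    }

    if (!function_exists('is_probationary_user')) {
        require_once get_config('libroot') . 'antispam.php';
    }

    foreach ($accessgroups as $access) {
        // Remove 'Public' from the list if the owner isn't allowed to have it:
        // site-wide public views off, owner's institution forbids them, or the
        // owner is still on probation (anti-spam).
        if ($access->accesstype === 'public') {
            $publicforbidden = get_config('allowpublicviews') != 1
                || (isset($ownerobj) && !$ownerobj->institution_allows_public_views())
                || (isset($ownerobj) && is_probationary_user($ownerobj->id));
            if ($publicforbidden) {
                continue;
            }
        }

        $vi = $viewindex[$access->view];
        $entry =& $data[$vi['type']][$vi['id']];

        // Secret URLs are only counted, never listed individually.
        if ($access->token) {
            if (!isset($entry['secreturls'])) {
                $entry['secreturls'] = 0;
            }
            $entry['secreturls']++;
            continue;
        }

        // Normalise the row: user/group/institution rows get a concrete id and
        // display details; anything else is a preset keyed by its accesstype.
        $presetkey = null;
        if ($access->usr) {
            $access->accesstype = 'user';
            $access->id = $access->usr;
        }
        else if ($access->group) {
            $access->accesstype = 'group';
            $access->id = $access->group;
            if ($access->role) {
                $access->roledisplay = get_string($access->role, 'grouptype.' . $access->grouptype);
            }
            $access->groupurl = group_homepage_url((object) array('id' => $access->group, 'urlid' => $access->urlid));
        }
        else if ($access->institution) {
            $access->accesstype = 'institution';
            $access->id = $access->institution;
            $access->name = institution_display_name($access->institution);
        }
        else {
            $presetkey = $access->accesstype;
        }

        if ($presetkey) {
            // A preset appears once per view, however many rows match it.
            if (!isset($entry['accessgroups'][$presetkey])) {
                $entry['accessgroups'][$presetkey] = (array) $access;
            }
        }
        else {
            $entry['accessgroups'][] = (array) $access;
        }
    }
    unset($entry);

    return $data;
}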
} else { $elements['grouptype'] = array('type' => 'select', 'title' => get_string('Roles', 'group'), 'options' => $grouptypeoptions, 'defaultvalue' => $group_data->grouptype, 'help' => true); } $elements['invitefriends'] = array('type' => 'switchbox', 'title' => get_string('friendinvitations', 'group'), 'description' => get_string('invitefriendsdescription1', 'group'), 'defaultvalue' => $group_data->invitefriends); $elements['suggestfriends'] = array('type' => 'switchbox', 'title' => get_string('Recommendations', 'group'), 'description' => get_string('suggestfriendsdescription1', 'group'), 'defaultvalue' => $group_data->suggestfriends && ($group_data->open || $group_data->request), 'disabled' => !$group_data->open && !$group_data->request); $elements['pages'] = array('type' => 'html', 'value' => '<h4>' . get_string('content') . '</h4>'); $elements['editroles'] = array('type' => 'select', 'options' => group_get_editroles_options(), 'title' => get_string('editroles1', 'group'), 'description' => get_string('editrolesdescription1', 'group'), 'defaultvalue' => $group_data->editroles, 'help' => true); if ($cancreatecontrolled) { $elements['submittableto'] = array('type' => 'switchbox', 'title' => get_string('allowsubmissions', 'group'), 'description' => get_string('allowssubmissionsdescription1', 'group'), 'defaultvalue' => $group_data->submittableto); $elements['allowarchives'] = array('type' => 'switchbox', 'title' => get_string('allowsarchives', 'group'), 'description' => get_string('allowsarchivesdescription', 'group'), 'defaultvalue' => $group_data->allowarchives, 'disabled' => !$group_data->submittableto, 'help' => true); } else { $form['elements']['submittableto'] = array('type' => 'hidden', 'value' => $group_data->submittableto); $form['elements']['allowarchives'] = array('type' => 'hidden', 'value' => $group_data->allowarchives); } $publicallowed = get_config('createpublicgroups') == 'all' || get_config('createpublicgroups') == 'admins' && $USER->get('admin'); 
$publicallowed = $publicallowed && !is_probationary_user(); if (!$id && !param_exists('pieform_editgroup')) { // If a 'public=0' parameter is passed on the first page load, hide the // public checkbox. The only purpose of this is to allow custom create // group buttons/links which lead to a slightly simplified form. $publicparam = param_integer('public', null); } $ignorepublic = !$publicallowed || isset($publicparam) && $publicparam === 0; if ($cancreatecontrolled || !$ignorepublic) { $elements['visibility'] = array('type' => 'html', 'value' => '<h4>' . get_string('Visibility') . '</h4>'); } $elements['public'] = array('type' => 'switchbox', 'title' => get_string('publiclyviewablegroup', 'group'), 'description' => get_string('publiclyviewablegroupdescription1', 'group'), 'defaultvalue' => $group_data->public, 'help' => true, 'ignore' => $ignorepublic); if ($cancreatecontrolled) { $elements['hidden'] = array('type' => 'switchbox', 'title' => get_string('hiddengroup', 'group'), 'description' => get_string('hiddengroupdescription1', 'group'), 'defaultvalue' => $group_data->hidden); $elements['hidemembers'] = array('type' => 'switchbox', 'title' => get_string('hidemembers', 'group'), 'description' => get_string('hidemembersdescription', 'group'), 'defaultvalue' => $group_data->hidemembers || $group_data->hidemembersfrommembers, 'disabled' => $group_data->hidemembersfrommembers); $elements['hidemembersfrommembers'] = array('type' => 'switchbox', 'title' => get_string('hidemembersfrommembers', 'group'), 'description' => get_string('hidemembersfrommembersdescription1', 'group'), 'defaultvalue' => $group_data->hidemembersfrommembers);
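/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return whether this user is allowed to look at this view.
 *
 * The checks run in a deliberate, security-relevant order:
 *  1. BULKEXPORT short-circuits everything.
 *  2. Logged-out visitors are rejected early when neither public views nor
 *     public profiles are enabled site-wide (no database access needed).
 *  3. For user-owned pages a suspended owner denies access outright, while a
 *     probationary owner or an institution that forbids public pages only
 *     turns the public flags off for this page.
 *  4. Editors, admins reviewing objectionable content, secret-URL tokens
 *     (cookie / MNet / collection cookie) and ordinary view_access records are
 *     then checked in that order. Start/stop date overrides are honoured only
 *     for 'visible' access records; system records (visible = 0) bypass them.
 *
 * @param mixed $view viewid or View to check
 * @param integer $user_id User trying to look at the view (defaults to
 *                         currently logged in user, or null if user isn't logged in)
 *
 * @returns boolean Whether the specified user can look at the specified view.
 */
function can_view_view($view, $user_id = null) {
    global $USER, $SESSION;

    if (defined('BULKEXPORT')) {
        return true;
    }

    $now = time();
    $dbnow = db_format_timestamp($now);

    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    }
    else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            }
            catch (AuthUnknownUserException $e) {
                // Unknown id: carry on with an empty User, which can edit
                // nothing and belongs to no institutions, so it matches nothing.
            }
        }
    }

    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');

    // If the user is logged out and the publicviews & publicprofiles sitewide configs are false,
    // we can deny access without having to hit the database at all
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }

    require_once get_config('libroot') . 'view.php';
    if ($view instanceof View) {
        $view_id = $view->get('id');
    }
    else {
        $view = new View($view_id = $view);
    }

    // If the page belongs to an individual, check for individual-specific overrides
    if ($view->get('owner')) {
        $ownerobj = $view->get_owner_object();

        // Suspended user
        if ($ownerobj->suspendedctime) {
            return false;
        }

        // Probationary user (no public pages or profiles)
        // (setting these here instead of doing a return-false, so that we can do checks for
        // logged-in users later)
        require_once get_config('libroot') . 'antispam.php';
        $onprobation = is_probationary_user($ownerobj->id);
        $publicviews = $publicviews && !$onprobation;
        $publicprofiles = $publicprofiles && !$onprobation;

        // Member of an institution that prohibits public pages
        // (group views and logged in users are not affected by
        // the institution level config for public views)
        $owner = new User();
        $owner->find_by_id($ownerobj->id);
        $publicviews = $publicviews && $owner->institution_allows_public_views();
    }

    // Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }

    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }

    // If the view's owner is suspended, deny access to the view
    if ($view->get('owner')) {
        if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
            return false;
        }
    }

    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }

    // If the page has been marked "objectionable" admins should be able to view
    // it for review purposes.
    if ($view->is_objectionable()) {
        if ($owner = $view->get('owner')) {
            if ($user->is_admin_for_user($owner)) {
                return true;
            }
        }
        else if ($view->get('group') && $user->get('admin')) {
            return true;
        }
    }

    // Overriding start/stop dates are set by the owner to deny access
    // to users who would otherwise be allowed to see the view. However,
    // for some kinds of access (e.g. objectionable content, submitted
    // views), we have to override the override and let the logged in
    // user see it anyway. So we can't return false now, we have to wait
    // till we find out what kind of view_access record is being used.
    $overridestart = $view->get('startdate');
    $overridestop = $view->get('stopdate');
    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow)
        && (empty($overridestop) || $overridestop > $dbnow);

    $access = View::user_access_records($view_id, $user_id);

    if (empty($access)) {
        return false;
    }

    foreach ($access as $a) {
        if ($a->accesstype == 'public' && $allowedbyoverride) {
            if ($publicviews) {
                return true;
            }
            else if ($publicprofiles && $view->get('type') == 'profile') {
                return true;
            }
        }
        else if ($a->token && ($allowedbyoverride || !$a->visible)) {
            // Secret URL. The candidate tokens come from cookies the visitor
            // controls, so compare them as strings with hash_equals(): PHP's
            // loose == would treat numeric-looking tokens as numbers
            // ('1e3' == '1000') and a plain string compare leaks timing.
            $usertoken = get_cookie('viewaccess:' . $view_id);
            if ($publicviews && is_string($usertoken) && hash_equals((string) $a->token, $usertoken)) {
                return true;
            }
            if (!empty($mnettoken) && is_string($mnettoken) && hash_equals((string) $a->token, $mnettoken)) {
                $mnetviewlist = $SESSION->get('mnetviewaccess');
                if (empty($mnetviewlist)) {
                    $mnetviewlist = array();
                }
                $mnetviewlist[$view_id] = true;
                $SESSION->set('mnetviewaccess', $mnetviewlist);
                return true;
            }
            // Don't bother to pull the collection out unless the user actually
            // has some collection access cookies.
            if ($ctokens = get_cookies('caccess:')) {
                $cid = $view->collection_id();
                if ($cid && isset($ctokens[$cid]) && is_string($ctokens[$cid])
                    && hash_equals((string) $a->token, $ctokens[$cid])) {
                    return true;
                }
            }
        }
        else if ($user_id) {
            if ($a->accesstype == 'friends') {
                $owner = $view->get('owner');
                if (!get_field_sql('
                    SELECT COUNT(*) FROM {usr_friend} f
                    WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)',
                    array($owner, $user_id, $user_id, $owner))) {
                    continue;
                }
            }
            else if ($a->institution) {
                // Check if user belongs to the allowed institution
                if (!array_key_exists($a->institution, $user->get('institutions'))) {
                    continue;
                }
            }
            // Visible records respect the owner's start/stop override; system
            // records (visible = 0) are allowed through regardless.
            if (!$allowedbyoverride && $a->visible) {
                continue;
            }
            // The view must have loggedin access, user access for the user
            // or group/role access for one of the user's groups
            return true;
        }
    }

    return false;
}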
global $view, $collection; $viewid = $view->get('id'); if ($collection) { $collection->new_token(); $viewid = reset($collection->get_viewids()); } else { View::new_token($viewid); } redirect('/view/urls.php?id=' . $viewid); } // Determine whether $allownew = get_config('allowpublicviews') && (!$view->get('owner') || $USER->institution_allows_public_views()); // The page belongs to a user in an institution without public views // If the user would be allowed to create new views, check whether they should be prohibited because they're on probation if ($allownew) { $onprobation = get_config('allowpublicviews') && is_probationary_user(); $allownew = !$onprobation; } else { $onprobation = false; } $newform = $allownew ? pieform($newform) : null; $js .= <<<EOF jQuery(function(\$) { \$('.url-open-editform').click(function(e) { e.preventDefault(); \$('#' + this.id + '-form').toggleClass('js-hidden'); }); }); EOF; $smarty = smarty(array('js/zeroclipboard/ZeroClipboard.min.js'), array(), array(), array('sidebars' => true)); $smarty->assign('PAGEHEADING', TITLE);
/**
 * Check for external links and images being posted by a probationary user.
 *
 * Content is acceptable unless probation is enabled site-wide, the text
 * contains external links or images, AND the current user is on probation.
 * The three checks short-circuit in that order, so the per-user lookup only
 * happens when the text actually contains something worth blocking.
 *
 * @param string $text
 * @return BOOLEAN true if the text is okay, false if not
 */
function probation_validate_content($text) {
    return !is_using_probation()
        || !has_external_links_or_images($text)
        || !is_probationary_user();
}
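/**
 * Provides an element to manage a view ACL.
 *
 * Assembles everything form/viewacl.tpl needs: the currently saved access
 * entries (decorated with display names), the presets this user may pick from,
 * and the user's own institutions, groups and favourites as candidate entries.
 * The 'public' preset is offered only when the site allows public views (and
 * the user's institution does) or, for profile pages, public profiles — and
 * never to a user still on probation.
 *
 * @param Pieform $form    The form to render the element for
 * @param array   $element The element to render
 * @return string The HTML for the element
 */
function pieform_element_viewacl(Pieform $form, $element) {
    global $USER, $SESSION, $LANGDIRECTION;

    $strlen = function_exists('mb_strlen') ? 'mb_strlen' : 'strlen';

    $smarty = smarty_core();
    $smarty->left_delimiter = '{{';
    $smarty->right_delimiter = '}}';

    $value = $form->get_value($element);

    // Decide whether the 'public' preset may be offered at all.
    require_once get_config('libroot') . 'antispam.php';
    $public = false;
    if (!is_probationary_user()) {
        if (get_config('allowpublicviews') && $USER->institution_allows_public_views()) {
            $public = true;
        }
        else if (get_config('allowpublicprofiles') && $element['viewtype'] == 'profile') {
            $public = true;
        }
    }

    $allpresets = array('public', 'loggedin', 'friends');
    $allowedpresets = array();
    $loggedinindex = 0;
    if ($public) {
        $allowedpresets[] = 'public';
        $loggedinindex = 1;
    }
    $allowedpresets[] = 'loggedin';
    if ($form->get_property('userview')) {
        $allowedpresets[] = 'friends';
    }

    // Decorate the saved entries with display names. On a fresh render expired
    // entries are hidden; they are deleted for real when the form is saved.
    $accesslist = array();
    if ($value) {
        foreach ($value as $item) {
            if (!is_array($item)) {
                continue;
            }
            if ($item['type'] == 'public') {
                $item['publicallowed'] = (int) $public;
            }
            if (in_array($item['type'], $allpresets, true)) {
                $item['name'] = get_string($item['type'] == 'loggedin' ? 'registeredusers' : $item['type'], 'view');
                $item['preset'] = true;
            }
            else {
                $item['name'] = pieform_render_viewacl_getvaluebytype($item['type'], $item['id']);
            }
            if ($strlen($item['name']) > 30) {
                $item['shortname'] = str_shorten_text($item['name'], 30, true);
            }
            if ($form->is_submitted() || empty($item['stopdate']) || time() <= strtotime($item['stopdate'])) {
                $accesslist[] = $item;
            }
        }
    }
    $defaultaccesslist = $accesslist ? 0 : 1;

    // NOTE(review): institution display names are hsc()'d here but group and
    // favourite names below are not — confirm the template escapes those.
    $myinstitutions = array();
    foreach ($USER->get('institutions') as $i) {
        $myinstitutions[] = array(
            'type' => 'institution', 'id' => $i->institution,
            'start' => null, 'end' => null,
            'name' => hsc($i->displayname), 'preset' => false,
        );
    }

    // Expand the preset names into full entries. array_map avoids the
    // foreach-by-reference idiom, which leaves a dangling alias behind.
    $allowedpresets = array_map(function ($preset) {
        return array(
            'type' => $preset, 'id' => $preset,
            'start' => null, 'end' => null,
            'name' => get_string($preset == 'loggedin' ? 'registeredusers' : $preset, 'view'),
            'preset' => true,
        );
    }, $allowedpresets);

    $allgroups = array(
        'type' => 'allgroups', 'id' => 'allgroups',
        'start' => null, 'end' => null,
        'name' => get_string('allmygroups', 'group'), 'preset' => true,
    );

    $mygroups = array();
    foreach (group_get_user_groups($USER->get('id')) as $g) {
        $group = array(
            'type' => 'group', 'id' => $g->id,
            'start' => null, 'end' => null,
            'name' => $g->name, 'preset' => false,
        );
        if ($strlen($g->name) > 30) {
            $group['shortname'] = str_shorten_text($g->name, 30, true);
        }
        $mygroups[] = $group;
    }

    $faves = array();
    foreach (get_user_favorites($USER->get('id')) as $u) {
        $fave = array(
            'type' => 'user', 'id' => $u->id,
            'start' => null, 'end' => null,
            'name' => $u->name, 'preset' => false,
        );
        if ($strlen($u->name) > 30) {
            $fave['shortname'] = str_shorten_text($u->name, 30, true);
        }
        $faves[] = $fave;
    }

    // Build the datepicker option string: numbers are emitted bare, arrays are
    // emitted as JS array literals (string elements stripped of surrounding
    // single quotes before JSON encoding), everything else JSON-encoded.
    require_once get_config('libroot') . 'pieforms/pieform/elements/calendar.php';
    $options = array(
        'dateFormat' => get_string('calendar_dateFormat', 'langconfig'),
        'timeFormat' => get_string('calendar_timeFormat', 'langconfig'),
        'stepHour' => 1,
        'stepMinute' => 5,
    );
    $options = pieform_element_calendar_get_lang_strings($options, $LANGDIRECTION);
    $datepickeroptionstr = '';
    foreach ($options as $key => $option) {
        if (is_numeric($option)) {
            $datepickeroptionstr .= $key . ': ' . $option . ',';
        }
        else if (is_array($option)) {
            foreach ($option as $k => $v) {
                if (!is_numeric($v)) {
                    if (preg_match('/^\'(.*)\'$/', $v, $match)) {
                        $v = $match[1];
                    }
                    $option[$k] = json_encode($v);
                }
            }
            $option = '[' . implode(',', $option) . ']';
            $datepickeroptionstr .= $key . ': ' . $option . ',';
        }
        else {
            $datepickeroptionstr .= $key . ': ' . json_encode($option) . ',';
        }
    }

    $smarty->assign('datepickeroptions', $datepickeroptionstr);
    $smarty->assign('viewtype', $element['viewtype']);
    $smarty->assign('potentialpresets', json_encode($allowedpresets));
    $smarty->assign('loggedinindex', $loggedinindex);
    $smarty->assign('accesslist', json_encode($accesslist));
    $smarty->assign('defaultaccesslist', $defaultaccesslist);
    $smarty->assign('viewid', $form->get_property('viewid'));
    $smarty->assign('formname', $form->get_property('name'));
    $smarty->assign('myinstitutions', json_encode($myinstitutions));
    $smarty->assign('allowcomments', $element['allowcomments']);
    $smarty->assign('allgroups', json_encode($allgroups));
    $smarty->assign('mygroups', json_encode($mygroups));
    $smarty->assign('faves', json_encode($faves));

    return $smarty->fetch('form/viewacl.tpl');
}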