} else { $row = db_fetch_array($result); } $from_group_id = $group_id; // Get group_id of the document group containing the doc. $res_group = db_query("SELECT group_id FROM doc_groups WHERE doc_group=" . $row['doc_group']); $object_group_id = db_result($res_group, 0, 'group_id'); // Visual layout should be that of the document group_id $group_id = $object_group_id; // Check permissions for document, then document group if (permission_exist('DOCUMENT_READ', $docid)) { if (!permission_is_authorized('DOCUMENT_READ', $docid, user_getid(), $object_group_id)) { exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied')); } } else { if (!permission_is_authorized('DOCGROUP_READ', $row['doc_group'], user_getid(), $object_group_id)) { exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied')); } } if (user_isloggedin()) { //Insert a new entry in the doc_log table only for restricted documents $sql = "INSERT INTO doc_log(user_id,docid,time) " . "VALUES ('" . user_getid() . "','" . $docid . "','" . time() . "')"; $res_insert = db_query($sql); } // HTML or text files that were copy/pasted are displayed in a Codendi-formatted page. // Uploaded files are always displayed as-is. if (($row['filetype'] == 'text/html' || $row['filetype'] == 'text/plain') && $row['filesize'] == 0) { docman_header(array('title' => $row['title'], 'help' => 'DocumentManager.html')); if ($object_group_id != $from_group_id) { $group_name = util_get_group_name_from_id($object_group_id); print '<H3><span class="feedback">' . $Language->getText('docman_display_doc', 'warning_different_group', array($group_name)) . '</span></H3>';
/**
 * Check whether the given user may read the whole wiki of this project.
 *
 * Delegates to the global permission_is_authorized() with the WIKI_READ
 * permission type; the project id is used both as the object id and as the
 * project the object belongs to.
 *
 * checkPermissions - Public
 * @param int $uid User identifier
 * @return bool Is the given user allowed to access the Wiki
 */
function isAutorized($uid)
{
    return permission_is_authorized('WIKI_READ', $this->gid, $uid, $this->gid);
}
/**
 * Thin wrapper around the global permission_is_authorized().
 *
 * The unqualified call below resolves to the global function, not to this
 * method: PHP only dispatches to a method through $this-> or self::. Keeping
 * the check behind a method presumably lets subclasses or tests override it.
 *
 * @param string $type          Permission type
 * @param int    $transition_id Object (transition) id the permission applies to
 * @param int    $user_id       User to check
 * @param int    $group_id      Project the object belongs to
 * @return bool
 */
protected function permission_is_authorized($type, $transition_id, $user_id, $group_id)
{
    // Make sure the global permission API is loaded before delegating.
    include_once 'www/project/admin/permissions.php';
    $is_authorized = permission_is_authorized($type, $transition_id, $user_id, $group_id);
    return $is_authorized;
}
/**
 * _getPackagesForUser
 *
 * Return the active releases the given user is allowed to see, at most one
 * per package. The query is ordered by package rank then release date/id
 * descending, so the release kept for a package is the first authorized one
 * in that order. A release is kept when the user can read its package
 * (FRSPackageFactory::userCanRead) and additionally passes the RELEASE_READ
 * permission when one is defined on the release, or PACKAGE_READ otherwise.
 *
 * @param int $user_id User to check permissions for
 * @return array list of array('package_name', 'release_name', 'release_id', 'package_id')
 */
function _getPackagesForUser($user_id)
{
    $frspf    = $this->getFRSPackageFactory();
    $group_id = $this->getGroupId();
    $packages = array();
    // Packages already represented in $packages, keyed by package id.
    $seen_packages = array();

    // NOTE(review): the status_id literal below carries a stray leading space (' <id>');
    // MySQL presumably coerces it to the integer, but it should be cleaned up at the source.
    $sql = "SELECT frs_package.package_id,frs_package.name AS package_name,frs_release.name AS release_name,frs_release.release_id AS release_id,frs_release.release_date AS release_date "
        . "FROM frs_package,frs_release "
        . "WHERE frs_package.package_id=frs_release.package_id "
        . "AND frs_package.group_id='" . db_ei($group_id) . "' "
        . "AND frs_release.status_id=' " . db_ei($frspf->STATUS_ACTIVE) . "' "
        . "ORDER BY frs_package.rank,frs_package.package_id,frs_release.release_date DESC, frs_release.release_id DESC";
    $res_files  = db_query($sql);
    $rows_files = db_numrows($res_files);
    if (!$res_files || $rows_files < 1) {
        return $packages;
    }

    for ($f = 0; $f < $rows_files; $f++) {
        $package_id = db_result($res_files, $f, 'package_id');
        $release_id = db_result($res_files, $f, 'release_id');

        if (!$frspf->userCanRead($group_id, $package_id, $user_id)) {
            continue;
        }
        // Only the first authorized release of a package is reported.
        if (!empty($seen_packages[$package_id])) {
            continue;
        }
        // A permission set directly on the release overrides the package one.
        if (permission_exist('RELEASE_READ', $release_id)) {
            $authorized = permission_is_authorized('RELEASE_READ', $release_id, $user_id, $group_id);
        } else {
            $authorized = permission_is_authorized('PACKAGE_READ', $package_id, $user_id, $group_id);
        }
        if (!$authorized) {
            continue;
        }

        $packages[] = array(
            'package_name' => db_result($res_files, $f, 'package_name'),
            'release_name' => db_result($res_files, $f, 'release_name'),
            'release_id'   => $release_id,
            'package_id'   => $package_id,
        );
        $seen_packages[$package_id] = true;
    }
    return $packages;
}
/**
 * Tell whether the given user may read this wiki page.
 *
 * When the page is referenced from the document manager ($this->referenced),
 * the decision is delegated to the 'userCanAccessWikiDocument' event: access
 * is denied unless a listener sets 'canAccess'. Otherwise the wiki read
 * permission is checked, but only when one is explicitly defined on the
 * page; a page without its own permission is readable.
 *
 * @param int $uid User identifier
 * @return bool
 */
public function isAutorized($uid)
{
    if ($this->referenced) {
        // Docman owns the decision for referenced pages; deny by default.
        $userCanAccess = false;
        $eM =& EventManager::instance();
        $eM->processEvent('userCanAccessWikiDocument', array(
            'canAccess' => &$userCanAccess,
            'wiki_page' => $this->pagename,
            'group_id'  => $this->gid,
        ));
        return (bool) $userCanAccess;
    }

    if (!$this->permissionExist()) {
        return true;
    }
    return (bool) permission_is_authorized(Wiki_PermissionsManager::WIKI_PERMISSION_READ, $this->id, $uid, $this->gid);
}
/**
 * userCanDownload : determine if the user can download the file or not
 *
 * WARNING : for the moment, user can download the file if the user can view the package and can view the release the file belongs to.
 * Site administrators (isSuperUser) may always download; a deleted file can never be downloaded.
 * A permission set directly on the release takes precedence over the package permission.
 *
 * @param int $user_id the ID of the user. If $user_id is 0, then we take the current user.
 * @return bool true if the user has permissions to download the file, false otherwise
 */
function userCanDownload($user_id = 0)
{
    if ($user_id == 0) {
        $user_id = user_getid();
    }

    $user = UserManager::instance()->getUserById($user_id);
    if ($user && $user->isSuperUser()) {
        return true;
    }

    if ($this->isDeleted()) {
        return false;
    }

    $group_id = $this->getGroup()->getID();
    if (permission_exist('RELEASE_READ', $this->getReleaseID())) {
        return (bool) permission_is_authorized('RELEASE_READ', $this->getReleaseID(), $user_id, $group_id);
    }
    return (bool) permission_is_authorized('PACKAGE_READ', $this->getPackageID(), $user_id, $group_id);
}
/**
 * Return true if user can do "$permissionType" on "$objectId"
 *
 * Note: this method is not useable in trackerV2 because it doesn't use "instances" parameter of getUgroups.
 *
 * @param String  $permissionType Permission nature
 * @param String  $objectId       Object to test
 * @param Integer $groupId        Project the object belongs to
 *
 * @return Boolean
 */
public function hasPermission($permissionType, $objectId, $groupId)
{
    // The user being tested is this object itself: its id is passed as the user id.
    $userId = $this->getId();
    return permission_is_authorized($permissionType, $objectId, $userId, $groupId);
}
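/**
 * Display the list of documents of a project, grouped by document group,
 * on the Docman welcome page.
 *
 * A document group is shown when the user may read the group itself
 * (DOCGROUP_READ, or membership in the project admins 'A' / Docman admins
 * 'D2'), or when the group holds at least one document the user may read
 * through a document-level DOCUMENT_READ permission. Inside a group, a
 * document with its own DOCUMENT_READ permission is filtered on that
 * permission; a document without one inherits the group decision. Admins
 * additionally get an edit-permissions link next to each item that carries
 * an explicit permission, unless the printer-version flag is set.
 *
 * @param int  $group_id Project identifier
 * @param bool $pv       Printer version: when true the permission-edit links
 *                       are omitted. Optional; earlier versions read an
 *                       undefined local here, which behaved like false.
 * @return void Output is printed directly.
 */
function display_doc_list($group_id, $pv = false)
{
    global $Language;

    // Document groups owned by this project. group_id is an integer column:
    // escape it with db_ei as the other queries do instead of interpolating
    // the raw value.
    $query = "select * "
        . "from doc_groups "
        . "where group_id = " . db_ei($group_id) . " "
        . "order by group_rank, groupname";
    $result        = db_query($query);
    $doc_displayed = 0;

    if (db_numrows($result) > 0) {
        // Project admins and Docman admins see every group and may edit permissions.
        $authorized_user = user_ismember($group_id, 'D2') || user_ismember($group_id, 'A');

        while ($row = db_fetch_array($result)) {
            $doc_group              = $row['doc_group'];
            $authorized             = false;
            $authorized_on_docgroup = false;

            if ($authorized_user || permission_is_authorized('DOCGROUP_READ', $doc_group, user_getid(), $group_id)) {
                $authorized             = true;
                $authorized_on_docgroup = true;
            } else {
                // Not readable as a group: keep it if at least one of its documents
                // carries its own DOCUMENT_READ permission granting access
                // (a document permission, when set, overrides the group permission).
                $sql2 = "SELECT * FROM doc_data WHERE doc_group=" . db_ei($doc_group);
                $res2 = db_query($sql2);
                if (db_numrows($res2) > 0) {
                    while ($row2 = db_fetch_array($res2)) {
                        if (permission_exist('DOCUMENT_READ', $row2['docid'])
                            && permission_is_authorized('DOCUMENT_READ', $row2['docid'], user_getid(), $group_id)) {
                            $authorized = true;
                            break;
                        }
                    }
                }
            }

            if (!$authorized) {
                continue;
            }

            // Documents of the group, in rank order.
            $query = "select description, docid, title, doc_group "
                . "from doc_data "
                . "where doc_group = '" . db_ei($doc_group) . "' ";
            $query .= " order by rank";
            $subresult = db_query($query);
            if (db_numrows($subresult) < 1) {
                continue;
            }

            print "<p><b>" . $row['groupname'] . "</b>";
            if ($authorized_user && !$pv && permission_exist('DOCGROUP_READ', $doc_group)) {
                print ' <a href="/docman/admin/editdocgrouppermissions.php?doc_group=' . $doc_group . '&group_id=' . $group_id . '"><img src="' . util_get_image_theme("ic/lock.png") . '" border="0"></a>';
            }
            print "\n<ul>\n";

            while ($subrow = db_fetch_array($subresult)) {
                if (permission_exist('DOCUMENT_READ', $subrow['docid'])) {
                    // Document-level permission overrides the group decision.
                    if (!permission_is_authorized('DOCUMENT_READ', $subrow['docid'], user_getid(), $group_id)) {
                        continue;
                    }
                } elseif (!$authorized_on_docgroup) {
                    // No document permission: the group permission applies.
                    continue;
                }
                // LJ We want the title and the description to
                // possibly contain HTML but NOT php code
                // NOTE(review): the title is decoded and only tag-stripped before being placed in a
                // quoted attribute, so a double quote in a title would end the title="" attribute early.
                print "<li><a href=\"/docman/display_doc.php?docid=" . $subrow['docid'] . "&group_id=" . $group_id . "\" title=\"" . $subrow['docid'] . " - " . strip_tags(util_unconvert_htmlspecialchars($subrow['title'])) . "\">";
                print util_unconvert_htmlspecialchars($subrow['title']);
                print "</a>\n";
                if ($authorized_user && !$pv && permission_exist('DOCUMENT_READ', $subrow['docid'])) {
                    print ' <a href="/docman/admin/editdocpermissions.php?docid=' . $subrow['docid'] . '&group_id=' . $group_id . '"><img src="' . util_get_image_theme("ic/lock.png") . '" border="0"></a>';
                }
                print "<BR><i>" . $Language->getText('docman_index', 'description') . ":</i> ";
                print util_unconvert_htmlspecialchars($subrow['description']);
                $doc_displayed++;
            }
            print "</ul>\n\n";
        }
    }

    if ($doc_displayed < 1) {
        print "<b>" . $Language->getText('docman_index', 'nodoc') . "</b><p>";
    }
}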
/**
 * Check whether the current user may read the piece of news attached to a forum.
 *
 * News requested through the site-wide news group ($GLOBALS['sys_news_group'])
 * are looked up to find the project they really belong to: when that project
 * is private the news is hidden outright. Otherwise the NEWS_READ permission
 * is applied when one is defined on the forum; a forum without a specific
 * permission is readable.
 *
 * @param int $forum_id Forum the news is attached to
 * @param int $group_id Project id the request was made for
 * @return bool
 */
function news_check_permission($forum_id, $group_id)
{
    if ($group_id == $GLOBALS['sys_news_group']) {
        // Resolve the real project of the news and refuse private ones early.
        $sql = "SELECT g.access FROM news_bytes AS n INNER JOIN groups AS g USING(group_id) WHERE n.forum_id = " . db_ei($forum_id);
        $res = db_query($sql);
        if ($res && db_numrows($res)) {
            $row = db_fetch_array($res);
            if ($row['access'] === Project::ACCESS_PRIVATE) {
                return false;
            }
        }
    }

    // No forum-specific permission means the news is readable by default.
    if (!permission_exist('NEWS_READ', $forum_id)) {
        return true;
    }
    return permission_is_authorized('NEWS_READ', $forum_id, user_getid(), $group_id) ? true : false;
}
/**
 * Tell whether the given user may read this wiki attachment.
 *
 * An attachment without an explicit permission is readable; otherwise the
 * PHPWIKIATTACHMENT_READ permission is checked for the user in the
 * attachment's project.
 *
 * @access public
 * @param int $uid User identifier
 * @return bool
 */
public function isAutorized($uid)
{
    require_once 'www/project/admin/permissions.php';
    if (!$this->permissionExist()) {
        return true;
    }
    return (bool) permission_is_authorized('PHPWIKIATTACHMENT_READ', $this->id, $uid, $this->gid);
}
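// require_once 'pre.php';
require_once 'www/project/admin/permissions.php';

// Fetch the document. docid is an integer column: escape it with db_ei (as the
// other queries do) instead of interpolating the raw request value.
$sql    = "SELECT description,data,filename,filesize,filetype,doc_group FROM doc_data WHERE docid='" . db_ei($docid) . "'";
$result = db_query($sql);
if ($result && db_numrows($result) > 0) {
    $row = db_fetch_array($result);

    // Get group_id of the document group containing the doc.
    $res_group       = db_query("SELECT group_id FROM doc_groups WHERE doc_group=" . db_ei($row['doc_group']));
    $object_group_id = db_result($res_group, 0, 'group_id');

    // Check permissions: a permission set on the document itself wins over
    // the one set on its document group.
    if (permission_exist('DOCUMENT_READ', $docid)) {
        $authorized = permission_is_authorized('DOCUMENT_READ', $docid, user_getid(), $object_group_id);
    } else {
        $authorized = permission_is_authorized('DOCGROUP_READ', $row['doc_group'], user_getid(), $object_group_id);
    }
    if (!$authorized) {
        exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied'));
    }

    if ($row['filesize'] == 0) {
        // Nothing stored to download (copy/pasted documents have no file).
        exit_error($Language->getText('global', 'error'), $Language->getText('docman_download', 'error_nofile'));
    } else {
        // Download the patch with the correct filetype.
        // NOTE(review): 'filetype' and 'filename' come from the database, i.e. from whoever
        // uploaded the document. A text/html filetype served without an 'attachment'
        // disposition is rendered inline by the browser, and a filename containing a
        // double quote breaks the Content-Disposition value; consider normalising both.
        header('Content-Type: ' . $row['filetype']);
        header('Content-Length: ' . $row['filesize']);
        header('Content-Disposition: filename="' . $row['filename'] . '"');
        echo $row['data'];
    }
} else {
    exit_error($Language->getText('global', 'error'), $Language->getText('docman_download', 'error_nodoc', array($docid)));
}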
/**
 * Delegate to the global permission_is_authorized().
 *
 * The unqualified call resolves to the global function, not to this method:
 * PHP only dispatches to a method through $this-> or self::. Keeping the
 * check behind a method presumably lets subclasses or tests override it.
 *
 * @param string $type          Permission type
 * @param int    $transition_id Object (transition) id the permission applies to
 * @param int    $user_id       User to check
 * @param int    $group_id      Project the object belongs to
 * @return bool
 */
protected function permission_is_authorized($type, $transition_id, $user_id, $group_id)
{
    $is_authorized = permission_is_authorized($type, $transition_id, $user_id, $group_id);
    return $is_authorized;
}
/**
 * Check whether the current user may access the forum attached to a news item.
 *
 * The project is taken from the news_bytes row of the forum, because the
 * group_id request variable is not set when the forum is reached from the
 * Summary page (Latest News section). When no news references the forum
 * the function returns true: no news-specific restriction applies.
 *
 * @param int $forum_id Forum identifier
 * @return bool
 */
function forum_utils_news_access($forum_id)
{
    $qry1 = "SELECT group_id FROM news_bytes WHERE forum_id=" . db_ei($forum_id);
    $res1 = db_query($qry1);
    if (!($res1 && db_numrows($res1) > 0)) {
        // Not a news forum: nothing to check here.
        return true;
    }
    $g_id = db_result($res1, 0, 'group_id');
    return permission_is_authorized('NEWS_READ', intval($forum_id), user_getid(), $g_id);
}
/**
 * Tell whether the given user may read this wiki page.
 *
 * The 'isWikiPageReferenced' event first asks whether the page is referenced
 * from the document manager. If it is, the 'userCanAccessWikiDocument' event
 * decides (denied unless a listener sets 'canAccess'). Otherwise the
 * WIKIPAGE_READ permission is checked, but only when one is explicitly set
 * on the page; a page without its own permission is readable.
 *
 * @access public
 * @param int $uid User identifier
 * @return bool
 */
function isAutorized($uid)
{
    //Check for Docman Perms
    $eM =& EventManager::instance();
    $referenced = false;
    $eM->processEvent('isWikiPageReferenced', array(
        'referenced' => &$referenced,
        'wiki_page'  => $this->pagename,
        'group_id'   => $this->gid,
    ));

    if ($referenced) {
        // Docman owns the decision for referenced pages; deny by default.
        $userCanAccess = false;
        $eM->processEvent('userCanAccessWikiDocument', array(
            'canAccess' => &$userCanAccess,
            'wiki_page' => $this->pagename,
            'group_id'  => $this->gid,
        ));
        return (bool) $userCanAccess;
    }

    if (!$this->permissionExist()) {
        return true;
    }
    return (bool) permission_is_authorized('WIKIPAGE_READ', $this->id, $uid, $this->gid);
}