function getBaseQuery($aOptions)
{
$aCriteriaSet = array('join' => 'AND', 'subgroup' => array(0 => array('join' => 'AND', 'values' => array(1 => array('data' => array('ktcore.criteria.tagcloud' => $this->sTag, 'ktcore.criteria.tagcloud_not' => 0), 'type' => 'ktcore.criteria.tagcloud')))));
$aQuery = KTSearchUtil::criteriaToQuery($aCriteriaSet, $this->oUser, 'ktcore.permissions.read', $aOptions);
return $aQuery;
}
function testConditionOnFolder($oSearch, $oFolder)
{
$oSearch =& KTUtil::getObject('KTSavedSearch', $oSearch);
$iFolderId = KTUtil::getId($oFolder);
/*
* Make a new criteria set, an AND of the existing criteria set
* and the sql statement requiring that D.id be the document id
* given to us.
*/
$aCriteriaSet = array("join" => "AND", "subgroup" => array($oSearch->getSearch(), array("join" => "AND", "values" => array(array("sql" => array("F.id = ?", array($iFolderId)))))));
$aOptions = array('select' => 'COUNT(DISTINCT(F.id)) AS cnt');
$aQuery = KTSearchUtil::criteriaToFolderQuery($aCriteriaSet, null, null, $aOptions);
if (PEAR::isError($aQuery)) {
// caused by no permissions being set.
return false;
}
$cnt = DBUtil::getOneResultKey($aQuery, 'cnt');
if (PEAR::isError($cnt)) {
return $cnt;
}
if (is_null($cnt)) {
return false;
}
if (!is_numeric($cnt)) {
return PEAR::raiseError(_kt("Non-integer returned when looking for count"));
}
return $cnt > 0;
}
function getTransactionsMatchingQuery($oUser, $sJoinClause, $aExternalWhereClauses, $aExternalWhereParams, $aOptions = null)
{
$sSelectItems = 'DTT.name AS transaction_name, U.name AS user_name, DT.version AS version, DT.comment AS comment, DT.datetime AS datetime, D.id as document_id, DT.transaction_namespace as namespace';
$sBaseJoin = "FROM " . KTUtil::getTableName("document_transactions") . " AS DT " . "INNER JOIN " . KTUtil::getTableName("users") . " AS U ON DT.user_id = U.id " . "INNER JOIN " . KTUtil::getTableName("transaction_types") . " AS DTT ON DTT.namespace = DT.transaction_namespace " . "INNER JOIN " . KTUtil::getTableName("documents") . " AS D ON D.id = DT.document_id ";
// now we're almost at partialquery like status.
$perm_res = KTSearchUtil::permissionToSQL($oUser, 'ktcore.permissions.read');
if (PEAR::isError($perm_res)) {
return $perm_res;
}
list($sPermissionString, $aPermissionParams, $sPermissionJoin) = $perm_res;
// compile the final list
$aFinalWhere = kt_array_merge(array($sPermissionString, 'D.creator_id IS NOT NULL'), $aExternalWhereClauses, array('D.status_id = ?'));
$aFinalWhereParams = kt_array_merge($aPermissionParams, $aExternalWhereParams, array(LIVE));
if (!is_array($aOptions)) {
$aOptions = (array) $aOptions;
}
$sOrderBy = KTUtil::arrayGet($aOptions, 'orderby', 'DT.datetime DESC');
// compile these.
// NBM: do we need to wrap these in ()?
$sWhereClause = implode(' AND ', $aFinalWhere);
if (!empty($sWhereClause)) {
$sWhereClause = 'WHERE ' . $sWhereClause;
}
$sQuery = sprintf("SELECT %s %s %s %s %s ORDER BY %s", $sSelectItems, $sBaseJoin, $sPermissionJoin, $sJoinClause, $sWhereClause, $sOrderBy);
//var_dump(array($sQuery, $aFinalWhereParams));
$res = DBUtil::getResultArray(array($sQuery, $aFinalWhereParams));
//var_dump($res); exit(0);
return $res;
}
function _getDocumentQuery($aOptions = null)
{
$oUser = User::get($_SESSION['userID']);
$res = KTSearchUtil::permissionToSQL($oUser, $this->sPermissionName);
if (PEAR::isError($res)) {
return $res;
}
list($sPermissionString, $aPermissionParams, $sPermissionJoin) = $res;
$aPotentialWhere = array($sPermissionString, 'D.folder_id = ?', 'D.status_id = ' . ARCHIVED);
$aWhere = array();
foreach ($aPotentialWhere as $sWhere) {
if (empty($sWhere)) {
continue;
}
if ($sWhere == '()') {
continue;
}
$aWhere[] = $sWhere;
}
$sWhere = '';
if ($aWhere) {
$sWhere = "\tWHERE " . join(' AND ', $aWhere);
}
$sSelect = KTUtil::arrayGet($aOptions, 'select', 'D.id');
$sQuery = sprintf('SELECT %s FROM %s AS D
LEFT JOIN %s AS DM ON D.metadata_version_id = DM.id
LEFT JOIN %s AS DC ON DM.content_version_id = DC.id
%s %s', $sSelect, KTUtil::getTableName('documents'), KTUtil::getTableName('document_metadata_version'), KTUtil::getTableName('document_content_version'), $sPermissionJoin, $sWhere);
$aParams = array();
$aParams = kt_array_merge($aParams, $aPermissionParams);
$aParams[] = $this->folder_id;
return array($sQuery, $aParams);
}
function allowTransition($oDocument, $oUser)
{
if (!$this->isLoaded()) {
return true;
}
$iConditionId = $this->aConfig['condition_id'];
$oCondition = KTSavedSearch::get($this->aConfig['condition_id']);
if (PEAR::isError($oCondition)) {
return true;
// fail safe for cases where the role is deleted.
}
return KTSearchUtil::testConditionOnDocument($iConditionId, $oDocument);
}
/**
* Update's the permission lookup on one folder or document,
* non-recursively.
*/
function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null)
{
$is_a_folder = is_a($oFolderOrDocument, 'Folder');
$is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');
//ensure that the document shortcut is being updated.
if ($is_a_document && $oFolderOrDocument->isSymbolicLink()) {
$oFolderOrDocument->switchToRealCore();
}
$oChannel = null;
$aMapPermAllowed = null;
$oPermLookup = null;
if (!is_null($aOptions)) {
$oChannel = $aOptions['channel'];
$aMapPermAllowed = $aOptions['map_allowed'];
$oPermLookup = $aOptions['perm_lookup'];
}
if (!$is_a_folder && !$is_a_document) {
return;
// we occasionally get handed a PEAR::raiseError. Just ignore it.
}
if (is_null($oChannel)) {
$oChannel =& KTPermissionChannel::getSingleton();
}
if ($is_a_folder) {
$msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
} else {
if (is_a($oFolderOrDocument, 'Document')) {
//modify the message to reflect that a shortcut is begin updated
if ($oFolderOrDocument->isSymbolicLink()) {
$msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
} else {
$msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
}
} else {
$msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
}
}
$oChannel->sendMessage(new KTPermissionGenericMessage($msg));
//var_dump($msg);
$iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
if (empty($iPermissionObjectId)) {
return;
}
$oPO = KTPermissionObject::get($iPermissionObjectId);
if (is_null($aMapPermAllowed)) {
$aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
$aMapPermAllowed = array();
foreach ($aPAs as $oPA) {
$oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
$aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
}
}
if (!$is_a_folder) {
$aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
if (!PEAR::isError($aDynamicConditions)) {
foreach ($aDynamicConditions as $oDynamicCondition) {
$iConditionId = $oDynamicCondition->getConditionId();
if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
$iGroupId = $oDynamicCondition->getGroupId();
$aPermissionIds = $oDynamicCondition->getAssignment();
foreach ($aPermissionIds as $iPermissionId) {
$aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
$aCurrentAllowed['group'][] = $iGroupId;
$aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
}
}
}
}
}
if (!$is_a_folder) {
$oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
$aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
$iPermissionId = $oAssignment->getPermissionId();
$iPermissionDescriptorId = $oAssignment->getDescriptorId();
$oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
$aMapPermAllowed[$iPermissionId] = $aAllowed;
}
}
}
// if we have roles: nearest folder.
$iRoleSourceFolder = null;
if ($is_a_document) {
$iRoleSourceFolder = $oFolderOrDocument->getFolderID();
} else {
$iRoleSourceFolder = $oFolderOrDocument->getId();
}
// very minor perf win: map role_id (in context) to PD.
$_roleCache = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$aAfterRoles = array();
if (array_key_exists('role', $aAllowed)) {
foreach ($aAllowed['role'] as $k => $iRoleId) {
// store the PD <-> RoleId map
// special-case "all" or "authenticated".
if ($iRoleId == -3 || $iRoleId == -4) {
$aAfterRoles[] = $iRoleId;
continue;
}
if (!array_key_exists($iRoleId, $_roleCache)) {
$oRoleAllocation = null;
if ($is_a_document) {
$oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
if (PEAR::isError($oRoleAllocation)) {
$oRoleAllocation = null;
}
}
// if that's null - not set _on_ the document, then
if (is_null($oRoleAllocation)) {
$oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
}
$_roleCache[$iRoleId] = $oRoleAllocation;
}
// roles are _not_ always assigned (can be null at root)
if (!is_null($_roleCache[$iRoleId])) {
$aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
$aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
// naturally, roles cannot be assigned roles, or madness follows.
}
unset($aAllowed['role'][$k]);
}
}
unset($aMapPermAllowed[$iPermissionId]['role']);
if (!empty($aAfterRoles)) {
$aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
}
}
/*
print '<pre>';
print '=======' . $oFolderOrDocument->getName();
print '<br />';
var_dump($aMapPermAllowed);
print '</pre>';
*/
//if (is_null($oPermLookup)) {
$aMapPermDesc = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
$aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
}
$oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
//}
$oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
$oFolderOrDocument->update();
}
function buildQuery($aFolderIds)
{
$sFolderList = implode(', ', $aFolderIds);
// First we get any document shortcuts
$query = "SELECT linked_document_id FROM documents\n WHERE linked_document_id IS NOT NULL\n AND folder_id IN ({$sFolderList})";
$aLinkedDocIds = DBUtil::getResultArrayKey($query, 'linked_document_id');
if (PEAR::isError($aLinkedDocIds) || empty($aLinkedDocIds)) {
$sDocList = '';
} else {
$sDocList = implode(', ', $aLinkedDocIds);
}
// Get the permissions sql
$oUser = User::get($_SESSION['userID']);
$res = KTSearchUtil::permissionToSQL($oUser, $this->sPermissionName);
if (PEAR::isError($res)) {
return $res;
}
list($sPermissionString, $aPermissionParams, $sPermissionJoin) = $res;
// Create the "where" criteria
$sWhere = "WHERE {$sPermissionString} AND (D.folder_id IN ({$sFolderList})";
$sWhere .= !empty($sDocList) ? " OR D.id IN ({$sDocList}))" : ')';
$sWhere .= ' AND D.status_id = 1 AND linked_document_id IS NULL';
// Create the query
$sQuery = "SELECT DISTINCT(D.id) FROM documents AS D\n LEFT JOIN document_metadata_version AS DM ON D.metadata_version_id = DM.id\n LEFT JOIN document_content_version AS DC ON DM.content_version_id = DC.id\n {$sPermissionJoin} {$sWhere}";
return array($sQuery, $aPermissionParams);
}
<?php
require_once '../../config/dmsDefaults.php';
require_once KT_LIB_DIR . '/search/savedsearch.inc.php';
require_once KT_LIB_DIR . '/search/searchutil.inc.php';
$oSearch = KTSavedSearch::getByNamespace('http://ktcvs.local/local/savedsearches/mp3');
$iDocumentId = 96;
var_dump(KTSearchUtil::testConditionOnDocument($oSearch, $iDocumentId));
/**
* Returns the relevant tags for the current user
*
* @return array
*/
function get_relevant_tags()
{
$aUserPermissions = KTSearchUtil::permissionToSQL($this->oUser, null);
if (PEAR::isError($aUserPermissions)) {
return false;
}
list($where, $params, $joins) = $aUserPermissions;
$sql = "\n \t\tSELECT\n \t\t\tTW.tag, count(*) as freq\n \t\tFROM\n \t\t\tdocument_tags DT INNER JOIN tag_words TW ON DT.tag_id=TW.id\n \t\tWHERE DT.document_id in (SELECT D.id FROM documents D {$joins} WHERE {$where} AND D.status_id = '1') GROUP BY TW.tag";
$tags = DBUtil::getResultArray(array($sql, $params));
$aTags = array();
foreach ($tags as $tag) {
$word = $tag['tag'];
$freq = $tag['freq'];
$aTags[$word] = $freq;
}
return $aTags;
}
function do_resolved_users()
{
$this->oPage->setBreadcrumbDetails(_kt("Permissions"));
$oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");
$oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
$aPermissions = KTPermission::getList();
$aMapPermissionGroup = array();
$aMapPermissionRole = array();
$aMapPermissionUser = array();
$aUsers = User::getList();
foreach ($aPermissions as $oPermission) {
$oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
if (PEAR::isError($oPLA)) {
continue;
}
$oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
$iPermissionID = $oPermission->getID();
$aMapPermissionGroup[$iPermissionID] = array();
foreach ($aUsers as $oUser) {
if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
$aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
$aActiveUsers[$oUser->getId()] = true;
}
}
}
// now we constitute the actual sets.
$users = array();
$groups = array();
$roles = array();
// should _always_ be empty, barring a bug in permissions::updatePermissionLookup
// this should be quite limited - direct role -> user assignment is typically rare.
foreach ($aActiveUsers as $id => $marker) {
$oUser = User::get($id);
$users[$oUser->getName()] = $oUser;
}
asort($users);
// ascending, per convention.
$bEdit = false;
$sInherited = '';
$aDynamicControls = array();
$aWorkflowControls = array();
// handle conditions
$iPermissionObjectId = $this->oDocument->getPermissionObjectID();
if (!empty($iPermissionObjectId)) {
$oPO = KTPermissionObject::get($iPermissionObjectId);
$aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
if (!PEAR::isError($aDynamicConditions)) {
foreach ($aDynamicConditions as $oDynamicCondition) {
$iConditionId = $oDynamicCondition->getConditionId();
if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
$aPermissionIds = $oDynamicCondition->getAssignment();
foreach ($aPermissionIds as $iPermissionId) {
$aDynamicControls[$iPermissionId] = true;
}
}
}
}
}
// indicate that workflow controls a given permission
$oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
$aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
$aWorkflowControls[$oAssignment->getPermissionId()] = true;
unset($aDynamicControls[$oAssignment->getPermissionId()]);
}
}
$aTemplateData = array("context" => $this, "permissions" => $aPermissions, "groups" => $groups, "users" => $users, "roles" => $roles, "oDocument" => $this->oDocument, "aMapPermissionGroup" => $aMapPermissionGroup, "aMapPermissionRole" => $aMapPermissionRole, "aMapPermissionUser" => $aMapPermissionUser, "edit" => $bEdit, "inherited" => $sInherited, 'workflow_controls' => $aWorkflowControls, 'conditions_control' => $aDynamicControls);
return $oTemplate->render($aTemplateData);
}
