/**
* Given a post id & the id of an image artefact, check that the logged-in user
* has permission to see the image in the context of the post.
*/
public static function can_see_attached_file($file, $postid)
{
global $USER;
require_once 'group.php';
if (!$file instanceof ArtefactTypeImage) {
return false;
}
$post = get_record_sql('
SELECT
p.body, p.poster, g.id AS groupid, g.public
FROM {interaction_forum_post} p
INNER JOIN {interaction_forum_topic} t ON (t.id = p.topic AND t.deleted = 0)
INNER JOIN {interaction_forum_post} fp ON (fp.parent IS NULL AND fp.topic = t.id)
INNER JOIN {interaction_instance} f ON (t.forum = f.id AND f.deleted = 0)
INNER JOIN {group} g ON (f.group = g.id AND g.deleted = 0)
WHERE p.id = ? AND p.deleted = 0', array($postid));
if (!$post) {
return false;
}
if (!$post->public && !group_user_access($post->groupid, $USER->get('id'))) {
return false;
}
// Check that the author of the post is allowed to publish the file
$poster = new User();
$poster->find_by_id($post->poster);
if (!$poster->can_publish_artefact($file)) {
return false;
}
// Load the post as an html fragment & make sure it has the image in it
$page = new DOMDocument();
libxml_use_internal_errors(true);
$success = $page->loadHTML($post->body);
libxml_use_internal_errors(false);
if (!$success) {
return false;
}
$xpath = new DOMXPath($page);
$srcstart = get_config('wwwroot') . 'artefact/file/download.php?file=' . $file->get('id') . '&';
$query = '//img[starts-with(@src,"' . $srcstart . '")]';
$elements = $xpath->query($query);
if ($elements->length < 1) {
return false;
}
return true;
}