/** * Given a view id, and a user id (defaults to currently logged in user if not * specified) will return wether this user is allowed to look at this view. * * @param mixed $view viewid or View to check * @param integer $user_id User trying to look at the view (defaults to * currently logged in user, or null if user isn't logged in) * * @returns boolean Wether the specified user can look at the specified view. */ function can_view_view($view, $user_id = null) { global $USER, $SESSION; if (defined('BULKEXPORT')) { return true; } $now = time(); $dbnow = db_format_timestamp($now); if ($user_id === null) { $user = $USER; $user_id = $USER->get('id'); } else { $user = new User(); if ($user_id) { try { $user->find_by_id($user_id); } catch (AuthUnknownUserException $e) { } } } $publicviews = get_config('allowpublicviews'); $publicprofiles = get_config('allowpublicprofiles'); // If the user is logged out and the publicviews & publicprofiles sitewide configs are false, // we can deny access without having to hit the database at all if (!$user_id && !$publicviews && !$publicprofiles) { return false; } require_once get_config('libroot') . 'view.php'; if ($view instanceof View) { $view_id = $view->get('id'); } else { $view = new View($view_id = $view); } // If the page belongs to an individual, check for individual-specific overrides if ($view->get('owner')) { $ownerobj = $view->get_owner_object(); // Suspended user if ($ownerobj->suspendedctime) { return false; } // Probationary user (no public pages or profiles) // (setting these here instead of doing a return-false, so that we can do checks for // logged-in users later) require_once get_config('libroot') . 'antispam.php'; $onprobation = is_probationary_user($ownerobj->id); $publicviews = $publicviews && !$onprobation; $publicprofiles = $publicprofiles && !$onprobation; // Member of an institution that prohibits public pages // (group views and logged in users are not affected by // the institution level config for public views) $owner = new User(); $owner->find_by_id($ownerobj->id); $publicviews = $publicviews && $owner->institution_allows_public_views(); } // Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user if (!$user_id && !$publicviews && !$publicprofiles) { return false; } if ($user_id && $user->can_edit_view($view)) { return true; } // If the view's owner is suspended, deny access to the view if ($view->get('owner')) { if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) { return false; } } if ($SESSION->get('mnetuser')) { $mnettoken = get_cookie('mviewaccess:' . $view_id); } // If the page has been marked "objectionable" admins should be able to view // it for review purposes. if ($view->is_objectionable()) { if ($owner = $view->get('owner')) { if ($user->is_admin_for_user($owner)) { return true; } } else { if ($view->get('group') && $user->get('admin')) { return true; } } } // Overriding start/stop dates are set by the owner to deny access // to users who would otherwise be allowed to see the view. However, // for some kinds of access (e.g. objectionable content, submitted // views), we have to override the override and let the logged in // user see it anyway. So we can't return false now, we have to wait // till we find out what kind of view_access record is being used. $overridestart = $view->get('startdate'); $overridestop = $view->get('stopdate'); $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow); $access = View::user_access_records($view_id, $user_id); if (empty($access)) { return false; } foreach ($access as &$a) { if ($a->accesstype == 'public' && $allowedbyoverride) { if ($publicviews) { return true; } else { if ($publicprofiles && $view->get('type') == 'profile') { return true; } } } else { if ($a->token && ($allowedbyoverride || !$a->visible)) { $usertoken = get_cookie('viewaccess:' . $view_id); if ($a->token == $usertoken && $publicviews) { return true; } if (!empty($mnettoken) && $a->token == $mnettoken) { $mnetviewlist = $SESSION->get('mnetviewaccess'); if (empty($mnetviewlist)) { $mnetviewlist = array(); } $mnetviewlist[$view_id] = true; $SESSION->set('mnetviewaccess', $mnetviewlist); return true; } // Don't bother to pull the collection out unless the user actually // has some collection access cookies. if ($ctokens = get_cookies('caccess:')) { $cid = $view->collection_id(); if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) { return true; } } } else { if ($user_id) { if ($a->accesstype == 'friends') { $owner = $view->get('owner'); if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) { continue; } } else { if ($a->institution) { // Check if user belongs to the allowed institution if (!in_array($a->institution, array_keys($user->get('institutions')))) { continue; } } } if (!$allowedbyoverride && $a->visible) { continue; } // The view must have loggedin access, user access for the user // or group/role access for one of the user's groups return true; } } } } return false; }
/** * Given a view id, and a user id (defaults to currently logged in user if not * specified) will return wether this user is allowed to look at this view. * * @param mixed $view viewid or View to check * @param integer $user_id User trying to look at the view (defaults to * currently logged in user, or null if user isn't logged in) * * @returns boolean Wether the specified user can look at the specified view. */ function can_view_view($view, $user_id = null) { global $USER, $SESSION; if (defined('BULKEXPORT')) { return true; } $now = time(); $dbnow = db_format_timestamp($now); if ($user_id === null) { $user = $USER; $user_id = $USER->get('id'); } else { $user = new User(); if ($user_id) { try { $user->find_by_id($user_id); } catch (AuthUnknownUserException $e) { } } } $publicviews = get_config('allowpublicviews'); $publicprofiles = get_config('allowpublicprofiles'); // OVERWRITE 1: deletion //if (!$user_id && !$publicviews && !$publicprofiles) { // return false; //} // END OVERWRITE 1 if (!class_exists('View')) { require_once get_config('libroot') . 'view.php'; } if ($view instanceof View) { $view_id = $view->get('id'); } else { $view = new View($view_id = $view); } // group views and logged in users are not affected by // the institution level config for public views if (empty($user_id) && ($ownerobj = $view->get_owner_object())) { $owner = new User(); $owner->find_by_id($ownerobj->id); if (!$owner->institution_allows_public_views()) { return false; } } if ($user_id && $user->can_edit_view($view)) { return true; } $access = View::user_access_records($view_id, $user_id); if (empty($access)) { return false; } // If the view's owner is suspended, deny access to the view if ($view->get('owner')) { if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) { return false; } } // Overriding start/stop dates are set by the owner to deny access // to users who would otherwise be allowed to see the view. However, // for some kinds of access (e.g. objectionable content, submitted // views), we have to override the override and let the logged in // user see it anyway. So we can't return false now, we have to wait // till we find out what kind of view_access record is being used. $overridestart = $view->get('startdate'); $overridestop = $view->get('stopdate'); $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow); if ($SESSION->get('mnetuser')) { $mnettoken = get_cookie('mviewaccess:' . $view_id); } foreach ($access as &$a) { if ($a->accesstype == 'public' && $allowedbyoverride) { if ($publicviews) { return true; } else { if ($publicprofiles && $view->get('type') == 'profile') { return true; } } } else { if ($a->token && ($allowedbyoverride || !$a->visible)) { $usertoken = get_cookie('viewaccess:' . $view_id); // OVERWRITE 2: replacement, changed from: //if ($a->token == $usertoken && $publicviews) { // return true; //} // to: if ($a->token == $usertoken) { if (!$publicviews) { global $CFG; $mhr_view = $CFG->current_app->selectFromMhrTable('view', 'id', $view_id, true); if ($mhr_view) { if (!isset($mhr_view->institution) || $mhr_view->institution == '') { return false; } } } return true; } // END OVERWRITE 2 if (!empty($mnettoken) && $a->token == $mnettoken) { $mnetviewlist = $SESSION->get('mnetviewaccess'); if (empty($mnetviewlist)) { $mnetviewlist = array(); } $mnetviewlist[$view_id] = true; $SESSION->set('mnetviewaccess', $mnetviewlist); return true; } // Don't bother to pull the collection out unless the user actually // has some collection access cookies. if ($ctokens = get_cookies('caccess:')) { $cid = $view->collection_id(); if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) { return true; } } } else { if ($user_id) { if ($a->accesstype == 'friends') { $owner = $view->get('owner'); if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) { continue; } } else { if ($a->institution) { // Check if user belongs to the allowed institution if (!in_array($a->institution, array_keys($user->get('institutions')))) { continue; } } else { if ($a->accesstype == 'objectionable') { if ($owner = $view->get('owner')) { if ($user->is_admin_for_user($owner)) { return true; } } else { if ($view->get('group') && $user->get('admin')) { return true; } } continue; } } } if (!$allowedbyoverride && $a->visible) { continue; } // The view must have loggedin access, user access for the user // or group/role access for one of the user's groups return true; } } } } return false; }