Example #1
0
/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return wether this user is allowed to look at this view.
 *
 * @param mixed $view           viewid or View to check
 * @param integer $user_id      User trying to look at the view (defaults to
 * currently logged in user, or null if user isn't logged in)
 *
 * @returns boolean Wether the specified user can look at the specified view.
 */
function can_view_view($view, $user_id = null)
{
    global $USER, $SESSION;
    if (defined('BULKEXPORT')) {
        return true;
    }
    $now = time();
    $dbnow = db_format_timestamp($now);
    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    } else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            } catch (AuthUnknownUserException $e) {
            }
        }
    }
    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');
    // If the user is logged out and the publicviews & publicprofiles sitewide configs are false,
    // we can deny access without having to hit the database at all
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }
    require_once get_config('libroot') . 'view.php';
    if ($view instanceof View) {
        $view_id = $view->get('id');
    } else {
        $view = new View($view_id = $view);
    }
    // If the page belongs to an individual, check for individual-specific overrides
    if ($view->get('owner')) {
        $ownerobj = $view->get_owner_object();
        // Suspended user
        if ($ownerobj->suspendedctime) {
            return false;
        }
        // Probationary user (no public pages or profiles)
        // (setting these here instead of doing a return-false, so that we can do checks for
        // logged-in users later)
        require_once get_config('libroot') . 'antispam.php';
        $onprobation = is_probationary_user($ownerobj->id);
        $publicviews = $publicviews && !$onprobation;
        $publicprofiles = $publicprofiles && !$onprobation;
        // Member of an institution that prohibits public pages
        // (group views and logged in users are not affected by
        // the institution level config for public views)
        $owner = new User();
        $owner->find_by_id($ownerobj->id);
        $publicviews = $publicviews && $owner->institution_allows_public_views();
    }
    // Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user
    if (!$user_id && !$publicviews && !$publicprofiles) {
        return false;
    }
    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }
    // If the view's owner is suspended, deny access to the view
    if ($view->get('owner')) {
        if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
            return false;
        }
    }
    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }
    // If the page has been marked "objectionable" admins should be able to view
    // it for review purposes.
    if ($view->is_objectionable()) {
        if ($owner = $view->get('owner')) {
            if ($user->is_admin_for_user($owner)) {
                return true;
            }
        } else {
            if ($view->get('group') && $user->get('admin')) {
                return true;
            }
        }
    }
    // Overriding start/stop dates are set by the owner to deny access
    // to users who would otherwise be allowed to see the view.  However,
    // for some kinds of access (e.g. objectionable content, submitted
    // views), we have to override the override and let the logged in
    // user see it anyway.  So we can't return false now, we have to wait
    // till we find out what kind of view_access record is being used.
    $overridestart = $view->get('startdate');
    $overridestop = $view->get('stopdate');
    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow);
    $access = View::user_access_records($view_id, $user_id);
    if (empty($access)) {
        return false;
    }
    foreach ($access as &$a) {
        if ($a->accesstype == 'public' && $allowedbyoverride) {
            if ($publicviews) {
                return true;
            } else {
                if ($publicprofiles && $view->get('type') == 'profile') {
                    return true;
                }
            }
        } else {
            if ($a->token && ($allowedbyoverride || !$a->visible)) {
                $usertoken = get_cookie('viewaccess:' . $view_id);
                if ($a->token == $usertoken && $publicviews) {
                    return true;
                }
                if (!empty($mnettoken) && $a->token == $mnettoken) {
                    $mnetviewlist = $SESSION->get('mnetviewaccess');
                    if (empty($mnetviewlist)) {
                        $mnetviewlist = array();
                    }
                    $mnetviewlist[$view_id] = true;
                    $SESSION->set('mnetviewaccess', $mnetviewlist);
                    return true;
                }
                // Don't bother to pull the collection out unless the user actually
                // has some collection access cookies.
                if ($ctokens = get_cookies('caccess:')) {
                    $cid = $view->collection_id();
                    if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
                        return true;
                    }
                }
            } else {
                if ($user_id) {
                    if ($a->accesstype == 'friends') {
                        $owner = $view->get('owner');
                        if (!get_field_sql('
                    SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
                            continue;
                        }
                    } else {
                        if ($a->institution) {
                            // Check if user belongs to the allowed institution
                            if (!in_array($a->institution, array_keys($user->get('institutions')))) {
                                continue;
                            }
                        }
                    }
                    if (!$allowedbyoverride && $a->visible) {
                        continue;
                    }
                    // The view must have loggedin access, user access for the user
                    // or group/role access for one of the user's groups
                    return true;
                }
            }
        }
    }
    return false;
}
Example #2
0
/**
 * Given a view id, and a user id (defaults to currently logged in user if not
 * specified) will return wether this user is allowed to look at this view.
 *
 * @param mixed $view           viewid or View to check
 * @param integer $user_id      User trying to look at the view (defaults to
 * currently logged in user, or null if user isn't logged in)
 *
 * @returns boolean Wether the specified user can look at the specified view.
 */
function can_view_view($view, $user_id = null)
{
    global $USER, $SESSION;
    if (defined('BULKEXPORT')) {
        return true;
    }
    $now = time();
    $dbnow = db_format_timestamp($now);
    if ($user_id === null) {
        $user = $USER;
        $user_id = $USER->get('id');
    } else {
        $user = new User();
        if ($user_id) {
            try {
                $user->find_by_id($user_id);
            } catch (AuthUnknownUserException $e) {
            }
        }
    }
    $publicviews = get_config('allowpublicviews');
    $publicprofiles = get_config('allowpublicprofiles');
    // OVERWRITE 1: deletion
    //if (!$user_id && !$publicviews && !$publicprofiles) {
    //    return false;
    //}
    // END OVERWRITE 1
    if (!class_exists('View')) {
        require_once get_config('libroot') . 'view.php';
    }
    if ($view instanceof View) {
        $view_id = $view->get('id');
    } else {
        $view = new View($view_id = $view);
    }
    // group views and logged in users are not affected by
    // the institution level config for public views
    if (empty($user_id) && ($ownerobj = $view->get_owner_object())) {
        $owner = new User();
        $owner->find_by_id($ownerobj->id);
        if (!$owner->institution_allows_public_views()) {
            return false;
        }
    }
    if ($user_id && $user->can_edit_view($view)) {
        return true;
    }
    $access = View::user_access_records($view_id, $user_id);
    if (empty($access)) {
        return false;
    }
    // If the view's owner is suspended, deny access to the view
    if ($view->get('owner')) {
        if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) {
            return false;
        }
    }
    // Overriding start/stop dates are set by the owner to deny access
    // to users who would otherwise be allowed to see the view.  However,
    // for some kinds of access (e.g. objectionable content, submitted
    // views), we have to override the override and let the logged in
    // user see it anyway.  So we can't return false now, we have to wait
    // till we find out what kind of view_access record is being used.
    $overridestart = $view->get('startdate');
    $overridestop = $view->get('stopdate');
    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow);
    if ($SESSION->get('mnetuser')) {
        $mnettoken = get_cookie('mviewaccess:' . $view_id);
    }
    foreach ($access as &$a) {
        if ($a->accesstype == 'public' && $allowedbyoverride) {
            if ($publicviews) {
                return true;
            } else {
                if ($publicprofiles && $view->get('type') == 'profile') {
                    return true;
                }
            }
        } else {
            if ($a->token && ($allowedbyoverride || !$a->visible)) {
                $usertoken = get_cookie('viewaccess:' . $view_id);
                // OVERWRITE 2: replacement, changed from:
                //if ($a->token == $usertoken && $publicviews) {
                //    return true;
                //}
                // to:
                if ($a->token == $usertoken) {
                    if (!$publicviews) {
                        global $CFG;
                        $mhr_view = $CFG->current_app->selectFromMhrTable('view', 'id', $view_id, true);
                        if ($mhr_view) {
                            if (!isset($mhr_view->institution) || $mhr_view->institution == '') {
                                return false;
                            }
                        }
                    }
                    return true;
                }
                // END OVERWRITE 2
                if (!empty($mnettoken) && $a->token == $mnettoken) {
                    $mnetviewlist = $SESSION->get('mnetviewaccess');
                    if (empty($mnetviewlist)) {
                        $mnetviewlist = array();
                    }
                    $mnetviewlist[$view_id] = true;
                    $SESSION->set('mnetviewaccess', $mnetviewlist);
                    return true;
                }
                // Don't bother to pull the collection out unless the user actually
                // has some collection access cookies.
                if ($ctokens = get_cookies('caccess:')) {
                    $cid = $view->collection_id();
                    if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
                        return true;
                    }
                }
            } else {
                if ($user_id) {
                    if ($a->accesstype == 'friends') {
                        $owner = $view->get('owner');
                        if (!get_field_sql('
                    SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) {
                            continue;
                        }
                    } else {
                        if ($a->institution) {
                            // Check if user belongs to the allowed institution
                            if (!in_array($a->institution, array_keys($user->get('institutions')))) {
                                continue;
                            }
                        } else {
                            if ($a->accesstype == 'objectionable') {
                                if ($owner = $view->get('owner')) {
                                    if ($user->is_admin_for_user($owner)) {
                                        return true;
                                    }
                                } else {
                                    if ($view->get('group') && $user->get('admin')) {
                                        return true;
                                    }
                                }
                                continue;
                            }
                        }
                    }
                    if (!$allowedbyoverride && $a->visible) {
                        continue;
                    }
                    // The view must have loggedin access, user access for the user
                    // or group/role access for one of the user's groups
                    return true;
                }
            }
        }
    }
    return false;
}