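/**
 * Check view and edit permissions on the field a request refers to.
 *
 * The field record is looked up by the 'fid' request parameter (POST first,
 * then GET). Access is granted only when the host entity is accessible to the
 * current user for the requested operation AND field_access() allows the
 * field itself. Every lookup failure (unknown fid, unknown field, entity that
 * does not load, unknown entity type without the Entity API module) denies.
 *
 * @param $op
 *   The type of operation. Either 'view' or 'edit'; anything else is denied.
 *
 * @return bool
 *   TRUE if the current user may perform $op on the field, FALSE otherwise.
 */
function have_access($op) {
  global $user;

  // Fail closed on anything but the two documented operations.
  if ($op !== 'view' && $op !== 'edit') {
    return false;
  }

  $db = DBConnection::instance();
  $field_id = (int) _post('fid');
  if (!$field_id) {
    $field_id = (int) _get('fid');
  }
  if (!$field_id) {
    return false;
  }

  $row = $db->dq("SELECT entity_id, entity_type, delta FROM {mytinytodo_fields} WHERE id = ?", $field_id)->fetch_assoc();
  if (empty($row)) {
    // Unknown field id: there is nothing to grant access to.
    return false;
  }
  $field = (object) $row;

  // NOTE: the 'delta' column carries the field id consumed by
  // field_info_field_by_id(). Without field info field_access() cannot make
  // a meaningful decision, so deny rather than let it default to allow.
  $field_info = field_info_field_by_id($field->delta);
  if (!$field_info) {
    return false;
  }

  // Entity-level operation name: field 'edit' corresponds to entity 'update'.
  $entity_op = $op == 'edit' ? 'update' : $op;

  switch ($field->entity_type) {
    case 'node':
      $entity = node_load($field->entity_id);
      if (!$entity || !node_access($entity_op, $entity, $user)) {
        return false;
      }
      break;

    case 'user':
      // Only the field-level check applies to user entities.
      $entity = user_load($field->entity_id);
      if (!$entity) {
        return false;
      }
      break;

    case 'comment':
      $entity = comment_load($field->entity_id);
      if (!$entity) {
        return false;
      }
      // Core has no comment 'view' access callback; use the permission.
      if ($op == 'view' && !user_access('access comments')) {
        return false;
      }
      if ($op == 'edit' && !comment_access($op, $entity)) {
        return false;
      }
      break;

    default:
      // Any other entity type needs the Entity API module for access checks.
      if (!module_exists('entity')) {
        return false;
      }
      // Load by the entity type and id recorded for the field; entity_load()
      // takes the type first and an array of ids second.
      $entities = entity_load($field->entity_type, array($field->entity_id));
      $entity = $entities ? reset($entities) : NULL;
      if (!$entity || !entity_access($entity_op, $field->entity_type, $entity, $user)) {
        return false;
      }
      break;
  }

  return field_access($op, $field_info, $field->entity_type, $entity, $user) ? true : false;
}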
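/**
 * Entity access callback for comments.
 *
 * @param string $op
 *   The operation: 'edit' or 'view'. Any other operation is denied.
 * @param object $entity
 *   The loaded comment object.
 *
 * @return bool
 *   TRUE if the current user may perform $op on the comment.
 */
public function entity_access($op, $entity) {
  // Strict comparison so a loosely-typed $op (e.g. 0) cannot match 'edit'.
  if ($op === 'edit') {
    return comment_access($op, $entity);
  }
  // Core implements no 'view' access for comments. Rather than granting it
  // unconditionally, require the same permission have_access() checks for
  // comment fields, and restrict anything that is not published to comment
  // administrators.
  if ($op === 'view') {
    if (!user_access('access comments')) {
      return FALSE;
    }
    if (isset($entity->status) && $entity->status != COMMENT_PUBLISHED) {
      return user_access('administer comments');
    }
    return TRUE;
  }
  return FALSE;
}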
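/**
 * Whether the current user may update, view or delete the wrapped entity.
 *
 * @param string $op
 *   One of "update", "view" or "delete". Anything else is denied.
 *
 * @return bool
 *   TRUE if the user has access and FALSE otherwise (including an unknown
 *   $op and entity types for which no access callback is available).
 */
public function hasObjectAccess($op) {
  // Strict membership test: with loose comparison a non-string $op such as
  // 0 or TRUE could match an allowed operation name on older PHP versions.
  if (!is_string($op) || !in_array($op, array('update', 'view', 'delete'), TRUE)) {
    return FALSE;
  }
  $entity_type = $this->getEntityType();

  // Prefer the Entity API module, which knows every entity type's rules.
  if (module_exists('entity')) {
    return entity_access($op, $entity_type, $this->getEntity());
  }
  if ($entity_type == 'node') {
    return node_access($op, $this->getEntity());
  }
  if ($entity_type == 'comment' && $op == 'update') {
    // Core's comment_access() only understands the 'edit' operation.
    return comment_access('edit', $this->getEntity());
  }
  $info = entity_get_info();
  if ($info && isset($info[$entity_type]['access callback'])) {
    return $info[$entity_type]['access callback']($op, $this->getEntity(), NULL, $entity_type);
  }
  return FALSE;
}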
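/**
 * Handle a POST to the comments route: create, edit, publish or delete a
 * comment on the node this widget is bound to.
 *
 * Only the 'comments.json' route is handled; other routes do nothing.
 * Every denial returns FALSE before anything is written.
 *
 * @param string $route
 *   The requested route.
 * @param object $form
 *   The submitted form; input is read from $form->values using the keys
 *   'cid', 'pid', 'toPublish', 'toDelete', 'author', 'subject' and 'body'.
 *
 * @return bool|null
 *   FALSE when access is denied or the request is inconsistent, NULL
 *   otherwise (kept as-is for existing callers).
 */
public function post($route, $form) {
  global $user;
  if ($route != 'comments.json') {
    return;
  }

  $options = $this->getOptions();
  $node = node_load($options['nid']);
  // The widget options must belong to the current user and name a real node.
  if ($options['uid'] != $user->uid || !is_object($node)) {
    return false;
  }
  // Comments must be open on the node and the user allowed to post at all.
  if ($node->comment != COMMENT_NODE_OPEN || !user_access('post comments')) {
    return false;
  }

  $can_moderate = user_access('administer comments') && user_access('post comments');

  $comment = NULL;
  if (!empty($form->values['cid'])) {
    $comment = comment_load($form->values['cid']);
    if (!is_object($comment)) {
      // Non-existent cid: nothing to act on.
      return false;
    }
    // The comment must hang off the node this widget is bound to; otherwise
    // a cid from any other node could be moderated or edited via this route.
    $owner_node = node_load($comment->nid);
    if (!is_object($owner_node) || $owner_node->nid != $node->nid) {
      return FALSE;
    }

    // Publish (moderators only; silently ignored for everyone else).
    if (!empty($form->values['toPublish'])) {
      if ($can_moderate) {
        $comment->status = COMMENT_PUBLISHED;
        comment_save($comment);
      }
      return;
    }
    // Delete (moderators only; silently ignored for everyone else).
    if (!empty($form->values['toDelete'])) {
      if ($can_moderate) {
        comment_delete($comment->cid);
      }
      return;
    }
    if (!comment_access('edit', $comment)) {
      return FALSE; // No access to edit the comment.
    }
  }

  if (empty($comment)) {
    // New comment. A parent is accepted only when it is an integer id that
    // loads AND belongs to the same node; a parent from another node would
    // corrupt the thread and attach the reply to a comment the user may not
    // even be able to see.
    $pid = NULL;
    if (!empty($form->values['pid'])) {
      $raw_pid = $form->values['pid'];
      if ((string) (int) $raw_pid === (string) $raw_pid) {
        $parent = comment_load((int) $raw_pid);
        if (is_object($parent) && $parent->nid == $node->nid) {
          $pid = $raw_pid;
        }
      }
    }

    $comment = new stdClass();
    $comment->nid = $node->nid;
    $comment->pid = $pid;
    $comment->uid = $user->uid;
    if ($user->uid) {
      // The comment is attributed to the current user, so the displayed name
      // must be theirs rather than a request-supplied string.
      $comment->name = $user->name;
    }
    else {
      // Anonymous posters may give a name, but not one that belongs to a
      // registered account (NOTE(review): comment_submit() appears to resolve
      // the uid from the name, which would re-attribute the comment).
      $author = isset($form->values['author']) ? $form->values['author'] : '';
      $name = check_plain($author);
      if ($name !== '' && user_load_by_name($name)) {
        return FALSE;
      }
      $comment->name = $name;
    }
  }

  $subject = isset($form->values['subject']) ? $form->values['subject'] : '';
  $comment->subject = check_plain($subject);

  $field = field_info_field('comment_body');
  $langcode = field_is_translatable('comment', $field) ? entity_language('comment', $comment) : LANGUAGE_NONE;
  $instance = field_info_instance('comment', 'comment_body', 'comment_node_' . $node->type);
  $format = $options['comment-body-format'];
  $text_processing = $instance['settings']['text_processing'];

  // The body is sanitised once here, before storage: through the configured
  // text format when the field has text processing enabled, otherwise as
  // escaped plain text.
  // NOTE(review): check_markup() does not verify that the current user may
  // use $format; if 'comment-body-format' can be set by the user, guard it
  // with filter_access().
  $body = isset($form->values['body']) ? $form->values['body'] : '';
  $body = ($format != 'plain_text' && $text_processing) ? check_markup($body, $format) : check_plain($body);

  // Build the whole field item at once so the 'format' key is stored
  // alongside 'value' instead of being lost by a later reassignment.
  $item = array('value' => $body);
  if ($text_processing) {
    $item['format'] = $format;
  }
  $comment->comment_body = array($langcode => array($item));

  comment_submit($comment);
  comment_save($comment);
  cache_clear_all();
}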