function resource_download_allowed($resource, $size, $resource_type, $alternative = -1) { # For the given resource and size, can the curent user download it? # resource type and access may already be available in the case of search, so pass them along to get_resource_access to avoid extra queries # $resource can be a resource-specific search result array. $access = get_resource_access($resource); if ((checkperm('X' . $resource_type . "_" . $size) || checkperm('T' . $resource_type . "_" . $size)) && $alternative == -1) { # Block access to this resource type / size? Not if an alternative file # Only if no specific user access override (i.e. they have successfully requested this size). global $userref; $usercustomaccess = get_custom_access_user($resource, $userref); $usergroupcustomaccess = get_custom_access($resource, $usergroup); if (($usercustomaccess === false || !($usercustomaccess === '0')) && ($usergroupcustomaccess === false || !($usergroupcustomaccess === '0'))) { return false; } } # Full access if ($access == 0) { return true; } # Special case for purchased downloads. global $userref; if (isset($userref)) { $complete = sql_value("select cr.purchase_complete value from collection_resource cr join collection c on cr.collection=c.ref where c.user='******' and cr.resource='{$resource}' and cr.purchase_size='" . escape_check($size) . "'", 0); if ($complete == 1) { return true; } } # Restricted if ($access == 1) { if ($size == "") { # Original file - access depends on the 'restricted_full_download' config setting. global $restricted_full_download; return $restricted_full_download; } else { # Return the restricted access setting for this resource type. return sql_value("select allow_restricted value from preview_size where id='" . escape_check($size) . "'", 0) == 1; } } # Confidential if ($access == 2) { return false; } }
function get_resource_access($resource) { # $resource may be a resource_data array from a search, in which case, many of the permissions checks are already done. # Returns the access that the currently logged-in user has to $resource. # Return values: # 0 = Full Access (download all sizes) # 1 = Restricted Access (download only those sizes that are set to allow restricted downloads) # 2 = Confidential (no access) # Load the 'global' access level set on the resource # In the case of a search, resource type and global,group and user access are passed through to this point, to avoid multiple unnecessary get_resource_data queries. # passthru signifies that this is the case, so that blank values in group or user access mean that there is no data to be found, so don't check again . $passthru="no"; // get_resource_data doesn't contain permissions, so fix for the case that such an array could be passed into this function unintentionally. if (is_array($resource) && !isset($resource['group_access']) && !isset($resource['user_access'])){$resource=$resource['ref'];} if (!is_array($resource)){ $resourcedata=get_resource_data($resource,true); } else { $resourcedata=$resource; $passthru="yes"; } $ref=$resourcedata['ref']; $access=$resourcedata["access"]; $resource_type=$resourcedata['resource_type']; global $k; if ($k!="") { # External access - check how this was shared. $extaccess=sql_value("select access value from external_access_keys where resource=".$ref." and access_key='" . escape_check($k) . "'",-1); if ($extaccess!=-1) {return $extaccess;} } if (checkperm("v")) { # Permission to access all resources # Always return 0 return 0; } if ($access==3) { # Load custom access level if ($passthru=="no"){ global $usergroup; $access=get_custom_access($resource,$usergroup); //echo "checked group access: ".$access; } else { $access=$resource['group_access']; } } if ($access == 1 && get_edit_access($ref, $resourcedata['archive'])) { # If access is restricted and user has edit access, grant open access. $access = 0; } global $open_access_for_contributor, $userref; if ($open_access_for_contributor && $access == 1 && $resourcedata['created_by'] == $userref) { # If access is restricted and user has contributed resource, grant open access. $access = 0; } # Check for user-specific access (overrides any other restriction) global $userref; if ($passthru=="no"){ $userspecific=get_custom_access_user($resource,$userref); //echo "checked user access: ".$userspecific; } else { $userspecific=$resourcedata['user_access']; } if ($userspecific!="") { return $userspecific; } global $usersearchfilter, $search_filter_strict; if ((trim($usersearchfilter)!="") && $search_filter_strict) { # A search filter has been set. Perform filter processing to establish if the user can view this resource. # Always load metadata, because the provided metadata may be missing fields due to permissions. $metadata=get_resource_field_data($ref,false,false); for ($n=0;$n<count($metadata);$n++) { $name=$metadata[$n]["name"]; $value=$metadata[$n]["value"]; if ($name!="") { $match=filter_match($usersearchfilter,$name,$value); if ($match==1) {return 2;} # The match for this field was incorrect, always show as confidential in this event. } } # Also check resource type # Disabled until also implented in do_search() - future feature - syntax supported in edit filter only for now. /* $match=filter_match($usersearchfilter,"resource_type",$resource_type); if ($match==1) {return 2;} # The match for this field was incorrect, always show as confidential in this event. */ } if ($access==0 && !checkperm("g")) { # User does not have the 'g' permission. Always return restricted for active resources. return 1; } if (checkperm('X'.$resource_type)){ // this resource type is always restricted for this user group return 1; } if (checkperm('T'.$resource_type)){ // this resource type is always confidential/hidden for this user group return 2; } return $access; }
function get_resource_access($resource) { # $resource may be a resource_data array from a search, in which case, many of the permissions checks are already done. # Returns the access that the currently logged-in user has to $resource. # Return values: # 0 = Full Access (download all sizes) # 1 = Restricted Access (download only those sizes that are set to allow restricted downloads) # 2 = Confidential (no access) # Load the 'global' access level set on the resource # In the case of a search, resource type and global,group and user access are passed through to this point, to avoid multiple unnecessary get_resource_data queries. # passthru signifies that this is the case, so that blank values in group or user access mean that there is no data to be found, so don't check again . $passthru = "no"; // get_resource_data doesn't contain permissions, so fix for the case that such an array could be passed into this function unintentionally. if (is_array($resource) && !isset($resource['group_access']) && !isset($resource['user_access'])) { $resource = $resource['ref']; } if (!is_array($resource)) { $resourcedata = get_resource_data($resource, true); } else { $resourcedata = $resource; $passthru = "yes"; } $ref = $resourcedata['ref']; $access = $resourcedata["access"]; $resource_type = $resourcedata['resource_type']; // Set a couple of flags now that we can check later on if we need to check whether sharing is permitted based on whether access has been specifically granted to user/group global $customgroupaccess, $customuseraccess; $customgroupaccess = false; $customuseraccess = false; global $k; if ($k != "") { # External access - check how this was shared. $extaccess = sql_value("select access value from external_access_keys where resource=" . $ref . " and access_key='" . escape_check($k) . "' and (expires is null or expires>now())", -1); if ($extaccess != -1) { return $extaccess; } } global $uploader_view_override, $userref; if (checkperm("z" . $resourcedata['archive']) && !($uploader_view_override && $resourcedata['created_by'] == $userref)) { // User has no access to this archive state return 2; } if (checkperm("v")) { # Permission to access all resources # Always return 0 return 0; } if ($access == 3) { $customgroupaccess = true; # Load custom access level if ($passthru == "no") { global $usergroup; $access = get_custom_access($resource, $usergroup); } else { $access = $resource['group_access']; } } if ($access == 1 && get_edit_access($ref, $resourcedata['archive'], false, $resourcedata)) { # If access is restricted and user has edit access, grant open access. $access = 0; } global $open_access_for_contributor; if ($open_access_for_contributor && $access == 1 && $resourcedata['created_by'] == $userref) { # If access is restricted and user has contributed resource, grant open access. $access = 0; } # Check for user-specific access (overrides any other restriction) global $userref; if ($passthru == "no") { $userspecific = get_custom_access_user($resource, $userref); } else { $userspecific = $resourcedata['user_access']; } if ($userspecific != "") { $customuseraccess = true; return $userspecific; } if (checkperm('T' . $resource_type)) { // this resource type is always confidential/hidden for this user group return 2; } global $usersearchfilter, $search_filter_strict; if (trim($usersearchfilter) != "" && $search_filter_strict) { # A search filter has been set. Perform filter processing to establish if the user can view this resource. # Always load metadata, because the provided metadata may be missing fields due to permissions. /* # ***** OLD METHOD ***** - used filter_match() - required duplication and was very difficult to implement OR matching for the field name supporting OR across fields $metadata=get_resource_field_data($ref,false,false); for ($n=0;$n<count($metadata);$n++) { $name=$metadata[$n]["name"]; $value=$metadata[$n]["value"]; if ($name!="") { $match=filter_match($usersearchfilter,$name,$value); echo "<br />$name/$value = $match"; if ($match==1) {return 2;} # The match for this field was incorrect, always show as confidential in this event. } } # Also check resource type # Disabled until also implented in do_search() - future feature - syntax supported in edit filter only for now. /* $match=filter_match($usersearchfilter,"resource_type",$resource_type); if ($match==1) {return 2;} # The match for this field was incorrect, always show as confidential in this event. */ # ***** NEW METHOD ***** - search for the resource, utilising the existing filter matching in do_search to avoid duplication. global $search_all_workflow_states; $search_all_workflow_states_cache = $search_all_workflow_states; $search_all_workflow_states = TRUE; $results = do_search("!resource" . $ref); $search_all_workflow_states = $search_all_workflow_states_cache; if (count($results) == 0) { return 2; } # Not found in results, so deny } if ($access == 0 && !checkperm("g") && !$customgroupaccess) { # User does not have the 'g' permission. Return restricted for active resources unless group has been granted overide access. $access = 1; } if ($access == 0 && checkperm('X' . $resource_type)) { // this resource type is always restricted for this user group $access = 1; } // Check derestrict filter global $userderestrictfilter; if ($access == 1 && trim($userderestrictfilter) != "") { # A filter has been set to derestrict access when certain metadata criteria are met if (!isset($metadata)) { # load metadata if not already loaded $metadata = get_resource_field_data($ref, false, false); } $matchedfilter = false; for ($n = 0; $n < count($metadata); $n++) { $name = $metadata[$n]["name"]; $value = $metadata[$n]["value"]; if ($name != "") { $match = filter_match($userderestrictfilter, $name, $value); if ($match == 1) { $matchedfilter = false; break; } if ($match == 2) { $matchedfilter = true; } } } if ($matchedfilter) { $access = 0; } } return $access; }