public static function checkAccess(eZContentObject $contentobject, eZUser $user, $functionName, $originalClassID = false, $parentClassID = false, $returnAccessList = false, $language = false) { $classID = $originalClassID; $userID = $user->attribute('contentobject_id'); $origFunctionName = $functionName; // Fetch the ID of the language if we get a string with a language code // e.g. 'eng-GB' $originalLanguage = $language; if (is_string($language) && strlen($language) > 0) { $language = eZContentLanguage::idByLocale($language); } else { $language = false; } // This will be filled in with the available languages of the object // if a Language check is performed. $languageList = false; // The 'move' function simply reuses 'edit' for generic access // but adds another top-level check below // The original function is still available in $origFunctionName if ($functionName == 'move') { $functionName = 'edit'; } $accessResult = $user->hasAccessTo('content', $functionName); $accessWord = $accessResult['accessWord']; /* // Uncomment this part if 'create' permissions should become implied 'edit'. // Merges in 'create' policies with 'edit' if ( $functionName == 'edit' && !in_array( $accessWord, array( 'yes', 'no' ) ) ) { // Add in create policies. $accessExtraResult = $user->hasAccessTo( 'content', 'create' ); if ( $accessExtraResult['accessWord'] != 'no' ) { $accessWord = $accessExtraResult['accessWord']; if ( isset( $accessExtraResult['policies'] ) ) { $accessResult['policies'] = array_merge( $accessResult['policies'], $accessExtraResult['policies'] ); } if ( isset( $accessExtraResult['accessList'] ) ) { $accessResult['accessList'] = array_merge( $accessResult['accessList'], $accessExtraResult['accessList'] ); } } } */ if ($origFunctionName == 'remove' or $origFunctionName == 'move') { $mainNode = $contentobject->attribute('main_node'); // We do not allow these actions on objects placed at top-level // - remove // - move if ($mainNode and $mainNode->attribute('parent_node_id') <= 1) { return 0; } } if ($classID === false) { $classID = $contentobject->attribute('contentclass_id'); } if ($accessWord == 'yes') { return 1; } else { if ($accessWord == 'no') { if ($functionName == 'edit') { // Check if we have 'create' access under the main parent if ($contentobject->attribute('current_version') == 1 && !$contentobject->attribute('status')) { $mainNode = eZNodeAssignment::fetchForObject($contentobject->attribute('id'), $contentobject->attribute('current_version')); $parentObj = $mainNode[0]->attribute('parent_contentobject'); $result = $parentObj->checkAccess('create', $contentobject->attribute('contentclass_id'), $parentObj->attribute('contentclass_id'), false, $originalLanguage); return $result; } else { return 0; } } if ($returnAccessList === false) { return 0; } else { return $accessResult['accessList']; } } else { $policies =& $accessResult['policies']; $access = 'denied'; foreach (array_keys($policies) as $pkey) { $limitationArray =& $policies[$pkey]; if ($access == 'allowed') { break; } $limitationList = array(); if (isset($limitationArray['Subtree'])) { $checkedSubtree = false; } else { $checkedSubtree = true; $accessSubtree = false; } if (isset($limitationArray['Node'])) { $checkedNode = false; } else { $checkedNode = true; $accessNode = false; } foreach (array_keys($limitationArray) as $key) { $access = 'denied'; switch ($key) { case 'Class': if ($functionName == 'create' and !$originalClassID) { $access = 'allowed'; } else { if ($functionName == 'create' and in_array($classID, $limitationArray[$key])) { $access = 'allowed'; } else { if ($functionName != 'create' and in_array($contentobject->attribute('contentclass_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } } } break; case 'ParentClass': if (in_array($contentobject->attribute('contentclass_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'ParentDepth': $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) > 0) { foreach ($assignedNodes as $assignedNode) { $depth = $assignedNode->attribute('depth'); if (in_array($depth, $limitationArray[$key])) { $access = 'allowed'; break; } } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Section': case 'User_Section': if (in_array($contentobject->attribute('section_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Language': $languageMask = 0; // If we don't have a language list yet we need to fetch it // and optionally filter out based on $language. if ($functionName == 'create') { // If the function is 'create' we do not use the language_mask for matching. if ($language !== false) { $languageMask = $language; } else { // If the create is used and no language specified then // we need to match against all possible languages (which // is all bits set, ie. -1). $languageMask = -1; } } else { if ($language !== false) { if ($languageList === false) { $languageMask = (int) $contentobject->attribute('language_mask'); // We are restricting language check to just one language $languageMask &= (int) $language; // If the resulting mask is 0 it means that the user is trying to // edit a language which does not exist, ie. translating. // The mask will then become the language trying to edit. if ($languageMask == 0) { $languageMask = $language; } } } else { $languageMask = -1; } } // Fetch limit mask for limitation list $limitMask = eZContentLanguage::maskByLocale($limitationArray[$key]); if (($languageMask & $limitMask) != 0) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Owner': case 'ParentOwner': // if limitation value == 2, anonymous limited to current session. if (in_array(2, $limitationArray[$key]) && $user->isAnonymous()) { $createdObjectIDList = eZPreferences::value('ObjectCreationIDList'); if ($createdObjectIDList && in_array($contentobject->ID, unserialize($createdObjectIDList))) { $access = 'allowed'; } } else { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Group': case 'ParentGroup': $access = $contentobject->checkGroupLimitationAccess($limitationArray[$key], $userID); if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'State': if (count(array_intersect($limitationArray[$key], $contentobject->attribute('state_id_array'))) == 0) { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } break; case 'Node': $accessNode = false; $mainNodeID = $contentobject->attribute('main_node_id'); foreach ($limitationArray[$key] as $nodeID) { $node = eZContentObjectTreeNode::fetch($nodeID, false, false); $limitationNodeID = $node['main_node_id']; if ($mainNodeID == $limitationNodeID) { $access = 'allowed'; $accessNode = true; break; } } if ($access != 'allowed' && $checkedSubtree && !$accessSubtree) { $access = 'denied'; // ??? TODO: if there is a limitation on Subtree, return two limitations? $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } $checkedNode = true; break; case 'Subtree': $accessSubtree = false; $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) != 0) { foreach ($assignedNodes as $assignedNode) { $path = $assignedNode->attribute('path_string'); $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; $accessSubtree = true; break; } } } } else { $parentNodes = $contentobject->attribute('parent_nodes'); if (count($parentNodes) == 0) { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; $accessSubtree = true; } } else { foreach ($parentNodes as $parentNode) { $parentNode = eZContentObjectTreeNode::fetch($parentNode, false, false); $path = $parentNode['path_string']; $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; $accessSubtree = true; break; } } } } } if ($access != 'allowed' && $checkedNode && !$accessNode) { $access = 'denied'; // ??? TODO: if there is a limitation on Node, return two limitations? $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } $checkedSubtree = true; break; case 'User_Subtree': $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) != 0) { foreach ($assignedNodes as $assignedNode) { $path = $assignedNode->attribute('path_string'); $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; } } } } else { $parentNodes = $contentobject->attribute('parent_nodes'); if (count($parentNodes) == 0) { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; } } else { foreach ($parentNodes as $parentNode) { $parentNode = eZContentObjectTreeNode::fetch($parentNode, false, false); $path = $parentNode['path_string']; $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; break; } } } } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; default: if (strncmp($key, 'StateGroup_', 11) === 0) { if (count(array_intersect($limitationArray[$key], $contentobject->attribute('state_id_array'))) == 0) { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } } } if ($access == 'denied') { break; } } $policyList[] = array('PolicyID' => $pkey, 'LimitationList' => $limitationList); } if ($access == 'denied') { if ($functionName == 'edit') { // Check if we have 'create' access under the main parent if ($contentobject->attribute('current_version') == 1 && !$contentobject->attribute('status')) { $mainNode = eZNodeAssignment::fetchForObject($contentobject->attribute('id'), $contentobject->attribute('current_version')); $parentObj = $mainNode[0]->attribute('parent_contentobject'); $result = $parentObj->checkAccess('create', $contentobject->attribute('contentclass_id'), $parentObj->attribute('contentclass_id'), false, $originalLanguage); if ($result) { $access = 'allowed'; } return $result; } } } if ($access == 'denied') { if ($returnAccessList === false) { return 0; } else { return array('FunctionRequired' => array('Module' => 'content', 'Function' => $origFunctionName, 'ClassID' => $classID, 'MainNodeID' => $contentobject->attribute('main_node_id')), 'PolicyList' => $policyList); } } else { return 1; } } } }