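/**
 * Join a user to a group, add river event, clean-up invitations
 *
 * Access checks are switched off only around the join call, so that the user
 * can be added to the access collection of an invisible group. The previous
 * access setting is restored even when the join throws.
 *
 * This function makes no permission decision of its own: whoever calls it
 * has to have established already that $user may join $group.
 *
 * @param ElggGroup $group Group being joined
 * @param ElggUser  $user  User who joins
 *
 * @return bool True when the join succeeded, false otherwise
 */
function groups_join_group($group, $user) {
	// access ignore so user can be added to access collection of invisible group
	$ia = elgg_set_ignore_access(true);
	try {
		$result = $group->join($user);
	} catch (Exception $e) {
		// never leave the rest of the request running with access checks disabled
		elgg_set_ignore_access($ia);
		throw $e;
	}
	elgg_set_ignore_access($ia);

	if (!$result) {
		return false;
	}

	// flush user's access info so the collection is added
	get_access_list($user->guid, 0, true);

	// Remove any invite or join request flags
	remove_entity_relationship($group->guid, 'invited', $user->guid);
	remove_entity_relationship($user->guid, 'membership_request', $group->guid);

	elgg_create_river_item(array(
		'view' => 'river/relationship/member/create',
		'action_type' => 'join',
		'subject_guid' => $user->guid,
		'object_guid' => $group->guid,
	));

	return true;
}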
/**
 * Container-permission hook for the pages plugin: lets users who can write to
 * the page owner, or to the container of the page named in the request, write
 * to the container.
 *
 * Only acts in the "pages" context. The hook arguments themselves are not
 * read; the decision is based on the page owner and on the page_guid /
 * parent_guid request inputs.
 *
 * NOTE(review): the page is chosen by request input and is not compared with
 * the container this hook is being asked about, so the grant is only as narrow
 * as the callers' own validation of page_guid / parent_guid — confirm.
 *
 * @param string $hook        Hook name (unused)
 * @param string $entity_type Entity type (unused)
 * @param bool   $returnvalue Current return value (unused)
 * @param array  $params      Hook parameters (unused)
 *
 * @return bool|null True to grant, null to leave the decision unchanged
 */
function pages_container_permission_check($hook, $entity_type, $returnvalue, $params) {
	if (elgg_get_context() != "pages") {
		return null;
	}

	// writers of the page owner's container are always allowed
	if (elgg_get_page_owner_guid()) {
		if (can_write_to_container(elgg_get_logged_in_user_guid(), elgg_get_page_owner_guid())) {
			return true;
		}
	}

	// look up the page (or parent page) referenced by the request
	$entity = null;
	$page_guid = get_input('page_guid', 0);
	if ($page_guid) {
		$entity = get_entity($page_guid);
	} else {
		$parent_guid = get_input('parent_guid', 0);
		if ($parent_guid) {
			$entity = get_entity($parent_guid);
		}
	}

	if (!isset($entity) || !pages_is_page($entity)) {
		return null;
	}

	if (can_write_to_container(elgg_get_logged_in_user_guid(), $entity->container_guid)) {
		return true;
	}

	// NOTE(review): get_access_list() is interpolated directly after SQL "IN"
	// by get_access_sql_suffix(), i.e. it yields a string, so this in_array()
	// looks like it can never match (and is a TypeError on PHP 8).
	// get_access_array() is probably what was meant — confirm before changing,
	// because fixing it switches on a grant path that is currently dead.
	if (in_array($entity->write_access_id, get_access_list())) {
		return true;
	}

	return null;
}
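/**
 * Join a user to a group, add river event, clean-up invitations
 *
 * Access checks are switched off only around the join call, so that the user
 * can be added to the access collection of an invisible group. The previous
 * access setting is restored even when the join throws.
 *
 * When the group has notifications set to "false", the new member's
 * "notify<method>" relationships to the group are removed for every
 * registered notification handler.
 *
 * This function makes no permission decision of its own: whoever calls it
 * has to have established already that $user may join $group.
 *
 * @param ElggGroup $group Group being joined
 * @param ElggUser  $user  User who joins
 *
 * @return bool True when the join succeeded, false otherwise
 */
function groups_join_group($group, $user) {
	global $NOTIFICATION_HANDLERS;

	// access ignore so user can be added to access collection of invisible group
	$ia = elgg_set_ignore_access(true);
	try {
		$result = $group->join($user);
	} catch (Exception $e) {
		// never leave the rest of the request running with access checks disabled
		elgg_set_ignore_access($ia);
		throw $e;
	}
	elgg_set_ignore_access($ia);

	if (!$result) {
		return false;
	}

	// flush user's access info so the collection is added
	get_access_list($user->guid, 0, true);

	// Remove any invite or join request flags
	remove_entity_relationship($group->guid, 'invited', $user->guid);
	remove_entity_relationship($user->guid, 'membership_request', $group->guid);

	// check if notifications are turned off for the group
	// (is_array guard: the global may not be populated yet)
	if ($group->notifications == "false" && is_array($NOTIFICATION_HANDLERS)) {
		// turn users notifications off
		foreach ($NOTIFICATION_HANDLERS as $method => $dummy) {
			// NOTE(review): looks like leftover debug output — confirm it is still wanted
			error_log("group" . $method);
			remove_entity_relationship($user->getGUID(), "notify" . $method, $group->getGUID());
		}
	}

	add_to_river('river/relationship/member/create', 'join', $user->guid, $group->guid);

	return true;
}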
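/**
 * Container-permission hook for the tasks plugin: lets users who can write to
 * the page owner, or to the container of the task named in the request, write
 * to the container.
 *
 * Only acts in the "tasks" context. The hook arguments themselves are not
 * read; the decision is based on the page owner and on the task_guid /
 * parent_guid request inputs.
 *
 * NOTE(review): the task is chosen by request input and is not compared with
 * the container this hook is being asked about, so the grant is only as narrow
 * as the callers' own validation of task_guid / parent_guid — confirm.
 *
 * @param string $hook        Hook name (unused)
 * @param string $entity_type Entity type (unused)
 * @param bool   $returnvalue Current return value (unused)
 * @param array  $params      Hook parameters (unused)
 *
 * @return bool|null True to grant, null to leave the decision unchanged
 */
function tasks_container_permission_check($hook, $entity_type, $returnvalue, $params) {
	if (elgg_get_context() != "tasks") {
		return null;
	}

	if (elgg_get_page_owner_guid()) {
		if (can_write_to_container(elgg_get_logged_in_user_guid(), elgg_get_page_owner_guid())) {
			return true;
		}
	}

	// defined up front so the instanceof test below never reads an unset variable
	$entity = null;
	if ($task_guid = get_input('task_guid', 0)) {
		$entity = get_entity($task_guid);
	} elseif ($parent_guid = get_input('parent_guid', 0)) {
		$entity = get_entity($parent_guid);
	}

	if (!($entity instanceof ElggObject)) {
		return null;
	}

	if (can_write_to_container(elgg_get_logged_in_user_guid(), $entity->container_guid)) {
		return true;
	}

	// NOTE(review): get_access_list() is interpolated directly after SQL "IN"
	// by get_access_sql_suffix(), i.e. it yields a string, so this in_array()
	// looks like it can never match (and is a TypeError on PHP 8).
	// get_access_array() is probably what was meant — confirm before changing,
	// because fixing it switches on a grant path that is currently dead.
	if (in_array($entity->write_access_id, get_access_list())) {
		return true;
	}

	return null;
}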
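/**
 * Returns the SQL where clause for a table with a access_id and enabled columns.
 *
 * This handles returning where clauses for ACCESS_FRIENDS and the currently
 * unused block and filter lists in addition to using get_access_list() for
 * access collections and the standard access levels.
 *
 * When elgg_check_access_overrides() reports an override for $owner the
 * access part of the clause is "(1 = 1)", i.e. no read filtering at all.
 *
 * The clause is built by string interpolation. $table_prefix is passed through
 * sanitise_string() and $owner is forced to an integer here; the access list
 * and the table prefix from $CONFIG are trusted as-is.
 *
 * @param string $table_prefix Optional table. prefix for the access code.
 * @param int    $owner        The guid to check access for. Defaults to logged in user.
 *
 * @return string The SQL for a where clause
 * @access private
 */
function get_access_sql_suffix($table_prefix = '', $owner = null) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;

	$sql = "";
	$friends_bit = "";
	$enemies_bit = "";

	if ($table_prefix) {
		$table_prefix = sanitise_string($table_prefix) . ".";
	}

	if (!isset($owner)) {
		$owner = elgg_get_logged_in_user_guid();
	}

	// $owner is written unquoted into the SQL below, so anything that is not
	// an integer guid must not get that far
	$owner = (int) $owner;
	if (!$owner) {
		// -1 stands for "no user"
		$owner = -1;
	}

	$ignore_access = elgg_check_access_overrides($owner);
	$access = get_access_list($owner);

	if ($ignore_access) {
		$sql = " (1 = 1) ";
	} elseif ($owner != -1) {
		// we have an entity's guid and auto check for friend relationships
		$friends_bit = "{$table_prefix}access_id = " . ACCESS_FRIENDS . "\n\t\t\tAND {$table_prefix}owner_guid IN (\n\t\t\t\tSELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships\n\t\t\t\tWHERE relationship='friend' AND guid_two={$owner}\n\t\t\t)";
		$friends_bit = '(' . $friends_bit . ') OR ';

		// @todo untested and unsupported at present
		if (isset($CONFIG->user_block_and_filter_enabled) && $CONFIG->user_block_and_filter_enabled) {
			// check to see if the user is in the entity owner's block list
			// or if the entity owner is in the user's filter list
			// if so, disallow access
			$enemies_bit = get_access_restriction_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false);
			$enemies_bit = '(' . $enemies_bit . ' AND ' . get_access_restriction_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false) . ')';
		}
	}

	if (empty($sql)) {
		$sql = " {$friends_bit} ({$table_prefix}access_id IN {$access}\n\t\t\tOR ({$table_prefix}owner_guid = {$owner})\n\t\t\tOR (\n\t\t\t\t{$table_prefix}access_id = " . ACCESS_PRIVATE . "\n\t\t\t\tAND {$table_prefix}owner_guid = {$owner}\n\t\t\t)\n\t\t)";
	}

	if ($enemies_bit) {
		$sql = "{$enemies_bit} AND ({$sql})";
	}

	// hidden (disabled) rows are filtered out unless the global override is set
	if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
		$sql .= " and {$table_prefix}enabled='yes'";
	}

	return '(' . $sql . ')';
}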
/**
 * Builds the SQL where clause that enforces read access to data.
 *
 * If access is being ignored for the user (elgg_check_access_overrides()),
 * the "or" part is just "1 = 1". Otherwise it selects rows the user owns,
 * rows shared with friends by a user who has this user as a friend, and rows
 * whose access id is in get_access_list() for the user.
 *
 * Plugins can change the result through the 'get_sql', 'access' plugin hook,
 * which receives the options and the current clauses in the form:
 *  array(
 *      'ors' => array(),
 *      'ands' => array()
 *  )
 * Whatever the hook returns is what gets joined into the final clause, so
 * every handler registered on that hook takes part in the read-access
 * decision.
 *
 * The result has the form:
 *  ((or1 OR or2 OR orN) AND (and1 AND and2 AND andN))
 *
 * The alias and column names are written into the SQL unquoted after
 * sanitize_string(); user_guid goes through sanitize_int().
 * NOTE(review): sanitize_string() presumably escapes for string literals, not
 * for identifiers — callers should only pass fixed names here; confirm.
 *
 * @param array $options Array in format:
 *
 * 	table_alias => STR Optional table alias. This is based on the select and join clauses.
 * 	                   Default is 'e'.
 *
 *  user_guid => INT Optional GUID for the user that we are retrieving data for.
 *                   Defaults to the logged in user.
 *
 *  use_enabled_clause => BOOL Optional. Should we append the enabled clause? The default
 *                             is set by access_show_hidden_entities().
 *
 *  access_column => STR Optional access column name. Default is 'access_id'.
 *
 *  owner_guid_column => STR Optional owner_guid column. Default is 'owner_guid'.
 *
 *  guid_column => STR Optional guid_column. Default is 'guid'.
 *
 * @return string
 * @access private
 */
function getWhereSql(array $options = array()) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE;

	$options = array_merge(array(
		'table_alias' => 'e',
		'user_guid' => _elgg_services()->session->getLoggedInUserGuid(),
		'use_enabled_clause' => !$ENTITY_SHOW_HIDDEN_OVERRIDE,
		'access_column' => 'access_id',
		'owner_guid_column' => 'owner_guid',
		'guid_column' => 'guid',
	), $options);

	// tolerate callers that pass the alias with its trailing dot
	$options['table_alias'] = rtrim($options['table_alias'], '.');

	$identifier_keys = array('table_alias', 'access_column', 'owner_guid_column', 'guid_column');
	foreach ($identifier_keys as $name) {
		$options[$name] = sanitize_string($options[$name]);
	}
	$options['user_guid'] = sanitize_int($options['user_guid'], false);

	// only add dot if we have an alias or table name
	$alias_dot = '';
	if ($options['table_alias']) {
		$alias_dot = $options['table_alias'] . '.';
	}

	$options['ignore_access'] = elgg_check_access_overrides($options['user_guid']);

	$ors = array();
	$ands = array();
	$db_prefix = _elgg_services()->db->getTablePrefix();

	$access_col = $alias_dot . $options['access_column'];
	$owner_col = $alias_dot . $options['owner_guid_column'];
	$viewer_guid = $options['user_guid'];

	if ($options['ignore_access']) {
		// privileged mode: no read filtering
		$ors[] = '1 = 1';
	} else {
		if ($viewer_guid) {
			// include content of user's friends
			$ors[] = $access_col . ' = ' . ACCESS_FRIENDS
				. "\n\t\t\t\tAND {$owner_col} IN (\n\t\t\t\t\tSELECT guid_one FROM {$db_prefix}entity_relationships\n\t\t\t\t\tWHERE relationship = 'friend' AND guid_two = {$viewer_guid}\n\t\t\t\t)";

			// include user's content
			$ors[] = "{$owner_col} = {$viewer_guid}";
		}

		// include standard accesses (public, logged in, access collections)
		$ors[] = "{$access_col} IN " . get_access_list($viewer_guid);
	}

	if ($options['use_enabled_clause']) {
		$ands[] = "{$alias_dot}enabled = 'yes'";
	}

	$clauses = _elgg_services()->hooks->trigger('get_sql', 'access', $options, array(
		'ors' => $ors,
		'ands' => $ands,
	));

	// join whatever the hook left us with
	$groups = array();
	if (is_array($clauses['ors']) && $clauses['ors']) {
		$groups[] = '(' . implode(' OR ', $clauses['ors']) . ')';
	}
	if (is_array($clauses['ands']) && $clauses['ands']) {
		$groups[] = '(' . implode(' AND ', $clauses['ands']) . ')';
	}

	return '(' . implode(' AND ', $groups) . ')';
}
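/**
 * Add access restriction sql code to a given query.
 *
 * Note that if this code is executed in privileged mode (the global $is_admin
 * is set and true) the access part of the clause is "(1 = 1)", i.e. no read
 * filtering at all. Any code able to set that global therefore switches
 * read-access enforcement off for every query built through this function.
 *
 * The clause is built by string interpolation. $table_prefix is passed through
 * sanitise_string() and $owner is forced to an integer here; the access list
 * and the table prefix from $CONFIG are trusted as-is.
 *
 * TODO: DELETE once Query classes are fully integrated
 *
 * @param string $table_prefix Optional xxx. prefix for the access code.
 * @param int    $owner        Guid to check access for. Defaults to the logged in user.
 *
 * @return string The SQL for a where clause
 */
function get_access_sql_suffix($table_prefix = "", $owner = null) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;

	$sql = "";
	$friends_bit = "";
	$enemies_bit = "";

	if ($table_prefix) {
		$table_prefix = sanitise_string($table_prefix) . ".";
	}

	// NOTE(review): the access list is fetched for the current user (no
	// argument) while the friend and ownership clauses below use $owner; when
	// a caller passes another user's guid the two can disagree — confirm
	// whether get_access_list($owner) was intended.
	$access = get_access_list();

	if (!isset($owner)) {
		$owner = get_loggedin_userid();
	}

	// $owner is written unquoted into the SQL below, so anything that is not
	// an integer guid must not get that far
	$owner = (int) $owner;
	if (!$owner) {
		// -1 stands for "no user"
		$owner = -1;
	}

	global $is_admin;

	if (isset($is_admin) && $is_admin == true) {
		$sql = " (1 = 1) ";
	} elseif ($owner != -1) {
		$friends_bit = $table_prefix . 'access_id = ' . ACCESS_FRIENDS . ' AND ';
		$friends_bit .= "{$table_prefix}owner_guid IN (SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships WHERE relationship='friend' AND guid_two={$owner})";
		$friends_bit = '(' . $friends_bit . ') OR ';

		if (isset($CONFIG->user_block_and_filter_enabled) && $CONFIG->user_block_and_filter_enabled) {
			// check to see if the user is in the entity owner's block list
			// or if the entity owner is in the user's filter list
			// if so, disallow access
			$enemies_bit = get_annotation_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false);
			$enemies_bit = '(' . $enemies_bit . ' AND ' . get_annotation_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false) . ')';
		}
	}

	if (empty($sql)) {
		$sql = " {$friends_bit} ({$table_prefix}access_id in {$access} or ({$table_prefix}owner_guid = {$owner}) or ({$table_prefix}access_id = " . ACCESS_PRIVATE . " and {$table_prefix}owner_guid = {$owner}))";
	}

	if ($enemies_bit) {
		$sql = "{$enemies_bit} AND ({$sql})";
	}

	// hidden (disabled) rows are filtered out unless the global override is set
	if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
		$sql .= " and {$table_prefix}enabled='yes'";
	}

	return '(' . $sql . ')';
}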
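/**
 * Container-permission hook for the pages plugin: lets users who can write to
 * the container, or to the container of the page named in the request, create
 * pages there.
 *
 * Only acts for objects of subtype 'page' or 'page_top'.
 *
 * NOTE(review): the page is chosen by the page_guid / parent_guid request
 * inputs and is not compared with $params['container'], so the grant is only
 * as narrow as the callers' own validation of those inputs. Consider requiring
 * that the page's container is the container being checked — confirm against
 * the page edit/new actions first.
 *
 * @param string $hook        Hook name (unused)
 * @param string $entity_type Entity type the check is for
 * @param bool   $returnvalue Current return value (unused)
 * @param array  $params      Hook parameters; 'container', 'user' and 'subtype' are read
 *
 * @return bool|null True to grant, null to leave the decision unchanged
 */
function pages_container_permission_check($hook, $entity_type, $returnvalue, $params) {
	$container = elgg_extract('container', $params);
	$user = elgg_extract('user', $params);
	$subtype = elgg_extract('subtype', $params);

	// check type/subtype (strict, so a non-string subtype cannot match loosely)
	if ($entity_type !== 'object' || !in_array($subtype, ['page', 'page_top'], true)) {
		return null;
	}

	// 'user' may be missing from $params; do not dereference a non-object
	$user_guid = is_object($user) ? $user->guid : null;

	// OK if you can write to the container
	if ($container && $container->canWriteToContainer($user_guid)) {
		return true;
	}

	// look up a page object given via input
	// (defined up front so pages_is_page() never receives an unset variable)
	$page = null;
	if ($page_guid = get_input('page_guid', 0)) {
		$page = get_entity($page_guid);
	} elseif ($parent_guid = get_input('parent_guid', 0)) {
		$page = get_entity($parent_guid);
	}

	if (!pages_is_page($page)) {
		return null;
	}

	// try the page's container
	$page_container = $page->getContainerEntity();
	if ($page_container && $page_container->canWriteToContainer($user_guid)) {
		return true;
	}

	// I don't understand this but it's old - mrclay
	// NOTE(review): get_access_list() is interpolated directly after SQL "IN"
	// by get_access_sql_suffix(), i.e. it yields a string, so this in_array()
	// looks like it can never match (and is a TypeError on PHP 8).
	// get_access_array() is probably what was meant — confirm before changing,
	// because fixing it switches on a grant path that is currently dead.
	if (in_array($page->write_access_id, get_access_list())) {
		return true;
	}

	return null;
}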
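/**
 * Returns the SQL where clause for a table with a access_id and enabled columns.
 *
 * This handles returning where clauses for ACCESS_FRIENDS and the currently
 * unused block and filter lists in addition to using get_access_list() for
 * access collections and the standard access levels.
 *
 * Instead of a sub-select on entity_relationships, the guids that have $owner
 * as a friend are loaded once per $owner and kept in a static cache for the
 * rest of the request; relationship changes made later in the same request
 * are not reflected in the clause.
 *
 * When elgg_check_access_overrides() reports an override for $owner the
 * access part of the clause is "(1 = 1)", i.e. no read filtering at all.
 *
 * Unless access is being ignored, the finished clause is handed to the
 * "access:get_sql_suffix", "user" plugin hook, and whatever that hook returns
 * replaces it, so every handler on that hook takes part in the read-access
 * decision.
 *
 * The clause is built by string interpolation. $table_prefix is passed through
 * sanitise_string(); $owner and the cached friend guids are forced to integers
 * here; the access list and the table prefix from $CONFIG are trusted as-is.
 *
 * @param string $table_prefix Optional table. prefix for the access code.
 * @param int    $owner        The guid to check access for. Defaults to logged in user.
 *
 * @return string The SQL for a where clause
 * @access private
 */
function get_access_sql_suffix($table_prefix = '', $owner = null) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;
	static $friends_cache;

	$sql = "";
	$friends_bit = "";
	$enemies_bit = "";

	if ($table_prefix) {
		$table_prefix = sanitise_string($table_prefix) . ".";
	}

	if (!isset($owner)) {
		$owner = elgg_get_logged_in_user_guid();
	}

	// $owner is written unquoted into the SQL below (and used as a cache key),
	// so anything that is not an integer guid must not get that far
	$owner = (int) $owner;
	if (!$owner) {
		// -1 stands for "no user"
		$owner = -1;
	}

	$ignore_access = elgg_check_access_overrides($owner);
	$access = get_access_list($owner);

	if ($ignore_access) {
		$sql = " (1 = 1) ";
	} elseif ($owner != -1) {
		// we have an entity's guid and auto check for friend relationships;
		// the guids are looked up once per owner rather than with a sub-select
		if (!isset($friends_cache)) {
			$friends_cache = array();
		}

		if (!isset($friends_cache[$owner])) {
			$friends_cache[$owner] = array();

			$friends_query = "SELECT guid_one";
			$friends_query .= " FROM {$CONFIG->dbprefix}entity_relationships";
			$friends_query .= " WHERE relationship='friend'";
			$friends_query .= " AND guid_two={$owner}";

			if ($friends_result = get_data($friends_query, "elgg_row_to_array")) {
				foreach ($friends_result as $friend_row) {
					// values go back into SQL below, keep them strictly numeric
					$friends_cache[$owner][] = (int) $friend_row["guid_one"];
				}
			}
		}

		if (!empty($friends_cache[$owner])) {
			$friends_bit = "{$table_prefix}access_id = " . ACCESS_FRIENDS . " AND {$table_prefix}owner_guid IN (" . implode(",", $friends_cache[$owner]) . ")";
			$friends_bit = '(' . $friends_bit . ') OR ';
		}

		// @todo untested and unsupported at present
		if (isset($CONFIG->user_block_and_filter_enabled) && $CONFIG->user_block_and_filter_enabled) {
			// check to see if the user is in the entity owner's block list
			// or if the entity owner is in the user's filter list
			// if so, disallow access
			$enemies_bit = get_access_restriction_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false);
			$enemies_bit = '(' . $enemies_bit . ' AND ' . get_access_restriction_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false) . ')';
		}
	}

	if (empty($sql)) {
		$sql = " {$friends_bit} ({$table_prefix}access_id IN {$access}\n\t\t\tOR ({$table_prefix}owner_guid = {$owner})\n\t\t\tOR (\n\t\t\t\t{$table_prefix}access_id = " . ACCESS_PRIVATE . "\n\t\t\t\tAND {$table_prefix}owner_guid = {$owner}\n\t\t\t)\n\t\t)";

		// Subsite manager - extend access
		$params = array(
			"table_prefix" => $table_prefix,
			"owner" => $owner,
			"sql" => $sql,
			"ignore_access" => $ignore_access,
			"access" => $access,
		);
		$sql = elgg_trigger_plugin_hook("access:get_sql_suffix", "user", $params, $sql);
	}

	if ($enemies_bit) {
		$sql = "{$enemies_bit} AND ({$sql})";
	}

	// hidden (disabled) rows are filtered out unless the global override is set
	if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
		$sql .= " and {$table_prefix}enabled='yes'";
	}

	return '(' . $sql . ')';
}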
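/**
 * Container-permission hook for the pages plugin: lets users who can write to
 * the page owner, or to the container of the page named in the request, write
 * to the container.
 *
 * Only acts in the "pages" context. The hook arguments themselves are not
 * read; the decision is based on the page owner, the session user and the
 * page_guid / parent_guid request inputs.
 *
 * NOTE(review): the page is chosen by request input and is not compared with
 * the container this hook is being asked about, so the grant is only as narrow
 * as the callers' own validation of page_guid / parent_guid — confirm.
 *
 * @param string $hook        Hook name (unused)
 * @param string $entity_type Entity type (unused)
 * @param bool   $returnvalue Current return value (unused)
 * @param array  $params      Hook parameters (unused)
 *
 * @return bool|null True to grant, null to leave the decision unchanged
 */
function pages_container_permission_check($hook, $entity_type, $returnvalue, $params) {
	if (get_context() != "pages") {
		return null;
	}

	// there may be no session user; do not dereference a missing entry
	$user_guid = isset($_SESSION['user']) ? $_SESSION['user']->guid : null;

	if (page_owner()) {
		if (can_write_to_container($user_guid, page_owner())) {
			return true;
		}
	}

	// defined up front so the instanceof test below never reads an unset variable
	$entity = null;
	if ($page_guid = get_input('page_guid', 0)) {
		$entity = get_entity($page_guid);
	} elseif ($parent_guid = get_input('parent_guid', 0)) {
		$entity = get_entity($parent_guid);
	}

	if (!($entity instanceof ElggObject)) {
		return null;
	}

	if (can_write_to_container($user_guid, $entity->container_guid)) {
		return true;
	}

	// NOTE(review): get_access_list() is interpolated directly after SQL "IN"
	// by get_access_sql_suffix(), i.e. it yields a string, so this in_array()
	// looks like it can never match (and is a TypeError on PHP 8).
	// get_access_array() is probably what was meant — confirm before changing,
	// because fixing it switches on a grant path that is currently dead.
	if (in_array($entity->write_access_id, get_access_list())) {
		return true;
	}

	return null;
}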