ファイル: user.php プロジェクト: sarahjcotton/mahara
 /**
  * Indicates whether the user can see the artefact *in the artefact chooser*, and use
  * it in Pages within its ownership context. In other words, if it's a group file, they
  * can use it in Pages for that group, but not in their own personal Pages. The function
  * name refers to the "view" permission for group files.
  *
  * WARNING: Despite the similarity in name to can_view_view(), this method DOESN'T
  * check for general permission to "see" an artefact, i.e. to download it or view
  * its artefact detail page. For that, you need to use artefact_in_view() followed by
  * can_view_view().
  *
  * The checks run in this order; the first one that decides wins:
  *   1. file-type artefacts that are the site public folder, or are site-owned and
  *      sit directly in it, are always visible;
  *   2. if the artefact has a parent, the parent must itself pass this check
  *      (recursive); a denied parent denies the child;
  *   3. site admins, the artefact's owner, admins of the owning institution, and
  *      members of the owning institution (blog/blogpost artefacts only) are allowed;
  *   4. site-owned ('mahara') artefacts that are the public folder, or sit directly
  *      in it, are allowed;
  *   5. group-owned artefacts: the author is allowed; otherwise a role-based
  *      (artefact_access_role) or per-user (artefact_access_usr) view grant is needed;
  *   6. anything else is denied.
  *
  * NOTE(review): step 5 compares the author against the global $USER, whereas every
  * other check here is made against $this. The two differ whenever this is called
  * for a user other than the logged-in one — confirm that this is intended.
  *
  * TODO: Rename this to something less misleading?
  *
  * @param ArtefactType $a
  * @return bool
  */
 public function can_view_artefact($a)
 {
     global $USER;
     // Files in the public site folder and its subfolders
     // (the query below only matches direct children of the public folder; deeper
     // descendants are reached through the recursive parent check further down)
     if ($a instanceof ArtefactTypeFileBase) {
         $publicfolderid = ArtefactTypeFolder::admin_public_folder_id();
         // Reads as: (is the public folder itself) OR (site-owned AND its parent is the
         // public folder). '&&' binds tighter than '||'; both comparisons are loose (==).
         $fileispublic = $a->get('id') == $publicfolderid || $a->get('institution') == 'mahara' && (bool) get_field('artefact', 'id', 'id', $a->get('id'), 'parent', $publicfolderid);
         if ($fileispublic) {
             return true;
         }
     }
     // Walk up the hierarchy: the user must be able to see every ancestor.
     $parent = $a->get_parent_instance();
     if ($parent) {
         if (!$this->can_view_artefact($parent)) {
             return false;
         }
     }
     // Site admin, owner, institutional admin, or institution member for blog artefacts.
     // Note the mix of 'and' and '&&': each alternative is parenthesised except the last,
     // whose '&&' chain still binds tighter than the surrounding '||'.
     if ($this->get('admin') || ($this->get('id') and $this->get('id') == $a->get('owner')) || ($a->get('institution') and $this->is_institutional_admin($a->get('institution'))) || $a->get('institution') && $this->in_institution($a->get('institution')) && in_array($a->get('artefacttype'), array('blog', 'blogpost'))) {
         return true;
     } else {
         if ($a->get('institution') == 'mahara') {
             $thisparent = $a->get('parent');
             // if we are looking at the public folder or items in it
             if ($a->get('id') == ArtefactTypeFolder::admin_public_folder_id() || !empty($thisparent) && $thisparent == ArtefactTypeFolder::admin_public_folder_id()) {
                 return true;
             }
         }
     }
     if ($a->get('group')) {
         // NOTE(review): this is the only check made against $USER rather than $this.
         if ($USER->get('id') == $a->get('author')) {
             // uploader of group file should always have access to it
             return true;
         }
         // Only group artefacts can have artefact_access_role & artefact_access_usr records
         // Allowed if any of the user's roles in the owning group carries can_view for
         // this artefact, or if there is a direct per-user access record.
         return (bool) count_records_sql("SELECT COUNT(*) FROM {artefact_access_role} ar\n                INNER JOIN {group_member} g ON ar.role = g.role\n                WHERE ar.artefact = ? AND g.member = ? AND ar.can_view = 1 AND g.group = ?", array($a->get('id'), $this->get('id'), $a->get('group'))) || record_exists('artefact_access_usr', 'usr', $this->get('id'), 'artefact', $a->get('id'));
     }
     return false;
 }
ファイル: filebrowser.php プロジェクト: rboyatt/mahara
/**
 * Handle an owner-tab change in the filebrowser element: re-render the owner tabs
 * for the newly selected owner and rebuild the file list and path for that owner's
 * starting folder.
 *
 * @param Pieform $form    the form the element belongs to
 * @param array   $element the filebrowser element definition (name, tabs, page, config)
 * @return array response fragment for the browser: error flag, new tab data and
 *               rendered tabs, starting folder, edit flags, file list and path
 */
function pieform_element_filebrowser_changeowner(Pieform $form, $element)
{
    global $USER;

    $prefix = $form->get_name() . '_' . $element['name'];
    $newtabdata = pieform_element_filebrowser_configure_tabs($element['tabs'], $prefix);

    // Re-render the owner tab strip (and its sub-tabs) for the new selection.
    $separator = strpos($element['page'], '?') === false ? '?' : '&';
    $smarty = smarty_core();
    $smarty->assign('prefix', $prefix);
    $smarty->assign('querybase', $element['page'] . $separator);
    $smarty->assign('tabs', $newtabdata);
    $tabshtml = $smarty->fetch('artefact:file:form/ownertabs.tpl');
    $subtabshtml = $smarty->fetch('artefact:file:form/ownersubtabs.tpl');

    // Work out which owner context (site / institution / group / user) the file
    // list should now be built for, and which folder to start in.
    $group = null;
    $institution = null;
    $user = null;
    $folder = 0;
    switch ($newtabdata['owner']) {
        case 'site':
            // Non-admins only get to browse the site's public folder.
            if (!$USER->get('admin')) {
                $folder = ArtefactTypeFolder::admin_public_folder_id();
            }
            $institution = 'mahara';
            break;
        case 'institution':
            $institution = $newtabdata['ownerid'];
            break;
        case 'group':
            $group = $newtabdata['ownerid'];
            break;
        case 'user':
            $user = true;
            break;
    }

    // Metadata editing is offered for a user's own files when the element is not
    // already in edit mode and tagging is configured.
    $editmeta = (int) ($user && !$element['config']['edit'] && !empty($element['config']['tag']));
    // In a group, editing is disabled unless the user may edit this group folder.
    $disableedit = $group && !pieform_element_filebrowser_edit_group_folder($group, $folder);
    $filelist = pieform_element_filebrowser_build_filelist($form, $element, $folder, null, $user, $group, $institution);
    $path = pieform_element_filebrowser_build_path($form, $element, $folder, $newtabdata['owner'], $newtabdata['ownerid']);

    return array(
        'error' => false,
        'changedowner' => true,
        'changedfolder' => true,
        'editmeta' => $editmeta,
        'newtabdata' => $newtabdata,
        'folder' => $folder,
        'disableedit' => $disableedit,
        'newlist' => $filelist,
        'newpath' => $path,
        'newtabs' => $tabshtml,
        'newsubtabs' => $subtabshtml,
    );
}
ファイル: lib.php プロジェクト: Br3nda/mahara
 /**
  * List the site ('mahara'-owned) files, either only those under the public folder
  * or only those outside it, each with a '/'-joined folder path as its name.
  *
  * @param bool $public true to return files whose ancestry includes the site public
  *                     folder (name is the path below that folder); false to return
  *                     every other site file with its full folder path
  * @return array list of array('name' => path, 'id' => artefact id)
  */
 public static function get_admin_files($public)
 {
     $publicfolder = ArtefactTypeFolder::admin_public_folder_id();
     $rows = get_records_sql_assoc("\n            SELECT\n                a.id, a.title, a.parent, a.artefacttype\n            FROM {artefact} a\n                INNER JOIN {artefact_file_files} f ON f.artefact = a.id\n            WHERE a.institution = 'mahara'", array());
     $result = array();
     if (empty($rows)) {
         return $result;
     }
     foreach ($rows as $row) {
         // Folders are only used to build paths, never listed themselves.
         if ($row->artefacttype == 'folder') {
             continue;
         }
         // Walk up the parent chain, prefixing each folder title, until we hit the
         // root or (in public mode) the public folder.
         $path = $row->title;
         $ancestor = $row->parent;
         $underpublic = false;
         while (!empty($ancestor)) {
             if ($public && $ancestor == $publicfolder) {
                 $underpublic = true;
                 break;
             }
             $path = $rows[$ancestor]->title . '/' . $path;
             $ancestor = $rows[$ancestor]->parent;
         }
         if ($underpublic || !$public) {
             $result[] = array('name' => $path, 'id' => $row->id);
         }
     }
     return $result;
 }
ファイル: view.php プロジェクト: sarahjcotton/mahara
 /**
  * Return artefacts available for inclusion in a particular block
  *
  * Builds and runs the artefact chooser query. Which artefacts are visible depends
  * on the view's owner context: a group (group-owned artefacts the user has can_view
  * on, plus site artefacts), an institution (its own plus site artefacts), or an
  * individual user (own artefacts, the site public folder and its contents, group
  * role / per-user republish grants, and the artefacts of the user's institutions).
  *
  * Keys read from $data:
  *   - offset, limit          paging, passed through to get_records_sql_assoc()
  *   - sortorder              list of array('fieldname' => ..., 'order' => 'ASC'|'DESC')
  *   - extraselect            list of array('fieldname' => ..., 'type' => 'int'|'string', 'values' => array(...))
  *   - userartefactsallowed   group context only: also include the user's own artefacts
  *   - artefacttypes          list of artefact type names to restrict to
  *   - search                 substring matched (case-insensitively) against title and description
  *
  * Every fieldname is checked against /^[a-zA-Z_0-9"]+$/ before it is concatenated
  * into the SQL; all other values are bound as placeholders, cast to int, or passed
  * through db_quote().
  *
  * @param array $data                see above
  * @param User|int|null $owner       the user the chooser is for; null means the logged-in $USER
  * @param int|null $group            group id when the view is group-owned
  * @param string|null $institution   institution name when the view is institution-owned
  * @param bool $short                if true, select only ids (plus a dummy second column)
  * @return array                     array($artefacts, $totalartefacts): the page of rows as
  *                                   returned by get_records_sql_assoc() (with an 'editable'
  *                                   column unless $short) and the unpaged total
  * @throws SystemException           on an unusable $owner or an unsupported extraselect type
  */
 public static function get_artefactchooser_artefacts($data, $owner = null, $group = null, $institution = null, $short = false)
 {
     // Resolve $owner to a User object: null -> logged-in user, User -> as is,
     // numeric (including the string "0") -> load by id, anything else -> error.
     if ($owner === null) {
         global $USER;
         $user = $USER;
     } else {
         if ($owner instanceof User) {
             $user = $owner;
         } else {
             if (intval($owner) != 0 || $owner == "0") {
                 $user = new User();
                 $user->find_by_id(intval($owner));
             } else {
                 throw new SystemException("Invalid argument type " . gettype($owner) . " passed to View::get_artefactchooser_artefacts");
             }
         }
     }
     $offset = !empty($data['offset']) ? $data['offset'] : null;
     $limit = !empty($data['limit']) ? $data['limit'] : null;
     $sortorder = '';
     if (!empty($data['sortorder'])) {
         foreach ($data['sortorder'] as $field) {
             // Identifier allow-list: the fieldname is concatenated into ORDER BY verbatim,
             // so only letters, digits, underscore and double quotes may reach the SQL.
             if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) {
                 continue;
                 // skip this item (it fails validation)
             }
             // Anything other than an explicit DESC sorts ascending.
             $order = 'ASC';
             if (!empty($field['order']) && 'DESC' == strtoupper($field['order'])) {
                 $order = 'DESC';
             }
             if (empty($sortorder)) {
                 $sortorder .= ' ORDER BY ';
             } else {
                 $sortorder .= ', ';
             }
             $sortorder .= $field['fieldname'] . ' ' . $order;
         }
     }
     $extraselect = '';
     if (isset($data['extraselect'])) {
         foreach ($data['extraselect'] as $field) {
             // Same identifier allow-list as for sortorder; the fieldname is concatenated.
             if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) {
                 continue;
                 // skip this item (it fails validation)
             }
             // Sanitise all values
             // Values are inlined (not bound), so they are cast to int or quoted here.
             // NOTE: $val remains a reference after this loop (no unset); harmless because
             // $values is reassigned on the next outer iteration, but fragile if edited.
             $values = $field['values'];
             foreach ($values as &$val) {
                 if ($field['type'] == 'int') {
                     $val = (int) $val;
                 } elseif ($field['type'] == 'string') {
                     $val = db_quote($val);
                 } else {
                     throw new SystemException("Unsupported field type '" . $field['type'] . "' passed to View::get_artefactchooser_artefacts");
                 }
             }
             $extraselect .= ' AND ';
             if (count($values) > 1) {
                 $extraselect .= $field['fieldname'] . ' IN (' . implode(', ', $values) . ')';
             } else {
                 $extraselect .= $field['fieldname'] . ' = ' . reset($values);
             }
         }
     }
     $from = ' FROM {artefact} a ';
     if ($group) {
         // Get group-owned artefacts that the user has view
         // permission on, and site-owned artefacts
         $from .= '
         LEFT OUTER JOIN (
             SELECT
                 r.artefact, r.can_view, r.can_edit, m.group
             FROM
                 {group_member} m
                 JOIN {artefact} aa ON aa.group = m.group
                 JOIN {artefact_access_role} r ON aa.id = r.artefact AND r.role = m.role
             WHERE
                 m.group = ?
                 AND m.member = ?
                 AND r.can_view = 1
         ) ga ON (ga.group = a.group AND a.id = ga.artefact)';
         $select = "(a.institution = 'mahara' OR ga.can_view = 1";
         // Placeholder order must follow the order the '?' appear in the SQL text:
         // the two in the join subquery first, then any added to $select.
         $ph = array((int) $group, $user->get('id'));
         if (!empty($data['userartefactsallowed'])) {
             $select .= ' OR a.owner = ?';
             $ph[] = $user->get('id');
         }
         $select .= ')';
     } else {
         if ($institution) {
             // Site artefacts & artefacts owned by this institution
             $select = "(a.institution = 'mahara' OR a.institution = ?)";
             $ph = array($institution);
         } else {
             // The view is owned by a normal user
             // Get artefacts owned by the user, group-owned artefacts
             // the user has republish permission on, artefacts owned
             // by the user's institutions.
             safe_require('artefact', 'file');
             // The site public folder is matched by path: the folder itself exactly,
             // and everything below it by an escaped LIKE prefix.
             $public = (int) ArtefactTypeFolder::admin_public_folder_id();
             $select = '(
             a.owner = ?
             OR a.id IN (
                 SELECT id
                 FROM {artefact}
                     WHERE (path = ? OR path LIKE ?) AND institution = \'mahara\'
             )
             OR a.id IN (
                 SELECT aar.artefact
                 FROM {group_member} m
                     JOIN {artefact} aa ON m.group = aa.group
                     JOIN {artefact_access_role} aar ON aar.role = m.role AND aar.artefact = aa.id
                 WHERE m.member = ? AND aar.can_republish = 1
             )
             OR a.id IN (SELECT artefact FROM {artefact_access_usr} WHERE usr = ? AND can_republish = 1)';
             $ph = array($user->get('id'), "/{$public}", db_like_escape("/{$public}/") . '%', $user->get('id'), $user->get('id'));
             // Site admins additionally see everything owned by the site ('mahara').
             $institutions = array_keys($user->get('institutions'));
             if ($user->get('admin')) {
                 $institutions[] = 'mahara';
             }
             if ($institutions) {
                 $select .= '
             OR a.institution IN (' . join(',', array_fill(0, count($institutions), '?')) . ')';
                 $ph = array_merge($ph, $institutions);
             }
             $select .= "\n            )";
         }
     }
     if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) {
         $select .= ' AND artefacttype IN(' . join(',', array_fill(0, count($data['artefacttypes']), '?')) . ')';
         $ph = array_merge($ph, $data['artefacttypes']);
     }
     if (!empty($data['search'])) {
         // NOTE(review): doubling '%' is not a SQL LIKE escape, so a '%' typed into the
         // search still acts as a wildcard. db_like_escape() (used for the public folder
         // path above) is presumably the intended helper — verify before changing.
         $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%');
         // No leading space before AND: $select always ends in ')' at this point.
         $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )';
     }
     $select .= $extraselect;
     // The count query uses the WHERE placeholders only; the select query may get one
     // more prepended below for the 'editable' expression in the column list.
     $selectph = $countph = $ph;
     if ($short) {
         // We just want to know which artefact ids are allowed for inclusion in a view,
         // but get_records_sql_assoc wants > 1 column
         $cols = 'a.id, a.id AS b';
     } else {
         $cols = 'a.*';
         // We also want to know which artefacts can be edited by the logged-in user within
         // the context of the view.  For an institution view, all artefacts from the same
         // institution are editable.  For an individual view, artefacts with the same 'owner'
         // are editable.  For group views, only those artefacts with the can_edit permission
         // out of artefact_access_role are editable.
         if ($group) {
             $expr = 'ga.can_edit IS NOT NULL AND ga.can_edit = 1';
         } else {
             if ($institution) {
                 $expr = 'a.institution = ?';
                 // This '?' sits in the column list, i.e. before every WHERE placeholder.
                 array_unshift($selectph, $institution);
             } else {
                 $expr = 'a.owner IS NOT NULL AND a.owner = ?';
                 array_unshift($selectph, $user->get('id'));
             }
         }
         // MySQL returns a boolean expression as 0/1 directly; elsewhere cast it.
         if (is_mysql()) {
             $cols .= ", ({$expr}) AS editable";
         } else {
             $cols .= ", CAST({$expr} AS INTEGER) AS editable";
         }
     }
     $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . $sortorder, $selectph, $offset, $limit);
     $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select, $countph);
     return array($artefacts, $totalartefacts);
 }
 /**
  * Return artefacts available for inclusion in a particular block
  *
  * Builds and runs the artefact chooser query. Which artefacts are visible depends
  * on the view's owner context: a group (group-owned artefacts the user has can_view
  * on, plus site artefacts), an institution (its own plus site artefacts), or an
  * individual user (own artefacts, group role / per-user republish grants, the
  * contents of the site public folder for non-admins, and the artefacts of the
  * user's institutions).
  *
  * Keys read from $data: offset, limit, sortorder (list of fieldname/order),
  * extraselect (list of fieldname/type/values), userartefactsallowed (group context
  * only), artefacttypes, search.
  *
  * NOTE(review): this revision concatenates values straight into the SQL text
  * instead of binding them. $group is cast to int, the user id comes from a User
  * object, artefact types and institution names go through db_quote(), but
  * $institution is interpolated into a quoted literal with no escaping at all (see
  * the institution branch). It must never be taken from request input unchecked.
  *
  * @param array $data                see above
  * @param User|int|null $owner       the user the chooser is for; null means the logged-in $USER
  * @param int|null $group            group id when the view is group-owned
  * @param string|null $institution   institution name when the view is institution-owned
  * @param bool $short                if true, select only ids (plus a dummy second column)
  * @return array                     array($artefacts, $totalartefacts)
  * @throws SystemException           on an unusable $owner or an unsupported extraselect type
  */
 public static function get_artefactchooser_artefacts($data, $owner = null, $group = null, $institution = null, $short = false)
 {
     // Resolve $owner to a User object: null -> logged-in user, User -> as is,
     // non-zero numeric -> load by id (an id of 0 is rejected), anything else -> error.
     if ($owner === null) {
         global $USER;
         $user = $USER;
     } else {
         if ($owner instanceof User) {
             $user = $owner;
         } else {
             if (intval($owner) != 0) {
                 $user = new User();
                 $user->find_by_id(intval($owner));
             } else {
                 throw new SystemException("Invalid argument type " . gettype($owner) . " passed to View::get_artefactchooser_artefacts");
             }
         }
     }
     $offset = !empty($data['offset']) ? $data['offset'] : null;
     $limit = !empty($data['limit']) ? $data['limit'] : null;
     $sortorder = '';
     if (!empty($data['sortorder'])) {
         foreach ($data['sortorder'] as $field) {
             // Identifier allow-list: the fieldname is concatenated into ORDER BY verbatim,
             // so only letters, digits, underscore and double quotes may reach the SQL.
             if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) {
                 continue;
                 // skip this item (it fails validation)
             }
             $order = 'ASC';
             if (!empty($field['order']) && 'DESC' == strtoupper($field['order'])) {
                 $order = 'DESC';
             }
             if (empty($sortorder)) {
                 // NOTE(review): no leading space here. $sortorder is appended directly after
                 // $select, which ends in ')' — or in an extraselect value when one is given.
                 // Verify the resulting "...ORDER BY" text parses on every supported database.
                 $sortorder .= 'ORDER BY ';
             } else {
                 $sortorder .= ', ';
             }
             $sortorder .= $field['fieldname'] . ' ' . $order;
         }
     }
     $extraselect = '';
     if (isset($data['extraselect'])) {
         foreach ($data['extraselect'] as $field) {
             // Same identifier allow-list as for sortorder; the fieldname is concatenated.
             if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) {
                 continue;
                 // skip this item (it fails validation)
             }
             // Sanitise all values
             // Values are inlined, so they are cast to int or quoted here. $val stays a
             // reference after the loop (no unset); harmless because $values is reassigned.
             $values = $field['values'];
             foreach ($values as &$val) {
                 if ($field['type'] == 'int') {
                     $val = (int) $val;
                 } elseif ($field['type'] == 'string') {
                     $val = db_quote($val);
                 } else {
                     throw new SystemException("Unsupported field type '" . $field['type'] . "' passed to View::get_artefactchooser_artefacts");
                 }
             }
             $extraselect .= ' AND ';
             if (count($values) > 1) {
                 $extraselect .= $field['fieldname'] . ' IN (' . implode(', ', $values) . ')';
             } else {
                 $extraselect .= $field['fieldname'] . ' = ' . reset($values);
             }
         }
     }
     $from = ' FROM {artefact} a ';
     if ($group) {
         // Get group-owned artefacts that the user has view
         // permission on, and site-owned artefacts
         // $group is cast to int and the user id comes from the User object before
         // being spliced into the subquery.
         $from .= '
         LEFT OUTER JOIN (
             SELECT
                 r.artefact, r.can_view, m.group
             FROM
                 {artefact_access_role} r
                 INNER JOIN {group_member} m ON r.role = m.role
             WHERE
                 m."group" = ' . (int) $group . '
                 AND m.member = ' . $user->get('id') . '
                 AND r.can_view = 1
         ) ga ON (ga.group = a.group AND a.id = ga.artefact)';
         $select = "(a.institution = 'mahara' OR ga.can_view = 1";
         if (!empty($data['userartefactsallowed'])) {
             $select .= ' OR "owner" = ' . $user->get('id');
         }
         $select .= ')';
     } else {
         if ($institution) {
             // Site artefacts & artefacts owned by this institution
             // NOTE(review): $institution is interpolated into the literal without db_quote();
             // callers must guarantee it is a trusted institution name.
             $select = "(a.institution = 'mahara' OR a.institution = '{$institution}')";
         } else {
             // The view is owned by a normal user
             // Get artefacts owned by the user, group-owned artefacts
             // the user has republish permission on, artefacts owned
             // by the user's institutions.
             // NOTE(review): the '******' in the first join line below looks like a mangled
             // rendering in this listing (compare the m.member line further down, which
             // concatenates $user->get('id')); check the real source file.
             $from .= '
         LEFT OUTER JOIN {artefact_access_usr} aau ON (a.id = aau.artefact AND aau.usr = '******'id') . ')
         LEFT OUTER JOIN {artefact_parent_cache} apc ON (a.id = apc.artefact)
         LEFT OUTER JOIN (
             SELECT
                 aar.artefact, aar.can_republish, m.group
             FROM
                 {artefact_access_role} aar
                 INNER JOIN {group_member} m ON aar.role = m.role
             WHERE
                 m.member = ' . $user->get('id') . '
                 AND aar.can_republish = 1
         ) ra ON (a.id = ra.artefact AND a.group = ra.group)';
             $institutions = array_keys($user->get('institutions'));
             $select = '(
             "owner" = ' . $user->get('id') . '
             OR ra.can_republish = 1
             OR aau.can_republish = 1';
             // Site admins see everything site-owned; everyone else only sees what sits
             // directly in the site public folder (via artefact_parent_cache).
             if ($user->get('admin')) {
                 $institutions[] = 'mahara';
             } else {
                 safe_require('artefact', 'file');
                 $select .= "\n                OR ( a.institution = 'mahara' AND apc.parent = " . (int) ArtefactTypeFolder::admin_public_folder_id() . ')';
             }
             if ($institutions) {
                 $select .= '
             OR a.institution IN (' . join(',', array_map('db_quote', $institutions)) . ')';
             }
             $select .= "\n            )";
         }
     }
     if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) {
         $select .= ' AND artefacttype IN(' . implode(',', array_map('db_quote', $data['artefacttypes'])) . ')';
     }
     if (!empty($data['search'])) {
         // NOTE(review): doubling '%' is not a SQL LIKE escape, so a '%' typed into the
         // search still acts as a wildcard; the value is at least quoted via db_quote().
         $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%');
         $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )';
     }
     $select .= $extraselect;
     $cols = $short ? 'a.id, a.id AS b' : 'a.*';
     // get_records_sql_assoc wants > 1 column
     // Both queries are run with no bound parameters: everything was inlined above.
     $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . $sortorder, null, $offset, $limit);
     $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select);
     return array($artefacts, $totalartefacts);
 }
    }
    if (!can_view_view($viewid)) {
        throw new AccessDeniedException('');
    }
    if (!$file instanceof ArtefactTypeFile) {
        throw new NotFoundException();
    }
} else {
    // We just have a file ID
    $file = artefact_instance_from_id($fileid);
    if (!$file instanceof ArtefactTypeFile) {
        throw new NotFoundException();
    }
    // If the file is in the public directory, it's fine to serve
    $fileispublic = $file->get('institution') == 'mahara';
    $fileispublic = $fileispublic && (bool) get_field('artefact', 'id', 'id', $fileid, 'parent', ArtefactTypeFolder::admin_public_folder_id());
    if (!$fileispublic) {
        // If the file is in the logged in menu and the user is logged in then
        // they can view it
        $fileinloggedinmenu = $file->get('institution') == 'mahara';
        // check if users are allowed to access files in subfolders
        if (!get_config('sitefilesaccess')) {
            $fileinloggedinmenu = $fileinloggedinmenu && $file->get('parent') == null;
        }
        $fileinloggedinmenu = $fileinloggedinmenu && $USER->is_logged_in();
        $fileinloggedinmenu = $fileinloggedinmenu && record_exists('site_menu', 'file', $fileid, 'public', 0);
        if (!$fileinloggedinmenu) {
            // Alternatively, if you own the file or you are an admin, it should always work
            if (!$USER->can_view_artefact($file)) {
                // Check for images sitting in visible forum posts
                $visibleinpost = false;
ファイル: view.php プロジェクト: Br3nda/mahara
 /**
  * Return artefacts available for inclusion in a particular block
  *
  * Builds and runs the artefact chooser query for the logged-in user ($USER).
  * Which artefacts are visible depends on the view's owner context: a group
  * (group-owned artefacts the user has can_view on, plus site artefacts), an
  * institution (its own plus site artefacts), or the user themselves (own
  * artefacts, group role / per-user republish grants, the contents of the site
  * public folder for non-admins, and the artefacts of the user's institutions).
  *
  * Keys read from $data: offset, limit, sortorder, extraselect, extrajoin,
  * artefacttypes, search.
  *
  * NOTE(review): this revision does not validate the parts of $data it splices
  * into the SQL text — 'sortorder' is appended after ORDER BY as-is, 'extraselect'
  * is appended to the WHERE clause as-is and 'extrajoin' to the FROM clause as-is —
  * and $group and $institution are concatenated with no int cast and no db_quote().
  * Only 'search', 'artefacttypes' and the institution list go through db_quote().
  * Every one of those inputs must therefore be code-controlled, never taken from
  * the request.
  *
  * @param array $data                see above
  * @param int|null $group            group id when the view is group-owned
  * @param string|null $institution   institution name when the view is institution-owned
  * @param bool $short                if true, select only ids (plus a dummy second column)
  * @return array                     array($artefacts, $totalartefacts)
  */
 public static function get_artefactchooser_artefacts($data, $group = null, $institution = null, $short = false)
 {
     global $USER;
     $offset = !empty($data['offset']) ? $data['offset'] : null;
     $limit = !empty($data['limit']) ? $data['limit'] : null;
     // Raw SQL fragments supplied by the caller; none of them is validated here.
     $sortorder = !empty($data['sortorder']) ? $data['sortorder'] : false;
     $extraselect = isset($data['extraselect']) ? ' AND ' . $data['extraselect'] : '';
     $from = ' FROM {artefact} a ';
     if (isset($data['extrajoin'])) {
         $from .= $data['extrajoin'];
     }
     if ($group) {
         // Get group-owned artefacts that the user has view
         // permission on, and site-owned artefacts
         // NOTE(review): $group is concatenated without an int cast here.
         $from .= '
         LEFT OUTER JOIN (
             SELECT
                 r.artefact, r.can_view, m.group
             FROM
                 {artefact_access_role} r
                 INNER JOIN {group_member} m ON r.role = m.role
             WHERE
                 m."group" = ' . $group . '
                 AND m.member = ' . $USER->get('id') . '
                 AND r.can_view = 1
         ) ga ON (ga.group = a.group AND a.id = ga.artefact)';
         $select = "(a.institution = 'mahara' OR ga.can_view = 1)";
     } else {
         if ($institution) {
             // Site artefacts & artefacts owned by this institution
             // NOTE(review): $institution is interpolated into the literal without db_quote().
             $select = "(a.institution = 'mahara' OR a.institution = '{$institution}')";
         } else {
             // The view is owned by a normal user
             // Get artefacts owned by the user, group-owned artefacts
             // the user has republish permission on, artefacts owned
             // by the user's institutions.
             // NOTE(review): the '******' in the first join line below looks like a mangled
             // rendering in this listing (compare the m.member line further down, which
             // concatenates $USER->get('id')); check the real source file.
             $from .= '
         LEFT OUTER JOIN {artefact_access_usr} aau ON (a.id = aau.artefact AND aau.usr = '******'id') . ')
         LEFT OUTER JOIN {artefact_parent_cache} apc ON (a.id = apc.artefact)
         LEFT OUTER JOIN (
             SELECT
                 aar.artefact, aar.can_republish, m.group
             FROM
                 {artefact_access_role} aar
                 INNER JOIN {group_member} m ON aar.role = m.role
             WHERE
                 m.member = ' . $USER->get('id') . '
                 AND aar.can_republish = 1
         ) ra ON (a.id = ra.artefact AND a.group = ra.group)';
             $institutions = array_keys($USER->get('institutions'));
             $select = '(
             owner = ' . $USER->get('id') . '
             OR ra.can_republish = 1
             OR aau.can_republish = 1';
             // Site admins see everything site-owned; everyone else only sees what sits
             // directly in the site public folder (via artefact_parent_cache).
             if ($USER->get('admin')) {
                 $institutions[] = 'mahara';
             } else {
                 safe_require('artefact', 'file');
                 $select .= "\n                OR ( a.institution = 'mahara' AND apc.parent = " . ArtefactTypeFolder::admin_public_folder_id() . ')';
             }
             if ($institutions) {
                 $select .= '
             OR a.institution IN (' . join(',', array_map('db_quote', $institutions)) . ')';
             }
             $select .= "\n            )";
         }
     }
     if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) {
         $select .= ' AND artefacttype IN(' . implode(',', array_map('db_quote', $data['artefacttypes'])) . ')';
     }
     if (!empty($data['search'])) {
         // NOTE(review): doubling '%' is not a SQL LIKE escape, so a '%' typed into the
         // search still acts as a wildcard; the value is at least quoted via db_quote().
         $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%');
         $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )';
     }
     $select .= $extraselect;
     $cols = $short ? 'a.id, a.id AS b' : 'a.*';
     // get_records_sql_assoc wants > 1 column
     // Both queries run with no bound parameters: everything was inlined above.
     $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . ($sortorder ? ' ORDER BY ' . $sortorder : ''), null, $offset, $limit);
     $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select);
     return array($artefacts, $totalartefacts);
 }
ファイル: downloadfolder.php プロジェクト: rboyatt/mahara
// Home folder
if ($folderid === 0) {
    if (function_exists('zip_open')) {
        global $USER;
        $userid = $USER->get('id');
        $select = '
        SELECT a.id, a.artefacttype, a.title';
        $from = '
        FROM {artefact} a';
        $in = "('" . join("','", PluginArtefactFile::get_artefact_types()) . "')";
        $where = "\n        WHERE artefacttype IN {$in}";
        $phvals = array();
        if ($institution) {
            if ($institution == 'mahara' && !$USER->get('admin')) {
                // If non-admins are browsing site files, only let them see the public folder & its contents
                $publicfolder = ArtefactTypeFolder::admin_public_folder_id();
                $where .= '
                    AND (a.path = ? OR a.path LIKE ?)';
                $phvals = array("/{$publicfolder}", db_like_escape("/{$publicfolder}/") . '%');
            }
            $where .= '
            AND a.institution = ? AND a.owner IS NULL';
            $phvals[] = $institution;
        } else {
            if ($groupid) {
                $select .= ',
                r.can_edit, r.can_view, r.can_republish, a.author';
                $from .= '
                LEFT OUTER JOIN (
                    SELECT ar.artefact, ar.can_edit, ar.can_view, ar.can_republish
                    FROM {artefact_access_role} ar
    }
    if (!can_view_view($viewid)) {
        throw new AccessDeniedException('');
    }
    $file = artefact_instance_from_id($fileid);
    if (!$file instanceof ArtefactTypeFile) {
        throw new NotFoundException();
    }
} else {
    // We just have a file ID
    $file = artefact_instance_from_id($fileid);
    if (!$file instanceof ArtefactTypeFile) {
        throw new NotFoundException();
    }
    // If the file is in the public directory, it's fine to serve
    $fileispublic = (bool) get_field('artefact_parent_cache', 'artefact', 'artefact', $fileid, 'parent', ArtefactTypeFolder::admin_public_folder_id());
    $fileispublic &= $file->get('institution') == 'mahara';
    if (!$fileispublic) {
        // If the file is in the logged in menu and the user is logged in then
        // they can view it
        $fileinloggedinmenu = $file->get('institution') == 'mahara';
        $fileinloggedinmenu &= $file->get('parent') == null;
        $fileinloggedinmenu &= record_exists('site_menu', 'file', $fileid, 'public', 0);
        $fileinloggedinmenu &= $USER->is_logged_in();
        if (!$fileinloggedinmenu) {
            // Alternatively, if you own the file or you are an admin, it should always work
            if (!$USER->can_view_artefact($file)) {
                throw new AccessDeniedException(get_string('accessdenied', 'error'));
            }
        }
    }