/** * Indicates whether the user can see the artefact *in the artefact chooser*, and use * it in Pages within its ownership context. In other words, if it's a group file, they * can use it in Pages for that group, but not in their own personal Pages. The function * name refers to the "view" permission for group files. * * WARNING: Despite the similarity in name to can_view_view(), this method DOESN'T * check for general permission to "see" an artefact, i.e. to download it or view * its artefact detail page. For that, you need to use artefact_in_view() followed by * can_view_view(). * * TODO: Rename this to something less misleading? * * @param ArtefactType $a */ public function can_view_artefact($a) { global $USER; // Files in the public site folder and its subfolders if ($a instanceof ArtefactTypeFileBase) { $publicfolderid = ArtefactTypeFolder::admin_public_folder_id(); $fileispublic = $a->get('id') == $publicfolderid || $a->get('institution') == 'mahara' && (bool) get_field('artefact', 'id', 'id', $a->get('id'), 'parent', $publicfolderid); if ($fileispublic) { return true; } } $parent = $a->get_parent_instance(); if ($parent) { if (!$this->can_view_artefact($parent)) { return false; } } if ($this->get('admin') || ($this->get('id') and $this->get('id') == $a->get('owner')) || ($a->get('institution') and $this->is_institutional_admin($a->get('institution'))) || $a->get('institution') && $this->in_institution($a->get('institution')) && in_array($a->get('artefacttype'), array('blog', 'blogpost'))) { return true; } else { if ($a->get('institution') == 'mahara') { $thisparent = $a->get('parent'); // if we are looking at the public folder or items in it if ($a->get('id') == ArtefactTypeFolder::admin_public_folder_id() || !empty($thisparent) && $thisparent == ArtefactTypeFolder::admin_public_folder_id()) { return true; } } } if ($a->get('group')) { if ($USER->get('id') == $a->get('author')) { // uploader of group file should always have access to it return true; } // Only group artefacts can have artefact_access_role & artefact_access_usr records return (bool) count_records_sql("SELECT COUNT(*) FROM {artefact_access_role} ar\n INNER JOIN {group_member} g ON ar.role = g.role\n WHERE ar.artefact = ? AND g.member = ? AND ar.can_view = 1 AND g.group = ?", array($a->get('id'), $this->get('id'), $a->get('group'))) || record_exists('artefact_access_usr', 'usr', $this->get('id'), 'artefact', $a->get('id')); } return false; }
function pieform_element_filebrowser_changeowner(Pieform $form, $element) { $prefix = $form->get_name() . '_' . $element['name']; $newtabdata = pieform_element_filebrowser_configure_tabs($element['tabs'], $prefix); $smarty = smarty_core(); $smarty->assign('prefix', $prefix); $smarty->assign('querybase', $element['page'] . (strpos($element['page'], '?') === false ? '?' : '&')); $smarty->assign('tabs', $newtabdata); $newtabhtml = $smarty->fetch('artefact:file:form/ownertabs.tpl'); $newsubtabhtml = $smarty->fetch('artefact:file:form/ownersubtabs.tpl'); $group = null; $institution = null; $user = null; $userid = null; $folder = 0; if ($newtabdata['owner'] == 'site') { global $USER; if (!$USER->get('admin')) { $folder = ArtefactTypeFolder::admin_public_folder_id(); } $institution = 'mahara'; } else { if ($newtabdata['owner'] == 'institution') { $institution = $newtabdata['ownerid']; } else { if ($newtabdata['owner'] == 'group') { $group = $newtabdata['ownerid']; } else { if ($newtabdata['owner'] == 'user') { $user = true; $userid = $newtabdata['ownerid']; } } } } return array('error' => false, 'changedowner' => true, 'changedfolder' => true, 'editmeta' => (int) ($user && !$element['config']['edit'] && !empty($element['config']['tag'])), 'newtabdata' => $newtabdata, 'folder' => $folder, 'disableedit' => $group && !pieform_element_filebrowser_edit_group_folder($group, $folder), 'newlist' => pieform_element_filebrowser_build_filelist($form, $element, $folder, null, $user, $group, $institution), 'newpath' => pieform_element_filebrowser_build_path($form, $element, $folder, $newtabdata['owner'], $newtabdata['ownerid']), 'newtabs' => $newtabhtml, 'newsubtabs' => $newsubtabhtml); }
public static function get_admin_files($public) { $pubfolder = ArtefactTypeFolder::admin_public_folder_id(); $artefacts = get_records_sql_assoc("\n SELECT\n a.id, a.title, a.parent, a.artefacttype\n FROM {artefact} a\n INNER JOIN {artefact_file_files} f ON f.artefact = a.id\n WHERE a.institution = 'mahara'", array()); $files = array(); if (!empty($artefacts)) { foreach ($artefacts as $a) { if ($a->artefacttype != 'folder') { $title = $a->title; $parent = $a->parent; while (!empty($parent)) { if ($public && $parent == $pubfolder) { $files[] = array('name' => $title, 'id' => $a->id); continue 2; } $title = $artefacts[$parent]->title . '/' . $title; $parent = $artefacts[$parent]->parent; } if (!$public) { $files[] = array('name' => $title, 'id' => $a->id); } } } } return $files; }
/** * Return artefacts available for inclusion in a particular block * */ public static function get_artefactchooser_artefacts($data, $owner = null, $group = null, $institution = null, $short = false) { if ($owner === null) { global $USER; $user = $USER; } else { if ($owner instanceof User) { $user = $owner; } else { if (intval($owner) != 0 || $owner == "0") { $user = new User(); $user->find_by_id(intval($owner)); } else { throw new SystemException("Invalid argument type " . gettype($owner) . " passed to View::get_artefactchooser_artefacts"); } } } $offset = !empty($data['offset']) ? $data['offset'] : null; $limit = !empty($data['limit']) ? $data['limit'] : null; $sortorder = ''; if (!empty($data['sortorder'])) { foreach ($data['sortorder'] as $field) { if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) { continue; // skip this item (it fails validation) } $order = 'ASC'; if (!empty($field['order']) && 'DESC' == strtoupper($field['order'])) { $order = 'DESC'; } if (empty($sortorder)) { $sortorder .= ' ORDER BY '; } else { $sortorder .= ', '; } $sortorder .= $field['fieldname'] . ' ' . $order; } } $extraselect = ''; if (isset($data['extraselect'])) { foreach ($data['extraselect'] as $field) { if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) { continue; // skip this item (it fails validation) } // Sanitise all values $values = $field['values']; foreach ($values as &$val) { if ($field['type'] == 'int') { $val = (int) $val; } elseif ($field['type'] == 'string') { $val = db_quote($val); } else { throw new SystemException("Unsupported field type '" . $field['type'] . "' passed to View::get_artefactchooser_artefacts"); } } $extraselect .= ' AND '; if (count($values) > 1) { $extraselect .= $field['fieldname'] . ' IN (' . implode(', ', $values) . ')'; } else { $extraselect .= $field['fieldname'] . ' = ' . reset($values); } } } $from = ' FROM {artefact} a '; if ($group) { // Get group-owned artefacts that the user has view // permission on, and site-owned artefacts $from .= ' LEFT OUTER JOIN ( SELECT r.artefact, r.can_view, r.can_edit, m.group FROM {group_member} m JOIN {artefact} aa ON aa.group = m.group JOIN {artefact_access_role} r ON aa.id = r.artefact AND r.role = m.role WHERE m.group = ? AND m.member = ? AND r.can_view = 1 ) ga ON (ga.group = a.group AND a.id = ga.artefact)'; $select = "(a.institution = 'mahara' OR ga.can_view = 1"; $ph = array((int) $group, $user->get('id')); if (!empty($data['userartefactsallowed'])) { $select .= ' OR a.owner = ?'; $ph[] = $user->get('id'); } $select .= ')'; } else { if ($institution) { // Site artefacts & artefacts owned by this institution $select = "(a.institution = 'mahara' OR a.institution = ?)"; $ph = array($institution); } else { // The view is owned by a normal user // Get artefacts owned by the user, group-owned artefacts // the user has republish permission on, artefacts owned // by the user's institutions. safe_require('artefact', 'file'); $public = (int) ArtefactTypeFolder::admin_public_folder_id(); $select = '( a.owner = ? OR a.id IN ( SELECT id FROM {artefact} WHERE (path = ? OR path LIKE ?) AND institution = \'mahara\' ) OR a.id IN ( SELECT aar.artefact FROM {group_member} m JOIN {artefact} aa ON m.group = aa.group JOIN {artefact_access_role} aar ON aar.role = m.role AND aar.artefact = aa.id WHERE m.member = ? AND aar.can_republish = 1 ) OR a.id IN (SELECT artefact FROM {artefact_access_usr} WHERE usr = ? AND can_republish = 1)'; $ph = array($user->get('id'), "/{$public}", db_like_escape("/{$public}/") . '%', $user->get('id'), $user->get('id')); $institutions = array_keys($user->get('institutions')); if ($user->get('admin')) { $institutions[] = 'mahara'; } if ($institutions) { $select .= ' OR a.institution IN (' . join(',', array_fill(0, count($institutions), '?')) . ')'; $ph = array_merge($ph, $institutions); } $select .= "\n )"; } } if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) { $select .= ' AND artefacttype IN(' . join(',', array_fill(0, count($data['artefacttypes']), '?')) . ')'; $ph = array_merge($ph, $data['artefacttypes']); } if (!empty($data['search'])) { $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%'); $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )'; } $select .= $extraselect; $selectph = $countph = $ph; if ($short) { // We just want to know which artefact ids are allowed for inclusion in a view, // but get_records_sql_assoc wants > 1 column $cols = 'a.id, a.id AS b'; } else { $cols = 'a.*'; // We also want to know which artefacts can be edited by the logged-in user within // the context of the view. For an institution view, all artefacts from the same // institution are editable. For an individual view, artefacts with the same 'owner' // are editable. For group views, only those artefacts with the can_edit permission // out of artefact_access_role are editable. if ($group) { $expr = 'ga.can_edit IS NOT NULL AND ga.can_edit = 1'; } else { if ($institution) { $expr = 'a.institution = ?'; array_unshift($selectph, $institution); } else { $expr = 'a.owner IS NOT NULL AND a.owner = ?'; array_unshift($selectph, $user->get('id')); } } if (is_mysql()) { $cols .= ", ({$expr}) AS editable"; } else { $cols .= ", CAST({$expr} AS INTEGER) AS editable"; } } $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . $sortorder, $selectph, $offset, $limit); $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select, $countph); return array($artefacts, $totalartefacts); }
/** * Return artefacts available for inclusion in a particular block * */ public static function get_artefactchooser_artefacts($data, $owner = null, $group = null, $institution = null, $short = false) { if ($owner === null) { global $USER; $user = $USER; } else { if ($owner instanceof User) { $user = $owner; } else { if (intval($owner) != 0) { $user = new User(); $user->find_by_id(intval($owner)); } else { throw new SystemException("Invalid argument type " . gettype($owner) . " passed to View::get_artefactchooser_artefacts"); } } } $offset = !empty($data['offset']) ? $data['offset'] : null; $limit = !empty($data['limit']) ? $data['limit'] : null; $sortorder = ''; if (!empty($data['sortorder'])) { foreach ($data['sortorder'] as $field) { if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) { continue; // skip this item (it fails validation) } $order = 'ASC'; if (!empty($field['order']) && 'DESC' == strtoupper($field['order'])) { $order = 'DESC'; } if (empty($sortorder)) { $sortorder .= 'ORDER BY '; } else { $sortorder .= ', '; } $sortorder .= $field['fieldname'] . ' ' . $order; } } $extraselect = ''; if (isset($data['extraselect'])) { foreach ($data['extraselect'] as $field) { if (!preg_match('/^[a-zA-Z_0-9"]+$/', $field['fieldname'])) { continue; // skip this item (it fails validation) } // Sanitise all values $values = $field['values']; foreach ($values as &$val) { if ($field['type'] == 'int') { $val = (int) $val; } elseif ($field['type'] == 'string') { $val = db_quote($val); } else { throw new SystemException("Unsupported field type '" . $field['type'] . "' passed to View::get_artefactchooser_artefacts"); } } $extraselect .= ' AND '; if (count($values) > 1) { $extraselect .= $field['fieldname'] . ' IN (' . implode(', ', $values) . ')'; } else { $extraselect .= $field['fieldname'] . ' = ' . reset($values); } } } $from = ' FROM {artefact} a '; if ($group) { // Get group-owned artefacts that the user has view // permission on, and site-owned artefacts $from .= ' LEFT OUTER JOIN ( SELECT r.artefact, r.can_view, m.group FROM {artefact_access_role} r INNER JOIN {group_member} m ON r.role = m.role WHERE m."group" = ' . (int) $group . ' AND m.member = ' . $user->get('id') . ' AND r.can_view = 1 ) ga ON (ga.group = a.group AND a.id = ga.artefact)'; $select = "(a.institution = 'mahara' OR ga.can_view = 1"; if (!empty($data['userartefactsallowed'])) { $select .= ' OR "owner" = ' . $user->get('id'); } $select .= ')'; } else { if ($institution) { // Site artefacts & artefacts owned by this institution $select = "(a.institution = 'mahara' OR a.institution = '{$institution}')"; } else { // The view is owned by a normal user // Get artefacts owned by the user, group-owned artefacts // the user has republish permission on, artefacts owned // by the user's institutions. $from .= ' LEFT OUTER JOIN {artefact_access_usr} aau ON (a.id = aau.artefact AND aau.usr = '******'id') . ') LEFT OUTER JOIN {artefact_parent_cache} apc ON (a.id = apc.artefact) LEFT OUTER JOIN ( SELECT aar.artefact, aar.can_republish, m.group FROM {artefact_access_role} aar INNER JOIN {group_member} m ON aar.role = m.role WHERE m.member = ' . $user->get('id') . ' AND aar.can_republish = 1 ) ra ON (a.id = ra.artefact AND a.group = ra.group)'; $institutions = array_keys($user->get('institutions')); $select = '( "owner" = ' . $user->get('id') . ' OR ra.can_republish = 1 OR aau.can_republish = 1'; if ($user->get('admin')) { $institutions[] = 'mahara'; } else { safe_require('artefact', 'file'); $select .= "\n OR ( a.institution = 'mahara' AND apc.parent = " . (int) ArtefactTypeFolder::admin_public_folder_id() . ')'; } if ($institutions) { $select .= ' OR a.institution IN (' . join(',', array_map('db_quote', $institutions)) . ')'; } $select .= "\n )"; } } if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) { $select .= ' AND artefacttype IN(' . implode(',', array_map('db_quote', $data['artefacttypes'])) . ')'; } if (!empty($data['search'])) { $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%'); $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )'; } $select .= $extraselect; $cols = $short ? 'a.id, a.id AS b' : 'a.*'; // get_records_sql_assoc wants > 1 column $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . $sortorder, null, $offset, $limit); $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select); return array($artefacts, $totalartefacts); }
} if (!can_view_view($viewid)) { throw new AccessDeniedException(''); } if (!$file instanceof ArtefactTypeFile) { throw new NotFoundException(); } } else { // We just have a file ID $file = artefact_instance_from_id($fileid); if (!$file instanceof ArtefactTypeFile) { throw new NotFoundException(); } // If the file is in the public directory, it's fine to serve $fileispublic = $file->get('institution') == 'mahara'; $fileispublic = $fileispublic && (bool) get_field('artefact', 'id', 'id', $fileid, 'parent', ArtefactTypeFolder::admin_public_folder_id()); if (!$fileispublic) { // If the file is in the logged in menu and the user is logged in then // they can view it $fileinloggedinmenu = $file->get('institution') == 'mahara'; // check if users are allowed to access files in subfolders if (!get_config('sitefilesaccess')) { $fileinloggedinmenu = $fileinloggedinmenu && $file->get('parent') == null; } $fileinloggedinmenu = $fileinloggedinmenu && $USER->is_logged_in(); $fileinloggedinmenu = $fileinloggedinmenu && record_exists('site_menu', 'file', $fileid, 'public', 0); if (!$fileinloggedinmenu) { // Alternatively, if you own the file or you are an admin, it should always work if (!$USER->can_view_artefact($file)) { // Check for images sitting in visible forum posts $visibleinpost = false;
/** * Return artefacts available for inclusion in a particular block * */ public static function get_artefactchooser_artefacts($data, $group = null, $institution = null, $short = false) { global $USER; $offset = !empty($data['offset']) ? $data['offset'] : null; $limit = !empty($data['limit']) ? $data['limit'] : null; $sortorder = !empty($data['sortorder']) ? $data['sortorder'] : false; $extraselect = isset($data['extraselect']) ? ' AND ' . $data['extraselect'] : ''; $from = ' FROM {artefact} a '; if (isset($data['extrajoin'])) { $from .= $data['extrajoin']; } if ($group) { // Get group-owned artefacts that the user has view // permission on, and site-owned artefacts $from .= ' LEFT OUTER JOIN ( SELECT r.artefact, r.can_view, m.group FROM {artefact_access_role} r INNER JOIN {group_member} m ON r.role = m.role WHERE m."group" = ' . $group . ' AND m.member = ' . $USER->get('id') . ' AND r.can_view = 1 ) ga ON (ga.group = a.group AND a.id = ga.artefact)'; $select = "(a.institution = 'mahara' OR ga.can_view = 1)"; } else { if ($institution) { // Site artefacts & artefacts owned by this institution $select = "(a.institution = 'mahara' OR a.institution = '{$institution}')"; } else { // The view is owned by a normal user // Get artefacts owned by the user, group-owned artefacts // the user has republish permission on, artefacts owned // by the user's institutions. $from .= ' LEFT OUTER JOIN {artefact_access_usr} aau ON (a.id = aau.artefact AND aau.usr = '******'id') . ') LEFT OUTER JOIN {artefact_parent_cache} apc ON (a.id = apc.artefact) LEFT OUTER JOIN ( SELECT aar.artefact, aar.can_republish, m.group FROM {artefact_access_role} aar INNER JOIN {group_member} m ON aar.role = m.role WHERE m.member = ' . $USER->get('id') . ' AND aar.can_republish = 1 ) ra ON (a.id = ra.artefact AND a.group = ra.group)'; $institutions = array_keys($USER->get('institutions')); $select = '( owner = ' . $USER->get('id') . ' OR ra.can_republish = 1 OR aau.can_republish = 1'; if ($USER->get('admin')) { $institutions[] = 'mahara'; } else { safe_require('artefact', 'file'); $select .= "\n OR ( a.institution = 'mahara' AND apc.parent = " . ArtefactTypeFolder::admin_public_folder_id() . ')'; } if ($institutions) { $select .= ' OR a.institution IN (' . join(',', array_map('db_quote', $institutions)) . ')'; } $select .= "\n )"; } } if (!empty($data['artefacttypes']) && is_array($data['artefacttypes'])) { $select .= ' AND artefacttype IN(' . implode(',', array_map('db_quote', $data['artefacttypes'])) . ')'; } if (!empty($data['search'])) { $search = db_quote('%' . str_replace('%', '%%', $data['search']) . '%'); $select .= 'AND (title ' . db_ilike() . '(' . $search . ') OR description ' . db_ilike() . '(' . $search . ') )'; } $select .= $extraselect; $cols = $short ? 'a.id, a.id AS b' : 'a.*'; // get_records_sql_assoc wants > 1 column $artefacts = get_records_sql_assoc('SELECT ' . $cols . $from . ' WHERE ' . $select . ($sortorder ? ' ORDER BY ' . $sortorder : ''), null, $offset, $limit); $totalartefacts = count_records_sql('SELECT COUNT(*) ' . $from . ' WHERE ' . $select); return array($artefacts, $totalartefacts); }
// Home folder if ($folderid === 0) { if (function_exists('zip_open')) { global $USER; $userid = $USER->get('id'); $select = ' SELECT a.id, a.artefacttype, a.title'; $from = ' FROM {artefact} a'; $in = "('" . join("','", PluginArtefactFile::get_artefact_types()) . "')"; $where = "\n WHERE artefacttype IN {$in}"; $phvals = array(); if ($institution) { if ($institution == 'mahara' && !$USER->get('admin')) { // If non-admins are browsing site files, only let them see the public folder & its contents $publicfolder = ArtefactTypeFolder::admin_public_folder_id(); $where .= ' AND (a.path = ? OR a.path LIKE ?)'; $phvals = array("/{$publicfolder}", db_like_escape("/{$publicfolder}/") . '%'); } $where .= ' AND a.institution = ? AND a.owner IS NULL'; $phvals[] = $institution; } else { if ($groupid) { $select .= ', r.can_edit, r.can_view, r.can_republish, a.author'; $from .= ' LEFT OUTER JOIN ( SELECT ar.artefact, ar.can_edit, ar.can_view, ar.can_republish FROM {artefact_access_role} ar
} if (!can_view_view($viewid)) { throw new AccessDeniedException(''); } $file = artefact_instance_from_id($fileid); if (!$file instanceof ArtefactTypeFile) { throw new NotFoundException(); } } else { // We just have a file ID $file = artefact_instance_from_id($fileid); if (!$file instanceof ArtefactTypeFile) { throw new NotFoundException(); } // If the file is in the public directory, it's fine to serve $fileispublic = (bool) get_field('artefact_parent_cache', 'artefact', 'artefact', $fileid, 'parent', ArtefactTypeFolder::admin_public_folder_id()); $fileispublic &= $file->get('institution') == 'mahara'; if (!$fileispublic) { // If the file is in the logged in menu and the user is logged in then // they can view it $fileinloggedinmenu = $file->get('institution') == 'mahara'; $fileinloggedinmenu &= $file->get('parent') == null; $fileinloggedinmenu &= record_exists('site_menu', 'file', $fileid, 'public', 0); $fileinloggedinmenu &= $USER->is_logged_in(); if (!$fileinloggedinmenu) { // Alternatively, if you own the file or you are an admin, it should always work if (!$USER->can_view_artefact($file)) { throw new AccessDeniedException(get_string('accessdenied', 'error')); } } }