/**
 * Decide whether the requested action is permitted on a bean under module ACLs.
 *
 * Ownership is resolved first (honouring $context['owner_override'] when it is
 * non-empty), the action name is normalised through self::$action_translate,
 * and the decision is then delegated to ACLController::checkAccessInternal().
 *
 * Fail-open paths: beans that do not implement ACL, and any action not listed
 * in the switch below, both yield true. Such actions get no check here.
 *
 * @param string $module  Module name handed to ACLController.
 * @param string $action  Requested action; may be remapped via self::$action_translate.
 * @param array  $context Reads 'bean' and, optionally, 'owner_override'; also passed to getUserID().
 * @return bool true on the fail-open paths; otherwise the result of
 *              ACLController::checkAccessInternal() (presumably bool - confirm).
 */
protected function beanACL($module, $action, $context)
{
    $bean = $context['bean'];

    // Beans that do not implement ACL are not restricted by this check.
    if (!$bean->bean_implements('ACL')) {
        return true;
    }

    // A non-empty override is trusted as the ownership answer; otherwise ask the bean.
    $is_owner = !empty($context['owner_override'])
        ? $context['owner_override']
        : $bean->isOwner($this->getUserID($context));

    // Normalise aliased action names to the ones the switch understands.
    if (isset(self::$action_translate[$action])) {
        $action = self::$action_translate[$action];
    }

    // Some modules (Trackers, TrackerSessions, TrackerPerfs, TrackerQueries) use a special acltype.
    $aclType = !empty($bean->acltype) ? $bean->acltype : 'module';

    switch ($action) {
        case 'import':
        case 'list':
            // Not tied to a single record, so ownership is passed as true.
            return ACLController::checkAccessInternal($module, $action, true, $aclType);

        case 'delete':
        case 'view':
        case 'export':
        case 'massupdate':
            return ACLController::checkAccessInternal($module, $action, $is_owner, $aclType);

        case 'edit':
            // For an existing record, ownership is re-derived from the fetched row or a
            // fresh load instead of the in-memory bean - presumably so that fields changed
            // on the bean before save cannot alter the ownership answer.
            // NOTE(review): the override is tested with !empty() above but isset() here, so
            // an explicit false override skips this re-check while $is_owner still comes
            // from the in-memory bean - confirm that is intended.
            if (!isset($context['owner_override']) && !empty($bean->id)) {
                $rowIsUsable = !empty($bean->fetched_row)
                    && !empty($bean->fetched_row['id'])
                    && !empty($bean->fetched_row['assigned_user_id'])
                    && !empty($bean->fetched_row['created_by']);

                if ($rowIsUsable) {
                    $stored = BeanFactory::newBean($bean->module_dir);
                    $stored->populateFromRow($bean->fetched_row);
                } elseif ($bean->new_with_id) {
                    // A bean flagged new_with_id is treated as owned without any lookup.
                    // NOTE(review): confirm new_with_id cannot be set from request data.
                    $is_owner = true;
                } else {
                    $stored = BeanFactory::getBean($bean->module_dir, $bean->id);
                }

                // If nothing was loaded, the ownership computed earlier is left in place.
                if (!empty($stored)) {
                    $is_owner = $stored->isOwner($this->getUserID($context));
                    unset($stored);
                }
            }
            // Intentional fall-through: 'edit' shares the final check with the edit views.

        case 'popupeditview':
        case 'editview':
            return ACLController::checkAccessInternal($module, 'edit', $is_owner, $aclType);
    }

    // Any other action is expected to be enforced at the page level; nothing is checked here.
    return true;
}