/** * Return true if this user may change the state of this attachment * * (Note that all of the arguments are assumed to be valid; no sanity checking is done. * It is up to the caller to validate the arguments before calling this function.) * * @param int $parent_id the ID for the parent object * @param string $parent_entity the type of entity for this parent type * @param int $attachment_creator_id the ID of the creator of the attachment * @param object $user_id the user_id to check (optional, primarily for testing) * * @return true if this user may change the state of this attachment */ public function userMayChangeAttachmentState($parent_id, $parent_entity, $attachment_creator_id, $user_id = null) { // If the user generally has permissions to edit all content, they // may change this attachment state (editor, publisher, admin, etc) $user = JFactory::getUser($user_id); if ($user->authorise('com_content', 'edit', 'content', 'all')) { return true; } require_once JPATH_ADMINISTRATOR . '/components/com_attachments/permissions.php'; // Handle each entity type switch ($parent_entity) { case 'category': // ?? Deal with parents being created (parent_id == 0) // First, determine if the user can edit this category if (!AttachmentsPermissions::userMayEditCategory($parent_id)) { return false; } // See if the user can change the state of any attachment if ($user->authorise('core.edit.state', 'com_attachments')) { return true; } // See if the user has permissions to change the state of their own attachments if ($user->authorise('attachments.edit.state.own', 'com_attachments') && (int) $user->id == (int) $attachment_creator_id) { return true; } // See if the user has permission to change the state of any attachments for categories they created if ($user->authorise('attachments.edit.state.ownparent', 'com_attachments')) { $category_creator_id = $this->getParentCreatorId($parent_id, 'category'); return (int) $user->id == (int) $category_creator_id; } break; default: // Articles // ?? Deal with parents being created (parent_id == 0) // First, determine if the user can edit this article if (!AttachmentsPermissions::userMayEditArticle($parent_id)) { return false; } // See if the user can change the state of any attachment if ($user->authorise('core.edit.state', 'com_attachments')) { return true; } // See if the user has permissions to change the state of their own attachments if ($user->authorise('attachments.edit.state.own', 'com_attachments') && (int) $user->id == (int) $attachment_creator_id) { return true; } // See if the user has permission to edit the state of any attachments for articles they created if ($user->authorise('attachments.edit.state.ownparent', 'com_attachments')) { $article_creator_id = $this->getParentCreatorId($parent_id, 'article'); return (int) $user->id == (int) $article_creator_id; } } return false; }
/** * Test to see whether a user may edit a specified article * * @dataProvider provider * * @param int $user_id the id of the user to test * @param string $username the username (for error printouts) * @param int $art_id the id of the article to test * @param int $may_edit the expected result of the test */ public function testArticleEdit($user_id, $username, $art_id, $may_edit) { $result = AttachmentsPermissions::userMayEditArticle((int) $art_id, (int) $user_id); $errmsg = "----> Failed test for {$username} edit article {$art_id}, expected {$may_edit}, got {$result}"; $this->assertEquals($result, (bool) $may_edit, $errmsg); }