/**
 * Narrows a DB select so that it only returns rows the current user may edit.
 *
 * Callers are expected to have already confirmed that the user holds some
 * editing right for the module (Current_User::allow('module', 'edit_permission')).
 * Calling this without that right does not fail loudly: the query is forced to
 * match nothing (WHERE 1=0) instead of returning rows.
 *
 * Deities, and users who are unrestricted for the module, receive no extra
 * restriction. Everyone else is limited to rows satisfying ANY of the
 * following, OR-ed together in the addWhere() group 'key_1':
 *   - $key_id_column equals 0                 (only when $key_id_column is given)
 *   - $owner_id_column equals the user's id   (only when $owner_id_column is given)
 *   - the row's key_id is listed in phpws_key_edit for one of the user's groups
 * Further qualifications belong in the calling module via $db->addWhere()
 * on the 'key_id' group.
 *
 * NOTE(review): $source_table, $key_id_column and $owner_id_column are
 * concatenated into a column expression and handed to $db->addWhere() as-is;
 * nothing here quotes or validates them, so they must be literals written in
 * module code, never values derived from a request.
 *
 * @modified Eloi George
 * @param object $db               Database object to modify (mutated in place)
 * @param string $module           Calling module
 * @param string $edit_permission  Name of the editing permission
 * @param string $source_table     (optional) Main table being searched; defaults to $db->tables[0]
 * @param string $key_id_column    (optional) Usually "key_id". Only set if edits on rows with key_id=0 are allowed
 * @param string $owner_id_column  (optional) Only set if users may edit content they created
 */
public static function restrictEdit($db, $module, $edit_permission = null, $source_table = null, $key_id_column = null, $owner_id_column = null)
{
    // Deities bypass every restriction.
    if (Current_User::isDeity()) {
        return;
    }

    // No edit right for this module/permission: make the query match nothing
    // rather than leave it unfiltered.
    if (!Current_User::allow($module, $edit_permission)) {
        $db->setQWhere('1=0');
        return;
    }

    // Unrestricted editors need no per-row filtering.
    if (Current_User::isUnrestricted($module)) {
        return;
    }

    // The key-edit join below can multiply rows; collapse duplicates.
    $db->setDistinct(1);

    // Fall back to the query's first table when no table was named.
    $table = $source_table ?: $db->tables[0];

    if ($key_id_column) {
        $db->addWhere("{$table}.{$key_id_column}", 0, null, 'or', 'key_1');
    }

    if ($owner_id_column) {
        $db->addWhere("{$table}.{$owner_id_column}", Current_User::getId(), null, 'or', 'key_1');
    }

    // Rows whose key is editable by any of the user's groups.
    $userGroups = Current_User::getGroups();
    if ($userGroups) {
        $db->addJoin('left', $table, 'phpws_key_edit', 'key_id', 'key_id');
        $db->addWhere('phpws_key_edit.group_id', $userGroups, 'in', 'or', 'key_1');
    }
}
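/**
 * Decides whether the current user may view the blog.
 *
 * Checks, in order:
 *   1. Users holding the 'blog' permission may always view.
 *   2. When the 'logged_users_only' setting is on, anonymous users are denied.
 *   3. When the 'view_only' setting lists groups (colon-separated ids), the
 *      user must be logged in and belong to at least one of them.
 * Anything else is allowed.
 *
 * @return bool true when viewing is permitted
 */
public static function allowView()
{
    if (Current_User::allow('blog')) {
        return true;
    }

    // Viewing restricted to logged-in users and this user is anonymous.
    if (PHPWS_Settings::get('blog', 'logged_users_only') && !Current_User::isLogged()) {
        return false;
    }

    $viewGroups = PHPWS_Settings::get('blog', 'view_only');
    if (empty($viewGroups)) {
        // No group restriction configured.
        return true;
    }

    // A group restriction is in place; an anonymous user is in no group.
    if (!Current_User::isLogged()) {
        return false;
    }

    // getGroups() may yield nothing (restrictEdit guards the same call with
    // !empty); treat that as "no groups" and deny, instead of letting
    // array_intersect() raise a TypeError on a non-array value.
    $userGroups = Current_User::getGroups();
    if (empty($userGroups)) {
        return false;
    }

    // Ids are compared as strings and are not trimmed — TODO confirm the
    // setting is stored as "1:2:3" without surrounding whitespace.
    $allowedGroups = explode(':', $viewGroups);

    // Allow only when the user shares at least one group with the allowed list.
    return array_intersect($userGroups, $allowedGroups) !== [];
}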