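/**
 * Given an image artefact and the id of a forum post, check that the logged-in
 * user has permission to see the image in the context of that post.
 *
 * Access is granted only when every one of the following holds, checked in this
 * order (cheapest first, and no database work before the type gate):
 *  1. $file is an ArtefactTypeImage (the only artefact type served this way);
 *  2. the post exists and is not deleted, and neither its topic, forum nor group
 *     is deleted;
 *  3. the group is public, or the current user has access to the group;
 *  4. the post's author is (still) allowed to publish the artefact;
 *  5. the post body actually embeds this image via its download URL.
 *
 * @param mixed $file   artefact to check; anything but an ArtefactTypeImage is rejected
 * @param int   $postid id of the forum post the image is supposed to appear in
 * @return bool true only when all of the checks above pass
 */
public static function can_see_attached_file($file, $postid) {
    global $USER;

    // Type gate before anything else: no library loading or queries for other artefact types.
    if (!$file instanceof ArtefactTypeImage) {
        return false;
    }

    // Loaded here (after the early return) because only group_user_access() below needs it.
    require_once 'group.php';

    // Walk from the post up to its group so that a deleted topic, forum or group hides the
    // image too.  The root post (fp) is joined but not selected; presumably this just
    // requires the topic to have a root post -- kept as in the original query.
    $post = get_record_sql('
        SELECT p.body, p.poster, g.id AS groupid, g.public
        FROM {interaction_forum_post} p
        INNER JOIN {interaction_forum_topic} t ON (t.id = p.topic AND t.deleted = 0)
        INNER JOIN {interaction_forum_post} fp ON (fp.parent IS NULL AND fp.topic = t.id)
        INNER JOIN {interaction_instance} f ON (t.forum = f.id AND f.deleted = 0)
        INNER JOIN {group} g ON (f.group = g.id AND g.deleted = 0)
        WHERE p.id = ? AND p.deleted = 0',
        array($postid)
    );
    if (!$post) {
        return false;
    }

    // Non-public groups: only users with access to the group may see its forum content.
    if (!$post->public && !group_user_access($post->groupid, $USER->get('id'))) {
        return false;
    }

    // The author must be entitled to publish the artefact; otherwise an old post could keep
    // exposing a file its author may no longer publish.
    $poster = new User();
    $poster->find_by_id($post->poster);
    if (!$poster->can_publish_artefact($file)) {
        return false;
    }

    // DOMDocument::loadHTML() rejects an empty string (a ValueError on PHP 8, a warning
    // plus false on older versions), and an empty body cannot embed an image anyway.
    $body = $post->body;
    if ($body === null || $body === '') {
        return false;
    }

    // Parse the (user-authored, often not well-formed) html fragment with libxml errors
    // captured rather than emitted; restore the caller's error mode afterwards instead of
    // forcing it to false, and drop the collected errors so they do not accumulate.
    $page = new DOMDocument();
    $previousErrorMode = libxml_use_internal_errors(true);
    try {
        $loaded = $page->loadHTML($body);
    }
    finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);
    }
    if (!$loaded) {
        return false;
    }

    // The post must actually embed this image.  The src prefix is built from the
    // admin-configured wwwroot and the artefact's id, not from request input; the trailing
    // '&' stops file=12 from also matching file=123.
    $srcstart = get_config('wwwroot') . 'artefact/file/download.php?file=' . $file->get('id') . '&';
    $xpath = new DOMXPath($page);
    $elements = $xpath->query('//img[starts-with(@src,"' . $srcstart . '")]');

    // query() returns false for an invalid expression; treat that as "not embedded" rather
    // than reading ->length on a bool.
    return $elements !== false && $elements->length > 0;
}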