/**
* Prepare security- and filter-based restrictions.
* @access private
*/
protected function _prepare_restrictions()
{
parent::_prepare_restrictions();
if (!$this->_returns_no_data()) {
include_once 'webcore/db/query_security.php';
$restriction = new QUERY_SECURITY_RESTRICTION($this, $this->_user);
$sql = $restriction->as_sql(array(Privilege_set_folder, Privilege_set_entry, $this->_privilege_set));
if (!$sql) {
$this->_set_returns_no_data();
} else {
$this->_calculated_restrictions[] = $sql;
}
}
}
/**
* Prepare security- and filter-based restrictions.
* @access private
*/
protected function _prepare_restrictions()
{
parent::_prepare_restrictions();
if (!$this->_returns_no_data()) {
$p = $this->_user->permissions();
$vis = $p->value_for(Privilege_set_folder, Privilege_view);
$invis = $p->value_for(Privilege_set_folder, Privilege_view_hidden);
/* The all-denied case is already checked in OBJECT_IN_FOLDER_QUERY. */
if ($vis == Privilege_always_granted) {
// all visible folders are returned, regardless of folder permissions
$join_type = "LEFT";
// All folders are returned, filtered by user request
if ($invis == Privilege_always_granted) {
if ($this->_filter != All) {
$usable = "fldr.state & {$this->_filter} = fldr.state";
} else {
$usable = '1';
}
} else {
if ($invis == Privilege_always_denied) {
// all visible folders are returned, regardless of folder permissions
// all invisible folders are blocked, regardless of folder permissions
$usable = "fldr.state & " . ($this->_filter & ~Invisible) . " = fldr.state";
// Disallow any invisible folders
} else {
// Return all visible folders and only invisible folders with folder-level permissions
if ($this->_filter & Visible) {
if ($this->_filter & Invisible) {
$usable = "((fldr.state & " . Visible . ")" . " OR ((fldr.state & " . Invisible . ") AND (perm.folder_permissions & " . Privilege_view_hidden . ")))" . " AND (fldr.state & {$this->_filter} = fldr.state)";
} else {
$usable = "(fldr.state & {$this->_filter})";
}
} else {
if ($this->_filter & Invisible) {
$usable = "((fldr.state & {$this->_filter} = fldr.state) AND (perm.folder_permissions & " . Privilege_view_hidden . "))";
} else {
$this->raise('Unreachable state (logic error)', '_prepare_restrictions', 'USER_FOLDER_QUERY');
}
}
}
}
} else {
// only those folders for which folder permissions allow this user are returned
$join_type = "INNER";
if ($invis == Privilege_always_denied) {
// no invisible folders are returned, regardless of folder permissions
$usable = "(fldr.state & " . ($this->_filter & ~Invisible) . " = fldr.state) AND (perm.folder_permissions & " . Privilege_view . ")";
} else {
if ($invis == Privilege_always_granted) {
// all folder-granted visible folders and all invisible folders, regardless
// of whether invisible is granted (view_folder is sufficient)
$usable = "(perm.folder_permissions & " . Privilege_view . ") AND (fldr.state & {$this->_filter} = fldr.state)";
} else {
// no user-rights case: all visible folders with view_folder permissions
}
if ($this->_filter & Visible) {
if ($this->_filter & Invisible) {
$usable = "(perm.folder_permissions & " . Privilege_view . ") AND ((fldr.state & " . Visible . ")" . " OR ((fldr.state & " . Invisible . ") AND (perm.folder_permissions & " . Privilege_view_hidden . ")))" . " AND (fldr.state & {$this->_filter} = fldr.state)";
} else {
$usable = "(perm.folder_permissions & " . Privilege_view . ") AND (fldr.state & {$this->_filter} = fldr.state)";
}
} else {
if ($this->_filter & Invisible) {
$usable = "(perm.folder_permissions & " . Privilege_view . ") AND (perm.folder_permissions & " . Privilege_view_hidden . ") AND (fldr.state & {$this->_filter} = fldr.state)";
} else {
$this->raise('Unreachable state (logic error)', '_prepare_restrictions', 'USER_FOLDER_QUERY');
}
}
}
}
if (!$this->_returns_no_data()) {
$this->add_select("({$usable}) AS usable");
$this->_usable_restriction = $usable;
$this->_tables = "{$this->app->table_names->folders} fldr" . " {$join_type} JOIN {$this->app->table_names->folder_permissions} perm ON perm.folder_id = fldr.permissions_id" . " LEFT JOIN {$this->app->table_names->groups} grp on perm.ref_id = grp.id" . " LEFT JOIN {$this->app->table_names->users_to_groups} utg ON utg.group_id = grp.id";
if ($this->_num_records) {
// this query is special and can't use the LIMIT function
// so record the number of records elsewhere. The record
// count will be limited with '_is_valid_object'
$this->_num_folders = $this->_num_records;
$this->_first_folder = $this->_first_record;
$this->_num_records = 0;
}
if ($this->_user->is_anonymous()) {
$global_type = Privilege_kind_anonymous;
} else {
$global_type = Privilege_kind_registered;
}
$user_id = $this->_user->id;
$this->_calculated_restrictions[] = "(perm.kind = '{$global_type}')" . " OR ((perm.kind = '" . Privilege_kind_user . "') AND (perm.ref_id = {$user_id}))" . " OR ((perm.kind = '" . Privilege_kind_group . "') AND (perm.ref_id = grp.id) AND (utg.user_id = {$user_id}))";
}
}
}
