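/**
 * Decide whether a user may update or delete an entry in a form.
 *
 * The decision is memoized in self::$cached_permissions under a key built from
 * all four arguments, so each combination is evaluated once for as long as the
 * static cache lives. A permission changed after the first check is not picked
 * up until the cache is gone.
 *
 * Order of evaluation for a saved entry:
 *   1. "{action}_own_entry" when getEntryOwner() matches $user_id,
 *   2. "{action}_other_entries",
 *   3. "{action}_group_entries", limited to entries whose owner groups
 *      intersect the user's group scope,
 *   4. for "update" on a positive entry id, the form's customEditCheck()
 *      receives the result so far and its return value replaces it.
 *
 * For an unsaved entry ("new" or ""), "update" is allowed with either
 * "add_own_entry" or "add_proxy_entries"; "delete" is always refused.
 *
 * @param string $action   Exactly "update" or "delete".
 * @param mixed  $form_id  Form identifier, used as the permission item id.
 * @param mixed  $user_id  User whose group memberships are evaluated.
 * @param mixed  $entry_id Entry identifier, or "new" / "" for an unsaved entry.
 *
 * @return mixed Truthy when the action is allowed. The group-scope branch
 *               stores an integer count rather than a boolean, and the
 *               custom edit check may return any value, so callers should
 *               test truthiness rather than compare with === true.
 *
 * @throws Exception When $action is not "update" or "delete".
 */
private static function user_can_modify_entry($action, $form_id, $user_id, $entry_id)
{
    // Strict comparison: a loose in_array() lets boolean true (and integer 0 on
    // PHP < 8) pass this gate and then be interpolated into permission names.
    if (!in_array($action, array("update", "delete"), true)) {
        throw new Exception("Error: specify either update or delete when calling user_can_modify_entry();");
    }

    // NOTE(review): the space-delimited key is unambiguous only if the ids never
    // contain spaces; presumably they are integers. Confirm at the call sites.
    $cache_key = "{$action} {$form_id} {$user_id} {$entry_id}";

    if (!isset(self::$cached_permissions[$cache_key])) {
        // Default deny: every path below must explicitly grant access.
        self::$cached_permissions[$cache_key] = false;

        if (null == self::$formulize_module_id) {
            self::$formulize_module_id = getFormulizeModId();
        }

        $gperm_handler =& xoops_gethandler('groupperm');
        $member_handler =& xoops_gethandler('member');
        $groups = $member_handler->getGroupsByUser($user_id);

        // NOTE(review): these are loose comparisons, so how integer 0 and null
        // are classified depends on the PHP version. Left unchanged because
        // callers may rely on it; confirm what entry ids are actually passed.
        if ("new" == $entry_id or "" == $entry_id) {
            if ("update" == $action) {
                // saving a new entry requires permission to add entries, either own or by proxy
                self::$cached_permissions[$cache_key] = $gperm_handler->checkRight("add_own_entry", $form_id, $groups, self::$formulize_module_id);
                if (!self::$cached_permissions[$cache_key]) {
                    self::$cached_permissions[$cache_key] = $gperm_handler->checkRight("add_proxy_entries", $form_id, $groups, self::$formulize_module_id);
                }
            } else {
                // cannot delete an entry which has not been saved
                self::$cached_permissions[$cache_key] = false;
            }
        } else {
            // first check if this is an entry by the current user and they can modify their own entries
            if (getEntryOwner($entry_id, $form_id) == $user_id) {
                self::$cached_permissions[$cache_key] = $gperm_handler->checkRight("{$action}_own_entry", $form_id, $groups, self::$formulize_module_id);
            }

            // next, check group and other permissions, even for own entries
            if (!self::$cached_permissions[$cache_key]) {
                // permission to modify entries made by other users
                self::$cached_permissions[$cache_key] = $gperm_handler->checkRight("{$action}_other_entries", $form_id, $groups, self::$formulize_module_id);

                if (!self::$cached_permissions[$cache_key]) {
                    // check if the user belongs to a group with group-level permission for this action
                    if ($gperm_handler->checkRight("{$action}_group_entries", $form_id, $groups, self::$formulize_module_id)) {
                        // sometimes users can have a special group scope set, so use that if available
                        $formulize_permHandler = new formulizePermHandler($form_id);
                        $view_form_groups = $formulize_permHandler->getGroupScopeGroupIds($groups);
                        if ($view_form_groups === false) {
                            // no special group scope, so use normal view-form permissions
                            $view_form_groups = $gperm_handler->getGroupIds("view_form", $form_id, self::$formulize_module_id);
                            // keep only the groups the user is a member of that have view-form permission
                            $view_form_groups = array_intersect($view_form_groups, $groups);
                        }

                        // get the owner groups for the entry
                        $data_handler = new formulizeDataHandler($form_id);
                        $owner_groups = $data_handler->getEntryOwnerGroups($entry_id);

                        // allowed when the entry belongs to at least one group inside the user's scope;
                        // the stored value is the overlap count (0 means denied), not a boolean
                        self::$cached_permissions[$cache_key] = count(array_intersect($owner_groups, $view_form_groups));
                    }
                }
            }
        }

        // Custom edit check: the form's own code has the final say for updates of saved entries.
        // NOTE(review): its return value replaces the computed result, so it can presumably
        // grant as well as revoke access. Confirm that custom check code is admin-controlled.
        if ("update" == $action && $entry_id > 0) {
            $formHandler = xoops_getmodulehandler('forms', 'formulize');
            $formObject = $formHandler->get($form_id);
            self::$cached_permissions[$cache_key] = $formObject->customEditCheck($form_id, $entry_id, $user_id, self::$cached_permissions[$cache_key]);
        }
    }

    return self::$cached_permissions[$cache_key];
}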