/**
* Transforms a database condition to an equivalent search filter.
*
* @param \Drupal\Core\Database\Query\ConditionInterface $db_condition
* The condition to transform.
*
* @return \Drupal\search_api\Query\ConditionGroupInterface|null
* A search filter equivalent to $condition, or NULL if the transformation
* failed.
*/
protected function transformDbCondition(ConditionInterface $db_condition)
{
$conditions = $db_condition->conditions();
$filter = $this->query->createConditionGroup($conditions['#conjunction']);
unset($conditions['#conjunction']);
foreach ($conditions as $condition) {
if ($condition['operator'] === NULL) {
$this->abort('Trying to include a raw SQL condition in a Search API query.');
return NULL;
}
if ($condition['field'] instanceof ConditionInterface) {
$nested_filter = $this->transformDbCondition($condition['field']);
if ($nested_filter) {
$filter->addConditionGroup($nested_filter);
} else {
return NULL;
}
} else {
$filter->addCondition($this->sanitizeFieldId($condition['field']), $condition['value'], $this->sanitizeOperator($condition['operator']));
}
}
return $filter;
}
/**
* Adds a node access filter to a search query, if applicable.
*
* @param \Drupal\search_api\Query\QueryInterface $query
* The query to which a node access filter should be added, if applicable.
* @param \Drupal\Core\Session\AccountInterface $account
* The user for whom the search is executed.
*
* @throws \Drupal\search_api\SearchApiException
* Thrown if not all necessary fields are indexed on the index.
*/
protected function addNodeAccess(QueryInterface $query, AccountInterface $account)
{
// Don't do anything if the user can access all content.
if ($account->hasPermission('bypass node access')) {
return;
}
// Gather the affected datasources, grouped by entity type, as well as the
// unaffected ones.
$affected_datasources = array();
$unaffected_datasources = array();
foreach ($this->index->getDatasources() as $datasource_id => $datasource) {
$entity_type = $datasource->getEntityTypeId();
if (in_array($entity_type, array('node', 'comment'))) {
$affected_datasources[$entity_type][] = $datasource_id;
} else {
$unaffected_datasources[] = $datasource_id;
}
}
// The filter structure we want looks like this:
// [belongs to other datasource]
// OR
// (
// [is enabled (or was created by the user, if applicable)]
// AND
// [grants view access to one of the user's gid/realm combinations]
// )
// If there are no "other" datasources, we don't need the nested OR,
// however, and can add the "ADD"
// @todo Add a filter tag, once they are implemented.
if ($unaffected_datasources) {
$outer_conditions = $query->createConditionGroup('OR', array('content_access'));
$query->addConditionGroup($outer_conditions);
foreach ($unaffected_datasources as $datasource_id) {
$outer_conditions->addCondition('search_api_datasource', $datasource_id);
}
$access_conditions = $query->createConditionGroup('AND');
$outer_conditions->addConditionGroup($access_conditions);
} else {
$access_conditions = $query;
}
if (!$account->hasPermission('access content')) {
unset($affected_datasources['node']);
}
if (!$account->hasPermission('access comments')) {
unset($affected_datasources['comment']);
}
// If the user does not have the permission to see any content at all, deny
// access to all items from affected datasources.
if (!$affected_datasources) {
// If there were "other" datasources, the existing filter will already
// remove all results of node or comment datasources. Otherwise, we should
// not return any results at all.
if (!$unaffected_datasources) {
// @todo More elegant way to return no results?
// @todo Now that field IDs can be picked freely, this can theoretically
// even fail! Needs to be fixed!
$query->addCondition('search_api_language', '');
}
return;
}
// Collect all the required fields that need to be part of the index.
$unpublished_own = $account->hasPermission('view own unpublished content');
$enabled_conditions = $query->createConditionGroup('OR', array('content_access_enabled'));
foreach ($affected_datasources as $entity_type => $datasources) {
foreach ($datasources as $datasource_id) {
// If this is a comment datasource, or users cannot view their own
// unpublished nodes, a simple filter on "status" is enough. Otherwise,
// it's a bit more complicated.
$status_field = $this->findField($datasource_id, 'status', 'boolean');
if ($status_field) {
$enabled_conditions->addCondition($status_field->getFieldIdentifier(), TRUE);
}
if ($entity_type == 'node' && $unpublished_own) {
$author_field = $this->findField($datasource_id, 'uid', 'integer');
if ($author_field) {
$enabled_conditions->addCondition($author_field->getFieldIdentifier(), $account->id());
}
}
}
}
$access_conditions->addConditionGroup($enabled_conditions);
// Filter by the user's node access grants.
$node_grants_field = $this->findField(NULL, 'search_api_node_grants', 'string');
if (!$node_grants_field) {
return;
}
$node_grants_field_id = $node_grants_field->getFieldIdentifier();
$grants_conditions = $query->createConditionGroup('OR', array('content_access_grants'));
$grants = node_access_grants('view', $account);
foreach ($grants as $realm => $gids) {
foreach ($gids as $gid) {
$grants_conditions->addCondition($node_grants_field_id, "node_access_{$realm}:{$gid}");
}
}
// Also add items that are accessible for everyone by checking the "access
// all" pseudo grant.
$grants_conditions->addCondition($node_grants_field_id, 'node_access__all');
$access_conditions->addConditionGroup($grants_conditions);
}