diff --git a/includes/admin.form.inc b/includes/admin.form.inc
index 6736596b..4259c956 100644
--- a/includes/admin.form.inc
+++ b/includes/admin.form.inc
@@ -138,6 +138,12 @@ function islandora_repository_admin(array $form, array &$form_state) {
 '#description' => t('During the ingest workflow, make the OBJ file upload step mandatory.'),
 '#default_value' => variable_get('islandora_require_obj_upload', TRUE),
 ),
+ 'islandora_deny_inactive_and_deleted' => array(
+ '#type' => 'checkbox',
+ '#title' => t('Lock down inactive and deleted objects.'),
+ '#description' => t('Deny access to inactive or deleted objects using a separate permission than for active objects.'),
+ '#default_value' => variable_get('islandora_deny_inactive_and_deleted', FALSE),
+ ),
 ),
 'islandora_namespace' => array(
 '#type' => 'fieldset',
diff --git a/includes/object_properties.form.inc b/includes/object_properties.form.inc
index dcd59b4b..85a98342 100644
--- a/includes/object_properties.form.inc
+++ b/includes/object_properties.form.inc
@@ -19,6 +19,9 @@
 * The drupal form definition.
 */
 function islandora_object_properties_form(array $form, array &$form_state, AbstractObject $object) {
+ if (isset($form_state['islandora']['needs_confirmation'])) {
+ return islandora_object_properties_confirm_form($form_state);
+ }
 $form_state['object'] = $object;
 $temp = islandora_invoke_hook_list(ISLANDORA_UPDATE_RELATED_OBJECTS_PROPERTIES_HOOK, $object->models, array($object));
 $related_objects_pids = array();
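Review bot: The `#description` of the new `islandora_deny_inactive_and_deleted` checkbox in `islandora_repository_admin()` does not tell the administrator that ticking the box is enforced at once. The matching permission is only registered while the setting is on (see `islandora_permission()` in islandora.module), so on first use no role will have been granted it through the permissions page, and accounts without it lose access to non-active objects as soon as the form is saved. I would spell this out, for example `'#description' => t('Deny access to inactive or deleted objects unless the account holds the "Access inactive and deleted objects" permission. Grant that permission to the appropriate roles right after enabling this option.'),`. The form array continues outside the hunk.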
@@ -110,6 +113,22 @@ function islandora_object_properties_form(array $form, array &$form_state, Abstr
 * The Drupal form state.
 */
 function islandora_object_properties_form_submit(array $form, array &$form_state) {
+ if (isset($form_state['islandora']['needs_confirmation'])) {
+ $form_state['values'] = $form_state['islandora']['values'];
+ }
+ else {
+ // Confirm if user is about to lock themselves out of this object.
+ if (variable_get('islandora_deny_inactive_and_deleted', FALSE) && in_array($form_state['values']['object_state'], array('I', 'D'))) {
+ if ($form_state['object']->state == 'A') {
+ if (!user_access(ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS)) {
+ $form_state['islandora']['needs_confirmation'] = TRUE;
+ $form_state['islandora']['values'] = $form_state['values'];
+ $form_state['rebuild'] = TRUE;
+ return;
+ }
+ }
+ }
+ }
 $object = $form_state['object'];
 $owner = $form_state['values']['object_owner'];
 $state = $form_state['values']['object_state'];
@@ -214,3 +233,20 @@ function islandora_update_object_properties($pid, $update_states, $state, $updat
 function islandora_object_properties_regenerate_derivatives(array $form, array &$form_state) {
 drupal_goto("islandora/object/{$form_state['object']}/regenerate");
 }
+
+/**
+ * Confirmation form for object properties admin form.
+ *
+ * @param array $form_state
+ * The Drupal form state.
+ */
+function islandora_object_properties_confirm_form(array &$form_state) {
+ $desc = t('You do not have permission to view Inactive or Deleted objects, so you will no longer be able to view or manage this object. Are you sure?');
+ $path = "islandora/object/{$form_state['object']->id}/manage/properties";
+ return confirm_form(array(),
+ t('Are you sure you want to set the object state?'),
+ $path,
+ $desc,
+ t('Continue'),
+ t('Cancel'));
+}
diff --git a/islandora.install b/islandora.install
index 95cca708..ef3c570f 100644
--- a/islandora.install
+++ b/islandora.install
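Review bot: The lock-out guard in `islandora_object_properties_form_submit()` tests the target state with a loose `in_array(..., array('I', 'D'))`, while the access check this commit adds to `islandora_islandora_object_access()` denies on `$object->state != 'A'`. The two predicates should match, so that the warning fires in exactly the cases where access would be lost. I would pass the strict flag, `in_array($form_state['values']['object_state'], array('I', 'D'), TRUE)`, and fold the three nested `if`s into a single condition. The function body continues past the end of the hunk.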
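Review bot: The docblock of `islandora_object_properties_confirm_form()` has no `@return` entry, and it does not say that the builder relies on `$form_state['object']` being left over from an earlier build of `islandora_object_properties_form()`. I would add `@return array` with the line `The Drupal confirmation form definition.` and one sentence stating that precondition. The warning text also speaks only of "this object". If the stashed values include the related-object state update that the `islandora_update_object_properties($pid, $update_states, ...)` signature in the hunk header hints at, the user may lose access to those objects as well and the message should say so; I cannot confirm that from the visible lines.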
@@ -60,6 +60,7 @@ function islandora_uninstall() {
 'islandora_require_obj_upload',
 'islandora_breadcrumbs_backends',
 'islandora_render_context_ingeststep',
+ 'islandora_deny_inactive_and_deleted',
 );
 array_walk($variables, 'variable_del');
 }
diff --git a/islandora.module b/islandora.module
index e58c2d71..29899c1b 100644
--- a/islandora.module
+++ b/islandora.module
@@ -34,6 +34,7 @@ define('ISLANDORA_INGEST', 'ingest fedora objects');
 define('ISLANDORA_PURGE', 'delete fedora objects and datastreams');
 define('ISLANDORA_MANAGE_PROPERTIES', 'manage object properties');
 define('ISLANDORA_VIEW_DATASTREAM_HISTORY', 'view old datastream versions');
+define('ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS', 'access inactive and deleted objects');
 define('ISLANDORA_MANAGE_DELETED_OBJECTS', 'manage deleted objects');
 define('ISLANDORA_REVERT_DATASTREAM', 'revert to old datastream');
 define('ISLANDORA_REGENERATE_DERIVATIVES', 'regenerate derivatives for an object');
@@ -578,7 +579,7 @@ function islandora_theme() {
 * Implements hook_permission().
 */
 function islandora_permission() {
- return array(
+ $permissions = array(
 ISLANDORA_VIEW_OBJECTS => array(
 'title' => t('View repository objects'),
 'description' => t('View objects in the repository. Note: Fedora XACML security policies may override this permission.'),
@@ -624,6 +625,13 @@ function islandora_permission() {
 'description' => t('Add new datastream content as latest version.'),
 ),
 );
+ if (variable_get('islandora_deny_inactive_and_deleted', FALSE)) {
+ $permissions[ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS] = array(
+ 'title' => t('Access inactive and deleted objects'),
+ 'description' => t('Access objects with a Fedora state of Inactive or Deleted.'),
+ );
+ }
+ return $permissions;
 }

 /**
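Review bot: Registering `ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS` only while `islandora_deny_inactive_and_deleted` is on (second `islandora_permission()` hunk) hides the permission from the permissions page whenever the setting is off. As far as I know, Drupal keeps the stored role grants for a permission that is no longer listed, so switching the lock-down off and on again would bring back old grants without anyone reviewing them. I would register the permission unconditionally and state in its text when it applies, e.g. `'description' => t('Access objects with a Fedora state of Inactive or Deleted. Only enforced when "Lock down inactive and deleted objects" is enabled.'),`. Adding `'restrict access' => TRUE` would also mark it as sensitive on the permissions page.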
@@ -1685,8 +1693,11 @@ function islandora_object_access($op, $object, $user = NULL) {
 */
 function islandora_islandora_object_access($op, $object, $user) {
 module_load_include('inc', 'islandora', 'includes/utilities');
-
- return islandora_namespace_accessible($object->id) && user_access($op, $user);
+ $access = (islandora_namespace_accessible($object->id) && user_access($op, $user));
+ if (($object->state != 'A') && variable_get('islandora_deny_inactive_and_deleted', FALSE)) {
+ $access = ($access && user_access(ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS, $user));
+ }
+ return $access;
 }

 /**
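Review bot: The state check is added only to the object-level hook `islandora_islandora_object_access()`, and nothing in this diff applies it to datastream access. Whether a datastream of an Inactive or Deleted object can still be fetched by an account lacking `ISLANDORA_ACCESS_INACTIVE_AND_DELETED_OBJECTS` therefore depends on code not shown here. Please confirm that the datastream access path defers to this function, or add the same test against the parent object's state there. A comment above the new `if` would also help, e.g. `// Non-active objects additionally require the lock-down permission when the setting is on.` The function's docblock starts outside the hunk.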