From 51e8f84023b210218c846e0d9cfa7e2caf7b099b Mon Sep 17 00:00:00 2001 From: Nigel Banks Date: Wed, 13 Mar 2013 01:51:47 +0100 Subject: [PATCH] Added a new function islandora_user_access() to simplify access callbacks. This function will check the given object/datastream against the given permissions and required content models using the given user. If no user is given the user identified by the GET token will be used, if no token is present the global user will be used. --- islandora.module | 82 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/islandora.module b/islandora.module index 94aedbe0..57ee5d9b 100644 --- a/islandora.module +++ b/islandora.module @@ -334,6 +334,88 @@ function islandora_forms($form_id) { return $forms; } +/** + * Checks whether the user can access the given object. + * + * Checks for repository access, object/datastream existance, namespace access, + * user permissions, content models. + * + * Will check the given user or the user repersented by the GET token parameter, + * failing that it will use the global user. + * + * @global $user + * + * @param mixed $object + * The FedoraObject or FedoraDatastream to test for accessibility, if NULL + * is given the object is assumed to not exist or be inaccessible. + * @param array $permissions + * The required user permissions. + * @param array $content_models + * The required content models. + * @param bool $access_any + * (optional) TRUE to grant access if any single requirement is met from both + * the permissions and content models parameters. FALSE if all requirements + * must be met from both the permissions and content model parameters. + * @param object $account + * (optional) The account to check, if not given check the GET parameters for + * a token to restore the user. If no GET parameter is present use currently + * logged in user. + * + * @return bool + * TRUE if the user is allowed to access this object/datastream, FALSE + * otherwise. + */ +function islandora_user_access($object, array $permissions, $content_models = array(), $access_any = TRUE, $account = NULL) { + module_load_include('inc', 'islandora', 'includes/utilities'); + $is_repository_accessible = &drupal_static(__FUNCTION__); + // If the repository is inaccessible then access always fails. + if (!isset($is_repository_accessible)) { + $is_repository_accessible = islandora_describe_repository(); + if (!$is_repository_accessible) { + // Only display the inaccessible message once. + islandora_display_repository_inaccessible_message(); + return FALSE; + } + } + if (!$is_repository_accessible || !is_object($object)) { + return FALSE; + } + // Determine the user account to test against. + if (!isset($account)) { + $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING); + if ($token) { + module_load_include('inc', 'islandora', 'includes/authtokens'); + $user = islandora_validate_object_token($object->id, $datastream->id, $token); + if ($user) { + $account = user_load($user->uid); + } + } + else { + global $user; + $account = $user; + } + } + // Determine what has been passed as $object. + if (is_subclass_of($object, 'FedoraObject')) { + $object = $object; + } + elseif (is_subclass_of($object, 'FedoraDatastream')) { + $datastream = $object; + $object = $datstream->parent; + } + // Check for access. + $accessible_namespace = islandora_namespace_accessible($object->id); + if ($access_any) { + $has_required_permissions = islandora_user_access_any($permissions, $account); + $has_required_content_models = empty($content_models) ? TRUE : count(array_intersect($object->models, $content_models)) > 0; + } + else { + $has_required_permissions = islandora_user_access_all($permissions, $account); + $has_required_content_models = count(array_diff($content_models, $object->models)) == 0; + } + return $accessible_namespace && $has_required_permissions && $has_required_content_models; +} + /** * Checks whether the user can access the given object. *