From 70333d8783e33de80c5b28c7eb4a8b77b7beb959 Mon Sep 17 00:00:00 2001
From: Adam Vessey
Date: Fri, 7 Jun 2013 13:32:42 -0300
Subject: [PATCH] Add the strict access flag.

---
 includes/admin.form.inc | 7 +++++++
 islandora.module | 6 ++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/includes/admin.form.inc b/includes/admin.form.inc
index a1f22652..f4db785b 100644
--- a/includes/admin.form.inc
+++ b/includes/admin.form.inc
@@ -108,6 +108,13 @@ function islandora_repository_admin(array $form, array &$form_state) {
 '#required' => TRUE,
 );
 
+ $form['islandora_tabs']['islandora_general']['islandora_strict_user_access_enforcement'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Strict User Access Enforcement'),
+ '#description' => t('Restrict permissions to the result of user_access(); other modules will be able to deny things, but other modules will not be able to allow operations not allowed via Drupal permissions.'),
+ '#default_value' => variable_get('islandora_strict_user_access_enforcement', TRUE),
+ );
+
 $form['islandora_tabs']['islandora_namespace'] = array(
 '#type' => 'fieldset',
 '#title' => t('Namespaces'),
diff --git a/islandora.module b/islandora.module
index daa612a9..b5319122 100644
--- a/islandora.module
+++ b/islandora.module
@@ -1181,11 +1181,13 @@ function islandora_islandora_object_access($op, $object, $user) {
 module_load_include('inc', 'islandora', 'includes/utilities');
 
 $to_return = islandora_namespace_accessible($object->id);
- if ($to_return && user_access($op, $user)) {
+ $user_access_result = user_access($op, $user);
+
+ if ($to_return && $user_access_result) {
 // Straight Drupal permissions, let's allow it.
 return TRUE;
 }
- elseif ($to_return === FALSE) {
+ elseif ($to_return === FALSE || variable_get('islandora_strict_user_access_enforcement', TRUE) && !$user_access_result) {
 // PID namespace is outside of those allowed. Forbid!
 return FALSE;
 }
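Review bot: The `#description` on the new checkbox names `user_access()` but never says what unchecking the box permits, which is the part an administrator needs in order to judge the risk. Wording along the lines of `t('When enabled, an operation is denied unless the user holds the matching Drupal permission; other modules can still deny access but cannot grant it.')` would make the consequence explicit, and presumably a second sentence should say that disabling it lets other modules allow operations the Drupal permissions do not. The variable name and its `TRUE` default are also repeated in the `variable_get()` call in islandora.module, so a shared constant would keep the form and the enforcement from drifting apart. islandora_repository_admin starts and ends outside this hunk.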
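Review bot: The new `elseif` condition mixes `||` and `&&` without parentheses, and the comment beneath it now describes only one of the two reasons for returning FALSE. PHP binds `&&` tighter than `||`, so it evaluates as intended, but in an access decision the grouping should be explicit: `elseif ($to_return === FALSE || (variable_get('islandora_strict_user_access_enforcement', TRUE) && !$user_access_result)) {`. The comment could become `// Namespace not allowed, or strict enforcement is on and Drupal permissions deny the operation. Forbid!`. The body of islandora_islandora_object_access continues outside the hunk, so the remaining fall-through branch cannot be checked from here.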