Add access checks.

12 years ago · a8f13b0a46
4 changed files with 76 additions and 40 deletions
--- a/includes/datastream.inc
+++ b/includes/datastream.inc
@ -144,3 +144,37 @@ function islandora_edit_datastream_registry_render(array $edit_registry) {
    '#markup' => $markup,
  );
 }
+
+/**
+ * Get markup for a download link.
+ *
+ * @param AbstractDatastream $datastream
+ *   The datastream for which to generate a link.
+ *
+ * @return string
+ *   Either the link markup if the user has access or an empty string if the
+ *   user is not allowed to see the given datastream.
+ */
+function islandora_datastream_get_download_link(AbstractDatastream $datastream) {
+  $label = t('download');
+  return islandora_datastream_access(FEDORA_VIEW_OBJECTS, $datastream) ?
+    l($label, islandora_datastream_get_url($datastream, 'download')) :
+    '';
+}
+
+/**
+ * Get markup for a view link.
+ *
+ * @param AbstractDatastream $datastream
+ *   The datastream for which to generate a link.
+ *
+ * @return string
+ *   Either the link markup if the user has access or a string containing the
+ *   datastream ID if the user is not allowed to see the given datastream.
+ */
+function islandora_datastream_get_view_link(AbstractDatastream $datastream) {
+  $label = check_plain($datastream->id);
+  return islandora_datastream_access(FEDORA_VIEW_OBJECTS, $datastream) ?
+    l($label, islandora_datastream_get_url($datastream, 'view')) :
+    $label;
+}
--- a/includes/object_properties.form.inc
+++ b/includes/object_properties.form.inc
@ -60,6 +60,7 @@ function islandora_object_properties_form(array $form, array &$form_state, Abstr
    ),
    'delete' => array(
      '#type' => 'submit',
+      '#access' => islandora_object_access(FEDORA_PURGE, $object),
      '#value' => t('Delete'),
      '#submit' => array('islandora_object_properties_form_delete'),
      '#limit_validation_errors' => array(array('pid')),
--- a/islandora.module
+++ b/islandora.module
@ -475,7 +475,7 @@ function islandora_object_access_callback($perm, $object = NULL) {
    return FALSE;
  }

-  return islandora_object_access($perm);
+  return islandora_object_access($perm, $object);
 }

 /**
@ -1138,8 +1138,8 @@ function islandora_file_mimetype_mapping_alter(&$mapping) {
 *   An optional loaded user object. Defaults to the global $user.
 *
 * @return bool
- *   TRUE if at least one implementation of hook_islandora_object_access() returned
- *   TRUE, and no implementation return FALSE; FALSE otherwise.
+ *   TRUE if at least one implementation of hook_islandora_object_access()
+ *   returned TRUE, and no implementation return FALSE; FALSE otherwise.
 */
 function islandora_object_access($op, $object, $user = NULL) {
  $cache = &drupal_static(__FUNCTION__);
@ -1203,7 +1203,7 @@ function islandora_islandora_object_access($op, $object, $user) {
 function islandora_datastream_access($op, $datastream, $user = NULL) {
  $cache = &drupal_static(__FUNCTION__);

-  if (!$datastream) {
+  if (!is_object($datastream)) {
    // The object could not be loaded... Presumably, we don't have
    // permission.
    return NULL;
@ -1213,28 +1213,27 @@ function islandora_datastream_access($op, $datastream, $user = NULL) {
  }

  // Populate the cache on a miss.
-  if (!isset($cache[$op][$object->id][$user->uid])) {
-    if ($cache[$op][$datastream->parent->id][$datastream->id][$user->uid]) {
-      module_load_include('inc', 'islandora', 'includes/utilities');
-      $object_results = islandora_invoke_hook_list('islandora_object_access', $datastream->parent->models, array(
-        $op,
-        $datastream->parent,
-        $user,
-      ));
-
-      $datastream_results = islandora_invoke_hook_list('islandora_datastream_access', $datastream->parent->models, array(
-        $op,
-        $datastream,
-        $user,
-      ));
-
-      // Neither the object nor the datastream check returned FALSE, and one in
-      // the object or datastream checks returned TRUE.
-      $cache[$op][$datastream->parent->id][$datastream->id][$user->uid] =
-        !in_array(FALSE, $object_results, TRUE) &&
-        !in_array(FALSE, $datastream_results, TRUE) &&
-        (in_array(TRUE, $object_results, TRUE) ||  in_array(TRUE, $datastream_results, TRUE));
-    }
+  if (!isset($cache[$op][$datastream->parent->id][$datastream->id][$user->uid])) {
+    module_load_include('inc', 'islandora', 'includes/utilities');
+    $object_results = islandora_invoke_hook_list('islandora_object_access', $datastream->parent->models, array(
+      $op,
+      $datastream->parent,
+      $user,
+    ));
+
+    $datastream_results = islandora_invoke_hook_list('islandora_datastream_access', $datastream->parent->models, array(
+      $op,
+      $datastream,
+      $user,
+    ));
+
+    // Neither the object nor the datastream check returned FALSE, and one in
+    // the object or datastream checks returned TRUE.
+    $cache[$op][$datastream->parent->id][$datastream->id][$user->uid] = (
+      !in_array(FALSE, $object_results, TRUE) &&
+      !in_array(FALSE, $datastream_results, TRUE) &&
+      (in_array(TRUE, $object_results, TRUE) ||  in_array(TRUE, $datastream_results, TRUE))
+    );
  }

  return $cache[$op][$datastream->parent->id][$datastream->id][$user->uid];
--- a/theme/theme.inc
+++ b/theme/theme.inc
@ -29,9 +29,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
    $rows[] = array(
      array(
        'class' => 'datastream-id',
-        'data' => (islandora_datastream_access(FEDORA_VIEW_OBJECTS, $ds) ?
-          l($ds->id, islandora_datastream_get_url($ds, 'view')) :
-          ''),
+        'data' => islandora_datastream_get_view_link($ds),
      ),
      array(
        'class' => 'datastream-label',
@ -51,9 +49,7 @@ function islandora_preprocess_islandora_default_edit(array &$variables) {
      ),
      array(
        'class' => 'datastream-download',
-        'data' => (islandora_datastream_access(FEDORA_VIEW_OBJECTS, $ds) ?
-          l(t('download'), islandora_datastream_get_url($ds, 'download')) :
-          ''),
+        'data' => islandora_datastream_get_download_link($ds),
      ),
      array(
        'class' => 'datstream-edit',
@ -99,7 +95,9 @@ function islandora_preprocess_islandora_default(&$variables) {
      $download_path = islandora_datastream_get_url($ds, 'download');
      $datastreams[$id]['id'] = $id;
      $datastreams[$id]['label'] = $label;
-      $datastreams[$id]['label_link'] = l($label, $download_path);
+      $datastreams[$id]['label_link'] = islandora_datastream_access(FEDORA_VIEW_OBJECTS, $ds) ?
+        l($label, $download_path) :
+        $label;
      $datastreams[$id]['download_url'] = $download_path;
      $datastreams[$id]['mimetype'] = $ds->mimetype;
      $datastreams[$id]['size'] = islandora_datastream_get_human_readable_size($ds);
@ -112,14 +110,14 @@ function islandora_preprocess_islandora_default(&$variables) {
  }
  $variables['datastreams'] = $datastreams;
  // Objects in fcrepo4 don't always contain a DC datastream.
-  if (isset($islandora_object['DC'])) {
+  if (isset($islandora_object['DC']) && islandora_datastream_access(FEDORA_VIEW_OBJECTS, $islandora_object['DC'])) {
    $dc_object = DublinCore::importFromXMLString($islandora_object['DC']->content);
    $dc_array = $dc_object->asArray();
  }
  $variables['dc_array'] = isset($dc_array) ? $dc_array : array();
  $variables['islandora_dublin_core'] = isset($dc_object) ? $dc_object : NULL;
  $variables['islandora_object_label'] = $islandora_object->label;
-  if (isset($islandora_object['TN'])) {
+  if (isset($islandora_object['TN']) && islandora_datastream_access(FEDORA_VIEW_OBJECTS, $islandora_object['TN'])) {
    $variables['islandora_thumbnail_url'] = url("islandora/object/{$islandora_object->id}/datastream/TN/view");
  }
 }
@ -201,12 +199,16 @@ function islandora_preprocess_islandora_objects(array &$variables) {
    $o = islandora_object_load($o);
    $url = "islandora/object/{$o->id}";
    $link_options = array('html' => TRUE, 'attributes' => array('title' => $o->label));
-    $img = theme_image(array('path' => url("$url/datastream/TN/view"), 'attributes' => array()));
+    $img = islandora_datastream_access(FEDORA_VIEW_OBJECTS, $o['TN']) ?
+      theme('image', array('path' => url("$url/datastream/TN/view"), 'attributes' => array())) :
+      '';
    $description = NULL;
-    $dc = DublinCore::importFromXMLString($o['DC']->content);
-    if ($dc) {
-      $dc = $dc->asArray();
-      $description = $dc['dc:description']['value'];
+    if (islandora_datastream_access($o['DC'])) {
+      $dc = DublinCore::importFromXMLString($o['DC']->content);
+      if ($dc) {
+        $dc = $dc->asArray();
+        $description = $dc['dc:description']['value'];
+      }
    }
    return array(
      'label' => $o->label,