PHP elgg_check_access_overrides函数代码示例

/**
 * Determines if $viewer has access to $user's friends list
 *
 * @param ElggUser $user   User whose friends are to be displayed
 * @param ElggUser $viewer Viewer
 * @return bool
 */
function user_friends_can_view_friends(ElggUser $user, ElggUser $viewer = null)
{
    if (!isset($viewer)) {
        $viewer = elgg_get_logged_in_user_entity();
    }
    $permission = false;
    if ($viewer && elgg_check_access_overrides($viewer->guid)) {
        $permission = true;
    }
    $setting = elgg_get_plugin_user_setting('friend_list_visibility', $user->guid, 'user_friends');
    if (!isset($setting)) {
        $setting = elgg_get_plugin_setting('friend_list_visibility', 'user_friends', ACCESS_PUBLIC);
    }
    switch ((int) $setting) {
        case ACCESS_PRIVATE:
            $permission = $viewer && $user->canEdit($viewer->guid);
            break;
        case ACCESS_FRIENDS:
            $permission = $viewer && $user->isFriendsWith($viewer->guid);
            break;
        case ACCESS_LOGGED_IN:
            $permission = $viewer;
            break;
        case ACCESS_PUBLIC:
            $permission = true;
            break;
    }
    $params = array('viewer' => $viewer, 'user' => $user);
    return elgg_trigger_plugin_hook('permissions_check:view_friends_list', 'user', $params, $permission);
}

 public function __construct($index, $searchtype = SEARCH_DEFAULT)
 {
     $this->searchtype = $searchtype;
     $this->params['index'] = $index;
     $this->params['body'] = array();
     $site = elgg_get_site_entity();
     $this->params['body']['query']['bool']['must'][] = array('term' => array('site_guid' => $site->guid));
     $user = elgg_get_logged_in_user_guid();
     $ignore_access = elgg_check_access_overrides($user);
     if ($ignore_access != true && !elgg_is_admin_logged_in()) {
         $this->access_array = get_access_array();
         $this->params['body']['query']['bool']['must'][] = array('terms' => array('access_id' => $this->access_array));
     }
     //@todo: implement $sort and $order
     $this->params['body']['sort'] = array('time_updated' => 'desc');
     $this->params['body']['facets'] = array();
     $this->params['body']['facets']['type']['terms'] = array('field' => '_type');
     $this->params['body']['facets']['subtype']['terms'] = array('field' => 'subtype');
 }

/**
 * Determines whether or not the specified user can edit the specified piece of extender
 *
 * @param int    $extender_id The ID of the piece of extender
 * @param string $type        'metadata' or 'annotation'
 * @param int    $user_guid   The GUID of the user
 *
 * @return bool
 * @deprecated 1.9 Use the appropriate canEdit() method on metadata or annotations
 */
function can_edit_extender($extender_id, $type, $user_guid = 0)
{
    elgg_deprecated_notice(__FUNCTION__ . ' is deprecated. Use \\ElggExtender::canEdit()', 1.9);
    // Since Elgg 1.0, Elgg has returned false from can_edit_extender()
    // if no user was logged in. This breaks the access override so we add this
    // special check here.
    if (!elgg_check_access_overrides($user_guid)) {
        if (!elgg_is_logged_in()) {
            return false;
        }
    }
    $user_guid = (int) $user_guid;
    $user = get_user($user_guid);
    if (!$user) {
        $user = elgg_get_logged_in_user_entity();
        $user_guid = elgg_get_logged_in_user_guid();
    }
    $functionname = "elgg_get_{$type}_from_id";
    if (is_callable($functionname)) {
        $extender = call_user_func($functionname, $extender_id);
    } else {
        return false;
    }
    if (!$extender instanceof \ElggExtender) {
        return false;
    }
    /* @var \ElggExtender $extender */
    // If the owner is the specified user, great! They can edit.
    if ($extender->getOwnerGUID() == $user_guid) {
        return true;
    }
    // If the user can edit the entity this is attached to, great! They can edit.
    $entity = $extender->getEntity();
    if ($entity->canEdit($user_guid)) {
        return true;
    }
    // Trigger plugin hook - note that $user may be null
    $params = array('entity' => $entity, 'user' => $user);
    return elgg_trigger_plugin_hook('permissions_check', $type, $params, false);
}

/**
 * Overrides the access system if appropriate.
 *
 * Allows admin users and calls after {@link elgg_set_ignore_access} to
 * bypass the access system.
 *
 * Registered for the 'permissions_check', 'all' and the 
 * 'container_permissions_check', 'all' plugin hooks.
 *
 * Returns true to override the access system or null if no change is needed.
 *
 * @return true|null
 * @access private
 */
function elgg_override_permissions($hook, $type, $value, $params)
{
    $user = elgg_extract('user', $params);
    if ($user) {
        $user_guid = $user->getGUID();
    } else {
        $user_guid = elgg_get_logged_in_user_guid();
    }
    // don't do this so ignore access still works with no one logged in
    //if (!$user instanceof ElggUser) {
    //	return false;
    //}
    // check for admin
    if ($user_guid && elgg_is_admin_user($user_guid)) {
        return true;
    }
    // check access overrides
    if (elgg_check_access_overrides($user_guid)) {
        return true;
    }
    // consult other hooks
    return NULL;
}

/**
 * Determines whether or not the specified user can edit the specified piece of extender
 *
 * @param int    $extender_id The ID of the piece of extender
 * @param string $type        'metadata' or 'annotation'
 * @param int    $user_guid   The GUID of the user
 *
 * @return bool
 */
function can_edit_extender($extender_id, $type, $user_guid = 0)
{
    // @todo Since Elgg 1.0, Elgg has returned false from can_edit_extender()
    // if no user was logged in. This breaks the access override. This is a
    // temporary work around. This function needs to be rewritten in Elgg 1.9
    if (!elgg_check_access_overrides($user_guid)) {
        if (!elgg_is_logged_in()) {
            return false;
        }
    }
    $user_guid = (int) $user_guid;
    $user = get_user($user_guid);
    if (!$user) {
        $user = elgg_get_logged_in_user_entity();
        $user_guid = elgg_get_logged_in_user_guid();
    }
    $functionname = "elgg_get_{$type}_from_id";
    if (is_callable($functionname)) {
        $extender = call_user_func($functionname, $extender_id);
    } else {
        return false;
    }
    if (!$extender instanceof ElggExtender) {
        return false;
    }
    /* @var ElggExtender $extender */
    // If the owner is the specified user, great! They can edit.
    if ($extender->getOwnerGUID() == $user_guid) {
        return true;
    }
    // If the user can edit the entity this is attached to, great! They can edit.
    if (can_edit_entity($extender->entity_guid, $user_guid)) {
        return true;
    }
    // Trigger plugin hook - note that $user may be null
    $params = array('entity' => $extender->getEntity(), 'user' => $user);
    return elgg_trigger_plugin_hook('permissions_check', $type, $params, false);
}

function get_access_array($user_id, $site_id, $flush)
{
    global $CONFIG, $init_finished;
    $cache = _elgg_get_access_cache();
    if ($flush) {
        $cache->clear();
    }
    if ($user_id == 0) {
        $user_id = elgg_get_logged_in_user_guid();
    }
    if ($site_id == 0 && isset($CONFIG->site_guid)) {
        $site_id = $CONFIG->site_guid;
    }
    $user_id = (int) $user_id;
    $site_id = (int) $site_id;
    $hash = $user_id . $site_id . 'get_access_array';
    if ($cache[$hash]) {
        $access_array = $cache[$hash];
    } else {
        $access_array = array(ACCESS_PUBLIC);
        // The following can only return sensible data if the user is logged in. - @Matt - nope!
        if ($user_id) {
            $access_array[] = ACCESS_LOGGED_IN;
            // Get ACL memberships
            $query = "SELECT am.access_collection_id" . " FROM {$CONFIG->dbprefix}access_collection_membership am" . " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id" . " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
            $collections = get_data($query);
            if ($collections) {
                foreach ($collections as $collection) {
                    if (!empty($collection->access_collection_id)) {
                        $access_array[] = (int) $collection->access_collection_id;
                    }
                }
            }
            // Get ACLs owned.
            $query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag ";
            $query .= "WHERE ag.owner_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
            $collections = get_data($query);
            if ($collections) {
                foreach ($collections as $collection) {
                    if (!empty($collection->id)) {
                        $access_array[] = (int) $collection->id;
                    }
                }
            }
            $ignore_access = elgg_check_access_overrides($user_id);
            if ($ignore_access == true) {
                $access_array[] = ACCESS_PRIVATE;
            }
        }
        if ($init_finished) {
            $cache[$hash] = $access_array;
        }
    }
    $options = array('user_id' => $user_id, 'site_id' => $site_id);
    return elgg_trigger_plugin_hook('access:collections:read', 'user', $options, $access_array);
}

 /**
  * Returns the SQL where clause for enforcing read access to data.
  *
  * Note that if this code is executed in privileged mode it will return (1=1).
  * 
  * Otherwise it returns a where clause to retrieve the data that a user has
  * permission to read.
  *
  * Plugin authors can hook into the 'get_sql', 'access' plugin hook to modify,
  * remove, or add to the where clauses. The plugin hook will pass an array with the current
  * ors and ands to the function in the form:
  *  array(
  *      'ors' => array(),
  *      'ands' => array()
  *  )
  *
  * The results will be combined into an SQL where clause in the form:
  *  ((or1 OR or2 OR orN) AND (and1 AND and2 AND andN))
  * 
  * @param array $options Array in format:
  *
  * 	table_alias => STR Optional table alias. This is based on the select and join clauses.
  *                     Default is 'e'. 
  *
  *  user_guid => INT Optional GUID for the user that we are retrieving data for.
  *                   Defaults to the logged in user.
  * 
  *  use_enabled_clause => BOOL Optional. Should we append the enabled clause? The default 
  *                             is set by access_show_hidden_entities().
  * 
  *  access_column => STR Optional access column name. Default is 'access_id'.
  * 
  *  owner_guid_column => STR Optional owner_guid column. Default is 'owner_guid'.
  * 
  *  guid_column => STR Optional guid_column. Default is 'guid'.
  * 
  * @return string
  * @access private
  */
 function getWhereSql(array $options = array())
 {
     global $ENTITY_SHOW_HIDDEN_OVERRIDE;
     $defaults = array('table_alias' => 'e', 'user_guid' => _elgg_services()->session->getLoggedInUserGuid(), 'use_enabled_clause' => !$ENTITY_SHOW_HIDDEN_OVERRIDE, 'access_column' => 'access_id', 'owner_guid_column' => 'owner_guid', 'guid_column' => 'guid');
     $options = array_merge($defaults, $options);
     // just in case someone passes a . at the end
     $options['table_alias'] = rtrim($options['table_alias'], '.');
     foreach (array('table_alias', 'access_column', 'owner_guid_column', 'guid_column') as $key) {
         $options[$key] = sanitize_string($options[$key]);
     }
     $options['user_guid'] = sanitize_int($options['user_guid'], false);
     // only add dot if we have an alias or table name
     $table_alias = $options['table_alias'] ? $options['table_alias'] . '.' : '';
     $options['ignore_access'] = elgg_check_access_overrides($options['user_guid']);
     $clauses = array('ors' => array(), 'ands' => array());
     $prefix = _elgg_services()->db->getTablePrefix();
     if ($options['ignore_access']) {
         $clauses['ors'][] = '1 = 1';
     } else {
         if ($options['user_guid']) {
             // include content of user's friends
             $clauses['ors'][] = "{$table_alias}{$options['access_column']} = " . ACCESS_FRIENDS . "\n\t\t\t\tAND {$table_alias}{$options['owner_guid_column']} IN (\n\t\t\t\t\tSELECT guid_one FROM {$prefix}entity_relationships\n\t\t\t\t\tWHERE relationship = 'friend' AND guid_two = {$options['user_guid']}\n\t\t\t\t)";
             // include user's content
             $clauses['ors'][] = "{$table_alias}{$options['owner_guid_column']} = {$options['user_guid']}";
         }
     }
     // include standard accesses (public, logged in, access collections)
     if (!$options['ignore_access']) {
         $access_list = get_access_list($options['user_guid']);
         $clauses['ors'][] = "{$table_alias}{$options['access_column']} IN {$access_list}";
     }
     if ($options['use_enabled_clause']) {
         $clauses['ands'][] = "{$table_alias}enabled = 'yes'";
     }
     $clauses = _elgg_services()->hooks->trigger('get_sql', 'access', $options, $clauses);
     $clauses_str = '';
     if (is_array($clauses['ors']) && $clauses['ors']) {
         $clauses_str = '(' . implode(' OR ', $clauses['ors']) . ')';
     }
     if (is_array($clauses['ands']) && $clauses['ands']) {
         if ($clauses_str) {
             $clauses_str .= ' AND ';
         }
         $clauses_str .= '(' . implode(' AND ', $clauses['ands']) . ')';
     }
     return "({$clauses_str})";
 }

 public function addEntityAccessFilter($user_guid = 0)
 {
     $user_guid = sanitise_int($user_guid, false);
     if (empty($user_guid)) {
         $user_guid = elgg_get_logged_in_user_guid();
     }
     if (elgg_check_access_overrides($user_guid)) {
         return;
     }
     $access_filter = [];
     if (!empty($user_guid)) {
         // check for owned content
         $access_filter[]['term']['owner_guid'] = $user_guid;
         // add friends check
         $friends = elgg_get_entities_from_relationship(['type' => 'user', 'relationship' => 'friend', 'relationship_guid' => $user_guid, 'inverse_relationship' => true, 'limit' => false, 'callback' => function ($row) {
             return $row->guid;
         }]);
         if (!empty($friends)) {
             $access_filter[] = ['bool' => ['must' => ['term' => ['owner_guid' => $friends], 'term' => ['access_id' => ACCESS_FRIENDS]]]];
         }
     }
     // add acl filter
     $access_array = get_access_array($user_guid);
     if (!empty($access_array)) {
         $access_filter[]['terms']['access_id'] = $access_array;
     }
     if (empty($access_filter)) {
         return;
     }
     $filter['bool']['must'][]['bool']['should'] = $access_filter;
     $this->addFilter($filter);
 }

/**
 * Check if the access system should be overridden.
 *
 * Allows admin users and calls after {@link elgg_set_ignore_access} to
 * by pass the access system.
 *
 * @return true|null
 * @since 1.7.0
 * @elgg_event_handler permissions_check all
 */
function elgg_override_permissions_hook()
{
    $user_guid = elgg_get_logged_in_user_guid();
    // check for admin
    if ($user_guid && elgg_is_admin_user($user_guid)) {
        return true;
    }
    // check access overrides
    if (elgg_check_access_overrides($user_guid)) {
        return true;
    }
    // consult other hooks
    return NULL;
}

/**
 * Override permissions system
 *
 * @return true|null
 */
function elgg_override_permissions_hook($hook, $type, $returnval, $params)
{
    $user_guid = get_loggedin_userid();
    // check for admin
    if ($user_guid && elgg_is_admin_user($user_guid)) {
        return true;
    }
    // check access overrides
    if (elgg_check_access_overrides($user_guid)) {
        return true;
    }
    // consult other hooks
    return NULL;
}

/**
 * This function has been added here until we decide if it is going to roll into core or not
 * Add access restriction sql code to a given query.
 * Note that if this code is executed in privileged mode it will return blank.
 * @TODO: DELETE once Query classes are fully integrated
 *
 * @param string $table_prefix Optional table. prefix for the access code.
 * @param int $owner
 */
function get_access_sql_suffix_new($table_prefix_one = '', $table_prefix_two = '', $owner = null)
{
    global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;
    $sql = "";
    $friends_bit = "";
    $enemies_bit = "";
    if ($table_prefix_one) {
        $table_prefix_one = sanitise_string($table_prefix_one) . ".";
    }
    if ($table_prefix_two) {
        $table_prefix_two = sanitise_string($table_prefix_two) . ".";
    }
    if (!isset($owner)) {
        $owner = get_loggedin_userid();
    }
    if (!$owner) {
        $owner = -1;
    }
    $ignore_access = elgg_check_access_overrides($owner);
    $access = get_access_list($owner);
    if ($ignore_access) {
        $sql = " (1 = 1) ";
    } else {
        if ($owner != -1) {
            $friends_bit = "{$table_prefix_one}access_id = " . ACCESS_FRIENDS . "\n\t\t\tAND {$table_prefix_one}owner_guid IN (\n\t\t\t\tSELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships\n\t\t\t\tWHERE relationship='friend' AND guid_two={$owner}\n\t\t\t)";
            $friends_bit = '(' . $friends_bit . ') OR ';
            if (isset($CONFIG->user_block_and_filter_enabled) && $CONFIG->user_block_and_filter_enabled) {
                // check to see if the user is in the entity owner's block list
                // or if the entity owner is in the user's filter list
                // if so, disallow access
                $enemies_bit = get_annotation_sql('elgg_block_list', "{$table_prefix_one}owner_guid", $owner, false);
                $enemies_bit = '(' . $enemies_bit . '	AND ' . get_annotation_sql('elgg_filter_list', $owner, "{$table_prefix_one}owner_guid", false) . ')';
            }
        }
    }
    if (empty($sql)) {
        $sql = " {$friends_bit} ({$table_prefix_one}access_id IN {$access}\n\t\t\tOR ({$table_prefix_one}owner_guid = {$owner})\n\t\t\tOR (\n\t\t\t\t{$table_prefix_one}access_id = " . ACCESS_PRIVATE . "\n\t\t\t\tAND {$table_prefix_one}owner_guid = {$owner}\n\t\t\t)\n\t\t)";
    }
    if ($enemies_bit) {
        $sql = "{$enemies_bit} AND ({$sql})";
    }
    if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
        $sql .= " and {$table_prefix_two}enabled='yes'";
    }
    return '(' . $sql . ')';
}