authorGábor Hojtsy <gabor@hojtsy.hu>2007-10-11 16:37:43 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2007-10-11 16:37:43 +0000
commit0ada4f136a51b3e0a0098543fa4977f945728905 (patch)
treecbd9da419724f6e9aee59721f0d5147c1e389599
parentfc599a7415f85840e21e4151b6025f089691531e (diff)
#72487 by chx, pwolanin and moshe weitzman: let node_access() work on arbitrary users, so independent user access checks can be done in a request
-rw-r--r--modules/blog/blog.module8
-rw-r--r--modules/forum/forum.module8
-rw-r--r--modules/node/node.module51
-rw-r--r--modules/poll/poll.module4
4 files changed, 38 insertions, 33 deletions
diff --git a/modules/blog/blog.module b/modules/blog/blog.module
index 8d1a08a42..2784d720d 100644
--- a/modules/blog/blog.module
+++ b/modules/blog/blog.module
@@ -29,15 +29,13 @@ function blog_perm() {
/**
* Implementation of hook_access().
*/
-function blog_access($op, $node) {
- global $user;
-
+function blog_access($op, $node, $account) {
if ($op == 'create') {
- return user_access('edit own blog') && $user->uid;
+ return user_access('edit own blog', $account) && $account->uid;
}
if ($op == 'update' || $op == 'delete') {
- if (user_access('edit own blog') && ($user->uid == $node->uid)) {
+ if (user_access('edit own blog', $account) && ($node->uid == $account->uid)) {
return TRUE;
}
}
diff --git a/modules/forum/forum.module b/modules/forum/forum.module
index a7424cbcc..a52dcb5e9 100644
--- a/modules/forum/forum.module
+++ b/modules/forum/forum.module
@@ -295,15 +295,13 @@ function forum_node_info() {
/**
* Implementation of hook_access().
*/
-function forum_access($op, $node) {
- global $user;
-
+function forum_access($op, $node, $account) {
if ($op == 'create') {
- return user_access('create forum topics');
+ return user_access('create forum topics', $account);
}
if ($op == 'update' || $op == 'delete') {
- if (user_access('edit own forum topics') && ($user->uid == $node->uid)) {
+ if (user_access('edit own forum topics', $account) && ($account->uid == $node->uid)) {
return TRUE;
}
}
diff --git a/modules/node/node.module b/modules/node/node.module
index 71fb9a5f0..c3a60311d 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1770,10 +1770,13 @@ function node_search_validate($form, &$form_state) {
* @param $node
* The node object (or node array) on which the operation is to be performed,
* or node type (e.g. 'forum') for "create" operation.
+ * @param $account
+ * Optional, a user object representing the user for whom the operation is to
+ * be performed. Determines access for a user other than the current user.
* @return
* TRUE if the operation may be performed.
*/
-function node_access($op, $node) {
+function node_access($op, $node, $account = NULL) {
global $user;
if (!$node) {
@@ -1783,16 +1786,20 @@ function node_access($op, $node) {
if ($op != 'create') {
$node = (object)$node;
}
+ // If no user object is supplied, the access check is for the current user.
+ if (empty($account)) {
+ $account = $user;
+ }
// If the node is in a restricted format, disallow editing.
if ($op == 'update' && !filter_access($node->format)) {
return FALSE;
}
- if (user_access('administer nodes')) {
+ if (user_access('administer nodes', $account)) {
return TRUE;
}
- if (!user_access('access content')) {
+ if (!user_access('access content', $account)) {
return FALSE;
}
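Review bot: The restricted-format guard `filter_access($node->format)` is still called without `$account`, so for `$op == 'update'` the result depends partly on the current user's input formats even when another account is passed in. If filter_access() cannot take an account at this point, a comment above that line such as `// NOTE: format access is evaluated for the current user, not $account.` would keep callers from treating the answer as authoritative for the other user. The fallback here tests `empty($account)` while node_access_grants() tests `!isset($account)`; using one test in both places would be clearer. node_access() starts before and continues after this hunk.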
@@ -1802,7 +1809,7 @@ function node_access($op, $node) {
if ($module == 'node') {
$module = 'node_content'; // Avoid function name collisions.
}
- $access = module_invoke($module, 'access', $op, $node);
+ $access = module_invoke($module, 'access', $op, $node, $account);
if (!is_null($access)) {
return $access;
}
@@ -1811,7 +1818,7 @@ function node_access($op, $node) {
// node_access table.
if ($op != 'create' && $node->nid && $node->status) {
$grants = array();
- foreach (node_access_grants($op) as $realm => $gids) {
+ foreach (node_access_grants($op, $account) as $realm => $gids) {
foreach ($gids as $gid) {
$grants[] = "(gid = $gid AND realm = '$realm')";
}
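Review bot: `$gid` and `$realm` are interpolated directly into the grant clause on the `$grants[] = ...` line, and after this change they are produced by node_grants implementations for whichever account the caller supplies. The values appear to come from module code rather than from the request, but casting and escaping at the point of use keeps a misbehaving implementation from altering the query: `$grants[] = '(gid = '. (int)$gid ." AND realm = '". db_escape_string($realm) ."')";` (this assumes gid is an integer id). The same construction is used in _node_access_where_sql() in a later hunk. The loops are closed outside this hunk.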
@@ -1828,7 +1835,7 @@ function node_access($op, $node) {
}
// Let authors view their own nodes.
- if ($op == 'view' && $user->uid == $node->uid && $user->uid != 0) {
+ if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {
return TRUE;
}
@@ -1863,16 +1870,19 @@ function _node_access_join_sql($node_alias = 'n', $node_access_alias = 'na') {
* @param $node_access_alias
* If the node_access table has been given an SQL alias other than the default
* "na", that must be passed here.
+ * @param $account
+ * The user object for the user performing the operation. If omitted, the
+ * current user is used.
* @return
* An SQL where clause.
*/
-function _node_access_where_sql($op = 'view', $node_access_alias = 'na', $uid = NULL) {
+function _node_access_where_sql($op = 'view', $node_access_alias = 'na', $account = NULL) {
if (user_access('administer nodes')) {
return;
}
$grants = array();
- foreach (node_access_grants($op, $uid) as $realm => $gids) {
+ foreach (node_access_grants($op, $account) as $realm => $gids) {
foreach ($gids as $gid) {
$grants[] = "($node_access_alias.gid = $gid AND $node_access_alias.realm = '$realm')";
}
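Review bot: The bypass `if (user_access('administer nodes'))` at the top of _node_access_where_sql() is still evaluated for the current user, while the grants below it are now collected for `$account`. When an administrator builds this clause on behalf of a less privileged account, the function returns early with no restriction, so the query is not limited to what that account may see. Passing the account through, `if (user_access('administer nodes', $account)) {`, would make both checks refer to the same user, assuming user_access() falls back to the current user when `$account` is NULL (its body is not shown here). The function continues outside this hunk.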
@@ -1896,23 +1906,20 @@ function _node_access_where_sql($op = 'view', $node_access_alias = 'na', $uid =
*
* @param $op
* The operation that the user is trying to perform.
- * @param $uid
- * The user ID performing the operation. If omitted, the current user is used.
+ * @param $account
+ * The user object for the user performing the operation. If omitted, the
+ * current user is used.
* @return
* An associative array in which the keys are realms, and the values are
* arrays of grants for those realms.
*/
-function node_access_grants($op, $uid = NULL) {
- global $user;
+function node_access_grants($op, $account = NULL) {
- if (isset($uid)) {
- $user_object = user_load(array('uid' => $uid));
- }
- else {
- $user_object = $user;
+ if (!isset($account)) {
+ $account = $GLOBALS['user'];
}
- return array_merge(array('all' => array(0)), module_invoke_all('node_grants', $user_object, $op));
+ return array_merge(array('all' => array(0)), module_invoke_all('node_grants', $account, $op));
}
/**
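Review bot: The second parameter of node_access_grants() changes from a uid to a user object in the same position, so a caller that still passes a numeric uid is no longer loaded through user_load() and the integer is forwarded unchanged to every node_grants implementation. The docblock should state the break explicitly, for example `The user object (not a uid) for the user performing the operation.`, so that grant realms are not computed from a bare integer without anyone noticing. Callers outside this diff are not visible, so whether any still pass a uid cannot be confirmed from here.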
@@ -2183,17 +2190,19 @@ function _node_access_rebuild_batch_finished($success, $results, $operations) {
/**
* Implementation of hook_access().
+ *
+ * Named so as not to conflict with node_access()
*/
-function node_content_access($op, $node) {
+function node_content_access($op, $node, $account) {
global $user;
$type = is_string($node) ? $node : (is_array($node) ? $node['type'] : $node->type);
if ($op == 'create') {
- return user_access('create '. $type .' content');
+ return user_access('create '. $type .' content', $account);
}
if ($op == 'update') {
- if (user_access('edit '. $type .' content') || (user_access('edit own '. $type .' content') && ($user->uid == $node->uid))) {
+ if (user_access('edit '. $type .' content', $account) || (user_access('edit own '. $type .' content', $account) && ($user->uid == $node->uid))) {
return TRUE;
}
}
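Review bot: The "edit own" branch in node_content_access() still compares `$user->uid == $node->uid`, so ownership is decided by the current user while both permission checks on the same line now use `$account`. An access check run for another account can therefore return TRUE for a node that account does not own, or miss one it does. The comparison should read `($account->uid == $node->uid)`, after which the `global $user;` line at the top of the function is no longer needed. The function continues outside this hunk.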
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index f1cdb7a77..3f4f28bac 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -57,9 +57,9 @@ function poll_perm() {
/**
* Implementation of hook_access().
*/
-function poll_access($op, $node) {
+function poll_access($op, $node, $account) {
if ($op == 'create') {
- return user_access('create polls');
+ return user_access('create polls', $account);
}
}