#201536 by chx: centralizing permission checking code in node revision handling, removing lots of duplicate code

author: Gábor Hojtsy <gabor@hojtsy.hu> 2007-12-20 09:20:41 +0000
committer: Gábor Hojtsy <gabor@hojtsy.hu> 2007-12-20 09:20:41 +0000
commit: 1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7 (patch)
tree: b3f289352d198e79cc70fc24929c3dfe80e88c4e /modules
parent: f761b8745c306703e0f78b5abdcc900044f5b602 (diff)
download: brdo-1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7.tar.gz
brdo-1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7.tar.bz2
2 files changed, 47 insertions, 85 deletions
diff --git a/modules/node/node.module b/modules/node/node.module
index 76c000a50..5839b5889 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1043,7 +1043,10 @@ function node_build_content($node, $teaser = FALSE, $page = FALSE) {
 /**
  * Generate a page displaying a single node, along with its comments.
  */
-function node_show($node, $cid) {
+function node_show($node, $cid, $message = FALSE) {
+  if ($message) {
+    drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))));
+  }
   $output = node_view($node, FALSE, TRUE);
 
   if (function_exists('comment_render') && $node->comment) {
@@ -1069,7 +1072,7 @@ function theme_node_log_message($log) {
  * Implementation of hook_perm().
  */
 function node_perm() {
-  $perms = array('administer content types', 'administer nodes', 'access content', 'view revisions', 'revert revisions');
+  $perms = array('administer content types', 'administer nodes', 'access content', 'view revisions', 'revert revisions', 'delete revisions');
 
   foreach (node_get_types() as $type) {
     if ($type->module == 'node') {
@@ -1304,8 +1307,31 @@ function node_link($type, $node = NULL, $teaser = FALSE) {
   return $links;
 }
 
-function _node_revision_access($node) {
-  return (user_access('view revisions') || user_access('administer nodes')) && node_access('view', $node) && db_result(db_query('SELECT COUNT(vid) FROM {node_revisions} WHERE nid = %d', $node->nid)) > 1;
+function _node_revision_access($node, $op = 'view') {
+  static $access = array();
+  if (!isset($access[$node->vid])) {
+    $node_current_revision = node_load($node->nid);
+    $is_current_revision = $node_current_revision->vid == $node->vid;
+    // There should be at least two revisions. If the vid of the given node
+    // and the vid of the current revision differs, then we already have two
+    // different revisions so there is no need for a separate database check.
+    // Also, if you try to revert to or delete the current revision, that's
+    // not good.
+    if ($is_current_revision && (db_result(db_query('SELECT COUNT(vid) FROM {node_revisions} WHERE nid = %d', $node->nid)) == 1 || $op == 'update' || $op == 'delete')) {
+      $access[$node->vid] = FALSE;
+    }
+    elseif (user_access('administer nodes')) {
+      $access[$node->vid] = TRUE;
+    }
+    else {
+      $map = array('view' => 'view revisions', 'update' => 'revert revisions', 'delete' => 'delete revisions');
+      // First check the user permission, second check the access to the
+      // current revision and finally, if the node passed in is not the current
+      // revision then access to that, too.
+      $access[$node->vid] = isset($map[$op]) && user_access($map[$op]) && node_access($op, $node_current_revision) && ($is_current_revision || node_access($op, $node));
+    }
+  }
+  return $access[$node->vid];
 }
 
 function _node_add_access() {
@@ -1450,28 +1476,37 @@ function node_menu() {
     'type' => MENU_CALLBACK);
   $items['node/%node/revisions'] = array(
     'title' => 'Revisions',
-    'page callback' => 'node_revisions',
+    'page callback' => 'node_revision_overview',
+    'page arguments' => array(1),
     'access callback' => '_node_revision_access',
     'access arguments' => array(1),
     'weight' => 2,
     'file' => 'node.pages.inc',
     'type' => MENU_LOCAL_TASK,
   );
+  $items['node/%node/revisions/%/view'] = array(
+    'title' => 'Revisions',
+    'page callback' => 'node_show',
+    'page arguments' => array(1, NULL, TRUE),
+    'type' => MENU_CALLBACK,
+  );
   $items['node/%node/revisions/%/revert'] = array(
     'title' => 'Revert to earlier revision',
-    'page callback' => 'node_revision_revert',
-    'page arguments' => array(1, 3),
+    'load arguments' => array(3),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('node_revision_revert_confirm', 1),
     'access callback' => '_node_revision_access',
-    'access arguments' => array(1, 3),
+    'access arguments' => array(1, 'update'),
     'file' => 'node.pages.inc',
     'type' => MENU_CALLBACK,
   );
   $items['node/%node/revisions/%/delete'] = array(
     'title' => 'Delete earlier revision',
-    'page callback' => 'node_revision_delete',
-    'page arguments' => array(1, 3),
+    'load arguments' => array(3),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('node_revision_delete_confirm', 1),
     'access callback' => '_node_revision_access',
-    'access arguments' => array(1, 3),
+    'access arguments' => array(1, 'delete'),
     'file' => 'node.pages.inc',
     'type' => MENU_CALLBACK,
   );
diff --git a/modules/node/node.pages.inc b/modules/node/node.pages.inc
index 1092240f1..6861626c6 100644
--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
@@ -506,38 +506,6 @@ function node_delete_confirm_submit($form, &$form_state) {
 }
 
 /**
- * Menu callback for revisions related activities.
- */
-function node_revisions() {
-  if (is_numeric(arg(1)) && arg(2) == 'revisions') {
-    $op = arg(4) ? arg(4) : 'overview';
-    switch ($op) {
-      case 'overview':
-        $node = node_load(arg(1));
-        if ((user_access('view revisions') || user_access('administer nodes')) && node_access('view', $node)) {
-          return node_revision_overview($node);
-        }
-        drupal_access_denied();
-        return;
-      case 'view':
-        if (is_numeric(arg(3))) {
-          $node = node_load(arg(1), arg(3));
-          if ($node->nid) {
-            if ((user_access('view revisions') || user_access('administer nodes')) && node_access('view', $node)) {
-              drupal_set_title(t('Revision of %title from %date', array('%title' => $node->title, '%date' => format_date($node->revision_timestamp))));
-              return node_show($node, arg(2));
-            }
-            drupal_access_denied();
-            return;
-          }
-        }
-        break;
-    }
-  }
-  drupal_not_found();
-}
-
-/**
  * Generate an overview table of older revisions of a node.
  */
 function node_revision_overview($node) {
@@ -553,7 +521,7 @@ function node_revision_overview($node) {
     $revert_permission = TRUE;
   }
   $delete_permission = FALSE;
-  if (user_access('administer nodes')) {
+  if ((user_access('delete revisions') || user_access('administer nodes')) && node_access('delete', $node)) {
     $delete_permission = TRUE;
   }
   foreach ($revisions as $revision) {
@@ -583,25 +551,6 @@ function node_revision_overview($node) {
 }
 
 /**
- * Revert to the revision with the specified revision number. A node and nodeapi "update" event is triggered
- * (via the node_save() call) when a revision is reverted.
- */
-function node_revision_revert($node, $revision) {
-  global $user;
-
-  if ((user_access('revert revisions') || user_access('administer nodes')) && node_access('update', $node)) {
-    $node_revision = node_load($node->nid, $revision);
-    if ($node_revision->vid) {
-      return drupal_get_form('node_revision_revert_confirm', $node_revision);
-    }
-    else {
-      drupal_set_message(t('You tried to revert to an invalid revision.'), 'error');
-      drupal_goto('node/'. $node->nid .'/revisions');
-    }
-  }
-  drupal_access_denied();
-}
-/**
  * Ask for confirmation of the reversion to prevent against CSRF attacks.
  */
 function node_revision_revert_confirm($form_state, $node_revision) {
@@ -624,28 +573,6 @@ function node_revision_revert_confirm_submit($form, &$form_state) {
   $form_state['redirect'] = 'node/'. $node_revision->nid .'/revisions';
 }
 
-/**
- * Delete the revision with specified revision number. A "delete revision" nodeapi event is invoked when a
- * revision is deleted.
- */
-function node_revision_delete($node, $revision) {
-  if (user_access('administer nodes')) {
-    if (node_access('delete', $node)) {
-      // Don't allow deleting the current revision.
-      if ($revision != $node->vid) {
-        // Load the specific revision instead of the current one.
-        $node_revision = node_load($node->nid, $revision);
-        return drupal_get_form('node_revision_delete_confirm', $node_revision);
-      }
-      else {
-        drupal_set_message(t('Deletion failed. You tried to delete the current revision.'));
-        drupal_goto('node/'. $node->nid .'/revisions');
-      }
-    }
-  }
-  drupal_access_denied();
-}
-
 function node_revision_delete_confirm($form_state, $node_revision) {
   $form['#node_revision'] = $node_revision;
   return confirm_form($form, t('Are you sure you want to delete the revision from %revision-date?', array('%revision-date' =>  format_date($node_revision->revision_timestamp))), 'node/'. $node_revision->nid .'/revisions', t('This action cannot be undone.'), t('Delete'), t('Cancel'));
author	Gábor Hojtsy <gabor@hojtsy.hu>	2007-12-20 09:20:41 +0000
committer	Gábor Hojtsy <gabor@hojtsy.hu>	2007-12-20 09:20:41 +0000
commit	1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7 (patch)
tree	b3f289352d198e79cc70fc24929c3dfe80e88c4e /modules
parent	f761b8745c306703e0f78b5abdcc900044f5b602 (diff)
download	brdo-1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7.tar.gz brdo-1e63dd1ae61c1e70e33c6cfa5b269c661f3122f7.tar.bz2