PageRenderTime 26ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 1ms

/engine/lib/access.php

https://github.com/fragilbert/Elgg
PHP | 1087 lines | 491 code | 146 blank | 450 comment | 104 complexity | 805f5037e97aca07b7639335cebd1ca9 MD5 | raw file
Possible License(s): MIT, BSD-3-Clause, LGPL-2.1, GPL-2.0 
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * Functions for Elgg's access system for entities, metadata, and annotations.
    4. 

  4.  *
    5. 

  5.  * Access is generally saved in the database as access_id.  This corresponds to
    6. 

  6.  * one of the ACCESS_* constants defined in {@link elgglib.php} or the ID of an
    7. 

  7.  * access collection.
    8. 

  8.  *
    9. 

  9.  * @package Elgg.Core
    10. 

  10.  * @subpackage Access
    11. 

  11.  * @link http://docs.elgg.org/Access
    12. 

  12.  */
    13. 

  13. 

  14. /**
    15. 

  15.  * Return an ElggCache static variable cache for the access caches
    16. 

  16.  *
    17. 

  17.  * @staticvar ElggStaticVariableCache $access_cache
    18. 

  18.  * @return \ElggStaticVariableCache
    19. 

  19.  * @access private
    20. 

  20.  */
    21. 

  21. function _elgg_get_access_cache() {
    22. 

  22. 	/**
    23. 

  23. 	 * A default filestore cache using the dataroot.
    24. 

  24. 	 */
    25. 

  25. 	static $access_cache;
    26. 

  26. 

  27. 	if (!$access_cache) {
    28. 

  28. 		$access_cache = new ElggStaticVariableCache('access');
    29. 

  29. 	}
    30. 

  30. 

  31. 	return $access_cache;
    32. 

  32. }
    33. 

  33. 

  34. /**
    35. 

  35.  * Return a string of access_ids for $user_id appropriate for inserting into an SQL IN clause.
    36. 

  36.  *
    37. 

  37.  * @uses get_access_array
    38. 

  38.  *
    39. 

  39.  * @link http://docs.elgg.org/Access
    40. 

  40.  * @see get_access_array()
    41. 

  41.  *
    42. 

  42.  * @param int  $user_id User ID; defaults to currently logged in user
    43. 

  43.  * @param int  $site_id Site ID; defaults to current site
    44. 

  44.  * @param bool $flush   If set to true, will refresh the access list from the
    45. 

  45.  *                      database rather than using this function's cache.
    46. 

  46.  *
    47. 

  47.  * @return string A list of access collections suitable for using in an SQL call
    48. 

  48.  * @access private
    49. 

  49.  */
    50. 

  50. function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
    51. 

  51. 	global $CONFIG, $init_finished;
    52. 

  52. 	$cache = _elgg_get_access_cache();
    53. 

  53. 	
    54. 

  54. 	if ($flush) {
    55. 

  55. 		$cache->clear();
    56. 

  56. 	}
    57. 

  57. 

  58. 	if ($user_id == 0) {
    59. 

  59. 		$user_id = elgg_get_logged_in_user_guid();
    60. 

  60. 	}
    61. 

  61. 

  62. 	if (($site_id == 0) && (isset($CONFIG->site_id))) {
    63. 

  63. 		$site_id = $CONFIG->site_id;
    64. 

  64. 	}
    65. 

  65. 	$user_id = (int) $user_id;
    66. 

  66. 	$site_id = (int) $site_id;
    67. 

  67. 

  68. 	$hash = $user_id . $site_id . 'get_access_list';
    69. 

  69. 

  70. 	if ($cache[$hash]) {
    71. 

  71. 		return $cache[$hash];
    72. 

  72. 	}
    73. 

  73. 	
    74. 

  74. 	$access_array = get_access_array($user_id, $site_id, $flush);
    75. 

  75. 	$access = "(" . implode(",", $access_array) . ")";
    76. 

  76. 

  77. 	if ($init_finished) {
    78. 

  78. 		$cache[$hash] = $access;
    79. 

  79. 	}
    80. 

  80. 	
    81. 

  81. 	return $access;
    82. 

  82. }
    83. 

  83. 

  84. /**
    85. 

  85.  * Returns an array of access IDs a user is permitted to see.
    86. 

  86.  *
    87. 

  87.  * Can be overridden with the 'access:collections:read', 'user' plugin hook.
    88. 

  88.  *
    89. 

  89.  * This returns a list of all the collection ids a user owns or belongs
    90. 

  90.  * to plus public and logged in access levels. If the user is an admin, it includes
    91. 

  91.  * the private access level.
    92. 

  92.  *
    93. 

  93.  * @internal this is only used in core for creating the SQL where clause when
    94. 

  94.  * retrieving content from the database. The friends access level is handled by
    95. 

  95.  * get_access_sql_suffix().
    96. 

  96.  *
    97. 

  97.  * @see get_write_access_array() for the access levels that a user can write to.
    98. 

  98.  *
    99. 

  99.  * @param int  $user_id User ID; defaults to currently logged in user
    100. 

  100.  * @param int  $site_id Site ID; defaults to current site
    101. 

  101.  * @param bool $flush   If set to true, will refresh the access ids from the
    102. 

  102.  *                      database rather than using this function's cache.
    103. 

  103.  *
    104. 

  104.  * @return array An array of access collections ids
    105. 

  105.  */
    106. 

  106. function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
    107. 

  107. 	global $CONFIG, $init_finished;
    108. 

  108. 

  109. 	$cache = _elgg_get_access_cache();
    110. 

  110. 

  111. 	if ($flush) {
    112. 

  112. 		$cache->clear();
    113. 

  113. 	}
    114. 

  114. 

  115. 	if ($user_id == 0) {
    116. 

  116. 		$user_id = elgg_get_logged_in_user_guid();
    117. 

  117. 	}
    118. 

  118. 

  119. 	if (($site_id == 0) && (isset($CONFIG->site_guid))) {
    120. 

  120. 		$site_id = $CONFIG->site_guid;
    121. 

  121. 	}
    122. 

  122. 

  123. 	$user_id = (int) $user_id;
    124. 

  124. 	$site_id = (int) $site_id;
    125. 

  125. 

  126. 	$hash = $user_id . $site_id . 'get_access_array';
    127. 

  127. 

  128. 	if ($cache[$hash]) {
    129. 

  129. 		$access_array = $cache[$hash];
    130. 

  130. 	} else {
    131. 

  131. 		$access_array = array(ACCESS_PUBLIC);
    132. 

  132. 

  133. 		// The following can only return sensible data if the user is logged in.
    134. 

  134. 		if (elgg_is_logged_in()) {
    135. 

  135. 			$access_array[] = ACCESS_LOGGED_IN;
    136. 

  136. 

  137. 			// Get ACL memberships
    138. 

  138. 			$query = "SELECT am.access_collection_id"
    139. 

  139. 				. " FROM {$CONFIG->dbprefix}access_collection_membership am"
    140. 

  140. 				. " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id"
    141. 

  141. 				. " WHERE am.user_guid = $user_id AND (ag.site_guid = $site_id OR ag.site_guid = 0)";
    142. 

  142. 

  143. 			$collections = get_data($query);
    144. 

  144. 			if ($collections) {
    145. 

  145. 				foreach ($collections as $collection) {
    146. 

  146. 					if (!empty($collection->access_collection_id)) {
    147. 

  147. 						$access_array[] = (int)$collection->access_collection_id;
    148. 

  148. 					}
    149. 

  149. 				}
    150. 

  150. 			}
    151. 

  151. 

  152. 			// Get ACLs owned.
    153. 

  153. 			$query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag ";
    154. 

  154. 			$query .= "WHERE ag.owner_guid = $user_id AND (ag.site_guid = $site_id OR ag.site_guid = 0)";
    155. 

  155. 

  156. 			$collections = get_data($query);
    157. 

  157. 			if ($collections) {
    158. 

  158. 				foreach ($collections as $collection) {
    159. 

  159. 					if (!empty($collection->id)) {
    160. 

  160. 						$access_array[] = (int)$collection->id;
    161. 

  161. 					}
    162. 

  162. 				}
    163. 

  163. 			}
    164. 

  164. 

  165. 			$ignore_access = elgg_check_access_overrides($user_id);
    166. 

  166. 

  167. 			if ($ignore_access == true) {
    168. 

  168. 				$access_array[] = ACCESS_PRIVATE;
    169. 

  169. 			}
    170. 

  170. 		}
    171. 

  171. 

  172. 		if ($init_finished) {
    173. 

  173. 			$cache[$hash] = $access_array;
    174. 

  174. 		}
    175. 

  175. 	}
    176. 

  176. 

  177. 	$options = array(
    178. 

  178. 		'user_id' => $user_id,
    179. 

  179. 		'site_id' => $site_id
    180. 

  180. 	);
    181. 

  181. 	
    182. 

  182. 	return elgg_trigger_plugin_hook('access:collections:read', 'user', $options, $access_array);
    183. 

  183. }
    184. 

  184. 

  185. /**
    186. 

  186.  * Gets the default access permission.
    187. 

  187.  *
    188. 

  188.  * This returns the default access level for the site or optionally of the user.
    189. 

  189.  * If want you to change the default access based on group of other information,
    190. 

  190.  * use the 'default', 'access' plugin hook.
    191. 

  191.  *
    192. 

  192.  * @param ElggUser $user Get the user's default access. Defaults to logged in user.
    193. 

  193.  *
    194. 

  194.  * @return int default access id (see ACCESS defines in elgglib.php)
    195. 

  195.  * @link http://docs.elgg.org/Access
    196. 

  196.  */
    197. 

  197. function get_default_access(ElggUser $user = null) {
    198. 

  198. 	global $CONFIG;
    199. 

  199. 

  200. 	// site default access
    201. 

  201. 	$default_access = $CONFIG->default_access;
    202. 

  202. 

  203. 	// user default access if enabled
    204. 

  204. 	if ($CONFIG->allow_user_default_access) {
    205. 

  205. 		$user = $user ? $user : elgg_get_logged_in_user_entity();
    206. 

  206. 		if ($user) {
    207. 

  207. 			$user_access = $user->getPrivateSetting('elgg_default_access');
    208. 

  208. 			if ($user_access !== false) {
    209. 

  209. 				$default_access = $user_access;
    210. 

  210. 			}
    211. 

  211. 		}
    212. 

  212. 	}
    213. 

  213. 

  214. 	$params = array(
    215. 

  215. 		'user' => $user,
    216. 

  216. 		'default_access' => $default_access,
    217. 

  217. 	);
    218. 

  218. 	return elgg_trigger_plugin_hook('default', 'access', $params, $default_access);
    219. 

  219. }
    220. 

  220. 

  221. /**
    222. 

  222.  * Allow disabled entities and metadata to be returned by getter functions
    223. 

  223.  *
    224. 

  224.  * @todo Replace this with query object!
    225. 

  225.  * @global bool $ENTITY_SHOW_HIDDEN_OVERRIDE
    226. 

  226.  * @access private
    227. 

  227.  */
    228. 

  228. $ENTITY_SHOW_HIDDEN_OVERRIDE = false;
    229. 

  229. 

  230. /**
    231. 

  231.  * Show or hide disabled entities.
    232. 

  232.  *
    233. 

  233.  * @param bool $show_hidden Show disabled entities.
    234. 

  234.  * @return bool
    235. 

  235.  * @access private
    236. 

  236.  */
    237. 

  237. function access_show_hidden_entities($show_hidden) {
    238. 

  238. 	global $ENTITY_SHOW_HIDDEN_OVERRIDE;
    239. 

  239. 	$current_value = $ENTITY_SHOW_HIDDEN_OVERRIDE;
    240. 

  240. 	$ENTITY_SHOW_HIDDEN_OVERRIDE = $show_hidden;
    241. 

  241. 	return $current_value;
    242. 

  242. }
    243. 

  243. 

  244. /**
    245. 

  245.  * Return current status of showing disabled entities.
    246. 

  246.  *
    247. 

  247.  * @return bool
    248. 

  248.  * @access private
    249. 

  249.  */
    250. 

  250. function access_get_show_hidden_status() {
    251. 

  251. 	global $ENTITY_SHOW_HIDDEN_OVERRIDE;
    252. 

  252. 	return $ENTITY_SHOW_HIDDEN_OVERRIDE;
    253. 

  253. }
    254. 

  254. 

  255. /**
    256. 

  256.  * Returns the SQL where clause for a table with a access_id and enabled columns.
    257. 

  257.  *
    258. 

  258.  * This handles returning where clauses for ACCESS_FRIENDS and the currently
    259. 

  259.  * unused block and filter lists in addition to using get_access_list() for
    260. 

  260.  * access collections and the standard access levels.
    261. 

  261.  *
    262. 

  262.  * @param string $table_prefix Optional table. prefix for the access code.
    263. 

  263.  * @param int    $owner        The guid to check access for. Defaults to logged in user.
    264. 

  264.  *
    265. 

  265.  * @return string The SQL for a where clause
    266. 

  266.  * @access private
    267. 

  267.  */
    268. 

  268. function get_access_sql_suffix($table_prefix = '', $owner = null) {
    269. 

  269. 	global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;
    270. 

  270. 

  271. 	$sql = "";
    272. 

  272. 	$friends_bit = "";
    273. 

  273. 	$enemies_bit = "";
    274. 

  274. 

  275. 	if ($table_prefix) {
    276. 

  276. 		$table_prefix = sanitise_string($table_prefix) . ".";
    277. 

  277. 	}
    278. 

  278. 

  279. 	if (!isset($owner)) {
    280. 

  280. 		$owner = elgg_get_logged_in_user_guid();
    281. 

  281. 	}
    282. 

  282. 

  283. 	if (!$owner) {
    284. 

  284. 		$owner = -1;
    285. 

  285. 	}
    286. 

  286. 

  287. 	$ignore_access = elgg_check_access_overrides($owner);
    288. 

  288. 	$access = get_access_list($owner);
    289. 

  289. 

  290. 	if ($ignore_access) {
    291. 

  291. 		$sql = " (1 = 1) ";
    292. 

  292. 	} else if ($owner != -1) {
    293. 

  293. 		// we have an entity's guid and auto check for friend relationships
    294. 

  294. 		$friends_bit = "{$table_prefix}access_id = " . ACCESS_FRIENDS . "
    295. 

  295. 			AND {$table_prefix}owner_guid IN (
    296. 

  296. 				SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships
    297. 

  297. 				WHERE relationship='friend' AND guid_two=$owner
    298. 

  298. 			)";
    299. 

    300. 

  300. 		$friends_bit = '(' . $friends_bit . ') OR ';
    301. 

  301. 

  302. 		// @todo untested and unsupported at present
    303. 

  303. 		if ((isset($CONFIG->user_block_and_filter_enabled)) && ($CONFIG->user_block_and_filter_enabled)) {
    304. 

  304. 			// check to see if the user is in the entity owner's block list
    305. 

  305. 			// or if the entity owner is in the user's filter list
    306. 

  306. 			// if so, disallow access
    307. 

  307. 			$enemies_bit = get_access_restriction_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false);
    308. 

  308. 			$enemies_bit = '('
    309. 

  309. 				. $enemies_bit
    310. 

  310. 				. '	AND ' . get_access_restriction_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false)
    311. 

  311. 			. ')';
    312. 

  312. 		}
    313. 

  313. 	}
    314. 

  314. 

  315. 	if (empty($sql)) {
    316. 

  316. 		$sql = " $friends_bit ({$table_prefix}access_id IN {$access}
    317. 

  317. 			OR ({$table_prefix}owner_guid = {$owner})
    318. 

  318. 			OR (
    319. 

  319. 				{$table_prefix}access_id = " . ACCESS_PRIVATE . "
    320. 

  320. 				AND {$table_prefix}owner_guid = $owner
    321. 

  321. 			)
    322. 

  322. 		)";
    323. 

  323. 	}
    324. 

  324. 

  325. 	if ($enemies_bit) {
    326. 

  326. 		$sql = "$enemies_bit AND ($sql)";
    327. 

  327. 	}
    328. 

  328. 

  329. 	if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
    330. 

  330. 		$sql .= " and {$table_prefix}enabled='yes'";
    331. 

  331. 	}
    332. 

  332. 

  333. 	return '(' . $sql . ')';
    334. 

  334. }
    335. 

  335. 

  336. /**
    337. 

  337.  * Get the where clause for an access restriction based on annotations
    338. 

  338.  *
    339. 

  339.  * Returns an SQL fragment that is true (or optionally false) if the given user has
    340. 

  340.  * added an annotation with the given name to the given entity.
    341. 

  341.  *
    342. 

  342.  * @warning this is a private function for an untested capability and will likely
    343. 

  343.  * be removed from a future version of Elgg.
    344. 

  344.  *
    345. 

  345.  * @param string  $annotation_name Name of the annotation
    346. 

  346.  * @param string  $entity_guid     SQL GUID of entity the annotation is attached to.
    347. 

  347.  * @param string  $owner_guid      SQL string that evaluates to the GUID of the annotation owner
    348. 

  348.  * @param boolean $exists          If true, returns BOOL if the annotation exists
    349. 

  349.  *
    350. 

  350.  * @return string An SQL fragment suitable for inserting into a WHERE clause
    351. 

  351.  * @access private
    352. 

  352.  */
    353. 

  353. function get_access_restriction_sql($annotation_name, $entity_guid, $owner_guid, $exists) {
    354. 

  354. 	global $CONFIG;
    355. 

  355. 

  356. 	if ($exists) {
    357. 

  357. 		$not = '';
    358. 

  358. 	} else {
    359. 

  359. 		$not = 'NOT';
    360. 

  360. 	}
    361. 

  361. 

  362. 	$sql = <<<END
    363. 

  363. $not EXISTS (SELECT * FROM {$CONFIG->dbprefix}annotations a
    364. 

  364. INNER JOIN {$CONFIG->dbprefix}metastrings ms ON (a.name_id = ms.id)
    365. 

  365. WHERE ms.string = '$annotation_name'
    366. 

  366. AND a.entity_guid = $entity_guid
    367. 

  367. AND a.owner_guid = $owner_guid)
    368. 

  368. END;
    369. 

  369. 	return $sql;
    370. 

  370. }
    371. 

  371. 

  372. /**
    373. 

  373.  * Can a user access an entity.
    374. 

  374.  *
    375. 

  375.  * @warning If a logged in user doesn't have access to an entity, the
    376. 

  376.  * core engine will not load that entity.
    377. 

  377.  *
    378. 

  378.  * @tip This is mostly useful for checking if a user other than the logged in
    379. 

  379.  * user has access to an entity that is currently loaded.
    380. 

  380.  *
    381. 

  381.  * @todo This function would be much more useful if we could pass the guid of the
    382. 

  382.  * entity to test access for. We need to be able to tell whether the entity exists
    383. 

  383.  * and whether the user has access to the entity.
    384. 

  384.  *
    385. 

  385.  * @param ElggEntity $entity The entity to check access for.
    386. 

  386.  * @param ElggUser   $user   Optionally user to check access for. Defaults to
    387. 

  387.  *                           logged in user (which is a useless default).
    388. 

  388.  *
    389. 

  389.  * @return bool
    390. 

  390.  * @link http://docs.elgg.org/Access
    391. 

  391.  */
    392. 

  392. function has_access_to_entity($entity, $user = null) {
    393. 

  393. 	global $CONFIG;
    394. 

  394. 

  395. 	if (!isset($user)) {
    396. 

  396. 		$access_bit = get_access_sql_suffix("e");
    397. 

  397. 	} else {
    398. 

  398. 		$access_bit = get_access_sql_suffix("e", $user->getGUID());
    399. 

  399. 	}
    400. 

  400. 

  401. 	$query = "SELECT guid from {$CONFIG->dbprefix}entities e WHERE e.guid = " . $entity->getGUID();
    402. 

  402. 	// Add access controls
    403. 

  403. 	$query .= " AND " . $access_bit;
    404. 

  404. 	if (get_data($query)) {
    405. 

  405. 		return true;
    406. 

  406. 	} else {
    407. 

  407. 		return false;
    408. 

  408. 	}
    409. 

  409. }
    410. 

  410. 

  411. /**
    412. 

  412.  * Returns an array of access permissions that the user is allowed to save content with.
    413. 

  413.  * Permissions returned are of the form (id => 'name').
    414. 

  414.  *
    415. 

  415.  * Example return value in English:
    416. 

  416.  * array(
    417. 

  417.  *     0 => 'Private',
    418. 

  418.  *    -2 => 'Friends',
    419. 

  419.  *     1 => 'Logged in users',
    420. 

  420.  *     2 => 'Public',
    421. 

  421.  *    34 => 'My favorite friends',
    422. 

  422.  * );
    423. 

  423.  *
    424. 

  424.  * Plugin hook of 'access:collections:write', 'user'
    425. 

  425.  *
    426. 

  426.  * @warning this only returns access collections that the user owns plus the
    427. 

  427.  * standard access levels. It does not return access collections that the user
    428. 

  428.  * belongs to such as the access collection for a group.
    429. 

  429.  *
    430. 

  430.  * @param int  $user_id The user's GUID.
    431. 

  431.  * @param int  $site_id The current site.
    432. 

  432.  * @param bool $flush   If this is set to true, this will ignore a cached access array
    433. 

  433.  *
    434. 

  434.  * @return array List of access permissions
    435. 

  435.  * @link http://docs.elgg.org/Access
    436. 

  436.  */
    437. 

  437. function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) {
    438. 

  438. 	global $CONFIG, $init_finished;
    439. 

  439. 	$cache = _elgg_get_access_cache();
    440. 

  440. 

  441. 	if ($flush) {
    442. 

  442. 		$cache->clear();
    443. 

  443. 	}
    444. 

  444. 

  445. 	if ($user_id == 0) {
    446. 

  446. 		$user_id = elgg_get_logged_in_user_guid();
    447. 

  447. 	}
    448. 

  448. 

  449. 	if (($site_id == 0) && (isset($CONFIG->site_id))) {
    450. 

  450. 		$site_id = $CONFIG->site_id;
    451. 

  451. 	}
    452. 

  452. 

  453. 	$user_id = (int) $user_id;
    454. 

  454. 	$site_id = (int) $site_id;
    455. 

  455. 

  456. 	$hash = $user_id . $site_id . 'get_write_access_array';
    457. 

  457. 

  458. 	if ($cache[$hash]) {
    459. 

  459. 		$access_array = $cache[$hash];
    460. 

  460. 	} else {
    461. 

  461. 		// @todo is there such a thing as public write access?
    462. 

  462. 		$access_array = array(
    463. 

  463. 			ACCESS_PRIVATE => elgg_echo("PRIVATE"),
    464. 

  464. 			ACCESS_FRIENDS => elgg_echo("access:friends:label"),
    465. 

  465. 			ACCESS_LOGGED_IN => elgg_echo("LOGGED_IN"),
    466. 

  466. 			ACCESS_PUBLIC => elgg_echo("PUBLIC")
    467. 

  467. 		);
    468. 

  468. 		
    469. 

  469. 		$query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag ";
    470. 

  470. 		$query .= " WHERE (ag.site_guid = $site_id OR ag.site_guid = 0)";
    471. 

  471. 		$query .= " AND (ag.owner_guid = $user_id)";
    472. 

  472. 

  473. 		$collections = get_data($query);
    474. 

  474. 		if ($collections) {
    475. 

  475. 			foreach ($collections as $collection) {
    476. 

  476. 				$access_array[$collection->id] = $collection->name;
    477. 

  477. 			}
    478. 

  478. 		}
    479. 

  479. 

  480. 		if ($init_finished) {
    481. 

  481. 			$cache[$hash] = $access_array;
    482. 

  482. 		}
    483. 

  483. 	}
    484. 

  484. 

  485. 	$options = array(
    486. 

  486. 		'user_id' => $user_id,
    487. 

  487. 		'site_id' => $site_id
    488. 

  488. 	);
    489. 

  489. 	return elgg_trigger_plugin_hook('access:collections:write', 'user',
    490. 

  490. 		$options, $access_array);
    491. 

  491. }
    492. 

  492. 

  493. /**
    494. 

  494.  * Can the user change this access collection?
    495. 

  495.  *
    496. 

  496.  * Use the plugin hook of 'access:collections:write', 'user' to change this.
    497. 

  497.  * @see get_write_access_array() for details on the hook.
    498. 

  498.  *
    499. 

  499.  * Respects access control disabling for admin users and {@see elgg_set_ignore_access()}
    500. 

  500.  *
    501. 

  501.  * @see get_write_access_array()
    502. 

  502.  *
    503. 

  503.  * @param int   $collection_id The collection id
    504. 

  504.  * @param mixed $user_guid     The user GUID to check for. Defaults to logged in user.
    505. 

  505.  * @return bool
    506. 

  506.  */
    507. 

  507. function can_edit_access_collection($collection_id, $user_guid = null) {
    508. 

  508. 	if ($user_guid) {
    509. 

  509. 		$user = get_entity((int) $user_guid);
    510. 

  510. 	} else {
    511. 

  511. 		$user = elgg_get_logged_in_user_entity();
    512. 

  512. 	}
    513. 

  513. 

  514. 	$collection = get_access_collection($collection_id);
    515. 

  515. 

  516. 	if (!($user instanceof ElggUser) || !$collection) {
    517. 

  517. 		return false;
    518. 

  518. 	}
    519. 

  519. 

  520. 	$write_access = get_write_access_array($user->getGUID(), 0, true);
    521. 

  521. 

  522. 	// don't ignore access when checking users.
    523. 

  523. 	if ($user_guid) {
    524. 

  524. 		return array_key_exists($collection_id, $write_access);
    525. 

  525. 	} else {
    526. 

  526. 		return elgg_get_ignore_access() || array_key_exists($collection_id, $write_access);
    527. 

  527. 	}
    528. 

  528. }
    529. 

  529. 

  530. /**
    531. 

  531.  * Creates a new access collection.
    532. 

  532.  *
    533. 

  533.  * Access colletions allow plugins and users to create granular access
    534. 

  534.  * for entities.
    535. 

  535.  *
    536. 

  536.  * Triggers plugin hook 'access:collections:addcollection', 'collection'
    537. 

  537.  *
    538. 

  538.  * @internal Access collections are stored in the access_collections table.
    539. 

  539.  * Memberships to collections are in access_collections_membership.
    540. 

  540.  *
    541. 

  541.  * @param string $name       The name of the collection.
    542. 

  542.  * @param int    $owner_guid The GUID of the owner (default: currently logged in user).
    543. 

  543.  * @param int    $site_guid  The GUID of the site (default: current site).
    544. 

  544.  *
    545. 

  545.  * @return int|false The collection ID if successful and false on failure.
    546. 

  546.  * @link http://docs.elgg.org/Access/Collections
    547. 

  547.  * @see update_access_collection()
    548. 

  548.  * @see delete_access_collection()
    549. 

  549.  */
    550. 

  550. function create_access_collection($name, $owner_guid = 0, $site_guid = 0) {
    551. 

  551. 	global $CONFIG;
    552. 

  552. 

  553. 	$name = trim($name);
    554. 

  554. 	if (empty($name)) {
    555. 

  555. 		return false;
    556. 

  556. 	}
    557. 

  557. 

  558. 	if ($owner_guid == 0) {
    559. 

  559. 		$owner_guid = elgg_get_logged_in_user_guid();
    560. 

  560. 	}
    561. 

  561. 	if (($site_guid == 0) && (isset($CONFIG->site_guid))) {
    562. 

  562. 		$site_guid = $CONFIG->site_guid;
    563. 

  563. 	}
    564. 

  564. 	$name = sanitise_string($name);
    565. 

  565. 

  566. 	$q = "INSERT INTO {$CONFIG->dbprefix}access_collections
    567. 

  567. 		SET name = '{$name}',
    568. 

  568. 			owner_guid = {$owner_guid},
    569. 

  569. 			site_guid = {$site_guid}";
    570. 

  570. 	$id = insert_data($q);
    571. 

  571. 	if (!$id) {
    572. 

  572. 		return false;
    573. 

  573. 	}
    574. 

  574. 

  575. 	$params = array(
    576. 

  576. 		'collection_id' => $id
    577. 

  577. 	);
    578. 

  578. 

  579. 	if (!elgg_trigger_plugin_hook('access:collections:addcollection', 'collection', $params, true)) {
    580. 

  580. 		return false;
    581. 

  581. 	}
    582. 

  582. 

  583. 	return $id;
    584. 

  584. }
    585. 

  585. 

  586. /**
    587. 

  587.  * Updates the membership in an access collection.
    588. 

  588.  *
    589. 

  589.  * @warning Expects a full list of all members that should
    590. 

  590.  * be part of the access collection
    591. 

  591.  *
    592. 

  592.  * @note This will run all hooks associated with adding or removing
    593. 

  593.  * members to access collections.
    594. 

  594.  *
    595. 

  595.  * @param int   $collection_id The ID of the collection.
    596. 

  596.  * @param array $members       Array of member GUIDs
    597. 

  597.  *
    598. 

  598.  * @return bool
    599. 

  599.  * @link http://docs.elgg.org/Access/Collections
    600. 

  600.  * @see add_user_to_access_collection()
    601. 

  601.  * @see remove_user_from_access_collection()
    602. 

  602.  */
    603. 

  603. function update_access_collection($collection_id, $members) {
    604. 

  604. 	$acl = get_access_collection($collection_id);
    605. 

  605. 

  606. 	if (!$acl) {
    607. 

  607. 		return false;
    608. 

  608. 	}
    609. 

  609. 	$members = (is_array($members)) ? $members : array();
    610. 

  610. 

  611. 	$cur_members = get_members_of_access_collection($collection_id, true);
    612. 

  612. 	$cur_members = (is_array($cur_members)) ? $cur_members : array();
    613. 

  613. 

  614. 	$remove_members = array_diff($cur_members, $members);
    615. 

  615. 	$add_members = array_diff($members, $cur_members);
    616. 

  616. 

  617. 	$result = true;
    618. 

  618. 

  619. 	foreach ($add_members as $guid) {
    620. 

  620. 		$result = $result && add_user_to_access_collection($guid, $collection_id);
    621. 

  621. 	}
    622. 

  622. 

  623. 	foreach ($remove_members as $guid) {
    624. 

  624. 		$result = $result && remove_user_from_access_collection($guid, $collection_id);
    625. 

  625. 	}
    626. 

  626. 

  627. 	return $result;
    628. 

  628. }
    629. 

  629. 

  630. /**
    631. 

  631.  * Deletes a specified access collection and its membership.
    632. 

  632.  *
    633. 

  633.  * @param int $collection_id The collection ID
    634. 

  634.  *
    635. 

  635.  * @return bool
    636. 

  636.  * @link http://docs.elgg.org/Access/Collections
    637. 

  637.  * @see create_access_collection()
    638. 

  638.  * @see update_access_collection()
    639. 

  639.  */
    640. 

  640. function delete_access_collection($collection_id) {
    641. 

  641. 	global $CONFIG;
    642. 

  642. 

  643. 	$collection_id = (int) $collection_id;
    644. 

  644. 	$params = array('collection_id' => $collection_id);
    645. 

  645. 

  646. 	if (!elgg_trigger_plugin_hook('access:collections:deletecollection', 'collection', $params, true)) {
    647. 

  647. 		return false;
    648. 

  648. 	}
    649. 

  649. 

  650. 	// Deleting membership doesn't affect result of deleting ACL.
    651. 

  651. 	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
    652. 

  652. 		WHERE access_collection_id = {$collection_id}";
    653. 

  653. 	delete_data($q);
    654. 

  654. 

  655. 	$q = "DELETE FROM {$CONFIG->dbprefix}access_collections
    656. 

  656. 		WHERE id = {$collection_id}";
    657. 

  657. 	$result = delete_data($q);
    658. 

  658. 

  659. 	return (bool)$result;
    660. 

  660. }
    661. 

  661. 

  662. /**
    663. 

  663.  * Get a specified access collection
    664. 

  664.  *
    665. 

  665.  * @note This doesn't return the members of an access collection,
    666. 

  666.  * just the database row of the actual collection.
    667. 

  667.  *
    668. 

  668.  * @see get_members_of_access_collection()
    669. 

  669.  *
    670. 

  670.  * @param int $collection_id The collection ID
    671. 

  671.  *
    672. 

  672.  * @return object|false
    673. 

  673.  */
    674. 

  674. function get_access_collection($collection_id) {
    675. 

  675. 	global $CONFIG;
    676. 

  676. 	$collection_id = (int) $collection_id;
    677. 

  677. 

  678. 	$query = "SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE id = {$collection_id}";
    679. 

  679. 	$get_collection = get_data_row($query);
    680. 

  680. 

  681. 	return $get_collection;
    682. 

  682. }
    683. 

  683. 

  684. /**
    685. 

  685.  * Adds a user to an access collection.
    686. 

  686.  *
    687. 

  687.  * Triggers the 'access:collections:add_user', 'collection' plugin hook.
    688. 

  688.  *
    689. 

  689.  * @param int $user_guid     The GUID of the user to add
    690. 

  690.  * @param int $collection_id The ID of the collection to add them to
    691. 

  691.  *
    692. 

  692.  * @return bool
    693. 

  693.  * @see update_access_collection()
    694. 

  694.  * @see remove_user_from_access_collection()
    695. 

  695.  * @link http://docs.elgg.org/Access/Collections
    696. 

  696.  */
    697. 

  697. function add_user_to_access_collection($user_guid, $collection_id) {
    698. 

  698. 	global $CONFIG;
    699. 

  699. 

  700. 	$collection_id = (int) $collection_id;
    701. 

  701. 	$user_guid = (int) $user_guid;
    702. 

  702. 	$user = get_user($user_guid);
    703. 

  703. 

  704. 	$collection = get_access_collection($collection_id);
    705. 

  705. 

  706. 	if (!($user instanceof Elgguser) || !$collection) {
    707. 

  707. 		return false;
    708. 

  708. 	}
    709. 

  709. 

  710. 	$params = array(
    711. 

  711. 		'collection_id' => $collection_id,
    712. 

  712. 		'user_guid' => $user_guid
    713. 

  713. 	);
    714. 

  714. 

  715. 	$result = elgg_trigger_plugin_hook('access:collections:add_user', 'collection', $params, true);
    716. 

  716. 	if ($result == false) {
    717. 

  717. 		return false;
    718. 

  718. 	}
    719. 

  719. 

  720. 	// if someone tries to insert the same data twice, we do a no-op on duplicate key
    721. 

  721. 	$q = "INSERT INTO {$CONFIG->dbprefix}access_collection_membership
    722. 

  722. 			SET access_collection_id = $collection_id, user_guid = $user_guid
    723. 

  723. 			ON DUPLICATE KEY UPDATE user_guid = user_guid";
    724. 

  724. 	$result = insert_data($q);
    725. 

  725. 

  726. 	return $result !== false;
    727. 

  727. }
    728. 

  728. 

  729. /**
    730. 

  730.  * Removes a user from an access collection.
    731. 

  731.  *
    732. 

  732.  * Triggers the 'access:collections:remove_user', 'collection' plugin hook.
    733. 

  733.  *
    734. 

  734.  * @param int $user_guid     The user GUID
    735. 

  735.  * @param int $collection_id The access collection ID
    736. 

  736.  *
    737. 

  737.  * @return bool
    738. 

  738.  * @see update_access_collection()
    739. 

  739.  * @see remove_user_from_access_collection()
    740. 

  740.  * @link http://docs.elgg.org/Access/Collections
    741. 

  741.  */
    742. 

  742. function remove_user_from_access_collection($user_guid, $collection_id) {
    743. 

  743. 	global $CONFIG;
    744. 

  744. 

  745. 	$collection_id = (int) $collection_id;
    746. 

  746. 	$user_guid = (int) $user_guid;
    747. 

  747. 	$user = get_user($user_guid);
    748. 

  748. 

  749. 	$collection = get_access_collection($collection_id);
    750. 

  750. 

  751. 	if (!($user instanceof Elgguser) || !$collection) {
    752. 

  752. 		return false;
    753. 

  753. 	}
    754. 

  754. 

  755. 	$params = array(
    756. 

  756. 		'collection_id' => $collection_id,
    757. 

  757. 		'user_guid' => $user_guid
    758. 

  758. 	);
    759. 

  759. 

  760. 	if (!elgg_trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) {
    761. 

  761. 		return false;
    762. 

  762. 	}
    763. 

  763. 

  764. 	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
    765. 

  765. 		WHERE access_collection_id = {$collection_id}
    766. 

  766. 			AND user_guid = {$user_guid}";
    767. 

    768. 

  768. 	return (bool)delete_data($q);
    769. 

  769. }
    770. 

  770. 

  771. /**
    772. 

  772.  * Returns an array of database row objects of the access collections owned by $owner_guid.
    773. 

  773.  *
    774. 

  774.  * @param int $owner_guid The entity guid
    775. 

  775.  * @param int $site_guid  The GUID of the site (default: current site).
    776. 

  776.  *
    777. 

  777.  * @return array|false
    778. 

  778.  * @see add_access_collection()
    779. 

  779.  * @see get_members_of_access_collection()
    780. 

  780.  * @link http://docs.elgg.org/Access/Collections
    781. 

  781.  */
    782. 

  782. function get_user_access_collections($owner_guid, $site_guid = 0) {
    783. 

  783. 	global $CONFIG;
    784. 

  784. 	$owner_guid = (int) $owner_guid;
    785. 

  785. 	$site_guid = (int) $site_guid;
    786. 

  786. 

  787. 	if (($site_guid == 0) && (isset($CONFIG->site_guid))) {
    788. 

  788. 		$site_guid = $CONFIG->site_guid;
    789. 

  789. 	}
    790. 

  790. 

  791. 	$query = "SELECT * FROM {$CONFIG->dbprefix}access_collections
    792. 

  792. 			WHERE owner_guid = {$owner_guid}
    793. 

  793. 			AND site_guid = {$site_guid}";
    794. 

    795. 

  795. 	$collections = get_data($query);
    796. 

  796. 

  797. 	return $collections;
    798. 

  798. }
    799. 

  799. 

  800. /**
    801. 

  801.  * Get all of members of an access collection
    802. 

  802.  *
    803. 

  803.  * @param int  $collection The collection's ID
    804. 

  804.  * @param bool $idonly     If set to true, will only return the members' GUIDs (default: false)
    805. 

  805.  *
    806. 

  806.  * @return array ElggUser guids or entities if successful, false if not
    807. 

  807.  * @see add_user_to_access_collection()
    808. 

  808.  * @see http://docs.elgg.org/Access/Collections
    809. 

  809.  */
    810. 

  810. function get_members_of_access_collection($collection, $idonly = FALSE) {
    811. 

  811. 	global $CONFIG;
    812. 

  812. 	$collection = (int)$collection;
    813. 

  813. 

  814. 	if (!$idonly) {
    815. 

  815. 		$query = "SELECT e.* FROM {$CONFIG->dbprefix}access_collection_membership m"
    816. 

  816. 			. " JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid"
    817. 

  817. 			. " WHERE m.access_collection_id = {$collection}";
    818. 

  818. 		$collection_members = get_data($query, "entity_row_to_elggstar");
    819. 

  819. 	} else {
    820. 

  820. 		$query = "SELECT e.guid FROM {$CONFIG->dbprefix}access_collection_membership m"
    821. 

  821. 			. " JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid"
    822. 

  822. 			. " WHERE m.access_collection_id = {$collection}";
    823. 

  823. 		$collection_members = get_data($query);
    824. 

  824. 		if (!$collection_members) {
    825. 

  825. 			return FALSE;
    826. 

  826. 		}
    827. 

  827. 		foreach ($collection_members as $key => $val) {
    828. 

  828. 			$collection_members[$key] = $val->guid;
    829. 

  829. 		}
    830. 

  830. 	}
    831. 

  831. 

  832. 	return $collection_members;
    833. 

  833. }
    834. 

  834. 

  835. /**
    836. 

  836.  * Return entities based upon access id.
    837. 

  837.  *
    838. 

  838.  * @param array $options Any options accepted by {@link elgg_get_entities()} and
    839. 

  839.  * 	access_id => int The access ID of the entity.
    840. 

  840.  *
    841. 

  841.  * @see elgg_get_entities()
    842. 

  842.  * @return mixed If count, int. If not count, array. false on errors.
    843. 

  843.  * @since 1.7.0
    844. 

  844.  */
    845. 

  845. function elgg_get_entities_from_access_id(array $options = array()) {
    846. 

  846. 	// restrict the resultset to access collection provided
    847. 

  847. 	if (!isset($options['access_id'])) {
    848. 

  848. 		return FALSE;
    849. 

  849. 	}
    850. 

  850. 

  851. 	// @todo add support for an array of collection_ids
    852. 

  852. 	$where = "e.access_id = '{$options['access_id']}'";
    853. 

  853. 	if (isset($options['wheres'])) {
    854. 

  854. 		if (is_array($options['wheres'])) {
    855. 

  855. 			$options['wheres'][] = $where;
    856. 

  856. 		} else {
    857. 

  857. 			$options['wheres'] = array($options['wheres'], $where);
    858. 

  858. 		}
    859. 

  859. 	} else {
    860. 

  860. 		$options['wheres'] = array($where);
    861. 

  861. 	}
    862. 

  862. 

  863. 	// return entities with the desired options
    864. 

  864. 	return elgg_get_entities($options);
    865. 

  865. }
    866. 

  866. 

  867. /**
    868. 

  868.  * Lists entities from an access collection
    869. 

  869.  *
    870. 

  870.  * @param array $options See elgg_list_entities() and elgg_get_entities_from_access_id()
    871. 

  871.  * 
    872. 

  872.  * @see elgg_list_entities()
    873. 

  873.  * @see elgg_get_entities_from_access_id()
    874. 

  874.  * 
    875. 

  875.  * @return string
    876. 

  876.  */
    877. 

  877. function elgg_list_entities_from_access_id(array $options = array()) {
    878. 

  878. 	return elgg_list_entities($options, 'elgg_get_entities_from_access_id');
    879. 

  879. }
    880. 

  880. 

  881. /**
    882. 

  882.  * Return the name of an ACCESS_* constant or a access collection,
    883. 

  883.  * but only if the user has write access on that ACL.
    884. 

  884.  *
    885. 

  885.  * @warning This function probably doesn't work how it's meant to.
    886. 

  886.  *
    887. 

  887.  * @param int $entity_access_id The entity's access id
    888. 

  888.  *
    889. 

  889.  * @return string 'Public', 'Private', etc.
    890. 

  890.  * @since 1.7.0
    891. 

  891.  * @todo I think this probably wants get_access_array() instead of get_write_access_array(),
    892. 

  892.  * but those two functions return different types of arrays.
    893. 

  893.  */
    894. 

  894. function get_readable_access_level($entity_access_id) {
    895. 

  895. 	$access = (int) $entity_access_id;
    896. 

  896. 

  897. 	//get the access level for object in readable string
    898. 

  898. 	$options = get_write_access_array();
    899. 

  899. 

  900. 	if (array_key_exists($access, $options)) {
    901. 

  901. 		return $options[$access];
    902. 

  902. 	}
    903. 

  903. 

  904. 	// return 'Limited' if the user does not have access to the access collection
    905. 

  905. 	return elgg_echo('access:limited:label');
    906. 

  906. }
    907. 

  907. 

  908. /**
    909. 

  909.  * Set if entity access system should be ignored.
    910. 

  910.  *
    911. 

  911.  * The access system will not return entities in any getter
    912. 

  912.  * functions if the user doesn't have access.
    913. 

  913.  *
    914. 

  914.  * @internal For performance reasons this is done at the database access clause level.
    915. 

  915.  *
    916. 

  916.  * @tip Use this to access entities in automated scripts
    917. 

  917.  * when no user is logged in.
    918. 

  918.  *
    919. 

  919.  * @note This clears the access cache.
    920. 

  920.  *
    921. 

  921.  * @warning This will not show disabled entities.
    922. 

  922.  * Use {@link access_show_hidden_entities()} to access disabled entities.
    923. 

  923.  *
    924. 

  924.  * @param bool $ignore If true, disables all access checks.
    925. 

  925.  *
    926. 

  926.  * @return bool Previous ignore_access setting.
    927. 

  927.  * @since 1.7.0
    928. 

  928.  * @see http://docs.elgg.org/Access/IgnoreAccess
    929. 

  929.  * @see elgg_get_ignore_access()
    930. 

  930.  */
    931. 

  931. function elgg_set_ignore_access($ignore = true) {
    932. 

  932. 	$cache = _elgg_get_access_cache();
    933. 

  933. 	$cache->clear();
    934. 

  934. 	$elgg_access = elgg_get_access_object();
    935. 

  935. 	return $elgg_access->setIgnoreAccess($ignore);
    936. 

  936. }
    937. 

  937. 

  938. /**
    939. 

  939.  * Get current ignore access setting.
    940. 

  940.  *
    941. 

  941.  * @return bool
    942. 

  942.  * @since 1.7.0
    943. 

  943.  * @see http://docs.elgg.org/Access/IgnoreAccess
    944. 

  944.  * @see elgg_set_ignore_access()
    945. 

  945.  */
    946. 

  946. function elgg_get_ignore_access() {
    947. 

  947. 	return elgg_get_access_object()->getIgnoreAccess();
    948. 

  948. }
    949. 

  949. 

  950. /**
    951. 

  951.  * Decides if the access system should be ignored for a user.
    952. 

  952.  *
    953. 

  953.  * Returns true (meaning ignore access) if either of these 2 conditions are true:
    954. 

  954.  *   1) an admin user guid is passed to this function.
    955. 

  955.  *   2) {@link elgg_get_ignore_access()} returns true.
    956. 

  956.  *
    957. 

  957.  * @see elgg_set_ignore_access()
    958. 

  958.  *
    959. 

  959.  * @param int $user_guid The user to check against.
    960. 

  960.  *
    961. 

  961.  * @return bool
    962. 

  962.  * @since 1.7.0
    963. 

  963.  */
    964. 

  964. function elgg_check_access_overrides($user_guid = 0) {
    965. 

  965. 	if (!$user_guid || $user_guid <= 0) {
    966. 

  966. 		$is_admin = false;
    967. 

  967. 	} else {
    968. 

  968. 		$is_admin = elgg_is_admin_user($user_guid);
    969. 

  969. 	}
    970. 

  970. 

  971. 	return ($is_admin || elgg_get_ignore_access());
    972. 

  972. }
    973. 

  973. 

  974. /**
    975. 

  975.  * Returns the ElggAccess object.
    976. 

  976.  *
    977. 

  977.  * // @todo comment is incomplete
    978. 

  978.  * This is used to
    979. 

  979.  *
    980. 

  980.  * @return ElggAccess
    981. 

  981.  * @since 1.7.0
    982. 

  982.  * @access private
    983. 

  983.  */
    984. 

  984. function elgg_get_access_object() {
    985. 

  985. 	static $elgg_access;
    986. 

  986. 

  987. 	if (!$elgg_access) {
    988. 

  988. 		$elgg_access = new ElggAccess();
    989. 

  989. 	}
    990. 

  990. 

  991. 	return $elgg_access;
    992. 

  992. }
    993. 

  993. 

  994. /**
    995. 

  995.  * A flag to set if Elgg's access initialization is finished.
    996. 

  996.  *
    997. 

  997.  * @global bool $init_finished
    998. 

  998.  * @access private
    999. 

  999.  * @todo This is required to tell the access system to start caching because
    1000. 

  1000.  * calls are made while in ignore access mode and before the user is logged in.
    1001. 

  1001.  */
    1002. 

  1002. $init_finished = false;
    1003. 

  1003. 

  1004. /**
    1005. 

  1005.  * A quick and dirty way to make sure the access permissions have been correctly set up
    1006. 

  1006.  *
    1007. 

  1007.  * @elgg_event_handler init system
    1008. 

  1008.  * @todo Invesigate
    1009. 

  1009.  *
    1010. 

  1010.  * @return void
    1011. 

  1011.  */
    1012. 

  1012. function access_init() {
    1013. 

  1013. 	global $init_finished;
    1014. 

  1014. 	$init_finished = true;
    1015. 

  1015. }
    1016. 

  1016. 

  1017. /**
    1018. 

  1018.  * Overrides the access system if appropriate.
    1019. 

  1019.  *
    1020. 

  1020.  * Allows admin users and calls after {@link elgg_set_ignore_access} to
    1021. 

  1021.  * bypass the access system.
    1022. 

  1022.  *
    1023. 

  1023.  * Registered for the 'permissions_check', 'all' and the 
    1024. 

  1024.  * 'container_permissions_check', 'all' plugin hooks.
    1025. 

  1025.  *
    1026. 

  1026.  * Returns true to override the access system or null if no change is needed.
    1027. 

  1027.  *
    1028. 

  1028.  * @param string $hook
    1029. 

  1029.  * @param string $type
    1030. 

  1030.  * @param bool $value
    1031. 

  1031.  * @param array $params
    1032. 

  1032.  * @return true|null
    1033. 

  1033.  * @access private
    1034. 

  1034.  */
    1035. 

  1035. function elgg_override_permissions($hook, $type, $value, $params) {
    1036. 

  1036. 	$user = elgg_extract('user', $params);
    1037. 

  1037. 	if ($user) {
    1038. 

  1038. 		$user_guid = $user->getGUID();
    1039. 

  1039. 	} else {
    1040. 

  1040. 		$user_guid = elgg_get_logged_in_user_guid();
    1041. 

  1041. 	}
    1042. 

  1042. 

  1043. 	// don't do this so ignore access still works with no one logged in
    1044. 

  1044. 	//if (!$user instanceof ElggUser) {
    1045. 

  1045. 	//	return false;
    1046. 

  1046. 	//}
    1047. 

  1047. 

  1048. 	// check for admin
    1049. 

  1049. 	if ($user_guid && elgg_is_admin_user($user_guid)) {
    1050. 

  1050. 		return true;
    1051. 

  1051. 	}
    1052. 

  1052. 

  1053. 	// check access overrides
    1054. 

  1054. 	if ((elgg_check_access_overrides($user_guid))) {
    1055. 

  1055. 		return true;
    1056. 

  1056. 	}
    1057. 

  1057. 

  1058. 	// consult other hooks
    1059. 

  1059. 	return NULL;
    1060. 

  1060. }
    1061. 

  1061. 

  1062. /**
    1063. 

  1063.  * Runs unit tests for the entities object.
    1064. 

  1064.  *
    1065. 

  1065.  * @param string $hook
    1066. 

  1066.  * @param string $type
    1067. 

  1067.  * @param array $value
    1068. 

  1068.  * @param array $params
    1069. 

  1069.  * @return array
    1070. 

  1070.  *
    1071. 

  1071.  * @access private
    1072. 

  1072.  */
    1073. 

  1073. function access_test($hook, $type, $value, $params) {
    1074. 

  1074. 	global $CONFIG;
    1075. 

  1075. 	$value[] = $CONFIG->path . 'engine/tests/ElggCoreAccessCollectionsTest.php';
    1076. 

  1076. 	return $value;
    1077. 

  1077. }
    1078. 

  1078. 

  1079. // Tell the access functions the system has booted, plugins are loaded,
    1080. 

  1080. // and the user is logged in so it can start caching
    1081. 

  1081. elgg_register_event_handler('ready', 'system', 'access_init');
    1082. 

  1082. 

  1083. // For overrided permissions
    1084. 

  1084. elgg_register_plugin_hook_handler('permissions_check', 'all', 'elgg_override_permissions');
    1085. 

  1085. elgg_register_plugin_hook_handler('container_permissions_check', 'all', 'elgg_override_permissions');
    1086. 

  1086. 

  1087. elgg_register_plugin_hook_handler('unit_test', 'system', 'access_test');
    1088.