You are here

function fillpdf_merge_pdf_access in FillPDF 7

Same name and namespace in other branches
  1. 6 fillpdf.module \fillpdf_merge_pdf_access()
  2. 7.2 fillpdf.module \fillpdf_merge_pdf_access()

Make sure the user has access to data they want to populate the PDF.

@todo Support passing $account, for testability.

Parameters

array $nodes:

array $webforms:

array $uc_orders:

array $uc_order_products:

array $entities:

Return value

bool Whether the user has access.

2 calls to fillpdf_merge_pdf_access()
fillpdf_file_download in ./fillpdf.module
Implements hook_file_download().
fillpdf_merge_pdf in ./fillpdf.module
Constructs a page and sends it to the browser or saves it.

File

./fillpdf.module, line 1271

Code

function fillpdf_merge_pdf_access($nodes = array(), $webforms = array(), $uc_orders = array(), $uc_order_products = array(), $entities = array()) {
  if (user_access('administer pdfs') || user_access('publish all pdfs')) {
    return TRUE;
  }
  if (!user_access('publish own pdfs')) {
    return FALSE;
  }
  global $user;
  $account = user_load($user->uid);
  if (empty($webforms)) {
    foreach ($nodes as $node) {

      // Own node?
      // @todo It's probably enough to check node_access() here. Figure out what the expected behavior should be, write a test, and remove the second condition if it isn't needed. Otherwise, add an appropriate comment. The permission is called "publish own pdfs", but it's really "publish pdfs" (without it or better, no PDFs can be published despite access).
      if (!node_access('view', $node) || $node->uid != $user->uid) {
        return FALSE;
      }
    }
  }
  else {
    foreach ($webforms as $webform) {

      // In this case, we only care that they can view the Webform.
      if (!node_access('view', node_load($webform['webform']->nid))) {
        return FALSE;
      }
    }
  }

  // Own webform submission?
  if (!empty($webforms)) {
    foreach ($webforms as $webform) {
      if (!webform_submission_access($webform['webform'], $webform['submission'], 'view')) {
        return FALSE;
      }
    }
  }

  // Access to order?
  if (!empty($uc_orders)) {
    foreach ($uc_orders as $uc_order) {
      $order_status = $uc_order->order_status;

      // KLUDGE: Ubercart 3 seems to check its own view all orders permission
      // incorrectly, so we check it manually as well. Not less secure.
      if ((!uc_order_order_entity_access('view', $uc_order, $account) || !user_access("publish {$order_status} order data")) && !user_access('view all orders')) {
        return FALSE;
      }
    }
  }

  // Access to order product?
  if (!empty($uc_order_products)) {
    foreach ($uc_order_products as $uc_order_product) {
      $order = uc_order_load($uc_order_product->order_id);
      $order_status = $order->order_status;

      // KLUDGE: Ubercart 3 seems to check its own view all orders permission
      // incorrectly, so we check it manually as well. Not less secure.
      if ((!uc_order_order_product_access('view', $uc_order_product, $account) || !user_access("publish {$order_status} order data")) && !user_access('view all orders')) {
        return FALSE;
      }
    }
  }

  // Access to entities?
  if (!empty($entities)) {
    foreach ($entities as $entity_type => $entities_of_type) {
      foreach ($entities_of_type as $entity_id => $entity) {
        if (!entity_access('view', $entity_type, $entity, $account)) {
          return FALSE;
        }
      }
    }
  }

  // If no access checks have failed by this point, this must be a sample PDF,
  // and we allow it.
  return TRUE;
}