function oa_core_query_media_browser_alter in Open Atrium Core 7.2

Implements hook_query_media_browser_alter(). Add private file access support to media browser

File

includes/oa_core.access.inc, line 475

Code for Access Control functions for OpenAtrium spaces

Code

function oa_core_query_media_browser_alter(QueryAlterableInterface $query) {
  if (!user_access('administer nodes') && module_implements('node_grants')) {

    // first, remove the existing condition from media.media.inc that prevents private files
    $where =& $query
      ->conditions();
    foreach ($where as $delta => $condition) {
      if (isset($condition['value']) && isset($condition['operator']) && $condition['value'] == 'private://%' && $condition['operator'] == 'NOT LIKE') {
        unset($where[$delta]);
        break;
      }
    }

    // next, add a proper node_access query restriction
    $or = db_or();

    // Ensure that the query is against the file_managed table.
    $tables = $query
      ->getTables();
    if (empty($tables['file_managed'])) {
      throw new Exception(t('Media browser being queried without the file_managed table.'));
    }
    $alias = $tables['file_managed']['alias'];

    // get down to which node has the attachment
    $query
      ->addJoin('LEFT', 'field_data_field_oa_media', 'media_field', "media_field.field_oa_media_fid = {$alias}.fid AND media_field.entity_type = 'node'");
    $query
      ->addJoin('LEFT', 'node', 'node', "node.nid = media_field.entity_id");
    $query
      ->addJoin('LEFT', 'node_access', 'node_access', "node.nid = node_access.nid");

    // this is from views_handler_filter_node_access.inc
    // cannot just use the addTag('node access') because base table of query is not node
    $table = 'node_access';
    $grants = db_or();
    foreach (node_access_grants('view') as $realm => $gids) {
      foreach ($gids as $gid) {
        $grants
          ->condition(db_and()
          ->condition($table . '.gid', $gid)
          ->condition($table . '.realm', $realm));
      }
    }
    $or
      ->condition(db_and()
      ->condition($grants)
      ->condition($table . '.grant_view', 1, '>='));

    // finally, put back the "private" condition as an OR state for public files
    $or
      ->condition($alias . '.uri', db_like('private://') . '%', 'NOT LIKE');
    $query
      ->condition($or);
  }
}