
function sbp_attach_sbp_query_modify in Search by Page 6

Same name and namespace in other branches
  1. 7 sbp_attach.module \sbp_attach_sbp_query_modify()

Implementation of Search by Page hook_sbp_query_modify().

Adds an access permission check to the search query.

File

./sbp_attach.module, line 183
Module file for Search by Page Attachments, a sub-module for Search by Page.

Code

/**
 * Implementation of Search by Page hook_sbp_query_modify().
 *
 * Builds the SQL fragments that limit attachment search results to files the
 * current user may view: a per-source file permission check, plus a join to
 * the owning node so that only published, node-access-visible nodes match.
 *
 * @param $environment
 *   Search environment, passed to search_by_page_setting_get() to read the
 *   'sbp_attach_field_types' setting.
 *
 * @return
 *   Array with keys 'join' and 'where' (SQL fragments) and 'arguments'
 *   (one value per %s placeholder in 'where', in order).
 */
function sbp_attach_sbp_query_modify($environment) {

  // A file is only visible if the node it is attached to is visible. The
  // "only listed" option is not handled here; it is checked at indexing
  // time. Files from the Uploads module also need that module's general
  // 'view uploaded files' permission.
  $may_see_uploads = user_access('view uploaded files');

  // CCK FileField files: start from the generic "access content" permission
  // and deny by default. The conditions are written as comparisons because
  // PostgreSQL does not treat integers as booleans.
  $cck_condition = user_access('access content') ? '1=1' : '0=1';
  $cck_arguments = array();

  if (module_exists('content_permissions')) {

    // Per-field permissions replace the generic check computed above.
    $fields = search_by_page_setting_get('sbp_attach_field_types', $environment, array());
    if (is_array($fields) && count($fields)) {
      // One clause per enabled field this user may view. The field name is
      // passed as an argument for the %s placeholder, not concatenated into
      // the SQL text.
      $allowed = array();
      foreach ($fields as $fieldname => $enabled) {
        if ($enabled && user_access('view ' . $fieldname)) {
          $allowed[] = '(saf.fieldname = \'%s\')';
          $cck_arguments[] = $fieldname;
        }
      }
      // Stays empty when no field is viewable; the CCK clause is then left
      // out of the file condition below.
      $cck_condition = implode(' OR ', $allowed);
    }
    else {
      // NOTE(review): with no field list this condition is always true and
      // discards the "access content" result from above. Presumably harmless
      // because no CCK field is configured -- confirm.
      $cck_condition = '0=0';
    }
  }

  // File permission terms are OR-ed together, starting from "match nothing".
  $file_terms = array('0=1');
  if ($may_see_uploads) {
    $file_terms[] = '(saf.source = \'upload\')';
  }
  if ($cck_condition) {
    $file_terms[] = '(saf.source = \'cck\' AND (' . $cck_condition . '))';
  }

  // All top-level conditions are AND-ed together.
  $conditions = array('1=1', '(' . implode(' OR ', $file_terms) . ')');

  // Get node access permissions from db_rewrite_sql().
  $rewrite = search_by_page_unique_rewrite('sbpa_');

  // Join the node table. PostgreSQL does not support () around simple joins,
  // so parentheses are only used when there is rewrite SQL to wrap.
  if ($rewrite[0]) {
    $node_join = ' INNER JOIN ({node} sbpa_n ' . $rewrite[0] . ')';
  }
  else {
    $node_join = ' INNER JOIN {node} sbpa_n';
  }

  // Only published nodes, plus whatever db_rewrite_sql() added.
  $conditions[] = 'sbpa_n.status = 1';
  if ($rewrite[1]) {
    $conditions[] = $rewrite[1];
  }

  return array(
    'join' => ' LEFT JOIN ({sbpa_files} saf ' . $node_join . ' ON sbpa_n.nid = saf.nid AND sbpa_n.vid = saf.vid ' . ') ON sp.modid = saf.fid',
    'where' => implode(' AND ', $conditions),
    'arguments' => $cck_arguments,
  );
}