-rw-r--r--engine/lib/entities.php8
-rw-r--r--engine/lib/metadata.php49
2 files changed, 46 insertions, 11 deletions
diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index eba5b8a4d..9d7f98079 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -681,10 +681,10 @@
// TODO Make sure this deletes all metadata/annotations/relationships/etc!!
$guid = (int)$guid;
-
- $access = get_access_list();
-
- return delete_data("DELETE from {$CONFIG->dbprefix}entities where where guid=$guid and (access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']}))");
+ $entity = get_entity($guid);
+
+ if ($entity->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}entities where where guid=$guid");
}
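Review bot: `get_entity($guid)` is dereferenced without a check, so a GUID that does not resolve to an entity would presumably end in a fatal error on `$entity->canEdit()` rather than a refused delete; the hunk at `@@ -346,8 +378,11 @@` in metadata.php already guards this with `if ($entity = get_entity($entity_guid))`, while the hunk at `@@ -244,10 +275,11 @@` has the same gap with `$metadata->canEdit()` after `get_metadata($id)`. I would write `if (($entity = get_entity($guid)) && $entity->canEdit())` and end the function with `return false;` so a denied delete returns an explicit value instead of falling off the end. The new query also keeps the doubled keyword in `where where guid=$guid`, which is not valid SQL, so the delete likely fails even for a permitted caller. The enclosing function starts outside the hunk.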
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 37a89f09e..99153a98a 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -72,9 +72,40 @@
{
return delete_metadata($this->id);
}
+
+ /**
+ * Determines whether or not the specified user can edit this
+ *
+ * @param int $user_guid The GUID of the user (defaults to currently logged in user)
+ * @return true|false
+ */
+ function canEdit($user_guid = 0) {
+ return can_edit_metadata($this->id,$user_guid);
+ }
}
-
+
+ /**
+ * Determines whether or not the specified user can edit the specified piece of metadata
+ *
+ * @param int $metadata_id The ID of the piece of metadata
+ * @param int $user_guid The GUID of the user
+ * @return true|false
+ */
+ function can_edit_metadata($metadata_id, $user_guid = 0) {
+
+ if ($user_guid == 0) {
+ $user = $_SESSION['user'];
+ } else {
+ $user = get_entity($user_guid);
+ }
+ $metadata = get_metadata($metadata_id);
+
+ if ($metadata->owner_guid == $user->getGUID()) return true;
+
+ return trigger_plugin_hook('permissions_check','metadata',array('entity' => $entity, 'user' => $user),false);
+
+ }
/**
* Convert a database row to a new ElggMetadata
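Review bot: `can_edit_metadata()` passes `'entity' => $entity` to `trigger_plugin_hook`, but `$entity` is never assigned in this function, so every `permissions_check` handler receives an undefined value and cannot base its decision on the object being edited; presumably `$metadata` was meant, as in `array('entity' => $metadata, 'user' => $user)`. The owner comparison also dereferences `$user` and `$metadata` unchecked: without a logged-in session `$_SESSION['user']` is unset, and `get_entity()` or `get_metadata()` may return nothing, so `$user->getGUID()` or `$metadata->owner_guid` fails instead of denying. A guard such as `if (!$user || !$metadata) return false;` ahead of the comparison makes the permission check fail closed.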
@@ -244,10 +275,11 @@
{
global $CONFIG;
- $id = (int)$id;
- $access = get_access_list();
-
- return delete_data("DELETE from {$CONFIG->dbprefix}metadata where id=$id and (access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']}))");
+ $id = (int)$id;
+ $metadata = get_metadata($id);
+
+ if ($metadata->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}metadata where id=$id");
}
@@ -346,8 +378,11 @@
global $CONFIG;
$entity_guid = (int)$entity_guid;
-
- return delete_data("DELETE from {$CONFIG->dbprefix}metadata where entity_guid=$entity_guid and access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']})");
+ if ($entity = get_entity($entity_guid)) {
+ if ($entity->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}metadata where entity_guid={$entity_guid}");
+ }
+ return false;
}
/**