Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/entities.php | 8 | ||||
-rw-r--r-- | engine/lib/metadata.php | 49 |
2 files changed, 46 insertions, 11 deletions
diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index eba5b8a4d..9d7f98079 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -681,10 +681,10 @@
 // TODO Make sure this deletes all metadata/annotations/relationships/etc!!
 $guid = (int)$guid;
-
- $access = get_access_list();
-
- return delete_data("DELETE from {$CONFIG->dbprefix}entities where where guid=$guid and (access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']}))");
+ $entity = get_entity($guid);
+
+ if ($entity->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}entities where where guid=$guid");
 }
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 37a89f09e..99153a98a 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -72,9 +72,40 @@
 {
 return delete_metadata($this->id);
 }
+
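Review bot: `$entity->canEdit()` on the new side is called without checking that `get_entity($guid)` returned an object, so a guid that no longer exists (or is not readable by the caller) produces a fatal "call to a member function on a non-object" instead of a denial, and when `canEdit()` is false the function now falls off the end and returns null where the old code returned the `delete_data()` result. The same shape recurs in the @@ -244 hunk of metadata.php; the @@ -346 hunk already guards the lookup and is the pattern to follow. Suggested: `if (!$entity || !$entity->canEdit()) return false;` followed by `return delete_data("DELETE from {$CONFIG->dbprefix}entities where guid=$guid");`, which also drops the doubled `where where` the new line carries over from the old query and which makes the statement a SQL syntax error. This assumes the entity class exposes a `canEdit()` like the one this commit adds to ElggMetadata; the enclosing delete function starts outside the hunk.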
+ /**
+ * Determines whether or not the specified user can edit this
+ *
+ * @param int $user_guid The GUID of the user (defaults to currently logged in user)
+ * @return true|false
+ */
+ function canEdit($user_guid = 0) {
+ return can_edit_metadata($this->id,$user_guid);
+ }
 }
-
+
+ /**
+ * Determines whether or not the specified user can edit the specified piece of metadata
+ *
+ * @param int $metadata_id The ID of the piece of metadata
+ * @param int $user_guid The GUID of the user
+ * @return true|false
+ */
+ function can_edit_metadata($metadata_id, $user_guid = 0) {
+
+ if ($user_guid == 0) {
+ $user = $_SESSION['user'];
+ } else {
+ $user = get_entity($user_guid);
+ }
+ $metadata = get_metadata($metadata_id);
+
+ if ($metadata->owner_guid == $user->getGUID()) return true;
+
+ return trigger_plugin_hook('permissions_check','metadata',array('entity' => $entity, 'user' => $user),false);
+
+ }
 /**
 * Convert a database row to a new ElggMetadata
@@ -244,10 +275,11 @@
 {
 global $CONFIG;
- $id = (int)$id;
- $access = get_access_list();
-
- return delete_data("DELETE from {$CONFIG->dbprefix}metadata where id=$id and (access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']}))");
+ $id = (int)$id;
+ $metadata = get_metadata($id);
+
+ if ($metadata->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}metadata where id=$id");
 }
@@ -346,8 +378,11 @@
 global $CONFIG;
 $entity_guid = (int)$entity_guid;
-
- return delete_data("DELETE from {$CONFIG->dbprefix}metadata where entity_guid=$entity_guid and access_id in {$access} or (access_id = 0 and owner_guid = {$_SESSION['id']})");
+ if ($entity = get_entity($entity_guid)) {
+ if ($entity->canEdit())
+ return delete_data("DELETE from {$CONFIG->dbprefix}metadata where entity_guid={$entity_guid}");
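Review bot: `can_edit_metadata` passes `'entity' => $entity` to the `permissions_check` hook, but `$entity` is never assigned in this function — the object it looked up is `$metadata` — so every plugin deciding the permission receives a null entity and the non-owner path silently degrades to the hook's default of false. The owner shortcut also dereferences `$_SESSION['user']` and the result of `get_metadata()` without checking either exists, so an anonymous caller or a stale id produces a fatal error rather than a denial. Suggested rewrite below keeps the signature and the `== 0` default convention used by the new `canEdit()` method above it.
```php
	function can_edit_metadata($metadata_id, $user_guid = 0) {
		if ($user_guid == 0) {
			$user = isset($_SESSION['user']) ? $_SESSION['user'] : null;
		} // … unchanged: else branch via get_entity($user_guid), then the get_metadata($metadata_id) lookup …

		// Deny outright when the caller is anonymous or the id does not resolve
		if (!$user || !$metadata) return false;
		// … unchanged: owner shortcut …

		return trigger_plugin_hook('permissions_check', 'metadata', array('entity' => $metadata, 'user' => $user), false);
	}
```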
+ }
+ return false;
 }
 /** |
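Review bot: The bulk delete now authorises on the parent entity's `canEdit()` alone, whereas the removed query filtered each metadata row by its own access_id and owner, so rows a user could not touch individually are removed in one statement once the entity itself is editable. If that is the intended rule, the function's docblock (outside the hunk) should say so, e.g. `@note Removes every metadata row attached to the entity; the permission check is made on the entity, not on each row.` The `return false` fall-through for a missing or non-editable entity is the right shape here. The enclosing function's signature starts outside the hunk.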