diff options
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/access.php | 1435 | ||||
-rw-r--r-- | engine/lib/sessions.php | 1301 |
2 files changed, 1401 insertions, 1335 deletions
diff --git a/engine/lib/access.php b/engine/lib/access.php index 80348a692..b39cb1455 100644 --- a/engine/lib/access.php +++ b/engine/lib/access.php @@ -1,739 +1,758 @@ <?php +/** + * Elgg access permissions + * For users, objects, collections and all metadata + * + * @package Elgg + * @subpackage Core - /** - * Elgg access permissions - * For users, objects, collections and all metadata - * - * @package Elgg - * @subpackage Core - - * @author Curverider Ltd - - * @link http://elgg.org/ - */ - - /** - * Get the list of access restrictions the given user is allowed to see on this site - * - * @uses get_access_array - * @param int $user_id User ID; defaults to currently logged in user - * @param int $site_id Site ID; defaults to current site - * @param boolean $flush If set to true, will refresh the access list from the database - * @return string A list of access collections suitable for injection in an SQL call - */ - function get_access_list($user_id = 0, $site_id = 0, $flush = false) { - - global $CONFIG, $init_finished, $SESSION; - static $access_list; - - if (!isset($access_list) || !$init_finished) - $access_list = array(); - - if ($user_id == 0) $user_id = $SESSION['id']; - if (($site_id == 0) && (isset($CONFIG->site_id))) $site_id = $CONFIG->site_id; - $user_id = (int) $user_id; - $site_id = (int) $site_id; - - if (isset($access_list[$user_id])) return $access_list[$user_id]; - - $access_list[$user_id] = "(" . implode(",",get_access_array($user_id, $site_id, $flush)) . ")"; - - return $access_list[$user_id]; - - } - - /** - * Gets an array of access restrictions the given user is allowed to see on this site - * - * @param int $user_id User ID; defaults to currently logged in user - * @param int $site_id Site ID; defaults to current site - * @param boolean $flush If set to true, will refresh the access list from the database - * @return array An array of access collections suitable for injection in an SQL call - */ - function get_access_array($user_id = 0, $site_id = 0, $flush = false) { - - global $CONFIG, $init_finished; - static $access_array, $acm, $ac; // Caches. $ac* flag whether we have executed a query previously, and stop it being run again if no data is returned. - - if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished)) - $access_array = array(); - - if ($user_id == 0) $user_id = get_loggedin_userid(); - - if (($site_id == 0) && (isset($CONFIG->site_guid))) $site_id = $CONFIG->site_guid; - $user_id = (int) $user_id; - $site_id = (int) $site_id; - - if (empty($access_array[$user_id]) || $flush == true) { - - $query = "SELECT am.access_collection_id FROM {$CONFIG->dbprefix}access_collection_membership am "; - $query .= " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id "; - $query .= " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; - - $tmp_access_array = array(ACCESS_PUBLIC); - if (isloggedin()) { - $tmp_access_array[] = ACCESS_LOGGED_IN; - - // The following can only return sensible data if the user is logged in. - - if ($collections = get_data($query)) { - foreach($collections as $collection) - if (!empty($collection->access_collection_id)) $tmp_access_array[] = $collection->access_collection_id; - - } - - $query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag "; - $query .= " WHERE ag.owner_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; - - if ($collections = get_data($query)) { - foreach($collections as $collection) - if (!empty($collection->id)) $tmp_access_array[] = $collection->id; - } - - - global $is_admin; - - if (isset($is_admin) && $is_admin == true) { - $tmp_access_array[] = ACCESS_PRIVATE; - } + * @author Curverider Ltd + + * @link http://elgg.org/ + */ + +/** + * Return a string of access_ids for $user_id appropriate for inserting into an SQL IN clause. + * + * @uses get_access_array + * @param int $user_id User ID; defaults to currently logged in user + * @param int $site_id Site ID; defaults to current site + * @param boolean $flush If set to true, will refresh the access list from the database + * @return string A list of access collections suitable for injection in an SQL call + */ +function get_access_list($user_id = 0, $site_id = 0, $flush = false) { + global $CONFIG, $init_finished, $SESSION; + static $access_list; + + if (!isset($access_list) || !$init_finished) { + $access_list = array(); + } + + if ($user_id == 0) { + $user_id = $SESSION['id']; + } + + if (($site_id == 0) && (isset($CONFIG->site_id))) { + $site_id = $CONFIG->site_id; + } + $user_id = (int) $user_id; + $site_id = (int) $site_id; + + if (isset($access_list[$user_id])) { + return $access_list[$user_id]; + } + + $access_list[$user_id] = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")"; + + return $access_list[$user_id]; +} + +/** + * Gets an array of access restrictions the given user is allowed to see on this site + * + * @param int $user_id User ID; defaults to currently logged in user + * @param int $site_id Site ID; defaults to current site + * @param boolean $flush If set to true, will refresh the access list from the database + * @return array An array of access collections suitable for injection in an SQL call + */ +function get_access_array($user_id = 0, $site_id = 0, $flush = false) { + global $CONFIG, $init_finished; + + // @todo everything from the db is cached. + // this cache might be redundant. + static $access_array; + + if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished)) { + $access_array = array(); + } + + if ($user_id == 0) { + $user_id = get_loggedin_userid(); + } + + if (($site_id == 0) && (isset($CONFIG->site_guid))) { + $site_id = $CONFIG->site_guid; + } + + $user_id = (int) $user_id; + $site_id = (int) $site_id; + + if (empty($access_array[$user_id]) || $flush == true) { + $tmp_access_array = array(ACCESS_PUBLIC); + if (isloggedin()) { + $tmp_access_array[] = ACCESS_LOGGED_IN; + + // The following can only return sensible data if the user is logged in. + + // Get ACL memberships + $query = "SELECT am.access_collection_id FROM {$CONFIG->dbprefix}access_collection_membership am "; + $query .= " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id "; + $query .= " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; - $access_array[$user_id] = $tmp_access_array; + if ($collections = get_data($query)) { + foreach($collections as $collection) { + if (!empty($collection->access_collection_id)) { + $tmp_access_array[] = $collection->access_collection_id; + } } - else - $tmp_return = $tmp_access_array; // No user id logged in so we can only access public info - - - } else { - $tmp_access_array = $access_array[$user_id]; - } - - $tmp_return = $access_array[$user_id]; - - return trigger_plugin_hook('access:collections:read','user',array('user_id' => $user_id, 'site_id' => $site_id),$tmp_access_array); - } - - /** - * Gets the default access permission for new content - * - * @return int default access id (see ACCESS defines in elgglib.php) - */ - function get_default_access($user=null) - { - global $CONFIG; - - if (!$CONFIG->allow_user_default_access) { - return $CONFIG->default_access; } - - if (!$user) { - if (isloggedin()) { - $user = $_SESSION['user']; - } else { - return $CONFIG->default_access; + + // Get ACLs owned. + $query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag "; + $query .= " WHERE ag.owner_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; + + if ($collections = get_data($query)) { + foreach($collections as $collection) { + if (!empty($collection->id)) { + $tmp_access_array[] = $collection->id; + } } } - - if (false !== ($default_access = $user->getPrivateSetting('elgg_default_access'))) { - return $default_access; - } else { - return $CONFIG->default_access; + + $is_admin = is_admin_user($user_id); + + if ($is_admin == true) { + $tmp_access_array[] = ACCESS_PRIVATE; } + + $access_array[$user_id] = $tmp_access_array; + } else { + // No user id logged in so we can only access public info + $tmp_return = $tmp_access_array; } - - /** - * Override the default behaviour and allow results to show hidden entities as well. - * THIS IS A HACK. - * - * TODO: Replace this with query object! - */ - $ENTITY_SHOW_HIDDEN_OVERRIDE = false; - - /** - * This will be replaced. Do not use in plugins! - * - * @param bool $show - */ - function access_show_hidden_entities($show_hidden) - { - global $ENTITY_SHOW_HIDDEN_OVERRIDE; - $ENTITY_SHOW_HIDDEN_OVERRIDE = $show_hidden; - } - - /** - * This will be replaced. Do not use in plugins! - */ - function access_get_show_hidden_status() - { - global $ENTITY_SHOW_HIDDEN_OVERRIDE; - return $ENTITY_SHOW_HIDDEN_OVERRIDE; - } - - /** - * Add annotation restriction - * - * Returns an SQL fragment that is true (or optionally false) if the given user has - * added an annotation with the given name to the given entity. - * - * TODO: This is fairly generic so perhaps it could be moved to annotations.php - * - * @param string $annotation_name name of the annotation - * @param string $entity_guid SQL string that evaluates to the GUID of the entity the annotation should be attached to - * @param string $owner_guid SQL string that evaluates to the GUID of the owner of the annotation * - * @param boolean $exists If set to true, will return true if the annotation exists, otherwise returns false - * @return string An SQL fragment suitable for inserting into a WHERE clause - */ - - function get_annotation_sql($annotation_name,$entity_guid,$owner_guid,$exists) { - global $CONFIG; - - if ($exists) { - $not = ''; - } else { - $not = 'NOT'; - } - - $sql = <<<END -$not EXISTS (SELECT * FROM {$CONFIG->dbprefix}annotations a + + } else { + + $tmp_access_array = $access_array[$user_id]; + } + + $tmp_return = $access_array[$user_id]; + + return trigger_plugin_hook('access:collections:read','user',array('user_id' => $user_id, 'site_id' => $site_id),$tmp_access_array); +} + +/** + * Gets the default access permission for new content + * + * @return int default access id (see ACCESS defines in elgglib.php) + */ +function get_default_access(ElggUser $user = null) { + global $CONFIG; + + if (!$CONFIG->allow_user_default_access) { + return $CONFIG->default_access; + } + + if (!($user) || (!$user = get_loggedin_user())) { + return $CONFIG->default_access; + } + + if (false !== ($default_access = $user->getPrivateSetting('elgg_default_access'))) { + return $default_access; + } else { + return $CONFIG->default_access; + } +} + +/** + * Override the default behaviour and allow results to show hidden entities as well. + * THIS IS A HACK. + * + * TODO: Replace this with query object! + */ +$ENTITY_SHOW_HIDDEN_OVERRIDE = false; + +/** + * This will be replaced. Do not use in plugins! + * + * @param bool $show + */ +function access_show_hidden_entities($show_hidden) { + global $ENTITY_SHOW_HIDDEN_OVERRIDE; + $ENTITY_SHOW_HIDDEN_OVERRIDE = $show_hidden; +} + +/** + * This will be replaced. Do not use in plugins! + */ +function access_get_show_hidden_status() { + global $ENTITY_SHOW_HIDDEN_OVERRIDE; + return $ENTITY_SHOW_HIDDEN_OVERRIDE; +} + +/** + * Add annotation restriction + * + * Returns an SQL fragment that is true (or optionally false) if the given user has + * added an annotation with the given name to the given entity. + * + * TODO: This is fairly generic so perhaps it could be moved to annotations.php + * + * @param string $annotation_name name of the annotation + * @param string $entity_guid SQL string that evaluates to the GUID of the entity the annotation should be attached to + * @param string $owner_guid SQL string that evaluates to the GUID of the owner of the annotation * + * @param boolean $exists If set to true, will return true if the annotation exists, otherwise returns false + * @return string An SQL fragment suitable for inserting into a WHERE clause + */ +function get_annotation_sql($annotation_name, $entity_guid, $owner_guid, $exists) { + global $CONFIG; + + if ($exists) { + $not = ''; + } else { + $not = 'NOT'; + } + + $sql = <<<END +$not EXISTS (SELECT * FROM {$CONFIG->dbprefix}annotations a INNER JOIN {$CONFIG->dbprefix}metastrings ms ON (a.name_id = ms.id) WHERE ms.string = '$annotation_name' AND a.entity_guid = $entity_guid AND a.owner_guid = $owner_guid) END; - return $sql; - } - - /** - * Add access restriction sql code to a given query. - * - * Note that if this code is executed in privileged mode it will return blank. - * - * TODO: DELETE once Query classes are fully integrated - * - * @param string $table_prefix Optional xxx. prefix for the access code. - */ - function get_access_sql_suffix($table_prefix = "",$owner=null) - { - global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG; - - $sql = ""; - $friends_bit = ""; - $enemies_bit = ""; - - if ($table_prefix) - $table_prefix = sanitise_string($table_prefix) . "."; - - if (!isset($owner)) { - $owner = get_loggedin_userid(); - } - - // do NOT use $is_admin global here, since that only checks against - // the current logged in user. - // Can't use metadata here because because of recursion. - // (get_entity, get_*() calls this function.) - if (!$owner) { - $owner = -1; - $admin = false; - } else { - $admin = is_admin_user($owner); - } - - $access = get_access_list($owner); - - if ($admin) { - $sql = " (1 = 1) "; - } else if ($owner != -1) { - $friends_bit = $table_prefix.'access_id = '.ACCESS_FRIENDS.' AND '; - $friends_bit .= "{$table_prefix}owner_guid IN (SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships WHERE relationship='friend' AND guid_two=$owner)"; - $friends_bit = '('.$friends_bit.') OR '; - - if ((isset($CONFIG->user_block_and_filter_enabled)) && ($CONFIG->user_block_and_filter_enabled)) { - // check to see if the user is in the entity owner's block list - // or if the entity owner is in the user's filter list - // if so, disallow access - - $enemies_bit = get_annotation_sql('elgg_block_list',"{$table_prefix}owner_guid",$owner,false); - $enemies_bit = '('.$enemies_bit. ' AND '.get_annotation_sql('elgg_filter_list',$owner,"{$table_prefix}owner_guid",false).')'; - } - } + return $sql; +} - if (empty($sql)) - $sql = " $friends_bit ({$table_prefix}access_id in {$access} or ({$table_prefix}owner_guid = {$owner}) or ({$table_prefix}access_id = " . ACCESS_PRIVATE . " and {$table_prefix}owner_guid = $owner))"; - - if ($enemies_bit) { - $sql = "$enemies_bit AND ($sql)"; - } - - if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) - $sql .= " and {$table_prefix}enabled='yes'"; - return '('.$sql.')'; +/** + * Add access restriction sql code to a given query. + * Note that if this code is executed in privileged mode it will return blank. + * @TODO: DELETE once Query classes are fully integrated + * + * @param string $table_prefix Optional table. prefix for the access code. + * @param int $owner + */ +function get_access_sql_suffix($table_prefix = "", $owner = null) { + global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG; + + $sql = ""; + $friends_bit = ""; + $enemies_bit = ""; + + if ($table_prefix) + $table_prefix = sanitise_string($table_prefix) . "."; + + if (!isset($owner)) { + $owner = get_loggedin_userid(); + } + + if (!$owner) { + $owner = -1; + } + + $is_admin = is_admin_user($owner); + $access = get_access_list($owner); + + if ($is_admin) { + $sql = " (1 = 1) "; + } else if ($owner != -1) { + $friends_bit = "{$table_prefix}access_id = " . ACCESS_FRIENDS . " + AND {$table_prefix}owner_guid IN ( + SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships + WHERE relationship='friend' AND guid_two=$owner + )"; + + $friends_bit = '('.$friends_bit.') OR '; + + if ((isset($CONFIG->user_block_and_filter_enabled)) && ($CONFIG->user_block_and_filter_enabled)) { + // check to see if the user is in the entity owner's block list + // or if the entity owner is in the user's filter list + // if so, disallow access + $enemies_bit = get_annotation_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false); + $enemies_bit = '(' + . $enemies_bit + . ' AND ' . get_annotation_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false) + . ')'; } - - /** - * Determines whether the given user has access to the given entity - * - * @param ElggEntity $entity The entity to check access for. - * @param ElggUser $user Optionally the user to check access for. - * - * @return boolean True if the user can access the entity - */ - - function has_access_to_entity($entity,$user = null) { - global $CONFIG; - - if (!isset($user)) { - $access_bit = get_access_sql_suffix("e"); - } else { - $access_bit = get_access_sql_suffix("e",$user->getGUID()); + } + + if (empty($sql)) { + $sql = " $friends_bit ({$table_prefix}access_id IN {$access} + OR ({$table_prefix}owner_guid = {$owner}) + OR ( + {$table_prefix}access_id = " . ACCESS_PRIVATE . " + AND {$table_prefix}owner_guid = $owner + ) + )"; + } + + if ($enemies_bit) { + $sql = "$enemies_bit AND ($sql)"; + } + + if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) + $sql .= " and {$table_prefix}enabled='yes'"; + return '('.$sql.')'; +} + +/** + * Determines whether the given user has access to the given entity + * + * @param ElggEntity $entity The entity to check access for. + * @param ElggUser $user Optionally the user to check access for. + * + * @return boolean True if the user can access the entity + */ +function has_access_to_entity($entity, $user = null) { + global $CONFIG; + + if (!isset($user)) { + $access_bit = get_access_sql_suffix("e"); + } else { + $access_bit = get_access_sql_suffix("e", $user->getGUID()); + } + + $query = "SELECT guid from {$CONFIG->dbprefix}entities e WHERE e.guid = " . $entity->getGUID(); + $query .= " AND " . $access_bit; // Add access controls + if (get_data($query)) { + return true; + } else { + return false; + } +} + +/** + * Returns an array of access permissions that the specified user is allowed to save objects with. + * Permissions are of the form ('id' => 'Description') + * + * @param int $user_id The user's GUID. + * @param int $site_id The current site. + * @param true|false $flush If this is set to true, this will shun any cached version + * + * @return array List of access permissions + */ +function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) { + global $CONFIG; + //@todo this is probably not needed since caching happens at the DB level. + static $access_array; + + if ($user_id == 0) { + $user_id = get_loggedin_userid(); + } + + if (($site_id == 0) && (isset($CONFIG->site_id))) { + $site_id = $CONFIG->site_id; + } + + $user_id = (int) $user_id; + $site_id = (int) $site_id; + + if (empty($access_array[$user_id]) || $flush == true) { + $query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag "; + $query .= " WHERE (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; + $query .= " AND (ag.owner_guid = {$user_id})"; + $query .= " AND ag.id >= 3"; + + $tmp_access_array = array(0 => elgg_echo("PRIVATE"), ACCESS_FRIENDS => elgg_echo("access:friends:label"), 1 => elgg_echo("LOGGED_IN"), 2 => elgg_echo("PUBLIC")); + if ($collections = get_data($query)) { + foreach($collections as $collection) { + $tmp_access_array[$collection->id] = $collection->name; } - - $query = "SELECT guid from {$CONFIG->dbprefix}entities e WHERE e.guid = ".$entity->getGUID(); - $query .= " AND ".$access_bit; // Add access controls - if (get_data($query)) { - return true; - } else { - return false; - } } - - /** - * Returns an array of access permissions that the specified user is allowed to save objects with. - * Permissions are of the form ('id' => 'Description') - * - * @param int $user_id The user's GUID. - * @param int $site_id The current site. - * @param true|false $flush If this is set to true, this will shun any cached version - * @return array List of access permissions= - */ - function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) { - - global $CONFIG; - static $access_array; - - if ($user_id == 0) $user_id = get_loggedin_userid(); - if (($site_id == 0) && (isset($CONFIG->site_id))) $site_id = $CONFIG->site_id; - $user_id = (int) $user_id; - $site_id = (int) $site_id; - - if (empty($access_array[$user_id]) || $flush == true) { - - $query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag "; - $query .= " WHERE (ag.site_guid = {$site_id} OR ag.site_guid = 0)"; - $query .= " AND (ag.owner_guid = {$user_id})"; - $query .= " AND ag.id >= 3"; - - $tmp_access_array = array(0 => elgg_echo("PRIVATE"), ACCESS_FRIENDS => elgg_echo("access:friends:label"), 1 => elgg_echo("LOGGED_IN"), 2 => elgg_echo("PUBLIC")); - if ($collections = get_data($query)) { - foreach($collections as $collection) - $tmp_access_array[$collection->id] = $collection->name; - } - - $access_array[$user_id] = $tmp_access_array; - - } else { - $tmp_access_array = $access_array[$user_id]; - } - - $tmp_access_array = trigger_plugin_hook('access:collections:write','user',array('user_id' => $user_id, 'site_id' => $site_id),$tmp_access_array); - - return $tmp_access_array; - + + $access_array[$user_id] = $tmp_access_array; + } else { + $tmp_access_array = $access_array[$user_id]; + } + + $tmp_access_array = trigger_plugin_hook('access:collections:write','user',array('user_id' => $user_id, 'site_id' => $site_id),$tmp_access_array); + + return $tmp_access_array; +} + +/** + * Creates a new access control collection owned by the specified user. + * + * @param string $name The name of the collection. + * @param int $owner_guid The GUID of the owner (default: currently logged in user). + * @param int $site_guid The GUID of the site (default: current site). + * + * @return int|false Depending on success (the collection ID if successful). + */ +function create_access_collection($name, $owner_guid = 0, $site_guid = 0) { + global $CONFIG; + + $name = trim($name); + if (empty($name)) { + return false; + } + + if ($owner_guid == 0) { + $owner_guid = get_loggedin_userid(); + } + if (($site_id == 0) && (isset($CONFIG->site_guid))) { + $site_id = $CONFIG->site_guid; + } + $name = sanitise_string($name); + + $q = "INSERT INTO {$CONFIG->dbprefix}access_collections + SET name = '{$name}', + owner_guid = {$owner_guid}, + site_guid = {$site_id}"; + if (!$id = insert_data($q)) { + return false; + } + + $params = array( + 'collection_id' => $id + ); + + if (!trigger_plugin_hook('access:collections:addcollection', 'collection', $params, true)) { + return false; + } + + return $id; +} + +/** + * Updates the membership in an access collection. + * + * @param int $collection_id The ID of the collection. + * @param array $members Array of member GUIDs + * @return true|false Depending on success + */ +function update_access_collection($collection_id, $members) { + global $CONFIG; + + $collection_id = (int) $collection_id; + $members = (is_array($members)) ? $members : array(); + + $collections = get_write_access_array(); + + if (array_key_exists($collection_id, $collections)) { + $cur_members = get_members_of_access_collection($collection_id, true); + $cur_members = (is_array($cur_members)) ? $cur_members : array(); + + $remove_members = array_diff($cur_members, $members); + $add_members = array_diff($members, $cur_members); + + $params = array( + 'collection_id' => $collection_id, + 'members' => $members, + 'add_members' => $add_members, + 'remove_members' => $remove_members + ); + + foreach ($add_members as $guid) { + add_user_to_access_collection($guid, $collection_id); } - /** - * Creates a new access control collection owned by the specified user. - * - * @param string $name The name of the collection. - * @param int $owner_guid The GUID of the owner (default: currently logged in user). - * @param int $site_guid The GUID of the site (default: current site). - * @return int|false Depending on success (the collection ID if successful). - */ - function create_access_collection($name, $owner_guid = 0, $site_guid = 0) { - - global $CONFIG; - - $name = trim($name); - if (empty($name)) return false; - - if ($owner_guid == 0) $owner_guid = get_loggedin_userid(); - if (($site_id == 0) && (isset($CONFIG->site_guid))) $site_id = $CONFIG->site_guid; - $name = sanitise_string($name); - - if (!$id = insert_data("insert into {$CONFIG->dbprefix}access_collections set name = '{$name}', owner_guid = {$owner_guid}, site_guid = {$site_id}")) { - return false; - } - - $params = array( - 'collection_id' => $id - ); - - if (!trigger_plugin_hook('access:collections:addcollection', 'collection', $params, true)) { - return false; - } - - return $id; + foreach ($remove_members as $guid) { + remove_user_from_access_collection($guid, $collection_id); } - - /** - * Updates the membership in an access collection. - * - * @param int $collection_id The ID of the collection. - * @param array $members Array of member GUIDs - * @return true|false Depending on success - */ - function update_access_collection($collection_id, $members) { - - global $CONFIG; - $collection_id = (int) $collection_id; - $members = (is_array($members)) ? $members : array(); - - $collections = get_write_access_array(); - - if (array_key_exists($collection_id, $collections)) { - $cur_members = get_members_of_access_collection($collection_id, true); - $cur_members = (is_array($cur_members)) ? $cur_members : array(); - - $remove_members = array_diff($cur_members, $members); - $add_members = array_diff($members, $cur_members); - - $params = array( - 'collection_id' => $collection_id, - 'members' => $members, - 'add_members' => $add_members, - 'remove_members' => $remove_members - ); - - foreach ($add_members as $guid) { - add_user_to_access_collection($guid, $collection_id); - } - - foreach ($remove_members as $guid) { - remove_user_from_access_collection($guid, $collection_id); - } - - return true; - } - + + return true; + } + + return false; +} + +/** + * Deletes a specified access collection + * + * @param int $collection_id The collection ID + * @return true|false Depending on success + */ +function delete_access_collection($collection_id) { + + $collection_id = (int) $collection_id; + $collections = get_write_access_array(); + $params = array('collection_id' => $collection_id); + + if (!trigger_plugin_hook('access:collections:deletecollection', 'collection', $params, true)) { + return false; + } + + if (array_key_exists($collection_id, $collections)) { + global $CONFIG; + delete_data("delete from {$CONFIG->dbprefix}access_collection_membership where access_collection_id = {$collection_id}"); + delete_data("delete from {$CONFIG->dbprefix}access_collections where id = {$collection_id}"); + return true; + } else { + return false; + } + +} + +/** + * Get a specified access collection + * + * @param int $collection_id The collection ID + * @return array|false Depending on success + */ +function get_access_collection($collection_id) { + global $CONFIG; + $collection_id = (int) $collection_id; + + $get_collection = get_data_row("SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE id = {$collection_id}"); + + return $get_collection; +} + +/** + * Adds a user to the specified user collection + * + * @param int $user_guid The GUID of the user to add + * @param int $collection_id The ID of the collection to add them to + * @return true|false Depending on success + */ +function add_user_to_access_collection($user_guid, $collection_id) { + $collection_id = (int) $collection_id; + $user_guid = (int) $user_guid; + $collections = get_write_access_array(); + + if (!($collection = get_access_collection($collection_id))) + return false; + + if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0) + && $user = get_user($user_guid)) { + global $CONFIG; + + $params = array( + 'collection_id' => $collection_id, + 'user_guid' => $user_guid + ); + + if (!trigger_plugin_hook('access:collections:add_user', 'collection', $params, true)) { return false; } - - /** - * Deletes a specified access collection - * - * @param int $collection_id The collection ID - * @return true|false Depending on success - */ - function delete_access_collection($collection_id) { - - $collection_id = (int) $collection_id; - $collections = get_write_access_array(); - $params = array('collection_id' => $collection_id); - - if (!trigger_plugin_hook('access:collections:deletecollection', 'collection', $params, true)) { - return false; - } - - if (array_key_exists($collection_id, $collections)) { - global $CONFIG; - delete_data("delete from {$CONFIG->dbprefix}access_collection_membership where access_collection_id = {$collection_id}"); - delete_data("delete from {$CONFIG->dbprefix}access_collections where id = {$collection_id}"); - return true; - } else { - return false; - } - - } - - /** - * Get a specified access collection - * - * @param int $collection_id The collection ID - * @return array|false Depending on success - */ - function get_access_collection($collection_id) { - - $collection_id = (int) $collection_id; - global $CONFIG; - $get_collection = get_data_row("SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE id = {$collection_id}"); - - return $get_collection; - - } - - /** - * Adds a user to the specified user collection - * - * @param int $user_guid The GUID of the user to add - * @param int $collection_id The ID of the collection to add them to - * @return true|false Depending on success - */ - function add_user_to_access_collection($user_guid, $collection_id) { - - $collection_id = (int) $collection_id; - $user_guid = (int) $user_guid; - $collections = get_write_access_array(); - - if (!($collection = get_access_collection($collection_id))) - return false; - - if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0) - && $user = get_user($user_guid)) { - global $CONFIG; - - $params = array( - 'collection_id' => $collection_id, - 'user_guid' => $user_guid - ); - - if (!trigger_plugin_hook('access:collections:add_user', 'collection', $params, true)) { - return false; - } - - try { - insert_data("insert into {$CONFIG->dbprefix}access_collection_membership set access_collection_id = {$collection_id}, user_guid = {$user_guid}"); - } catch (DatabaseException $e) {} - return true; - - } - - return false; - + + try { + insert_data("insert into {$CONFIG->dbprefix}access_collection_membership set access_collection_id = {$collection_id}, user_guid = {$user_guid}"); + } catch (DatabaseException $e) { + // nothing. } + return true; - /** - * Removes a user from an access collection - * - * @param int $user_guid The user GUID - * @param int $collection_id The access collection ID - * @return true|false Depending on success - */ - function remove_user_from_access_collection($user_guid, $collection_id) { - - $collection_id = (int) $collection_id; - $user_guid = (int) $user_guid; - $collections = get_write_access_array(); - - if (!($collection = get_access_collection($collection_id))) - return false; - - if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0) && $user = get_user($user_guid)) { - global $CONFIG; - $params = array( - 'collection_id' => $collection_id, - 'user_guid' => $user_guid - ); - - if (!trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) { - return false; - } - - delete_data("delete from {$CONFIG->dbprefix}access_collection_membership where access_collection_id = {$collection_id} and user_guid = {$user_guid}"); - return true; - - } - + } + + return false; +} + +/** + * Removes a user from an access collection + * + * @param int $user_guid The user GUID + * @param int $collection_id The access collection ID + * @return true|false Depending on success + */ +function remove_user_from_access_collection($user_guid, $collection_id) { + $collection_id = (int) $collection_id; + $user_guid = (int) $user_guid; + $collections = get_write_access_array(); + + if (!($collection = get_access_collection($collection_id))) + return false; + + if ((array_key_exists($collection_id, $collections) || $collection->owner_guid == 0) && $user = get_user($user_guid)) { + global $CONFIG; + $params = array( + 'collection_id' => $collection_id, + 'user_guid' => $user_guid + ); + + if (!trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) { return false; - - } - - /** - * Get all of a users collections - * - * @param int $owner_guid The user ID - * @return true|false Depending on success - */ - function get_user_access_collections($owner_guid) { - - $owner_guid = (int) $owner_guid; - - global $CONFIG; - - $collections = get_data("SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE owner_guid = {$owner_guid}"); - - return $collections; - } - - /** - * Get all of members of a friend collection - * - * @param int $collection The collection's ID - * @param true|false $idonly If set to true, will only return the members' IDs (default: false) - * @return ElggUser entities if successful, false if not - */ - function get_members_of_access_collection($collection, $idonly = false) { - - $collection = (int)$collection; - - global $CONFIG; - - if (!$idonly) { - $query = "SELECT e.* FROM {$CONFIG->dbprefix}access_collection_membership m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid WHERE m.access_collection_id = {$collection}"; - $collection_members = get_data($query, "entity_row_to_elggstar"); - } else { - $query = "SELECT e.guid FROM {$CONFIG->dbprefix}access_collection_membership m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid WHERE m.access_collection_id = {$collection}"; - $collection_members = get_data($query); - foreach($collection_members as $key => $val) - $collection_members[$key] = $val->guid; - } - - return $collection_members; - - } - - /** - * Displays a user's access collections, using the friends/collections view - * - * @param int $owner_guid The GUID of the owning user - * @return string A formatted rendition of the collections - */ - function elgg_view_access_collections($owner_guid) { - - if ($collections = get_user_access_collections($owner_guid)) { - - foreach($collections as $key => $collection) { - $collections[$key]->members = get_members_of_access_collection($collection->id, true); - $collections[$key]->entities = get_user_friends($owner_guid,"",9999); - } - - } - - return elgg_view('friends/collections',array('collections' => $collections)); - - } - - /** - * Get entities with the specified access collection id. - * - * @param $collection_id - * @param $entity_type - * @param $entity_subtype - * @param $owner_guid - * @param $limit - * @param $offset - * @param $order_by - * @param $site_guid - * @param $count - * @return unknown_type - */ - function get_entities_from_access_id($collection_id, $entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "", $site_guid = 0, $count = false) { - global $CONFIG; - - if (!$collection_id) - return false; - - $entity_type = sanitise_string($entity_type); - $entity_subtype = get_subtype_id($entity_type, $entity_subtype); - $limit = (int)$limit; - $offset = (int)$offset; - if ($order_by == "") - $order_by = "e.time_created desc"; - else - $order_by = "e.time_created, {$order_by}"; - $order_by = sanitise_string($order_by); - $site_guid = (int) $site_guid; - if ((is_array($owner_guid) && (count($owner_guid)))) { - foreach($owner_guid as $key => $guid) { - $owner_guid[$key] = (int) $guid; - } - } else { - $owner_guid = (int) $owner_guid; - } - if ($site_guid == 0) - $site_guid = $CONFIG->site_guid; - - //$access = get_access_list(); - - $where = array("e.access_id = $collection_id"); - - if ($entity_type!=="") - $where[] = "e.type='$entity_type'"; - if ($entity_subtype) - $where[] = "e.subtype=$entity_subtype"; - if ($site_guid > 0) - $where[] = "e.site_guid = {$site_guid}"; - if (is_array($owner_guid)) { - $where[] = "e.container_guid in (".implode(",",$owner_guid).")"; - } else if ($owner_guid > 0) - $where[] = "e.container_guid = {$owner_guid}"; - - if (!$count) { - $query = "SELECT distinct e.* "; - } else { - $query = "SELECT count(distinct e.guid) as total "; - } - - $query .= "from {$CONFIG->dbprefix}entities e where"; - foreach ($where as $w) - $query .= " $w and "; - $query .= get_access_sql_suffix("e"); // Add access controls - //$query .= ' and ' . get_access_sql_suffix("m"); // Add access controls - - if (!$count) { - $query .= " order by $order_by limit $offset, $limit"; // Add order and limit - return get_data($query, "entity_row_to_elggstar"); - } else { - if ($row = get_data_row($query)) - return $row->total; - } - return false; + + delete_data("delete from {$CONFIG->dbprefix}access_collection_membership where access_collection_id = {$collection_id} and user_guid = {$user_guid}"); + return true; + + } + + return false; +} + +/** + * Get all of a users collections + * + * @param int $owner_guid The user ID + * @return true|false Depending on success + */ +function get_user_access_collections($owner_guid) { + global $CONFIG; + $owner_guid = (int) $owner_guid; + + $collections = get_data("SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE owner_guid = {$owner_guid}"); + + return $collections; +} + +/** + * Get all of members of a friend collection + * + * @param int $collection The collection's ID + * @param true|false $idonly If set to true, will only return the members' IDs (default: false) + * @return ElggUser entities if successful, false if not + */ +function get_members_of_access_collection($collection, $idonly = false) { + global $CONFIG; + $collection = (int)$collection; + + if (!$idonly) { + $query = "SELECT e.* FROM {$CONFIG->dbprefix}access_collection_membership m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid WHERE m.access_collection_id = {$collection}"; + $collection_members = get_data($query, "entity_row_to_elggstar"); + } else { + $query = "SELECT e.guid FROM {$CONFIG->dbprefix}access_collection_membership m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid WHERE m.access_collection_id = {$collection}"; + $collection_members = get_data($query); + foreach($collection_members as $key => $val) { + $collection_members[$key] = $val->guid; } - - /** - * Lists entities from an access collection - * - * @param $collection_id - * @param $entity_type - * @param $entity_subtype - * @param $owner_guid - * @param $limit - * @param $fullview - * @param $viewtypetoggle - * @param $pagination - * @return str - */ - function list_entities_from_access_id($collection_id, $entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $fullview = true, $viewtypetoggle = true, $pagination = true) { - $offset = (int) get_input('offset'); - $limit = (int) $limit; - $count = get_entities_from_access_id($collection_id, $entity_type, $entity_subtype, $owner_guid, $limit, $offset, "", 0, true); - $entities = get_entities_from_access_id($collection_id, $entity_type, $entity_subtype, $owner_guid, $limit, $offset, "", 0, false); - - return elgg_view_entity_list($entities, $count, $offset, $limit, $fullview, $viewtypetoggle, $pagination); + } + + return $collection_members; +} + +/** + * Displays a user's access collections, using the friends/collections view + * + * @param int $owner_guid The GUID of the owning user + * @return string A formatted rendition of the collections + */ +function elgg_view_access_collections($owner_guid) { + if ($collections = get_user_access_collections($owner_guid)) { + foreach($collections as $key => $collection) { + $collections[$key]->members = get_members_of_access_collection($collection->id, true); + $collections[$key]->entities = get_user_friends($owner_guid,"",9999); } - - /** - * Return a humanreadable version of an entity's access level - * - * @param $entity_accessid (int) The entity's access id - * @return string e.g. Public, Private etc - **/ - - function get_readable_access_level($entity_accessid){ - $access = (int) $entity_accessid; - //get the access level for object in readable string - $options = get_write_access_array(); - foreach($options as $key => $option) { - if($key == $access){ - $entity_acl = htmlentities($option, ENT_QUOTES, 'UTF-8'); - return $entity_acl; - break; - } - } - return false; + } + + return elgg_view('friends/collections',array('collections' => $collections)); +} + +/** + * Get entities with the specified access collection id. + * + * @param $collection_id + * @param $entity_type + * @param $entity_subtype + * @param $owner_guid + * @param $limit + * @param $offset + * @param $order_by + * @param $site_guid + * @param $count + * @return unknown_type + */ +function get_entities_from_access_id($collection_id, $entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "", $site_guid = 0, $count = false) { + global $CONFIG; + + if (!$collection_id) { + return false; + } + + $entity_type = sanitise_string($entity_type); + $entity_subtype = get_subtype_id($entity_type, $entity_subtype); + $limit = (int)$limit; + $offset = (int)$offset; + + if ($order_by == "") { + $order_by = "e.time_created desc"; + } else { + $order_by = "e.time_created, {$order_by}"; + } + + $order_by = sanitise_string($order_by); + $site_guid = (int) $site_guid; + if ((is_array($owner_guid) && (count($owner_guid)))) { + foreach($owner_guid as $key => $guid) { + $owner_guid[$key] = (int) $guid; } - - global $init_finished; - $init_finished = false; - - /** - * A quick and dirty way to make sure the access permissions have been correctly set up - * - */ - function access_init() { - global $init_finished; - $init_finished = true; + } else { + $owner_guid = (int) $owner_guid; + } + if ($site_guid == 0) + $site_guid = $CONFIG->site_guid; + + //$access = get_access_list(); + + $where = array("e.access_id = $collection_id"); + + if ($entity_type!=="") + $where[] = "e.type='$entity_type'"; + if ($entity_subtype) + $where[] = "e.subtype=$entity_subtype"; + if ($site_guid > 0) + $where[] = "e.site_guid = {$site_guid}"; + if (is_array($owner_guid)) { + $where[] = "e.container_guid in (".implode(",",$owner_guid).")"; + } else if ($owner_guid > 0) + $where[] = "e.container_guid = {$owner_guid}"; + + if (!$count) { + $query = "SELECT distinct e.* "; + } else { + $query = "SELECT count(distinct e.guid) as total "; + } + + $query .= "from {$CONFIG->dbprefix}entities e where"; + foreach ($where as $w) + $query .= " $w and "; + $query .= get_access_sql_suffix("e"); // Add access controls + //$query .= ' and ' . get_access_sql_suffix("m"); // Add access controls + + if (!$count) { + $query .= " order by $order_by limit $offset, $limit"; // Add order and limit + return get_data($query, "entity_row_to_elggstar"); + } else { + if ($row = get_data_row($query)) + return $row->total; + } + return false; +} + +/** + * Lists entities from an access collection + * + * @param $collection_id + * @param $entity_type + * @param $entity_subtype + * @param $owner_guid + * @param $limit + * @param $fullview + * @param $viewtypetoggle + * @param $pagination + * @return str + */ +function list_entities_from_access_id($collection_id, $entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $fullview = true, $viewtypetoggle = true, $pagination = true) { + $offset = (int) get_input('offset'); + $limit = (int) $limit; + $count = get_entities_from_access_id($collection_id, $entity_type, $entity_subtype, $owner_guid, $limit, $offset, "", 0, true); + $entities = get_entities_from_access_id($collection_id, $entity_type, $entity_subtype, $owner_guid, $limit, $offset, "", 0, false); + + return elgg_view_entity_list($entities, $count, $offset, $limit, $fullview, $viewtypetoggle, $pagination); +} + +/** + * Return a humanreadable version of an entity's access level + * + * @param $entity_accessid (int) The entity's access id + * @return string e.g. Public, Private etc + **/ +function get_readable_access_level($entity_accessid){ + $access = (int) $entity_accessid; + //get the access level for object in readable string + $options = get_write_access_array(); + foreach($options as $key => $option) { + if($key == $access){ + $entity_acl = htmlentities($option, ENT_QUOTES, 'UTF-8'); + return $entity_acl; + break; } - - // This function will let us know when 'init' has finished - register_elgg_event_handler('init','system','access_init',9999); - -?> + } + return false; +} + +global $init_finished; +$init_finished = false; + +/** + * A quick and dirty way to make sure the access permissions have been correctly set up + * + */ +function access_init() { + global $init_finished; + $init_finished = true; +} + +// This function will let us know when 'init' has finished +register_elgg_event_handler('init','system','access_init',9999);
\ No newline at end of file diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index b34f07725..d3e4a499d 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -1,669 +1,716 @@ <?php - /** - * Elgg session management - * Functions to manage logins - * - * @package Elgg - * @subpackage Core +/** + * Elgg session management + * Functions to manage logins + * + * @package Elgg + * @subpackage Core + * @author Curverider Ltd + * @link http://elgg.org/ + */ - * @author Curverider Ltd +/** Elgg magic session */ +global $SESSION; - * @link http://elgg.org/ - */ +/** + * Magic session class. + * This class is intended to extend the $_SESSION magic variable by providing an API hook + * to plug in other values. + * + * Primarily this is intended to provide a way of supplying "logged in user" details without touching the session + * (which can cause problems when accessed server side). + * + * If a value is present in the session then that value is returned, otherwise a plugin hook 'session:get', '$var' is called, + * where $var is the variable being requested. + * + * Setting values will store variables in the session in the normal way. + * + * LIMITATIONS: You can not access multidimensional arrays + * + * This is EXPERIMENTAL. + */ +class ElggSession implements ArrayAccess { + /** Local cache of trigger retrieved variables */ + private static $__localcache; - /** Elgg magic session */ - global $SESSION; + function __isset($key) { + return $this->offsetExists($key); + } + + /** Set a value, go straight to session. */ + function offsetSet($key, $value) { + $_SESSION[$key] = $value; + } /** - * Magic session class. - * This class is intended to extend the $_SESSION magic variable by providing an API hook - * to plug in other values. - * - * Primarily this is intended to provide a way of supplying "logged in user" details without touching the session - * (which can cause problems when accessed server side). - * - * If a value is present in the session then that value is returned, otherwise a plugin hook 'session:get', '$var' is called, - * where $var is the variable being requested. - * - * Setting values will store variables in the session in the normal way. - * - * LIMITATIONS: You can not access multidimensional arrays - * - * This is EXPERIMENTAL. + * Get a variable from either the session, or if its not in the session attempt to get it from + * an api call. */ - class ElggSession implements ArrayAccess - { - /** Local cache of trigger retrieved variables */ - private static $__localcache; - - function __isset($key) { return $this->offsetExists($key); } - - /** Set a value, go straight to session. */ - function offsetSet($key, $value) { $_SESSION[$key] = $value; } - - /** - * Get a variable from either the session, or if its not in the session attempt to get it from - * an api call. - */ - function offsetGet($key) - { - if (!ElggSession::$__localcache) - ElggSession::$__localcache = array(); - - if (isset($_SESSION[$key])) - return $_SESSION[$key]; - - if (isset(ElggSession::$__localcache[$key])) - return ElggSession::$__localcache[$key]; - - $value = null; - $value = trigger_plugin_hook('session:get', $key, null, $value); - - ElggSession::$__localcache[$key] = $value; - - return ElggSession::$__localcache[$key]; - } - - /** - * Unset a value from the cache and the session. - */ - function offsetUnset($key) - { - unset(ElggSession::$__localcache[$key]); - unset($_SESSION[$key]); - } - - /** - * Return whether the value is set in either the session or the cache. - */ - function offsetExists($offset) { - if (isset(ElggSession::$__localcache[$offset])) - return true; - - if (isset($_SESSION[$offset])) - return true; + function offsetGet($key) { + if (!ElggSession::$__localcache) { + ElggSession::$__localcache = array(); + } + + if (isset($_SESSION[$key])) { + return $_SESSION[$key]; + } - if ($this->offsetGet($offset)) return true; + if (isset(ElggSession::$__localcache[$key])) { + return ElggSession::$__localcache[$key]; } + + $value = null; + $value = trigger_plugin_hook('session:get', $key, null, $value); + + ElggSession::$__localcache[$key] = $value; + + return ElggSession::$__localcache[$key]; } - - + /** - * Return the current logged in user, or null if no user is logged in. - * - * If no user can be found in the current session, a plugin hook - 'session:get' 'user' to give plugin - * authors another way to provide user details to the ACL system without touching the session. - */ - function get_loggedin_user() - { - global $SESSION; - - if (isset($SESSION)) - return $SESSION['user']; - - return false; - } - + * Unset a value from the cache and the session. + */ + function offsetUnset($key) { + unset(ElggSession::$__localcache[$key]); + unset($_SESSION[$key]); + } + /** - * Return the current logged in user by id. - * - * @see get_loggedin_user() - * @return int - */ - function get_loggedin_userid() - { - $user = get_loggedin_user(); - if ($user) - return $user->guid; - - return 0; + * Return whether the value is set in either the session or the cache. + */ + function offsetExists($offset) { + if (isset(ElggSession::$__localcache[$offset])) { + return true; } - /** - * Returns whether or not the user is currently logged in - * - * @return true|false - */ - function isloggedin() { - - if (!is_installed()) return false; - - $user = get_loggedin_user(); - - if ((isset($user)) && ($user instanceof ElggUser) && ($user->guid > 0)) - return true; - - return false; - + if (isset($_SESSION[$offset])) { + return true; } - /** - * Returns whether or not the user is currently logged in and that they are an admin user. - * - * @uses isloggedin() - * @return true|false - */ - function isadminloggedin() - { - if (!is_installed()) return false; - - $user = get_loggedin_user(); - - if ((isloggedin()) && (($user->admin || $user->siteadmin))) - return true; - - return false; + if ($this->offsetGet($offset)){ + return true; } - - /** - * Check if the given user is an admin. - * - * @param $user_guid - * @return bool - */ - function is_admin_user($user_guid) { - global $CONFIG; - - // caching is done at the db level so no need to here. - $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e, {$CONFIG->dbprefix}metastrings as ms1, {$CONFIG->dbprefix}metastrings as ms2, {$CONFIG->dbprefix}metadata as md - WHERE ( - ms1.string = 'admin' AND ms2.string = 'yes' - AND md.name_id = ms1.id AND md.value_id = ms2.id - AND e.guid = md.entity_guid - AND e.guid = {$user_guid} - AND e.banned = 'no' - ) - OR ( - ms1.string = 'admin' AND ms2.string = '1' - AND md.name_id = ms1.id AND md.value_id = ms2.id - AND e.guid = md.entity_guid - AND e.guid = {$user_guid} - AND e.banned = 'no' - )"; - - // normalizing the results from get_data() - // See #1242 - $info = get_data($query); - if (!((is_array($info) && count($info) < 1) || $info === false)) { - return true; + } +} + + +/** + * Return the current logged in user, or null if no user is logged in. + * + * If no user can be found in the current session, a plugin hook - 'session:get' 'user' to give plugin + * authors another way to provide user details to the ACL system without touching the session. + */ +function get_loggedin_user() { + global $SESSION; + + if (isset($SESSION)) { + return $SESSION['user']; + } + + return false; +} + +/** + * Return the current logged in user by id. + * + * @see get_loggedin_user() + * @return int + */ +function get_loggedin_userid() { + $user = get_loggedin_user(); + if ($user) + return $user->guid; + + return 0; +} + +/** + * Returns whether or not the user is currently logged in + * + * @return true|false + */ +function isloggedin() { + if (!is_installed()) { + return false; + } + + $user = get_loggedin_user(); + + if ((isset($user)) && ($user instanceof ElggUser) && ($user->guid > 0)) { + return true; + } + + return false; +} + +/** + * Returns whether or not the user is currently logged in and that they are an admin user. + * + * @uses isloggedin() + * @return true|false + */ +function isadminloggedin() { + if (!is_installed()) { + return false; + } + + $user = get_loggedin_user(); + + if ((isloggedin()) && (($user->admin || $user->siteadmin))) { + return true; + } + + return false; +} + +/** + * Check if the given user has full access. + * @todo: Will always return full access if the user is an admin. + * + * @param $user_guid + * @return bool + */ +function is_admin_user($user_guid) { + global $CONFIG; + + // cannot use metadata here because + // caching is done at the db level so no need to here. + $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e, {$CONFIG->dbprefix}metastrings as ms1, {$CONFIG->dbprefix}metastrings as ms2, {$CONFIG->dbprefix}metadata as md + WHERE ( + ms1.string = 'admin' AND ms2.string = 'yes' + AND md.name_id = ms1.id AND md.value_id = ms2.id + AND e.guid = md.entity_guid + AND e.guid = {$user_guid} + AND e.banned = 'no' + ) + OR ( + ms1.string = 'admin' AND ms2.string = '1' + AND md.name_id = ms1.id AND md.value_id = ms2.id + AND e.guid = md.entity_guid + AND e.guid = {$user_guid} + AND e.banned = 'no' + )"; + + // normalizing the results from get_data() + // See #1242 + $info = get_data($query); + if (!((is_array($info) && count($info) < 1) || $info === false)) { + return true; + } + return false; +} + +/** + * Perform standard authentication with a given username and password. + * Returns an ElggUser object for use with login. + * + * @see login + * @param string $username The username, optionally (for standard logins) + * @param string $password The password, optionally (for standard logins) + * @return ElggUser|false The authenticated user object, or false on failure. + */ + +function authenticate($username, $password) { + if (pam_authenticate(array('username' => $username, 'password' => $password))) { + return get_user_by_username($username); + } + + return false; +} + +/** + * Hook into the PAM system which accepts a username and password and attempts to authenticate + * it against a known user. + * + * @param array $credentials Associated array of credentials passed to pam_authenticate. This function expects + * 'username' and 'password' (cleartext). + */ +function pam_auth_userpass($credentials = NULL) { + $max_in_period = 3; // max 3 login attempts in + $period_length = 5; // 5 minutes + $periods = array(); + + if (is_array($credentials) && ($credentials['username']) && ($credentials['password'])) { + if ($user = get_user_by_username($credentials['username'])) { + + // Let admins log in without validating their email, but normal users must have validated their email or been admin created + if ((!$user->admin) && (!$user->validated) && (!$user->admin_created)) { + return false; } - return false; - } - - /** - * Perform standard authentication with a given username and password. - * Returns an ElggUser object for use with login. - * - * @see login - * @param string $username The username, optionally (for standard logins) - * @param string $password The password, optionally (for standard logins) - * @return ElggUser|false The authenticated user object, or false on failure. - */ - - function authenticate($username, $password) { - - if (pam_authenticate(array('username' => $username, 'password' => $password))) - return get_user_by_username($username); - - return false; - - } - - /** - * Hook into the PAM system which accepts a username and password and attempts to authenticate - * it against a known user. - * - * @param array $credentials Associated array of credentials passed to pam_authenticate. This function expects - * 'username' and 'password' (cleartext). - */ - function pam_auth_userpass($credentials = NULL) - { - $max_in_period = 3; // max 3 login attempts in - $period_length = 5; // 5 minutes - $periods = array(); - - if (is_array($credentials) && ($credentials['username']) && ($credentials['password'])) - { - //$dbpassword = md5($credentials['password']); - - - if ($user = get_user_by_username($credentials['username'])) { - - // Let admins log in without validating their email, but normal users must have validated their email or been admin created - if ((!$user->admin) && (!$user->validated) && (!$user->admin_created)) - return false; - - // User has been banned, so bin them. - if ($user->isBanned()) return false; - - if ($user->password == generate_user_password($user, $credentials['password'])) - - return true; - else - // Password failed, log. - log_login_failure($user->guid); - - } + + // User has been banned, so bin them. + if ($user->isBanned()) { + return false; } - - return false; - } - - function log_login_failure($user_guid) - { - $user_guid = (int)$user_guid; - $user = get_entity($user_guid); - - if (($user_guid) && ($user) && ($user instanceof ElggUser)) - { - $fails = (int)$user->getPrivateSetting("login_failures"); - $fails++; - - $user->setPrivateSetting("login_failures", $fails); - $user->setPrivateSetting("login_failure_$fails", time()); + + if ($user->password == generate_user_password($user, $credentials['password'])) { + return true; + } else { + // Password failed, log. + log_login_failure($user->guid); } + } - - function reset_login_failure_count($user_guid) - { - $user_guid = (int)$user_guid; - $user = get_entity($user_guid); - - if (($user_guid) && ($user) && ($user instanceof ElggUser)) - { - $fails = (int)$user->getPrivateSetting("login_failures"); - - if ($fails) { - for ($n=1; $n <= $fails; $n++) - $user->removePrivateSetting("login_failure_$n"); - - $user->removePrivateSetting("login_failures"); - } + } + + return false; +} + +/** + * Log a failed login for $user_guid + * + * @param $user_guid + * @return bool on success + */ +function log_login_failure($user_guid) { + $user_guid = (int)$user_guid; + $user = get_entity($user_guid); + + if (($user_guid) && ($user) && ($user instanceof ElggUser)) { + $fails = (int)$user->getPrivateSetting("login_failures"); + $fails++; + + $user->setPrivateSetting("login_failures", $fails); + $user->setPrivateSetting("login_failure_$fails", time()); + return true; + } + + return false; +} + +/** + * Resets the fail login count for $user_guid + * + * @param $user_guid + * @return bool on success (success = user has no logged failed attempts) + */ +function reset_login_failure_count($user_guid) { + $user_guid = (int)$user_guid; + $user = get_entity($user_guid); + + if (($user_guid) && ($user) && ($user instanceof ElggUser)) { + $fails = (int)$user->getPrivateSetting("login_failures"); + + if ($fails) { + for ($n=1; $n <= $fails; $n++) { + $user->removePrivateSetting("login_failure_$n"); } + + $user->removePrivateSetting("login_failures"); + + return true; } - - function check_rate_limit_exceeded($user_guid) - { - $limit = 5; - $user_guid = (int)$user_guid; - $user = get_entity($user_guid); - - if (($user_guid) && ($user) && ($user instanceof ElggUser)) - { - $fails = (int)$user->getPrivateSetting("login_failures"); - if ($fails >= $limit) - { - $cnt = 0; - $time = time(); - for ($n=$fails; $n>0; $n--) - { - $f = $user->getPrivateSetting("login_failure_$n"); - if ($f > $time - (60*5)) - $cnt++; - - if ($cnt==$limit) return true; // Limit reached - } + + // nothing to reset + return true; + } + + return false; +} + +/** + * Checks if the rate limit of failed logins has been exceeded for $user_guid. + * + * @param $user_guid + * @return bool on exceeded limit. + */ +function check_rate_limit_exceeded($user_guid) { + $limit = 5; + $user_guid = (int)$user_guid; + $user = get_entity($user_guid); + + if (($user_guid) && ($user) && ($user instanceof ElggUser)) { + $fails = (int)$user->getPrivateSetting("login_failures"); + if ($fails >= $limit) { + $cnt = 0; + $time = time(); + for ($n=$fails; $n>0; $n--) { + $f = $user->getPrivateSetting("login_failure_$n"); + if ($f > $time - (60*5)) { + $cnt++; + } + + if ($cnt==$limit) { + // Limit reached + return true; } - } - - return false; } - - /** - * Logs in a specified ElggUser. For standard registration, use in conjunction - * with authenticate. - * - * @see authenticate - * @param ElggUser $user A valid Elgg user object - * @param boolean $persistent Should this be a persistent login? - * @return true|false Whether login was successful - */ - function login(ElggUser $user, $persistent = false) { - - global $CONFIG; - - if ($user->isBanned()) return false; // User is banned, return false. - if (check_rate_limit_exceeded($user->guid)) return false; // Check rate limit - - $_SESSION['user'] = $user; - $_SESSION['guid'] = $user->getGUID(); - $_SESSION['id'] = $_SESSION['guid']; - $_SESSION['username'] = $user->username; - $_SESSION['name'] = $user->name; - - $code = (md5($user->name . $user->username . time() . rand())); - - $user->code = md5($code); - - $_SESSION['code'] = $code; - - if (($persistent)) - setcookie("elggperm", $code, (time()+(86400 * 30)),"/"); - - if (!$user->save() || !trigger_elgg_event('login','user',$user)) { - unset($_SESSION['username']); - unset($_SESSION['name']); - unset($_SESSION['code']); - unset($_SESSION['guid']); - unset($_SESSION['id']); - unset($_SESSION['user']); - setcookie("elggperm", "", (time()-(86400 * 30)),"/"); - return false; - } - - // Users privilege has been elevated, so change the session id (help prevent session hijacking) - session_regenerate_id(); - - // Update statistics - set_last_login($_SESSION['guid']); - reset_login_failure_count($user->guid); // Reset any previous failed login attempts - - // Set admin shortcut flag if this is an admin - if (isadminloggedin()) { - global $is_admin; - $is_admin = true; - } - - return true; - + } + + return false; +} + +/** + * Logs in a specified ElggUser. For standard registration, use in conjunction + * with authenticate. + * + * @see authenticate + * @param ElggUser $user A valid Elgg user object + * @param boolean $persistent Should this be a persistent login? + * @return true|false Whether login was successful + */ +function login(ElggUser $user, $persistent = false) { + global $CONFIG; + + // User is banned, return false. + if ($user->isBanned()) { + return false; + } + + // Check rate limit + if (check_rate_limit_exceeded($user->guid)) { + return false; + } + + $_SESSION['user'] = $user; + $_SESSION['guid'] = $user->getGUID(); + $_SESSION['id'] = $_SESSION['guid']; + $_SESSION['username'] = $user->username; + $_SESSION['name'] = $user->name; + + $code = (md5($user->name . $user->username . time() . rand())); + + $user->code = md5($code); + + $_SESSION['code'] = $code; + + if (($persistent)) { + setcookie("elggperm", $code, (time()+(86400 * 30)),"/"); + } + + if (!$user->save() || !trigger_elgg_event('login','user',$user)) { + unset($_SESSION['username']); + unset($_SESSION['name']); + unset($_SESSION['code']); + unset($_SESSION['guid']); + unset($_SESSION['id']); + unset($_SESSION['user']); + setcookie("elggperm", "", (time()-(86400 * 30)),"/"); + return false; + } + + // Users privilege has been elevated, so change the session id (help prevent session hijacking) + session_regenerate_id(); + + // Update statistics + set_last_login($_SESSION['guid']); + reset_login_failure_count($user->guid); // Reset any previous failed login attempts + + // Set admin shortcut flag if this is an admin + if (isadminloggedin()) { + //@todo REMOVE THIS. + global $is_admin; + $is_admin = true; + } + + return true; +} + +/** + * Log the current user out + * + * @return true|false + */ +function logout() { + global $CONFIG; + + if (isset($_SESSION['user'])) { + if (!trigger_elgg_event('logout','user',$_SESSION['user'])) { + return false; } - - /** - * Log the current user out - * - * @return true|false - */ - function logout() { - global $CONFIG; - - if (isset($_SESSION['user'])) { - if (!trigger_elgg_event('logout','user',$_SESSION['user'])) return false; - $_SESSION['user']->code = ""; - $_SESSION['user']->save(); - } - - unset($_SESSION['username']); - unset($_SESSION['name']); - unset($_SESSION['code']); - unset($_SESSION['guid']); - unset($_SESSION['id']); - unset($_SESSION['user']); - - setcookie("elggperm", "", (time()-(86400 * 30)),"/"); - - session_destroy(); - - return true; - } - - function get_session_fingerprint() - { - global $CONFIG; - - return md5($_SERVER['HTTP_USER_AGENT'] . get_site_secret()); - } - - /** - * Initialises the system session and potentially logs the user in - * - * This function looks for: - * - * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0 - * 2. The cookie 'elggperm' - if present, checks it for an authentication token, validates it, and potentially logs the user in - * - * @uses $_SESSION - * @param unknown_type $event - * @param unknown_type $object_type - * @param unknown_type $object - */ - function session_init($event, $object_type, $object) { - - global $DB_PREFIX, $CONFIG; - - if (!is_db_installed()) return false; - - // Use database for sessions - $DB_PREFIX = $CONFIG->dbprefix; // HACK to allow access to prefix after object distruction - if ((!isset($CONFIG->use_file_sessions))) - session_set_save_handler("__elgg_session_open", "__elgg_session_close", "__elgg_session_read", "__elgg_session_write", "__elgg_session_destroy", "__elgg_session_gc"); - - session_name('Elgg'); - session_start(); - - // Do some sanity checking by generating a fingerprint (makes some XSS attacks harder) - if (isset($_SESSION['__elgg_fingerprint'])) - { - if ($_SESSION['__elgg_fingerprint'] != get_session_fingerprint()) - { - session_destroy(); - return false; - } - } - else - { - $_SESSION['__elgg_fingerprint'] = get_session_fingerprint(); - } - - // Generate a simple token (private from potentially public session id) - if (!isset($_SESSION['__elgg_session'])) $_SESSION['__elgg_session'] = md5(microtime().rand()); - - if (empty($_SESSION['guid'])) { - if (isset($_COOKIE['elggperm'])) { - $code = $_COOKIE['elggperm']; - $code = md5($code); - unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['id']);//$_SESSION['id'] = 0; - if ($user = get_user_by_code($code)) { - $_SESSION['user'] = $user; - $_SESSION['id'] = $user->getGUID(); - $_SESSION['guid'] = $_SESSION['id']; - $_SESSION['code'] = $_COOKIE['elggperm']; - } - } else { - unset($_SESSION['id']); //$_SESSION['id'] = 0; - unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = ""; - } - } else { - if (!empty($_SESSION['code'])) { - $code = md5($_SESSION['code']); - if ($user = get_user_by_code($code)) { - $_SESSION['user'] = $user; - $_SESSION['id'] = $user->getGUID(); - $_SESSION['guid'] = $_SESSION['id']; - } else { - unset($_SESSION['user']); - unset($_SESSION['id']); //$_SESSION['id'] = 0; - unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = ""; - } - } else { - //$_SESSION['user'] = new ElggDummy(); - unset($_SESSION['id']); //$_SESSION['id'] = 0; - unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = ""; - } - } - if ($_SESSION['id'] > 0) { - set_last_action($_SESSION['id']); - } - - register_action("login",true); - register_action("logout"); - - // Register a default PAM handler - register_pam_handler('pam_auth_userpass'); - - // Initialise the magic session - global $SESSION; - $SESSION = new ElggSession(); - - // Finally we ensure that a user who has been banned with an open session is kicked. - if ((isset($_SESSION['user'])) && ($_SESSION['user']->isBanned())) - { - session_destroy(); - return false; - } - - // Since we have loaded a new user, this user may have different language preferences - register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/"); - - return true; - + $_SESSION['user']->code = ""; + $_SESSION['user']->save(); + } + + unset($_SESSION['username']); + unset($_SESSION['name']); + unset($_SESSION['code']); + unset($_SESSION['guid']); + unset($_SESSION['id']); + unset($_SESSION['user']); + + setcookie("elggperm", "", (time()-(86400 * 30)),"/"); + + session_destroy(); + + return true; +} + +/** + * Returns a fingerprint for an elgg session. + * + * @return string + */ +function get_session_fingerprint() { + global $CONFIG; + + return md5($_SERVER['HTTP_USER_AGENT'] . get_site_secret()); +} + +/** + * Initialises the system session and potentially logs the user in + * + * This function looks for: + * + * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0 + * 2. The cookie 'elggperm' - if present, checks it for an authentication token, validates it, and potentially logs the user in + * + * @uses $_SESSION + * @param unknown_type $event + * @param unknown_type $object_type + * @param unknown_type $object + */ +function session_init($event, $object_type, $object) { + global $DB_PREFIX, $CONFIG; + + if (!is_db_installed()) { + return false; + } + + // Use database for sessions + // HACK to allow access to prefix after object destruction + $DB_PREFIX = $CONFIG->dbprefix; + if ((!isset($CONFIG->use_file_sessions))) { + session_set_save_handler("__elgg_session_open", + "__elgg_session_close", + "__elgg_session_read", + "__elgg_session_write", + "__elgg_session_destroy", + "__elgg_session_gc"); + } + + session_name('Elgg'); + session_start(); + + // Do some sanity checking by generating a fingerprint (makes some XSS attacks harder) + if (isset($_SESSION['__elgg_fingerprint'])) { + if ($_SESSION['__elgg_fingerprint'] != get_session_fingerprint()) { + session_destroy(); + return false; } - - /** - * Used at the top of a page to mark it as logged in users only. - * - */ - function gatekeeper() { - if (!isloggedin()) { - $_SESSION['last_forward_from'] = current_page_url(); - forward(); + } else { + $_SESSION['__elgg_fingerprint'] = get_session_fingerprint(); + } + + // Generate a simple token (private from potentially public session id) + if (!isset($_SESSION['__elgg_session'])) { + $_SESSION['__elgg_session'] = md5(microtime().rand()); + } + + if (empty($_SESSION['guid'])) { + if (isset($_COOKIE['elggperm'])) { + $code = $_COOKIE['elggperm']; + $code = md5($code); + unset($_SESSION['guid']);//$_SESSION['guid'] = 0; + unset($_SESSION['id']);//$_SESSION['id'] = 0; + if ($user = get_user_by_code($code)) { + $_SESSION['user'] = $user; + $_SESSION['id'] = $user->getGUID(); + $_SESSION['guid'] = $_SESSION['id']; + $_SESSION['code'] = $_COOKIE['elggperm']; } + } else { + unset($_SESSION['id']); //$_SESSION['id'] = 0; + unset($_SESSION['guid']);//$_SESSION['guid'] = 0; + unset($_SESSION['code']);//$_SESSION['code'] = ""; } - - /** - * Used at the top of a page to mark it as logged in admin or siteadmin only. - * - */ - function admin_gatekeeper() - { - gatekeeper(); - if (!isadminloggedin()) { - $_SESSION['last_forward_from'] = current_page_url(); - forward(); + } else { + if (!empty($_SESSION['code'])) { + $code = md5($_SESSION['code']); + if ($user = get_user_by_code($code)) { + $_SESSION['user'] = $user; + $_SESSION['id'] = $user->getGUID(); + $_SESSION['guid'] = $_SESSION['id']; + } else { + unset($_SESSION['user']); + unset($_SESSION['id']); //$_SESSION['id'] = 0; + unset($_SESSION['guid']);//$_SESSION['guid'] = 0; + unset($_SESSION['code']);//$_SESSION['code'] = ""; } + } else { + //$_SESSION['user'] = new ElggDummy(); + unset($_SESSION['id']); //$_SESSION['id'] = 0; + unset($_SESSION['guid']);//$_SESSION['guid'] = 0; + unset($_SESSION['code']);//$_SESSION['code'] = ""; } - - /** - * DB Based session handling code. - */ - function __elgg_session_open($save_path, $session_name) - { - global $sess_save_path; - $sess_save_path = $save_path; - - return true; + } + + if ($_SESSION['id'] > 0) { + set_last_action($_SESSION['id']); + } + + register_action("login",true); + register_action("logout"); + + // Register a default PAM handler + register_pam_handler('pam_auth_userpass'); + + // Initialise the magic session + global $SESSION; + $SESSION = new ElggSession(); + + // Finally we ensure that a user who has been banned with an open session is kicked. + if ((isset($_SESSION['user'])) && ($_SESSION['user']->isBanned())) { + session_destroy(); + return false; + } + + // Since we have loaded a new user, this user may have different language preferences + register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/"); + + return true; +} + +/** + * Used at the top of a page to mark it as logged in users only. + * + */ +function gatekeeper() { + if (!isloggedin()) { + $_SESSION['last_forward_from'] = current_page_url(); + forward(); + } +} + +/** + * Used at the top of a page to mark it as logged in admin or siteadmin only. + * + */ +function admin_gatekeeper() { + gatekeeper(); + + if (!isadminloggedin()) { + $_SESSION['last_forward_from'] = current_page_url(); + forward(); + } +} + +/** + * DB Based session handling code. + */ +function __elgg_session_open($save_path, $session_name) { + global $sess_save_path; + $sess_save_path = $save_path; + + return true; +} + +/** + * DB Based session handling code. + */ +function __elgg_session_close() { + return true; +} + +/** + * DB Based session handling code. + */ +function __elgg_session_read($id) { + global $DB_PREFIX; + + $id = sanitise_string($id); + + try { + $result = get_data_row("SELECT * from {$DB_PREFIX}users_sessions where session='$id'"); + + if ($result) { + return (string)$result->data; } - - /** - * DB Based session handling code. - */ - function __elgg_session_close() - { + + } catch (DatabaseException $e) { + + // Fall back to file store in this case, since this likely means + // that the database hasn't been upgraded + global $sess_save_path; + + $sess_file = "$sess_save_path/sess_$id"; + return (string) @file_get_contents($sess_file); + } + + return ''; +} + +/** + * DB Based session handling code. + */ +function __elgg_session_write($id, $sess_data) { + global $DB_PREFIX; + + $id = sanitise_string($id); + $time = time(); + + try { + $sess_data_sanitised = sanitise_string($sess_data); + + $q = "REPLACE INTO {$DB_PREFIX}users_sessions + (session, ts, data) VALUES + ('$id', '$time', '$sess_data_sanitised')"; + + if (insert_data($q)!==false) { return true; } - - /** - * DB Based session handling code. - */ - function __elgg_session_read($id) - { - global $DB_PREFIX; - - $id = sanitise_string($id); - - try { - $result = get_data_row("SELECT * from {$DB_PREFIX}users_sessions where session='$id'"); - - if ($result) - return (string)$result->data; - - } catch (DatabaseException $e) { - - // Fall back to file store in this case, since this likely means that the database hasn't been upgraded - global $sess_save_path; - - $sess_file = "$sess_save_path/sess_$id"; - return (string) @file_get_contents($sess_file); - } - - return ''; - } - - /** - * DB Based session handling code. - */ - function __elgg_session_write($id, $sess_data) - { - global $DB_PREFIX; - - $id = sanitise_string($id); - $time = time(); - - try { - $sess_data_sanitised = sanitise_string($sess_data); + } catch (DatabaseException $e) { + // Fall back to file store in this case, since this likely means + // that the database hasn't been upgraded + global $sess_save_path; - if (insert_data("REPLACE INTO {$DB_PREFIX}users_sessions (session, ts, data) VALUES ('$id', '$time', '$sess_data_sanitised')")!==false) - return true; - - } catch (DatabaseException $e) { - // Fall back to file store in this case, since this likely means that the database hasn't been upgraded - global $sess_save_path; - - $sess_file = "$sess_save_path/sess_$id"; - if ($fp = @fopen($sess_file, "w")) { - $return = fwrite($fp, $sess_data); - fclose($fp); - return $return; - } - - } - - return false; - } - - /** - * DB Based session handling code. - */ - function __elgg_session_destroy($id) - { - global $DB_PREFIX; - - $id = sanitise_string($id); - - try { - return (bool)delete_data("DELETE from {$DB_PREFIX}users_sessions where session='$id'"); - } catch (DatabaseException $e) { - // Fall back to file store in this case, since this likely means that the database hasn't been upgraded - global $sess_save_path; - - $sess_file = "$sess_save_path/sess_$id"; - return(@unlink($sess_file)); - } - - return false; + $sess_file = "$sess_save_path/sess_$id"; + if ($fp = @fopen($sess_file, "w")) { + $return = fwrite($fp, $sess_data); + fclose($fp); + return $return; } - - /** - * DB Based session handling code. - */ - function __elgg_session_gc($maxlifetime) - { - global $DB_PREFIX; - - $life = time()-$maxlifetime; - - try { - return (bool)delete_data("DELETE from {$DB_PREFIX}users_sessions where ts<'$life'"); - } catch (DatabaseException $e) { - // Fall back to file store in this case, since this likely means that the database hasn't been upgraded - global $sess_save_path; - - foreach (glob("$sess_save_path/sess_*") as $filename) { - if (filemtime($filename) < $life) { - @unlink($filename); - } - } + } + + return false; +} + +/** + * DB Based session handling code. + */ +function __elgg_session_destroy($id) { + global $DB_PREFIX; + + $id = sanitise_string($id); + + try { + return (bool)delete_data("DELETE from {$DB_PREFIX}users_sessions where session='$id'"); + } catch (DatabaseException $e) { + // Fall back to file store in this case, since this likely means that + // the database hasn't been upgraded + global $sess_save_path; + + $sess_file = "$sess_save_path/sess_$id"; + return(@unlink($sess_file)); + } + + return false; +} + +/** + * DB Based session handling code. + */ +function __elgg_session_gc($maxlifetime) { + global $DB_PREFIX; + + $life = time()-$maxlifetime; + + try { + return (bool)delete_data("DELETE from {$DB_PREFIX}users_sessions where ts<'$life'"); + } catch (DatabaseException $e) { + // Fall back to file store in this case, since this likely means that the database hasn't been upgraded + global $sess_save_path; + + foreach (glob("$sess_save_path/sess_*") as $filename) { + if (filemtime($filename) < $life) { + @unlink($filename); } - - return true; } - - register_elgg_event_handler("boot","system","session_init",20); + } + return true; +} -?>
\ No newline at end of file +register_elgg_event_handler("boot","system","session_init",20);
\ No newline at end of file |