From 3702d3c283af3f48ec76ebca66f1885ec7bcd3ca Mon Sep 17 00:00:00 2001
From: kevinjardine
Date: Thu, 26 Feb 2009 11:19:42 +0000
Subject: Added "enemies" code to get_access_sql_suffix. This implements two features: a. a user can prevent another user from seeing any of his content and b. a user can filter out all the content created by another user. There is no interface for this yet, but adding one should be easy with this core support.
git-svn-id: https://code.elgg.org/elgg/trunk@2959 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/access.php | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
(limited to 'engine/lib')
diff --git a/engine/lib/access.php b/engine/lib/access.php
index df851e7cd..085e29d1a 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -167,6 +167,40 @@
 return $ENTITY_SHOW_HIDDEN_OVERRIDE;
 }
+ /**
+ * Add annotation restriction
+ *
+ * Returns an SQL fragment that is true (or optionally false) if the given user has
+ * added an annotation with the given name to the given entity.
+ *
+ * TODO: This is fairly generic so perhaps it could be moved to annotations.php
+ *
+ * @param string $annotation_name name of the annotation
+ * @param string $entity_guid SQL string that evaluates to the GUID of the entity the annotation should be attached to
+ * @param string $owner_guid SQL string that evaluates to the GUID of the owner of the annotation *
+ * @param boolean $exists If set to true, will return true if the annotation exists, otherwise returns false
+ * @return string An SQL fragment suitable for inserting into a WHERE clause
+ */
+
+ function get_annotation_sql($annotation_name,$entity_guid,$owner_guid,$exists) {
+ global $CONFIG;
+
+ if ($exists) {
+ $not = '';
+ } else {
+ $not = 'NOT';
+ }
+
+ $sql = <<dbprefix}annotations a
+INNER JOIN {$CONFIG->dbprefix}metastrings ms ON (a.name_id = ms.id)
+WHERE ms.string = '$annotation_name'
+AND a.entity_guid = $entity_guid
+AND a.owner_guid = $owner_guid)
+END;
+ return $sql;
+ }
+
 /**
 * Add access restriction sql code to a given query.
 *
@@ -181,6 +215,8 @@
 global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;
 $sql = "";
+ $friends_bit = "";
+ $enemies_bit = "";
 if ($table_prefix)
 $table_prefix = sanitise_string($table_prefix) . ".";
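Review bot: `$annotation_name` is interpolated straight into the quoted literal in `WHERE ms.string = '$annotation_name'`, so get_annotation_sql is only safe while every caller passes a constant, as the two calls in this commit do. Since the docblock already suggests moving it to annotations.php as a generic helper, I would escape it at the top of the function with `$annotation_name = sanitise_string($annotation_name);`, the helper get_access_sql_suffix already uses for `$table_prefix`. `$entity_guid` and `$owner_guid` are inserted as raw SQL by design, so the docblock should say they must be trusted column expressions or integer-cast GUIDs and never request data. The heredoc opening appears garbled on this page, so the first line of the fragment could not be checked.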
@@ -198,10 +234,23 @@
 $friends_bit = $table_prefix.'access_id = '.ACCESS_FRIENDS.' AND ';
 $friends_bit .= "{$table_prefix}owner_guid IN (SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships WHERE relationship='friend' AND guid_two=$owner)";
 $friends_bit = '('.$friends_bit.') OR ';
+
+ if ($CONFIG->user_block_and_filter_enabled) {
+ // check to see if the user is in the entity owner's block list
+ // or if the entity owner is in the user's filter list
+ // if so, disallow access
+
+ $enemies_bit = get_annotation_sql('elgg_block_list',"{$table_prefix}owner_guid",$owner,false);
+ $enemies_bit = '('.$enemies_bit. ' AND '.get_annotation_sql('elgg_filter_list',$owner,"{$table_prefix}owner_guid",false).')';
+ }
 }
 if (empty($sql))
 $sql = " $friends_bit ({$table_prefix}access_id in {$access} or ({$table_prefix}access_id = " . ACCESS_PRIVATE . " and {$table_prefix}owner_guid = $owner))";
+
+ if ($enemies_bit) {
+ $sql = "$enemies_bit AND ($sql)";
+ }
 if (!$ENTITY_SHOW_HIDDEN_OVERRIDE)
 $sql .= " and {$table_prefix}enabled='yes'";
-- cgit v1.2.3
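Review bot: Both list checks in the `user_block_and_filter_enabled` branch key the row on the restricted user's side: for `elgg_block_list` the call passes `$owner` as `$owner_guid`, so the block entry is an annotation on the content owner's entity that is owned by the blocked viewer. If annotation owners can edit or delete their own annotations (that code is not visible here), the viewer could remove the entry that is meant to restrict them, so the write path should allow only the list holder to create or delete these rows. I would document the layout above the calls, e.g. `// block/filter rows: entity_guid = list holder, owner_guid = listed user; only the list holder may write them`. `$CONFIG->user_block_and_filter_enabled` is also read without a default, so `!empty($CONFIG->user_block_and_filter_enabled)` avoids a notice on sites that never set it. get_access_sql_suffix starts and ends outside this hunk, so how `$owner` is validated before it reaches the SQL cannot be seen.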