<?php
/**
 * Functions for Elgg's access system for entities, metadata, and annotations.
 *
 * Access is generally saved in the database as access_id.  This corresponds to
 * one of the ACCESS_* constants defined in {@link elgglib.php} or the ID of an
 * access collection.
 *
 * @package Elgg.Core
 * @subpackage Access
 * @link http://docs.elgg.org/Access
 */

/**
 * Return a string of access_ids for $user_id appropriate for inserting into an SQL IN clause.
 *
 * @uses get_access_array
 *
 * @link http://docs.elgg.org/Access
 * @see get_access_array()
 *
 * @param int  $user_id User ID; defaults to currently logged in user
 * @param int  $site_id Site ID; defaults to current site
 * @param bool $flush   If set to true, will refresh the access list from the
 *                      database rather than using this function's cache.
 *
 * @return string A list of access collections suitable for using in an SQL call
 * @access private
 */
function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
	global $CONFIG, $init_finished;
	static $access_list;

	if (!isset($access_list)) {
		$access_list = array();
	}

	if ($user_id == 0) {
		$user_id = elgg_get_logged_in_user_guid();
	}

	if (($site_id == 0) && (isset($CONFIG->site_id))) {
		$site_id = $CONFIG->site_id;
	}
	$user_id = (int) $user_id;
	$site_id = (int) $site_id;

	if (isset($access_list[$user_id]) && $flush == false) {
		return $access_list[$user_id];
	}

	$access = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";

	// only cache if done with init and access is enabled (unless admin user)
	// session is loaded before init is finished, so don't need to check for user session
	if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
		$access_list[$user_id] = $access;
		return $access_list[$user_id];
	} else {
		return $access;
	}
}

/**
 * Returns an array of access IDs a user is permitted to see.
 *
 * Can be overridden with the 'access:collections:read', 'user' plugin hook.
 *
 * This returns a list of all the collection ids a user owns or belongs
 * to plus public and logged in access levels. If the user is an admin, it includes
 * the private access level.
 *
 * @internal this is only used in core for creating the SQL where clause when
 * retrieving content from the database. The friends access level is handled by
 * get_access_sql_suffix().
 *
 * @see get_write_access_array() for the access levels that a user can write to.
 *
 * @param int  $user_id User ID; defaults to currently logged in user
 * @param int  $site_id Site ID; defaults to current site
 * @param bool $flush   If set to true, will refresh the access ids from the
 *                      database rather than using this function's cache.
 *
 * @return array An array of access collections ids
 */
function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
	global $CONFIG, $init_finished;

	// @todo everything from the db is cached.
	// this cache might be redundant. But db cache is flushed on every db write.
	static $access_array;

	if (!isset($access_array)) {
		$access_array = array();
	}

	if ($user_id == 0) {
		$user_id = elgg_get_logged_in_user_guid();
	}

	if (($site_id == 0) && (isset($CONFIG->site_guid))) {
		$site_id = $CONFIG->site_guid;
	}

	$user_id = (int) $user_id;
	$site_id = (int) $site_id;

	if (empty($access_array[$user_id]) || $flush == true) {
		$tmp_access_array = array(ACCESS_PUBLIC);

		// The following can only return sensible data if the user is logged in.
		if (elgg_is_logged_in()) {
			$tmp_access_array[] = ACCESS_LOGGED_IN;

			// Get ACL memberships
			$query = "SELECT am.access_collection_id"
				. " FROM {$CONFIG->dbprefix}access_collection_membership am"
				. " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id"
				. " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";

			if ($collections = get_data($query)) {
				foreach ($collections as $collection) {
					if (!empty($collection->access_collection_id)) {
						$tmp_access_array[] = (int)$collection->access_collection_id;
					}
				}
			}

			// Get ACLs owned.
			$query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag ";
			$query .= "WHERE ag.owner_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";

			if ($collections = get_data($query)) {
				foreach ($collections as $collection) {
					if (!empty($collection->id)) {
						$tmp_access_array[] = (int)$collection->id;
					}
				}
			}

			$ignore_access = elgg_check_access_overrides($user_id);

			if ($ignore_access == true) {
				$tmp_access_array[] = ACCESS_PRIVATE;
			}

			// only cache if done with init and access is enabled (unless admin user)
			// session is loaded before init is finished, so don't need to check for user session
			if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
				$access_array[$user_id] = $tmp_access_array;
			}
		}
	} else {
		$tmp_access_array = $access_array[$user_id];
	}

	$options = array('user_id' => $user_id, 'site_id' => $site_id);
	return elgg_trigger_plugin_hook('access:collections:read', 'user', $options, $tmp_access_array);
}

/**
 * Gets the default access permission.
 *
 * This returns the default access level for the site or optionally for the user.
 *
 * @param ElggUser $user Get the user's default access. Defaults to logged in user.
 *
 * @return int default access id (see ACCESS defines in elgglib.php)
 * @link http://docs.elgg.org/Access
 */
function get_default_access(ElggUser $user = null) {
	global $CONFIG;

	if (!$CONFIG->allow_user_default_access) {
		return $CONFIG->default_access;
	}

	if (!($user) && (!$user = elgg_get_logged_in_user_entity())) {
		return $CONFIG->default_access;
	}

	if (false !== ($default_access = $user->getPrivateSetting('elgg_default_access'))) {
		return $default_access;
	} else {
		return $CONFIG->default_access;
	}
}

/**
 * Allow disabled entities and metadata to be returned by getter functions
 *
 * @todo Replace this with query object!
 * @global bool $ENTITY_SHOW_HIDDEN_OVERRIDE
 * @access private
 */
$ENTITY_SHOW_HIDDEN_OVERRIDE = false;

/**
 * Show or hide disabled entities.
 *
 * @param bool $show_hidden Show disabled entities.
 * @return void
 * @access private
 */
function access_show_hidden_entities($show_hidden) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE;
	$ENTITY_SHOW_HIDDEN_OVERRIDE = $show_hidden;
}

/**
 * Return current status of showing disabled entities.
 *
 * @return bool
 * @access private
 */
function access_get_show_hidden_status() {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE;
	return $ENTITY_SHOW_HIDDEN_OVERRIDE;
}

/**
 * Returns the SQL where clause for a table with a access_id and enabled columns.
 *
 * This handles returning where clauses for ACCESS_FRIENDS and the currently
 * unused block and filter lists in addition to using get_access_list() for
 * access collections and the standard access levels.
 *
 * @param string $table_prefix Optional table. prefix for the access code.
 * @param int    $owner        The guid to check access for. Defaults to logged in user.
 *
 * @return string The SQL for a where clause
 * @access private
 */
function get_access_sql_suffix($table_prefix = '', $owner = null) {
	global $ENTITY_SHOW_HIDDEN_OVERRIDE, $CONFIG;

	$sql = "";
	$friends_bit = "";
	$enemies_bit = "";

	if ($table_prefix) {
		$table_prefix = sanitise_string($table_prefix) . ".";
	}

	if (!isset($owner)) {
		$owner = elgg_get_logged_in_user_guid();
	}

	if (!$owner) {
		$owner = -1;
	}

	$ignore_access = elgg_check_access_overrides($owner);
	$access = get_access_list($owner);

	if ($ignore_access) {
		$sql = " (1 = 1) ";
	} else if ($owner != -1) {
		// we have an entity's guid and auto check for friend relationships
		$friends_bit = "{$table_prefix}access_id = " . ACCESS_FRIENDS . "
			AND {$table_prefix}owner_guid IN (
				SELECT guid_one FROM {$CONFIG->dbprefix}entity_relationships
				WHERE relationship='friend' AND guid_two=$owner
			)";

		$friends_bit = '(' . $friends_bit . ') OR ';

		// @todo untested and unsupported at present
		if ((isset($CONFIG->user_block_and_filter_enabled)) && ($CONFIG->user_block_and_filter_enabled)) {
			// check to see if the user is in the entity owner's block list
			// or if the entity owner is in the user's filter list
			// if so, disallow access
			$enemies_bit = get_access_restriction_sql('elgg_block_list', "{$table_prefix}owner_guid", $owner, false);
			$enemies_bit = '('
				. $enemies_bit
				. '	AND ' . get_access_restriction_sql('elgg_filter_list', $owner, "{$table_prefix}owner_guid", false)
			. ')';
		}
	}

	if (empty($sql)) {
		$sql = " $friends_bit ({$table_prefix}access_id IN {$access}
			OR ({$table_prefix}owner_guid = {$owner})
			OR (
				{$table_prefix}access_id = " . ACCESS_PRIVATE . "
				AND {$table_prefix}owner_guid = $owner
			)
		)";
	}

	if ($enemies_bit) {
		$sql = "$enemies_bit AND ($sql)";
	}

	if (!$ENTITY_SHOW_HIDDEN_OVERRIDE) {
		$sql .= " and {$table_prefix}enabled='yes'";
	}

	return '(' . $sql . ')';
}

/**
 * Get the where clause for an access restriction based on annotations
 *
 * Returns an SQL fragment that is true (or optionally false) if the given user has
 * added an annotation with the given name to the given entity.
 *
 * @warning this is a private function for an untested capability and will likely
 * be removed from a future version of Elgg.
 *
 * @param string  $annotation_name Name of the annotation
 * @param string  $entity_guid     SQL GUID of entity the annotation is attached to.
 * @param string  $owner_guid      SQL string that evaluates to the GUID of the annotation owner
 * @param boolean $exists          If true, returns BOOL if the annotation exists
 *
 * @return string An SQL fragment suitable for inserting into a WHERE clause
 * @access private
 */
function get_access_restriction_sql($annotation_name, $entity_guid, $owner_guid, $exists) {
	global $CONFIG;

	if ($exists) {
		$not = '';
	} else {
		$not = 'NOT';
	}

	$sql = <<<END
$not EXISTS (SELECT * FROM {$CONFIG->dbprefix}annotations a
INNER JOIN {$CONFIG->dbprefix}metastrings ms ON (a.name_id = ms.id)
WHERE ms.string = '$annotation_name'
AND a.entity_guid = $entity_guid
AND a.owner_guid = $owner_guid)
END;
	return $sql;
}

/**
 * Can a user access an entity.
 *
 * @warning If a logged in user doesn't have access to an entity, the
 * core engine will not load that entity.
 *
 * @tip This is mostly useful for checking if a user other than the logged in
 * user has access to an entity that is currently loaded.
 *
 * @todo This function would be much more useful if we could pass the guid of the
 * entity to test access for. We need to be able to tell whether the entity exists
 * and whether the user has access to the entity.
 *
 * @param ElggEntity $entity The entity to check access for.
 * @param ElggUser   $user   Optionally user to check access for. Defaults to
 *                           logged in user (which is a useless default).
 *
 * @return bool
 * @link http://docs.elgg.org/Access
 */
function has_access_to_entity($entity, $user = null) {
	global $CONFIG;

	if (!isset($user)) {
		$access_bit = get_access_sql_suffix("e");
	} else {
		$access_bit = get_access_sql_suffix("e", $user->getGUID());
	}

	$query = "SELECT guid from {$CONFIG->dbprefix}entities e WHERE e.guid = " . $entity->getGUID();
	// Add access controls
	$query .= " AND " . $access_bit;
	if (get_data($query)) {
		return true;
	} else {
		return false;
	}
}

/**
 * Returns an array of access permissions that the user is allowed to save content with.
 * Permissions returned are of the form (id => 'name').
 *
 * Example return value in English:
 * array(
 *     0 => 'Private',
 *    -2 => 'Friends',
 *     1 => 'Logged in users',
 *     2 => 'Public',
 *    34 => 'My favorite friends',
 * );
 *
 * Plugin hook of 'access:collections:write', 'user'
 *
 * @warning this only returns access collections that the user owns plus the
 * standard access levels. It does not return access collections that the user
 * belongs to such as the access collection for a group.
 *
 * @param int  $user_id The user's GUID.
 * @param int  $site_id The current site.
 * @param bool $flush   If this is set to true, this will ignore a cached access array
 *
 * @return array List of access permissions
 * @link http://docs.elgg.org/Access
 */
function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) {
	global $CONFIG;
	//@todo this is probably not needed since caching happens at the DB level.
	static $access_array;

	if ($user_id == 0) {
		$user_id = elgg_get_logged_in_user_guid();
	}

	if (($site_id == 0) && (isset($CONFIG->site_id))) {
		$site_id = $CONFIG->site_id;
	}

	$user_id = (int) $user_id;
	$site_id = (int) $site_id;

	if (empty($access_array[$user_id]) || $flush == true) {
		$query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag ";
		$query .= " WHERE (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
		$query .= " AND (ag.owner_guid = {$user_id})";
		// ACCESS_PRIVATE through ACCESS_PUBLIC take 0 through 2
		// @todo this AND clause is unnecessary because of id starts at 3 for table
		$query .= " AND ag.id >= 3";

		$tmp_access_array = array(
			ACCESS_PRIVATE => elgg_echo("PRIVATE"),
			ACCESS_FRIENDS => elgg_echo("access:friends:label"),
			ACCESS_LOGGED_IN => elgg_echo("LOGGED_IN"),
			ACCESS_PUBLIC => elgg_echo("PUBLIC")
		);
		$collections = get_data($query);
		if ($collections) {
			foreach ($collections as $collection) {
				$tmp_access_array[$collection->id] = $collection->name;
			}
		}

		$access_array[$user_id] = $tmp_access_array;
	} else {
		$tmp_access_array = $access_array[$user_id];
	}

	$options = array('user_id' => $user_id, 'site_id' => $site_id);
	$tmp_access_array = elgg_trigger_plugin_hook('access:collections:write', 'user',
		$options, $tmp_access_array);

	return $tmp_access_array;
}

/**
 * Can the user change this access collection?
 *
 * Use the plugin hook of 'access:collections:write', 'user' to change this.
 * @see get_write_access_array() for details on the hook.
 *
 * Respects access control disabling for admin users and {@see elgg_set_ignore_access()}
 *
 * @see get_write_access_array()
 *
 * @param int   $collection_id The collection id
 * @param mixed $user_guid     The user GUID to check for. Defaults to logged in user.
 * @return bool
 */
function can_edit_access_collection($collection_id, $user_guid = null) {
	if ($user_guid) {
		$user = get_entity((int) $user_guid);
	} else {
		$user = elgg_get_logged_in_user_entity();
	}

	$collection = get_access_collection($collection_id);

	if (!($user instanceof ElggUser) || !$collection) {
		return false;
	}

	$write_access = get_write_access_array($user->getGUID(), null, true);

	// don't ignore access when checking users.
	if ($user_guid) {
		return array_key_exists($collection_id, $write_access);
	} else {
		return elgg_get_ignore_access() || array_key_exists($collection_id, $write_access);
	}
}

/**
 * Creates a new access collection.
 *
 * Access colletions allow plugins and users to create granular access
 * for entities.
 *
 * Triggers plugin hook 'access:collections:addcollection', 'collection'
 *
 * @internal Access collections are stored in the access_collections table.
 * Memberships to collections are in access_collections_membership.
 *
 * @param string $name       The name of the collection.
 * @param int    $owner_guid The GUID of the owner (default: currently logged in user).
 * @param int    $site_guid  The GUID of the site (default: current site).
 *
 * @return int|false The collection ID if successful and false on failure.
 * @link http://docs.elgg.org/Access/Collections
 * @see update_access_collection()
 * @see delete_access_collection()
 */
function create_access_collection($name, $owner_guid = 0, $site_guid = 0) {
	global $CONFIG;

	$name = trim($name);
	if (empty($name)) {
		return false;
	}

	if ($owner_guid == 0) {
		$owner_guid = elgg_get_logged_in_user_guid();
	}
	if (($site_guid == 0) && (isset($CONFIG->site_guid))) {
		$site_guid = $CONFIG->site_guid;
	}
	$name = sanitise_string($name);

	$q = "INSERT INTO {$CONFIG->dbprefix}access_collections
		SET name = '{$name}',
			owner_guid = {$owner_guid},
			site_guid = {$site_guid}";
	$id = insert_data($q);
	if (!$id) {
		return false;
	}

	$params = array(
		'collection_id' => $id
	);

	if (!elgg_trigger_plugin_hook('access:collections:addcollection', 'collection', $params, true)) {
		return false;
	}

	return $id;
}

/**
 * Updates the membership in an access collection.
 *
 * @warning Expects a full list of all members that should
 * be part of the access collection
 *
 * @note This will run all hooks associated with adding or removing
 * members to access collections.
 *
 * @param int   $collection_id The ID of the collection.
 * @param array $members       Array of member GUIDs
 *
 * @return bool
 * @link http://docs.elgg.org/Access/Collections
 * @see add_user_to_access_collection()
 * @see remove_user_from_access_collection()
 */
function update_access_collection($collection_id, $members) {
	global $CONFIG;

	$acl = get_access_collection($collection_id);

	if (!$acl) {
		return false;
	}
	$members = (is_array($members)) ? $members : array();

	$cur_members = get_members_of_access_collection($collection_id, true);
	$cur_members = (is_array($cur_members)) ? $cur_members : array();

	$remove_members = array_diff($cur_members, $members);
	$add_members = array_diff($members, $cur_members);

	$result = true;

	foreach ($add_members as $guid) {
		$result = $result && add_user_to_access_collection($guid, $collection_id);
	}

	foreach ($remove_members as $guid) {
		$result = $result && remove_user_from_access_collection($guid, $collection_id);
	}

	return $result;
}

/**
 * Deletes a specified access collection and its membership.
 *
 * @param int $collection_id The collection ID
 *
 * @return bool
 * @link http://docs.elgg.org/Access/Collections
 * @see create_access_collection()
 * @see update_access_collection()
 */
function delete_access_collection($collection_id) {
	global $CONFIG;

	$collection_id = (int) $collection_id;
	$params = array('collection_id' => $collection_id);

	if (!elgg_trigger_plugin_hook('access:collections:deletecollection', 'collection', $params, true)) {
		return false;
	}

	// Deleting membership doesn't affect result of deleting ACL.
	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
		WHERE access_collection_id = {$collection_id}";
	delete_data($q);

	$q = "DELETE FROM {$CONFIG->dbprefix}access_collections
		WHERE id = {$collection_id}";
	$result = delete_data($q);

	return (bool)$result;
}

/**
 * Get a specified access collection
 *
 * @note This doesn't return the members of an access collection,
 * just the database row of the actual collection.
 *
 * @see get_members_of_access_collection()
 *
 * @param int $collection_id The collection ID
 *
 * @return object|false
 */
function get_access_collection($collection_id) {
	global $CONFIG;
	$collection_id = (int) $collection_id;

	$query = "SELECT * FROM {$CONFIG->dbprefix}access_collections WHERE id = {$collection_id}";
	$get_collection = get_data_row($query);

	return $get_collection;
}

/**
 * Adds a user to an access collection.
 *
 * Triggers the 'access:collections:add_user', 'collection' plugin hook.
 *
 * @param int $user_guid     The GUID of the user to add
 * @param int $collection_id The ID of the collection to add them to
 *
 * @return bool
 * @see update_access_collection()
 * @see remove_user_from_access_collection()
 * @link http://docs.elgg.org/Access/Collections
 */
function add_user_to_access_collection($user_guid, $collection_id) {
	global $CONFIG;

	$collection_id = (int) $collection_id;
	$user_guid = (int) $user_guid;
	$user = get_user($user_guid);

	$collection = get_access_collection($collection_id);

	if (!($user instanceof Elgguser) || !$collection) {
		return false;
	}

	$params = array(
		'collection_id' => $collection_id,
		'user_guid' => $user_guid
	);

	$result = elgg_trigger_plugin_hook('access:collections:add_user', 'collection', $params, true);
	if ($result == false) {
		return false;
	}

	// if someone tries to insert the same data twice, we do a no-op on duplicate key
	$q = "INSERT INTO {$CONFIG->dbprefix}access_collection_membership
			SET access_collection_id = $collection_id, user_guid = $user_guid
			ON DUPLICATE KEY UPDATE user_guid = user_guid";
	$result = insert_data($q);

	return $result !== false;
}

/**
 * Removes a user from an access collection.
 *
 * Triggers the 'access:collections:remove_user', 'collection' plugin hook.
 *
 * @param int $user_guid     The user GUID
 * @param int $collection_id The access collection ID
 *
 * @return bool
 * @see update_access_collection()
 * @see remove_user_from_access_collection()
 * @link http://docs.elgg.org/Access/Collections
 */
function remove_user_from_access_collection($user_guid, $collection_id) {
	global $CONFIG;

	$collection_id = (int) $collection_id;
	$user_guid = (int) $user_guid;
	$user = get_user($user_guid);

	$collection = get_access_collection($collection_id);

	if (!($user instanceof Elgguser) || !$collection) {
		return false;
	}

	$params = array(
		'collection_id' => $collection_id,
		'user_guid' => $user_guid
	);

	if (!elgg_trigger_plugin_hook('access:collections:remove_user', 'collection', $params, true)) {
		return false;
	}

	$q = "DELETE FROM {$CONFIG->dbprefix}access_collection_membership
		WHERE access_collection_id = {$collection_id}
			AND user_guid = {$user_guid}";

	return (bool)delete_data($q);
}

/**
 * Returns an array of database row objects of the access collections owned by $owner_guid.
 *
 * @param int $owner_guid The entity guid
 * @param int $site_guid  The GUID of the site (default: current site).
 *
 * @return array|false
 * @see add_access_collection()
 * @see get_members_of_access_collection()
 * @link http://docs.elgg.org/Access/Collections
 */
function get_user_access_collections($owner_guid, $site_guid = 0) {
	global $CONFIG;
	$owner_guid = (int) $owner_guid;
	$site_guid = (int) $site_guid;

	if (($site_guid == 0) && (isset($CONFIG->site_guid))) {
		$site_guid = $CONFIG->site_guid;
	}

	$query = "SELECT * FROM {$CONFIG->dbprefix}access_collections
			WHERE owner_guid = {$owner_guid}
			AND site_guid = {$site_guid}";

	$collections = get_data($query);

	return $collections;
}

/**
 * Get all of members of an access collection
 *
 * @param int  $collection The collection's ID
 * @param bool $idonly     If set to true, will only return the members' GUIDs (default: false)
 *
 * @return array ElggUser guids or entities if successful, false if not
 * @see add_user_to_access_collection()
 * @see http://docs.elgg.org/Access/Collections
 */
function get_members_of_access_collection($collection, $idonly = FALSE) {
	global $CONFIG;
	$collection = (int)$collection;

	if (!$idonly) {
		$query = "SELECT e.* FROM {$CONFIG->dbprefix}access_collection_membership m"
			. " JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid"
			. " WHERE m.access_collection_id = {$collection}";
		$collection_members = get_data($query, "entity_row_to_elggstar");
	} else {
		$query = "SELECT e.guid FROM {$CONFIG->dbprefix}access_collection_membership m"
			. " JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.user_guid"
			. " WHERE m.access_collection_id = {$collection}";
		$collection_members = get_data($query);
		if (!$collection_members) {
			return FALSE;
		}
		foreach ($collection_members as $key => $val) {
			$collection_members[$key] = $val->guid;
		}
	}

	return $collection_members;
}

/**
 * Return entities based upon access id.
 *
 * @param array $options Any options accepted by {@link elgg_get_entities()} and
 * 	access_id => int The access ID of the entity.
 *
 * @see elgg_get_entities()
 * @return mixed If count, int. If not count, array. false on errors.
 * @since 1.7.0
 */
function elgg_get_entities_from_access_id(array $options = array()) {
	// restrict the resultset to access collection provided
	if (!isset($options['access_id'])) {
		return FALSE;
	}

	// @todo add support for an array of collection_ids
	$where = "e.access_id = '{$options['access_id']}'";
	if (isset($options['wheres'])) {
		if (is_array($options['wheres'])) {
			$options['wheres'][] = $where;
		} else {
			$options['wheres'] = array($options['wheres'], $where);
		}
	} else {
		$options['wheres'] = array($where);
	}

	// return entities with the desired options
	return elgg_get_entities($options);
}

/**
 * Lists entities from an access collection
 *
 * @param array $options See elgg_list_entities() and elgg_get_entities_from_access_id()
 * 
 * @see elgg_list_entities()
 * @see elgg_get_entities_from_access_id()
 * 
 * @return string
 */
function elgg_list_entities_from_access_id(array $options = array()) {
	return elgg_list_entities($options, 'elgg_get_entities_from_access_id');
}

/**
 * Return the name of an ACCESS_* constant or a access collection,
 * but only if the user has write access on that ACL.
 *
 * @warning This function probably doesn't work how it's meant to.
 *
 * @param int $entity_access_id The entity's access id
 *
 * @return string 'Public', 'Private', etc.
 * @since 1.7.0
 * @todo I think this probably wants get_access_array() instead of get_write_access_array(),
 * but those two functions return different types of arrays.
 */
function get_readable_access_level($entity_access_id) {
	$access = (int) $entity_access_id;

	//get the access level for object in readable string
	$options = get_write_access_array();

	if (array_key_exists($access, $options)) {
		return $options[$access];
	}

	// return 'Limited' if the user does not have access to the access collection
	return elgg_echo('access:limited:label');
}

/**
 * Set if entity access system should be ignored.
 *
 * The access system will not return entities in any getter
 * functions if the user doesn't have access.
 *
 * @internal For performance reasons this is done at the database access clause level.
 *
 * @tip Use this to access entities in automated scripts
 * when no user is logged in.
 *
 * @warning This will not show disabled entities.
 * Use {@link access_show_hidden_entities()} to access disabled entities.
 *
 * @param bool $ignore If true, disables all access checks.
 *
 * @return bool Previous ignore_access setting.
 * @since 1.7.0
 * @see http://docs.elgg.org/Access/IgnoreAccess
 * @see elgg_get_ignore_access()
 */
function elgg_set_ignore_access($ignore = true) {
	$elgg_access = elgg_get_access_object();
	return $elgg_access->setIgnoreAccess($ignore);
}

/**
 * Get current ignore access setting.
 *
 * @return bool
 * @since 1.7.0
 * @see http://docs.elgg.org/Access/IgnoreAccess
 * @see elgg_set_ignore_access()
 */
function elgg_get_ignore_access() {
	return elgg_get_access_object()->getIgnoreAccess();
}

/**
 * Decides if the access system should be ignored for a user.
 *
 * Returns true (meaning ignore access) if either of these 2 conditions are true:
 *   1) an admin user guid is passed to this function.
 *   2) {@link elgg_get_ignore_access()} returns true.
 *
 * @see elgg_set_ignore_access()
 *
 * @param int $user_guid The user to check against.
 *
 * @return bool
 * @since 1.7.0
 */
function elgg_check_access_overrides($user_guid = 0) {
	if (!$user_guid || $user_guid <= 0) {
		$is_admin = false;
	} else {
		$is_admin = elgg_is_admin_user($user_guid);
	}

	return ($is_admin || elgg_get_ignore_access());
}

/**
 * Returns the ElggAccess object.
 *
 * // @todo comment is incomplete
 * This is used to
 *
 * @return ElggAccess
 * @since 1.7.0
 * @access private
 */
function elgg_get_access_object() {
	static $elgg_access;

	if (!$elgg_access) {
		$elgg_access = new ElggAccess();
	}

	return $elgg_access;
}

/**
 * A flag to set if Elgg's access initialization is finished.
 *
 * @global bool $init_finished
 * @access private
 * @todo This is required to tell the access system to start caching because
 * calls are made while in ignore access mode and before the user is logged in.
 */
$init_finished = false;

/**
 * A quick and dirty way to make sure the access permissions have been correctly set up
 *
 * @elgg_event_handler init system
 * @todo Invesigate
 *
 * @return void
 */
function access_init() {
	global $init_finished;
	$init_finished = true;
}

/**
 * Overrides the access system if appropriate.
 *
 * Allows admin users and calls after {@link elgg_set_ignore_access} to
 * bypass the access system.
 *
 * Registered for the 'permissions_check', 'all' and the 
 * 'container_permissions_check', 'all' plugin hooks.
 *
 * Returns true to override the access system or null if no change is needed.
 *
 * @return true|null
 * @access private
 */
function elgg_override_permissions($hook, $type, $value, $params) {
	$user = elgg_extract('user', $params);
	if ($user) {
		$user_guid = $user->getGUID();
	} else {
		$user_guid = elgg_get_logged_in_user_guid();
	}

	// don't do this so ignore access still works with no one logged in
	//if (!$user instanceof ElggUser) {
	//	return false;
	//}

	// check for admin
	if ($user_guid && elgg_is_admin_user($user_guid)) {
		return true;
	}

	// check access overrides
	if ((elgg_check_access_overrides($user_guid))) {
		return true;
	}

	// consult other hooks
	return NULL;
}

/**
 * Runs unit tests for the entities object.
 * @access private
 */
function access_test($hook, $type, $value, $params) {
	global $CONFIG;
	$value[] = $CONFIG->path . 'engine/tests/api/access_collections.php';
	return $value;
}

// Tell the access functions the system has booted, plugins are loaded,
// and the user is logged in so it can start caching
elgg_register_event_handler('ready', 'system', 'access_init');

// For overrided permissions
elgg_register_plugin_hook_handler('permissions_check', 'all', 'elgg_override_permissions');
elgg_register_plugin_hook_handler('container_permissions_check', 'all', 'elgg_override_permissions');

elgg_register_plugin_hook_handler('unit_test', 'system', 'access_test');