Commit 8912abba03eef0daa55323a1d8add04dc3ac9cc8
1 parent
9ed687fc
added permission checks before returning browse results
git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@333 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
61 additions
and
42 deletions
lib/documentmanagement/DocumentBrowser.inc
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | +require_once("$default->owl_fs_root/lib/security/permission.inc"); | |
| 4 | + | |
| 3 | 5 | /** |
| 4 | 6 | * $Id$ |
| 5 | 7 | * |
| ... | ... | @@ -75,50 +77,61 @@ class DocumentBrowser { |
| 75 | 77 | |
| 76 | 78 | // retrieve folder details |
| 77 | 79 | $folders = $this->retrieveFolderDetails($folderQuery); |
| 78 | - // lookup the name of the root folder | |
| 79 | - $folderName = lookupField($default->owl_folders_table, "name", "id", $folderID); | |
| 80 | - | |
| 81 | - $default->log->debug("DocumentBrowser::browseByFolder folderID=$folderID; folderName=$folderName"); | |
| 82 | - $default->log->debug("DocumentBrowser::browseByFolder folders=" . arrayToString($folders)); | |
| 83 | - | |
| 84 | - // now find all the child folders relative to this one | |
| 85 | - $folderQuery = "SELECT * from $default->owl_folders_table WHERE parent_id=" . $folderID; | |
| 86 | - $default->log->debug("DocumentBrowser::browseByFolder child folder query=$folderQuery"); | |
| 87 | - $childFolders = $this->retrieveFolderDetails($folderQuery); | |
| 88 | - $default->log->debug("DocumentBrowser::browseByFolder childFolders=" . arrayToString($childFolders)); | |
| 89 | - | |
| 90 | - // add children to array | |
| 91 | - $folders[$folderName]["folders"] = $childFolders; | |
| 92 | 80 | |
| 93 | - // create query to retrieve documents in this folder | |
| 94 | - $documentQuery = "SELECT * FROM $default->owl_documents_table WHERE folder_id=$folderID"; | |
| 95 | - $default->log->debug("DocumentBrowser::browseByFolder about to execute $documentQuery"); | |
| 96 | - if ($sql->query($documentQuery)) { | |
| 97 | - while ($sql->next_record()) { | |
| 98 | - $default->log->debug("DocumentBrowser::browseByFolder got the next document record"); | |
| 99 | - // add documents to array | |
| 100 | - $documentName = $sql->f("name"); | |
| 101 | - // set file attributes | |
| 102 | - $folders[$folderName]["documents"][$documentName] = | |
| 103 | - array("id" => $sql->f("id"), | |
| 104 | - "document_type_id" => $sql->f("id"), | |
| 105 | - "name" => $documentName, | |
| 106 | - "filename" => $sql->f("filename"), | |
| 107 | - "size" => $sql->f("size"), | |
| 108 | - "creator_id" => $sql->f("creator_id"), | |
| 109 | - "modified" => $sql->f("modified"), | |
| 110 | - "description" => $sql->f("description"), | |
| 111 | - "mime_id" => $sql->f("mime_id"), | |
| 112 | - "folder_id" => $sql->f("folder_id"), | |
| 113 | - "major_version" => $sql->f("major_version"), | |
| 114 | - "minor_version" => $sql->f("minor_version"), | |
| 115 | - "is_checked_out" => $sql->f("is_checked_out")); | |
| 81 | + // check if the user has access to this folder | |
| 82 | + if (Permission::userHasFolderReadPermission($folderID)) { | |
| 83 | + | |
| 84 | + // lookup the name of the root folder | |
| 85 | + $folderName = lookupField($default->owl_folders_table, "name", "id", $folderID); | |
| 86 | + | |
| 87 | + $default->log->debug("DocumentBrowser::browseByFolder folderID=$folderID; folderName=$folderName"); | |
| 88 | + $default->log->debug("DocumentBrowser::browseByFolder folders=" . arrayToString($folders)); | |
| 89 | + | |
| 90 | + // now find all the child folders relative to this one | |
| 91 | + $folderQuery = "SELECT * from $default->owl_folders_table WHERE parent_id=" . $folderID; | |
| 92 | + $default->log->debug("DocumentBrowser::browseByFolder child folder query=$folderQuery"); | |
| 93 | + $childFolders = $this->retrieveFolderDetails($folderQuery); | |
| 94 | + $default->log->debug("DocumentBrowser::browseByFolder childFolders=" . arrayToString($childFolders)); | |
| 95 | + | |
| 96 | + // add children to array | |
| 97 | + $folders[$folderName]["folders"] = $childFolders; | |
| 98 | + | |
| 99 | + // create query to retrieve documents in this folder | |
| 100 | + $documentQuery = "SELECT * FROM $default->owl_documents_table WHERE folder_id=$folderID"; | |
| 101 | + $default->log->debug("DocumentBrowser::browseByFolder about to execute $documentQuery"); | |
| 102 | + if ($sql->query($documentQuery)) { | |
| 103 | + while ($sql->next_record()) { | |
| 104 | + // check permissions | |
| 105 | + if (Permission::userHasDocumentReadPermission($sql->f("id"))) { | |
| 106 | + // add documents to array | |
| 107 | + // set file attributes | |
| 108 | + $folders[$folderName]["documents"][$sql->f("name")] = | |
| 109 | + array("id" => $sql->f("id"), | |
| 110 | + "document_type_id" => $documentID, | |
| 111 | + "name" => $documentName, | |
| 112 | + "filename" => $sql->f("filename"), | |
| 113 | + "size" => $sql->f("size"), | |
| 114 | + "creator_id" => $sql->f("creator_id"), | |
| 115 | + "modified" => $sql->f("modified"), | |
| 116 | + "description" => $sql->f("description"), | |
| 117 | + "mime_id" => $sql->f("mime_id"), | |
| 118 | + "folder_id" => $sql->f("folder_id"), | |
| 119 | + "major_version" => $sql->f("major_version"), | |
| 120 | + "minor_version" => $sql->f("minor_version"), | |
| 121 | + "is_checked_out" => $sql->f("is_checked_out")); | |
| 122 | + } | |
| 123 | + } | |
| 124 | + } else { | |
| 125 | + $_SESSION["errorMessage"] = "documents table select failed"; | |
| 116 | 126 | } |
| 127 | + | |
| 128 | + return $folders; | |
| 129 | + | |
| 117 | 130 | } else { |
| 118 | - $_SESSION["errorMessage"] = "documents table select failed"; | |
| 131 | + // permission to view this folder denied | |
| 132 | + $_SESSION["errorMessage"] = "you do not have permission to view this folder (" . $_SESSION["errorMessage"] . ")"; | |
| 133 | + return false; | |
| 119 | 134 | } |
| 120 | - | |
| 121 | - return $folders; | |
| 122 | 135 | } |
| 123 | 136 | |
| 124 | 137 | /** |
| ... | ... | @@ -166,7 +179,10 @@ class DocumentBrowser { |
| 166 | 179 | // loop through resultset and build comma separated list of documentIDs |
| 167 | 180 | $documentIDs = array(); |
| 168 | 181 | while ($sql->next_record()) { |
| 169 | - $documentIDs[] = $sql->f("document_id"); | |
| 182 | + // check permissions | |
| 183 | + if (Permission::userHasDocumentReadPermission($sql->f("document_id"))) { | |
| 184 | + $documentIDs[] = $sql->f("document_id"); | |
| 185 | + } | |
| 170 | 186 | } |
| 171 | 187 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); |
| 172 | 188 | // use lookup function to retrieve details |
| ... | ... | @@ -207,7 +223,10 @@ class DocumentBrowser { |
| 207 | 223 | $documentIDs = array(); |
| 208 | 224 | $sql->query($query); |
| 209 | 225 | while ($sql->next_record()) { |
| 210 | - $documentIDs[] = $sql->f("id"); | |
| 226 | + // check permission | |
| 227 | + if (Permission::userHasDocumentReadPermission($sql->f("id"))) { | |
| 228 | + $documentIDs[] = $sql->f("id"); | |
| 229 | + } | |
| 211 | 230 | } |
| 212 | 231 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); |
| 213 | 232 | // use lookup function to retrieve details | ... | ... |