Commit 8912abba03eef0daa55323a1d8add04dc3ac9cc8
1 parent
9ed687fc
added permission checks before returning browse results
git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@333 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
61 additions
and
42 deletions
lib/documentmanagement/DocumentBrowser.inc
| 1 | <?php | 1 | <?php |
| 2 | 2 | ||
| 3 | +require_once("$default->owl_fs_root/lib/security/permission.inc"); | ||
| 4 | + | ||
| 3 | /** | 5 | /** |
| 4 | * $Id$ | 6 | * $Id$ |
| 5 | * | 7 | * |
| @@ -75,50 +77,61 @@ class DocumentBrowser { | @@ -75,50 +77,61 @@ class DocumentBrowser { | ||
| 75 | 77 | ||
| 76 | // retrieve folder details | 78 | // retrieve folder details |
| 77 | $folders = $this->retrieveFolderDetails($folderQuery); | 79 | $folders = $this->retrieveFolderDetails($folderQuery); |
| 78 | - // lookup the name of the root folder | ||
| 79 | - $folderName = lookupField($default->owl_folders_table, "name", "id", $folderID); | ||
| 80 | - | ||
| 81 | - $default->log->debug("DocumentBrowser::browseByFolder folderID=$folderID; folderName=$folderName"); | ||
| 82 | - $default->log->debug("DocumentBrowser::browseByFolder folders=" . arrayToString($folders)); | ||
| 83 | - | ||
| 84 | - // now find all the child folders relative to this one | ||
| 85 | - $folderQuery = "SELECT * from $default->owl_folders_table WHERE parent_id=" . $folderID; | ||
| 86 | - $default->log->debug("DocumentBrowser::browseByFolder child folder query=$folderQuery"); | ||
| 87 | - $childFolders = $this->retrieveFolderDetails($folderQuery); | ||
| 88 | - $default->log->debug("DocumentBrowser::browseByFolder childFolders=" . arrayToString($childFolders)); | ||
| 89 | - | ||
| 90 | - // add children to array | ||
| 91 | - $folders[$folderName]["folders"] = $childFolders; | ||
| 92 | 80 | ||
| 93 | - // create query to retrieve documents in this folder | ||
| 94 | - $documentQuery = "SELECT * FROM $default->owl_documents_table WHERE folder_id=$folderID"; | ||
| 95 | - $default->log->debug("DocumentBrowser::browseByFolder about to execute $documentQuery"); | ||
| 96 | - if ($sql->query($documentQuery)) { | ||
| 97 | - while ($sql->next_record()) { | ||
| 98 | - $default->log->debug("DocumentBrowser::browseByFolder got the next document record"); | ||
| 99 | - // add documents to array | ||
| 100 | - $documentName = $sql->f("name"); | ||
| 101 | - // set file attributes | ||
| 102 | - $folders[$folderName]["documents"][$documentName] = | ||
| 103 | - array("id" => $sql->f("id"), | ||
| 104 | - "document_type_id" => $sql->f("id"), | ||
| 105 | - "name" => $documentName, | ||
| 106 | - "filename" => $sql->f("filename"), | ||
| 107 | - "size" => $sql->f("size"), | ||
| 108 | - "creator_id" => $sql->f("creator_id"), | ||
| 109 | - "modified" => $sql->f("modified"), | ||
| 110 | - "description" => $sql->f("description"), | ||
| 111 | - "mime_id" => $sql->f("mime_id"), | ||
| 112 | - "folder_id" => $sql->f("folder_id"), | ||
| 113 | - "major_version" => $sql->f("major_version"), | ||
| 114 | - "minor_version" => $sql->f("minor_version"), | ||
| 115 | - "is_checked_out" => $sql->f("is_checked_out")); | 81 | + // check if the user has access to this folder |
| 82 | + if (Permission::userHasFolderReadPermission($folderID)) { | ||
| 83 | + | ||
| 84 | + // lookup the name of the root folder | ||
| 85 | + $folderName = lookupField($default->owl_folders_table, "name", "id", $folderID); | ||
| 86 | + | ||
| 87 | + $default->log->debug("DocumentBrowser::browseByFolder folderID=$folderID; folderName=$folderName"); | ||
| 88 | + $default->log->debug("DocumentBrowser::browseByFolder folders=" . arrayToString($folders)); | ||
| 89 | + | ||
| 90 | + // now find all the child folders relative to this one | ||
| 91 | + $folderQuery = "SELECT * from $default->owl_folders_table WHERE parent_id=" . $folderID; | ||
| 92 | + $default->log->debug("DocumentBrowser::browseByFolder child folder query=$folderQuery"); | ||
| 93 | + $childFolders = $this->retrieveFolderDetails($folderQuery); | ||
| 94 | + $default->log->debug("DocumentBrowser::browseByFolder childFolders=" . arrayToString($childFolders)); | ||
| 95 | + | ||
| 96 | + // add children to array | ||
| 97 | + $folders[$folderName]["folders"] = $childFolders; | ||
| 98 | + | ||
| 99 | + // create query to retrieve documents in this folder | ||
| 100 | + $documentQuery = "SELECT * FROM $default->owl_documents_table WHERE folder_id=$folderID"; | ||
| 101 | + $default->log->debug("DocumentBrowser::browseByFolder about to execute $documentQuery"); | ||
| 102 | + if ($sql->query($documentQuery)) { | ||
| 103 | + while ($sql->next_record()) { | ||
| 104 | + // check permissions | ||
| 105 | + if (Permission::userHasDocumentReadPermission($sql->f("id"))) { | ||
| 106 | + // add documents to array | ||
| 107 | + // set file attributes | ||
| 108 | + $folders[$folderName]["documents"][$sql->f("name")] = | ||
| 109 | + array("id" => $sql->f("id"), | ||
| 110 | + "document_type_id" => $documentID, | ||
| 111 | + "name" => $documentName, | ||
| 112 | + "filename" => $sql->f("filename"), | ||
| 113 | + "size" => $sql->f("size"), | ||
| 114 | + "creator_id" => $sql->f("creator_id"), | ||
| 115 | + "modified" => $sql->f("modified"), | ||
| 116 | + "description" => $sql->f("description"), | ||
| 117 | + "mime_id" => $sql->f("mime_id"), | ||
| 118 | + "folder_id" => $sql->f("folder_id"), | ||
| 119 | + "major_version" => $sql->f("major_version"), | ||
| 120 | + "minor_version" => $sql->f("minor_version"), | ||
| 121 | + "is_checked_out" => $sql->f("is_checked_out")); | ||
| 122 | + } | ||
| 123 | + } | ||
| 124 | + } else { | ||
| 125 | + $_SESSION["errorMessage"] = "documents table select failed"; | ||
| 116 | } | 126 | } |
| 127 | + | ||
| 128 | + return $folders; | ||
| 129 | + | ||
| 117 | } else { | 130 | } else { |
| 118 | - $_SESSION["errorMessage"] = "documents table select failed"; | 131 | + // permission to view this folder denied |
| 132 | + $_SESSION["errorMessage"] = "you do not have permission to view this folder (" . $_SESSION["errorMessage"] . ")"; | ||
| 133 | + return false; | ||
| 119 | } | 134 | } |
| 120 | - | ||
| 121 | - return $folders; | ||
| 122 | } | 135 | } |
| 123 | 136 | ||
| 124 | /** | 137 | /** |
| @@ -166,7 +179,10 @@ class DocumentBrowser { | @@ -166,7 +179,10 @@ class DocumentBrowser { | ||
| 166 | // loop through resultset and build comma separated list of documentIDs | 179 | // loop through resultset and build comma separated list of documentIDs |
| 167 | $documentIDs = array(); | 180 | $documentIDs = array(); |
| 168 | while ($sql->next_record()) { | 181 | while ($sql->next_record()) { |
| 169 | - $documentIDs[] = $sql->f("document_id"); | 182 | + // check permissions |
| 183 | + if (Permission::userHasDocumentReadPermission($sql->f("document_id"))) { | ||
| 184 | + $documentIDs[] = $sql->f("document_id"); | ||
| 185 | + } | ||
| 170 | } | 186 | } |
| 171 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); | 187 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); |
| 172 | // use lookup function to retrieve details | 188 | // use lookup function to retrieve details |
| @@ -207,7 +223,10 @@ class DocumentBrowser { | @@ -207,7 +223,10 @@ class DocumentBrowser { | ||
| 207 | $documentIDs = array(); | 223 | $documentIDs = array(); |
| 208 | $sql->query($query); | 224 | $sql->query($query); |
| 209 | while ($sql->next_record()) { | 225 | while ($sql->next_record()) { |
| 210 | - $documentIDs[] = $sql->f("id"); | 226 | + // check permission |
| 227 | + if (Permission::userHasDocumentReadPermission($sql->f("id"))) { | ||
| 228 | + $documentIDs[] = $sql->f("id"); | ||
| 229 | + } | ||
| 211 | } | 230 | } |
| 212 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); | 231 | $default->log->debug("DocumentBrowser::browseByCategory documentIDs=" . arrayToString($documentIDs)); |
| 213 | // use lookup function to retrieve details | 232 | // use lookup function to retrieve details |