Coding standards
Security in ResourceSpace
Developer reference
Database
Action functions
Admin functions
Ajax functions
Annotation functions
API functions
Collections functions
Comment functions
Config functions
CSV export functions
Dash functions
Debug functions
Encryption functions
Facial recognition functions
File functions
General functions
Language functions
Log functions
Login functions
Message functions
Migration functions
Node functions
PDF functions
Plugin functions
Render functions
Reporting functions
Request functions
Research functions
Slideshow functions
Theme permission functions
User functions
Video functions
Database functions
Metadata functions
Resource functions
Search functions
Map functions
Job functions
Tab functions
Test functions

get_resource_access()

Description

Retrieves the access level for the currently logged-in user for a specified resource.

The access levels returned are:
- 0 = Full Access (download all sizes)
- 1 = Restricted Access (download only those sizes that are set to allow restricted downloads)
- 2 = Confidential (no access)

Parameters

ColumnTypeDefaultDescription
$resource int|array The reference ID of the resource or a resource data array.

Return

int The access level for the resource.

Location

include/resource_functions.php lines 5383 to 5593

Definition

 
function get_resource_access($resource)
    {
    global 
$customgroupaccess,$customuseraccess$internal_share_access$k,$uploader_view_override$userref$open_access_for_contributor,
        
$userref,$usergroup$usersearchfilter$search_all_workflow_states,
        
$userderestrictfilter$userdata$custom_access;
    
    
$passthru="no";

    
// get_resource_data doesn't contain permissions, so fix for the case that such an array could be passed into this function unintentionally.
    
if (is_array($resource) && !isset($resource['group_access']) && !isset($resource['user_access'])){$resource=$resource['ref'];}

    if (!
is_array($resource))
        {
        
$resourcedata=get_resource_data($resource,true);
        if(!
$resourcedata)
            { return 
RESOURCE_ACCESS_INVALID_REQUEST; }
        }
    else
        {
        
$resourcedata=$resource;
        
$passthru="yes";
        }

    
$ref=$resourcedata['ref'];
    
$access=$resourcedata["access"];
    
$resource_type=$resourcedata['resource_type'];

    
// Set a couple of flags now that we can check later on if we need to check whether sharing is permitted based on whether access has been specifically granted to user/group
    
$customgroupaccess=false;
    
$customuseraccess=false;

    if(
'' != $k)
        {

        
# External access - check how this was shared.
        
$extaccess ps_value("SELECT access `value` FROM external_access_keys WHERE resource = ? AND access_key = ? AND (expires IS NULL OR expires > NOW())", array("i",$ref,"s",$k), -1);

        if(-
!= $extaccess && (!$internal_share_access || ($internal_share_access && $extaccess $access)))
            {
            return (int) 
$extaccess;
            }
        }

    if (
checkperm("z" $resourcedata['archive']) && !($uploader_view_override && $resourcedata['created_by'] == $userref))
        {
        
// User has no access to this archive state
        
return 2;
        }

    
$usersearchfilter_isvalid false;
    
$usersearchfilter_isset trim($usersearchfilter ?? "") != "";
    if (
$usersearchfilter_isset)
        {
        
# A search filter has been set. Perform filter processing to establish if the user can view this resource.
        # Apply filters by searching for the resource, utilising the existing filter matching in do_search to avoid duplication of logic.
        
$search_all_workflow_states_cache $search_all_workflow_states;
        
$search_all_workflow_states true;
        
$results do_search("!resource" $ref);
        
$search_all_workflow_states $search_all_workflow_states_cache;
        if (
count($results) > 0)
            {
            
$usersearchfilter_isvalid true;
            }
        }

    if (
checkperm("v") && (!$usersearchfilter_isset || $usersearchfilter_isvalid))
        {
        
# Permission to access all resources
        # Always return 0
        
return 0;
        }

    if (
$access == 3)
        {
        
$customgroupaccess true;
        
# Load custom access level
        
if ($passthru == "no")
            {
            
$access get_custom_access($resource$usergroup);
            if (
$access === false)
                {
                
# Custom access disabled? Always return 'open' access for resources marked as custom.
                
$access 0;
                
$customgroupaccess false;
                }
            }
        else
            {
            if (
$custom_access)
                {
                
$access $resource['group_access'];
                }
            else
                {
                
# Custom access disabled? Always return 'open' access for resources marked as custom.
                
$access 0;
                
$customgroupaccess false;
                }
            }
        }

    if (
$access == && get_edit_access($ref,$resourcedata['archive'],$resourcedata))
        {
        
# If access is restricted and user has edit access, grant open access.
        
$access 0;
        }

    if (
$open_access_for_contributor && $resourcedata['created_by'] == $userref)
        {
        
# If user has contributed resource, grant open access and ignore any further filters.
        
return 0;
        }

    
# Check for user-specific and group-specific access (overrides any other restriction)

    // We need to check for custom access either when access is set to be custom or
    // when the user group has restricted access to all resource types or specific resource types
    // are restricted
    
if ($access!=|| !checkperm('g') || checkperm('X' $resource_type) || checkperm("rws{$resourcedata['archive']}"))
        {
        if (
$passthru=="no")
            {
            
$userspecific=get_custom_access_user($resource,$userref);
            
$groupspecific=get_custom_access($resource,$usergroup,false);
            }
        else
            {
            
$userspecific=$resourcedata['user_access'];
            
$groupspecific=$resourcedata['group_access'];
            }
        }
    if (isset(
$userspecific) && $userspecific !== false)
        {
        
$customuseraccess=true;
        return (int) 
$userspecific;
        }        
    if (isset(
$groupspecific) && $groupspecific !== false)
        {
        
$customgroupaccess=true;
        return (int) 
$groupspecific;
        }

    if (
checkperm('T'.$resource_type))
        {
        
// this resource type is always confidential/hidden for this user group
        
return 2;
        }

    if (
$usersearchfilter_isset && !$usersearchfilter_isvalid)
        {
        return 
2# Not found in results, so deny
        
}

    
/*
    Restricted access to all available resources
    OR Restricted access to resources in a particular workflow state
    OR Restricted access to resources of a particular resource type
    UNLESS user/ group has been granted custom (override) access
    */
    
if (
        
$access == 0
        
&& ((!checkperm("g") || checkperm("rws{$resourcedata['archive']}") || checkperm('X'.$resource_type))
        && !
$customgroupaccess
        
&& !$customuseraccess)
        )
        {
        
$access 1;
        }

    
// Check for a derestrict filter, this allows exceptions for users without the 'g' permission who normally have restricted accesss to all available resources)
    
if ($access==&& !checkperm("g") && !checkperm("rws{$resourcedata['archive']}") && !checkperm('X'.$resource_type) && trim((string) $userderestrictfilter) != "")
        {
        if( 
strlen(trim((string) $userderestrictfilter)) > 0
            
&& !is_numeric($userderestrictfilter)
            && 
trim((string) $userdata[0]["derestrict_filter"]) != ""
            
&& $userdata[0]["derestrict_filter_id"] != -1
        
)
            {
            
// Migrate unless marked not to due to failure (flag will be reset if group is edited)
            
$migrateresult migrate_filter($userderestrictfilter);
            
$notification_users get_notification_users();
            global 
$userdata$lang$baseurl;
            if(
is_numeric($migrateresult))
                {
                
// Successfully migrated - now use the new filter
                
ps_query("UPDATE usergroup SET derestrict_filter_id=? WHERE ref=?",array("i",$migrateresult,"i",$usergroup));
                
debug("FILTER MIGRATION: Migrated derestrict_filter_id filter - '" $userderestrictfilter "' filter id#" $migrateresult);
                
$userderestrictfilter $migrateresult;
                }
            elseif(
is_array($migrateresult))
                {
                
debug("FILTER MIGRATION: Error migrating filter: '" $userderestrictfilter "' - " implode('\n' ,$migrateresult));
                
// Error - set flag so as not to reattempt migration and notify admins of failure
                
ps_query("UPDATE usergroup SET derestrict_filter_id='-1' WHERE ref=?",array("i",$usergroup));
                
message_add(array_column($notification_users,"ref"), $lang["filter_migration"] . " - " $lang["filter_migrate_error"] . ": <br/>" implode('\n' ,$migrateresult),generateURL($baseurl "/pages/admin/admin_group_management_edit.php",array("ref"=>$usergroup)));
                }
            }

        if(
is_int_loose($userderestrictfilter) && $userderestrictfilter 0)
            {
            
$matchedfilter filter_check($userderestrictfilterget_resource_nodes($ref));
            if(
$matchedfilter)
                {
                
$access=0;
                
$customgroupaccess true;
                }
            }        
        }

    return (int) 
$access;
    }

This article was last updated 4th December 2024 08:35 Europe/London time based on the source file dated 28th November 2024 12:10 Europe/London time.