content_access.module

<?php

/**
 * @file Content access module file.
 */

/**
 * Implements hook_config_info().
 */
function content_access_config_info()
{
    $prefixes['content_access.settings'] = array(
        'label' => t('Content Access settings'),
        'group' => t('Configuration')
    );
    return $prefixes;
}

/**
 * Implements hook_admin_paths().
 */
function content_access_admin_paths() {
  $paths = array(
    'node/*/access' => TRUE,
  );
  return $paths;
}

/**
 * Implements hook_menu().
 */
function content_access_menu() {
  $items = array();

  $items['node/%node/access'] = array(
    'title' => 'Access control',
    'page callback' => 'backdrop_get_form',
    'page arguments' => array('content_access_page', 1),
    'access callback' => 'content_access_node_page_access',
    'access arguments' => array(1),
    'file' => 'content_access.admin.inc',
    'theme callback' => '_node_custom_theme',
    'type' => MENU_LOCAL_TASK,
    'weight' => 3,
    'context' => MENU_CONTEXT_PAGE | MENU_CONTEXT_INLINE,
  );

  $items['admin/structure/types/manage/%node_type/access'] = array(
    'title' => 'Access control',
    'description' => 'Configure content access control.',
    'page callback' => 'backdrop_get_form',
    'page arguments' => array('content_access_admin_settings', 4),
    'access callback' => 'content_access_admin_settings_access',
    'access arguments' => array(),
    'type' => MENU_LOCAL_TASK,
    'file' => 'content_access.admin.inc',
    'theme callback' => '_node_custom_theme',
    'weight' => 1,
  );

  return $items;
}

/**
 * Implements hook_perm().
 */
function content_access_permission() {
  return array(
    'grant content access' => array(
      'title' => t('Grant content access'),
      'description' => t('View and modify content access for any nodes'),
    ),
    'grant own content access' => array(
      'title' => t('Grant own content access'),
      'description' => t('View and modify content access for own nodes'),
    ),
  );
}

/**
 * Get access tab page for the viewed node.
 */
function content_access_node_page_access($node) {
  global $user;
  return content_access_get_settings('per_node', $node->type) && user_access('grant content access') ||
    content_access_get_settings('per_node', $node->type) && (user_access('grant own content access') && ($user->uid == $node->uid));
}

/**
 * Content access settings for content type.
 */
function content_access_admin_settings_access() {
  return user_access('administer nodes') && user_access('administer content types');
}

/**
 * Implements hook_node_grants().
 */
function content_access_node_grants($account, $op) {
  return array(
    'content_access_author' => array($account->uid),
    'content_access_rid' => array_keys($account->roles),
  );
}

/**
 * Implements hook_node_access_records().
 */
function content_access_node_access_records($node) {
  if (content_access_disabling() || !$node->status) {
    return;
  }

  // Apply per node settings if necessary.
  if (content_access_get_settings('per_node', $node->type)) {
    $grants = array();
    foreach (array('view', 'update', 'delete') as $op) {
      foreach (content_access_get_rids_per_node_op($op, $node) as $rid) {
        $grants[$rid]['grant_' . $op] = 1;
      }
    }
    foreach ($grants as $rid => $grant) {
      $grants[$rid] = content_access_proccess_grant($grant, $rid, $node);
    }

    // Care for the author grant.
    $grant = array();
    foreach (array('view', 'update', 'delete') as $op) {
      // Get all roles that have access to use $op on this node.
      $any_roles = backdrop_map_assoc(content_access_per_node_setting($op, $node));
      $any_roles = $any_roles ? $any_roles : array();
      $any_roles += ($op != 'view') ? content_access_get_settings($op, $node->type) : array();
      $grant['grant_' . $op] = content_access_own_op($node, $any_roles, content_access_get_rids_per_node_op($op . '_own', $node));
    }

    if (array_filter($grant)) {
      $grant['realm'] = 'content_access_author';
      $grants[] = content_access_proccess_grant($grant, $node->uid, $node);
    }
  }
  else {
    // Apply the content type defaults.
    $grants = content_access_get_type_grant($node);
  }

  if (empty($grants)) {
    // This means we grant no access.
    $grants[] = content_access_proccess_grant(array(), 0, $node);
  }
  else {
    content_access_optimize_grants($grants, $node);
  }

  return $grants;
}

/**
 * Implements hook_node_delete().
 */
function content_access_node_delete($node) {
  db_delete('content_access')
    ->condition('nid', $node->nid)
    ->execute();
}

/**
 * Used by the ACL module.
 */
function content_access_enabled() {
  return !content_access_disabling();
}

/**
 * Implements hook_disable().
 */
function content_access_disable() {
  content_access_disabling(TRUE);
}

/**
 * Remembers if we have disabled access.
 */
function content_access_disabling($set = NULL) {
  static $disabling = FALSE;

  if (isset($set)) {
    $disabling = $set;
  }
  return $disabling;
}

/**
 * Return content_access' settings.
 *
 * @param $setting
 *   One of the content_access_available_settings(), e.g. 'view' or 'per_node'.
 *   If 'all' is passed, all available settings are returned.
 * @param $type_name
 *   The name of the content type to return settings for.
 *
 * @return
 *   The value of the given setting or an array of all settings.
 */
function content_access_get_settings($setting, $type_name) {
  $settings = array();
  // $settings = config_get('content_access.settings', 'content_access_' . $type_name);
  $settings += content_access_get_setting_defaults($type_name);
  if ($setting == 'all') {
    return $settings;
  }
  return isset($settings[$setting]) ? $settings[$setting] : NULL;
}

/**
 * Save content_access settings of a content type.
 */
function content_access_set_settings($settings, $type_name) {
  // Do not store default values so we do not have to care about synching our
  // settings with the permissions.
  foreach (content_access_get_setting_defaults($type_name) as $setting => $default_value) {
    if (isset($settings[$setting]) && $settings[$setting] == $default_value) {
      unset($settings[$setting]);
    }
  }
  $config = config('content_access.settings');
  $config->set('content_access_' . $type_name, $settings);
  $config->save();
}

/**
 * Return an array containing all available content_access settings.
 */
function content_access_available_settings() {
  return array('view', 'update', 'delete', 'view_own', 'update_own', 'delete_own', 'per_node', 'priority');
}

/**
 * Defines default values for settings.
 */
function content_access_get_setting_defaults($type) {
  $defaults = array();
  $defaults['view'] = $defaults['view_own'] = array(BACKDROP_ANONYMOUS_RID, BACKDROP_AUTHENTICATED_RID);
  foreach (array('update', 'delete') as $op) {
    $defaults[$op] = content_access_get_permission_access(content_access_get_permission_by_op($op, $type));
    $defaults[$op . '_own'] = content_access_get_permission_access(content_access_get_permission_by_op($op . '_own', $type));
  }
  $defaults['priority'] = 0;
  $defaults['per_node'] = FALSE;
  return $defaults;
}

/**
 * Returns an array of role ids that contain the given permission.
 */
function content_access_get_permission_access($perm, $reset = FALSE) {
  $roles = &backdrop_static(__FUNCTION__, array());

  if ($reset) {
    $roles = array();
  }
  if (!isset($roles[$perm]) && $perm) {
    $roles[$perm] = array_keys(user_roles(0, $perm));
  }
  return isset($roles[$perm]) ? $roles[$perm] : array();
}

/**
 * Gets the name of a permission for the given operation, if there is a suiting one.
 */
function content_access_get_permission_by_op($op, $type) {
  switch ($op) {
    default:
      return FALSE;
    case 'update':
      return 'edit any ' . $type . ' content';
    case 'update_own':
      return 'edit own ' . $type . ' content';
    case 'delete':
      return 'delete any ' . $type . ' content';
    case 'delete_own':
      return 'delete own ' . $type . ' content';
  }
}

/**
 * Returns the default grants for a given node type.
 */
function content_access_get_type_grant($node) {
  // Cache per type default grants in a static array
  static $defaults = array();

  if (!isset($defaults[$node->type])) {
    $grants = array();

    // Only process the 'view' op as node_access() will take care of edit and delete
    foreach (content_access_get_settings('view', $node->type) as $rid) {
      $grants[$rid]['grant_view'] = 1;
      $grants[$rid] = content_access_proccess_grant($grants[$rid], $rid, $node);
    }
    $defaults[$node->type] = $grants;
  }

  // Care for the author grant.
  $grant = $grants = array();
  $grant['grant_view'] = content_access_own_op($node, content_access_get_settings('view', $node->type), content_access_get_settings('view_own', $node->type));
  if ($grant['grant_view']) {
    $grant['realm'] = 'content_access_author';
    $grants = array('author' => content_access_proccess_grant($grant, $node->uid, $node));
  }

  return $defaults[$node->type] + $grants;
}

/**
 * Process a grant, which means add priority, realm and other properties.
 */
function content_access_proccess_grant($grant, $gid, $node) {
  $grant += array('grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'realm' => 'content_access_rid');
  $grant['gid'] = $gid;
  $grant['priority'] = content_access_get_settings('priority', $node->type);
  return $grant;
}

/**
 * Determines the grant for the node author and the given allowed roles of a operation.
 *
 * @param $any_roles
 *   The roles with which anybody has access (not optimized!)
 * @param $own_roles
 *   The roles with which only the author has acess (optimized!)
 */
function content_access_own_op($node, $any_roles, $own_roles) {
  static $roles = array();

  if (!isset($roles[$node->uid])) {
    $roles[$node->uid] = $node->uid ? array(BACKDROP_AUTHENTICATED_RID) : array(BACKDROP_ANONYMOUS_RID);
    $result = db_query('SELECT rid FROM {users_roles} WHERE uid = :uid', array(':uid' => $node->uid));

    foreach ($result as $role) {
      $roles[$node->uid][] = $role->rid;
    }
  }
  if (array_intersect($roles[$node->uid], $any_roles)) {
    // If there is access due to "any permissions" there is no need to at an author grant.
    return 0;
  }
  return array_intersect($roles[$node->uid], $own_roles) ? 1 : 0;
}

/**
 * Returns optimized role ids for the given operation and node to
 * grant access for.
 *
 * If to a role access is granted by permissions, it's not necessary
 * to write a grant for it. So it won't be returned.
 *
 * @param $op
 *   One of the supported operations.
 * @param $node
 *   The node object.
 */
function content_access_get_rids_per_node_op($op, $node) {
  $rids = content_access_per_node_setting($op, $node);

  if ($permission = content_access_get_permission_by_op($op, $node->type)) {
    $perm_roles = content_access_get_permission_access($permission);
    $rids = array_diff($rids, $perm_roles);

    if (in_array(BACKDROP_AUTHENTICATED_RID, $perm_roles)) {
      return in_array(BACKDROP_ANONYMOUS_RID, $rids) ? array(BACKDROP_ANONYMOUS_RID, BACKDROP_AUTHENTICATED_RID) : array(BACKDROP_AUTHENTICATED_RID);
    }
  }
  return $rids;
}


/**
 * Returns the per node role settings. If no per node settings are available,
 * it will return the content type settings.
 *
 * @param $op
 *   One of the supported operations.
 * @param $node
 *   The node object.
 * @param $settings
 *    Optional array used to update the settings cache with the given settings.
 * @return
 *   An array of role ids which have access.
 */
function content_access_per_node_setting($op, $node, $settings = NULL) {
  static $grants = array();

  if (isset($settings)) {
    // Update settings cache
    $grants[$node->nid] = $settings;
    return;
  }

  if (!isset($grants[$node->nid]) || $grants[$node->nid] === FALSE) {
    $grants[$node->nid] = content_access_get_per_node_settings($node);
  }

  // Return the content type defaults if no per node settings are available
  return isset($grants[$node->nid][$op]) ? $grants[$node->nid][$op] : content_access_get_settings($op, $node->type);
}

/**
 * Gets the per node settings of a node.
 *
 * @note
 *   This function won't apply defaults, so if there are no other settings
 *   it will return an empty array.
 */
function content_access_get_per_node_settings($node) {
  foreach (db_query("SELECT settings FROM {content_access} WHERE nid = :nid", array(':nid' => $node->nid)) as $record) {
    $settings = $record->settings;
    if (!$settings) {
      return array();
    }
    return unserialize($settings);
  }
}

/**
 * Saves custom per node settings in the own content_access table.
 */
function content_access_save_per_node_settings($node, $settings) {
  $count = db_select('content_access')
            ->condition('nid', $node->nid)
            ->countQuery()->execute()->fetchField();

  if ($count > 0) {
    db_update('content_access')
      ->condition('nid', $node->nid)
      ->fields(array('settings' => serialize($settings)))
      ->execute();
  }
  else {
    db_insert('content_access')
      ->fields(array('nid' => $node->nid, 'settings' => serialize($settings)))
      ->execute();
  }

  // Make content_access_per_node_setting() use the new settings
  content_access_per_node_setting(NULL, $node, $settings);
}

/**
 * Deletes all custom per node settings, so that content type defaults are used again.
 */
function content_access_delete_per_node_settings($node) {
  db_delete('content_access')
    ->condition('nid', $node->nid)
    ->execute();

  // Clear the cache.
  content_access_per_node_setting(NULL, $node, FALSE);

  // Delete possible acl settings
  if (module_exists('acl')) {
    // @todo why content_access.admin.inc is not loaded before?
    module_load_include('inc', 'content_access', 'content_access.admin');
    foreach (array('view', 'update', 'delete') as $op) {
      $acl_id = content_access_get_acl_id($node, $op);
      acl_delete_acl($acl_id);
    }
  }
}

/**
 * Removes grants that doesn't change anything.
 *
 * @note
 *   The grants are compared with the normal access control settings.
 */
function content_access_optimize_grants(&$grants, $node) {
  $rids = array('view' => array(), 'update' => array(), 'delete' => array());

  foreach ($grants as $key => $grant) {
    foreach (array('view', 'update', 'delete') as $op) {
      if (is_numeric($key) && !empty($grant['grant_' . $op])) {
        $rids[$op][] = $key;
      }
    }
  }

  // Detect if all are allowed to view
  $all = array(BACKDROP_ANONYMOUS_RID, BACKDROP_AUTHENTICATED_RID);
  if (count(array_diff($all, $rids['view'])) == 0) {
    //grant view access to all instead of single roles
    $rids['view'] = array('all');
    $grants['all'] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => content_access_get_settings('priority', $node->type));
  }

  // If authenticated users are involved, remove unnecessary other roles.
  foreach (array('view', 'update', 'delete') as $op) {
    if (in_array(BACKDROP_AUTHENTICATED_RID, $rids[$op])) {
      $rids[$op] = in_array(BACKDROP_ANONYMOUS_RID, $rids[$op]) ? array(BACKDROP_ANONYMOUS_RID, BACKDROP_AUTHENTICATED_RID) : array(BACKDROP_AUTHENTICATED_RID);
    }
  }

  // Now let's remove unnecessary grants, if any.
  foreach ($grants as $key => $grant) {
    if (!is_numeric($key)) {
      continue;
    }
    foreach (array('view', 'update', 'delete') as $op) {
      if ($grant['grant_' . $op] && in_array($key, $rids[$op])) {
        //it's still here, so we can't remove this grant
        continue 2;
      }
    }
    //ok, remove it
    unset($grants[$key]);
  }
}

/**
 * Implements hook_node_type_delete().
 */
function content_access_node_type_delete($info) {
  $config = config('content_access.settings');
  $config->delete('content_access_' . $info->type);
  $config->save();
}

/**
 * Implements hook_node_type_update().
 *
 * Updates settings on node type name change.
 */
function content_access_node_type_update($info) {
  if (!empty($info->old_type) && $info->old_type != $info->type) {
    $settings = content_access_get_settings('all', $info->old_type);
    content_access_set_settings($settings, $info->type);
    $config = config('content_access.settings');
    $config->delete('content_access_' . $info->old_type);
    $config->save();
  }
}

/**
 * Implements hook_node_access_explain().
 */
function content_access_node_access_explain($row) {
  static $roles;

  if (!isset($roles)) {
    $roles = user_roles();
  }
  if (!$row->gid && $row->realm == 'content_access_rid') {
    return t('Content access: No access is granted.');
  }
  switch ($row->realm) {
    case 'content_access_author':
      return t('Content access: author of the content can access');
    case 'content_access_rid':
      return t('Content access: %role can access', array('%role' => $roles[$row->gid]));
  }
}

/**
 * Implements hook_form_alter().
 */
function content_access_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_admin_perm') {
    module_load_include('inc', 'content_access', 'content_access.admin');
    $form['#submit'][] = 'content_access_user_admin_perm_submit';
  }
}

/**
 * Returns an array of possible operations on content and their labels.
 */
function _content_access_get_operations($type = NULL) {
  $operations = array(
    'view' => t('View any @type content', array('@type' => $type)),
    'view_own' => t('View own @type content', array('@type' => $type)),
    'update' => t('Edit any @type content', array('@type' => $type)),
    'update_own' => t('Edit own @type content', array('@type' => $type)),
    'delete' => t('Delete any @type content', array('@type' => $type)),
    'delete_own' => t('Delete own @type content', array('@type' => $type)),
  );
  return $operations;
}

/**
 * Formapi #process callback, that disables checkboxes for roles without access to content
 */
function content_access_disable_checkboxes($element) {
  $access_roles = content_access_get_permission_access('access content');
  $admin_roles = content_access_get_permission_access('administer nodes');

  foreach (element_children($element) as $key) {
    if (!in_array($key, $access_roles) &&
        $key == BACKDROP_ANONYMOUS_RID &&
        !in_array(BACKDROP_AUTHENTICATED_RID, $access_roles)) {
      $element[$key]['#disabled'] = TRUE;
      $element[$key]['#default_value'] = FALSE;
      $element[$key]['#prefix'] = '<span' . backdrop_attributes(array('title' => t("This role is lacking the permission '@perm', so it has no access.", array('@perm' => t('access content'))))) . '>';
      $element[$key]['#suffix'] = "</span>";
    }
    elseif (in_array($key, $admin_roles) ||
            ($key != BACKDROP_ANONYMOUS_RID && in_array(BACKDROP_AUTHENTICATED_RID, $admin_roles))) {
      // Fix the checkbox to be enabled for users with administer node privileges
      $element[$key]['#disabled'] = TRUE;
      $element[$key]['#default_value'] = TRUE;
      $element[$key]['#prefix'] = '<span' . backdrop_attributes(array('title' => t("This role has '@perm' permission, so access is granted.", array('@perm' => t('administer nodes'))))) . '>';
      $element[$key]['#suffix'] = "</span>";
    }
  }

  return $element;
}

/**
 * Gets node's access permissions.
 */
function _content_access_get_node_permissions($type) {
  return array_filter(array_map('content_access_get_permission_by_op', array_flip(_content_access_get_operations()), array_fill(0, 6, $type)));
}

/**
 * Gets the content access acl id of the node.
 */
function content_access_get_acl_id($node, $op) {
  $acl_id = acl_get_id_by_name('content_access', $op . '_' . $node->nid);
  if (!$acl_id) {
    $acl_id = acl_create_new_acl('content_access', $op . '_' . $node->nid);
  }
  return $acl_id;
}

/**
 * Detaches all our ACLs for the nodes of the given type.
 */
function _content_access_remove_acls($type) {
  $result = db_query("SELECT n.nid FROM {node} n WHERE type = :type", array('type' => $type));
  foreach ($result as $node) {
    acl_node_clear_acls($node->nid, 'content_access');
  }
}