#105125: (by moshe) Per field access control; fields will now remove...

#105125: (by moshe) Per field access control; fields will now remove themselves from views if the viewing user does not have access to see the field.

#105125: (by moshe) Per field access control; fields will now remove...
#105125: (by moshe) Per field access control; fields will now remove themselves from views if the viewing user does not have access to see the field.
7ae4dc41 · merlinofchaos · 691c8574 · 7ae4dc41 · 7ae4dc41 · 7ae4dc41
Commit 7ae4dc41 authored Mar 18, 2008 by merlinofchaos
7 changed files
--- a/includes/admin.inc
+++ b/includes/admin.inc
@@ -618,7 +618,7 @@ function template_preprocess_views_ui_edit_view(&$vars) {
  $vars['preview'] = drupal_build_form('views_ui_preview_form', $form_state);

  $vars['locked'] = NULL;
-  if (is_object($view->locked)) {
+  if (isset($view->locked) && is_object($view->locked)) {
    $account = user_load($view->locked->uid);
    $vars['locked'] = theme('username', $account);
    $vars['lock_age'] = format_interval(time() - $view->locked->updated);

--- a/includes/handlers.inc
+++ b/includes/handlers.inc
@@ -238,6 +238,15 @@ class views_handler extends views_object {
   *   - label: The label to use for this piece.
   */
  function exposed_info() { }
+  
+ /**
+  * Check whether current user has access to this handler.
+  *
+  * @return boolean
+  */ 
+  function access() {
+    return TRUE;
+  }

  /**
   * Run before the view is built.

--- a/includes/plugins.inc
+++ b/includes/plugins.inc
@@ -1788,9 +1788,11 @@ class views_plugin_style_table extends views_plugin_style {
   *   An array of all fields; the key is the id of the field and the
   *   value is the id of the column the field should be in.
   */
-  function sanitize_columns($columns) {
+  function sanitize_columns($columns, $fields = NULL) {
    $sanitized = array();
-    $fields = $this->display->handler->get_option('fields');
+    if ($fields === NULL) {
+      $fields = $this->display->handler->get_option('fields');
+    }

    // Preconfigure the sanitized array so that the order is retained.
    foreach ($fields as $field => $info) {

--- a/includes/view.inc
+++ b/includes/view.inc
@@ -276,8 +276,14 @@ class view extends views_db_object {
      $handler = views_get_handler($data['table'], $data['field'], $key);
      if (is_object($handler)) {
        $handler->init($this, $data);
-        // Deal with difficult PHP indirection:
-        $items[$id]['handler'] = $handler;
+        // Remove any handlers which are inaccessible to the current user. For example, see users.mail
+        if ($handler->access()) {
+          // Deal with difficult PHP indirection:
+          $items[$id]['handler'] = $handler;
+        }
+        else { 
+          unset($items[$id]); 
+        }
      }
    }
  }

--- a/modules/user.views.inc
+++ b/modules/user.views.inc
@@ -42,6 +42,21 @@ function user_views_data() {
      'click sortable' => TRUE,
    ),
  );
+
+  // mail
+  // Note that this field implements field level access control. Neato.
+  $data['users']['mail'] = array(
+    'title' => t('E-mail'), // The item it appears as on the UI,
+    'help' => t('Email address for a given user. Only accessible to users with <em>administer users</em> permission'), // The help that appears on the UI,
+    'field' => array(
+      'field' => 'mail', // the real field
+      'group' => t('User'), // The group it appears in on the UI,
+      // TODO: mailto link?
+      'handler' => 'views_handler_field_user_mail',
+      'click sortable' => TRUE,
+    ),
+  );
+
  // uid
  $data['users']['uid'] = array(
    'title' => t('Uid'),
@@ -79,7 +94,7 @@ class views_handler_field_user extends views_handler_field {
   */
  function init(&$view, &$data) {
    parent::init($view, $data);
-    if (!empty($this->options['link_to_user']) && $this->view->base_table != 'user') {
+    if (!empty($this->options['link_to_user']) && $this->view->base_table != 'users') {
      $this->additional_fields[] = 'uid';
      $this->uid_field = 'users_uid';
    }
@@ -119,6 +134,19 @@ class views_handler_field_user extends views_handler_field {
  }
 }

+/**
+ * Field handler to provide acess control for the email field
+ *
+ * @ingroup views_field_handlers
+ */
+class views_handler_field_user_mail extends views_handler_field {
+
+  // An example of field level access control.
+  function access() {
+    return user_access('administer users');
+  }
+}
+
 /**
 * Field handler to provide simple renderer that allows using a themed user link
 *

--- a/theme/theme.inc
+++ b/theme/theme.inc
@@ -116,9 +116,8 @@ function template_preprocess_views_view_table(&$vars) {
  $options  = $view->style_handler->options;
  $handler  = $view->style_handler;

-  $columns  = $handler->sanitize_columns($options['columns']);
-
  $fields   = $view->field;
+  $columns  = $handler->sanitize_columns($options['columns'], $fields);

  $active   = !empty($handler->active) ? $handler->active : '';
  $order    = !empty($handler->order) ? $handler->order : 'asc';

--- a/views_ui.module
+++ b/views_ui.module
@@ -227,9 +227,11 @@ function views_ui_cache_load($name) {
      $view = drupal_clone($v);
    }

-    // Check to see if someone else is already editing this view.
-    global $user;
-    $view->locked = db_fetch_object(db_query("SELECT s.uid, v.updated FROM {views_object_cache} v INNER JOIN {sessions}  s ON v.sid = s.sid WHERE s.uid != %d and v.name = '%s' and v.obj = 'view' ORDER BY v.updated ASC", $user->uid, $view->name));
+    if (!empty($view)) {
+      // Check to see if someone else is already editing this view.
+      global $user;
+      $view->locked = db_fetch_object(db_query("SELECT s.uid, v.updated FROM {views_object_cache} v INNER JOIN {sessions}  s ON v.sid = s.sid WHERE s.uid != %d and v.name = '%s' and v.obj = 'view' ORDER BY v.updated ASC", $user->uid, $view->name));
+    }
  }

  if (empty($view)) {