Commit 7ae4dc41 authored by merlinofchaos's avatar merlinofchaos

#105125: (by moshe) Per field access control; fields will now remove...

#105125: (by moshe) Per field access control; fields will now remove themselves from views if the viewing user does not have access to see the field.
parent 691c8574
......@@ -618,7 +618,7 @@ function template_preprocess_views_ui_edit_view(&$vars) {
$vars['preview'] = drupal_build_form('views_ui_preview_form', $form_state);
$vars['locked'] = NULL;
if (is_object($view->locked)) {
if (isset($view->locked) && is_object($view->locked)) {
$account = user_load($view->locked->uid);
$vars['locked'] = theme('username', $account);
$vars['lock_age'] = format_interval(time() - $view->locked->updated);
......
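Review bot: `$vars['lock_age']` is assigned only inside the newly guarded branch while `$vars['locked']` is initialized to NULL beforehand, so a template that reads `lock_age` when nobody holds the lock gets an undefined index; initialize it alongside, `$vars['lock_age'] = NULL;`, right after `$vars['locked'] = NULL;`. The added `isset()` is the right guard, since `views_ui_cache_load()` now leaves `locked` unset when no view was loaded. template_preprocess_views_ui_edit_view continues outside the hunk.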
......@@ -238,6 +238,15 @@ class views_handler extends views_object {
* - label: The label to use for this piece.
*/
function exposed_info() { }
/**
* Check whether current user has access to this handler.
*
* @return boolean
*/
function access() {
return TRUE;
}
/**
* Run before the view is built.
......
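Review bot: The new `access()` docblock says only that it checks the current user; it should also state the consequence, because the handler-loading loop in the view class drops any handler whose `access()` returns FALSE, and the decision is made once against the global user at init time rather than per row. Suggested docblock body: `Check whether the current user may use this handler. Handlers returning FALSE are removed from the view when its handlers are initialized, so they take no part in the query or the output. Evaluated once against the global $user.` Consider also mirroring user_access() with an optional `$account = NULL` parameter (`function access($account = NULL)`) so a subclass can evaluate access for a given user, though nothing in this change requires it. The views_handler class continues outside the hunk.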
......@@ -1788,9 +1788,11 @@ class views_plugin_style_table extends views_plugin_style {
* An array of all fields; the key is the id of the field and the
* value is the id of the column the field should be in.
*/
function sanitize_columns($columns) {
function sanitize_columns($columns, $fields = NULL) {
$sanitized = array();
$fields = $this->display->handler->get_option('fields');
if ($fields === NULL) {
$fields = $this->display->handler->get_option('fields');
}
// Preconfigure the sanitized array so that the order is retained.
foreach ($fields as $field => $info) {
......
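Review bot: The new `$fields` parameter is undocumented; the visible docblock tail describes only the return value, so add `@param $fields Optional array of field handlers keyed by field id (e.g. $view->field); when NULL the display's configured field options are used, which still include fields the current user cannot access.` The two sources differ in shape, `$view->field` holding handler objects while `get_option('fields')` yields option arrays, so if the body of `foreach ($fields as $field => $info)` reads `$info` rather than just the key, that needs confirming. sanitize_columns continues past the hunk.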
......@@ -276,8 +276,14 @@ class view extends views_db_object {
$handler = views_get_handler($data['table'], $data['field'], $key);
if (is_object($handler)) {
$handler->init($this, $data);
// Deal with difficult PHP indirection:
$items[$id]['handler'] = $handler;
// Remove any handlers which are inaccessible to the current user. For example, see users.mail
if ($handler->access()) {
// Deal with difficult PHP indirection:
$items[$id]['handler'] = $handler;
}
else {
unset($items[$id]);
}
}
}
}
......
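Review bot: The access decision is taken once at handler-init time against the global current user, so any caching of this view's query or rendered output must be keyed by the user's roles (or disabled for views containing access-controlled fields); otherwise output built for a user who passed `access()` could be served to one who would not. A comment on the new `if ($handler->access())` line such as `// Access is decided here for the current user; cached output must not cross permission boundaries.` would record that. `unset($items[$id])` is safe if the enclosing loop iterates `$items` by value (foreach works on a copy), but if it iterates by reference, or over a different variable that is later reassigned from `$items`, confirm the removal actually reaches the view's handler list, since the loop header and the origin of `$items` are outside the hunk.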
......@@ -42,6 +42,21 @@ function user_views_data() {
'click sortable' => TRUE,
),
);
// mail
// Note that this field implements field level access control. Neato.
$data['users']['mail'] = array(
'title' => t('E-mail'), // The item it appears as on the UI,
'help' => t('Email address for a given user. Only accessible to users with <em>administer users</em> permission'), // The help that appears on the UI,
'field' => array(
'field' => 'mail', // the real field
'group' => t('User'), // The group it appears in on the UI,
// TODO: mailto link?
'handler' => 'views_handler_field_user_mail',
'click sortable' => TRUE,
),
);
// uid
$data['users']['uid'] = array(
'title' => t('Uid'),
......@@ -79,7 +94,7 @@ class views_handler_field_user extends views_handler_field {
*/
function init(&$view, &$data) {
parent::init($view, $data);
if (!empty($this->options['link_to_user']) && $this->view->base_table != 'user') {
if (!empty($this->options['link_to_user']) && $this->view->base_table != 'users') {
$this->additional_fields[] = 'uid';
$this->uid_field = 'users_uid';
}
......@@ -119,6 +134,19 @@ class views_handler_field_user extends views_handler_field {
}
}
/**
* Field handler to provide acess control for the email field
*
* @ingroup views_field_handlers
*/
class views_handler_field_user_mail extends views_handler_field {
// An example of field level access control.
function access() {
return user_access('administer users');
}
}
/**
* Field handler to provide simple renderer that allows using a themed user link
*
......
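Review bot: The `views_handler_field_user_mail` class docblock has a typo (`acess` should be `access`) and its `access()` override carries only a loose one-line comment; give the method a docblock such as `Only users with 'administer users' may see e-mail addresses; the handler is dropped from the view for everyone else.` The 'administer users' permission matches the help text of the new `$data['users']['mail']` entry in the earlier hunk, which is good, and that entry defines only a 'field' handler, so no filter, sort or argument on mail exists; any added later must carry the same override, because the base `access()` allows everything. With 'click sortable' => TRUE it is worth confirming that a click-sort request naming mail finds no handler once it has been removed from `$view->field`.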
......@@ -116,9 +116,8 @@ function template_preprocess_views_view_table(&$vars) {
$options = $view->style_handler->options;
$handler = $view->style_handler;
$columns = $handler->sanitize_columns($options['columns']);
$fields = $view->field;
$columns = $handler->sanitize_columns($options['columns'], $fields);
$active = !empty($handler->active) ? $handler->active : '';
$order = !empty($handler->order) ? $handler->order : 'asc';
......
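Review bot: The temporary `$fields = $view->field;` is used once; pass the property directly, `$columns = $handler->sanitize_columns($options['columns'], $view->field);`, which also keeps the call on a single line as before. Passing `$view->field` is what makes the table skip columns for fields the current user cannot see, but the filtering only happens for callers that supply it; any other `sanitize_columns()` call that relies on the `get_option('fields')` default (not visible here) will still produce columns for the removed fields. template_preprocess_views_view_table continues outside the hunk.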
......@@ -227,9 +227,11 @@ function views_ui_cache_load($name) {
$view = drupal_clone($v);
}
// Check to see if someone else is already editing this view.
global $user;
$view->locked = db_fetch_object(db_query("SELECT s.uid, v.updated FROM {views_object_cache} v INNER JOIN {sessions} s ON v.sid = s.sid WHERE s.uid != %d and v.name = '%s' and v.obj = 'view' ORDER BY v.updated ASC", $user->uid, $view->name));
if (!empty($view)) {
// Check to see if someone else is already editing this view.
global $user;
$view->locked = db_fetch_object(db_query("SELECT s.uid, v.updated FROM {views_object_cache} v INNER JOIN {sessions} s ON v.sid = s.sid WHERE s.uid != %d and v.name = '%s' and v.obj = 'view' ORDER BY v.updated ASC", $user->uid, $view->name));
}
}
if (empty($view)) {
......
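Review bot: `global $user;` is now declared inside the `if (!empty($view))` block; `global` is function-scoped in PHP and a declaration tucked into a conditional reads as if it were block-scoped, so hoist it to the top of `views_ui_cache_load()` or read `$GLOBALS['user']->uid` in the query arguments instead. When `$view` is empty the `locked` property is now never set, which the `isset()` guard added in the edit-view preprocess hunk accounts for; a short comment on the new `if`, such as `// Only look for a competing editor when a view was actually loaded.`, would tie the two together. The function continues outside the hunk.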