<?php
// $Id: acl.module,v 1.35 2011-01-08 11:56:42 salvis Exp $

/**
 * @file
 * An API module providing by-user access control lists.
 *
 * This module handles ACLs on behalf of other modules. The two main reasons
 * to do this are so that modules using ACLs can share them with each
 * other without having to actually know much about them, and so that
 * ACLs can easily co-exist with the existing node_access system.
 */

/**
 * Create a new ACL.
 *
 * The client module will have to keep track of the ACL. For that it can
 * assign either a $name or a $number to this ACL.
 *
 * @param $module
 *   The name of the client module.
 * @param $name
 *   An arbitrary name for this ACL, freely defined by the client module.
 * @param $number
 *   An arbitrary number for this ACL, freely defined by the client module.
 * @return
 *   The ID of the newly created ACL.
 */
function acl_create_new_acl($module, $name = NULL, $number = NULL) {
  $acl = array(
    'module' => $module,
    'name' => $name,
    'number' => $number
  );
  drupal_write_record('acl', $acl);
  return $acl['acl_id'];
}

/**
 * Delete an existing ACL.
 */
function acl_delete_acl($acl_id) {
  db_delete('acl')
    ->condition('acl_id', $acl_id)
    ->execute();
  db_delete('acl_user')
    ->condition('acl_id', $acl_id)
    ->execute();
  db_delete('acl_node')
    ->condition('acl_id', $acl_id)
    ->execute();
}

/**
 * Add the specified UID to an ACL.
 */
function acl_add_user($acl_id, $uid) {
  $test_uid = db_query("SELECT uid FROM {acl_user} WHERE acl_id = :acl_id AND uid = :uid", array(
    'acl_id' => $acl_id,
    'uid' => $uid,
  ))->fetchField();
  if (!$test_uid) {
    db_insert('acl_user')
    ->fields(array(
      'acl_id' => $acl_id,
      'uid' => $uid,
    ))
    ->execute();
  }
}

/**
 * Remove the specified UID from an ACL.
 */
function acl_remove_user($acl_id, $uid) {
  db_delete('acl_user')
    ->condition('acl_id', $acl_id)
    ->condition('uid', $uid)
    ->execute();
}

/**
 * Provide a form to edit the ACL that can be embedded in other forms.
 * Pass $new_acl=TRUE if you have no ACL yet, but do supply a string
 * like 'my_module_new_acl' as $acl_id anyway.
 */
function acl_edit_form(&$form_state, $acl_id, $label = NULL, $new_acl = FALSE) {
  $form_state['build_info']['files'][] = _acl_module_load_include('admin.inc');
  return _acl_edit_form($acl_id, $label, $new_acl);
}

/**
 * Provide access control to all nodes selected by a subquery, based upon an ACL id.
 */
function acl_add_nodes($subselect, $acl_id, $view, $update, $delete, $priority = 0) {
  db_delete('acl_node')
    ->condition('acl_id', $acl_id)
    ->condition('nid', $subselect, 'IN')
    ->execute();
  $subselect->addExpression($acl_id, 'acl_id');
  $subselect->addExpression((int) $view, 'grant_view');
  $subselect->addExpression((int) $update, 'grant_update');
  $subselect->addExpression((int) $delete, 'grant_delete');
  $subselect->addExpression($priority, 'priority');
  db_insert('acl_node')
    ->from($subselect)
    ->execute();
}

/**
 * Provide access control to a node based upon an ACL id.
 */
function acl_node_add_acl($nid, $acl_id, $view, $update, $delete, $priority = 0) {
  db_delete('acl_node')
    ->condition('acl_id', $acl_id)
    ->condition('nid', $nid)
    ->execute();
  db_insert('acl_node')
  ->fields(array(
    'acl_id' => $acl_id,
    'nid' => $nid,
    'grant_view' => (int) $view,
    'grant_update' => (int) $update,
    'grant_delete' => (int) $delete,
    'priority' => $priority,
  ))
  ->execute();
}

/**
 * Remove an ACL completely from a node.
 */
function acl_node_remove_acl($nid, $acl_id) {
  db_delete('acl_node')
    ->condition('acl_id', $acl_id)
    ->condition('nid', $nid)
    ->execute();
}

/**
 * Clear all of a module's ACL's from a node.
 */
function acl_node_clear_acls($nid, $module) {
  $acl_ids = db_query("SELECT acl_id FROM {acl} WHERE module = :module", array(
    'module' => $module
  ))->fetchCol();
  if ($acl_ids) {
    db_delete('acl_node')
      ->condition('nid', $nid)
      ->condition('acl_id', $acl_ids, 'IN')
      ->execute();
  }
}

/**
 * Gets the id of an ACL by name (+ optionally number).
 */
function acl_get_id_by_name($module, $name, $number = NULL) {
  $query = db_select('acl', 'acl')
    ->addField('acl', 'acl_id')
    ->condition('module', $module)
    ->condition('name', $name);
  if (isset($number)) {
    $query->condition('number', $number);
  }
  return $query->execute()->fetchField();
}

/**
 * Gets the id of an ACL by number.
 */
function acl_get_id_by_number($module, $number) {
  return db_query("SELECT acl_id FROM {acl} WHERE module = :module AND number = :number", array(
    'module' => $module,
    'number' => $number,
  ))->fetchField();
}

/**
 * Determines if an acl has some assigned users
 */
function acl_has_users($acl_id) {
  return db_query("SELECT COUNT(uid) FROM {acl_user} WHERE acl_id = :acl_id", array(
    'acl_id' => $acl_id,
  ))->fetchField();
}

/**
 * Determines if an acl has a specific assigned user
 */
function acl_has_user($acl_id, $uid) {
  return db_query("SELECT COUNT(uid) FROM {acl_user} WHERE acl_id = :acl_id AND uid = :uid", array(
    'acl_id' => $acl_id,
    'uid' => $uid,
  ))->fetchField();
}

/**
 * Gets an array of acl_ids held by a user
 */
function acl_get_ids_by_user($module, $uid, $name = NULL, $number = NULL) {
  $query = db_select('acl', 'a');
  $query->join('acl_user', 'au', 'a.acl_id = au.acl_id');
  $query
    ->fields('a', array('acl_id'))
    ->condition('a.module', $module)
    ->condition('au.uid', $uid);
  if (isset($name)) {
    $query->condition('a.name', $name);
  }
  if (isset($number)) {
    $query->condition('a.number', $number);
  }
  $acl_ids = $query->execute()->fetchCol();
  return $acl_ids;
}

/**
 * Gets the uids of an acl
 */
function acl_get_uids($acl_id) {
  $uids = db_query("SELECT uid FROM {acl_user} WHERE acl_id = :acl_id", array(
    'acl_id' => $acl_id,
  ))->fetchCol();
  return $uids;
}

/**
 * Implementation of hook_node_access_records().
 */
function acl_node_access_records($node) {
  if (!$node->nid) {
    return;
  }
  $result = db_query("SELECT n.*, 'acl' AS realm, n.acl_id AS gid, a.module FROM {acl_node} n INNER JOIN {acl} a ON n.acl_id = a.acl_id WHERE nid = :nid", array(
    'nid' => $node->nid,
  ), array('fetch' => PDO::FETCH_ASSOC));
  $grants = array();
  foreach ($result as $grant) {
    if (module_invoke($grant['module'], 'enabled')) {
      if (acl_has_users($grant['gid'])) {
        $grants[] = $grant;
      }
      else {
        //just deny access
        $grants[] = array(
          'realm' => 'acl',
          'gid' => $grant['gid'],
          'grant_view' => 0,
          'grant_update' => 0,
          'grant_delete' => 0,
          'priority' => $grant['priority'],
        );
      }
    }
  }
  return $grants;
}

/**
 * Implementation of hook_node_grants().
 */
function acl_node_grants($account, $op) {
  $acl_ids = db_query("SELECT acl_id FROM {acl_user} WHERE uid = :uid", array(
    'uid' => $account->uid,
  ))->fetchCol();
  return (!empty($acl_ids) ? array('acl' => $acl_ids) : NULL);
}

/**
 * Implementation of hook_node_delete().
 */
function acl_node_delete($node) {
  db_delete('acl_node')
    ->condition('nid', $node->nid)
    ->execute();
}

/**
 * Implementation of hook_user_cancel().
 */
function acl_user_cancel($edit, $account, $method) {
  db_delete('acl_user')
    ->condition('uid', $account->uid)
    ->execute();
}

function _acl_module_load_include($type) {
  static $loaded = array();

  if (!isset($loaded[$type])) {
    $path = module_load_include($type, 'acl');
    $loaded[$type] = drupal_get_path('module', 'acl') . "/acl.$type";
  }
  return $loaded[$type];
}

/**
 * Implementation of hook_node_access_explain().
 */
function acl_node_access_explain($row) {
  static $interpretations = array();
  if ($row->realm == 'acl') {
    if (!isset($interpretations[$row->gid])) {
      $acl = db_query("SELECT * FROM {acl} WHERE acl_id = :acl_id", array(
        'acl_id' => $row->gid,
      ))->fetchObject();
      $acl->tag = '?';
      if (!isset($acl->name)) {
        $acl->tag = $acl->number;
      }
      elseif (!isset($acl->number)) {
        $acl->tag = $acl->name;
      }
      else {
        $acl->tag = $acl->name . '-' . $acl->number;
      }
      $result = db_query("SELECT u.name FROM {acl_user} au, {users} u WHERE au.acl_id = :acl_id AND au.uid = u.uid", array(
        'acl_id' => $row->gid,
      ));
      foreach ($result as $user) {
        $users[] = $user->name;
      }
      if (isset($users)) {
        $users = implode(', ', $users);
        $interpretations[$row->gid] = _acl_get_explanation("$acl->module/$acl->tag: $users", $acl->acl_id, $acl->module, $acl->name, $acl->number, $users);
      }
      elseif ($row->gid == 0) {
        $result = db_query("SELECT an.acl_id, a.module, a.name FROM {acl_node} an JOIN {acl} a ON an.acl_id = a.acl_id LEFT JOIN {acl_user} au ON a.acl_id = au.acl_id WHERE an.nid = :nid AND au.uid IS NULL", array(
          'nid' => $row->nid,
        ));
        foreach ($result as $acl) {
          $rows[] = _acl_get_explanation("$acl->acl_id:&nbsp;$acl->module/$acl->tag", $acl->acl_id, $acl->module, $acl->name, $acl->number);
        }
        if (!empty($rows)) {
          return implode('<br />', $rows);
        }
        return 'No access via ACL.';
      }
      else {
        $interpretations[$row->gid] = _acl_get_explanation("$acl->module/$acl->tag: no users!", $acl->acl_id, $acl->module, $acl->name, $acl->number);
      }
    }
    return $interpretations[$row->gid];
  }
}

/**
 * Asks the client for its interpretation of the given grant record.
 */
function _acl_get_explanation($text, $acl_id, $module, $name, $number, $users = NULL) {
  $hook = $module .'_acl_explain';
  if (function_exists($hook)) {
    return '<span title="'. $hook($acl_id, $name, $number, $users) .'">'. $text .'</span>';
  }
  return $text;
}