--- node.module.6.4.orig 2008-09-29 10:29:56.000000000 -0700 +++ node.module 2008-09-29 11:25:27.000000000 -0700 @@ -2016,22 +2016,19 @@ function node_access($op, $node, $accoun // If the module did not override the access rights, use those set in the // node_access table. - if ($op != 'create' && $node->nid && $node->status) { - $grants = array(); - foreach (node_access_grants($op, $account) as $realm => $gids) { - foreach ($gids as $gid) { - $grants[] = "(gid = $gid AND realm = '$realm')"; - } + if ($op != 'create' && $node->nid) { + $grants_sql = node_access_grants_sql($op, NULL, $account, $node->status); + // If the return value is FALSE, then the node status is unpublished and + // none of the grants requested an access check be run. In which case, + // we should fall through to the final 'if' statement. + if ($grants_sql !== FALSE) { + if (!empty($grants_sql)) { + $grants_sql .= ' AND'; + } + $sql = "SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql grant_$op >= 1"; + $result = db_query($sql, $node->nid); + return (db_result($result)); } - - $grants_sql = ''; - if (count($grants)) { - $grants_sql = 'AND ('. implode(' OR ', $grants) .')'; - } - - $sql = "SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1"; - $result = db_query($sql, $node->nid); - return (db_result($result)); } // Let authors view their own nodes. @@ -2081,17 +2078,7 @@ function _node_access_where_sql($op = 'v return; } - $grants = array(); - foreach (node_access_grants($op, $account) as $realm => $gids) { - foreach ($gids as $gid) { - $grants[] = "($node_access_alias.gid = $gid AND $node_access_alias.realm = '$realm')"; - } - } - - $grants_sql = ''; - if (count($grants)) { - $grants_sql = 'AND ('. implode(' OR ', $grants) .')'; - } + $grants_sql = node_access_grants_sql('view', $node_access_alias, $account); $sql = "$node_access_alias.grant_$op >= 1 $grants_sql"; return $sql; @@ -2129,17 +2116,8 @@ function node_access_view_all_nodes() { static $access; if (!isset($access)) { - $grants = array(); - foreach (node_access_grants('view') as $realm => $gids) { - foreach ($gids as $gid) { - $grants[] = "(gid = $gid AND realm = '$realm')"; - } - } - - $grants_sql = ''; - if (count($grants)) { - $grants_sql = 'AND ('. implode(' OR ', $grants) .')'; - } + + $grants_sql = node_access_grants_sql('view'); $sql = "SELECT COUNT(*) FROM {node_access} WHERE nid = 0 $grants_sql AND grant_view >= 1"; $result = db_query($sql); @@ -2148,6 +2126,153 @@ function node_access_view_all_nodes() { return $access; } + + /** + * Check the logic of node grants and prepare the sql statement. + * + * @param $op + * The operation that the user is trying to perform. + * @param $account + * The user object performing the operation. If omitted, the current user is used. + * @param $status + * The publication status of the node being checked. Typically, node_access + * checks are not run for unpublished nodes. However, some advanced uses + * require that users can act on unpublished nodes. + * @return + * There are three possible return values. + * - A sql string containing the appropriate WHERE clauses, grouped together + * according to the logic of hook_node_grants. + * - An empty string, indicating that no extra rules are needed. + * - Boolean FALSE, indicating that all nodes are unpublished and no module + * has explicitly requested an access check. + */ +function node_access_grants_sql($op = 'view', $node_access_alias = NULL, $account = NULL, $status = TRUE) { + if (!isset($account)) { + $account = $GLOBALS['user']; + } + // Define the grants array. + $grants = array(); + $template = array(); + // First, acquire all the grants as an array of rules. + $rules = node_access_grants($op, $account); + + // Get whatever is stored in multinode table. + // Add to rules + if (db_table_exists('multinode_access')) { + $result = db_query("SELECT * FROM {multinode_access}"); + while ($row = db_fetch_object($result)) { + foreach ($rules as $realm => $rule_grants) { + if ($row->realm == $realm) { + $rules[$realm]['group'] = $row->groupname; + $rules[$realm]['logic'] = $row->logic; + $rules[$realm]['weight'] = $row->weight; + $rules[$realm]['check'] = $row->checkstatus; + } + } + } + } + + // Prepare the table alias, if needed. + if (!empty($node_access_alias)) { + $alias = $node_access_alias .'.'; + } + // It may be that only the default rule is active. In that case, we can skip the + // process below. + if (count($rules) == 1 && key($rules) == 'all') { + $grants_sql .= "AND (". $alias ."realm = 'all' AND ". $alias ."gid = 0)"; + } + else { + // Process the grants into logical groupings. + foreach ($rules as $realm => $rule) { + // Set the status flag. + $status += $rule['check']; + // Set the default clause group. Then check for options. + $group = 'all'; + if (!empty($rule['group'])) { + $group = $rule['group']; + $template[$group]['name'] = $rule['group']; + } + if (!empty($rule['logic'])) { + $template[$group]['logic'] = $rule['logic']; + } + if (!empty($rule['weight'])) { + $template[$group]['weight'] = $rule['weight']; + } + foreach ($rule as $key => $gid) { + // Grants ids must be numeric. + if (is_numeric($key)) { + $grants[$group][$realm][] = $gid; + } + } + } + // In most cases, node status must be set to TRUE. However, there are use-cases where + // we allow access to unpublished nodes. So we check the status to see if we need to + // continue with the logic or end this IF statement. + if (!$status) { + return FALSE; + } + + $grants_sql = ''; + $subquery = array(); + $subqueries = 'no'; + + // Run throught the $grants, if needed and generate the query SQL. + if (count($grants)) { + foreach ($grants as $group => $grant) { + $clauses = array(); + foreach ($grant as $key => $value) { + foreach ($value as $gid) { + $clauses[] = "(". $alias ."realm = '$key' AND ". $alias ."gid = $gid)"; + } + } + if ($group == 'all') { + $grants_sql .= 'AND ('. implode(' OR ', $clauses) .') '; + } + else { + // Required elements must go into a subquery. Will not work prior to MySQL 4.1.x. + // Set defaults. + $subqueries = 'yes'; + $weight = 0; + $logic = 'AND'; + + if ($template[$group]['weight']) { + $weight = $template[$group]['weight']; + } + + if ($template[$group]['logic']) { + $logic = $template[$group]['logic']; + } + + if ($logic == 'OR') { + $this_query = "OR ". $alias ."nid IN (SELECT ". $alias ."nid FROM {node_access} ". $node_access_alias ." WHERE "; + } else { + $this_query = "AND ". $alias ."nid IN (SELECT ". $alias ."nid FROM {node_access} ". $node_access_alias ." WHERE "; + } + $this_query = $this_query .'('. implode(' OR ', $clauses) .')) '; + + $subquery[$this_query] = $weight; + } + } + if ($subqueries == 'yes') { + // Get subqueries from subquery table; + // Sort if first by weight. + $subquery_phrase = ''; + asort($subquery); + foreach ($subquery as $query=>$weight) { + $subquery_phrase .= $query; + } + // Need to add parenthesis after first OR or AND and at the end of the query. + $grants_sql .= $subquery_phrase; + // Place everything after "AND" within parenthesis + $pattern = '/^AND /'; + $replacement = 'AND ('; + $grants_sql = preg_replace($pattern, $replacement, $grants_sql); + $grants_sql = $grants_sql . ')'; + } + } + } + return $grants_sql; +} /** * Implementation of hook_db_rewrite_sql