Merge pull request #4868 from javiexin/ticket/15266

[ticket/15266] Fix events in content_visibility
author: Marc Alexander <admin@m-a-styles.de> 2017-12-27 14:15:27 +0100
committer: Marc Alexander <admin@m-a-styles.de> 2017-12-27 14:15:27 +0100
commit: 6acfe2a0cb584de823bc0633e6a864180effebf8 (patch)
tree: 38fd99900468ccea5ea20a59fa299cb4c3d08dc8 /phpBB
parent: cb233c862babd5492d34ad8adcf384b28a28fb75 (diff)
parent: dc48f28da1d4ff4ae2956648c70b8291de1d904e (diff)
download: forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar
forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.gz
forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.bz2
forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.xz
forums-6acfe2a0cb584de823bc0633e6a864180effebf8.zip
6 files changed, 88 insertions, 58 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index a9cd4a3b3c..9ee489cef4 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -159,6 +159,8 @@ $user->session_begin(false);
 $auth->acl($user->data);
 $user->setup('viewtopic');
 
+$phpbb_content_visibility = $phpbb_container->get('content.visibility');
+
 if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 {
 	send_status_line(404, 'Not Found');
@@ -225,7 +227,7 @@ else
 			$post_row = $db->sql_fetchrow($result);
 			$db->sql_freeresult($result);
 
-			if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
+			if (!$post_row || !$phpbb_content_visibility->is_visible('post', $post_row['forum_id'], $post_row))
 			{
 				// Attachment of a soft deleted post and the user is not allowed to see the post
 				send_status_line(404, 'Not Found');
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index e00be1e01a..e3af294b75 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@@ -662,6 +662,8 @@ function phpbb_increment_downloads($db, $ids)
 */
 function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
 {
+	global $phpbb_container;
+
 	$sql_array = array(
 		'SELECT'	=> 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id',
 		'FROM'		=> array(
@@ -677,7 +679,9 @@ function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
 	$row = $db->sql_fetchrow($result);
 	$db->sql_freeresult($result);
 
-	if ($row && $row['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id']))
+	$phpbb_content_visibility = $phpbb_container->get('content.visibility');
+
+	if ($row && !$phpbb_content_visibility->is_visible('topic', $row['forum_id'], $row))
 	{
 		send_status_line(404, 'Not Found');
 		trigger_error('ERROR_NO_ATTACHMENT');
diff --git a/phpBB/includes/functions_mcp.php b/phpBB/includes/functions_mcp.php
index dfe3fefbd0..7ab2da8e5c 100644
--- a/phpBB/includes/functions_mcp.php
+++ b/phpBB/includes/functions_mcp.php
@@ -197,7 +197,7 @@ function phpbb_get_topic_data($topic_ids, $acl_list = false, $read_tracking = fa
 */
 function phpbb_get_post_data($post_ids, $acl_list = false, $read_tracking = false)
 {
-	global $db, $auth, $config, $user;
+	global $db, $auth, $config, $user, $phpbb_container;
 
 	$rowset = array();
 
@@ -246,6 +246,8 @@ function phpbb_get_post_data($post_ids, $acl_list = false, $read_tracking = fals
 	$result = $db->sql_query($sql);
 	unset($sql_array);
 
+	$phpbb_content_visibility = $phpbb_container->get('content.visibility');
+
 	while ($row = $db->sql_fetchrow($result))
 	{
 		if ($acl_list && !$auth->acl_gets($acl_list, $row['forum_id']))
@@ -253,7 +255,7 @@ function phpbb_get_post_data($post_ids, $acl_list = false, $read_tracking = fals
 			continue;
 		}
 
-		if ($row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id']))
+		if (!$phpbb_content_visibility->is_visible('post', $row['forum_id'], $row))
 		{
 			// Moderators without the permission to approve post should at least not see them. ;)
 			continue;
diff --git a/phpBB/phpbb/content_visibility.php b/phpBB/phpbb/content_visibility.php
index bf7dc2c703..237300894b 100644
--- a/phpBB/phpbb/content_visibility.php
+++ b/phpBB/phpbb/content_visibility.php
@@ -131,6 +131,42 @@ class content_visibility
 		return (int) $data[$mode . '_approved'] + (int) $data[$mode . '_unapproved'] + (int) $data[$mode . '_softdeleted'];
 	}
 
+
+	/**
+	* Check topic/post visibility for a given forum ID
+	*
+	* Note: Read permissions are not checked.
+	*
+	* @param $mode		string	Either "topic" or "post"
+	* @param $forum_id	int		The forum id is used for permission checks
+	* @param $data		array	Array with item information to check visibility
+	* @return bool		True if the item is visible, false if not
+	*/
+	public function is_visible($mode, $forum_id, $data)
+	{
+		$is_visible = $this->auth->acl_get('m_approve', $forum_id) || $data[$mode . '_visibility'] == ITEM_APPROVED;
+
+		/**
+		* Allow changing the result of calling is_visible
+		*
+		* @event core.phpbb_content_visibility_is_visible
+		* @var	bool		is_visible			Default visibility condition, to be modified by extensions if needed.
+		* @var	string		mode				Either "topic" or "post"
+		* @var	int			forum_id			Forum id of the current item
+		* @var	array		data				Array of item information
+		* @since 3.2.2-RC1
+		*/
+		$vars = array(
+			'is_visible',
+			'mode',
+			'forum_id',
+			'data',
+		);
+		extract($this->phpbb_dispatcher->trigger_event('core.phpbb_content_visibility_is_visible', compact($vars)));
+
+		return $is_visible;
+	}
+
 	/**
 	* Create topic/post visibility SQL for a given forum ID
 	*
@@ -176,10 +212,14 @@ class content_visibility
 
 		if ($this->auth->acl_get('m_approve', $forum_id))
 		{
-			return $where_sql . '1 = 1';
+			$where_sql .= '1 = 1';
+		}
+		else
+		{
+			$where_sql .= $table_alias . $mode . '_visibility = ' . ITEM_APPROVED;
 		}
 
-		return $where_sql . $table_alias . $mode . '_visibility = ' . ITEM_APPROVED;
+		return '(' . $where_sql . ')';
 	}
 
 	/**
@@ -195,16 +235,21 @@ class content_visibility
 	*/
 	public function get_forums_visibility_sql($mode, $forum_ids = array(), $table_alias = '')
 	{
-		$where_sql = '(';
+		$where_sql = '';
 
-		$approve_forums = array_intersect($forum_ids, array_keys($this->auth->acl_getf('m_approve', true)));
+		$approve_forums = array_keys($this->auth->acl_getf('m_approve', true));
+		if (!empty($forum_ids) && !empty($approve_forums))
+		{
+			$approve_forums = array_intersect($forum_ids, $approve_forums);
+			$forum_ids = array_diff($forum_ids, $approve_forums);
+		}
 
 		$get_forums_visibility_sql_overwrite = false;
 		/**
 		* Allow changing the result of calling get_forums_visibility_sql
 		*
 		* @event core.phpbb_content_visibility_get_forums_visibility_before
-		* @var	string		where_sql							The action the user tried to execute
+		* @var	string		where_sql							Extra visibility conditions. It must end with either an SQL "AND" or an "OR"
 		* @var	string		mode								Either "topic" or "post" depending on the query this is being used in
 		* @var	array		forum_ids							Array of forum ids which the posts/topics are limited to
 		* @var	string		table_alias							Table alias to prefix in SQL queries
@@ -229,33 +274,13 @@ class content_visibility
 			return $get_forums_visibility_sql_overwrite;
 		}
 
-		if (sizeof($approve_forums))
-		{
-			// Remove moderator forums from the rest
-			$forum_ids = array_diff($forum_ids, $approve_forums);
-
-			if (!sizeof($forum_ids))
-			{
-				// The user can see all posts/topics in all specified forums
-				return $where_sql . $this->db->sql_in_set($table_alias . 'forum_id', $approve_forums) . ')';
-			}
-			else
-			{
-				// Moderator can view all posts/topics in some forums
-				$where_sql .= $this->db->sql_in_set($table_alias . 'forum_id', $approve_forums) . ' OR ';
-			}
-		}
-		else
-		{
-			// The user is just a normal user
-			return $where_sql . $table_alias . $mode . '_visibility = ' . ITEM_APPROVED . '
-				AND ' . $this->db->sql_in_set($table_alias . 'forum_id', $forum_ids, false, true) . ')';
-		}
-
+		// Moderator can view all posts/topics in the moderated forums
+		$where_sql .= '(' . $this->db->sql_in_set($table_alias . 'forum_id', $approve_forums, false, true) . ' OR ';
+		// Normal user can view approved items only
 		$where_sql .= '(' . $table_alias . $mode . '_visibility = ' . ITEM_APPROVED . '
-			AND ' . $this->db->sql_in_set($table_alias . 'forum_id', $forum_ids) . '))';
+			AND ' . $this->db->sql_in_set($table_alias . 'forum_id', $forum_ids, false, true) . '))';
 
-		return $where_sql;
+		return '(' . $where_sql . ')';
 	}
 
 	/**
@@ -281,12 +306,12 @@ class content_visibility
 		* Allow changing the result of calling get_global_visibility_sql
 		*
 		* @event core.phpbb_content_visibility_get_global_visibility_before
-		* @var	array		where_sqls							The action the user tried to execute
+		* @var	array		where_sqls							Array of extra visibility conditions. Will be joined by imploding with "OR".
 		* @var	string		mode								Either "topic" or "post" depending on the query this is being used in
 		* @var	array		exclude_forum_ids					Array of forum ids the current user doesn't have access to
 		* @var	string		table_alias							Table alias to prefix in SQL queries
 		* @var	array		approve_forums						Array of forums where the user has m_approve permissions
-		* @var	string		visibility_sql_overwrite	Forces the function to return an implosion of where_sqls (joined by "OR")
+		* @var	string		visibility_sql_overwrite			If not empty, forces the function to return visibility_sql_overwrite after executing the event
 		* @since 3.1.3-RC1
 		*/
 		$vars = array(
@@ -304,24 +329,17 @@ class content_visibility
 			return $visibility_sql_overwrite;
 		}
 
-		if (sizeof($exclude_forum_ids))
-		{
-			$where_sqls[] = '(' . $this->db->sql_in_set($table_alias . 'forum_id', $exclude_forum_ids, true) . '
-				AND ' . $table_alias . $mode . '_visibility = ' . ITEM_APPROVED . ')';
-		}
-		else
-		{
-			$where_sqls[] = $table_alias . $mode . '_visibility = ' . ITEM_APPROVED;
-		}
+		// Include approved items in all forums but the excluded
+		$where_sqls[] = '(' . $this->db->sql_in_set($table_alias . 'forum_id', $exclude_forum_ids, true, true) . '
+			AND ' . $table_alias . $mode . '_visibility = ' . ITEM_APPROVED . ')';
 
+		// If user has moderator permissions, add everything in the moderated forums
 		if (sizeof($approve_forums))
 		{
 			$where_sqls[] = $this->db->sql_in_set($table_alias . 'forum_id', $approve_forums);
-			return '(' . implode(' OR ', $where_sqls) . ')';
 		}
 
-		// There is only one element, so we just return that one
-		return $where_sqls[0];
+		return '(' . implode(' OR ', $where_sqls) . ')';
 	}
 
 	/**
@@ -437,12 +455,13 @@ class content_visibility
 		 * @var			int			topic_id		Topic of the post IDs to be modified.
 		 * @var			int			forum_id		Forum ID that the topic_id resides in.
 		 * @var			int			user_id			User ID doing this action.
-		 * @var			int			timestamp		Timestamp of this action.
+		 * @var			int			time			Timestamp of this action.
 		 * @var			string		reason			Reason specified by the user for this change.
 		 * @var			bool		is_starter		Are we changing the topic's starter?
 		 * @var			bool		is_latest		Are we changing the topic's latest post?
 		 * @var			array		data			The data array for this action.
 		 * @since 3.1.10-RC1
+		 * @changed 3.2.2-RC1 Use time instead of non-existent timestamp
 		 */
 		$vars = array(
 			'visibility',
@@ -450,7 +469,7 @@ class content_visibility
 			'topic_id',
 			'forum_id',
 			'user_id',
-			'timestamp',
+			'time',
 			'reason',
 			'is_starter',
 			'is_latest',
@@ -622,12 +641,13 @@ class content_visibility
 		 * @var			int			topic_id		Topic of the post IDs to be modified.
 		 * @var			int			forum_id		Forum ID that the topic_id resides in.
 		 * @var			int			user_id			User ID doing this action.
-		 * @var			int			timestamp		Timestamp of this action.
+		 * @var			int			time			Timestamp of this action.
 		 * @var			string		reason			Reason specified by the user for this change.
 		 * @var			bool		is_starter		Are we changing the topic's starter?
 		 * @var			bool		is_latest		Are we changing the topic's latest post?
 		 * @var			array		data			The data array for this action.
 		 * @since 3.1.10-RC1
+		 * @changed 3.2.2-RC1 Use time instead of non-existent timestamp
 		 */
 		$vars = array(
 			'visibility',
@@ -635,7 +655,7 @@ class content_visibility
 			'topic_id',
 			'forum_id',
 			'user_id',
-			'timestamp',
+			'time',
 			'reason',
 			'is_starter',
 			'is_latest',
@@ -709,18 +729,19 @@ class content_visibility
 		 * @var			int			topic_id			Topic of the post IDs to be modified.
 		 * @var			int			forum_id			Forum ID that the topic_id resides in.
 		 * @var			int			user_id				User ID doing this action.
-		 * @var			int			timestamp			Timestamp of this action.
+		 * @var			int			time				Timestamp of this action.
 		 * @var			string		reason				Reason specified by the user for this change.
 		 * @var			bool		force_update_all	Force an update on all posts within the topic, regardless of their current approval state.
 		 * @var			array		data				The data array for this action.
 		 * @since 3.1.10-RC1
+		 * @changed 3.2.2-RC1 Use time instead of non-existent timestamp
 		 */
 		$vars = array(
 			'visibility',
 			'topic_id',
 			'forum_id',
 			'user_id',
-			'timestamp',
+			'time',
 			'reason',
 			'force_update_all',
 			'data',
@@ -758,18 +779,19 @@ class content_visibility
 		 * @var			int			topic_id			Topic of the post IDs to be modified.
 		 * @var			int			forum_id			Forum ID that the topic_id resides in.
 		 * @var			int			user_id				User ID doing this action.
-		 * @var			int			timestamp			Timestamp of this action.
+		 * @var			int			time				Timestamp of this action.
 		 * @var			string		reason				Reason specified by the user for this change.
 		 * @var			bool		force_update_all	Force an update on all posts within the topic, regardless of their current approval state.
 		 * @var			array		data				The data array for this action.
 		 * @since 3.1.10-RC1
+		 * @changed 3.2.2-RC1 Use time instead of non-existent timestamp
 		 */
 		$vars = array(
 			'visibility',
 			'topic_id',
 			'forum_id',
 			'user_id',
-			'timestamp',
+			'time',
 			'reason',
 			'force_update_all',
 			'data',
diff --git a/phpBB/viewforum.php b/phpBB/viewforum.php
index 79d75a18f8..e4cf08d548 100644
--- a/phpBB/viewforum.php
+++ b/phpBB/viewforum.php
@@ -538,7 +538,7 @@ if ($forum_data['forum_type'] == FORUM_POST)
 
 	while ($row = $db->sql_fetchrow($result))
 	{
-		if ($row['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id']))
+		if (!$phpbb_content_visibility->is_visible('topic', $row['forum_id'], $row))
 		{
 			// Do not display announcements that are waiting for approval or soft deleted.
 			continue;
diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php
index 3f117eef6b..9037918a20 100644
--- a/phpBB/viewtopic.php
+++ b/phpBB/viewtopic.php
@@ -268,7 +268,7 @@ $forum_id = (int) $topic_data['forum_id'];
 $user->page['forum'] = $forum_id;
 
 // Now we know the forum_id and can check the permissions
-if ($topic_data['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $forum_id))
+if (!$phpbb_content_visibility->is_visible('topic', $forum_id, $topic_data))
 {
 	trigger_error('NO_TOPIC');
 }
author	Marc Alexander <admin@m-a-styles.de>	2017-12-27 14:15:27 +0100
committer	Marc Alexander <admin@m-a-styles.de>	2017-12-27 14:15:27 +0100
commit	6acfe2a0cb584de823bc0633e6a864180effebf8 (patch)
tree	38fd99900468ccea5ea20a59fa299cb4c3d08dc8 /phpBB
parent	cb233c862babd5492d34ad8adcf384b28a28fb75 (diff)
parent	dc48f28da1d4ff4ae2956648c70b8291de1d904e (diff)
download	forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.gz forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.bz2 forums-6acfe2a0cb584de823bc0633e6a864180effebf8.tar.xz forums-6acfe2a0cb584de823bc0633e6a864180effebf8.zip