modules/workflow/workflow_access.module

<?php
// $Id: workflow_access.module,v 1.5 2008/08/01 15:01:36 jvandyk Exp $

/**
 * @file 
 *   Provides node access permissions based on workflow states.
 */

/**
 * Implementation of hook_node_grants().
 *
 * Supply the workflow access grants. We are simply using
 * roles as access lists, so rids translate directly to gids.
 */
function workflow_access_node_grants($account, $op) {
  return array(
    'workflow_access'       => array_keys($account->roles),
    'workflow_access_owner' => array($account->uid),
  );
}

/**
 * Implementation of hook_node_access_records().
 *
 * Returns a list of grant records for the passed in node object.
 */
function workflow_access_node_access_records($node) {
  $grants = array();
  $sid = db_result(db_query("SELECT sid FROM {workflow_node} WHERE nid = %d", $node->nid));

  // We have state information about this node, so get permissions for this state.
  if (is_numeric($sid)) {
    $result = db_query('SELECT * FROM {workflow_access} WHERE sid = %d', $sid);
    while ($grant = db_fetch_object($result)) {
      $grants[] = array(
        'realm'        => ($grant->rid == -1) ? 'workflow_access_owner' : 'workflow_access',
        'gid'          => ($grant->rid == -1) ? $node->uid : $grant->rid,
        'grant_view'   => $grant->grant_view,
        'grant_update' => $grant->grant_update,
        'grant_delete' => $grant->grant_delete
      ); 
    }
  }

  return $grants;
}

/**
 * Implementation of hook_form_alter().
 *
 * Add a "three dimensional" (state, role, permission type) configuration 
 * interface to the workflow edit form.
 */
function workflow_access_form_workflow_edit_form_alter(&$form, $form_state) {
  // A list of roles available on the site and our 
  // special -1 role used to represent the node author.
  $rids = user_roles();
  $rids['-1'] = t('author');
  
  $form['workflow_access'] = array(
    '#type' => 'fieldset', 
    '#title' => t('Access control'),
    '#collapsible' => TRUE,
    '#tree' => TRUE,
  );

  // Add a table for every workflow state.
  $states = workflow_get_states($form['wid']['#value']);
  foreach ($states as $sid => $state) {
    
    if (workflow_is_system_state($state)) {
      // No need to set perms on creation.
      continue;
    }
        
    $view = $update = $delete = array();

    $result = db_query("SELECT * from {workflow_access} where sid = %d", $sid);
    $count = 0;
    while ($access = db_fetch_object($result)) {
      $count++;
      if ($access->grant_view) {
        $view[] = $access->rid;
      }
      if ($access->grant_update) {
        $update[] = $access->rid;
      }
      if ($access->grant_delete) {
        $delete[] = $access->rid;
      }
    }
    
    // Allow view grants by default for anonymous and authenticated users, 
    // if no grants were set up earlier.
    if (!$count) {
      $view = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);     
    }
    
    // TODO better tables using a #theme function instead of direct #prefixing
    $form['workflow_access'][$sid] = array(
      '#type' => 'fieldset', 
      '#title' => $state,
      '#collapsible' => TRUE,
      '#tree' => TRUE,
    );
    $form['workflow_access'][$sid]['view'] = array(
      '#type' => 'checkboxes',
      '#options' => $rids,
      '#default_value' => $view,
      '#title' => t('Roles who can view posts in this state'),
      '#prefix' => '<table width="100%" style="border: 0;"><tbody style="border: 0;"><tr><td>',
    );
    $form['workflow_access'][$sid]['update'] = array(
      '#type' => 'checkboxes',
      '#options' => $rids,
      '#default_value' => $update,
      '#title' => t('Roles who can edit posts in this state'),
      '#prefix' => "</td><td>",
    );
    $form['workflow_access'][$sid]['delete'] = array(
      '#type' => 'checkboxes',
      '#options' => $rids,
      '#default_value' => $delete,
      '#title' => t('Roles who can delete posts in this state'),
      '#prefix' => "</td><td>",
      '#suffix' => "</td></tr></tbody></table>",
    );
  }
  // Place our block comfortably down the page.
  $form['submit']['#weight'] = 10;
  $form['#submit'][] = 'workflow_access_form_submit';
}

/**
 * Store permission settings for workflow states.
 */
function workflow_access_form_submit($form, $form_state) {
  foreach ($form_state['values']['workflow_access'] as $sid => $access) {
    // Ignore irrelevant keys.
    if (!is_numeric($sid)) {
      continue; 
    }

    $grants = array();
    db_query("DELETE FROM {workflow_access} WHERE sid = %d", $sid);
    foreach ($access['view'] as $rid => $checked) {
      $grants[] = array(
        'realm'        => ($rid == -1) ? 'workflow_access_owner' : 'workflow_access',
        'gid'          => ($rid == -1) ? $node->uid : $rid,
        'grant_view'   => (bool)$checked,
        'grant_update' => (bool)$access['update'][$rid],
        'grant_delete' => (bool)$access['delete'][$rid],
      );

      db_query("INSERT INTO {workflow_access} (sid, rid, grant_view, grant_update, grant_delete) VALUES (%d, %d, %d, %d, %d)", $sid, $rid, (bool)$checked, (bool)$access['update'][$rid], (bool)$access['delete'][$rid]);
    }

    // Update all nodes having same workflow state to reflect new settings.
    $result = db_query("SELECT n.nid FROM {node} n LEFT JOIN {workflow_node} wn ON wn.nid = n.nid WHERE wn.sid = %d", $sid);
    while ($node = db_fetch_object($result)) {
      // TODO: this only works with workflow_access realm, not the workflow_access_owner realm?!
      node_access_write_grants($node, $grants, 'workflow_access');
    }
  }
  drupal_set_message(t('Workflow access permissions updated.'));
}

/**
 * Implementation of hook_workflow().
 *
 * Update grants when a node changes workflow state.
 */
function workflow_access_workflow($op, $old_sid, $sid, $node) {
  if ($op == 'transition post' && $old_sid != $sid) {
    node_access_acquire_grants($node);
  }
}
1	<?php
2	// $Id: workflow_access.module,v 1.5 2008/08/01 15:01:36 jvandyk Exp $
3
4	/**
5	* @file
6	* Provides node access permissions based on workflow states.
7	*/
8
9	/**
10	* Implementation of hook_node_grants().
11	*
12	* Supply the workflow access grants. We are simply using
13	* roles as access lists, so rids translate directly to gids.
14	*/
15	function workflow_access_node_grants($account, $op) {
16	return array(
17	'workflow_access' => array_keys($account->roles),
18	'workflow_access_owner' => array($account->uid),
19	);
20	}
21
22	/**
23	* Implementation of hook_node_access_records().
24	*
25	* Returns a list of grant records for the passed in node object.
26	*/
27	function workflow_access_node_access_records($node) {
28	$grants = array();
29	$sid = db_result(db_query("SELECT sid FROM {workflow_node} WHERE nid = %d", $node->nid));
30
31	// We have state information about this node, so get permissions for this state.
32	if (is_numeric($sid)) {
33	$result = db_query('SELECT * FROM {workflow_access} WHERE sid = %d', $sid);
34	while ($grant = db_fetch_object($result)) {
35	$grants[] = array(
36	'realm' => ($grant->rid == -1) ? 'workflow_access_owner' : 'workflow_access',
37	'gid' => ($grant->rid == -1) ? $node->uid : $grant->rid,
38	'grant_view' => $grant->grant_view,
39	'grant_update' => $grant->grant_update,
40	'grant_delete' => $grant->grant_delete
41	);
42	}
43	}
44
45	return $grants;
46	}
47
48	/**
49	* Implementation of hook_form_alter().
50	*
51	* Add a "three dimensional" (state, role, permission type) configuration
52	* interface to the workflow edit form.
53	*/
54	function workflow_access_form_workflow_edit_form_alter(&$form, $form_state) {
55	// A list of roles available on the site and our
56	// special -1 role used to represent the node author.
57	$rids = user_roles();
58	$rids['-1'] = t('author');
59
60	$form['workflow_access'] = array(
61	'#type' => 'fieldset',
62	'#title' => t('Access control'),
63	'#collapsible' => TRUE,
64	'#tree' => TRUE,
65	);
66
67	// Add a table for every workflow state.
68	$states = workflow_get_states($form['wid']['#value']);
69	foreach ($states as $sid => $state) {
70
71	if (workflow_is_system_state($state)) {
72	// No need to set perms on creation.
73	continue;
74	}
75
76	$view = $update = $delete = array();
77
78	$result = db_query("SELECT * from {workflow_access} where sid = %d", $sid);
79	$count = 0;
80	while ($access = db_fetch_object($result)) {
81	$count++;
82	if ($access->grant_view) {
83	$view[] = $access->rid;
84	}
85	if ($access->grant_update) {
86	$update[] = $access->rid;
87	}
88	if ($access->grant_delete) {
89	$delete[] = $access->rid;
90	}
91	}
92
93	// Allow view grants by default for anonymous and authenticated users,
94	// if no grants were set up earlier.
95	if (!$count) {
96	$view = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);
97	}
98
99	// TODO better tables using a #theme function instead of direct #prefixing
100	$form['workflow_access'][$sid] = array(
101	'#type' => 'fieldset',
102	'#title' => $state,
103	'#collapsible' => TRUE,
104	'#tree' => TRUE,
105	);
106	$form['workflow_access'][$sid]['view'] = array(
107	'#type' => 'checkboxes',
108	'#options' => $rids,
109	'#default_value' => $view,
110	'#title' => t('Roles who can view posts in this state'),
111	'#prefix' => '<table width="100%" style="border: 0;"><tbody style="border: 0;"><tr><td>',
112	);
113	$form['workflow_access'][$sid]['update'] = array(
114	'#type' => 'checkboxes',
115	'#options' => $rids,
116	'#default_value' => $update,
117	'#title' => t('Roles who can edit posts in this state'),
118	'#prefix' => "</td><td>",
119	);
120	$form['workflow_access'][$sid]['delete'] = array(
121	'#type' => 'checkboxes',
122	'#options' => $rids,
123	'#default_value' => $delete,
124	'#title' => t('Roles who can delete posts in this state'),
125	'#prefix' => "</td><td>",
126	'#suffix' => "</td></tr></tbody></table>",
127	);
128	}
129	// Place our block comfortably down the page.
130	$form['submit']['#weight'] = 10;
131	$form['#submit'][] = 'workflow_access_form_submit';
132	}
133
134	/**
135	* Store permission settings for workflow states.
136	*/
137	function workflow_access_form_submit($form, $form_state) {
138	foreach ($form_state['values']['workflow_access'] as $sid => $access) {
139	// Ignore irrelevant keys.
140	if (!is_numeric($sid)) {
141	continue;
142	}
143
144	$grants = array();
145	db_query("DELETE FROM {workflow_access} WHERE sid = %d", $sid);
146	foreach ($access['view'] as $rid => $checked) {
147	$grants[] = array(
148	'realm' => ($rid == -1) ? 'workflow_access_owner' : 'workflow_access',
149	'gid' => ($rid == -1) ? $node->uid : $rid,
150	'grant_view' => (bool)$checked,
151	'grant_update' => (bool)$access['update'][$rid],
152	'grant_delete' => (bool)$access['delete'][$rid],
153	);
154
155	db_query("INSERT INTO {workflow_access} (sid, rid, grant_view, grant_update, grant_delete) VALUES (%d, %d, %d, %d, %d)", $sid, $rid, (bool)$checked, (bool)$access['update'][$rid], (bool)$access['delete'][$rid]);
156	}
157
158	// Update all nodes having same workflow state to reflect new settings.
159	$result = db_query("SELECT n.nid FROM {node} n LEFT JOIN {workflow_node} wn ON wn.nid = n.nid WHERE wn.sid = %d", $sid);
160	while ($node = db_fetch_object($result)) {
161	// TODO: this only works with workflow_access realm, not the workflow_access_owner realm?!
162	node_access_write_grants($node, $grants, 'workflow_access');
163	}
164	}
165	drupal_set_message(t('Workflow access permissions updated.'));
166	}
167
168	/**
169	* Implementation of hook_workflow().
170	*
171	* Update grants when a node changes workflow state.
172	*/
173	function workflow_access_workflow($op, $old_sid, $sid, $node) {
174	if ($op == 'transition post' && $old_sid != $sid) {
175	node_access_acquire_grants($node);
176	}
177	}