islandora_managed_access.module

<?php

/**
 * @file
 * The islandora_managed_access module.
 */

/**
 * Implements hook_menu().
 */
function islandora_managed_access_menu() {
  $items = array();
  
  $items['admin/islandora/tools/managed_access'] = array(
    'title' => 'Islandora Managed Access',
    'description' => 'Configure Managed Access settings.',
    'access arguments' => array('administer managed access configuration'),
    'type' => MENU_NORMAL_ITEM,
    'page callback' => 'drupal_goto',
    'page arguments' => array('admin/islandora/tools/managed_access/profiles'),
  ); 

  $items['managed-access'] = array(
    'title' => 'Managed Access Policy',
    'access callback' => TRUE,
    'page callback' => 'islandora_managed_access_soft403',
    'menu_name' => FALSE,
  );

  $items['register-user'] = array(
    'title' => 'Register for access',
    'access callback' => TRUE,
    'page callback' => 'islandora_managed_access_register_user',
    'menu_name' => FALSE,
  );

  $items['post-registration'] = array(
    'title' => 'Post Registration',
    'access callback' => TRUE,
    'page callback' => 'islandora_managed_access_post_registration',
    'menu_name' => FALSE,
  );
  
  $items['islandora/object/%islandora_object/access_info'] = array(
    'title' => 'Terms of Use',
    'type' => MENU_LOCAL_TASK,
    'page callback' => 'islandora_managed_access_info_tab',
    'page arguments' => array(2),
    'access callback' => 'islandora_managed_access_object_is_managed',
    'access arguments' => array(2),
    'weight' => 1,
  );

  return $items;
}

/**
 * Implements hook_entity_info().
 */
function islandora_managed_access_entity_info() {
  $info = array();

  $info['islandora_managed_access_profile'] = array(
    'label' => t('Managed Access Profile'),
    'base table' => 'islandora_managed_access_profile',
    'entity keys' => array(
      'id' => 'id',
      'label' => 'hname',
    ),
    'entity class' => 'IslandoraManagedAccessProfileEntity',
    'controller class' => 'IslandoraManagedAccessProfileEntityController',
    'admin ui' => array(
      'path' => 'admin/islandora/tools/managed_access/profiles',
      'controller class' => 'IslandoraManagedAccessProfileEntityUIController',
      'file' => 'includes/admin.form.inc',
    ),
    'module' => 'islandora_managed_access',
    'access callback' => 'islandora_managed_access_admin_access_callback',
  );
  $info['islandora_managed_access_object'] = array(
    'label' => t('Managed Access Object'),
    'base table' => 'islandora_managed_access_object',
    'entity keys' => array(
      'id' => 'id',
      'label' => 'pid',
    ),
    'entity class' => 'IslandoraManagedAccessObjectEntity',
    'controller class' => 'IslandoraManagedAccessObjectEntityController',
    'admin ui' => array(
      'path' => 'admin/islandora/tools/managed_access/objects',
      'controller class' => 'IslandoraManagedAccessObjectEntityUIController',
      'file' => 'includes/admin.form.inc',
    ),
    'module' => 'islandora_managed_access',
    'access callback' => 'islandora_managed_access_admin_access_callback',
  );
  $info['islandora_managed_access_user'] = array(
    'label' => t('Managed Access User'),
    'base table' => 'islandora_managed_access_user',
    'entity keys' => array(
      'id' => 'id',
      'label' => 'uid'
    ),
    'entity class' => 'IslandoraManagedAccessUserEntity',
    'controller class' => 'IslandoraManagedAccessUserEntityController',
    'admin ui' => array(
      'path' => 'admin/islandora/tools/managed_access/users',
      'controller class' => 'IslandoraManagedAccessUserEntityUIController',
      'file' => 'includes/admin.form.inc',
    ),
    'module' => 'islandora_managed_access',
    'access callback' => 'islandora_managed_access_admin_access_callback',
  );

  return $info;
}

/**
 * Implements hook_permission().
 */
function islandora_managed_access_permission() {
  return array(
    'administer managed access configuration' => array(
      'title' => t('Administer Managed Access configurations'),
    ),
  );
}

/**
 * Implements hook_mail().
 */
function islandora_managed_access_mail($key, &$message, $params) {
  switch ($key) {

    case 'notify_new_user_admin':
      global $base_url;
      $ma_user_array = entity_load("islandora_managed_access_user", array($params['ma_user_id']));
      $ma_user = $ma_user_array["{$params['ma_user_id']}"];
      $drupal_user = user_load($ma_user->uid);
      $ma_profile = islandora_managed_access_get_users_profile($ma_user);

      $message['headers']['Content-Type'] = 'text/plain; charset=UTF-8; format=flowed';
      $message['subject'] = "New Managed Access User created";
      $message['body'][] = "A new Managed Access User has been created at {$base_url}:";
      $message['body'][] = "Name: {$ma_user->name}";
      $message['body'][] = "Affiliated Institution: {$ma_user->institution}";
      $message['body'][] = "Requested Profile: {$ma_profile->hname}";
      $message['body'][] = "Request Information: {$ma_user->request_info}";
      break;

    case 'notify_inactive_new_user':
      global $base_url;
      $ma_user_array = entity_load("islandora_managed_access_user", array($params['ma_user_id']));
      $ma_user = $ma_user_array["{$params['ma_user_id']}"];
      $drupal_user = user_load($ma_user->uid);
      $ma_profile = islandora_managed_access_get_users_profile($ma_user);

      $message['headers']['Content-Type'] = 'text/plain; charset=UTF-8; format=flowed';
      $message['subject'] = "Your user account request has been received";
      $message['body'][] = "Hello, {$ma_user->name},";
      $message['body'][] = "Thank you for registering. Your request for a user account to access the {$ma_profile->hname} materials at {$base_url} has been received.";
      $message['body'][] = "{$ma_profile->review_statement}";
      $message['body'][] = "Please monitor this email account for your credentials once your account has been approved, and contact {$ma_profile->contact_email} if you have any questions.";
      $message['body'][] = "{$ma_profile->signature}";
      break;

    case 'notify_user_activated':
      global $base_url;
      $ma_user_array = entity_load("islandora_managed_access_user", array($params['ma_user_id']));
      $ma_user = $ma_user_array["{$params['ma_user_id']}"];
      $drupal_user = user_load($ma_user->uid);
      $ma_profile = islandora_managed_access_get_users_profile($ma_user);

      $message['headers']['Content-Type'] = 'text/plain; charset=UTF-8; format=flowed';
      $message['subject'] = "Your user account has been activated";
      $message['body'][] = "Hello, {$ma_user->name}:";
      $message['body'][] = "Thank you for registering. Your request for an account to access the {$ma_profile->hname} materials at {$base_url} has been approved.";
      $message['body'][] = "You will recieve an additional email containing your username and instructions for initial log-in. After logging in, you will be prompted to change your password.";
      $message['body'][] = "Contact {$ma_profile->contact_email} if you have any questions.";
      $message['body'][] = "{$ma_profile->signature}";
      break;

    case 'notify_user_expiry':
      global $base_url;
      $ma_user_array = entity_load("islandora_managed_access_user", array($params['ma_user_id']));
      $ma_user = $ma_user_array["{$params['ma_user_id']}"];
      $drupal_user = user_load($ma_user->uid);
      $ma_profile = islandora_managed_access_get_users_profile($ma_user);

      $message['headers']['Content-Type'] = 'text/plain; charset=UTF-8; format=flowed';
      $message['subject'] = "Your account has been deactivated";
      $message['body'][] = "Hello, {$ma_user->name}:";
      $message['body'][] = "Your account at {$base_url} for browsing the {$ma_profile->hname} materials has been deactivated. The time period for registered access has passed and we did not receive a renewal request.";  
      $message['body'][] = "If you still require access to the {$ma_profile->hname}, you will need to re-register for an account at {$base_url}/{$ma_profile->mname}/register.";
      $message['body'][] = "Contact {$ma_profile->contact_email} if you have any questions.";
      $message['body'][] = "{$ma_profile->signature}";
      break;

    case 'notify_user_expiry_warning':
      global $base_url;
      $message['headers']['Content-Type'] = 'text/plain; charset=UTF-8; format=flowed';
      $message['subject'] = "Your account will soon expire";
      $message['body'][] = "Hello, {$params['real_name']}:";
      $message['body'][] = "Your account at {$base_url} for browsing the {$params['profile_name']} materials will automatically expire in 7 days.";
      $message['body'][] = "To renew your access, please contact the administrator for this collection at {$params['contact_email']}.";
      $message['body'][] = "If you choose not to renew your account now, you will be able to re-register at a later date if needed.";
      $message['body'][] = "{$ma_profile->signature}";
      break;
  }
}

/**
 * Implements hook_cron().
 */
function islandora_managed_access_cron() {
  watchdog("islandora_managed_access", "Running expiration checks for managed access users."); 
  $users = entity_load('islandora_managed_access_user');
  $now = time();
  foreach ($users as $user) {
    $ma_profile = islandora_managed_access_get_users_profile($user);
    $drupal_user = user_load($user->uid);
    $lifetime = $ma_profile->lifetime;
    $expiry_fmt = "+{$lifetime} days";
    $expiry = strtotime($expiry_fmt, $user->refreshed_at);
    $warning_time = strtotime('-7 days', $expiry);
    if ($lifetime == 0) {
      break;
    }
    elseif ($now > $warning_time && $user->warned == 0) {
      watchdog("islandora_managed_access", "Warning managed access user '{$user->name}.'"); 
      $params = array(
        'real_name' => $user->name,
        'profile_name' => $ma_profile->hname,
        'contact_email' => $ma_profile->contact_email,
      );
      $email = $drupal_user->mail;
      $from = variable_get('site_mail', 'admin@example.com');
      drupal_mail('islandora_managed_access', 'notify_user_expiry_warning', $email, language_default(), $params, $from, TRUE);
      $user->warned = 1;
      $user->save();
    }
    elseif ($now > $expiry) {
      watchdog("islandora_managed_access", "Expiring managed access user '{$user->name}.'"); 
      IslandoraManagedAccessUserEntityController::expire_ma_user($user);
    }
  }
}

/**
 * Implements hook_islandora_view_object()
 *
 * When an object is loaded, check to see if it has a 'hasManagedAccessProfile' predicate in the RELS-EXT
 * and if it DOES, check to see if user has sufficient permission to view it. If not, bounce.
 */
function islandora_managed_access_islandora_view_object($object) {
  if (islandora_managed_access_object_is_managed($object)) {
    $ma_profile = islandora_managed_access_get_object_profile($object);
    // Check user IP to see if it matches profile whitelist
    $user_ip = $_SERVER['REMOTE_ADDR'];
    $allowed_ips = explode(',', str_replace(' ', '', $ma_profile->ip_whitelist));
    $results = array();
    foreach ($allowed_ips as $allowed_ip) {
      if (strpos($allowed_ip, "/")) {
        $result = ip_cidr_check($user_ip, $allowed_ip);
      }
      else { 
        $result = ($user_ip == $allowed_ip);
      }
      $results[] = $result;
    }
    if (!in_array(TRUE, $results, TRUE)) {
      // Check user role to see if it matches profile rid
      $ma_profile_rid = (int)$ma_profile->rid;
      $admin_rid = (int)user_role_load_by_name('administrator')->rid;
      $allowed_rids = array($admin_rid, $ma_profile_rid);
      $user_rids = array_keys($GLOBALS['user']->roles);
      if (count(array_intersect($allowed_rids, $user_rids)) < 1) {
        drupal_goto("/managed-access/{$ma_profile->mname}");
      }
    }
  }
}

# utilities

/**
 * Check access permissions for Managed Access configurations.
 */
function islandora_managed_access_admin_access_callback($op, $maentity = NULL, $account = NULL) {
  if (user_access('administer managed access configuration', $account)) {
    return TRUE;
  }
  return FALSE;
}

function islandora_managed_access_object_is_managed($object) {
  $managed_data = $object->relationships->get(ISLANDORA_RELS_EXT_URI, 'hasManagedAccessProfile');
  if (count($managed_data) > 0) {
    $ma_profile_mname = $managed_data[0]['object']['value'];
    return TRUE;
  }
  else {
    return FALSE;
  }
}

function islandora_managed_access_get_object_profile($object) {
  $managed_data = $object->relationships->get(ISLANDORA_RELS_EXT_URI, 'hasManagedAccessProfile');
  if (count($managed_data) > 0) {
    $ma_profile_mname = $managed_data[0]['object']['value'];
    return islandora_managed_access_get_profile_by_machine_name($ma_profile_mname);
  }
  else {
    return FALSE;
  }
}

function islandora_managed_access_info_message($ma_profile) {
  $message = <<<EOM
<h1>This item has access restrictions:</h1>
<p>{$ma_profile->justification_info}</p>
<h2>Usage Information:</h2>
<p>{$ma_profile->usage_info}</p>
<h2>Contact Information:</h2>
<p>{$ma_profile->contact_info}</p>
<h2>Contact Email:</h2>
<p><a href='mailto:{$ma_profile->contact_email}'>{$ma_profile->contact_email}</a></p>
EOM;
  return $message;
}

function islandora_managed_access_info_tab($object) {
  $ma_profile = islandora_managed_access_get_object_profile($object);
  return islandora_managed_access_info_message($ma_profile);
}


function islandora_managed_access_soft403($profile_mname = FALSE) {
  if ($profile_mname == FALSE) {
    drupal_goto("/");
  }
  $ma_profile = islandora_managed_access_get_profile_by_machine_name($profile_mname);
  if (is_null($ma_profile)) {
    drupal_goto("/");
  }

  $message = islandora_managed_access_info_message($ma_profile);
  $message .= <<<EOQ
<a href="/register-user/{$ma_profile->mname}">
  <button>Register for access to $ma_profile->hname materials</button>
</a><br/><br/>
<a href="/user">
  <button>Log in with existing account</button>
</a>

EOQ;
  return $message;
}

function islandora_managed_access_get_profile_by_machine_name($ma_profile_mname) {
  $query = new EntityFieldQuery();
  $result = $query->entityCondition('entity_type', 'islandora_managed_access_profile')->propertyCondition('mname', $ma_profile_mname)->execute();
  if ($result) {
    $ma_profile_array = array_keys($result['islandora_managed_access_profile']);
    $ma_profile_id = $ma_profile_array[0];
    $ma_profiles = entity_load('islandora_managed_access_profile', array($ma_profile_id));
    return $ma_profiles[$ma_profile_id];
  }
  else {
    return NULL;
  }
}

function islandora_managed_access_get_profile_by_role_id($ma_profile_rid) {
  $query = new EntityFieldQuery();
  $result = $query->entityCondition('entity_type', 'islandora_managed_access_profile')->propertyCondition('rid', $ma_profile_rid)->execute();
  if ($result) {
    $ma_profile_array = array_keys($result['islandora_managed_access_profile']);
    $ma_profile_id = $ma_profile_array[0];
    $ma_profile = entity_load('islandora_managed_access_profile', array($ma_profile_id));
    return $ma_profile[$ma_profile_id];
  }
  else {
    return NULL;
  }
}

function islandora_managed_access_get_users_profile($ma_user) {
  $drupal_user = user_load($ma_user->uid);
  $drupal_user_roles = array_keys($drupal_user->roles);
  return islandora_managed_access_get_profile_by_role_id(array_pop($drupal_user_roles));
}

function islandora_managed_access_register_user($ma_profile_mname) {
  $ma_profile = islandora_managed_access_get_profile_by_machine_name($ma_profile_mname);
  $message = <<<EOQ
<form action="/post-registration/$ma_profile->mname" method="post">

  <label for="name">Name <span style="color:red">*</span></label>
  <input type="text" name="name" id="name" required><br/><br/>

  <label for="mail">Mail <span style="color:red">*</span></label>
  <input type="email" name="mail" id="mail"><br/><br/>

  <label for="inst">Institution <span style="color:red">*</span></label>
  <input type="text" name="inst" id="inst"><br/><br/>

  <label for="phone">Phone # <span style="color:red">*</span></label>
  <input type="tel" name="phone" id="phone"><br/><br/>

  <label for="addr">Address <span style="color:red">*</span></label>
  <textarea rows="4" cols="50" name="addr" id="addr"></textarea><br/><br/>

  <label for="req">Reason for Request for Access <span style="color:red">*</span></label>
  <input type="radio" name="req" value="Class Assignment"> Class Assignment<br/>
  <input type="radio" name="req" value="Thesis/Dissertation Research"> Thesis/Dissertation Research<br>
  <input type="radio" name="req" value="Article/Book Research"> Article/Book Research<br/>  
  <input type="radio" name="req" value="Work-Related Reason"> Work-Related Reason<br/>  
  <input type="radio" name="req" value="Personal Interest"> Personal Interest<br/><br/>
  <input type="checkbox" required> I have read and agree to the following terms of use:
  <blockquote>{$ma_profile->usage_info}</blockquote>
  <input type="submit" value="Submit">
</form>
EOQ;

  $content['raw_markup'] = array(
    '#type' => 'markup',
    '#markup' => $message,
  );
 
  return $content;
}

function islandora_managed_access_post_registration($ma_profile_mname) {
  global $base_url;
  $ma_profile = islandora_managed_access_get_profile_by_machine_name($ma_profile_mname);

  if (user_load_by_mail($_POST['mail'])) {
    drupal_set_title("Error: Submitted email already exists"); 
    $message = <<<EOQ
<p>The email address that you have submitted is already in use by the system. This most likely means that you already have an account. Please log in using your existing user account instead of creating a new one.</p>
<p>If you have forgotten your username and/or password, you may request a password reset. This will send a one-time login link to your existing email allowing you to login and not only reset your password, but also see your username.</p>
<p>If you do not already have an existing account and are still having issues registering, please contact <a href='mailto:{$ma_profile->contact_email}'>{$ma_profile->contact_email}</a> for further support.</p>
<a href="/user/password?name={$_POST['mail']}">
  <button>Request Password Reset</button>
</a>
EOQ;
  }
  else {
    drupal_set_title("Registration Success!"); 
    $role = user_role_load($ma_profile->rid);
    $ma_user = entity_create('islandora_managed_access_user', array());
    $ma_user->name = $_POST['name'];
    $ma_user->institution = $_POST['inst'];
    $ma_user->phone = $_POST['phone'];
    $ma_user->address = $_POST['addr'];
    $ma_user->request_info = $_POST['req'];
    $ma_user->active = $ma_profile->user_active_by_default;
    $user_info = IslandoraManagedAccessUserEntityController::save_new_ma_user($ma_user, $ma_profile, $_POST['mail']);

    if ($ma_user->active == 1) {
      $validity = ($ma_profile->lifetime == 0 ? "indefinitely" : "for the next {$ma_profile->lifetime} days");
      $message = <<<EOQ
<p>Thank you for registering, {$_POST['name']}!</p>
<p>Your login information has been sent to the email specified in the registration form (check your spam/junk folder if you don't see it in your inbox).</p>
<p>Your new credentials will be valid {$validity}.</p>
<p>Please contact <a href='mailto:{$ma_profile->contact_email}'>{$ma_profile->contact_email}</a> if you have any questions.</p>
<a href="/user">
  <button>Log In</button>
</a>
EOQ;
    }
    else {
      $message = <<<EOQ
<p>Thank you for registering, {$_POST['name']}!</p>
<p>You have registered to view materials that are restricted for the following reasons:</p>
<p>{$ma_profile->justification_info}</p>
<p>{$ma_profile->review_statement}</p>
<p>Please monitor the provided email account (<a href='mailto:{$_POST['mail']}'>{$_POST['mail']}</a>, check your spam/junk folder if you don't see it in your inbox) for a message with next steps.</p> 
<p>Contact <a href='mailto:{$ma_profile->contact_email}'>{$ma_profile->contact_email}</a> if you have any questions.</p>
EOQ;
    }
  }

  $content['raw_markup'] = array(
    '#type' => 'markup',
    '#markup' => $message,
  );
 
  return $content;
}

/*
 * Helper function for determining whether user IP matches IP ranges allowed by MA profile.
 * Used in islandora_managed_access_islandora_view_object()
 * Retrieved from http://php.net/manual/en/ref.network.php#74656
 */
function ip_cidr_check($ip, $cidr) {
  list($net, $mask) = explode("/", $cidr);
  $ip_net = ip2long($net);
  $ip_mask = ~((1 << (32 - $mask)) - 1);
  $ip_ip = ip2long($ip);
  $ip_ip_net = $ip_ip & $ip_mask;
  return ($ip_ip_net == $ip_net);
}

/**
 * Load all MA Profiles for use in Object/User forms
 */
function get_islandora_managed_access_profiles() {
  $profiles = entity_load('islandora_managed_access_profile', FALSE);
  $profile_selects = array();
  foreach ($profiles as $profile) {
    $profile_selects[$profile->id] = $profile->hname;
  }
  return $profile_selects;
}