I'm in the process of creating a plugin to notify admins when a new record is submitted into a workflow process. They'll receive an email with the admin URL for the record...so something like: http://www.blah.com/admin/items/show/2973.
Obviously, that URL won't be accessible until they've logged in. Currently, however, when you get to this bit of code in application\libraries\controller\omeka\action.php (line #597):
//Check to see whether to record exists at all
if (!$table->checkExists($id)) {
throw new Omeka_Controller_Exception_404(get_class($this) . ": No record with ID # $id exists" );
} else {
throw new Omeka_Controller_Exception_403('You do not have permission to access this page.');
}
...it throws a 404 rather than a 403. That appears to be because of the nature of the query that's run in the $table->checkExists() call. If I look at the logs, here's what happens:
2011-08-18T12:20:37+01:00 DEBUG (7): SELECT <code>i</code>.* FROM <code>omeka_items</code> AS <code>i</code>
INNER JOIN
(SELECT er_perm.relation_id as item_id
FROM omeka_entities_relations er_perm
INNER JOIN omeka_entities e ON e.id = er_perm.entity_id
INNER JOIN omeka_users u ON u.entity_id = e.id
INNER JOIN omeka_items i ON i.id = er_perm.relation_id
LEFT JOIN omeka_entity_relationships ier ON ier.id = er_perm.relationship_id
WHERE
(u.id = '11'
AND (ier.name = "added" OR ier.name = "modified")
AND er_perm.type = "Item"
)
OR i.public = 1) AS <code>i_perm</code> ON i_perm.item_id = i.id WHERE (i.id = 2973) LIMIT 1
2011-08-18T12:20:37+01:00 DEBUG (7): SELECT COUNT(DISTINCT(i.id)) FROM <code>omeka_items</code> AS <code>i</code>
INNER JOIN
(SELECT er_perm.relation_id as item_id
FROM omeka_entities_relations er_perm
INNER JOIN omeka_entities e ON e.id = er_perm.entity_id
INNER JOIN omeka_users u ON u.entity_id = e.id
INNER JOIN omeka_items i ON i.id = er_perm.relation_id
LEFT JOIN omeka_entity_relationships ier ON ier.id = er_perm.relationship_id
WHERE
(u.id = '11'
AND (ier.name = "added" OR ier.name = "modified")
AND er_perm.type = "Item"
)
OR i.public = 1) AS <code>i_perm</code> ON i_perm.item_id = i.id WHERE (i.id = '2973')
...so it runs the query to check the permission, then runs the same query again as part of the checkExists() call. It isn't clearing any of the permission checks, in other words, so that second query fails too.
Any clues, anyone...?
Many thanks in advance.