Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 4 | | Copyright CiviCRM LLC. All rights reserved. | |
6a488035 | 5 | | | |
bc77d7c0 TO |
6 | | This work is published under the GNU AGPLv3 license with some | |
7 | | permitted exceptions and without any warranty. For full license | | |
8 | | and copyright information, see https://civicrm.org/licensing | | |
6a488035 | 9 | +--------------------------------------------------------------------+ |
d25dd0ee | 10 | */ |
6a488035 TO |
11 | |
12 | /** | |
13 | * | |
14 | * @package CRM | |
ca5cec67 | 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
6a488035 TO |
16 | */ |
17 | class CRM_ACL_API { | |
18 | ||
19 | /** | |
d2e5d2ce | 20 | * The various type of permissions. |
6a488035 TO |
21 | * |
22 | * @var int | |
23 | */ | |
7da04cde TO |
24 | const EDIT = 1; |
25 | const VIEW = 2; | |
26 | const DELETE = 3; | |
27 | const CREATE = 4; | |
28 | const SEARCH = 5; | |
29 | const ALL = 6; | |
6a488035 TO |
30 | |
31 | /** | |
100fef9d | 32 | * Given a permission string, check for access requirements |
6a488035 | 33 | * |
b758c7d5 TO |
34 | * @param string $str |
35 | * The permission to check. | |
36 | * @param int $contactID | |
37 | * The contactID for whom the check is made. | |
6a488035 | 38 | * |
acb1052e | 39 | * @return bool |
a6c01b45 | 40 | * true if yes, else false |
6a488035 | 41 | */ |
00be9182 | 42 | public static function check($str, $contactID = NULL) { |
6a488035 | 43 | if ($contactID == NULL) { |
3bdcd4ec | 44 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
45 | } |
46 | ||
47 | if (!$contactID) { | |
48 | // anonymous user | |
49 | $contactID = 0; | |
50 | } | |
51 | ||
52 | return CRM_ACL_BAO_ACL::check($str, $contactID); | |
53 | } | |
54 | ||
55 | /** | |
d2e5d2ce | 56 | * Get the permissioned where clause for the user. |
6a488035 | 57 | * |
b758c7d5 TO |
58 | * @param int $type |
59 | * The type of permission needed. | |
60 | * @param array $tables | |
61 | * (reference ) add the tables that are needed for the select clause. | |
62 | * @param array $whereTables | |
63 | * (reference ) add the tables that are needed for the where clause. | |
64 | * @param int $contactID | |
65 | * The contactID for whom the check is made. | |
66 | * @param bool $onlyDeleted | |
67 | * Whether to include only deleted contacts. | |
68 | * @param bool $skipDeleteClause | |
69 | * Don't add delete clause if this is true,. | |
a1258782 | 70 | * this means it is handled by generating query |
9aea8e14 | 71 | * @param bool $skipOwnContactClause |
72 | * Do not add 'OR contact_id = $userID' to the where clause. | |
73 | * This is a hideously inefficient query and should be avoided | |
74 | * wherever possible. | |
6a488035 | 75 | * |
a6c01b45 CW |
76 | * @return string |
77 | * the group where clause for this user | |
6a488035 | 78 | */ |
e6a83034 TO |
79 | public static function whereClause( |
80 | $type, | |
6a488035 TO |
81 | &$tables, |
82 | &$whereTables, | |
100b0ec6 TO |
83 | $contactID = NULL, |
84 | $onlyDeleted = FALSE, | |
9aea8e14 | 85 | $skipDeleteClause = FALSE, |
86 | $skipOwnContactClause = FALSE | |
6a488035 | 87 | ) { |
5bd6e0a3 | 88 | // the default value which is valid for the final AND |
6a488035 TO |
89 | $deleteClause = ' ( 1 ) '; |
90 | if (!$skipDeleteClause) { | |
b3df61d8 CW |
91 | if (CRM_Core_Permission::check('access deleted contacts')) { |
92 | if ($onlyDeleted) { | |
93 | $deleteClause = '(contact_a.is_deleted)'; | |
94 | } | |
6a488035 TO |
95 | } |
96 | else { | |
b3df61d8 | 97 | // Exclude deleted contacts due to permissions |
6a488035 TO |
98 | $deleteClause = '(contact_a.is_deleted = 0)'; |
99 | } | |
100 | } | |
101 | ||
1a4651ba CW |
102 | if (!$contactID) { |
103 | $contactID = CRM_Core_Session::getLoggedInContactID(); | |
6a488035 | 104 | } |
1a4651ba | 105 | $contactID = (int) $contactID; |
6a488035 | 106 | |
a7d9f31a CW |
107 | // first see if the contact has edit / view all permission |
108 | if (CRM_Core_Permission::check('edit all contacts', $contactID) || | |
109 | ($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID)) | |
110 | ) { | |
111 | return $deleteClause; | |
112 | } | |
113 | ||
cf0d1c08 | 114 | $whereClause = CRM_ACL_BAO_ACL::whereClause($type, |
115 | $tables, | |
116 | $whereTables, | |
117 | $contactID | |
6a488035 | 118 | ); |
cf0d1c08 | 119 | $where = implode(' AND ', [$whereClause, $deleteClause]); |
1a4651ba | 120 | |
9aea8e14 | 121 | // Add permission on self if we really hate our server or have hardly any contacts. |
122 | if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') || | |
123 | $type == self::VIEW && CRM_Core_Permission::check('view my contact')) | |
1a4651ba | 124 | ) { |
f8d66365 | 125 | $where = "(contact_a.id = $contactID OR ($where))"; |
1a4651ba CW |
126 | } |
127 | return $where; | |
6a488035 TO |
128 | } |
129 | ||
130 | /** | |
d2e5d2ce | 131 | * Get all the groups the user has access to for the given operation. |
6a488035 | 132 | * |
b758c7d5 TO |
133 | * @param int $type |
134 | * The type of permission needed. | |
135 | * @param int $contactID | |
136 | * The contactID for whom the check is made. | |
fd31fa4c EM |
137 | * |
138 | * @param string $tableName | |
139 | * @param null $allGroups | |
140 | * @param null $includedGroups | |
6a488035 | 141 | * |
a6c01b45 CW |
142 | * @return array |
143 | * the ids of the groups for which the user has permissions | |
6a488035 TO |
144 | */ |
145 | public static function group( | |
146 | $type, | |
100b0ec6 TO |
147 | $contactID = NULL, |
148 | $tableName = 'civicrm_saved_search', | |
149 | $allGroups = NULL, | |
6a488035 TO |
150 | $includedGroups = NULL |
151 | ) { | |
152 | if ($contactID == NULL) { | |
3bdcd4ec | 153 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
154 | } |
155 | ||
156 | if (!$contactID) { | |
157 | // anonymous user | |
158 | $contactID = 0; | |
159 | } | |
160 | ||
161 | return CRM_ACL_BAO_ACL::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
162 | } | |
163 | ||
164 | /** | |
100fef9d | 165 | * Check if the user has access to this group for operation $type |
6a488035 | 166 | * |
b758c7d5 TO |
167 | * @param int $type |
168 | * The type of permission needed. | |
100fef9d | 169 | * @param int $groupID |
b758c7d5 TO |
170 | * @param int $contactID |
171 | * The contactID for whom the check is made. | |
da6b46f4 EM |
172 | * @param string $tableName |
173 | * @param null $allGroups | |
174 | * @param null $includedGroups | |
6a488035 | 175 | * |
6d054a8e | 176 | * @return bool |
6a488035 TO |
177 | */ |
178 | public static function groupPermission( | |
179 | $type, | |
180 | $groupID, | |
100b0ec6 TO |
181 | $contactID = NULL, |
182 | $tableName = 'civicrm_saved_search', | |
183 | $allGroups = NULL, | |
6d054a8e | 184 | $includedGroups = NULL |
6a488035 | 185 | ) { |
6a488035 | 186 | |
6d054a8e | 187 | if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) { |
cf0d1c08 | 188 | Civi::$statics[__CLASS__]['group_permission'] = []; |
90dee8d1 | 189 | } |
6d054a8e | 190 | |
6a488035 | 191 | if (!$contactID) { |
2dbdb9b9 | 192 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
193 | } |
194 | ||
195 | $key = "{$tableName}_{$type}_{$contactID}"; | |
6d054a8e | 196 | if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) { |
197 | Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
e7d6f8f8 | 198 | } |
6a488035 | 199 | |
6d054a8e | 200 | return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]); |
6a488035 | 201 | } |
96025800 | 202 | |
6a488035 | 203 | } |