Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 4 | | Copyright CiviCRM LLC. All rights reserved. | |
6a488035 | 5 | | | |
bc77d7c0 TO |
6 | | This work is published under the GNU AGPLv3 license with some | |
7 | | permitted exceptions and without any warranty. For full license | | |
8 | | and copyright information, see https://civicrm.org/licensing | | |
6a488035 | 9 | +--------------------------------------------------------------------+ |
d25dd0ee | 10 | */ |
6a488035 TO |
11 | |
12 | /** | |
13 | * | |
14 | * @package CRM | |
ca5cec67 | 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
6a488035 TO |
16 | */ |
17 | class CRM_ACL_API { | |
18 | ||
19 | /** | |
d2e5d2ce | 20 | * The various type of permissions. |
6a488035 TO |
21 | * |
22 | * @var int | |
23 | */ | |
7da04cde TO |
24 | const EDIT = 1; |
25 | const VIEW = 2; | |
26 | const DELETE = 3; | |
27 | const CREATE = 4; | |
28 | const SEARCH = 5; | |
29 | const ALL = 6; | |
6a488035 TO |
30 | |
31 | /** | |
100fef9d | 32 | * Given a permission string, check for access requirements |
6a488035 | 33 | * |
b758c7d5 TO |
34 | * @param string $str |
35 | * The permission to check. | |
36 | * @param int $contactID | |
37 | * The contactID for whom the check is made. | |
6a488035 | 38 | * |
acb1052e | 39 | * @return bool |
a6c01b45 | 40 | * true if yes, else false |
6a488035 | 41 | */ |
00be9182 | 42 | public static function check($str, $contactID = NULL) { |
a963992d | 43 | \CRM_Core_Error::deprecatedWarning(__CLASS__ . '::' . __FUNCTION__ . ' is deprecated.'); |
6a488035 | 44 | if ($contactID == NULL) { |
3bdcd4ec | 45 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
46 | } |
47 | ||
48 | if (!$contactID) { | |
49 | // anonymous user | |
50 | $contactID = 0; | |
51 | } | |
52 | ||
53 | return CRM_ACL_BAO_ACL::check($str, $contactID); | |
54 | } | |
55 | ||
56 | /** | |
d2e5d2ce | 57 | * Get the permissioned where clause for the user. |
6a488035 | 58 | * |
b758c7d5 TO |
59 | * @param int $type |
60 | * The type of permission needed. | |
61 | * @param array $tables | |
62 | * (reference ) add the tables that are needed for the select clause. | |
63 | * @param array $whereTables | |
64 | * (reference ) add the tables that are needed for the where clause. | |
65 | * @param int $contactID | |
66 | * The contactID for whom the check is made. | |
67 | * @param bool $onlyDeleted | |
68 | * Whether to include only deleted contacts. | |
69 | * @param bool $skipDeleteClause | |
70 | * Don't add delete clause if this is true,. | |
a1258782 | 71 | * this means it is handled by generating query |
9aea8e14 | 72 | * @param bool $skipOwnContactClause |
73 | * Do not add 'OR contact_id = $userID' to the where clause. | |
74 | * This is a hideously inefficient query and should be avoided | |
75 | * wherever possible. | |
6a488035 | 76 | * |
a6c01b45 CW |
77 | * @return string |
78 | * the group where clause for this user | |
6a488035 | 79 | */ |
e6a83034 TO |
80 | public static function whereClause( |
81 | $type, | |
6a488035 TO |
82 | &$tables, |
83 | &$whereTables, | |
100b0ec6 TO |
84 | $contactID = NULL, |
85 | $onlyDeleted = FALSE, | |
9aea8e14 | 86 | $skipDeleteClause = FALSE, |
87 | $skipOwnContactClause = FALSE | |
6a488035 | 88 | ) { |
5bd6e0a3 | 89 | // the default value which is valid for the final AND |
6a488035 TO |
90 | $deleteClause = ' ( 1 ) '; |
91 | if (!$skipDeleteClause) { | |
b3df61d8 CW |
92 | if (CRM_Core_Permission::check('access deleted contacts')) { |
93 | if ($onlyDeleted) { | |
94 | $deleteClause = '(contact_a.is_deleted)'; | |
95 | } | |
6a488035 TO |
96 | } |
97 | else { | |
b3df61d8 | 98 | // Exclude deleted contacts due to permissions |
6a488035 TO |
99 | $deleteClause = '(contact_a.is_deleted = 0)'; |
100 | } | |
101 | } | |
102 | ||
1a4651ba CW |
103 | if (!$contactID) { |
104 | $contactID = CRM_Core_Session::getLoggedInContactID(); | |
6a488035 | 105 | } |
1a4651ba | 106 | $contactID = (int) $contactID; |
6a488035 | 107 | |
a7d9f31a CW |
108 | // first see if the contact has edit / view all permission |
109 | if (CRM_Core_Permission::check('edit all contacts', $contactID) || | |
110 | ($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID)) | |
111 | ) { | |
112 | return $deleteClause; | |
113 | } | |
114 | ||
cf0d1c08 | 115 | $whereClause = CRM_ACL_BAO_ACL::whereClause($type, |
116 | $tables, | |
117 | $whereTables, | |
118 | $contactID | |
6a488035 | 119 | ); |
cf0d1c08 | 120 | $where = implode(' AND ', [$whereClause, $deleteClause]); |
1a4651ba | 121 | |
9aea8e14 | 122 | // Add permission on self if we really hate our server or have hardly any contacts. |
123 | if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') || | |
124 | $type == self::VIEW && CRM_Core_Permission::check('view my contact')) | |
1a4651ba | 125 | ) { |
f8d66365 | 126 | $where = "(contact_a.id = $contactID OR ($where))"; |
1a4651ba CW |
127 | } |
128 | return $where; | |
6a488035 TO |
129 | } |
130 | ||
131 | /** | |
d2e5d2ce | 132 | * Get all the groups the user has access to for the given operation. |
6a488035 | 133 | * |
b758c7d5 TO |
134 | * @param int $type |
135 | * The type of permission needed. | |
136 | * @param int $contactID | |
137 | * The contactID for whom the check is made. | |
fd31fa4c EM |
138 | * |
139 | * @param string $tableName | |
140 | * @param null $allGroups | |
141 | * @param null $includedGroups | |
6a488035 | 142 | * |
a6c01b45 CW |
143 | * @return array |
144 | * the ids of the groups for which the user has permissions | |
6a488035 TO |
145 | */ |
146 | public static function group( | |
147 | $type, | |
100b0ec6 TO |
148 | $contactID = NULL, |
149 | $tableName = 'civicrm_saved_search', | |
150 | $allGroups = NULL, | |
6a488035 TO |
151 | $includedGroups = NULL |
152 | ) { | |
153 | if ($contactID == NULL) { | |
3bdcd4ec | 154 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
155 | } |
156 | ||
157 | if (!$contactID) { | |
158 | // anonymous user | |
159 | $contactID = 0; | |
160 | } | |
161 | ||
162 | return CRM_ACL_BAO_ACL::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
163 | } | |
164 | ||
165 | /** | |
100fef9d | 166 | * Check if the user has access to this group for operation $type |
6a488035 | 167 | * |
b758c7d5 TO |
168 | * @param int $type |
169 | * The type of permission needed. | |
100fef9d | 170 | * @param int $groupID |
b758c7d5 TO |
171 | * @param int $contactID |
172 | * The contactID for whom the check is made. | |
da6b46f4 EM |
173 | * @param string $tableName |
174 | * @param null $allGroups | |
175 | * @param null $includedGroups | |
6a488035 | 176 | * |
6d054a8e | 177 | * @return bool |
6a488035 TO |
178 | */ |
179 | public static function groupPermission( | |
180 | $type, | |
181 | $groupID, | |
100b0ec6 TO |
182 | $contactID = NULL, |
183 | $tableName = 'civicrm_saved_search', | |
184 | $allGroups = NULL, | |
6d054a8e | 185 | $includedGroups = NULL |
6a488035 | 186 | ) { |
6a488035 | 187 | |
6d054a8e | 188 | if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) { |
cf0d1c08 | 189 | Civi::$statics[__CLASS__]['group_permission'] = []; |
90dee8d1 | 190 | } |
6d054a8e | 191 | |
6a488035 | 192 | if (!$contactID) { |
2dbdb9b9 | 193 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
194 | } |
195 | ||
196 | $key = "{$tableName}_{$type}_{$contactID}"; | |
6d054a8e | 197 | if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) { |
198 | Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
e7d6f8f8 | 199 | } |
6a488035 | 200 | |
6d054a8e | 201 | return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]); |
6a488035 | 202 | } |
96025800 | 203 | |
6a488035 | 204 | } |