Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
fee14197 | 4 | | CiviCRM version 5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
6b83d5bd | 6 | | Copyright CiviCRM LLC (c) 2004-2019 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
d25dd0ee | 26 | */ |
6a488035 TO |
27 | |
28 | /** | |
29 | * | |
30 | * @package CRM | |
6b83d5bd | 31 | * @copyright CiviCRM LLC (c) 2004-2019 |
6a488035 TO |
32 | */ |
33 | class CRM_ACL_API { | |
34 | ||
35 | /** | |
d2e5d2ce | 36 | * The various type of permissions. |
6a488035 TO |
37 | * |
38 | * @var int | |
39 | */ | |
7da04cde TO |
40 | const EDIT = 1; |
41 | const VIEW = 2; | |
42 | const DELETE = 3; | |
43 | const CREATE = 4; | |
44 | const SEARCH = 5; | |
45 | const ALL = 6; | |
6a488035 TO |
46 | |
47 | /** | |
100fef9d | 48 | * Given a permission string, check for access requirements |
6a488035 | 49 | * |
b758c7d5 TO |
50 | * @param string $str |
51 | * The permission to check. | |
52 | * @param int $contactID | |
53 | * The contactID for whom the check is made. | |
6a488035 | 54 | * |
acb1052e | 55 | * @return bool |
a6c01b45 | 56 | * true if yes, else false |
6a488035 | 57 | */ |
00be9182 | 58 | public static function check($str, $contactID = NULL) { |
6a488035 | 59 | if ($contactID == NULL) { |
3bdcd4ec | 60 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
61 | } |
62 | ||
63 | if (!$contactID) { | |
64 | // anonymous user | |
65 | $contactID = 0; | |
66 | } | |
67 | ||
68 | return CRM_ACL_BAO_ACL::check($str, $contactID); | |
69 | } | |
70 | ||
71 | /** | |
d2e5d2ce | 72 | * Get the permissioned where clause for the user. |
6a488035 | 73 | * |
b758c7d5 TO |
74 | * @param int $type |
75 | * The type of permission needed. | |
76 | * @param array $tables | |
77 | * (reference ) add the tables that are needed for the select clause. | |
78 | * @param array $whereTables | |
79 | * (reference ) add the tables that are needed for the where clause. | |
80 | * @param int $contactID | |
81 | * The contactID for whom the check is made. | |
82 | * @param bool $onlyDeleted | |
83 | * Whether to include only deleted contacts. | |
84 | * @param bool $skipDeleteClause | |
85 | * Don't add delete clause if this is true,. | |
a1258782 | 86 | * this means it is handled by generating query |
9aea8e14 | 87 | * @param bool $skipOwnContactClause |
88 | * Do not add 'OR contact_id = $userID' to the where clause. | |
89 | * This is a hideously inefficient query and should be avoided | |
90 | * wherever possible. | |
6a488035 | 91 | * |
a6c01b45 CW |
92 | * @return string |
93 | * the group where clause for this user | |
6a488035 | 94 | */ |
e6a83034 TO |
95 | public static function whereClause( |
96 | $type, | |
6a488035 TO |
97 | &$tables, |
98 | &$whereTables, | |
100b0ec6 TO |
99 | $contactID = NULL, |
100 | $onlyDeleted = FALSE, | |
9aea8e14 | 101 | $skipDeleteClause = FALSE, |
102 | $skipOwnContactClause = FALSE | |
6a488035 | 103 | ) { |
5bd6e0a3 | 104 | // the default value which is valid for the final AND |
6a488035 TO |
105 | $deleteClause = ' ( 1 ) '; |
106 | if (!$skipDeleteClause) { | |
107 | if (CRM_Core_Permission::check('access deleted contacts') and $onlyDeleted) { | |
108 | $deleteClause = '(contact_a.is_deleted)'; | |
109 | } | |
110 | else { | |
111 | // CRM-6181 | |
112 | $deleteClause = '(contact_a.is_deleted = 0)'; | |
113 | } | |
114 | } | |
115 | ||
1a4651ba CW |
116 | if (!$contactID) { |
117 | $contactID = CRM_Core_Session::getLoggedInContactID(); | |
6a488035 | 118 | } |
1a4651ba | 119 | $contactID = (int) $contactID; |
6a488035 | 120 | |
a7d9f31a CW |
121 | // first see if the contact has edit / view all permission |
122 | if (CRM_Core_Permission::check('edit all contacts', $contactID) || | |
123 | ($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID)) | |
124 | ) { | |
125 | return $deleteClause; | |
126 | } | |
127 | ||
cf0d1c08 | 128 | $whereClause = CRM_ACL_BAO_ACL::whereClause($type, |
129 | $tables, | |
130 | $whereTables, | |
131 | $contactID | |
6a488035 | 132 | ); |
cf0d1c08 | 133 | $where = implode(' AND ', [$whereClause, $deleteClause]); |
1a4651ba | 134 | |
9aea8e14 | 135 | // Add permission on self if we really hate our server or have hardly any contacts. |
136 | if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') || | |
137 | $type == self::VIEW && CRM_Core_Permission::check('view my contact')) | |
1a4651ba | 138 | ) { |
f8d66365 | 139 | $where = "(contact_a.id = $contactID OR ($where))"; |
1a4651ba CW |
140 | } |
141 | return $where; | |
6a488035 TO |
142 | } |
143 | ||
144 | /** | |
d2e5d2ce | 145 | * Get all the groups the user has access to for the given operation. |
6a488035 | 146 | * |
b758c7d5 TO |
147 | * @param int $type |
148 | * The type of permission needed. | |
149 | * @param int $contactID | |
150 | * The contactID for whom the check is made. | |
fd31fa4c EM |
151 | * |
152 | * @param string $tableName | |
153 | * @param null $allGroups | |
154 | * @param null $includedGroups | |
6a488035 | 155 | * |
a6c01b45 CW |
156 | * @return array |
157 | * the ids of the groups for which the user has permissions | |
6a488035 TO |
158 | */ |
159 | public static function group( | |
160 | $type, | |
100b0ec6 TO |
161 | $contactID = NULL, |
162 | $tableName = 'civicrm_saved_search', | |
163 | $allGroups = NULL, | |
6a488035 TO |
164 | $includedGroups = NULL |
165 | ) { | |
166 | if ($contactID == NULL) { | |
3bdcd4ec | 167 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
168 | } |
169 | ||
170 | if (!$contactID) { | |
171 | // anonymous user | |
172 | $contactID = 0; | |
173 | } | |
174 | ||
175 | return CRM_ACL_BAO_ACL::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
176 | } | |
177 | ||
178 | /** | |
100fef9d | 179 | * Check if the user has access to this group for operation $type |
6a488035 | 180 | * |
b758c7d5 TO |
181 | * @param int $type |
182 | * The type of permission needed. | |
100fef9d | 183 | * @param int $groupID |
b758c7d5 TO |
184 | * @param int $contactID |
185 | * The contactID for whom the check is made. | |
da6b46f4 EM |
186 | * @param string $tableName |
187 | * @param null $allGroups | |
188 | * @param null $includedGroups | |
6a488035 | 189 | * |
6d054a8e | 190 | * @return bool |
6a488035 TO |
191 | */ |
192 | public static function groupPermission( | |
193 | $type, | |
194 | $groupID, | |
100b0ec6 TO |
195 | $contactID = NULL, |
196 | $tableName = 'civicrm_saved_search', | |
197 | $allGroups = NULL, | |
6d054a8e | 198 | $includedGroups = NULL |
6a488035 | 199 | ) { |
6a488035 | 200 | |
6d054a8e | 201 | if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) { |
cf0d1c08 | 202 | Civi::$statics[__CLASS__]['group_permission'] = []; |
90dee8d1 | 203 | } |
6d054a8e | 204 | |
6a488035 | 205 | if (!$contactID) { |
6d054a8e | 206 | $contactID = CRM_Core_Session::singleton()->getLoggedInContactID(); |
6a488035 TO |
207 | } |
208 | ||
209 | $key = "{$tableName}_{$type}_{$contactID}"; | |
6d054a8e | 210 | if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) { |
211 | Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
e7d6f8f8 | 212 | } |
6a488035 | 213 | |
6d054a8e | 214 | return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]); |
6a488035 | 215 | } |
96025800 | 216 | |
6a488035 | 217 | } |