Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 4 | | Copyright CiviCRM LLC. All rights reserved. | |
6a488035 | 5 | | | |
bc77d7c0 TO |
6 | | This work is published under the GNU AGPLv3 license with some | |
7 | | permitted exceptions and without any warranty. For full license | | |
8 | | and copyright information, see https://civicrm.org/licensing | | |
6a488035 | 9 | +--------------------------------------------------------------------+ |
d25dd0ee | 10 | */ |
6a488035 TO |
11 | |
12 | /** | |
13 | * | |
14 | * @package CRM | |
ca5cec67 | 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
6a488035 TO |
16 | */ |
17 | class CRM_ACL_API { | |
18 | ||
19 | /** | |
d2e5d2ce | 20 | * The various type of permissions. |
6a488035 TO |
21 | * |
22 | * @var int | |
23 | */ | |
7da04cde TO |
24 | const EDIT = 1; |
25 | const VIEW = 2; | |
26 | const DELETE = 3; | |
27 | const CREATE = 4; | |
28 | const SEARCH = 5; | |
29 | const ALL = 6; | |
6a488035 TO |
30 | |
31 | /** | |
100fef9d | 32 | * Given a permission string, check for access requirements |
6a488035 | 33 | * |
b758c7d5 TO |
34 | * @param string $str |
35 | * The permission to check. | |
36 | * @param int $contactID | |
37 | * The contactID for whom the check is made. | |
6a488035 | 38 | * |
acb1052e | 39 | * @return bool |
a6c01b45 | 40 | * true if yes, else false |
f87a8e30 MW |
41 | * |
42 | * @deprecated | |
6a488035 | 43 | */ |
00be9182 | 44 | public static function check($str, $contactID = NULL) { |
a963992d | 45 | \CRM_Core_Error::deprecatedWarning(__CLASS__ . '::' . __FUNCTION__ . ' is deprecated.'); |
6a488035 | 46 | if ($contactID == NULL) { |
3bdcd4ec | 47 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
48 | } |
49 | ||
50 | if (!$contactID) { | |
51 | // anonymous user | |
52 | $contactID = 0; | |
53 | } | |
54 | ||
55 | return CRM_ACL_BAO_ACL::check($str, $contactID); | |
56 | } | |
57 | ||
58 | /** | |
d2e5d2ce | 59 | * Get the permissioned where clause for the user. |
6a488035 | 60 | * |
b758c7d5 TO |
61 | * @param int $type |
62 | * The type of permission needed. | |
63 | * @param array $tables | |
64 | * (reference ) add the tables that are needed for the select clause. | |
65 | * @param array $whereTables | |
66 | * (reference ) add the tables that are needed for the where clause. | |
67 | * @param int $contactID | |
68 | * The contactID for whom the check is made. | |
69 | * @param bool $onlyDeleted | |
70 | * Whether to include only deleted contacts. | |
71 | * @param bool $skipDeleteClause | |
72 | * Don't add delete clause if this is true,. | |
a1258782 | 73 | * this means it is handled by generating query |
9aea8e14 | 74 | * @param bool $skipOwnContactClause |
75 | * Do not add 'OR contact_id = $userID' to the where clause. | |
76 | * This is a hideously inefficient query and should be avoided | |
77 | * wherever possible. | |
6a488035 | 78 | * |
a6c01b45 CW |
79 | * @return string |
80 | * the group where clause for this user | |
6a488035 | 81 | */ |
e6a83034 TO |
82 | public static function whereClause( |
83 | $type, | |
6a488035 TO |
84 | &$tables, |
85 | &$whereTables, | |
100b0ec6 TO |
86 | $contactID = NULL, |
87 | $onlyDeleted = FALSE, | |
9aea8e14 | 88 | $skipDeleteClause = FALSE, |
89 | $skipOwnContactClause = FALSE | |
6a488035 | 90 | ) { |
5bd6e0a3 | 91 | // the default value which is valid for the final AND |
6a488035 TO |
92 | $deleteClause = ' ( 1 ) '; |
93 | if (!$skipDeleteClause) { | |
b3df61d8 CW |
94 | if (CRM_Core_Permission::check('access deleted contacts')) { |
95 | if ($onlyDeleted) { | |
96 | $deleteClause = '(contact_a.is_deleted)'; | |
97 | } | |
6a488035 TO |
98 | } |
99 | else { | |
b3df61d8 | 100 | // Exclude deleted contacts due to permissions |
6a488035 TO |
101 | $deleteClause = '(contact_a.is_deleted = 0)'; |
102 | } | |
103 | } | |
104 | ||
1a4651ba CW |
105 | if (!$contactID) { |
106 | $contactID = CRM_Core_Session::getLoggedInContactID(); | |
6a488035 | 107 | } |
1a4651ba | 108 | $contactID = (int) $contactID; |
6a488035 | 109 | |
a7d9f31a CW |
110 | // first see if the contact has edit / view all permission |
111 | if (CRM_Core_Permission::check('edit all contacts', $contactID) || | |
112 | ($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID)) | |
113 | ) { | |
114 | return $deleteClause; | |
115 | } | |
116 | ||
cf0d1c08 | 117 | $whereClause = CRM_ACL_BAO_ACL::whereClause($type, |
118 | $tables, | |
119 | $whereTables, | |
120 | $contactID | |
6a488035 | 121 | ); |
cf0d1c08 | 122 | $where = implode(' AND ', [$whereClause, $deleteClause]); |
1a4651ba | 123 | |
9aea8e14 | 124 | // Add permission on self if we really hate our server or have hardly any contacts. |
125 | if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') || | |
126 | $type == self::VIEW && CRM_Core_Permission::check('view my contact')) | |
1a4651ba | 127 | ) { |
f8d66365 | 128 | $where = "(contact_a.id = $contactID OR ($where))"; |
1a4651ba CW |
129 | } |
130 | return $where; | |
6a488035 TO |
131 | } |
132 | ||
133 | /** | |
d2e5d2ce | 134 | * Get all the groups the user has access to for the given operation. |
6a488035 | 135 | * |
b758c7d5 TO |
136 | * @param int $type |
137 | * The type of permission needed. | |
138 | * @param int $contactID | |
139 | * The contactID for whom the check is made. | |
fd31fa4c EM |
140 | * |
141 | * @param string $tableName | |
142 | * @param null $allGroups | |
143 | * @param null $includedGroups | |
6a488035 | 144 | * |
a6c01b45 CW |
145 | * @return array |
146 | * the ids of the groups for which the user has permissions | |
6a488035 TO |
147 | */ |
148 | public static function group( | |
149 | $type, | |
100b0ec6 TO |
150 | $contactID = NULL, |
151 | $tableName = 'civicrm_saved_search', | |
152 | $allGroups = NULL, | |
6a488035 TO |
153 | $includedGroups = NULL |
154 | ) { | |
155 | if ($contactID == NULL) { | |
3bdcd4ec | 156 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
157 | } |
158 | ||
f7a0f12e | 159 | return CRM_ACL_BAO_ACL::group($type, (int) $contactID, $tableName, $allGroups, $includedGroups); |
6a488035 TO |
160 | } |
161 | ||
162 | /** | |
100fef9d | 163 | * Check if the user has access to this group for operation $type |
6a488035 | 164 | * |
b758c7d5 TO |
165 | * @param int $type |
166 | * The type of permission needed. | |
100fef9d | 167 | * @param int $groupID |
b758c7d5 TO |
168 | * @param int $contactID |
169 | * The contactID for whom the check is made. | |
da6b46f4 EM |
170 | * @param string $tableName |
171 | * @param null $allGroups | |
172 | * @param null $includedGroups | |
6a488035 | 173 | * |
6d054a8e | 174 | * @return bool |
6a488035 TO |
175 | */ |
176 | public static function groupPermission( | |
177 | $type, | |
178 | $groupID, | |
100b0ec6 TO |
179 | $contactID = NULL, |
180 | $tableName = 'civicrm_saved_search', | |
181 | $allGroups = NULL, | |
6d054a8e | 182 | $includedGroups = NULL |
6a488035 | 183 | ) { |
6a488035 | 184 | |
6d054a8e | 185 | if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) { |
cf0d1c08 | 186 | Civi::$statics[__CLASS__]['group_permission'] = []; |
90dee8d1 | 187 | } |
6d054a8e | 188 | |
6a488035 | 189 | if (!$contactID) { |
2dbdb9b9 | 190 | $contactID = CRM_Core_Session::getLoggedInContactID(); |
6a488035 TO |
191 | } |
192 | ||
193 | $key = "{$tableName}_{$type}_{$contactID}"; | |
6d054a8e | 194 | if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) { |
195 | Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups); | |
e7d6f8f8 | 196 | } |
6a488035 | 197 | |
6d054a8e | 198 | return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]); |
6a488035 | 199 | } |
96025800 | 200 | |
6a488035 | 201 | } |