Commit | Line | Data |
---|---|---|
6a488035 TO |
1 | <?php |
2 | // $Id$ | |
3 | ||
4 | /* | |
5 | +--------------------------------------------------------------------+ | |
6 | | CiviCRM version 4.3 | | |
7 | +--------------------------------------------------------------------+ | |
8 | | Copyright CiviCRM LLC (c) 2004-2013 | | |
9 | +--------------------------------------------------------------------+ | |
10 | | This file is a part of CiviCRM. | | |
11 | | | | |
12 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
13 | | under the terms of the GNU Affero General Public License | | |
14 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
15 | | | | |
16 | | CiviCRM is distributed in the hope that it will be useful, but | | |
17 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
18 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
19 | | See the GNU Affero General Public License for more details. | | |
20 | | | | |
21 | | You should have received a copy of the GNU Affero General Public | | |
22 | | License and the CiviCRM Licensing Exception along | | |
23 | | with this program; if not, contact CiviCRM LLC | | |
24 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
25 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
26 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
27 | +--------------------------------------------------------------------+ | |
28 | */ | |
29 | ||
30 | /** | |
31 | * | |
32 | * @package CRM | |
33 | * @copyright CiviCRM LLC (c) 2004-2013 | |
34 | * $Id$ | |
35 | * | |
36 | */ | |
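class CRM_ACL_API {

  /**
   * Permission / operation types accepted by the ACL methods below.
   *
   * @var int
   */
  const EDIT = 1;
  const VIEW = 2;
  const DELETE = 3;
  const CREATE = 4;
  const SEARCH = 5;
  const ALL = 6;

  /**
   * Resolve the contact an ACL decision is made for.
   *
   * Shared by check(), whereClause() and group() so the three entry points
   * cannot drift apart in how they pick the acting identity.
   *
   * NOTE(review): the comparison with NULL is deliberately left loose to keep
   * existing behaviour. It means an explicit 0, '' or FALSE is treated as
   * "not supplied" and replaced by the session's userID, so a caller cannot
   * ask for the anonymous user's access while a user is logged in. Confirm
   * that no caller relies on passing 0 to mean "anonymous".
   *
   * @param int|null $contactID contact id supplied by the caller, if any
   *
   * @return int the supplied id, else the session's userID, else 0 (anonymous)
   */
  private static function resolveContactID($contactID) {
    if ($contactID == NULL) {
      $contactID = CRM_Core_Session::singleton()->get('userID');
    }

    // No id from the caller or the session: anonymous user.
    return $contactID ? $contactID : 0;
  }

  /**
   * Given a permission string, check for access requirements.
   *
   * The decision itself is delegated to CRM_ACL_BAO_ACL::check(); this method
   * only resolves which contact the check is made for.
   *
   * @param string $str the permission to check
   * @param int $contactID the contactID for whom the check is made;
   *   defaults to the session user, then to 0 (anonymous)
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  public static function check($str, $contactID = NULL) {
    return CRM_ACL_BAO_ACL::check($str, self::resolveContactID($contactID));
  }

  /**
   * Get the permissioned where clause for the user.
   *
   * Only fixed literals are produced here; the ACL part of the clause comes
   * from CRM_ACL_BAO_ACL::whereClause().
   *
   * NOTE(review): the "edit all contacts" / "view all contacts" short-circuit
   * calls CRM_Core_Permission::check() without $contactID, so it presumably
   * evaluates the current user even when $contactID names someone else --
   * verify against callers that pass an explicit $contactID.
   *
   * @param int $type the type of permission needed
   * @param array $tables (reference ) add the tables that are needed for the select clause
   * @param array $whereTables (reference ) add the tables that are needed for the where clause
   * @param int $contactID the contactID for whom the check is made
   * @param bool $onlyDeleted whether to include only deleted contacts
   * @param bool $skipDeleteClause don't add delete clause if this is true,
   *   this means it is handled by generating query
   *
   * @return string the group where clause for this user
   * @access public
   */
  public static function whereClause($type,
    &$tables,
    &$whereTables,
    $contactID = NULL,
    $onlyDeleted = FALSE,
    $skipDeleteClause = FALSE
  ) {
    // the default value which is valid for the final AND
    $deleteClause = ' ( 1 ) ';
    if (!$skipDeleteClause) {
      if (CRM_Core_Permission::check('access deleted contacts') and $onlyDeleted) {
        $deleteClause = '(contact_a.is_deleted)';
      }
      else {
        // CRM-6181: without both the permission and the flag, deleted
        // contacts are filtered out.
        $deleteClause = '(contact_a.is_deleted = 0)';
      }
    }

    // first see if the contact has edit / view all contacts; if so no ACL
    // restriction is added and only the delete clause applies
    if (CRM_Core_Permission::check('edit all contacts') ||
      ($type == self::VIEW &&
        CRM_Core_Permission::check('view all contacts')
      )
    ) {
      return $skipDeleteClause ? ' ( 1 ) ' : $deleteClause;
    }

    $contactID = self::resolveContactID($contactID);

    return implode(' AND ',
      array(
        CRM_ACL_BAO_ACL::whereClause($type,
          $tables,
          $whereTables,
          $contactID
        ),
        $deleteClause,
      )
    );
  }

  /**
   * Get all the groups the user has access to for the given operation.
   *
   * @param int $type the type of permission needed
   * @param int $contactID the contactID for whom the check is made
   * @param string $tableName passed through to CRM_ACL_BAO_ACL::group()
   * @param array $allGroups passed through to CRM_ACL_BAO_ACL::group()
   * @param array $includedGroups passed through to CRM_ACL_BAO_ACL::group()
   *
   * @return array the ids of the groups for which the user has permissions
   * @access public
   */
  public static function group(
    $type,
    $contactID = NULL,
    $tableName = 'civicrm_saved_search',
    $allGroups = NULL,
    $includedGroups = NULL
  ) {
    return CRM_ACL_BAO_ACL::group(
      $type,
      self::resolveContactID($contactID),
      $tableName,
      $allGroups,
      $includedGroups
    );
  }

  /**
   * Check if the user has access to this group for operation $type.
   *
   * Group lists are memoised per request in a static cache. The check fails
   * closed: a $groupID that is not a plain non-negative integer, or a group
   * list that is not an array, yields FALSE.
   *
   * @param int $type the type of permission needed
   * @param int|string $groupID the group to test; an int or an all-digit string
   * @param int $contactID the contactID for whom the check is made
   * @param string $tableName passed through to group()
   * @param array $allGroups passed through to group()
   * @param array $includedGroups passed through to group()
   *
   * @return boolean TRUE if $groupID is among the permitted groups
   * @access public
   */
  public static function groupPermission(
    $type,
    $groupID,
    $contactID = NULL,
    $tableName = 'civicrm_saved_search',
    $allGroups = NULL,
    $includedGroups = NULL
  ) {
    static $cache = array();

    if (!$contactID) {
      $session = CRM_Core_Session::singleton();
      $contactID = NULL;
      if ($session->get('userID')) {
        $contactID = $session->get('userID');
      }
    }

    $key = "{$tableName}_{$type}_{$contactID}";
    if ($allGroups !== NULL || $includedGroups !== NULL) {
      // These two arguments are forwarded to group(), so they are part of the
      // cache identity; otherwise a list computed for one set of groups would
      // answer a later call made with a different set.
      $key .= '_' . md5(serialize(array($allGroups, $includedGroups)));
    }

    if (!array_key_exists($key, $cache)) {
      $cache[$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
    }
    $groups = $cache[$key];

    if (!is_array($groups)) {
      return FALSE;
    }

    // Accept only integer-shaped ids and compare strictly as integers. A
    // loose in_array() lets type juggling decide an authorization question:
    // values such as ' 5' or '5.0' compare equal to 5.
    if (!is_int($groupID) && !(is_string($groupID) && ctype_digit($groupID))) {
      return FALSE;
    }

    return in_array((int) $groupID, array_map('intval', $groups), TRUE);
  }
}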