Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
06b69b18 | 4 | | CiviCRM version 4.5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
06b69b18 | 6 | | Copyright CiviCRM LLC (c) 2004-2014 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | /** | |
29 | * | |
30 | * @package CRM | |
06b69b18 | 31 | * @copyright CiviCRM LLC (c) 2004-2014 |
6a488035 TO |
32 | * $Id$ |
33 | * | |
34 | */ | |
35 | ||
36 | /** | |
37 | * Access Control List | |
38 | */ | |
39 | class CRM_ACL_BAO_ACL extends CRM_ACL_DAO_ACL { | |
40 | static $_entityTable = NULL; | |
41 | static $_objectTable = NULL; | |
42 | static $_operation = NULL; | |
43 | ||
44 | static $_fieldKeys = NULL; | |
45 | ||
46 | static function entityTable() { | |
47 | if (!self::$_entityTable) { | |
48 | self::$_entityTable = array( | |
49 | 'civicrm_contact' => ts('Contact'), | |
50 | 'civicrm_acl_role' => ts('ACL Role'), | |
51 | ); | |
52 | } | |
53 | return self::$_entityTable; | |
54 | } | |
55 | ||
56 | static function objectTable() { | |
57 | if (!self::$_objectTable) { | |
58 | self::$_objectTable = array( | |
59 | 'civicrm_contact' => ts('Contact'), | |
60 | 'civicrm_group' => ts('Group'), | |
61 | 'civicrm_saved_search' => ts('Contact Group'), | |
62 | 'civicrm_admin' => ts('Administer'), | |
63 | 'civicrm_admin' => ts('Import'), | |
64 | ); | |
65 | } | |
66 | return self::$_objectTable; | |
67 | } | |
68 | ||
69 | static function operation() { | |
70 | if (!self::$_operation) { | |
71 | self::$_operation = array( | |
72 | 'View' => ts('View'), | |
73 | 'Edit' => ts('Edit'), | |
74 | 'Create' => ts('Create'), | |
75 | 'Delete' => ts('Delete'), | |
76 | 'Search' => ts('Search'), | |
77 | 'All' => ts('All'), | |
78 | ); | |
79 | } | |
80 | return self::$_operation; | |
81 | } | |
82 | ||
83 | /** | |
84 | * Construct a WHERE clause to handle permissions to $object_* | |
85 | * | |
77b97be7 | 86 | * @param $tables |
6a488035 TO |
87 | * @param string $operation - The operation being attempted |
88 | * @param string $object_table - The table of the object in question | |
77b97be7 EM |
89 | * @param int $object_id - The ID of the object in question |
90 | * @param int $acl_id - If it's a grant/revoke operation, the ACL ID | |
6a488035 TO |
91 | * @param boolean $acl_role - For grant operations, this flag determines if we're granting a single acl (false) or an entire group. |
92 | * | |
77b97be7 | 93 | * @internal param \ref $array $tables - Any tables that may be needed in the FROM |
6a488035 TO |
94 | * @return string - The WHERE clause, or 0 on failure |
95 | * @access public | |
96 | * @static | |
97 | */ | |
98 | public static function permissionClause(&$tables, $operation, | |
99 | $object_table = NULL, $object_id = NULL, | |
100 | $acl_id = NULL, $acl_role = FALSE | |
101 | ) { | |
102 | $dao = new CRM_ACL_DAO_ACL; | |
103 | ||
104 | $t = array( | |
105 | 'ACL' => self::getTableName(), | |
106 | 'ACLRole' => 'civicrm_acl_role', | |
107 | 'ACLEntityRole' => CRM_ACL_DAO_EntityRole::getTableName(), | |
108 | 'Contact' => CRM_Contact_DAO_Contact::getTableName(), | |
109 | 'Group' => CRM_Contact_DAO_Group::getTableName(), | |
110 | 'GroupContact' => CRM_Contact_DAO_GroupContact::getTableName(), | |
111 | ); | |
112 | ||
113 | $session = CRM_Core_Session::singleton(); | |
114 | $contact_id = $session->get('userID'); | |
115 | ||
116 | $where = " {$t['ACL']}.operation = '" . CRM_Utils_Type::escape($operation, 'String') . "'"; | |
117 | ||
118 | /* Include clause if we're looking for a specific table/id permission */ | |
119 | ||
120 | ||
121 | if (!empty($object_table)) { | |
122 | $where .= " AND ( {$t['ACL']}.object_table IS null | |
123 | OR ({$t['ACL']}.object_table = '" . CRM_Utils_Type::escape($object_table, 'String') . "'"; | |
124 | if (!empty($object_id)) { | |
125 | $where .= " AND ({$t['ACL']}.object_id IS null | |
126 | OR {$t['ACL']}.object_id = " . CRM_Utils_Type::escape($object_id, 'Integer') . ')'; | |
127 | } | |
128 | $where .= '))'; | |
129 | } | |
130 | ||
131 | /* Include clause if we're granting an ACL or ACL Role */ | |
132 | ||
133 | ||
134 | if (!empty($acl_id)) { | |
135 | $where .= " AND ({$t['ACL']}.acl_id IS null | |
136 | OR {$t['ACL']}.acl_id = " . CRM_Utils_Type::escape($acl_id, 'Integer') . ')'; | |
137 | if ($acl_role) { | |
138 | $where .= " AND {$t['ACL']}.acl_table = '{$t['ACLRole']}'"; | |
139 | } | |
140 | else { | |
141 | $where .= " AND {$t['ACL']}.acl_table = '{$t['ACL']}'"; | |
142 | } | |
143 | } | |
144 | ||
145 | $query = array(); | |
146 | ||
147 | /* Query for permissions granted to all contacts in the domain */ | |
148 | ||
149 | ||
150 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
151 | FROM {$t['ACL']} | |
152 | ||
153 | WHERE {$t['ACL']}.entity_table = '{$t['Domain']}' | |
154 | AND ($where)"; | |
155 | ||
156 | /* Query for permissions granted to all contacts through an ACL group */ | |
157 | ||
158 | ||
159 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
160 | FROM {$t['ACL']} | |
161 | ||
162 | INNER JOIN {$t['ACLEntityRole']} | |
163 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
164 | AND {$t['ACL']}.entity_id = | |
165 | {$t['ACLEntityRole']}.acl_role_id) | |
166 | ||
167 | INNER JOIN {$t['ACLRole']} | |
168 | ON {$t['ACL']}.entity_id = | |
169 | {$t['ACLRole']}.id | |
170 | ||
171 | WHERE {$t['ACLEntityRole']}.entity_table = | |
172 | '{$t['Domain']}' | |
173 | AND {$t['ACLRole']}.is_active = 1 | |
174 | AND ($where)"; | |
175 | ||
176 | /* Query for permissions granted directly to the contact */ | |
177 | ||
178 | ||
179 | $query[] = "SELECT {$t['ACL']}.*, 1 as override | |
180 | FROM {$t['ACL']} | |
181 | ||
182 | INNER JOIN {$t['Contact']} | |
183 | ON ({$t['ACL']}.entity_table = '{$t['Contact']}' | |
184 | AND {$t['ACL']}.entity_id = {$t['Contact']}.id) | |
185 | ||
186 | WHERE {$t['Contact']}.id = $contact_id | |
187 | AND ($where)"; | |
188 | ||
189 | /* Query for permissions granted to the contact through an ACL group */ | |
190 | ||
191 | ||
192 | $query[] = "SELECT {$t['ACL']}.*, 1 as override | |
193 | FROM {$t['ACL']} | |
194 | ||
195 | INNER JOIN {$t['ACLEntityRole']} | |
196 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
197 | AND {$t['ACL']}.entity_id = | |
198 | {$t['ACLEntityRole']}.acl_role_id) | |
199 | ||
200 | INNER JOIN {$t['ACLRole']} | |
201 | ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id | |
202 | ||
203 | WHERE {$t['ACLEntityRole']}.entity_table = | |
204 | '{$t['Contact']}' | |
205 | AND {$t['ACLRole']}.is_active = 1 | |
206 | AND {$t['ACLEntityRole']}.entity_id = $contact_id | |
207 | AND ($where)"; | |
208 | ||
209 | /* Query for permissions granted to the contact through a group */ | |
210 | ||
211 | ||
212 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
213 | FROM {$t['ACL']} | |
214 | ||
215 | INNER JOIN {$t['GroupContact']} | |
216 | ON ({$t['ACL']}.entity_table = '{$t['Group']}' | |
217 | AND {$t['ACL']}.entity_id = | |
218 | {$t['GroupContact']}.group_id) | |
219 | ||
220 | WHERE ($where) | |
221 | AND {$t['GroupContact']}.contact_id = $contact_id | |
222 | AND {$t['GroupContact']}.status = 'Added')"; | |
223 | ||
224 | ||
225 | /* Query for permissions granted through an ACL group to a Contact | |
226 | * group */ | |
227 | ||
228 | ||
229 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
230 | FROM {$t['ACL']} | |
231 | ||
232 | INNER JOIN {$t['ACLEntityRole']} | |
233 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
234 | AND {$t['ACL']}.entity_id = | |
235 | {$t['ACLEntityRole']}.acl_role_id) | |
236 | ||
237 | INNER JOIN {$t['ACLRole']} | |
238 | ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id | |
239 | ||
240 | INNER JOIN {$t['GroupContact']} | |
241 | ON ({$t['ACLEntityRole']}.entity_table = | |
242 | '{$t['Group']}' | |
243 | AND {$t['ACLEntityRole']}.entity_id = | |
244 | {$t['GroupContact']}.group_id) | |
245 | ||
246 | WHERE ($where) | |
247 | AND {$t['ACLRole']}.is_active = 1 | |
248 | AND {$t['GroupContact']}.contact_id = $contact_id | |
249 | AND {$t['GroupContact']}.status = 'Added'"; | |
250 | ||
251 | $union = '(' . implode(') UNION DISTINCT (', $query) . ')'; | |
252 | ||
253 | $dao->query($union); | |
254 | ||
255 | $allow = array(0); | |
256 | $deny = array(0); | |
257 | $override = array(); | |
258 | ||
259 | while ($dao->fetch()) { | |
260 | /* Instant bypass for the following cases: | |
261 | * 1) the rule governs all tables | |
262 | * 2) the rule governs all objects in the table in question | |
263 | * 3) the rule governs the specific object we want | |
264 | */ | |
265 | ||
266 | ||
267 | if (empty($dao->object_table) || | |
268 | ($dao->object_table == $object_table | |
269 | && (empty($dao->object_id) | |
270 | || $dao->object_id == $object_id | |
271 | ) | |
272 | ) | |
273 | ) { | |
274 | $clause = 1; | |
275 | } | |
276 | else { | |
277 | /* Otherwise try to generate a clause for this rule */ | |
278 | ||
279 | ||
280 | $clause = self::getClause( | |
281 | $dao->object_table, $dao->object_id, $tables | |
282 | ); | |
283 | ||
284 | /* If the clause returned is null, then the rule is a blanket | |
285 | * (id is null) on a table other than the one we're interested | |
286 | * in. So skip it. */ | |
287 | ||
288 | ||
289 | if (empty($clause)) { | |
290 | continue; | |
291 | } | |
292 | } | |
293 | ||
294 | /* Now we figure out if this is an allow or deny rule, and possibly | |
295 | * a contact-level override */ | |
296 | ||
297 | ||
298 | if ($dao->deny) { | |
299 | $deny[] = $clause; | |
300 | } | |
301 | else { | |
302 | $allow[] = $clause; | |
303 | ||
304 | if ($dao->override) { | |
305 | $override[] = $clause; | |
306 | } | |
307 | } | |
308 | } | |
309 | ||
310 | $allows = '(' . implode(' OR ', $allow) . ')'; | |
311 | $denies = '(' . implode(' OR ', $deny) . ')'; | |
312 | if (!empty($override)) { | |
313 | $denies = '(NOT (' . implode(' OR ', $override) . ") AND $denies)"; | |
314 | } | |
315 | ||
316 | return "($allows AND NOT $denies)"; | |
317 | } | |
318 | ||
319 | /** | |
320 | * Given a table and id pair, return the filter clause | |
321 | * | |
322 | * @param string $table - The table owning the object | |
77b97be7 EM |
323 | * @param int $id - The ID of the object |
324 | * @param $tables | |
325 | * | |
326 | * @internal param \ref $array $tables - Tables that will be needed in the FROM | |
6a488035 TO |
327 | * |
328 | * @return string|null - WHERE-style clause to filter results, | |
77b97be7 | 329 | * or null if $table or $id is null |
6a488035 TO |
330 | * @access public |
331 | * @static | |
332 | */ | |
333 | public static function getClause($table, $id, &$tables) { | |
334 | $table = CRM_Utils_Type::escape($table, 'String'); | |
335 | $id = CRM_Utils_Type::escape($id, 'Integer'); | |
336 | $whereTables = array(); | |
337 | ||
338 | $ssTable = CRM_Contact_BAO_SavedSearch::getTableName(); | |
339 | ||
340 | if (empty($table)) { | |
341 | return NULL; | |
342 | } | |
343 | elseif ($table == $ssTable) { | |
344 | return CRM_Contact_BAO_SavedSearch::whereClause($id, $tables, $whereTables); | |
345 | } | |
346 | elseif (!empty($id)) { | |
347 | $tables[$table] = TRUE; | |
348 | return "$table.id = $id"; | |
349 | } | |
350 | return NULL; | |
351 | } | |
352 | ||
353 | /** | |
354 | * Construct an associative array of an ACL rule's properties | |
355 | * | |
356 | * @param string sprintf format for array | |
357 | * @param bool empty only return elemnts that have a value set. | |
358 | * | |
359 | * @return array - Assoc. array of the ACL rule's properties | |
360 | * @access public | |
361 | */ | |
362 | function toArray($format = '%s', $hideEmpty = false) { | |
363 | $result = array(); | |
364 | ||
365 | if (!self::$_fieldKeys) { | |
366 | $fields = CRM_ACL_DAO_ACL::fields(); | |
367 | self::$_fieldKeys = array_keys($fields); | |
368 | } | |
369 | ||
370 | foreach (self::$_fieldKeys as $field) { | |
371 | $result[$field] = $this->$field; | |
372 | } | |
373 | return $result; | |
374 | } | |
375 | ||
376 | /** | |
377 | * Retrieve ACLs for a contact or group. Note that including a contact id | |
378 | * without a group id will return those ACL rules which are granted | |
379 | * directly to the contact, but not those granted to the contact through | |
380 | * any/all of his group memberships. | |
381 | * | |
382 | * @param int $contact_id - ID of a contact to search for | |
383 | * @param int $group_id - ID of a group to search for | |
384 | * @param boolean $aclRoles - Should we include ACL Roles | |
385 | * | |
386 | * @return array - Array of assoc. arrays of ACL rules | |
387 | * @access public | |
388 | * @static | |
389 | */ | |
390 | public static function &getACLs($contact_id = NULL, $group_id = NULL, $aclRoles = FALSE) { | |
391 | $results = array(); | |
392 | ||
393 | if (empty($contact_id)) { | |
394 | return $results; | |
395 | } | |
396 | ||
397 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
398 | if ($group_id) { | |
399 | $group_id = CRM_Utils_Type::escape($group_id, 'Integer'); | |
400 | } | |
401 | ||
402 | $rule = new CRM_ACL_BAO_ACL(); | |
403 | ||
404 | ||
405 | $acl = self::getTableName(); | |
406 | $contact = CRM_Contact_BAO_Contact::getTableName(); | |
407 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
408 | $group = CRM_Contact_BAO_Group::getTableName(); | |
409 | ||
410 | $query = " SELECT $acl.* | |
411 | FROM $acl "; | |
412 | ||
413 | if (!empty($group_id)) { | |
414 | $query .= " INNER JOIN $c2g | |
415 | ON $acl.entity_id = $c2g.group_id | |
416 | WHERE $acl.entity_table = '$group' | |
417 | AND $acl.is_active = 1 | |
418 | AND $c2g.group_id = $group_id"; | |
419 | ||
420 | if (!empty($contact_id)) { | |
421 | $query .= " AND $c2g.contact_id = $contact_id | |
422 | AND $c2g.status = 'Added'"; | |
423 | } | |
424 | } | |
425 | else { | |
426 | if (!empty($contact_id)) { | |
427 | $query .= " WHERE $acl.entity_table = '$contact' | |
428 | AND $acl.entity_id = $contact_id"; | |
429 | } | |
430 | } | |
431 | ||
432 | $rule->query($query); | |
433 | ||
434 | while ($rule->fetch()) { | |
435 | $results[$rule->id] = $rule->toArray(); | |
436 | } | |
437 | ||
438 | if ($aclRoles) { | |
439 | $results += self::getACLRoles($contact_id, $group_id); | |
440 | } | |
441 | ||
442 | return $results; | |
443 | } | |
444 | ||
445 | /** | |
446 | * Get all of the ACLs through ACL groups | |
447 | * | |
448 | * @param int $contact_id - ID of a contact to search for | |
449 | * @param int $group_id - ID of a group to search for | |
450 | * | |
451 | * @return array - Array of assoc. arrays of ACL rules | |
452 | * @access public | |
453 | * @static | |
454 | */ | |
455 | public static function &getACLRoles($contact_id = NULL, $group_id = NULL) { | |
456 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
457 | if ($group_id) { | |
458 | $group_id = CRM_Utils_Type::escape($group_id, 'Integer'); | |
459 | } | |
460 | ||
461 | $rule = new CRM_ACL_BAO_ACL(); | |
462 | ||
463 | $acl = self::getTableName(); | |
464 | $aclRole = 'civicrm_acl_role'; | |
465 | $aclRoleJoin = CRM_ACL_DAO_EntityRole::getTableName(); | |
466 | $contact = CRM_Contact_BAO_Contact::getTableName(); | |
467 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
468 | $group = CRM_Contact_BAO_Group::getTableName(); | |
469 | ||
470 | $query = " SELECT $acl.* | |
471 | FROM $acl | |
472 | INNER JOIN civicrm_option_group og | |
473 | ON og.name = 'acl_role' | |
474 | INNER JOIN civicrm_option_value ov | |
475 | ON $acl.entity_table = '$aclRole' | |
476 | AND ov.option_group_id = og.id | |
477 | AND $acl.entity_id = ov.value"; | |
478 | ||
479 | if (!empty($group_id)) { | |
480 | $query .= " INNER JOIN $c2g | |
481 | ON $acl.entity_id = $c2g.group_id | |
482 | WHERE $acl.entity_table = '$group' | |
483 | AND $acl.is_active = 1 | |
484 | AND $c2g.group_id = $group_id"; | |
485 | ||
486 | if (!empty($contact_id)) { | |
487 | $query .= " AND $c2g.contact_id = $contact_id | |
488 | AND $c2g.status = 'Added'"; | |
489 | } | |
490 | } | |
491 | else { | |
492 | if (!empty($contact_id)) { | |
493 | $query .= " WHERE $acl.entity_table = '$contact' | |
494 | AND $acl.is_active = 1 | |
495 | AND $acl.entity_id = $contact_id"; | |
496 | } | |
497 | } | |
498 | ||
499 | $results = array(); | |
500 | ||
501 | $rule->query($query); | |
502 | ||
503 | while ($rule->fetch()) { | |
a5611c8e | 504 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
505 | } |
506 | ||
507 | return $results; | |
508 | } | |
509 | ||
510 | /** | |
511 | * Get all ACLs granted to a contact through all group memberships | |
512 | * | |
513 | * @param int $contact_id - The contact's ID | |
514 | * @param boolean $aclRoles - Include ACL Roles? | |
515 | * | |
516 | * @return array - Assoc array of ACL rules | |
517 | * @access public | |
518 | * @static | |
519 | */ | |
520 | public static function &getGroupACLs($contact_id, $aclRoles = FALSE) { | |
521 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
522 | ||
523 | $rule = new CRM_ACL_BAO_ACL(); | |
524 | ||
525 | ||
526 | $acl = self::getTableName(); | |
527 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
528 | $group = CRM_Contact_BAO_Group::getTableName(); | |
529 | $results = array(); | |
530 | ||
531 | if ($contact_id) { | |
532 | $query = " | |
533 | SELECT $acl.* | |
534 | FROM $acl | |
535 | INNER JOIN $c2g | |
536 | ON $acl.entity_id = $c2g.group_id | |
537 | WHERE $acl.entity_table = '$group' | |
538 | AND $c2g.contact_id = $contact_id | |
539 | AND $c2g.status = 'Added'"; | |
540 | ||
541 | $rule->query($query); | |
542 | ||
543 | while ($rule->fetch()) { | |
79380078 | 544 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
545 | } |
546 | } | |
547 | ||
548 | if ($aclRoles) { | |
549 | $results += self::getGroupACLRoles($contact_id); | |
550 | } | |
551 | ||
552 | return $results; | |
553 | } | |
554 | ||
555 | /** | |
556 | * Get all of the ACLs for a contact through ACL groups owned by Contact | |
557 | * groups. | |
558 | * | |
559 | * @param int $contact_id - ID of a contact to search for | |
560 | * | |
561 | * @return array - Array of assoc. arrays of ACL rules | |
562 | * @access public | |
563 | * @static | |
564 | */ | |
565 | public static function &getGroupACLRoles($contact_id) { | |
566 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
567 | ||
568 | $rule = new CRM_ACL_BAO_ACL(); | |
569 | ||
570 | $acl = self::getTableName(); | |
571 | $aclRole = 'civicrm_acl_role'; | |
572 | ||
573 | ||
574 | $aclER = CRM_ACL_DAO_EntityRole::getTableName(); | |
575 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
576 | $group = CRM_Contact_BAO_Group::getTableName(); | |
577 | ||
578 | $query = " SELECT $acl.* | |
579 | FROM $acl | |
580 | INNER JOIN civicrm_option_group og | |
581 | ON og.name = 'acl_role' | |
582 | INNER JOIN civicrm_option_value ov | |
583 | ON $acl.entity_table = '$aclRole' | |
584 | AND ov.option_group_id = og.id | |
585 | AND $acl.entity_id = ov.value | |
586 | AND ov.is_active = 1 | |
587 | INNER JOIN $aclER | |
588 | ON $aclER.acl_role_id = $acl.entity_id | |
589 | AND $aclER.is_active = 1 | |
590 | INNER JOIN $c2g | |
591 | ON $aclER.entity_id = $c2g.group_id | |
592 | AND $aclER.entity_table = 'civicrm_group' | |
593 | WHERE $acl.entity_table = '$aclRole' | |
594 | AND $acl.is_active = 1 | |
595 | AND $c2g.contact_id = $contact_id | |
596 | AND $c2g.status = 'Added'"; | |
597 | ||
598 | $results = array(); | |
599 | ||
600 | $rule->query($query); | |
601 | ||
602 | while ($rule->fetch()) { | |
39eb89f4 | 603 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
604 | } |
605 | ||
606 | // also get all acls for "Any Role" case | |
607 | // and authenticated User Role if present | |
608 | $roles = "0"; | |
609 | $session = CRM_Core_Session::singleton(); | |
610 | if ($session->get('ufID') > 0) { | |
611 | $roles .= ",2"; | |
612 | } | |
613 | ||
614 | $query = " | |
615 | SELECT $acl.* | |
616 | FROM $acl | |
617 | WHERE $acl.entity_id IN ( $roles ) | |
618 | AND $acl.entity_table = 'civicrm_acl_role' | |
619 | "; | |
620 | ||
621 | $rule->query($query); | |
622 | while ($rule->fetch()) { | |
623 | $results[$rule->id] = $rule->toArray(); | |
624 | } | |
625 | ||
626 | return $results; | |
627 | } | |
628 | ||
629 | /** | |
630 | * Get all ACLs owned by a given contact, including domain and group-level. | |
631 | * | |
632 | * @param int $contact_id - The contact ID | |
633 | * | |
634 | * @return array - Assoc array of ACL rules | |
635 | * @access public | |
636 | * @static | |
637 | */ | |
638 | public static function &getAllByContact($contact_id) { | |
639 | $result = array(); | |
640 | ||
641 | /* First, the contact-specific ACLs, including ACL Roles */ | |
642 | $result += self::getACLs($contact_id, NULL, TRUE); | |
643 | ||
644 | /* Then, all ACLs granted through group membership */ | |
645 | $result += self::getGroupACLs($contact_id, TRUE); | |
646 | ||
647 | return $result; | |
648 | } | |
649 | ||
650 | static function create(&$params) { | |
651 | $dao = new CRM_ACL_DAO_ACL(); | |
652 | $dao->copyValues($params); | |
653 | $dao->save(); | |
1fe97a01 | 654 | return $dao; |
6a488035 TO |
655 | } |
656 | ||
657 | static function retrieve(&$params, &$defaults) { | |
658 | CRM_Core_DAO::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults); | |
659 | } | |
660 | ||
661 | /** | |
662 | * update the is_active flag in the db | |
663 | * | |
664 | * @param int $id id of the database record | |
665 | * @param boolean $is_active value we want to set the is_active field | |
666 | * | |
667 | * @return Object DAO object on sucess, null otherwise | |
668 | * @static | |
669 | */ | |
670 | static function setIsActive($id, $is_active) { | |
671 | // note this also resets any ACL cache | |
672 | CRM_Core_BAO_Cache::deleteGroup('contact fields'); | |
673 | ||
674 | return CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active); | |
675 | } | |
676 | ||
677 | static function check($str, $contactID) { | |
678 | ||
679 | $acls = CRM_ACL_BAO_Cache::build($contactID); | |
680 | ||
681 | $aclKeys = array_keys($acls); | |
682 | $aclKeys = implode(',', $aclKeys); | |
683 | ||
684 | if (empty($aclKeys)) { | |
685 | return FALSE; | |
686 | } | |
687 | ||
688 | ||
689 | $query = " | |
690 | SELECT count( a.id ) | |
691 | FROM civicrm_acl_cache c, civicrm_acl a | |
692 | WHERE c.acl_id = a.id | |
693 | AND a.is_active = 1 | |
694 | AND a.object_table = %1 | |
695 | AND a.id IN ( $aclKeys ) | |
696 | "; | |
697 | $params = array(1 => array($str, 'String')); | |
698 | ||
699 | $count = CRM_Core_DAO::singleValueQuery($query, $params); | |
700 | return ($count) ? TRUE : FALSE; | |
701 | } | |
702 | ||
703 | public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) { | |
6a488035 TO |
704 | $acls = CRM_ACL_BAO_Cache::build($contactID); |
705 | //CRM_Core_Error::debug( "a: $contactID", $acls ); | |
706 | ||
707 | $whereClause = NULL; | |
708 | $clauses = array(); | |
709 | ||
710 | if (!empty($acls)) { | |
711 | $aclKeys = array_keys($acls); | |
712 | $aclKeys = implode(',', $aclKeys); | |
713 | ||
714 | $query = " | |
715 | SELECT a.operation, a.object_id | |
716 | FROM civicrm_acl_cache c, civicrm_acl a | |
717 | WHERE c.acl_id = a.id | |
718 | AND a.is_active = 1 | |
719 | AND a.object_table = 'civicrm_saved_search' | |
720 | AND a.id IN ( $aclKeys ) | |
721 | ORDER BY a.object_id | |
722 | "; | |
723 | ||
724 | $dao = CRM_Core_DAO::executeQuery($query); | |
725 | ||
726 | // do an or of all the where clauses u see | |
727 | $ids = array(); | |
728 | while ($dao->fetch()) { | |
729 | // make sure operation matches the type TODO | |
730 | if (self::matchType($type, $dao->operation)) { | |
731 | if (!$dao->object_id) { | |
732 | $ids = array(); | |
733 | $whereClause = ' ( 1 ) '; | |
734 | break; | |
735 | } | |
736 | $ids[] = $dao->object_id; | |
737 | } | |
738 | } | |
739 | ||
740 | if (!empty($ids)) { | |
741 | $ids = implode(',', $ids); | |
742 | $query = " | |
743 | SELECT g.* | |
744 | FROM civicrm_group g | |
745 | WHERE g.id IN ( $ids ) | |
746 | AND g.is_active = 1 | |
747 | "; | |
748 | $dao = CRM_Core_DAO::executeQuery($query); | |
749 | $staticGroupIDs = array(); | |
750 | $cachedGroupIDs = array(); | |
751 | while ($dao->fetch()) { | |
752 | // currently operation is restrcited to VIEW/EDIT | |
753 | if ($dao->where_clause) { | |
754 | if ($dao->select_tables) { | |
755 | $tmpTables = array(); | |
756 | foreach (unserialize($dao->select_tables) as $tmpName => $tmpInfo) { | |
757 | if ($tmpName == '`civicrm_group_contact-' . $dao->id . '`') { | |
758 | $tmpName = '`civicrm_group_contact-ACL`'; | |
759 | $tmpInfo = str_replace('civicrm_group_contact-' . $dao->id, 'civicrm_group_contact-ACL', $tmpInfo); | |
760 | } | |
761 | elseif ($tmpName == '`civicrm_group_contact_cache_' . $dao->id . '`') { | |
762 | $tmpName = '`civicrm_group_contact_cache-ACL`'; | |
763 | $tmpInfo = str_replace('civicrm_group_contact_cache_' . $dao->id, 'civicrm_group_contact_cache-ACL', $tmpInfo); | |
764 | } | |
765 | $tmpTables[$tmpName] = $tmpInfo; | |
766 | } | |
767 | $tables = array_merge($tables, | |
768 | $tmpTables | |
769 | ); | |
770 | } | |
771 | if ($dao->where_tables) { | |
772 | $tmpTables = array(); | |
773 | foreach (unserialize($dao->where_tables) as $tmpName => $tmpInfo) { | |
774 | if ($tmpName == '`civicrm_group_contact-' . $dao->id . '`') { | |
775 | $tmpName = '`civicrm_group_contact-ACL`'; | |
776 | $tmpInfo = str_replace('civicrm_group_contact-' . $dao->id, 'civicrm_group_contact-ACL', $tmpInfo); | |
777 | $staticGroupIDs[] = $dao->id; | |
778 | } | |
779 | elseif ($tmpName == '`civicrm_group_contact_cache_' . $dao->id . '`') { | |
780 | $tmpName = '`civicrm_group_contact_cache-ACL`'; | |
781 | $tmpInfo = str_replace('civicrm_group_contact_cache_' . $dao->id, 'civicrm_group_contact_cache-ACL', $tmpInfo); | |
782 | $cachedGroupIDs[] = $dao->id; | |
783 | } | |
784 | $tmpTables[$tmpName] = $tmpInfo; | |
785 | } | |
786 | $whereTables = array_merge($whereTables, $tmpTables); | |
787 | } | |
788 | } | |
789 | ||
790 | if (($dao->saved_search_id || $dao->children || $dao->parents) && | |
791 | $dao->cache_date == NULL) { | |
792 | CRM_Contact_BAO_GroupContactCache::load($dao); | |
793 | } | |
794 | } | |
795 | ||
796 | if ($staticGroupIDs) { | |
797 | $clauses[] = '( `civicrm_group_contact-ACL`.group_id IN (' . join(', ', $staticGroupIDs) . ') AND `civicrm_group_contact-ACL`.status IN ("Added") )'; | |
798 | } | |
799 | ||
800 | if ($cachedGroupIDs) { | |
801 | $clauses[] = '`civicrm_group_contact_cache-ACL`.group_id IN (' . join(', ', $cachedGroupIDs) . ')'; | |
802 | } | |
803 | } | |
804 | } | |
805 | ||
806 | if (!empty($clauses)) { | |
807 | $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) '; | |
808 | } | |
809 | ||
810 | // call the hook to get additional whereClauses | |
811 | CRM_Utils_Hook::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause); | |
812 | ||
813 | if (empty($whereClause)) { | |
814 | $whereClause = ' ( 0 ) '; | |
815 | } | |
816 | ||
817 | return $whereClause; | |
818 | } | |
819 | ||
820 | public static function group($type, | |
821 | $contactID = NULL, | |
822 | $tableName = 'civicrm_saved_search', | |
823 | $allGroups = NULL, | |
824 | $includedGroups = NULL | |
825 | ) { | |
826 | ||
827 | $acls = CRM_ACL_BAO_Cache::build($contactID); | |
828 | ||
b1f4e637 | 829 | $ids = array(); |
6a488035 TO |
830 | if (!empty($acls)) { |
831 | $aclKeys = array_keys($acls); | |
832 | $aclKeys = implode(',', $aclKeys); | |
833 | ||
557f8c17 ARW |
834 | $cacheKey = "$tableName-$aclKeys"; |
835 | $cache = CRM_Utils_Cache::singleton(); | |
836 | $ids = $cache->get($cacheKey); | |
837 | if (!$ids) { | |
838 | $query = " | |
6a488035 TO |
839 | SELECT a.operation, a.object_id |
840 | FROM civicrm_acl_cache c, civicrm_acl a | |
841 | WHERE c.acl_id = a.id | |
842 | AND a.is_active = 1 | |
843 | AND a.object_table = %1 | |
844 | AND a.id IN ( $aclKeys ) | |
845 | GROUP BY a.operation,a.object_id | |
846 | ORDER BY a.object_id | |
847 | "; | |
557f8c17 ARW |
848 | $params = array(1 => array($tableName, 'String')); |
849 | $dao = CRM_Core_DAO::executeQuery($query, $params); | |
850 | while ($dao->fetch()) { | |
851 | if ($dao->object_id) { | |
852 | if (self::matchType($type, $dao->operation)) { | |
853 | $ids[] = $dao->object_id; | |
854 | } | |
6a488035 | 855 | } |
557f8c17 ARW |
856 | else { |
857 | // this user has got the permission for all objects of this type | |
858 | // check if the type matches | |
859 | if (self::matchType($type, $dao->operation)) { | |
860 | foreach ($allGroups as $id => $dontCare) { | |
861 | $ids[] = $id; | |
862 | } | |
6a488035 | 863 | } |
557f8c17 | 864 | break; |
6a488035 | 865 | } |
6a488035 | 866 | } |
557f8c17 | 867 | $cache->set($cacheKey, $ids); |
6a488035 TO |
868 | } |
869 | } | |
870 | ||
b1f4e637 RN |
871 | if (empty($ids) && !empty($includedGroups) && |
872 | is_array($includedGroups) | |
873 | ) { | |
874 | $ids = $includedGroups; | |
875 | } | |
876 | ||
6a488035 TO |
877 | CRM_Utils_Hook::aclGroup($type, $contactID, $tableName, $allGroups, $ids); |
878 | ||
879 | return $ids; | |
880 | } | |
881 | ||
882 | static function matchType($type, $operation) { | |
883 | $typeCheck = FALSE; | |
884 | switch ($operation) { | |
885 | case 'All': | |
886 | $typeCheck = TRUE; | |
887 | break; | |
888 | ||
889 | case 'View': | |
890 | if ($type == CRM_ACL_API::VIEW) { | |
891 | $typeCheck = TRUE; | |
892 | } | |
893 | break; | |
894 | ||
895 | case 'Edit': | |
896 | if ($type == CRM_ACL_API::VIEW || $type == CRM_ACL_API::EDIT) { | |
897 | $typeCheck = TRUE; | |
898 | } | |
899 | break; | |
900 | ||
901 | case 'Create': | |
902 | if ($type == CRM_ACL_API::CREATE) { | |
903 | $typeCheck = TRUE; | |
904 | } | |
905 | break; | |
906 | ||
907 | case 'Delete': | |
908 | if ($type == CRM_ACL_API::DELETE) { | |
909 | $typeCheck = TRUE; | |
910 | } | |
911 | break; | |
912 | ||
913 | case 'Search': | |
914 | if ($type == CRM_ACL_API::SEARCH) { | |
915 | $typeCheck = TRUE; | |
916 | } | |
917 | break; | |
918 | } | |
919 | return $typeCheck; | |
920 | } | |
921 | ||
922 | /** | |
923 | * Function to delete ACL records | |
924 | * | |
925 | * @param int $aclId ID of the ACL record to be deleted. | |
926 | * | |
927 | * @access public | |
928 | * @static | |
929 | */ | |
930 | static function del($aclId) { | |
931 | // delete all entries from the acl cache | |
932 | CRM_ACL_BAO_Cache::resetCache(); | |
933 | ||
934 | $acl = new CRM_ACL_DAO_ACL(); | |
935 | $acl->id = $aclId; | |
936 | $acl->delete(); | |
937 | } | |
938 | } | |
939 |