Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
06b69b18 | 4 | | CiviCRM version 4.5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
06b69b18 | 6 | | Copyright CiviCRM LLC (c) 2004-2014 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | /** | |
29 | * | |
30 | * @package CRM | |
06b69b18 | 31 | * @copyright CiviCRM LLC (c) 2004-2014 |
6a488035 TO |
32 | * $Id$ |
33 | * | |
34 | */ | |
35 | ||
36 | /** | |
37 | * Access Control List | |
38 | */ | |
39 | class CRM_ACL_BAO_ACL extends CRM_ACL_DAO_ACL { | |
40 | static $_entityTable = NULL; | |
41 | static $_objectTable = NULL; | |
42 | static $_operation = NULL; | |
43 | ||
44 | static $_fieldKeys = NULL; | |
45 | ||
28518c90 EM |
46 | /** |
47 | * @return array|null | |
48 | */ | |
6a488035 TO |
49 | static function entityTable() { |
50 | if (!self::$_entityTable) { | |
51 | self::$_entityTable = array( | |
52 | 'civicrm_contact' => ts('Contact'), | |
53 | 'civicrm_acl_role' => ts('ACL Role'), | |
54 | ); | |
55 | } | |
56 | return self::$_entityTable; | |
57 | } | |
58 | ||
28518c90 EM |
59 | /** |
60 | * @return array|null | |
61 | */ | |
6a488035 TO |
62 | static function objectTable() { |
63 | if (!self::$_objectTable) { | |
64 | self::$_objectTable = array( | |
65 | 'civicrm_contact' => ts('Contact'), | |
66 | 'civicrm_group' => ts('Group'), | |
67 | 'civicrm_saved_search' => ts('Contact Group'), | |
68 | 'civicrm_admin' => ts('Administer'), | |
69 | 'civicrm_admin' => ts('Import'), | |
70 | ); | |
71 | } | |
72 | return self::$_objectTable; | |
73 | } | |
74 | ||
28518c90 EM |
75 | /** |
76 | * @return array|null | |
77 | */ | |
6a488035 TO |
78 | static function operation() { |
79 | if (!self::$_operation) { | |
80 | self::$_operation = array( | |
81 | 'View' => ts('View'), | |
82 | 'Edit' => ts('Edit'), | |
83 | 'Create' => ts('Create'), | |
84 | 'Delete' => ts('Delete'), | |
85 | 'Search' => ts('Search'), | |
86 | 'All' => ts('All'), | |
87 | ); | |
88 | } | |
89 | return self::$_operation; | |
90 | } | |
91 | ||
92 | /** | |
93 | * Construct a WHERE clause to handle permissions to $object_* | |
94 | * | |
77b97be7 | 95 | * @param $tables |
6a488035 TO |
96 | * @param string $operation - The operation being attempted |
97 | * @param string $object_table - The table of the object in question | |
77b97be7 EM |
98 | * @param int $object_id - The ID of the object in question |
99 | * @param int $acl_id - If it's a grant/revoke operation, the ACL ID | |
6a488035 TO |
100 | * @param boolean $acl_role - For grant operations, this flag determines if we're granting a single acl (false) or an entire group. |
101 | * | |
77b97be7 | 102 | * @internal param \ref $array $tables - Any tables that may be needed in the FROM |
6a488035 TO |
103 | * @return string - The WHERE clause, or 0 on failure |
104 | * @access public | |
105 | * @static | |
106 | */ | |
107 | public static function permissionClause(&$tables, $operation, | |
108 | $object_table = NULL, $object_id = NULL, | |
109 | $acl_id = NULL, $acl_role = FALSE | |
110 | ) { | |
111 | $dao = new CRM_ACL_DAO_ACL; | |
112 | ||
113 | $t = array( | |
114 | 'ACL' => self::getTableName(), | |
115 | 'ACLRole' => 'civicrm_acl_role', | |
116 | 'ACLEntityRole' => CRM_ACL_DAO_EntityRole::getTableName(), | |
117 | 'Contact' => CRM_Contact_DAO_Contact::getTableName(), | |
118 | 'Group' => CRM_Contact_DAO_Group::getTableName(), | |
119 | 'GroupContact' => CRM_Contact_DAO_GroupContact::getTableName(), | |
120 | ); | |
121 | ||
122 | $session = CRM_Core_Session::singleton(); | |
123 | $contact_id = $session->get('userID'); | |
124 | ||
125 | $where = " {$t['ACL']}.operation = '" . CRM_Utils_Type::escape($operation, 'String') . "'"; | |
126 | ||
127 | /* Include clause if we're looking for a specific table/id permission */ | |
128 | ||
129 | ||
130 | if (!empty($object_table)) { | |
131 | $where .= " AND ( {$t['ACL']}.object_table IS null | |
132 | OR ({$t['ACL']}.object_table = '" . CRM_Utils_Type::escape($object_table, 'String') . "'"; | |
133 | if (!empty($object_id)) { | |
134 | $where .= " AND ({$t['ACL']}.object_id IS null | |
135 | OR {$t['ACL']}.object_id = " . CRM_Utils_Type::escape($object_id, 'Integer') . ')'; | |
136 | } | |
137 | $where .= '))'; | |
138 | } | |
139 | ||
140 | /* Include clause if we're granting an ACL or ACL Role */ | |
141 | ||
142 | ||
143 | if (!empty($acl_id)) { | |
144 | $where .= " AND ({$t['ACL']}.acl_id IS null | |
145 | OR {$t['ACL']}.acl_id = " . CRM_Utils_Type::escape($acl_id, 'Integer') . ')'; | |
146 | if ($acl_role) { | |
147 | $where .= " AND {$t['ACL']}.acl_table = '{$t['ACLRole']}'"; | |
148 | } | |
149 | else { | |
150 | $where .= " AND {$t['ACL']}.acl_table = '{$t['ACL']}'"; | |
151 | } | |
152 | } | |
153 | ||
154 | $query = array(); | |
155 | ||
156 | /* Query for permissions granted to all contacts in the domain */ | |
157 | ||
158 | ||
159 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
160 | FROM {$t['ACL']} | |
161 | ||
162 | WHERE {$t['ACL']}.entity_table = '{$t['Domain']}' | |
163 | AND ($where)"; | |
164 | ||
165 | /* Query for permissions granted to all contacts through an ACL group */ | |
166 | ||
167 | ||
168 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
169 | FROM {$t['ACL']} | |
170 | ||
171 | INNER JOIN {$t['ACLEntityRole']} | |
172 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
173 | AND {$t['ACL']}.entity_id = | |
174 | {$t['ACLEntityRole']}.acl_role_id) | |
175 | ||
176 | INNER JOIN {$t['ACLRole']} | |
177 | ON {$t['ACL']}.entity_id = | |
178 | {$t['ACLRole']}.id | |
179 | ||
180 | WHERE {$t['ACLEntityRole']}.entity_table = | |
181 | '{$t['Domain']}' | |
182 | AND {$t['ACLRole']}.is_active = 1 | |
183 | AND ($where)"; | |
184 | ||
185 | /* Query for permissions granted directly to the contact */ | |
186 | ||
187 | ||
188 | $query[] = "SELECT {$t['ACL']}.*, 1 as override | |
189 | FROM {$t['ACL']} | |
190 | ||
191 | INNER JOIN {$t['Contact']} | |
192 | ON ({$t['ACL']}.entity_table = '{$t['Contact']}' | |
193 | AND {$t['ACL']}.entity_id = {$t['Contact']}.id) | |
194 | ||
195 | WHERE {$t['Contact']}.id = $contact_id | |
196 | AND ($where)"; | |
197 | ||
198 | /* Query for permissions granted to the contact through an ACL group */ | |
199 | ||
200 | ||
201 | $query[] = "SELECT {$t['ACL']}.*, 1 as override | |
202 | FROM {$t['ACL']} | |
203 | ||
204 | INNER JOIN {$t['ACLEntityRole']} | |
205 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
206 | AND {$t['ACL']}.entity_id = | |
207 | {$t['ACLEntityRole']}.acl_role_id) | |
208 | ||
209 | INNER JOIN {$t['ACLRole']} | |
210 | ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id | |
211 | ||
212 | WHERE {$t['ACLEntityRole']}.entity_table = | |
213 | '{$t['Contact']}' | |
214 | AND {$t['ACLRole']}.is_active = 1 | |
215 | AND {$t['ACLEntityRole']}.entity_id = $contact_id | |
216 | AND ($where)"; | |
217 | ||
218 | /* Query for permissions granted to the contact through a group */ | |
219 | ||
220 | ||
221 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
222 | FROM {$t['ACL']} | |
223 | ||
224 | INNER JOIN {$t['GroupContact']} | |
225 | ON ({$t['ACL']}.entity_table = '{$t['Group']}' | |
226 | AND {$t['ACL']}.entity_id = | |
227 | {$t['GroupContact']}.group_id) | |
228 | ||
229 | WHERE ($where) | |
230 | AND {$t['GroupContact']}.contact_id = $contact_id | |
231 | AND {$t['GroupContact']}.status = 'Added')"; | |
232 | ||
233 | ||
234 | /* Query for permissions granted through an ACL group to a Contact | |
235 | * group */ | |
236 | ||
237 | ||
238 | $query[] = "SELECT {$t['ACL']}.*, 0 as override | |
239 | FROM {$t['ACL']} | |
240 | ||
241 | INNER JOIN {$t['ACLEntityRole']} | |
242 | ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}' | |
243 | AND {$t['ACL']}.entity_id = | |
244 | {$t['ACLEntityRole']}.acl_role_id) | |
245 | ||
246 | INNER JOIN {$t['ACLRole']} | |
247 | ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id | |
248 | ||
249 | INNER JOIN {$t['GroupContact']} | |
250 | ON ({$t['ACLEntityRole']}.entity_table = | |
251 | '{$t['Group']}' | |
252 | AND {$t['ACLEntityRole']}.entity_id = | |
253 | {$t['GroupContact']}.group_id) | |
254 | ||
255 | WHERE ($where) | |
256 | AND {$t['ACLRole']}.is_active = 1 | |
257 | AND {$t['GroupContact']}.contact_id = $contact_id | |
258 | AND {$t['GroupContact']}.status = 'Added'"; | |
259 | ||
260 | $union = '(' . implode(') UNION DISTINCT (', $query) . ')'; | |
261 | ||
262 | $dao->query($union); | |
263 | ||
264 | $allow = array(0); | |
265 | $deny = array(0); | |
266 | $override = array(); | |
267 | ||
268 | while ($dao->fetch()) { | |
269 | /* Instant bypass for the following cases: | |
270 | * 1) the rule governs all tables | |
271 | * 2) the rule governs all objects in the table in question | |
272 | * 3) the rule governs the specific object we want | |
273 | */ | |
274 | ||
275 | ||
276 | if (empty($dao->object_table) || | |
277 | ($dao->object_table == $object_table | |
278 | && (empty($dao->object_id) | |
279 | || $dao->object_id == $object_id | |
280 | ) | |
281 | ) | |
282 | ) { | |
283 | $clause = 1; | |
284 | } | |
285 | else { | |
286 | /* Otherwise try to generate a clause for this rule */ | |
287 | ||
288 | ||
289 | $clause = self::getClause( | |
290 | $dao->object_table, $dao->object_id, $tables | |
291 | ); | |
292 | ||
293 | /* If the clause returned is null, then the rule is a blanket | |
294 | * (id is null) on a table other than the one we're interested | |
295 | * in. So skip it. */ | |
296 | ||
297 | ||
298 | if (empty($clause)) { | |
299 | continue; | |
300 | } | |
301 | } | |
302 | ||
303 | /* Now we figure out if this is an allow or deny rule, and possibly | |
304 | * a contact-level override */ | |
305 | ||
306 | ||
307 | if ($dao->deny) { | |
308 | $deny[] = $clause; | |
309 | } | |
310 | else { | |
311 | $allow[] = $clause; | |
312 | ||
313 | if ($dao->override) { | |
314 | $override[] = $clause; | |
315 | } | |
316 | } | |
317 | } | |
318 | ||
319 | $allows = '(' . implode(' OR ', $allow) . ')'; | |
320 | $denies = '(' . implode(' OR ', $deny) . ')'; | |
321 | if (!empty($override)) { | |
322 | $denies = '(NOT (' . implode(' OR ', $override) . ") AND $denies)"; | |
323 | } | |
324 | ||
325 | return "($allows AND NOT $denies)"; | |
326 | } | |
327 | ||
328 | /** | |
329 | * Given a table and id pair, return the filter clause | |
330 | * | |
331 | * @param string $table - The table owning the object | |
77b97be7 EM |
332 | * @param int $id - The ID of the object |
333 | * @param $tables | |
334 | * | |
335 | * @internal param \ref $array $tables - Tables that will be needed in the FROM | |
6a488035 TO |
336 | * |
337 | * @return string|null - WHERE-style clause to filter results, | |
77b97be7 | 338 | * or null if $table or $id is null |
6a488035 TO |
339 | * @access public |
340 | * @static | |
341 | */ | |
342 | public static function getClause($table, $id, &$tables) { | |
343 | $table = CRM_Utils_Type::escape($table, 'String'); | |
344 | $id = CRM_Utils_Type::escape($id, 'Integer'); | |
345 | $whereTables = array(); | |
346 | ||
347 | $ssTable = CRM_Contact_BAO_SavedSearch::getTableName(); | |
348 | ||
349 | if (empty($table)) { | |
350 | return NULL; | |
351 | } | |
352 | elseif ($table == $ssTable) { | |
353 | return CRM_Contact_BAO_SavedSearch::whereClause($id, $tables, $whereTables); | |
354 | } | |
355 | elseif (!empty($id)) { | |
356 | $tables[$table] = TRUE; | |
357 | return "$table.id = $id"; | |
358 | } | |
359 | return NULL; | |
360 | } | |
361 | ||
362 | /** | |
363 | * Construct an associative array of an ACL rule's properties | |
364 | * | |
7e1f3142 EM |
365 | * @param string $format sprintf format for array |
366 | * @param bool $hideEmpty only return elements that have a value set. | |
6a488035 TO |
367 | * |
368 | * @return array - Assoc. array of the ACL rule's properties | |
369 | * @access public | |
370 | */ | |
371 | function toArray($format = '%s', $hideEmpty = false) { | |
372 | $result = array(); | |
373 | ||
374 | if (!self::$_fieldKeys) { | |
375 | $fields = CRM_ACL_DAO_ACL::fields(); | |
376 | self::$_fieldKeys = array_keys($fields); | |
377 | } | |
378 | ||
379 | foreach (self::$_fieldKeys as $field) { | |
380 | $result[$field] = $this->$field; | |
381 | } | |
382 | return $result; | |
383 | } | |
384 | ||
385 | /** | |
386 | * Retrieve ACLs for a contact or group. Note that including a contact id | |
387 | * without a group id will return those ACL rules which are granted | |
388 | * directly to the contact, but not those granted to the contact through | |
389 | * any/all of his group memberships. | |
390 | * | |
391 | * @param int $contact_id - ID of a contact to search for | |
392 | * @param int $group_id - ID of a group to search for | |
393 | * @param boolean $aclRoles - Should we include ACL Roles | |
394 | * | |
395 | * @return array - Array of assoc. arrays of ACL rules | |
396 | * @access public | |
397 | * @static | |
398 | */ | |
399 | public static function &getACLs($contact_id = NULL, $group_id = NULL, $aclRoles = FALSE) { | |
400 | $results = array(); | |
401 | ||
402 | if (empty($contact_id)) { | |
403 | return $results; | |
404 | } | |
405 | ||
406 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
407 | if ($group_id) { | |
408 | $group_id = CRM_Utils_Type::escape($group_id, 'Integer'); | |
409 | } | |
410 | ||
411 | $rule = new CRM_ACL_BAO_ACL(); | |
412 | ||
413 | ||
414 | $acl = self::getTableName(); | |
415 | $contact = CRM_Contact_BAO_Contact::getTableName(); | |
416 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
417 | $group = CRM_Contact_BAO_Group::getTableName(); | |
418 | ||
419 | $query = " SELECT $acl.* | |
420 | FROM $acl "; | |
421 | ||
422 | if (!empty($group_id)) { | |
423 | $query .= " INNER JOIN $c2g | |
424 | ON $acl.entity_id = $c2g.group_id | |
425 | WHERE $acl.entity_table = '$group' | |
426 | AND $acl.is_active = 1 | |
427 | AND $c2g.group_id = $group_id"; | |
428 | ||
429 | if (!empty($contact_id)) { | |
430 | $query .= " AND $c2g.contact_id = $contact_id | |
431 | AND $c2g.status = 'Added'"; | |
432 | } | |
433 | } | |
434 | else { | |
435 | if (!empty($contact_id)) { | |
436 | $query .= " WHERE $acl.entity_table = '$contact' | |
437 | AND $acl.entity_id = $contact_id"; | |
438 | } | |
439 | } | |
440 | ||
441 | $rule->query($query); | |
442 | ||
443 | while ($rule->fetch()) { | |
444 | $results[$rule->id] = $rule->toArray(); | |
445 | } | |
446 | ||
447 | if ($aclRoles) { | |
448 | $results += self::getACLRoles($contact_id, $group_id); | |
449 | } | |
450 | ||
451 | return $results; | |
452 | } | |
453 | ||
454 | /** | |
455 | * Get all of the ACLs through ACL groups | |
456 | * | |
457 | * @param int $contact_id - ID of a contact to search for | |
458 | * @param int $group_id - ID of a group to search for | |
459 | * | |
460 | * @return array - Array of assoc. arrays of ACL rules | |
461 | * @access public | |
462 | * @static | |
463 | */ | |
464 | public static function &getACLRoles($contact_id = NULL, $group_id = NULL) { | |
465 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
466 | if ($group_id) { | |
467 | $group_id = CRM_Utils_Type::escape($group_id, 'Integer'); | |
468 | } | |
469 | ||
470 | $rule = new CRM_ACL_BAO_ACL(); | |
471 | ||
472 | $acl = self::getTableName(); | |
473 | $aclRole = 'civicrm_acl_role'; | |
474 | $aclRoleJoin = CRM_ACL_DAO_EntityRole::getTableName(); | |
475 | $contact = CRM_Contact_BAO_Contact::getTableName(); | |
476 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
477 | $group = CRM_Contact_BAO_Group::getTableName(); | |
478 | ||
479 | $query = " SELECT $acl.* | |
480 | FROM $acl | |
481 | INNER JOIN civicrm_option_group og | |
482 | ON og.name = 'acl_role' | |
483 | INNER JOIN civicrm_option_value ov | |
484 | ON $acl.entity_table = '$aclRole' | |
485 | AND ov.option_group_id = og.id | |
486 | AND $acl.entity_id = ov.value"; | |
487 | ||
488 | if (!empty($group_id)) { | |
489 | $query .= " INNER JOIN $c2g | |
490 | ON $acl.entity_id = $c2g.group_id | |
491 | WHERE $acl.entity_table = '$group' | |
492 | AND $acl.is_active = 1 | |
493 | AND $c2g.group_id = $group_id"; | |
494 | ||
495 | if (!empty($contact_id)) { | |
496 | $query .= " AND $c2g.contact_id = $contact_id | |
497 | AND $c2g.status = 'Added'"; | |
498 | } | |
499 | } | |
500 | else { | |
501 | if (!empty($contact_id)) { | |
502 | $query .= " WHERE $acl.entity_table = '$contact' | |
503 | AND $acl.is_active = 1 | |
504 | AND $acl.entity_id = $contact_id"; | |
505 | } | |
506 | } | |
507 | ||
508 | $results = array(); | |
509 | ||
510 | $rule->query($query); | |
511 | ||
512 | while ($rule->fetch()) { | |
a5611c8e | 513 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
514 | } |
515 | ||
516 | return $results; | |
517 | } | |
518 | ||
519 | /** | |
520 | * Get all ACLs granted to a contact through all group memberships | |
521 | * | |
522 | * @param int $contact_id - The contact's ID | |
523 | * @param boolean $aclRoles - Include ACL Roles? | |
524 | * | |
525 | * @return array - Assoc array of ACL rules | |
526 | * @access public | |
527 | * @static | |
528 | */ | |
529 | public static function &getGroupACLs($contact_id, $aclRoles = FALSE) { | |
530 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
531 | ||
532 | $rule = new CRM_ACL_BAO_ACL(); | |
533 | ||
534 | ||
535 | $acl = self::getTableName(); | |
536 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
537 | $group = CRM_Contact_BAO_Group::getTableName(); | |
538 | $results = array(); | |
539 | ||
540 | if ($contact_id) { | |
541 | $query = " | |
542 | SELECT $acl.* | |
543 | FROM $acl | |
544 | INNER JOIN $c2g | |
545 | ON $acl.entity_id = $c2g.group_id | |
546 | WHERE $acl.entity_table = '$group' | |
547 | AND $c2g.contact_id = $contact_id | |
548 | AND $c2g.status = 'Added'"; | |
549 | ||
550 | $rule->query($query); | |
551 | ||
552 | while ($rule->fetch()) { | |
79380078 | 553 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
554 | } |
555 | } | |
556 | ||
557 | if ($aclRoles) { | |
558 | $results += self::getGroupACLRoles($contact_id); | |
559 | } | |
560 | ||
561 | return $results; | |
562 | } | |
563 | ||
564 | /** | |
565 | * Get all of the ACLs for a contact through ACL groups owned by Contact | |
566 | * groups. | |
567 | * | |
568 | * @param int $contact_id - ID of a contact to search for | |
569 | * | |
570 | * @return array - Array of assoc. arrays of ACL rules | |
571 | * @access public | |
572 | * @static | |
573 | */ | |
574 | public static function &getGroupACLRoles($contact_id) { | |
575 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); | |
576 | ||
577 | $rule = new CRM_ACL_BAO_ACL(); | |
578 | ||
579 | $acl = self::getTableName(); | |
580 | $aclRole = 'civicrm_acl_role'; | |
581 | ||
582 | ||
583 | $aclER = CRM_ACL_DAO_EntityRole::getTableName(); | |
584 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); | |
585 | $group = CRM_Contact_BAO_Group::getTableName(); | |
586 | ||
587 | $query = " SELECT $acl.* | |
588 | FROM $acl | |
589 | INNER JOIN civicrm_option_group og | |
590 | ON og.name = 'acl_role' | |
591 | INNER JOIN civicrm_option_value ov | |
592 | ON $acl.entity_table = '$aclRole' | |
593 | AND ov.option_group_id = og.id | |
594 | AND $acl.entity_id = ov.value | |
595 | AND ov.is_active = 1 | |
596 | INNER JOIN $aclER | |
597 | ON $aclER.acl_role_id = $acl.entity_id | |
598 | AND $aclER.is_active = 1 | |
599 | INNER JOIN $c2g | |
600 | ON $aclER.entity_id = $c2g.group_id | |
601 | AND $aclER.entity_table = 'civicrm_group' | |
602 | WHERE $acl.entity_table = '$aclRole' | |
603 | AND $acl.is_active = 1 | |
604 | AND $c2g.contact_id = $contact_id | |
605 | AND $c2g.status = 'Added'"; | |
606 | ||
607 | $results = array(); | |
608 | ||
609 | $rule->query($query); | |
610 | ||
611 | while ($rule->fetch()) { | |
39eb89f4 | 612 | $results[$rule->id] = $rule->toArray(); |
6a488035 TO |
613 | } |
614 | ||
615 | // also get all acls for "Any Role" case | |
616 | // and authenticated User Role if present | |
617 | $roles = "0"; | |
618 | $session = CRM_Core_Session::singleton(); | |
619 | if ($session->get('ufID') > 0) { | |
620 | $roles .= ",2"; | |
621 | } | |
622 | ||
623 | $query = " | |
624 | SELECT $acl.* | |
625 | FROM $acl | |
626 | WHERE $acl.entity_id IN ( $roles ) | |
627 | AND $acl.entity_table = 'civicrm_acl_role' | |
628 | "; | |
629 | ||
630 | $rule->query($query); | |
631 | while ($rule->fetch()) { | |
632 | $results[$rule->id] = $rule->toArray(); | |
633 | } | |
634 | ||
635 | return $results; | |
636 | } | |
637 | ||
638 | /** | |
639 | * Get all ACLs owned by a given contact, including domain and group-level. | |
640 | * | |
641 | * @param int $contact_id - The contact ID | |
642 | * | |
643 | * @return array - Assoc array of ACL rules | |
644 | * @access public | |
645 | * @static | |
646 | */ | |
647 | public static function &getAllByContact($contact_id) { | |
648 | $result = array(); | |
649 | ||
650 | /* First, the contact-specific ACLs, including ACL Roles */ | |
651 | $result += self::getACLs($contact_id, NULL, TRUE); | |
652 | ||
653 | /* Then, all ACLs granted through group membership */ | |
654 | $result += self::getGroupACLs($contact_id, TRUE); | |
655 | ||
656 | return $result; | |
657 | } | |
658 | ||
28518c90 EM |
659 | /** |
660 | * @param $params | |
661 | * | |
662 | * @return CRM_ACL_DAO_ACL | |
663 | */ | |
6a488035 TO |
664 | static function create(&$params) { |
665 | $dao = new CRM_ACL_DAO_ACL(); | |
666 | $dao->copyValues($params); | |
667 | $dao->save(); | |
1fe97a01 | 668 | return $dao; |
6a488035 TO |
669 | } |
670 | ||
28518c90 EM |
671 | /** |
672 | * @param $params | |
673 | * @param $defaults | |
674 | */ | |
6a488035 TO |
675 | static function retrieve(&$params, &$defaults) { |
676 | CRM_Core_DAO::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults); | |
677 | } | |
678 | ||
679 | /** | |
680 | * update the is_active flag in the db | |
681 | * | |
682 | * @param int $id id of the database record | |
683 | * @param boolean $is_active value we want to set the is_active field | |
684 | * | |
685 | * @return Object DAO object on sucess, null otherwise | |
686 | * @static | |
687 | */ | |
688 | static function setIsActive($id, $is_active) { | |
689 | // note this also resets any ACL cache | |
690 | CRM_Core_BAO_Cache::deleteGroup('contact fields'); | |
691 | ||
692 | return CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active); | |
693 | } | |
694 | ||
28518c90 EM |
695 | /** |
696 | * @param $str | |
697 | * @param $contactID | |
698 | * | |
699 | * @return bool | |
700 | */ | |
6a488035 TO |
701 | static function check($str, $contactID) { |
702 | ||
703 | $acls = CRM_ACL_BAO_Cache::build($contactID); | |
704 | ||
705 | $aclKeys = array_keys($acls); | |
706 | $aclKeys = implode(',', $aclKeys); | |
707 | ||
708 | if (empty($aclKeys)) { | |
709 | return FALSE; | |
710 | } | |
711 | ||
712 | ||
713 | $query = " | |
714 | SELECT count( a.id ) | |
715 | FROM civicrm_acl_cache c, civicrm_acl a | |
716 | WHERE c.acl_id = a.id | |
717 | AND a.is_active = 1 | |
718 | AND a.object_table = %1 | |
719 | AND a.id IN ( $aclKeys ) | |
720 | "; | |
721 | $params = array(1 => array($str, 'String')); | |
722 | ||
723 | $count = CRM_Core_DAO::singleValueQuery($query, $params); | |
724 | return ($count) ? TRUE : FALSE; | |
725 | } | |
726 | ||
28518c90 EM |
727 | /** |
728 | * @param $type | |
729 | * @param $tables | |
730 | * @param $whereTables | |
731 | * @param null $contactID | |
732 | * | |
733 | * @return null|string | |
734 | */ | |
6a488035 | 735 | public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) { |
6a488035 TO |
736 | $acls = CRM_ACL_BAO_Cache::build($contactID); |
737 | //CRM_Core_Error::debug( "a: $contactID", $acls ); | |
738 | ||
739 | $whereClause = NULL; | |
740 | $clauses = array(); | |
741 | ||
742 | if (!empty($acls)) { | |
743 | $aclKeys = array_keys($acls); | |
744 | $aclKeys = implode(',', $aclKeys); | |
745 | ||
746 | $query = " | |
747 | SELECT a.operation, a.object_id | |
748 | FROM civicrm_acl_cache c, civicrm_acl a | |
749 | WHERE c.acl_id = a.id | |
750 | AND a.is_active = 1 | |
751 | AND a.object_table = 'civicrm_saved_search' | |
752 | AND a.id IN ( $aclKeys ) | |
753 | ORDER BY a.object_id | |
754 | "; | |
755 | ||
756 | $dao = CRM_Core_DAO::executeQuery($query); | |
757 | ||
758 | // do an or of all the where clauses u see | |
759 | $ids = array(); | |
760 | while ($dao->fetch()) { | |
761 | // make sure operation matches the type TODO | |
762 | if (self::matchType($type, $dao->operation)) { | |
763 | if (!$dao->object_id) { | |
764 | $ids = array(); | |
765 | $whereClause = ' ( 1 ) '; | |
766 | break; | |
767 | } | |
768 | $ids[] = $dao->object_id; | |
769 | } | |
770 | } | |
771 | ||
772 | if (!empty($ids)) { | |
773 | $ids = implode(',', $ids); | |
774 | $query = " | |
775 | SELECT g.* | |
776 | FROM civicrm_group g | |
777 | WHERE g.id IN ( $ids ) | |
778 | AND g.is_active = 1 | |
779 | "; | |
780 | $dao = CRM_Core_DAO::executeQuery($query); | |
781 | $staticGroupIDs = array(); | |
782 | $cachedGroupIDs = array(); | |
783 | while ($dao->fetch()) { | |
784 | // currently operation is restrcited to VIEW/EDIT | |
785 | if ($dao->where_clause) { | |
786 | if ($dao->select_tables) { | |
787 | $tmpTables = array(); | |
788 | foreach (unserialize($dao->select_tables) as $tmpName => $tmpInfo) { | |
789 | if ($tmpName == '`civicrm_group_contact-' . $dao->id . '`') { | |
790 | $tmpName = '`civicrm_group_contact-ACL`'; | |
791 | $tmpInfo = str_replace('civicrm_group_contact-' . $dao->id, 'civicrm_group_contact-ACL', $tmpInfo); | |
792 | } | |
793 | elseif ($tmpName == '`civicrm_group_contact_cache_' . $dao->id . '`') { | |
794 | $tmpName = '`civicrm_group_contact_cache-ACL`'; | |
795 | $tmpInfo = str_replace('civicrm_group_contact_cache_' . $dao->id, 'civicrm_group_contact_cache-ACL', $tmpInfo); | |
796 | } | |
797 | $tmpTables[$tmpName] = $tmpInfo; | |
798 | } | |
799 | $tables = array_merge($tables, | |
800 | $tmpTables | |
801 | ); | |
802 | } | |
803 | if ($dao->where_tables) { | |
804 | $tmpTables = array(); | |
805 | foreach (unserialize($dao->where_tables) as $tmpName => $tmpInfo) { | |
806 | if ($tmpName == '`civicrm_group_contact-' . $dao->id . '`') { | |
807 | $tmpName = '`civicrm_group_contact-ACL`'; | |
808 | $tmpInfo = str_replace('civicrm_group_contact-' . $dao->id, 'civicrm_group_contact-ACL', $tmpInfo); | |
809 | $staticGroupIDs[] = $dao->id; | |
810 | } | |
811 | elseif ($tmpName == '`civicrm_group_contact_cache_' . $dao->id . '`') { | |
812 | $tmpName = '`civicrm_group_contact_cache-ACL`'; | |
813 | $tmpInfo = str_replace('civicrm_group_contact_cache_' . $dao->id, 'civicrm_group_contact_cache-ACL', $tmpInfo); | |
814 | $cachedGroupIDs[] = $dao->id; | |
815 | } | |
816 | $tmpTables[$tmpName] = $tmpInfo; | |
817 | } | |
818 | $whereTables = array_merge($whereTables, $tmpTables); | |
819 | } | |
820 | } | |
821 | ||
822 | if (($dao->saved_search_id || $dao->children || $dao->parents) && | |
823 | $dao->cache_date == NULL) { | |
824 | CRM_Contact_BAO_GroupContactCache::load($dao); | |
825 | } | |
826 | } | |
827 | ||
828 | if ($staticGroupIDs) { | |
829 | $clauses[] = '( `civicrm_group_contact-ACL`.group_id IN (' . join(', ', $staticGroupIDs) . ') AND `civicrm_group_contact-ACL`.status IN ("Added") )'; | |
830 | } | |
831 | ||
832 | if ($cachedGroupIDs) { | |
833 | $clauses[] = '`civicrm_group_contact_cache-ACL`.group_id IN (' . join(', ', $cachedGroupIDs) . ')'; | |
834 | } | |
835 | } | |
836 | } | |
837 | ||
838 | if (!empty($clauses)) { | |
839 | $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) '; | |
840 | } | |
841 | ||
842 | // call the hook to get additional whereClauses | |
843 | CRM_Utils_Hook::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause); | |
844 | ||
845 | if (empty($whereClause)) { | |
846 | $whereClause = ' ( 0 ) '; | |
847 | } | |
848 | ||
849 | return $whereClause; | |
850 | } | |
851 | ||
28518c90 EM |
852 | /** |
853 | * @param $type | |
854 | * @param null $contactID | |
855 | * @param string $tableName | |
856 | * @param null $allGroups | |
857 | * @param null $includedGroups | |
858 | * | |
859 | * @return array | |
860 | */ | |
6a488035 TO |
861 | public static function group($type, |
862 | $contactID = NULL, | |
863 | $tableName = 'civicrm_saved_search', | |
864 | $allGroups = NULL, | |
865 | $includedGroups = NULL | |
866 | ) { | |
867 | ||
868 | $acls = CRM_ACL_BAO_Cache::build($contactID); | |
869 | ||
b1f4e637 | 870 | $ids = array(); |
6a488035 TO |
871 | if (!empty($acls)) { |
872 | $aclKeys = array_keys($acls); | |
873 | $aclKeys = implode(',', $aclKeys); | |
874 | ||
557f8c17 ARW |
875 | $cacheKey = "$tableName-$aclKeys"; |
876 | $cache = CRM_Utils_Cache::singleton(); | |
877 | $ids = $cache->get($cacheKey); | |
878 | if (!$ids) { | |
879 | $query = " | |
6a488035 TO |
880 | SELECT a.operation, a.object_id |
881 | FROM civicrm_acl_cache c, civicrm_acl a | |
882 | WHERE c.acl_id = a.id | |
883 | AND a.is_active = 1 | |
884 | AND a.object_table = %1 | |
885 | AND a.id IN ( $aclKeys ) | |
886 | GROUP BY a.operation,a.object_id | |
887 | ORDER BY a.object_id | |
888 | "; | |
557f8c17 ARW |
889 | $params = array(1 => array($tableName, 'String')); |
890 | $dao = CRM_Core_DAO::executeQuery($query, $params); | |
891 | while ($dao->fetch()) { | |
892 | if ($dao->object_id) { | |
893 | if (self::matchType($type, $dao->operation)) { | |
894 | $ids[] = $dao->object_id; | |
895 | } | |
6a488035 | 896 | } |
557f8c17 ARW |
897 | else { |
898 | // this user has got the permission for all objects of this type | |
899 | // check if the type matches | |
900 | if (self::matchType($type, $dao->operation)) { | |
901 | foreach ($allGroups as $id => $dontCare) { | |
902 | $ids[] = $id; | |
903 | } | |
6a488035 | 904 | } |
557f8c17 | 905 | break; |
6a488035 | 906 | } |
6a488035 | 907 | } |
557f8c17 | 908 | $cache->set($cacheKey, $ids); |
6a488035 TO |
909 | } |
910 | } | |
911 | ||
b1f4e637 RN |
912 | if (empty($ids) && !empty($includedGroups) && |
913 | is_array($includedGroups) | |
914 | ) { | |
915 | $ids = $includedGroups; | |
916 | } | |
917 | ||
6a488035 TO |
918 | CRM_Utils_Hook::aclGroup($type, $contactID, $tableName, $allGroups, $ids); |
919 | ||
920 | return $ids; | |
921 | } | |
922 | ||
28518c90 EM |
923 | /** |
924 | * @param $type | |
925 | * @param $operation | |
926 | * | |
927 | * @return bool | |
928 | */ | |
6a488035 TO |
929 | static function matchType($type, $operation) { |
930 | $typeCheck = FALSE; | |
931 | switch ($operation) { | |
932 | case 'All': | |
933 | $typeCheck = TRUE; | |
934 | break; | |
935 | ||
936 | case 'View': | |
937 | if ($type == CRM_ACL_API::VIEW) { | |
938 | $typeCheck = TRUE; | |
939 | } | |
940 | break; | |
941 | ||
942 | case 'Edit': | |
943 | if ($type == CRM_ACL_API::VIEW || $type == CRM_ACL_API::EDIT) { | |
944 | $typeCheck = TRUE; | |
945 | } | |
946 | break; | |
947 | ||
948 | case 'Create': | |
949 | if ($type == CRM_ACL_API::CREATE) { | |
950 | $typeCheck = TRUE; | |
951 | } | |
952 | break; | |
953 | ||
954 | case 'Delete': | |
955 | if ($type == CRM_ACL_API::DELETE) { | |
956 | $typeCheck = TRUE; | |
957 | } | |
958 | break; | |
959 | ||
960 | case 'Search': | |
961 | if ($type == CRM_ACL_API::SEARCH) { | |
962 | $typeCheck = TRUE; | |
963 | } | |
964 | break; | |
965 | } | |
966 | return $typeCheck; | |
967 | } | |
968 | ||
969 | /** | |
970 | * Function to delete ACL records | |
971 | * | |
972 | * @param int $aclId ID of the ACL record to be deleted. | |
973 | * | |
974 | * @access public | |
975 | * @static | |
976 | */ | |
977 | static function del($aclId) { | |
978 | // delete all entries from the acl cache | |
979 | CRM_ACL_BAO_Cache::resetCache(); | |
980 | ||
981 | $acl = new CRM_ACL_DAO_ACL(); | |
982 | $acl->id = $aclId; | |
983 | $acl->delete(); | |
984 | } | |
985 | } | |
986 |