[civicrm-core.git] / CRM / Contact / BAO / Contact / Permission.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.5                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2014                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2014
 * $Id$
 *
 */
class CRM_Contact_BAO_Contact_Permission {

  /**
   * check if the logged in user has permissions for the operation type
   *
   * @param int $id contact id
   * @param int|string $type the type of operation (view|edit)
   *
   * @return boolean true if the user has permission, false otherwise
   * @access public
   * @static
   */
  static function allow($id, $type = CRM_Core_Permission::VIEW) {
    $tables = array();
    $whereTables = array();

    # FIXME: push this somewhere below, to not give this permission so many rights
    $isDeleted = (bool) CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $id, 'is_deleted');
    if (CRM_Core_Permission::check('access deleted contacts') && $isDeleted) {
      return TRUE;
    }

    // short circuit for admin rights here so we avoid unneeeded queries
    // some duplication of code, but we skip 3-5 queries
    if (CRM_Core_Permission::check('edit all contacts') ||
      ($type == CRM_ACL_API::VIEW && CRM_Core_Permission::check('view all contacts'))
    ) {
      return TRUE;
    }

    //check permission based on relationship, CRM-2963
    if (self::relationship($id)) {
      return TRUE;
    }

    $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables);

    $from = CRM_Contact_BAO_Query::fromClause($whereTables);

    $query = "
SELECT count(DISTINCT contact_a.id)
       $from
WHERE contact_a.id = %1 AND $permission";
    $params = array(1 => array($id, 'Integer'));

    return (CRM_Core_DAO::singleValueQuery($query, $params) > 0) ? TRUE : FALSE;
  }

  /**
   * fill the acl contact cache for this contact id if empty
   *
   * @param $userID
   * @param int|string $type the type of operation (view|edit)
   * @param boolean $force should we force a recompute
   *
   * @internal param int $id contact id
   * @return void
   * @access public
   * @static
   */
  static function cache($userID, $type = CRM_Core_Permission::VIEW, $force = FALSE) {
    static $_processed = array();

    if ($type = CRM_Core_Permission::VIEW) {
      $operationClause = " operation IN ( 'Edit', 'View' ) ";
      $operation = 'View';
    }
    else {
      $operationClause = " operation = 'Edit' ";
      $operation = 'Edit';
    }

    if (!$force) {
      if (!empty($_processed[$userID])) {
        return;
      }

      // run a query to see if the cache is filled
      $sql = "
SELECT count(id)
FROM   civicrm_acl_contact_cache
WHERE  user_id = %1
AND    $operationClause
";
      $params = array(1 => array($userID, 'Integer'));
      $count = CRM_Core_DAO::singleValueQuery($sql, $params);
      if ($count > 0) {
        $_processed[$userID] = 1;
        return;
      }
    }

    $tables = array();
    $whereTables = array();

    $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, $userID);

    $from = CRM_Contact_BAO_Query::fromClause($whereTables);

    CRM_Core_DAO::executeQuery("
INSERT INTO civicrm_acl_contact_cache ( user_id, contact_id, operation )
SELECT      $userID as user_id, contact_a.id as contact_id, '$operation' as operation
         $from
WHERE    $permission
GROUP BY contact_a.id
ON DUPLICATE KEY UPDATE
         user_id=VALUES(user_id),
         contact_id=VALUES(contact_id),
         operation=VALUES(operation)"
    );

    CRM_Core_DAO::executeQuery('DELETE FROM civicrm_acl_contact_cache WHERE contact_id IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)');
    $_processed[$userID] = 1;

    return;
  }

  /**
   * Function to check if there are any contacts in cache table
   *
   * @param string  $type      the type of operation (view|edit)
   * @param int     $contactID contact id
   *
   * @return boolean
   * @access public
   * @static
   */
  static function hasContactsInCache($type = CRM_Core_Permission::VIEW,
    $contactID = NULL
  ) {
    if (!$contactID) {
      $session = CRM_Core_Session::singleton();
      $contactID = $session->get('userID');
    }

    if ($type = CRM_Core_Permission::VIEW) {
      $operationClause = " operation IN ( 'Edit', 'View' ) ";
      $operation = 'View';
    }
    else {
      $operationClause = " operation = 'Edit' ";
      $operation = 'Edit';
    }

    // fill cache
    self::cache($contactID);

    $sql = "
SELECT id
FROM   civicrm_acl_contact_cache
WHERE  user_id = %1
AND    $operationClause LIMIT 1";

    $params = array(1 => array($contactID, 'Integer'));
    return (bool) CRM_Core_DAO::singleValueQuery($sql, $params);
  }

  static function cacheClause($contactAlias = 'contact_a', $contactID = NULL) {
    if (CRM_Core_Permission::check('view all contacts') ||
      CRM_Core_Permission::check('edit all contacts')
    ) {
      if (is_array($contactAlias)) {
        $wheres = array();
        foreach ($contactAlias as $alias) {
          // CRM-6181
          $wheres[] = "$alias.is_deleted = 0";
        }
        return array(NULL, '(' . implode(' AND ', $wheres) . ')');
      }
      else {
        // CRM-6181
        return array(NULL, "$contactAlias.is_deleted = 0");
      }
    }

    $session = CRM_Core_Session::singleton();
    $contactID = $session->get('userID');
    if (!$contactID) {
      $contactID = 0;
    }
    $contactID = CRM_Utils_Type::escape($contactID, 'Integer');

    self::cache($contactID);

    if (is_array($contactAlias) && !empty($contactAlias)) {
      //More than one contact alias
      $clauses = array();
      foreach ($contactAlias as $k => $alias) {
        $clauses[] = " INNER JOIN civicrm_acl_contact_cache aclContactCache_{$k} ON {$alias}.id = aclContactCache_{$k}.contact_id AND aclContactCache_{$k}.user_id = $contactID ";
      }

      $fromClause = implode(" ", $clauses);
      $whereClase = NULL;
    }
    else {
      $fromClause = " INNER JOIN civicrm_acl_contact_cache aclContactCache ON {$contactAlias}.id = aclContactCache.contact_id ";
      $whereClase = " aclContactCache.user_id = $contactID ";
    }

    return array($fromClause, $whereClase);
  }

  /**
   * Function to get the permission base on its relationship
   *
   * @param int $selectedContactId contact id of selected contact
   * @param int $contactId contact id of the current contact
   *
   * @return booleab true if logged in user has permission to view
   * selected contact record else false
   * @static
   */
  static function relationship($selectedContactID, $contactID = NULL) {
    $session = CRM_Core_Session::singleton();
    $config = CRM_Core_Config::singleton();
    if (!$contactID) {
      $contactID = $session->get('userID');
      if (!$contactID) {
        return FALSE;
      }
    }
    if ($contactID == $selectedContactID && CRM_Core_Permission::check('edit my contact')) {
      return TRUE;
    }
    else {
      if ($config->secondDegRelPermissions) {
        $query = "
SELECT firstdeg.id
FROM   civicrm_relationship firstdeg
LEFT JOIN civicrm_relationship seconddegaa
  on firstdeg.contact_id_a = seconddegaa.contact_id_b
  and seconddegaa.is_permission_b_a = 1
  and firstdeg.is_permission_b_a = 1
  and seconddegaa.is_active = 1
LEFT JOIN civicrm_relationship seconddegab
  on firstdeg.contact_id_a = seconddegab.contact_id_a
  and seconddegab.is_permission_a_b = 1
  and firstdeg.is_permission_b_a = 1
  and seconddegab.is_active = 1
LEFT JOIN civicrm_relationship seconddegba
  on firstdeg.contact_id_b = seconddegba.contact_id_b
  and seconddegba.is_permission_b_a = 1
  and firstdeg.is_permission_a_b = 1
  and seconddegba.is_active = 1
LEFT JOIN civicrm_relationship seconddegbb
  on firstdeg.contact_id_b = seconddegbb.contact_id_a
  and seconddegbb.is_permission_a_b = 1
  and firstdeg.is_permission_a_b = 1
  and seconddegbb.is_active = 1
WHERE
  (
    ( firstdeg.contact_id_a = %1 AND firstdeg.contact_id_b = %2 AND firstdeg.is_permission_a_b = 1 )
    OR ( firstdeg.contact_id_a = %2 AND firstdeg.contact_id_b = %1 AND firstdeg.is_permission_b_a = 1 )
    OR (
      firstdeg.contact_id_a = %1 AND seconddegba.contact_id_a = %2
      AND (seconddegba.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
    )
    OR (
      firstdeg.contact_id_a = %1 AND seconddegbb.contact_id_b = %2
      AND (seconddegbb.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
    )
    OR (
      firstdeg.contact_id_b = %1 AND seconddegab.contact_id_b = %2
      AND (seconddegab.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
    )
    OR (
      firstdeg.contact_id_b = %1 AND seconddegaa.contact_id_a = %2      AND (seconddegaa.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
    )
  )
  AND (firstdeg.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
  AND (firstdeg.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
  AND ( firstdeg.is_active = 1)
      ";
      }
      else {
        $query = "
SELECT id
FROM   civicrm_relationship
WHERE  (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR
        ( contact_id_a = %2 AND contact_id_b = %1 AND is_permission_b_a = 1 )) AND
       (contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)) AND
       (contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
  AND  ( civicrm_relationship.is_active = 1 )
";
      }
      $params = array(1 => array($contactID, 'Integer'),
        2 => array($selectedContactID, 'Integer'),
      );
      return CRM_Core_DAO::singleValueQuery($query, $params);
    }
  }


  static function validateOnlyChecksum($contactID, &$form, $redirect = TRUE) {
    // check if this is of the format cs=XXX
    if (!CRM_Contact_BAO_Contact_Utils::validChecksum($contactID,
        CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)
      )) {
      if ($redirect) {
        // also set a message in the UF framework
        $message = ts('You do not have permission to edit this contact record. Contact the site administrator if you need assistance.');
        CRM_Utils_System::setUFMessage($message);

        $config = CRM_Core_Config::singleton();
        CRM_Core_Error::statusBounce($message,
          $config->userFrameworkBaseURL
        );
        // does not come here, we redirect in the above statement
      }
      return FALSE;
    }

    // set appropriate AUTH source
    self::initChecksumAuthSrc(TRUE, $form);

    // so here the contact is posing as $contactID, lets set the logging contact ID variable
    // CRM-8965
    CRM_Core_DAO::executeQuery('SET @civicrm_user_id = %1',
      array(1 => array($contactID, 'Integer'))
    );

    return TRUE;
  }

  static function initChecksumAuthSrc($checkSumValidationResult = FALSE, $form = NULL) {
    $session = CRM_Core_Session::singleton();
    if ($checkSumValidationResult && $form && CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)) {
      // if result is already validated, and url has cs, set the flag.
      $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM);
    } else if (($session->get('authSrc') & CRM_Core_Permission::AUTH_SRC_CHECKSUM) == CRM_Core_Permission::AUTH_SRC_CHECKSUM) {
      // if checksum wasn't present in REQUEST OR checksum result validated as FALSE,
      // and flag was already set exactly as AUTH_SRC_CHECKSUM, unset it.
      $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_UNKNOWN);
    }
  }

  static function validateChecksumContact($contactID, &$form, $redirect = TRUE) {
    if (!self::allow($contactID, CRM_Core_Permission::EDIT)) {
      // check if this is of the format cs=XXX
      return self::validateOnlyChecksum($contactID, $form, $redirect);
    }
    return TRUE;
  }
}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
06b69b18	4	\| CiviCRM version 4.5 \|
6a488035	5	+--------------------------------------------------------------------+
06b69b18	6	\| Copyright CiviCRM LLC (c) 2004-2014 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	*
	30	* @package CRM
06b69b18	31	* @copyright CiviCRM LLC (c) 2004-2014
6a488035 TO	32	* $Id$
	33	*
	34	*/
	35	class CRM_Contact_BAO_Contact_Permission {
	36
	37	/**
	38	* check if the logged in user has permissions for the operation type
	39	*
77b97be7 EM	40	* @param int $id contact id
77b97be7 EM	41	* @param int\|string $type the type of operation (view\|edit)
6a488035 TO	42	*
	43	* @return boolean true if the user has permission, false otherwise
	44	* @access public
	45	* @static
	46	*/
	47	static function allow($id, $type = CRM_Core_Permission::VIEW) {
	48	$tables = array();
	49	$whereTables = array();
	50
	51	# FIXME: push this somewhere below, to not give this permission so many rights
	52	$isDeleted = (bool) CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $id, 'is_deleted');
	53	if (CRM_Core_Permission::check('access deleted contacts') && $isDeleted) {
	54	return TRUE;
	55	}
	56
	57	// short circuit for admin rights here so we avoid unneeeded queries
	58	// some duplication of code, but we skip 3-5 queries
	59	if (CRM_Core_Permission::check('edit all contacts') \|\|
	60	($type == CRM_ACL_API::VIEW && CRM_Core_Permission::check('view all contacts'))
	61	) {
	62	return TRUE;
	63	}
	64
	65	//check permission based on relationship, CRM-2963
	66	if (self::relationship($id)) {
	67	return TRUE;
	68	}
	69
	70	$permission = CRM_ACL_API::whereClause($type, $tables, $whereTables);
	71
	72	$from = CRM_Contact_BAO_Query::fromClause($whereTables);
	73
	74	$query = "
	75	SELECT count(DISTINCT contact_a.id)
	76	$from
	77	WHERE contact_a.id = %1 AND $permission";
	78	$params = array(1 => array($id, 'Integer'));
	79
	80	return (CRM_Core_DAO::singleValueQuery($query, $params) > 0) ? TRUE : FALSE;
	81	}
	82
	83	/**
	84	* fill the acl contact cache for this contact id if empty
	85	*
dd244018 EM	86	* @param $userID
	87	* @param int\|string $type the type of operation (view\|edit)
	88	* @param boolean $force should we force a recompute
6a488035	89	*
dd244018	90	* @internal param int $id contact id
6a488035 TO	91	* @return void
	92	* @access public
	93	* @static
	94	*/
	95	static function cache($userID, $type = CRM_Core_Permission::VIEW, $force = FALSE) {
	96	static $_processed = array();
	97
	98	if ($type = CRM_Core_Permission::VIEW) {
	99	$operationClause = " operation IN ( 'Edit', 'View' ) ";
	100	$operation = 'View';
	101	}
	102	else {
	103	$operationClause = " operation = 'Edit' ";
	104	$operation = 'Edit';
	105	}
	106
	107	if (!$force) {
a7488080	108	if (!empty($_processed[$userID])) {
6a488035 TO	109	return;
	110	}
	111
	112	// run a query to see if the cache is filled
	113	$sql = "
	114	SELECT count(id)
	115	FROM civicrm_acl_contact_cache
	116	WHERE user_id = %1
	117	AND $operationClause
	118	";
	119	$params = array(1 => array($userID, 'Integer'));
	120	$count = CRM_Core_DAO::singleValueQuery($sql, $params);
	121	if ($count > 0) {
	122	$_processed[$userID] = 1;
	123	return;
	124	}
	125	}
	126
	127	$tables = array();
	128	$whereTables = array();
	129
	130	$permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, $userID);
	131
	132	$from = CRM_Contact_BAO_Query::fromClause($whereTables);
	133
	134	CRM_Core_DAO::executeQuery("
	135	INSERT INTO civicrm_acl_contact_cache ( user_id, contact_id, operation )
	136	SELECT $userID as user_id, contact_a.id as contact_id, '$operation' as operation
	137	$from
	138	WHERE $permission
	139	GROUP BY contact_a.id
	140	ON DUPLICATE KEY UPDATE
	141	user_id=VALUES(user_id),
	142	contact_id=VALUES(contact_id),
	143	operation=VALUES(operation)"
	144	);
	145
	146	CRM_Core_DAO::executeQuery('DELETE FROM civicrm_acl_contact_cache WHERE contact_id IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)');
	147	$_processed[$userID] = 1;
	148
	149	return;
	150	}
	151
	152	/**
	153	* Function to check if there are any contacts in cache table
	154	*
	155	* @param string $type the type of operation (view\|edit)
	156	* @param int $contactID contact id
	157	*
	158	* @return boolean
	159	* @access public
	160	* @static
	161	*/
	162	static function hasContactsInCache($type = CRM_Core_Permission::VIEW,
	163	$contactID = NULL
	164	) {
	165	if (!$contactID) {
	166	$session = CRM_Core_Session::singleton();
	167	$contactID = $session->get('userID');
	168	}
	169
	170	if ($type = CRM_Core_Permission::VIEW) {
	171	$operationClause = " operation IN ( 'Edit', 'View' ) ";
	172	$operation = 'View';
173	}
174	else {
175	$operationClause = " operation = 'Edit' ";
176	$operation = 'Edit';
177	}
178
179	// fill cache
180	self::cache($contactID);
181
182	$sql = "
183	SELECT id
184	FROM civicrm_acl_contact_cache
185	WHERE user_id = %1
186	AND $operationClause LIMIT 1";
187
188	$params = array(1 => array($contactID, 'Integer'));
189	return (bool) CRM_Core_DAO::singleValueQuery($sql, $params);
190	}
191
192	static function cacheClause($contactAlias = 'contact_a', $contactID = NULL) {
193	if (CRM_Core_Permission::check('view all contacts') \|\|
194	CRM_Core_Permission::check('edit all contacts')
195	) {
196	if (is_array($contactAlias)) {
197	$wheres = array();
198	foreach ($contactAlias as $alias) {
199	// CRM-6181
200	$wheres[] = "$alias.is_deleted = 0";
201	}
202	return array(NULL, '(' . implode(' AND ', $wheres) . ')');
203	}
204	else {
205	// CRM-6181
206	return array(NULL, "$contactAlias.is_deleted = 0");
207	}
208	}
209
210	$session = CRM_Core_Session::singleton();
211	$contactID = $session->get('userID');
212	if (!$contactID) {
213	$contactID = 0;
214	}
215	$contactID = CRM_Utils_Type::escape($contactID, 'Integer');
216
217	self::cache($contactID);
218
219	if (is_array($contactAlias) && !empty($contactAlias)) {
220	//More than one contact alias
221	$clauses = array();
222	foreach ($contactAlias as $k => $alias) {
223	$clauses[] = " INNER JOIN civicrm_acl_contact_cache aclContactCache_{$k} ON {$alias}.id = aclContactCache_{$k}.contact_id AND aclContactCache_{$k}.user_id = $contactID ";
224	}
225
226	$fromClause = implode(" ", $clauses);
227	$whereClase = NULL;
228	}
229	else {
230	$fromClause = " INNER JOIN civicrm_acl_contact_cache aclContactCache ON {$contactAlias}.id = aclContactCache.contact_id ";
231	$whereClase = " aclContactCache.user_id = $contactID ";
232	}
233
234	return array($fromClause, $whereClase);
235	}
236
237	/**
238	* Function to get the permission base on its relationship
239	*
240	* @param int $selectedContactId contact id of selected contact
241	* @param int $contactId contact id of the current contact
242	*
243	* @return booleab true if logged in user has permission to view
244	* selected contact record else false
245	* @static
246	*/
247	static function relationship($selectedContactID, $contactID = NULL) {
248	$session = CRM_Core_Session::singleton();
d5f1ee75	249	$config = CRM_Core_Config::singleton();
6a488035 TO	250	if (!$contactID) {
	251	$contactID = $session->get('userID');
	252	if (!$contactID) {
	253	return FALSE;
	254	}
	255	}
ad623fd4	256	if ($contactID == $selectedContactID && CRM_Core_Permission::check('edit my contact')) {
6a488035 TO	257	return TRUE;
	258	}
	259	else {
d5f1ee75 DG	260	if ($config->secondDegRelPermissions) {
	261	$query = "
	262	SELECT firstdeg.id
	263	FROM civicrm_relationship firstdeg
	264	LEFT JOIN civicrm_relationship seconddegaa
	265	on firstdeg.contact_id_a = seconddegaa.contact_id_b
	266	and seconddegaa.is_permission_b_a = 1
	267	and firstdeg.is_permission_b_a = 1
	268	and seconddegaa.is_active = 1
	269	LEFT JOIN civicrm_relationship seconddegab
	270	on firstdeg.contact_id_a = seconddegab.contact_id_a
	271	and seconddegab.is_permission_a_b = 1
	272	and firstdeg.is_permission_b_a = 1
	273	and seconddegab.is_active = 1
	274	LEFT JOIN civicrm_relationship seconddegba
	275	on firstdeg.contact_id_b = seconddegba.contact_id_b
	276	and seconddegba.is_permission_b_a = 1
	277	and firstdeg.is_permission_a_b = 1
	278	and seconddegba.is_active = 1
	279	LEFT JOIN civicrm_relationship seconddegbb
	280	on firstdeg.contact_id_b = seconddegbb.contact_id_a
	281	and seconddegbb.is_permission_a_b = 1
	282	and firstdeg.is_permission_a_b = 1
	283	and seconddegbb.is_active = 1
2efcf0c2	284	WHERE
d5f1ee75	285	(
2efcf0c2	286	( firstdeg.contact_id_a = %1 AND firstdeg.contact_id_b = %2 AND firstdeg.is_permission_a_b = 1 )
d5f1ee75	287	OR ( firstdeg.contact_id_a = %2 AND firstdeg.contact_id_b = %1 AND firstdeg.is_permission_b_a = 1 )
2efcf0c2	288	OR (
d5f1ee75	289	firstdeg.contact_id_a = %1 AND seconddegba.contact_id_a = %2
2efcf0c2	290	AND (seconddegba.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
d5f1ee75	291	)
2efcf0c2	292	OR (
d5f1ee75	293	firstdeg.contact_id_a = %1 AND seconddegbb.contact_id_b = %2
2efcf0c2	294	AND (seconddegbb.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
d5f1ee75	295	)
2efcf0c2	296	OR (
d5f1ee75	297	firstdeg.contact_id_b = %1 AND seconddegab.contact_id_b = %2
2efcf0c2	298	AND (seconddegab.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
d5f1ee75	299	)
2efcf0c2	300	OR (
2efcf0c2	301	firstdeg.contact_id_b = %1 AND seconddegaa.contact_id_a = %2 AND (seconddegaa.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
d5f1ee75	302	)
2efcf0c2	303	)
2efcf0c2	304	AND (firstdeg.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
d5f1ee75 DG	305	AND (firstdeg.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
	306	AND ( firstdeg.is_active = 1)
	307	";
	308	}
	309	else {
	310	$query = "
6a488035 TO	311	SELECT id
	312	FROM civicrm_relationship
	313	WHERE (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR
	314	( contact_id_a = %2 AND contact_id_b = %1 AND is_permission_b_a = 1 )) AND
	315	(contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)) AND
	316	(contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
	317	AND ( civicrm_relationship.is_active = 1 )
	318	";
d5f1ee75	319	}
6a488035 TO	320	$params = array(1 => array($contactID, 'Integer'),
	321	2 => array($selectedContactID, 'Integer'),
	322	);
	323	return CRM_Core_DAO::singleValueQuery($query, $params);
	324	}
	325	}
	326
	327
	328	static function validateOnlyChecksum($contactID, &$form, $redirect = TRUE) {
	329	// check if this is of the format cs=XXX
	330	if (!CRM_Contact_BAO_Contact_Utils::validChecksum($contactID,
	331	CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)
	332	)) {
	333	if ($redirect) {
	334	// also set a message in the UF framework
	335	$message = ts('You do not have permission to edit this contact record. Contact the site administrator if you need assistance.');
	336	CRM_Utils_System::setUFMessage($message);
	337
	338	$config = CRM_Core_Config::singleton();
	339	CRM_Core_Error::statusBounce($message,
	340	$config->userFrameworkBaseURL
	341	);
	342	// does not come here, we redirect in the above statement
	343	}
	344	return FALSE;
	345	}
	346
a9a1ea2c	347	// set appropriate AUTH source
e8f14831	348	self::initChecksumAuthSrc(TRUE, $form);
a9a1ea2c	349
6a488035 TO	350	// so here the contact is posing as $contactID, lets set the logging contact ID variable
	351	// CRM-8965
	352	CRM_Core_DAO::executeQuery('SET @civicrm_user_id = %1',
	353	array(1 => array($contactID, 'Integer'))
	354	);
77b97be7	355
6a488035 TO	356	return TRUE;
	357	}
	358
e8f14831	359	static function initChecksumAuthSrc($checkSumValidationResult = FALSE, $form = NULL) {
a9a1ea2c	360	$session = CRM_Core_Session::singleton();
e8f14831	361	if ($checkSumValidationResult && $form && CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)) {
a9a1ea2c DS	362	// if result is already validated, and url has cs, set the flag.
	363	$session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM);
	364	} else if (($session->get('authSrc') & CRM_Core_Permission::AUTH_SRC_CHECKSUM) == CRM_Core_Permission::AUTH_SRC_CHECKSUM) {
77b97be7	365	// if checksum wasn't present in REQUEST OR checksum result validated as FALSE,
a9a1ea2c DS	366	// and flag was already set exactly as AUTH_SRC_CHECKSUM, unset it.
	367	$session->set('authSrc', CRM_Core_Permission::AUTH_SRC_UNKNOWN);
	368	}
	369	}
	370
6a488035 TO	371	static function validateChecksumContact($contactID, &$form, $redirect = TRUE) {
	372	if (!self::allow($contactID, CRM_Core_Permission::EDIT)) {
	373	// check if this is of the format cs=XXX
	374	return self::validateOnlyChecksum($contactID, $form, $redirect);
	375	}
	376	return TRUE;
	377	}
	378	}
	379