[civicrm-core.git] / CRM / Core / DAO / permissions.php

<?php

/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.6                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2014                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 * Decide what permissions to check for an api call
 * The contact must have all of the returned permissions for the api call to be allowed
 *
 * @param $entity : (str) api entity
 * @param $action : (str) api action
 * @param $params : (array) api params
 *
 * @return array
 *   Array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  $entity = _civicrm_api_get_entity_name_from_camel($entity);
  $action = strtolower($action);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   *  Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares it's own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  $permissions['attachment'] = array(
    'default' => array('access CiviCRM', 'access AJAX API'),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'getquick' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  //relationship permissions
  $permissions['relationship'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      'access CiviCRM',
      'access all cases and activities',
    ),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // CiviMail Permissions
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    'get' => array(), // the profile will take care of this
  );

  $permissions['uf_group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
  );
  $permissions['uf_field'] = $permissions['uf_group'];
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  // Translate 'create' action to 'update' if id is set
  if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  $snippet = substr($action, 0, 3);
  if ($action == 'replace' || $snippet == 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closesly guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action == 'setvalue' || $snippet == 'upd') {
    $action = 'update';
  }
  elseif ($action == 'getfields' || $action == 'getspec' || $action == 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet == 'get') {
    $action = 'get';
  }
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}

# FIXME: not sure how to permission the following API 3 calls:
# contribution_transact (make online contributions)
# entity_tag_display
# group_contact_pending
# group_contact_update_status
# mailing_event_bounce
# mailing_event_click
# mailing_event_confirm
# mailing_event_forward
# mailing_event_open
# mailing_event_reply
# mailing_group_event_domain_unsubscribe
# mailing_group_event_resubscribe
# mailing_group_event_subscribe
# mailing_group_event_unsubscribe
# membership_status_calc
# survey_respondant_count
Commit	Line	Data
6a488035 TO	1	<?php
	2
	3	/*
	4	+--------------------------------------------------------------------+
39de6fd5	5	\| CiviCRM version 4.6 \|
6a488035	6	+--------------------------------------------------------------------+
06b69b18	7	\| Copyright CiviCRM LLC (c) 2004-2014 \|
6a488035 TO	8	+--------------------------------------------------------------------+
	9	\| This file is a part of CiviCRM. \|
	10	\| \|
	11	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	12	\| under the terms of the GNU Affero General Public License \|
	13	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	14	\| \|
	15	\| CiviCRM is distributed in the hope that it will be useful, but \|
	16	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	17	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	18	\| See the GNU Affero General Public License for more details. \|
	19	\| \|
	20	\| You should have received a copy of the GNU Affero General Public \|
	21	\| License and the CiviCRM Licensing Exception along \|
	22	\| with this program; if not, contact CiviCRM LLC \|
	23	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	24	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	25	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	26	+--------------------------------------------------------------------+
	27	*/
	28
	29	/**
082d771a CW	30	* Decide what permissions to check for an api call
082d771a CW	31	* The contact must have all of the returned permissions for the api call to be allowed
6a488035	32	*
353ffa53 TO	33	* @param $entity : (str) api entity
	34	* @param $action : (str) api action
	35	* @param $params : (array) api params
6a488035	36	*
a6c01b45	37	* @return array
16b10e64	38	* Array of permissions to check for this entity-action combo
6a488035	39	*/
6a488035	40	function _civicrm_api3_permissions($entity, $action, &$params) {
47e6af81	41	$entity = _civicrm_api_get_entity_name_from_camel($entity);
6a488035	42	$action = strtolower($action);
79089019 CW	43
	44	/**
	45	* @var array of permissions
	46	*
	47	* For each entity, we declare an array of permissions required for each action
	48	* The action is the array key, possible values:
	49	* * create: applies to create (with no id in params)
	50	* * update: applies to update, setvalue, create (with id in params)
	51	* * get: applies to getcount, getsingle, getvalue and other gets
	52	* * delete: applies to delete, replace
	53	* * meta: applies to getfields, getoptions, getspec
	54	* * default: catch-all for anything not declared
	55	*
	56	* Note: some APIs declare other actions as well
	57	*/
082d771a CW	58	$permissions = array();
082d771a CW	59
79089019 CW	60	// These are the default permissions - if any entity does not declare permissions for a given action,
	61	// (or the entity does not declare permissions at all) - then the action will be used from here
	62	$permissions['default'] = array(
	63	// applies to getfields, getoptions, etc.
	64	'meta' => array('access CiviCRM'),
	65	// catch-all, applies to create, get, delete, etc.
	66	// If an entity declares it's own 'default' action it will override this one
	67	'default' => array('administer CiviCRM'),
	68	);
	69
56154d36 TO	70	$permissions['attachment'] = array(
	71	'default' => array('access CiviCRM', 'access AJAX API'),
	72	);
	73
1593d73d CW	74	// Contact permissions
1593d73d CW	75	$permissions['contact'] = array(
082d771a CW	76	'create' => array(
	77	'access CiviCRM',
	78	'add contacts',
	79	),
	80	'delete' => array(
	81	'access CiviCRM',
	82	'delete contacts',
	83	),
1593d73d CW	84	// managed by query object
1593d73d CW	85	'get' => array(),
082d771a CW	86	'update' => array(
	87	'access CiviCRM',
	88	'edit all contacts',
	89	),
1593d73d	90	'getquick' => array(
60ec9f43	91	array('access CiviCRM', 'access AJAX API'),
1593d73d	92	),
082d771a	93	);
1593d73d	94
bcb09fd8 DG	95	// Contact-related data permissions.
bcb09fd8 DG	96	// CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
1593d73d CW	97	$permissions['address'] = array(
1593d73d CW	98	'get' => array(
082d771a	99	'access CiviCRM',
1593d73d	100	'view all contacts',
082d771a	101	),
1593d73d	102	'default' => array(
082d771a CW	103	'access CiviCRM',
	104	'edit all contacts',
	105	),
082d771a	106	);
1593d73d CW	107	$permissions['email'] = $permissions['address'];
	108	$permissions['phone'] = $permissions['address'];
	109	$permissions['website'] = $permissions['address'];
	110	$permissions['im'] = $permissions['address'];
	111	$permissions['loc_block'] = $permissions['address'];
bcb09fd8	112	$permissions['entity_tag'] = $permissions['address'];
1593d73d CW	113	$permissions['note'] = $permissions['address'];
1593d73d CW	114
2f0e8374 JJ	115	//relationship permissions
	116	$permissions['relationship'] = array(
	117	'get' => array(
	118	'access CiviCRM',
	119	'view all contacts',
	120	),
	121	'delete' => array(
	122	'access CiviCRM',
	123	'delete contacts',
	124	),
	125	'default' => array(
	126	'access CiviCRM',
	127	'edit all contacts',
	128	),
	129	);
d75f2f47	130
1593d73d CW	131	// Activity permissions
1593d73d CW	132	$permissions['activity'] = array(
082d771a CW	133	'delete' => array(
082d771a CW	134	'access CiviCRM',
1593d73d	135	'delete activities',
082d771a	136	),
1593d73d	137	'default' => array(
082d771a	138	'access CiviCRM',
1593d73d	139	'view all activities',
082d771a CW	140	),
082d771a CW	141	);
1593d73d CW	142
	143	// Case permissions
	144	$permissions['case'] = array(
082d771a	145	'create' => array(
082d771a	146	'access CiviCRM',
1593d73d	147	'add cases',
082d771a CW	148	),
082d771a CW	149	'delete' => array(
082d771a	150	'access CiviCRM',
1593d73d	151	'delete in CiviCase',
082d771a	152	),
1593d73d	153	'default' => array(
082d771a	154	'access CiviCRM',
1593d73d	155	'access all cases and activities',
082d771a CW	156	),
082d771a CW	157	);
1593d73d CW	158
	159	// Financial permissions
	160	$permissions['contribution'] = array(
	161	'get' => array(
082d771a	162	'access CiviCRM',
1593d73d	163	'access CiviContribute',
082d771a CW	164	),
082d771a CW	165	'delete' => array(
082d771a	166	'access CiviCRM',
1593d73d CW	167	'access CiviContribute',
1593d73d CW	168	'delete in CiviContribute',
082d771a	169	),
0efa8efe	170	'completetransaction' => array(
	171	'edit contributions',
	172	),
1593d73d	173	'default' => array(
082d771a	174	'access CiviCRM',
1593d73d CW	175	'access CiviContribute',
1593d73d CW	176	'edit contributions',
082d771a	177	),
1593d73d CW	178	);
	179	$permissions['line_item'] = $permissions['contribution'];
	180
	181	// Custom field permissions
	182	$permissions['custom_field'] = array(
	183	'default' => array(
082d771a	184	'administer CiviCRM',
082d771a CW	185	'access all custom data',
	186	),
	187	);
1593d73d CW	188	$permissions['custom_group'] = $permissions['custom_field'];
	189
	190	// Event permissions
082d771a CW	191	$permissions['event'] = array(
	192	'create' => array(
	193	'access CiviCRM',
	194	'access CiviEvent',
	195	'edit all events',
	196	),
	197	'delete' => array(
	198	'access CiviCRM',
	199	'access CiviEvent',
	200	'delete in CiviEvent',
	201	),
	202	'get' => array(
	203	'access CiviCRM',
	204	'access CiviEvent',
	205	'view event info',
	206	),
	207	'update' => array(
	208	'access CiviCRM',
	209	'access CiviEvent',
	210	'edit all events',
	211	),
	212	);
1593d73d CW	213
1593d73d CW	214	// File permissions
082d771a	215	$permissions['file'] = array(
1593d73d	216	'default' => array(
082d771a CW	217	'access CiviCRM',
	218	'access uploaded files',
	219	),
	220	);
1593d73d CW	221	$permissions['files_by_entity'] = $permissions['file'];
	222
	223	// Group permissions
082d771a	224	$permissions['group'] = array(
082d771a CW	225	'get' => array(
082d771a CW	226	'access CiviCRM',
082d771a	227	),
1593d73d	228	'default' => array(
082d771a	229	'access CiviCRM',
1593d73d	230	'edit groups',
082d771a CW	231	),
082d771a CW	232	);
1593d73d CW	233	$permissions['group_contact'] = $permissions['group'];
	234	$permissions['group_nesting'] = $permissions['group'];
	235	$permissions['group_organization'] = $permissions['group'];
	236
56154d36 TO	237	// CiviMail Permissions
	238	$permissions['mailing'] = array(
	239	'get' => array(
	240	'access CiviCRM',
	241	'access CiviMail',
	242	),
	243	'delete' => array(
	244	'access CiviCRM',
	245	'access CiviMail',
	246	'delete in CiviMail',
	247	),
	248	'default' => array(
	249	'access CiviCRM',
	250	'access CiviMail',
	251	),
	252	);
	253
1593d73d	254	// Membership permissions
082d771a	255	$permissions['membership'] = array(
1593d73d	256	'get' => array(
082d771a CW	257	'access CiviCRM',
082d771a CW	258	'access CiviMember',
082d771a CW	259	),
	260	'delete' => array(
	261	'access CiviCRM',
	262	'access CiviMember',
	263	'delete in CiviMember',
	264	),
1593d73d	265	'default' => array(
082d771a CW	266	'access CiviCRM',
	267	'access CiviMember',
	268	'edit memberships',
	269	),
	270	);
1593d73d CW	271	$permissions['membership_status'] = $permissions['membership'];
1593d73d CW	272	$permissions['membership_type'] = $permissions['membership'];
082d771a CW	273	$permissions['membership_payment'] = array(
	274	'create' => array(
	275	'access CiviCRM',
	276	'access CiviMember',
	277	'edit memberships',
	278	'access CiviContribute',
	279	'edit contributions',
	280	),
	281	'delete' => array(
	282	'access CiviCRM',
	283	'access CiviMember',
	284	'delete in CiviMember',
	285	'access CiviContribute',
	286	'delete in CiviContribute',
	287	),
	288	'get' => array(
	289	'access CiviCRM',
	290	'access CiviMember',
	291	'access CiviContribute',
	292	),
	293	'update' => array(
	294	'access CiviCRM',
	295	'access CiviMember',
	296	'edit memberships',
	297	'access CiviContribute',
	298	'edit contributions',
	299	),
	300	);
1593d73d CW	301
1593d73d CW	302	// Participant permissions
082d771a CW	303	$permissions['participant'] = array(
	304	'create' => array(
	305	'access CiviCRM',
	306	'access CiviEvent',
	307	'register for events',
	308	),
	309	'delete' => array(
	310	'access CiviCRM',
	311	'access CiviEvent',
	312	'edit event participants',
	313	),
	314	'get' => array(
	315	'access CiviCRM',
	316	'access CiviEvent',
	317	'view event participants',
	318	),
	319	'update' => array(
	320	'access CiviCRM',
	321	'access CiviEvent',
	322	'edit event participants',
	323	),
	324	);
	325	$permissions['participant_payment'] = array(
	326	'create' => array(
	327	'access CiviCRM',
	328	'access CiviEvent',
	329	'register for events',
	330	'access CiviContribute',
	331	'edit contributions',
	332	),
	333	'delete' => array(
	334	'access CiviCRM',
	335	'access CiviEvent',
	336	'edit event participants',
	337	'access CiviContribute',
	338	'delete in CiviContribute',
	339	),
	340	'get' => array(
	341	'access CiviCRM',
	342	'access CiviEvent',
	343	'view event participants',
	344	'access CiviContribute',
	345	),
	346	'update' => array(
	347	'access CiviCRM',
	348	'access CiviEvent',
	349	'edit event participants',
	350	'access CiviContribute',
	351	'edit contributions',
	352	),
	353	);
1593d73d CW	354
1593d73d CW	355	// Pledge permissions
082d771a CW	356	$permissions['pledge'] = array(
	357	'create' => array(
	358	'access CiviCRM',
	359	'access CiviPledge',
	360	'edit pledges',
	361	),
	362	'delete' => array(
	363	'access CiviCRM',
	364	'access CiviPledge',
	365	'delete in CiviPledge',
	366	),
	367	'get' => array(
	368	'access CiviCRM',
	369	'access CiviPledge',
	370	),
	371	'update' => array(
	372	'access CiviCRM',
	373	'access CiviPledge',
	374	'edit pledges',
	375	),
	376	);
	377	$permissions['pledge_payment'] = array(
	378	'create' => array(
	379	'access CiviCRM',
	380	'access CiviPledge',
	381	'edit pledges',
	382	'access CiviContribute',
	383	'edit contributions',
	384	),
	385	'delete' => array(
	386	'access CiviCRM',
	387	'access CiviPledge',
	388	'delete in CiviPledge',
	389	'access CiviContribute',
	390	'delete in CiviContribute',
	391	),
	392	'get' => array(
	393	'access CiviCRM',
	394	'access CiviPledge',
	395	'access CiviContribute',
	396	),
	397	'update' => array(
	398	'access CiviCRM',
	399	'access CiviPledge',
	400	'edit pledges',
	401	'access CiviContribute',
	402	'edit contributions',
	403	),
	404	);
1593d73d CW	405
1593d73d CW	406	// Profile permissions
c85e32fc	407	$permissions['profile'] = array(
	408	'get' => array(), // the profile will take care of this
	409	);
	410
1593d73d	411	$permissions['uf_group'] = array(
082d771a CW	412	'get' => array(
082d771a CW	413	'access CiviCRM',
6a488035 TO	414	),
6a488035 TO	415	);
1593d73d	416	$permissions['uf_field'] = $permissions['uf_group'];
abdff0f7 CW	417	$permissions['option_value'] = $permissions['uf_group'];
abdff0f7 CW	418	$permissions['option_group'] = $permissions['option_value'];
6a488035	419
79089019 CW	420	// Translate 'create' action to 'update' if id is set
	421	if ($action == 'create' && (!empty($params['id']) \|\| !empty($params[$entity . '_id']))) {
	422	$action = 'update';
	423	}
	424
6a488035 TO	425	// let third parties modify the permissions
	426	CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);
	427
79089019 CW	428	// Merge permissions for this entity with the defaults
	429	$perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];
	430
	431	// Return exact match if permission for this action has been declared
	432	if (isset($perm[$action])) {
	433	return $perm[$action];
	434	}
	435
	436	// Translate specific actions into their generic equivalents
	437	$snippet = substr($action, 0, 3);
	438	if ($action == 'replace' \|\| $snippet == 'del') {
d013d45c TO	439	// 'Replace' is a combination of get+create+update+delete; however, the permissions
	440	// on each of those will be tested separately at runtime. This is just a sniff-test
	441	// based on the heuristic that 'delete' tends to be the most closesly guarded
	442	// of the necessary permissions.
79089019 CW	443	$action = 'delete';
	444	}
	445	elseif ($action == 'setvalue' \|\| $snippet == 'upd') {
	446	$action = 'update';
	447	}
	448	elseif ($action == 'getfields' \|\| $action == 'getspec' \|\| $action == 'getoptions') {
	449	$action = 'meta';
	450	}
	451	elseif ($snippet == 'get') {
	452	$action = 'get';
	453	}
	454	return isset($perm[$action]) ? $perm[$action] : $perm['default'];
6a488035 TO	455	}
	456
	457	# FIXME: not sure how to permission the following API 3 calls:
	458	# contribution_transact (make online contributions)
	459	# entity_tag_display
	460	# group_contact_pending
	461	# group_contact_update_status
	462	# mailing_event_bounce
	463	# mailing_event_click
	464	# mailing_event_confirm
	465	# mailing_event_forward
	466	# mailing_event_open
	467	# mailing_event_reply
	468	# mailing_group_event_domain_unsubscribe
	469	# mailing_group_event_resubscribe
	470	# mailing_group_event_subscribe
	471	# mailing_group_event_unsubscribe
	472	# membership_status_calc
	473	# survey_respondant_count