[civicrm-core.git] / CRM / Core / DAO / permissions.php

<?php

/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.3                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2013                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 * Decide what permissions to check for an api call
 * The contact must have all of the returned permissions for the api call to be allowed
 *
 * @param $entity: (str) api entity
 * @param $action: (str) api action
 * @param $params: (array) api params
 *
 * @return array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  $entity = _civicrm_api_get_entity_name_from_camel($entity);
  $action = strtolower($action);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   *  Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares it's own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'getquick' => array(
      'access CiviCRM',
    ),
  );

  // Contact-related data permissions
  $permissions['address'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      'access CiviCRM',
      'access all cases and activities',
    ),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['uf_group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
  );
  $permissions['uf_field'] = $permissions['uf_group'];

  // Translate 'create' action to 'update' if id is set
  if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  $snippet = substr($action, 0, 3);
  if ($action == 'replace' || $snippet == 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closesly guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action == 'setvalue' || $snippet == 'upd') {
    $action = 'update';
  }
  elseif ($action == 'getfields' || $action == 'getspec' || $action == 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet == 'get') {
    $action = 'get';
  }
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}

# FIXME: not sure how to permission the following API 3 calls:
# contribution_transact (make online contributions)
# entity_tag_display
# group_contact_pending
# group_contact_update_status
# mailing_event_bounce
# mailing_event_click
# mailing_event_confirm
# mailing_event_forward
# mailing_event_open
# mailing_event_reply
# mailing_group_event_domain_unsubscribe
# mailing_group_event_resubscribe
# mailing_group_event_subscribe
# mailing_group_event_unsubscribe
# membership_status_calc
# survey_respondant_count
Commit	Line	Data
6a488035 TO	1	<?php
	2
	3	/*
	4	+--------------------------------------------------------------------+
	5	\| CiviCRM version 4.3 \|
	6	+--------------------------------------------------------------------+
	7	\| Copyright CiviCRM LLC (c) 2004-2013 \|
	8	+--------------------------------------------------------------------+
	9	\| This file is a part of CiviCRM. \|
	10	\| \|
	11	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	12	\| under the terms of the GNU Affero General Public License \|
	13	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	14	\| \|
	15	\| CiviCRM is distributed in the hope that it will be useful, but \|
	16	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	17	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	18	\| See the GNU Affero General Public License for more details. \|
	19	\| \|
	20	\| You should have received a copy of the GNU Affero General Public \|
	21	\| License and the CiviCRM Licensing Exception along \|
	22	\| with this program; if not, contact CiviCRM LLC \|
	23	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	24	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	25	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	26	+--------------------------------------------------------------------+
	27	*/
	28
	29	/**
082d771a CW	30	* Decide what permissions to check for an api call
082d771a CW	31	* The contact must have all of the returned permissions for the api call to be allowed
6a488035	32	*
082d771a CW	33	* @param $entity: (str) api entity
	34	* @param $action: (str) api action
	35	* @param $params: (array) api params
6a488035	36	*
082d771a	37	* @return array of permissions to check for this entity-action combo
6a488035	38	*/
6a488035	39	function _civicrm_api3_permissions($entity, $action, &$params) {
47e6af81	40	$entity = _civicrm_api_get_entity_name_from_camel($entity);
6a488035	41	$action = strtolower($action);
79089019 CW	42
	43	/**
	44	* @var array of permissions
	45	*
	46	* For each entity, we declare an array of permissions required for each action
	47	* The action is the array key, possible values:
	48	* * create: applies to create (with no id in params)
	49	* * update: applies to update, setvalue, create (with id in params)
	50	* * get: applies to getcount, getsingle, getvalue and other gets
	51	* * delete: applies to delete, replace
	52	* * meta: applies to getfields, getoptions, getspec
	53	* * default: catch-all for anything not declared
	54	*
	55	* Note: some APIs declare other actions as well
	56	*/
082d771a CW	57	$permissions = array();
082d771a CW	58
79089019 CW	59	// These are the default permissions - if any entity does not declare permissions for a given action,
	60	// (or the entity does not declare permissions at all) - then the action will be used from here
	61	$permissions['default'] = array(
	62	// applies to getfields, getoptions, etc.
	63	'meta' => array('access CiviCRM'),
	64	// catch-all, applies to create, get, delete, etc.
	65	// If an entity declares it's own 'default' action it will override this one
	66	'default' => array('administer CiviCRM'),
	67	);
	68
1593d73d CW	69	// Contact permissions
1593d73d CW	70	$permissions['contact'] = array(
082d771a CW	71	'create' => array(
	72	'access CiviCRM',
	73	'add contacts',
	74	),
	75	'delete' => array(
	76	'access CiviCRM',
	77	'delete contacts',
	78	),
1593d73d CW	79	// managed by query object
1593d73d CW	80	'get' => array(),
082d771a CW	81	'update' => array(
	82	'access CiviCRM',
	83	'edit all contacts',
	84	),
1593d73d CW	85	'getquick' => array(
	86	'access CiviCRM',
	87	),
082d771a	88	);
1593d73d CW	89
	90	// Contact-related data permissions
	91	$permissions['address'] = array(
	92	'get' => array(
082d771a	93	'access CiviCRM',
1593d73d	94	'view all contacts',
082d771a CW	95	),
	96	'delete' => array(
	97	'access CiviCRM',
	98	'delete contacts',
	99	),
1593d73d	100	'default' => array(
082d771a CW	101	'access CiviCRM',
	102	'edit all contacts',
	103	),
082d771a	104	);
1593d73d CW	105	$permissions['email'] = $permissions['address'];
	106	$permissions['phone'] = $permissions['address'];
	107	$permissions['website'] = $permissions['address'];
	108	$permissions['im'] = $permissions['address'];
	109	$permissions['loc_block'] = $permissions['address'];
	110	$permissions['entity_tag'] = $permissions['address'];
	111	$permissions['note'] = $permissions['address'];
	112
	113	// Activity permissions
	114	$permissions['activity'] = array(
082d771a CW	115	'delete' => array(
082d771a CW	116	'access CiviCRM',
1593d73d	117	'delete activities',
082d771a	118	),
1593d73d	119	'default' => array(
082d771a	120	'access CiviCRM',
1593d73d	121	'view all activities',
082d771a CW	122	),
082d771a CW	123	);
1593d73d CW	124
	125	// Case permissions
	126	$permissions['case'] = array(
082d771a	127	'create' => array(
082d771a	128	'access CiviCRM',
1593d73d	129	'add cases',
082d771a CW	130	),
082d771a CW	131	'delete' => array(
082d771a	132	'access CiviCRM',
1593d73d	133	'delete in CiviCase',
082d771a	134	),
1593d73d	135	'default' => array(
082d771a	136	'access CiviCRM',
1593d73d	137	'access all cases and activities',
082d771a CW	138	),
082d771a CW	139	);
1593d73d CW	140
	141	// Financial permissions
	142	$permissions['contribution'] = array(
	143	'get' => array(
082d771a	144	'access CiviCRM',
1593d73d	145	'access CiviContribute',
082d771a CW	146	),
082d771a CW	147	'delete' => array(
082d771a	148	'access CiviCRM',
1593d73d CW	149	'access CiviContribute',
1593d73d CW	150	'delete in CiviContribute',
082d771a	151	),
1593d73d	152	'default' => array(
082d771a	153	'access CiviCRM',
1593d73d CW	154	'access CiviContribute',
1593d73d CW	155	'edit contributions',
082d771a	156	),
1593d73d CW	157	);
	158	$permissions['line_item'] = $permissions['contribution'];
	159
	160	// Custom field permissions
	161	$permissions['custom_field'] = array(
	162	'default' => array(
082d771a	163	'administer CiviCRM',
082d771a CW	164	'access all custom data',
	165	),
	166	);
1593d73d CW	167	$permissions['custom_group'] = $permissions['custom_field'];
	168
	169	// Event permissions
082d771a CW	170	$permissions['event'] = array(
	171	'create' => array(
	172	'access CiviCRM',
	173	'access CiviEvent',
	174	'edit all events',
	175	),
	176	'delete' => array(
	177	'access CiviCRM',
	178	'access CiviEvent',
	179	'delete in CiviEvent',
	180	),
	181	'get' => array(
	182	'access CiviCRM',
	183	'access CiviEvent',
	184	'view event info',
	185	),
	186	'update' => array(
	187	'access CiviCRM',
	188	'access CiviEvent',
	189	'edit all events',
	190	),
	191	);
1593d73d CW	192
1593d73d CW	193	// File permissions
082d771a	194	$permissions['file'] = array(
1593d73d	195	'default' => array(
082d771a CW	196	'access CiviCRM',
	197	'access uploaded files',
	198	),
	199	);
1593d73d CW	200	$permissions['files_by_entity'] = $permissions['file'];
	201
	202	// Group permissions
082d771a	203	$permissions['group'] = array(
082d771a CW	204	'get' => array(
082d771a CW	205	'access CiviCRM',
082d771a	206	),
1593d73d	207	'default' => array(
082d771a	208	'access CiviCRM',
1593d73d	209	'edit groups',
082d771a CW	210	),
082d771a CW	211	);
1593d73d CW	212	$permissions['group_contact'] = $permissions['group'];
	213	$permissions['group_nesting'] = $permissions['group'];
	214	$permissions['group_organization'] = $permissions['group'];
	215
	216	// Membership permissions
082d771a	217	$permissions['membership'] = array(
1593d73d	218	'get' => array(
082d771a CW	219	'access CiviCRM',
082d771a CW	220	'access CiviMember',
082d771a CW	221	),
	222	'delete' => array(
	223	'access CiviCRM',
	224	'access CiviMember',
	225	'delete in CiviMember',
	226	),
1593d73d	227	'default' => array(
082d771a CW	228	'access CiviCRM',
	229	'access CiviMember',
	230	'edit memberships',
	231	),
	232	);
1593d73d CW	233	$permissions['membership_status'] = $permissions['membership'];
1593d73d CW	234	$permissions['membership_type'] = $permissions['membership'];
082d771a CW	235	$permissions['membership_payment'] = array(
	236	'create' => array(
	237	'access CiviCRM',
	238	'access CiviMember',
	239	'edit memberships',
	240	'access CiviContribute',
	241	'edit contributions',
	242	),
	243	'delete' => array(
	244	'access CiviCRM',
	245	'access CiviMember',
	246	'delete in CiviMember',
	247	'access CiviContribute',
	248	'delete in CiviContribute',
	249	),
	250	'get' => array(
	251	'access CiviCRM',
	252	'access CiviMember',
	253	'access CiviContribute',
	254	),
	255	'update' => array(
	256	'access CiviCRM',
	257	'access CiviMember',
	258	'edit memberships',
	259	'access CiviContribute',
	260	'edit contributions',
	261	),
	262	);
1593d73d CW	263
1593d73d CW	264	// Participant permissions
082d771a CW	265	$permissions['participant'] = array(
	266	'create' => array(
	267	'access CiviCRM',
	268	'access CiviEvent',
	269	'register for events',
	270	),
	271	'delete' => array(
	272	'access CiviCRM',
	273	'access CiviEvent',
	274	'edit event participants',
	275	),
	276	'get' => array(
	277	'access CiviCRM',
	278	'access CiviEvent',
	279	'view event participants',
	280	),
	281	'update' => array(
	282	'access CiviCRM',
	283	'access CiviEvent',
	284	'edit event participants',
	285	),
	286	);
	287	$permissions['participant_payment'] = array(
	288	'create' => array(
	289	'access CiviCRM',
	290	'access CiviEvent',
	291	'register for events',
	292	'access CiviContribute',
	293	'edit contributions',
	294	),
	295	'delete' => array(
	296	'access CiviCRM',
	297	'access CiviEvent',
	298	'edit event participants',
	299	'access CiviContribute',
	300	'delete in CiviContribute',
	301	),
	302	'get' => array(
	303	'access CiviCRM',
	304	'access CiviEvent',
	305	'view event participants',
	306	'access CiviContribute',
	307	),
	308	'update' => array(
	309	'access CiviCRM',
	310	'access CiviEvent',
	311	'edit event participants',
	312	'access CiviContribute',
	313	'edit contributions',
	314	),
	315	);
1593d73d CW	316
1593d73d CW	317	// Pledge permissions
082d771a CW	318	$permissions['pledge'] = array(
	319	'create' => array(
	320	'access CiviCRM',
	321	'access CiviPledge',
	322	'edit pledges',
	323	),
	324	'delete' => array(
	325	'access CiviCRM',
	326	'access CiviPledge',
	327	'delete in CiviPledge',
	328	),
	329	'get' => array(
	330	'access CiviCRM',
	331	'access CiviPledge',
	332	),
	333	'update' => array(
	334	'access CiviCRM',
	335	'access CiviPledge',
	336	'edit pledges',
	337	),
	338	);
	339	$permissions['pledge_payment'] = array(
	340	'create' => array(
	341	'access CiviCRM',
	342	'access CiviPledge',
	343	'edit pledges',
	344	'access CiviContribute',
	345	'edit contributions',
	346	),
	347	'delete' => array(
	348	'access CiviCRM',
	349	'access CiviPledge',
	350	'delete in CiviPledge',
	351	'access CiviContribute',
	352	'delete in CiviContribute',
	353	),
	354	'get' => array(
	355	'access CiviCRM',
	356	'access CiviPledge',
	357	'access CiviContribute',
	358	),
	359	'update' => array(
	360	'access CiviCRM',
	361	'access CiviPledge',
	362	'edit pledges',
	363	'access CiviContribute',
	364	'edit contributions',
	365	),
	366	);
1593d73d CW	367
	368	// Profile permissions
	369	$permissions['uf_group'] = array(
082d771a CW	370	'get' => array(
082d771a CW	371	'access CiviCRM',
6a488035 TO	372	),
6a488035 TO	373	);
1593d73d	374	$permissions['uf_field'] = $permissions['uf_group'];
6a488035	375
79089019 CW	376	// Translate 'create' action to 'update' if id is set
	377	if ($action == 'create' && (!empty($params['id']) \|\| !empty($params[$entity . '_id']))) {
	378	$action = 'update';
	379	}
	380
6a488035 TO	381	// let third parties modify the permissions
	382	CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);
	383
79089019 CW	384	// Merge permissions for this entity with the defaults
	385	$perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];
	386
	387	// Return exact match if permission for this action has been declared
	388	if (isset($perm[$action])) {
	389	return $perm[$action];
	390	}
	391
	392	// Translate specific actions into their generic equivalents
	393	$snippet = substr($action, 0, 3);
	394	if ($action == 'replace' \|\| $snippet == 'del') {
d013d45c TO	395	// 'Replace' is a combination of get+create+update+delete; however, the permissions
	396	// on each of those will be tested separately at runtime. This is just a sniff-test
	397	// based on the heuristic that 'delete' tends to be the most closesly guarded
	398	// of the necessary permissions.
79089019 CW	399	$action = 'delete';
	400	}
	401	elseif ($action == 'setvalue' \|\| $snippet == 'upd') {
	402	$action = 'update';
	403	}
	404	elseif ($action == 'getfields' \|\| $action == 'getspec' \|\| $action == 'getoptions') {
	405	$action = 'meta';
	406	}
	407	elseif ($snippet == 'get') {
	408	$action = 'get';
	409	}
	410	return isset($perm[$action]) ? $perm[$action] : $perm['default'];
6a488035 TO	411	}
	412
	413	# FIXME: not sure how to permission the following API 3 calls:
	414	# contribution_transact (make online contributions)
	415	# entity_tag_display
	416	# group_contact_pending
	417	# group_contact_update_status
	418	# mailing_event_bounce
	419	# mailing_event_click
	420	# mailing_event_confirm
	421	# mailing_event_forward
	422	# mailing_event_open
	423	# mailing_event_reply
	424	# mailing_group_event_domain_unsubscribe
	425	# mailing_group_event_resubscribe
	426	# mailing_group_event_subscribe
	427	# mailing_group_event_unsubscribe
	428	# membership_status_calc
	429	# survey_respondant_count