Merge pull request #4806 from civicrm/4.5
[civicrm-core.git] / CRM / Core / DAO / permissions.php
1<?php
2
3/*
4 +--------------------------------------------------------------------+
39de6fd5 5 | CiviCRM version 4.6 |
6a488035 6 +--------------------------------------------------------------------+
06b69b18 7 | Copyright CiviCRM LLC (c) 2004-2014 |
8 +--------------------------------------------------------------------+
9 | This file is a part of CiviCRM. |
10 | |
11 | CiviCRM is free software; you can copy, modify, and distribute it |
12 | under the terms of the GNU Affero General Public License |
13 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | |
15 | CiviCRM is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
18 | See the GNU Affero General Public License for more details. |
19 | |
20 | You should have received a copy of the GNU Affero General Public |
21 | License and the CiviCRM Licensing Exception along |
22 | with this program; if not, contact CiviCRM LLC |
23 | at info[AT]civicrm[DOT]org. If you have questions about the |
24 | GNU Affero General Public License or the licensing of CiviCRM, |
25 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
26 +--------------------------------------------------------------------+
27*/
28
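/**
 * Decide what permissions to check for an api call.
 *
 * The contact must have all of the returned permissions for the api call to be allowed.
 *
 * NOTE(review): one entry below (contact/getquick) returns a nested array. How the
 * caller evaluates a nested array is not visible in this file - confirm whether it
 * is treated as an "any of" group rather than "all of".
 *
 * @param string $entity api entity
 * @param string $action api action
 * @param array $params api params; passed by reference and handed to the
 *   alterAPIPermissions hook
 *
 * @return array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  $entity = _civicrm_api_get_entity_name_from_camel($entity);
  $action = strtolower($action);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   * * create: applies to create (with no id in params)
   * * update: applies to update, setvalue, create (with id in params)
   * * get: applies to getcount, getsingle, getvalue and other gets
   * * delete: applies to delete, replace
   * * meta: applies to getfields, getoptions, getspec
   * * default: catch-all for anything not declared
   *
   * Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares its own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  $permissions['attachment'] = array(
    'default' => array('access CiviCRM', 'access AJAX API'),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array('access CiviCRM', 'add contacts'),
    'delete' => array('access CiviCRM', 'delete contacts'),
    // managed by query object
    // An empty list means this function asks for no permission at all on contact
    // reads, so access control for every get* action that maps to 'get' rests
    // entirely on that query-level filtering.
    'get' => array(),
    'update' => array('access CiviCRM', 'edit all contacts'),
    // NOTE(review): this list is nested one level deeper than every other entry,
    // while 'attachment' above lists the same two permissions flat. If the caller
    // treats a nested array as "any of", getquick needs only one of the two -
    // confirm that this is intended.
    'getquick' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    'get' => array('access CiviCRM', 'view all contacts'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );
  // Array assignment copies by value: these entities start out with the same
  // rules as 'address' but can be altered independently by the hook below.
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  // Relationship permissions
  $permissions['relationship'] = array(
    'get' => array('access CiviCRM', 'view all contacts'),
    'delete' => array('access CiviCRM', 'delete contacts'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );

  // Activity permissions
  // NOTE(review): only 'delete' is declared separately, so create and update fall
  // through to 'default' and are checked against a view-level permission -
  // confirm that this is intended.
  $permissions['activity'] = array(
    'delete' => array('access CiviCRM', 'delete activities'),
    'default' => array('access CiviCRM', 'view all activities'),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array('access CiviCRM', 'add cases'),
    'delete' => array('access CiviCRM', 'delete in CiviCase'),
    'default' => array('access CiviCRM', 'access all cases and activities'),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array('access CiviCRM', 'access CiviContribute'),
    'delete' => array('access CiviCRM', 'access CiviContribute', 'delete in CiviContribute'),
    // NOTE(review): unlike the other contribution actions, this one lists neither
    // 'access CiviCRM' nor 'access CiviContribute' - confirm the omission is deliberate.
    'completetransaction' => array('edit contributions'),
    'default' => array('access CiviCRM', 'access CiviContribute', 'edit contributions'),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array('administer CiviCRM', 'access all custom data'),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'delete in CiviEvent'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event info'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array('access CiviCRM', 'access uploaded files'),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array('access CiviCRM'),
    'default' => array('access CiviCRM', 'edit groups'),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // CiviMail Permissions
  $permissions['mailing'] = array(
    'get' => array('access CiviCRM', 'access CiviMail'),
    'delete' => array('access CiviCRM', 'access CiviMail', 'delete in CiviMail'),
    'default' => array('access CiviCRM', 'access CiviMail'),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array('access CiviCRM', 'access CiviMember'),
    'delete' => array('access CiviCRM', 'access CiviMember', 'delete in CiviMember'),
    'default' => array('access CiviCRM', 'access CiviMember', 'edit memberships'),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviMember', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'register for events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event participants'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
    'delete' => array('access CiviCRM', 'access CiviPledge', 'delete in CiviPledge'),
    'get' => array('access CiviCRM', 'access CiviPledge'),
    'update' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviPledge', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    // the profile will take care of this
    // (as with contact 'get', an empty list requests no permission check here)
    'get' => array(),
  );

  $permissions['uf_group'] = array(
    'get' => array('access CiviCRM'),
  );
  $permissions['uf_field'] = $permissions['uf_group'];

  // Translate 'create' action to 'update' if id is set.
  // $action is the string returned by strtolower() at this point, so the strict
  // comparison is exact.
  if ($action === 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  // Whatever the hook leaves in $permissions is what gets enforced below, so every
  // installed hook implementation is part of the authorization policy.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults.
  // The array union keeps the entity's own keys and only fills in the missing
  // ones ('meta', 'default') from the defaults.
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents.
  // Matching is by three-letter prefix, so an undeclared custom action is checked
  // against whichever generic rule its name happens to start with; an action that
  // modifies data should therefore be declared explicitly rather than rely on
  // this mapping. Comparisons are strict so that a non-string value can never
  // match an action name through type juggling.
  $snippet = substr($action, 0, 3);
  if ($action === 'replace' || $snippet === 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closely guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action === 'setvalue' || $snippet === 'upd') {
    $action = 'update';
  }
  elseif ($action === 'getfields' || $action === 'getspec' || $action === 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet === 'get') {
    $action = 'get';
  }
  // Anything still undeclared falls back to the entity's 'default' entry, or to
  // the global one ('administer CiviCRM' unless a hook changed it).
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}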
453
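# FIXME: it is not yet decided how the following API 3 calls should be permissioned
# (until they are declared, _civicrm_api3_permissions() resolves them through its fallback rules):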
455# contribution_transact (make online contributions)
456# entity_tag_display
457# group_contact_pending
458# group_contact_update_status
459# mailing_event_bounce
460# mailing_event_click
461# mailing_event_confirm
462# mailing_event_forward
463# mailing_event_open
464# mailing_event_reply
465# mailing_group_event_domain_unsubscribe
466# mailing_group_event_resubscribe
467# mailing_group_event_subscribe
468# mailing_group_event_unsubscribe
469# membership_status_calc
470# survey_respondant_count