6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
7e9e8871 | 4 | | CiviCRM version 4.7 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
0f03f337 | 6 | | Copyright CiviCRM LLC (c) 2004-2017 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
d25dd0ee | 26 | */ |
6a488035 TO |
27 | |
/**
 * Decide what permissions to check for an api call.
 *
 * Builds the static entity/action permission matrix, hands it to
 * hook_civicrm_alterAPIPermissions, then resolves the entry for this
 * entity-action combination, falling back through the action aliases and
 * the 'default' entries described inline below.
 *
 * @param string $entity
 *   API entity. Normalised to the lowercase/underscore form internally; that
 *   normalised name is what the hook and the matrix keys use.
 * @param string $action
 *   API action. Compared case-sensitively against lowercase keys, so the
 *   caller is presumably expected to lowercase it first - confirm in the
 *   API kernel.
 * @param array $params
 *   API params, by reference. Only 'id' / '<entity>_id' are inspected here
 *   (to reclassify 'create' as 'update'); the reference is forwarded to the
 *   hook unchanged.
 *
 * @return array
 *   Array of permissions to check for this entity-action combo. Top-level
 *   entries are ANDed, a nested array is ORed (see the notes below). An empty
 *   array declares no permission at this layer; wherever that is done, the
 *   adjacent comment names the layer expected to enforce access instead, so
 *   those secondary checks must not be removed.
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  // FIXME: Lowercase entity_names are nonstandard but difficult to fix here
  // because this function invokes hook_civicrm_alterAPIPermissions
  $entity = _civicrm_api_get_entity_name_from_camel($entity);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   * * create: applies to create (with no id in params)
   * * update: applies to update, setvalue, create (with id in params)
   * * get: applies to getcount, getsingle, getvalue and other gets
   * * delete: applies to delete, replace
   * * meta: applies to getfields, getoptions, getspec
   * * default: catch-all for anything not declared
   *
   * Note: some APIs declare other actions as well
   *
   * Permissions should use arrays for AND and arrays of arrays for OR
   * (i.e. every top-level element must pass; a nested array passes if any
   * one of its elements does).
   * @see CRM_Core_Permission::check for more documentation
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  // This is the global safety net: anything not declared anywhere else ends up
  // requiring 'administer CiviCRM'.
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares it's own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  // Note: Additional permissions in DynamicFKAuthorization
  $permissions['attachment'] = array(
    'default' => array(
      // nested array = OR
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object (empty = nothing enforced at this layer)
    'get' => array(),
    // managed by _civicrm_api3_check_edit_permissions (empty = nothing enforced at this layer)
    'update' => array(),
    'getquick' => array(
      // nested array = OR
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // CRM-16963 - Permissions for country.
  $permissions['country'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'administer CiviCRM',
    ),
  );

  // Contact-related data permissions.
  // NOTE: 'default' => array() means every action on these entities - not
  // only get/create/delete but also setvalue, replace and any entity-specific
  // action - passes this layer unchecked; the layers named below are relied
  // upon entirely. A new action on any of these entities needs either an
  // explicit entry here or a check in those layers.
  $permissions['address'] = array(
    // get is managed by BAO::addSelectWhereClause
    // create/delete are managed by _civicrm_api3_check_edit_permissions
    'default' => array(),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['open_i_d'] = $permissions['address'];

  // Also managed by ACLs - CRM-19448
  // Same caveat as above: nothing is enforced at this layer for any action.
  $permissions['entity_tag'] = array('default' => array());
  $permissions['note'] = $permissions['entity_tag'];

  // Allow non-admins to get and create tags to support tagset widget
  // Delete is still reserved for admins
  // (no entity-level 'default' is declared, so delete - and any other
  // undeclared action - falls through to the global 'administer CiviCRM').
  $permissions['tag'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('access CiviCRM'),
    'update' => array('access CiviCRM'),
  );

  //relationship permissions
  // create/update are not declared and therefore resolve to 'default' here.
  $permissions['relationship'] = array(
    // get is managed by BAO::addSelectWhereClause
    'get' => array(),
    'delete' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // CRM-17741 - Permissions for RelationshipType.
  $permissions['relationship_type'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'administer CiviCRM',
    ),
  );

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'get' => array(
      'access CiviCRM',
      // Note that view all activities is also required within the api
      // if the id is not passed in. Where the id is passed in the activity
      // specific check functions are used and tested.
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
      array('access my cases and activities', 'access all cases and activities'),
    ),
  );
  $permissions['case_contact'] = $permissions['case'];

  $permissions['case_type'] = array(
    'default' => array('administer CiviCase'),
    'get' => array(
      // nested array = OR
      array('access my cases and activities', 'access all cases and activities'),
    ),
  );

  // Campaign permissions
  $permissions['campaign'] = array(
    'get' => array('access CiviCRM'),
    'default' => array(
      // nested array = OR
      array('administer CiviCampaign', 'manage campaign')
    ),
  );
  $permissions['survey'] = $permissions['campaign'];

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    // Declared explicitly so it is checked on its own rather than via 'default'.
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Payment permissions
  $permissions['payment'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'cancel' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
    'create' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );
  // Loc block is only used for events
  $permissions['loc_block'] = $permissions['event'];

  // Price sets are shared by several components, user needs access to at least one of them
  $permissions['price_set'] = array(
    'default' => array(
      // nested array = OR
      array('access CiviEvent', 'access CiviContribute', 'access CiviMember'),
    ),
    'get' => array(
      // nested array = OR: any one of these suffices, including
      // 'make online contributions' on its own.
      array('access CiviCRM', 'view event info', 'make online contributions'),
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );

  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  //Group Contact permission
  $permissions['group_contact'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // CiviMail Permissions
  // This list is used as a nested (OR) element below.
  $civiMailBasePerms = array(
    // To get/preview/update, one must have least one of these perms:
    // Mailing API implementations enforce nuances of create/approve/schedule permissions.
    'access CiviMail',
    'create mailings',
    'schedule mailings',
    'approve mailings',
  );
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
    'delete' => array(
      'access CiviCRM',
      $civiMailBasePerms,
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      // nested array = OR
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
  );
  $permissions['mailing_group'] = $permissions['mailing'];
  $permissions['mailing_job'] = $permissions['mailing'];
  $permissions['mailing_recipients'] = $permissions['mailing'];

  // A/B mailings require 'access CiviMail' outright rather than the OR list above.
  $permissions['mailing_a_b'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      // nested array = OR
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  // Spans two components, so both sets of perms are ANDed.
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  // Spans two components, so both sets of perms are ANDed.
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );

  //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
  // NOTE(review): the inner array() is a nested array, which this file
  // documents as OR - so as written, 'access CiviCRM' on its own satisfies
  // 'update' for any ActionSchedule, not just event reminders. The comment
  // above reads as if both permissions were intended (AND); if that is the
  // intent, the inner array() should be flattened into the top-level list.
  // Confirm against CRM-16777 before changing. All other actions (get,
  // create, delete) fall through to the global 'administer CiviCRM'.
  $permissions['action_schedule'] = array(
    'update' => array(
      array(
        'access CiviCRM',
        'edit all events',
      ),
    ),
  );

  // Spans two components, so both sets of perms are ANDed.
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    'get' => array(), // the profile will take care of this (nothing enforced at this layer)
  );

  // 'access CiviCRM' AND ('administer CiviCRM' OR 'manage event profiles').
  // No 'delete' is declared, so delete on uf_group/uf_join falls through to
  // the global 'administer CiviCRM'; uf_field gets its own delete entry below.
  $permissions['uf_group'] = array(
    'create' => array(
      'access CiviCRM',
      array(
        'administer CiviCRM',
        'manage event profiles',
      ),
    ),
    'get' => array(
      'access CiviCRM',
    ),
    'update' => array(
      'access CiviCRM',
      array(
        'administer CiviCRM',
        'manage event profiles',
      ),
    ),
  );
  $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
  $permissions['uf_field']['delete'] = array(
    'access CiviCRM',
    array(
      'administer CiviCRM',
      'manage event profiles',
    ),
  );
  // Option values/groups inherit the profile rules above, so 'manage event
  // profiles' (not only 'administer CiviCRM') is sufficient to create and
  // update them; delete still falls through to 'administer CiviCRM'.
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  // delete is not declared and falls through to the global 'administer CiviCRM'.
  $permissions['message_template'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('edit message templates'),
    'update' => array('edit message templates'),
  );

  // Translate 'create' action to 'update' if id is set
  // This happens BEFORE the hook, whereas the other aliases (del*/upd*/get*
  // etc.) are applied after it - so a hook sees 'update' for a create-with-id
  // but the raw name (e.g. 'getsingle') for everything else.
  if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  // The hook may rewrite the whole matrix; the merge below assumes
  // $permissions['default'] still exists afterwards.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults
  // Array union (+) keeps the entity's keys and only fills in keys it lacks
  // from the global default - so an entity-level 'default' beats the global one.
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  // Matching is by 3-character prefix (e.g. 'deletefoo' -> delete,
  // 'getlist' -> get). An action that matches none of the cases resolves to
  // the entity's 'default' (or the global 'administer CiviCRM'); since an
  // entity 'default' can be weaker than its 'delete'/'update' entry (compare
  // activity above), an action name that does not match here - e.g. one in a
  // different case - is not guaranteed to receive the stricter check.
  $snippet = substr($action, 0, 3);
  if ($action == 'replace' || $snippet == 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closely guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action == 'setvalue' || $snippet == 'upd') {
    $action = 'update';
  }
  elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet == 'get') {
    $action = 'get';
  }
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}
630 | ||
# FIXME: not sure how to permission the following API 3 calls (as far as this function is concerned, until an entry is added above they resolve through the entity's 'default' entry, or the global 'administer CiviCRM' when the entity declares none):
632 | # contribution_transact (make online contributions) | |
633 | # entity_tag_display | |
634 | # group_contact_pending | |
635 | # group_contact_update_status | |
636 | # mailing_event_bounce | |
637 | # mailing_event_click | |
638 | # mailing_event_confirm | |
639 | # mailing_event_forward | |
640 | # mailing_event_open | |
641 | # mailing_event_reply | |
642 | # mailing_group_event_domain_unsubscribe | |
643 | # mailing_group_event_resubscribe | |
644 | # mailing_group_event_subscribe | |
645 | # mailing_group_event_unsubscribe | |
646 | # membership_status_calc | |
647 | # survey_respondant_count |