Merge pull request #5613 from rohankatkar/CRM-16264
[civicrm-core.git] / CRM / Core / DAO / permissions.php
6a488035 1<?php
6a488035
TO
2/*
3 +--------------------------------------------------------------------+
39de6fd5 4 | CiviCRM version 4.6 |
6a488035 5 +--------------------------------------------------------------------+
e7112fa7 6 | Copyright CiviCRM LLC (c) 2004-2015 |
6a488035
TO
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
6a488035
TO
27
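/**
 * Decide what permissions to check for an api call
 *
 * Every top-level element of the returned array must be satisfied for the api
 * call to be allowed. A top-level element that is itself an array is an
 * "any of" group: the contact needs at least one of the permissions listed in
 * it (see the CiviMail block below).
 *
 * An empty array means no permission is requested at this layer. The entries
 * that use it ('contact'/'get', 'profile'/'get') note that the check is made
 * elsewhere (query object, profile).
 *
 * @param $entity : (str) api entity
 * @param $action : (str) api action
 * @param $params : (array) api params
 *
 * @return array
 *   Array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  // FIXME: Lowercase entity_names are nonstandard but difficult to fix here
  // because this function invokes hook_civicrm_alterAPIPermissions
  $entity = _civicrm_api_get_entity_name_from_camel($entity);

  // Used whenever no usable 'default' entry survives the hook below, so that a
  // missing entry resolves to the most restrictive requirement, not to NULL.
  $fallback = array('administer CiviCRM');

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   *  Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares its own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  // Note: Additional permissions in DynamicFKAuthorization
  $permissions['attachment'] = array(
    'default' => array(
      // nested array: any one of these is enough
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'getquick' => array(
      // nested array: any one of these is enough
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  // Allow non-admins to get and create tags to support tagset widget
  // Delete is still reserved for admins: no 'delete' or 'default' is declared
  // here, so it resolves to the global default ('administer CiviCRM')
  $permissions['tag'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('access CiviCRM'),
    'update' => array('access CiviCRM'),
  );

  //relationship permissions
  $permissions['relationship'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // Activity permissions
  // NOTE(review): create/update are not declared, so they resolve to 'default'
  // and are gated here by 'view all activities' only - confirm the activity
  // API applies any stricter write check itself.
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      'access CiviCRM',
      'access all cases and activities',
    ),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    // NOTE(review): unlike the sibling actions this one lists neither
    // 'access CiviCRM' nor 'access CiviContribute' - confirm that is intended.
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // CiviMail Permissions
  $civiMailBasePerms = array(
    // To get/preview/update, one must have at least one of these perms:
    // Mailing API implementations enforce nuances of create/approve/schedule permissions.
    'access CiviMail',
    'create mailings',
    'schedule mailings',
    'approve mailings',
  );
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
    'delete' => array(
      'access CiviCRM',
      $civiMailBasePerms,
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
  );
  $permissions['mailing_group'] = $permissions['mailing'];
  $permissions['mailing_job'] = $permissions['mailing'];
  $permissions['mailing_recipients'] = $permissions['mailing'];

  $permissions['mailing_a_b'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    'get' => array(), // the profile will take care of this
  );

  $permissions['uf_group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
  );
  $permissions['uf_field'] = $permissions['uf_group'];
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  // Translate 'create' action to 'update' if id is set
  if ($action === 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // The hook may have rewritten any part of $permissions, including the
  // defaults, so do not assume the shape declared above still holds.
  $defaults = (isset($permissions['default']) && is_array($permissions['default'])) ? $permissions['default'] : array();
  $entityPerms = CRM_Utils_Array::value($entity, $permissions, array());
  if (!is_array($entityPerms)) {
    $entityPerms = array();
  }

  // Merge permissions for this entity with the defaults
  // (array union: actions declared by the entity win over the defaults)
  $perm = $entityPerms + $defaults;

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  $snippet = substr($action, 0, 3);
  if ($action === 'replace' || $snippet === 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closely guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action === 'setvalue' || $snippet === 'upd') {
    $action = 'update';
  }
  elseif ($action === 'getfields' || $action === 'getspec' || $action === 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet === 'get') {
    $action = 'get';
  }

  if (isset($perm[$action])) {
    return $perm[$action];
  }
  // Fail closed: an absent or NULL 'default' entry resolves to the admin-only fallback
  return isset($perm['default']) ? $perm['default'] : $fallback;
}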
502
503# FIXME: not sure how to permission the following API 3 calls:
504# contribution_transact (make online contributions)
505# entity_tag_display
506# group_contact_pending
507# group_contact_update_status
508# mailing_event_bounce
509# mailing_event_click
510# mailing_event_confirm
511# mailing_event_forward
512# mailing_event_open
513# mailing_event_reply
514# mailing_group_event_domain_unsubscribe
515# mailing_group_event_resubscribe
516# mailing_group_event_subscribe
517# mailing_group_event_unsubscribe
518# membership_status_calc
519# survey_respondant_count