CRM-15854 - MailingAB API - Restrict to 'access CiviMail'
[civicrm-core.git] / CRM / Core / DAO / permissions.php
6a488035 1<?php
2/*
3 +--------------------------------------------------------------------+
39de6fd5 4 | CiviCRM version 4.6 |
6a488035 5 +--------------------------------------------------------------------+
06b69b18 6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
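/**
 * Decide what permissions to check for an api call.
 *
 * The contact must satisfy every top-level element of the returned array for
 * the api call to be allowed. An element that is itself an array is an
 * "any one of these" group (see the CiviMail entries below). An empty array
 * means this layer demands nothing and the entity is expected to enforce
 * access elsewhere (e.g. 'contact' get is managed by the query object).
 *
 * Lookup order for the normalised action:
 *  1. exact match in the entity's table (merged over the global defaults);
 *  2. the generic equivalent (delete / update / meta / get);
 *  3. the 'default' entry, which for an entity that declares none is
 *     'administer CiviCRM'.
 *
 * @param string $entity
 *   Api entity; converted to its lowercase_underscore name before lookup.
 * @param string $action
 *   Api action; lowercased before lookup.
 * @param array $params
 *   Api params, passed by reference to hook_civicrm_alterAPIPermissions.
 *
 * @return array
 *   Array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  // FIXME: Lowercase entity_names are nonstandard but difficult to fix here
  // because this function invokes hook_civicrm_alterAPIPermissions
  $entity = _civicrm_api_get_entity_name_from_camel($entity);

  // Every key in the table below is lowercase and every comparison further
  // down is case-sensitive. Without this, a mixed-case action such as
  // 'Delete' would match neither the 'delete' key nor the 'del' prefix and
  // would be checked against the entity's 'default' entry instead, which for
  // several entities (activity, case, relationship) is weaker than 'delete'.
  // NOTE(review): callers may already normalise the action; that is not
  // visible from this file, so it is enforced here as well. The hook below
  // consequently receives the lowercased action.
  $action = strtolower($action);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   *  Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares its own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  // Note: Additional permissions in DynamicFKAuthorization
  $permissions['attachment'] = array(
    'default' => array(
      // Nested array: either permission is sufficient.
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object
    // (empty list: nothing is checked at this layer for contact reads)
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'getquick' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  // Relationship permissions
  $permissions['relationship'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      'access CiviCRM',
      'access all cases and activities',
    ),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    // NOTE(review): unlike the other contribution actions, this entry does
    // not list 'access CiviCRM' or 'access CiviContribute' - confirm that
    // requiring only 'edit contributions' here is intentional.
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // CiviMail Permissions
  $civiMailBasePerms = array(
    // To get/preview/update, one must have at least one of these perms:
    // Mailing API implementations enforce nuances of create/approve/schedule permissions.
    'access CiviMail',
    'create mailings',
    'schedule mailings',
    'approve mailings',
  );
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
    'delete' => array(
      'access CiviCRM',
      $civiMailBasePerms,
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
  );
  $permissions['mailing_group'] = $permissions['mailing'];
  $permissions['mailing_job'] = $permissions['mailing'];
  $permissions['mailing_recipients'] = $permissions['mailing'];

  // MailingAB requires 'access CiviMail' itself for get/delete/default, not
  // the wider any-of set in $civiMailBasePerms. 'submit' still accepts
  // 'schedule mailings' as an alternative to 'access CiviMail'.
  $permissions['mailing_a_b'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    // the profile will take care of this
    'get' => array(),
  );

  // Only 'get' is declared for these entities, so every other action falls
  // through to the global 'default' entry ('administer CiviCRM').
  $permissions['uf_group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
  );
  $permissions['uf_field'] = $permissions['uf_group'];
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  // Translate 'create' action to 'update' if id is set
  if ($action === 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  // The hook runs before the lookup, so an implementation can add, tighten
  // or loosen any entry in $permissions.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults
  // (array union: the entity's own keys win, the defaults fill the gaps)
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  $snippet = substr($action, 0, 3);
  if ($action === 'replace' || $snippet === 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closely guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action === 'setvalue' || $snippet === 'upd') {
    $action = 'update';
  }
  elseif ($action === 'getfields' || $action === 'getspec' || $action === 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet === 'get') {
    $action = 'get';
  }
  // Anything still unmatched is checked against the merged 'default' entry.
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}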
494
495# FIXME: not sure how to permission the following API 3 calls:
496# contribution_transact (make online contributions)
497# entity_tag_display
498# group_contact_pending
499# group_contact_update_status
500# mailing_event_bounce
501# mailing_event_click
502# mailing_event_confirm
503# mailing_event_forward
504# mailing_event_open
505# mailing_event_reply
506# mailing_group_event_domain_unsubscribe
507# mailing_group_event_resubscribe
508# mailing_group_event_subscribe
509# mailing_group_event_unsubscribe
510# membership_status_calc
511# survey_respondant_count