[civicrm-core.git] / CRM / Core / DAO / permissions.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.7                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2015                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

/**
 * Decide what permissions to check for an api call
 * The contact must have all of the returned permissions for the api call to be allowed
 *
 * @param $entity : (str) api entity
 * @param $action : (str) api action
 * @param $params : (array) api params
 *
 * @return array
 *   Array of permissions to check for this entity-action combo
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  // FIXME: Lowercase entity_names are nonstandard but difficult to fix here
  // because this function invokes hook_civicrm_alterAPIPermissions
  $entity = _civicrm_api_get_entity_name_from_camel($entity);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   *  Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares it's own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  // Note: Additional permissions in DynamicFKAuthorization
  $permissions['attachment'] = array(
    'default' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'getquick' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // CRM-16963 - Permissions for country.
  $permissions['country'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'administer CiviCRM',
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    // get is managed by BAO::apiWhereClause
    'get' => array(),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  // @todo - implement CRM_Core_BAO_EntityTag::apiWhereClause and remove this heavy-handed restriction
  $permissions['entity_tag'] = array('get' => array('access CiviCRM', 'view all contacts')) + $permissions['address'];
  // @todo - ditto
  $permissions['note'] = $permissions['entity_tag'];

  // Allow non-admins to get and create tags to support tagset widget
  // Delete is still reserved for admins
  $permissions['tag'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('access CiviCRM'),
    'update' => array('access CiviCRM'),
  );

  //relationship permissions
  $permissions['relationship'] = array(
    // get is managed by BAO::apiWhereClause
    'get' => array(),
    'delete' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // CRM-17741 - Permissions for RelationshipType.
  $permissions['relationship_type'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'administer CiviCRM',
    ),
  );

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      // This is the minimum permission needed. Finer-grained access is controlled by CRM_Case_BAO_Case::apiWhereClause
      'access my cases and activities',
    ),
  );
  $permissions['case_contact'] = $permissions['case'];

  // Campaign permissions
  $permissions['campaign'] = array(
    'get' => array('access CiviCRM'),
    'create' => array(array('administer CiviCampaign', 'manage campaign')),
    'update' => array(array('administer CiviCampaign', 'manage campaign')),
    'delete' => array(array('administer CiviCampaign', 'manage campaign')),
  );
  $permissions['survey'] = $permissions['campaign'];

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );
  // Loc block is only used for events
  $permissions['loc_block'] = $permissions['event'];

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );

  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  //Group Contact permission
  $permissions['group_contact'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // CiviMail Permissions
  $civiMailBasePerms = array(
    // To get/preview/update, one must have least one of these perms:
    // Mailing API implementations enforce nuances of create/approve/schedule permissions.
    'access CiviMail',
    'create mailings',
    'schedule mailings',
    'approve mailings',
  );
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
    'delete' => array(
      'access CiviCRM',
      $civiMailBasePerms,
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      $civiMailBasePerms,
    ),
  );
  $permissions['mailing_group'] = $permissions['mailing'];
  $permissions['mailing_job'] = $permissions['mailing'];
  $permissions['mailing_recipients'] = $permissions['mailing'];

  $permissions['mailing_a_b'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );

  //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
  $permissions['action_schedule'] = array(
    'update' => array(
      array(
        'access CiviCRM',
        'edit all events',
      ),
    ),
  );

  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    'get' => array(), // the profile will take care of this
  );

  $permissions['uf_group'] = array(
    'create' => array(
      'access CiviCRM',
      array(
        'administer CiviCRM',
        'manage event profiles',
      ),
    ),
    'get' => array(
      'access CiviCRM',
    ),
    'update' => array(
      'access CiviCRM',
      array(
        'administer CiviCRM',
        'manage event profiles',
      ),
    ),
  );
  $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
  $permissions['uf_field']['delete'] = array(
    'access CiviCRM',
    array(
      'administer CiviCRM',
      'manage event profiles',
    ),
  );
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  $permissions['message_template'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('edit message templates'),
    'update' => array('edit message templates'),
  );

  // Translate 'create' action to 'update' if id is set
  if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Merge permissions for this entity with the defaults
  $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents
  $snippet = substr($action, 0, 3);
  if ($action == 'replace' || $snippet == 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closesly guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action == 'setvalue' || $snippet == 'upd') {
    $action = 'update';
  }
  elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet == 'get') {
    $action = 'get';
  }
  return isset($perm[$action]) ? $perm[$action] : $perm['default'];
}

# FIXME: not sure how to permission the following API 3 calls:
# contribution_transact (make online contributions)
# entity_tag_display
# group_contact_pending
# group_contact_update_status
# mailing_event_bounce
# mailing_event_click
# mailing_event_confirm
# mailing_event_forward
# mailing_event_open
# mailing_event_reply
# mailing_group_event_domain_unsubscribe
# mailing_group_event_resubscribe
# mailing_group_event_subscribe
# mailing_group_event_unsubscribe
# membership_status_calc
# survey_respondant_count
Commit	Line	Data
6a488035	1	<?php
6a488035 TO	2	/*
6a488035 TO	3	+--------------------------------------------------------------------+
7e9e8871	4	\| CiviCRM version 4.7 \|
6a488035	5	+--------------------------------------------------------------------+
e7112fa7	6	\| Copyright CiviCRM LLC (c) 2004-2015 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
d25dd0ee	26	*/
6a488035 TO	27
6a488035 TO	28	/**
082d771a CW	29	* Decide what permissions to check for an api call
082d771a CW	30	* The contact must have all of the returned permissions for the api call to be allowed
6a488035	31	*
353ffa53 TO	32	* @param $entity : (str) api entity
	33	* @param $action : (str) api action
	34	* @param $params : (array) api params
6a488035	35	*
a6c01b45	36	* @return array
16b10e64	37	* Array of permissions to check for this entity-action combo
6a488035	38	*/
6a488035	39	function _civicrm_api3_permissions($entity, $action, &$params) {
4846df91 CW	40	// FIXME: Lowercase entity_names are nonstandard but difficult to fix here
4846df91 CW	41	// because this function invokes hook_civicrm_alterAPIPermissions
47e6af81	42	$entity = _civicrm_api_get_entity_name_from_camel($entity);
79089019 CW	43
	44	/**
	45	* @var array of permissions
	46	*
	47	* For each entity, we declare an array of permissions required for each action
	48	* The action is the array key, possible values:
	49	* * create: applies to create (with no id in params)
	50	* * update: applies to update, setvalue, create (with id in params)
	51	* * get: applies to getcount, getsingle, getvalue and other gets
	52	* * delete: applies to delete, replace
	53	* * meta: applies to getfields, getoptions, getspec
	54	* * default: catch-all for anything not declared
	55	*
	56	* Note: some APIs declare other actions as well
	57	*/
082d771a CW	58	$permissions = array();
082d771a CW	59
79089019 CW	60	// These are the default permissions - if any entity does not declare permissions for a given action,
	61	// (or the entity does not declare permissions at all) - then the action will be used from here
	62	$permissions['default'] = array(
	63	// applies to getfields, getoptions, etc.
	64	'meta' => array('access CiviCRM'),
	65	// catch-all, applies to create, get, delete, etc.
	66	// If an entity declares it's own 'default' action it will override this one
	67	'default' => array('administer CiviCRM'),
	68	);
	69
f8be71a6	70	// Note: Additional permissions in DynamicFKAuthorization
56154d36	71	$permissions['attachment'] = array(
f8be71a6 TO	72	'default' => array(
	73	array('access CiviCRM', 'access AJAX API'),
	74	),
56154d36 TO	75	);
56154d36 TO	76
1593d73d CW	77	// Contact permissions
1593d73d CW	78	$permissions['contact'] = array(
082d771a CW	79	'create' => array(
	80	'access CiviCRM',
	81	'add contacts',
	82	),
	83	'delete' => array(
	84	'access CiviCRM',
	85	'delete contacts',
	86	),
1593d73d CW	87	// managed by query object
1593d73d CW	88	'get' => array(),
082d771a CW	89	'update' => array(
	90	'access CiviCRM',
	91	'edit all contacts',
	92	),
1593d73d	93	'getquick' => array(
60ec9f43	94	array('access CiviCRM', 'access AJAX API'),
1593d73d	95	),
082d771a	96	);
1593d73d	97
ec642959 JV	98	// CRM-16963 - Permissions for country.
	99	$permissions['country'] = array(
	100	'get' => array(
	101	'access CiviCRM',
	102	),
	103	'default' => array(
	104	'administer CiviCRM',
	105	),
	106	);
	107
bcb09fd8 DG	108	// Contact-related data permissions.
bcb09fd8 DG	109	// CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
1593d73d	110	$permissions['address'] = array(
4dc78105 CW	111	// get is managed by BAO::apiWhereClause
4dc78105 CW	112	'get' => array(),
1593d73d	113	'default' => array(
082d771a CW	114	'access CiviCRM',
	115	'edit all contacts',
	116	),
082d771a	117	);
1593d73d CW	118	$permissions['email'] = $permissions['address'];
	119	$permissions['phone'] = $permissions['address'];
	120	$permissions['website'] = $permissions['address'];
	121	$permissions['im'] = $permissions['address'];
4dc78105 CW	122	// @todo - implement CRM_Core_BAO_EntityTag::apiWhereClause and remove this heavy-handed restriction
	123	$permissions['entity_tag'] = array('get' => array('access CiviCRM', 'view all contacts')) + $permissions['address'];
	124	// @todo - ditto
	125	$permissions['note'] = $permissions['entity_tag'];
1593d73d	126
8087a331 CW	127	// Allow non-admins to get and create tags to support tagset widget
	128	// Delete is still reserved for admins
	129	$permissions['tag'] = array(
	130	'get' => array('access CiviCRM'),
	131	'create' => array('access CiviCRM'),
	132	'update' => array('access CiviCRM'),
	133	);
	134
2f0e8374 JJ	135	//relationship permissions
2f0e8374 JJ	136	$permissions['relationship'] = array(
4dc78105 CW	137	// get is managed by BAO::apiWhereClause
4dc78105 CW	138	'get' => array(),
2f0e8374 JJ	139	'delete' => array(
2f0e8374 JJ	140	'access CiviCRM',
27d33950	141	'edit all contacts',
2f0e8374 JJ	142	),
	143	'default' => array(
	144	'access CiviCRM',
	145	'edit all contacts',
	146	),
	147	);
d75f2f47	148
da387e7b JV	149	// CRM-17741 - Permissions for RelationshipType.
	150	$permissions['relationship_type'] = array(
	151	'get' => array(
	152	'access CiviCRM',
	153	),
	154	'default' => array(
	155	'administer CiviCRM',
	156	),
	157	);
	158
1593d73d CW	159	// Activity permissions
1593d73d CW	160	$permissions['activity'] = array(
082d771a CW	161	'delete' => array(
082d771a CW	162	'access CiviCRM',
1593d73d	163	'delete activities',
082d771a	164	),
1593d73d	165	'default' => array(
082d771a	166	'access CiviCRM',
1593d73d	167	'view all activities',
082d771a CW	168	),
082d771a CW	169	);
1593d73d CW	170
	171	// Case permissions
	172	$permissions['case'] = array(
082d771a	173	'create' => array(
082d771a	174	'access CiviCRM',
1593d73d	175	'add cases',
082d771a CW	176	),
082d771a CW	177	'delete' => array(
082d771a	178	'access CiviCRM',
1593d73d	179	'delete in CiviCase',
082d771a	180	),
1593d73d	181	'default' => array(
174a1918 CW	182	// This is the minimum permission needed. Finer-grained access is controlled by CRM_Case_BAO_Case::apiWhereClause
174a1918 CW	183	'access my cases and activities',
082d771a CW	184	),
082d771a CW	185	);
ff9340a4	186	$permissions['case_contact'] = $permissions['case'];
1593d73d	187
df2c4050	188	// Campaign permissions
df2c4050	189	$permissions['campaign'] = array(
57a9f1a2	190	'get' => array('access CiviCRM'),
	191	'create' => array(array('administer CiviCampaign', 'manage campaign')),
	192	'update' => array(array('administer CiviCampaign', 'manage campaign')),
	193	'delete' => array(array('administer CiviCampaign', 'manage campaign')),
df2c4050	194	);
	195	$permissions['survey'] = $permissions['campaign'];
	196
1593d73d CW	197	// Financial permissions
	198	$permissions['contribution'] = array(
	199	'get' => array(
082d771a	200	'access CiviCRM',
1593d73d	201	'access CiviContribute',
082d771a CW	202	),
082d771a CW	203	'delete' => array(
082d771a	204	'access CiviCRM',
1593d73d CW	205	'access CiviContribute',
1593d73d CW	206	'delete in CiviContribute',
082d771a	207	),
0efa8efe	208	'completetransaction' => array(
	209	'edit contributions',
	210	),
1593d73d	211	'default' => array(
082d771a	212	'access CiviCRM',
1593d73d CW	213	'access CiviContribute',
1593d73d CW	214	'edit contributions',
082d771a	215	),
1593d73d CW	216	);
	217	$permissions['line_item'] = $permissions['contribution'];
	218
	219	// Custom field permissions
	220	$permissions['custom_field'] = array(
	221	'default' => array(
082d771a	222	'administer CiviCRM',
082d771a CW	223	'access all custom data',
	224	),
	225	);
1593d73d CW	226	$permissions['custom_group'] = $permissions['custom_field'];
	227
	228	// Event permissions
082d771a CW	229	$permissions['event'] = array(
	230	'create' => array(
	231	'access CiviCRM',
	232	'access CiviEvent',
	233	'edit all events',
	234	),
	235	'delete' => array(
	236	'access CiviCRM',
	237	'access CiviEvent',
	238	'delete in CiviEvent',
	239	),
	240	'get' => array(
	241	'access CiviCRM',
	242	'access CiviEvent',
	243	'view event info',
	244	),
	245	'update' => array(
	246	'access CiviCRM',
	247	'access CiviEvent',
	248	'edit all events',
	249	),
	250	);
4dc78105 CW	251	// Loc block is only used for events
4dc78105 CW	252	$permissions['loc_block'] = $permissions['event'];
1593d73d CW	253
1593d73d CW	254	// File permissions
082d771a	255	$permissions['file'] = array(
1593d73d	256	'default' => array(
082d771a CW	257	'access CiviCRM',
	258	'access uploaded files',
	259	),
	260	);
1593d73d CW	261	$permissions['files_by_entity'] = $permissions['file'];
	262
	263	// Group permissions
082d771a	264	$permissions['group'] = array(
082d771a CW	265	'get' => array(
082d771a CW	266	'access CiviCRM',
082d771a	267	),
1593d73d	268	'default' => array(
082d771a	269	'access CiviCRM',
1593d73d	270	'edit groups',
082d771a CW	271	),
082d771a CW	272	);
5ab07c7c	273
1593d73d CW	274	$permissions['group_nesting'] = $permissions['group'];
	275	$permissions['group_organization'] = $permissions['group'];
	276
5ab07c7c	277	//Group Contact permission
	278	$permissions['group_contact'] = array(
	279	'get' => array(
	280	'access CiviCRM',
	281	),
	282	'default' => array(
	283	'access CiviCRM',
	284	'edit all contacts',
	285	),
	286	);
	287
56154d36	288	// CiviMail Permissions
360d6097 TO	289	$civiMailBasePerms = array(
	290	// To get/preview/update, one must have least one of these perms:
	291	// Mailing API implementations enforce nuances of create/approve/schedule permissions.
	292	'access CiviMail',
	293	'create mailings',
	294	'schedule mailings',
	295	'approve mailings',
	296	);
56154d36 TO	297	$permissions['mailing'] = array(
	298	'get' => array(
	299	'access CiviCRM',
360d6097	300	$civiMailBasePerms,
56154d36 TO	301	),
	302	'delete' => array(
	303	'access CiviCRM',
360d6097	304	$civiMailBasePerms,
56154d36 TO	305	'delete in CiviMail',
56154d36 TO	306	),
360d6097 TO	307	'submit' => array(
	308	'access CiviCRM',
	309	array('access CiviMail', 'schedule mailings'),
	310	),
56154d36 TO	311	'default' => array(
56154d36 TO	312	'access CiviCRM',
360d6097	313	$civiMailBasePerms,
56154d36 TO	314	),
56154d36 TO	315	);
f8be71a6 TO	316	$permissions['mailing_group'] = $permissions['mailing'];
	317	$permissions['mailing_job'] = $permissions['mailing'];
	318	$permissions['mailing_recipients'] = $permissions['mailing'];
56154d36	319
19837ef2 TO	320	$permissions['mailing_a_b'] = array(
	321	'get' => array(
	322	'access CiviCRM',
	323	'access CiviMail',
	324	),
	325	'delete' => array(
	326	'access CiviCRM',
	327	'access CiviMail',
	328	'delete in CiviMail',
	329	),
	330	'submit' => array(
	331	'access CiviCRM',
	332	array('access CiviMail', 'schedule mailings'),
	333	),
	334	'default' => array(
	335	'access CiviCRM',
	336	'access CiviMail',
	337	),
	338	);
	339
1593d73d	340	// Membership permissions
082d771a	341	$permissions['membership'] = array(
1593d73d	342	'get' => array(
082d771a CW	343	'access CiviCRM',
082d771a CW	344	'access CiviMember',
082d771a CW	345	),
	346	'delete' => array(
	347	'access CiviCRM',
	348	'access CiviMember',
	349	'delete in CiviMember',
	350	),
1593d73d	351	'default' => array(
082d771a CW	352	'access CiviCRM',
	353	'access CiviMember',
	354	'edit memberships',
	355	),
	356	);
1593d73d CW	357	$permissions['membership_status'] = $permissions['membership'];
1593d73d CW	358	$permissions['membership_type'] = $permissions['membership'];
082d771a CW	359	$permissions['membership_payment'] = array(
	360	'create' => array(
	361	'access CiviCRM',
	362	'access CiviMember',
	363	'edit memberships',
	364	'access CiviContribute',
	365	'edit contributions',
	366	),
	367	'delete' => array(
	368	'access CiviCRM',
	369	'access CiviMember',
	370	'delete in CiviMember',
	371	'access CiviContribute',
	372	'delete in CiviContribute',
	373	),
	374	'get' => array(
	375	'access CiviCRM',
	376	'access CiviMember',
	377	'access CiviContribute',
	378	),
	379	'update' => array(
	380	'access CiviCRM',
	381	'access CiviMember',
	382	'edit memberships',
	383	'access CiviContribute',
	384	'edit contributions',
	385	),
	386	);
1593d73d CW	387
1593d73d CW	388	// Participant permissions
082d771a CW	389	$permissions['participant'] = array(
	390	'create' => array(
	391	'access CiviCRM',
	392	'access CiviEvent',
	393	'register for events',
	394	),
	395	'delete' => array(
	396	'access CiviCRM',
	397	'access CiviEvent',
	398	'edit event participants',
	399	),
	400	'get' => array(
	401	'access CiviCRM',
	402	'access CiviEvent',
	403	'view event participants',
	404	),
	405	'update' => array(
	406	'access CiviCRM',
	407	'access CiviEvent',
	408	'edit event participants',
	409	),
	410	);
	411	$permissions['participant_payment'] = array(
	412	'create' => array(
	413	'access CiviCRM',
	414	'access CiviEvent',
	415	'register for events',
	416	'access CiviContribute',
	417	'edit contributions',
	418	),
	419	'delete' => array(
	420	'access CiviCRM',
	421	'access CiviEvent',
	422	'edit event participants',
	423	'access CiviContribute',
	424	'delete in CiviContribute',
	425	),
	426	'get' => array(
	427	'access CiviCRM',
	428	'access CiviEvent',
	429	'view event participants',
	430	'access CiviContribute',
	431	),
	432	'update' => array(
	433	'access CiviCRM',
	434	'access CiviEvent',
	435	'edit event participants',
	436	'access CiviContribute',
	437	'edit contributions',
	438	),
	439	);
1593d73d CW	440
1593d73d CW	441	// Pledge permissions
082d771a CW	442	$permissions['pledge'] = array(
	443	'create' => array(
	444	'access CiviCRM',
	445	'access CiviPledge',
	446	'edit pledges',
	447	),
	448	'delete' => array(
	449	'access CiviCRM',
	450	'access CiviPledge',
	451	'delete in CiviPledge',
	452	),
	453	'get' => array(
	454	'access CiviCRM',
	455	'access CiviPledge',
	456	),
	457	'update' => array(
	458	'access CiviCRM',
	459	'access CiviPledge',
	460	'edit pledges',
	461	),
	462	);
e68f2900 WA	463
	464	//CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
	465	$permissions['action_schedule'] = array(
	466	'update' => array(
	467	array(
	468	'access CiviCRM',
	469	'edit all events',
	470	),
	471	),
	472	);
	473
082d771a CW	474	$permissions['pledge_payment'] = array(
	475	'create' => array(
	476	'access CiviCRM',
	477	'access CiviPledge',
	478	'edit pledges',
	479	'access CiviContribute',
	480	'edit contributions',
	481	),
	482	'delete' => array(
	483	'access CiviCRM',
	484	'access CiviPledge',
	485	'delete in CiviPledge',
	486	'access CiviContribute',
	487	'delete in CiviContribute',
	488	),
	489	'get' => array(
	490	'access CiviCRM',
	491	'access CiviPledge',
	492	'access CiviContribute',
	493	),
	494	'update' => array(
	495	'access CiviCRM',
	496	'access CiviPledge',
	497	'edit pledges',
	498	'access CiviContribute',
	499	'edit contributions',
	500	),
	501	);
1593d73d CW	502
1593d73d CW	503	// Profile permissions
c85e32fc	504	$permissions['profile'] = array(
	505	'get' => array(), // the profile will take care of this
	506	);
	507
1593d73d	508	$permissions['uf_group'] = array(
bcbb2167	509	'create' => array(
837cab52	510	'access CiviCRM',
380a8fc7	511	array(
	512	'administer CiviCRM',
	513	'manage event profiles',
	514	),
bcbb2167	515	),
082d771a CW	516	'get' => array(
082d771a CW	517	'access CiviCRM',
6a488035	518	),
bcbb2167	519	'update' => array(
837cab52	520	'access CiviCRM',
380a8fc7	521	array(
	522	'administer CiviCRM',
	523	'manage event profiles',
	524	),
bcbb2167	525	),
6a488035	526	);
37375016	527	$permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
380a8fc7	528	$permissions['uf_field']['delete'] = array(
837cab52	529	'access CiviCRM',
380a8fc7	530	array(
	531	'administer CiviCRM',
	532	'manage event profiles',
	533	),
	534	);
abdff0f7 CW	535	$permissions['option_value'] = $permissions['uf_group'];
abdff0f7 CW	536	$permissions['option_group'] = $permissions['option_value'];
6a488035	537
2e27d447 CW	538	$permissions['message_template'] = array(
	539	'get' => array('access CiviCRM'),
	540	'create' => array('edit message templates'),
	541	'update' => array('edit message templates'),
	542	);
	543
79089019 CW	544	// Translate 'create' action to 'update' if id is set
	545	if ($action == 'create' && (!empty($params['id']) \|\| !empty($params[$entity . '_id']))) {
	546	$action = 'update';
	547	}
	548
6a488035 TO	549	// let third parties modify the permissions
	550	CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);
	551
79089019 CW	552	// Merge permissions for this entity with the defaults
	553	$perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];
	554
	555	// Return exact match if permission for this action has been declared
	556	if (isset($perm[$action])) {
	557	return $perm[$action];
	558	}
	559
	560	// Translate specific actions into their generic equivalents
	561	$snippet = substr($action, 0, 3);
	562	if ($action == 'replace' \|\| $snippet == 'del') {
d013d45c TO	563	// 'Replace' is a combination of get+create+update+delete; however, the permissions
	564	// on each of those will be tested separately at runtime. This is just a sniff-test
	565	// based on the heuristic that 'delete' tends to be the most closesly guarded
	566	// of the necessary permissions.
79089019 CW	567	$action = 'delete';
	568	}
	569	elseif ($action == 'setvalue' \|\| $snippet == 'upd') {
	570	$action = 'update';
	571	}
74803223	572	elseif ($action == 'getfields' \|\| $action == 'getfield' \|\| $action == 'getspec' \|\| $action == 'getoptions') {
79089019 CW	573	$action = 'meta';
	574	}
	575	elseif ($snippet == 'get') {
	576	$action = 'get';
	577	}
	578	return isset($perm[$action]) ? $perm[$action] : $perm['default'];
6a488035 TO	579	}
	580
	581	# FIXME: not sure how to permission the following API 3 calls:
	582	# contribution_transact (make online contributions)
	583	# entity_tag_display
	584	# group_contact_pending
	585	# group_contact_update_status
	586	# mailing_event_bounce
	587	# mailing_event_click
	588	# mailing_event_confirm
	589	# mailing_event_forward
	590	# mailing_event_open
	591	# mailing_event_reply
	592	# mailing_group_event_domain_unsubscribe
	593	# mailing_group_event_resubscribe
	594	# mailing_group_event_subscribe
	595	# mailing_group_event_unsubscribe
	596	# membership_status_calc
	597	# survey_respondant_count