version fixes
1<?php
2/*
3 +--------------------------------------------------------------------+
7e9e8871 4 | CiviCRM version 4.7 |
6a488035 5 +--------------------------------------------------------------------+
e7112fa7 6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
27
28/**
29 *
30 * @package CRM
e7112fa7 31 * @copyright CiviCRM LLC (c) 2004-2015
32 * $Id$
33 *
34 */
35
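/**
 * Base permission class for Drupal.
 *
 * Works out which groups the current user may view or edit, builds the SQL
 * fragments that restrict group listings to those groups, and looks up the
 * email addresses of users who hold a given permission. It relies on the
 * Drupal functions user_load(), db_query() and db_delete().
 */
class CRM_Core_Permission_DrupalBase extends CRM_Core_Permission_Base {

  /**
   * Is this user someone with view access for the entire system.
   *
   * Set by group() when the user holds 'view all contacts' or
   * 'edit all contacts'.
   *
   * @var boolean
   */
  protected $_viewAdminUser = FALSE;

  /**
   * Is this user someone with edit access for the entire system.
   *
   * Set by group() when the user holds 'edit all contacts'.
   *
   * @var boolean
   */
  protected $_editAdminUser = FALSE;

  /**
   * Does the user have view permission on at least one group?
   *
   * @var boolean
   */
  protected $_viewPermission = FALSE;

  /**
   * Does the user have edit permission on at least one group?
   *
   * @var boolean
   */
  protected $_editPermission = FALSE;

  /**
   * The groups the user may view, keyed first by group type ('all' when no
   * type was requested) and then by group id.
   *
   * @var array
   */
  protected $_viewPermissionedGroups;

  /**
   * The groups the user may edit, keyed the same way as the view list.
   *
   * @var array
   */
  protected $_editPermissionedGroups;

  /**
   * Get all groups from database, filtered by permissions
   * for this user
   *
   * The result is cached on the object per group type. As a side effect the
   * view/edit permission flags and admin flags of this object are updated.
   *
   * @param string $groupType
   *   Type of group(Access/Mailing).
   * @param bool $excludeHidden
   *   Exclude hidden groups.
   *
   * @return array
   *   The groups this user may view for the requested type. ACL-derived
   *   entries are keyed by group id with the group title as value.
   */
  public function group($groupType = NULL, $excludeHidden = TRUE) {
    if (!isset($this->_viewPermissionedGroups)) {
      $this->_viewPermissionedGroups = $this->_editPermissionedGroups = array();
    }

    // NOTE(review): the cache key is the group type only. $excludeHidden is
    // not part of it, so the first call for a given type decides whether
    // hidden groups appear in every later result for that type.
    $groupKey = $groupType ? $groupType : 'all';

    if (!isset($this->_viewPermissionedGroups[$groupKey])) {
      $this->_viewPermissionedGroups[$groupKey] = $this->_editPermissionedGroups[$groupKey] = array();

      $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden);

      if ($this->check('edit all contacts')) {
        // this is the most powerful permission, so we return
        // immediately rather than dilute it further
        $this->_editAdminUser = $this->_viewAdminUser = TRUE;
        $this->_editPermission = $this->_viewPermission = TRUE;
        $this->_editPermissionedGroups[$groupKey] = $groups;
        $this->_viewPermissionedGroups[$groupKey] = $groups;
        return $this->_viewPermissionedGroups[$groupKey];
      }
      elseif ($this->check('view all contacts')) {
        // View-all users still go through the ACL lookups below, because
        // those are the only source of edit rights for them.
        $this->_viewAdminUser = TRUE;
        $this->_viewPermission = TRUE;
        $this->_viewPermissionedGroups[$groupKey] = $groups;
      }

      $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups);
      if (!empty($ids)) {
        foreach (array_values($ids) as $id) {
          $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
          $this->_viewPermissionedGroups[$groupKey][$id] = $title;
          $this->_viewPermission = TRUE;
        }
      }

      $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups);
      if (!empty($ids)) {
        foreach (array_values($ids) as $id) {
          $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
          // Edit access implies view access, so record the group in both lists.
          $this->_editPermissionedGroups[$groupKey][$id] = $title;
          $this->_viewPermissionedGroups[$groupKey][$id] = $title;
          $this->_editPermission = TRUE;
          $this->_viewPermission = TRUE;
        }
      }
    }

    return $this->_viewPermissionedGroups[$groupKey];
  }

  /**
   * Get group clause for this user. The group Clause filters the
   * list of groups that the user is permitted to see in a group listing.
   * For example it will filter both the list on the 'Manage Groups' page
   * and on the contact 'Groups' tab
   *
   * the aclGroup hook & configured ACLs contribute to this data.
   * If the contact is allowed to see all contacts the function will return ( 1 )
   * If the user has no permissioned group at all it returns ( 0 ).
   *
   * @todo the history of this function is that there was some confusion as to
   * whether it was filtering contacts or groups & some cruft may remain
   *
   * @param int $type
   *   The type of permission needed.
   * @param array $tables
   *   (reference) add the tables that are needed for the select clause.
   * @param array $whereTables
   *   (reference) add the tables that are needed for the where clause.
   *
   * @return string
   *   the clause to add to the query retrieving viewable groups
   */
  public function groupClause($type, &$tables, &$whereTables) {
    // we basically get all the groups here
    $groupKey = 'all';

    // group() caches per group type. Testing only whether the property is set
    // is not enough: an earlier group('Mailing') call initialises the property
    // without filling the 'all' entry, which would wrongly produce ' ( 0 ) '.
    if (!isset($this->_viewPermissionedGroups[$groupKey])) {
      $this->group();
    }

    if ($type == CRM_Core_Permission::EDIT) {
      if ($this->_editAdminUser) {
        return ' ( 1 ) ';
      }
      if (empty($this->_editPermissionedGroups[$groupKey])) {
        return ' ( 0 ) ';
      }

      // The ids are concatenated into the SQL text, so make sure nothing but
      // integers can reach it, whatever filled the permissioned-group list.
      $groupIds = array_map('intval', array_keys($this->_editPermissionedGroups[$groupKey]));

      $clauses = array();
      $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', $groupIds) . " ) AND civicrm_group_contact.status = 'Added' ) ";
      $tables['civicrm_group_contact'] = 1;
      $whereTables['civicrm_group_contact'] = 1;

      // foreach group that is potentially a saved search, add the saved search clause
      foreach ($groupIds as $id) {
        $group = new CRM_Contact_DAO_Group();
        $group->id = $id;
        if ($group->find(TRUE) && $group->saved_search_id) {
          $savedSearchClause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id,
            $tables,
            $whereTables
          );
          if (trim($savedSearchClause)) {
            $clauses[] = $savedSearchClause;
          }
        }
      }

      return ' ( ' . implode(' OR ', $clauses) . ' ) ';
    }

    if ($this->_viewAdminUser) {
      return ' ( 1 ) ';
    }
    if (empty($this->_viewPermissionedGroups[$groupKey])) {
      return ' ( 0 ) ';
    }

    // Same integer-only rule as the edit branch: these ids become SQL text.
    $groupIds = array_map('intval', array_keys($this->_viewPermissionedGroups[$groupKey]));

    $clauses = array();
    $clauses[] = ' civicrm_group.id IN (' . implode(', ', $groupIds) . " ) ";
    $tables['civicrm_group'] = 1;
    $whereTables['civicrm_group'] = 1;

    return ' ( ' . implode(' OR ', $clauses) . ' ) ';
  }

  /**
   * Get the current permission of this user.
   *
   * Calls group() first so that the permission flags are populated.
   *
   * @return string
   *   the permission of the user (edit or view or null)
   */
  public function getPermission() {
    $this->group();

    if ($this->_editPermission) {
      return CRM_Core_Permission::EDIT;
    }
    elseif ($this->_viewPermission) {
      return CRM_Core_Permission::VIEW;
    }
    return NULL;
  }

  /**
   * Get the primary email addresses of the contacts matched to the given
   * user ids. Deceased and deleted contacts are left out.
   *
   * @param array $uids
   *   User ids, matched against civicrm_uf_match.uf_id.
   *
   * @return string
   *   Email addresses joined with ', ', or an empty string when $uids is empty.
   */
  public function getContactEmails($uids) {
    if (empty($uids)) {
      return '';
    }

    // The ids are placed directly inside IN ( ... ) below. Forcing every
    // element to an integer keeps a non-numeric value from altering the
    // statement; uf_id is compared as a number in any case.
    $uidString = implode(',', array_map('intval', (array) $uids));
    $sql = "
    SELECT e.email
    FROM civicrm_contact c
    INNER JOIN civicrm_email e     ON ( c.id = e.contact_id AND e.is_primary = 1 )
    INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id )
    WHERE c.is_deceased = 0
    AND   c.is_deleted  = 0
    AND   uf.uf_id IN ( $uidString )
    ";

    $dao = CRM_Core_DAO::executeQuery($sql);

    $emails = array();
    while ($dao->fetch()) {
      $emails[] = $dao->email;
    }

    return implode(', ', $emails);
  }

  /**
   * Given a roles array, check for access requirements
   *
   * @param array $array
   *   The roles to check.
   *
   * @return bool
   *   true if the logged-in user has at least one of the roles, else false
   */
  public function checkGroupRole($array) {
    if (!function_exists('user_load') || !is_array($array)) {
      return FALSE;
    }

    $user = user_load($GLOBALS['user']->uid);
    if (empty($user->roles) || !is_array($user->roles)) {
      // No loadable user or no roles: nothing can match, so deny.
      return FALSE;
    }

    // This is an access decision, so compare strictly on strings. A loose
    // in_array() lets values such as 0 or TRUE match unrelated role names
    // under PHP's type juggling.
    $userRoles = array_map('strval', $user->roles);
    foreach ($array as $value) {
      if (is_scalar($value) && in_array((string) $value, $userRoles, TRUE)) {
        return TRUE;
      }
    }
    return FALSE;
  }

  /**
   * @inheritDoc
   */
  public function isModulePermissionSupported() {
    return TRUE;
  }

  /**
   * Get all the contact emails for users that have a specific permission.
   *
   * Only users with status = 1 are considered. Results are kept in a static
   * cache per permission name for the rest of the request.
   *
   * @param string $permissionName
   *   Name of the permission we are interested in.
   *
   * @return string
   *   a comma separated list of email addresses
   */
  public function permissionEmails($permissionName) {
    static $_cache = array();

    if (isset($_cache[$permissionName])) {
      return $_cache[$permissionName];
    }

    $uids = array();
    // The permission name is bound as a named placeholder rather than being
    // written into the SQL string, so quotes in it cannot change the query.
    $sql = "
      SELECT {users}.uid, {role_permission}.permission
      FROM {users}
      JOIN {users_roles}
        ON {users}.uid = {users_roles}.uid
      JOIN {role_permission}
        ON {role_permission}.rid = {users_roles}.rid
      WHERE {role_permission}.permission = :permission
        AND {users}.status = 1
    ";

    $result = db_query($sql, array(':permission' => $permissionName));
    foreach ($result as $record) {
      $uids[] = $record->uid;
    }

    $_cache[$permissionName] = self::getContactEmails($uids);
    return $_cache[$permissionName];
  }

  /**
   * @inheritDoc
   *
   * Deletes every role_permission row that belongs to the civicrm module and
   * whose permission is not a key of $permissions.
   *
   * @param array $permissions
   *   The permissions to keep; only the array keys are used.
   *
   * @throws CRM_Core_Exception
   *   When the permission list is empty, since the delete would otherwise
   *   have nothing to compare against.
   */
  public function upgradePermissions($permissions) {
    if (empty($permissions)) {
      throw new CRM_Core_Exception("Cannot upgrade permissions: permission list missing");
    }
    $query = db_delete('role_permission')
      ->condition('module', 'civicrm')
      ->condition('permission', array_keys($permissions), 'NOT IN');
    $query->execute();
  }

}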