Commit | Line | Data |
---|---|---|
6a488035 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 4 | | Copyright CiviCRM LLC. All rights reserved. | |
6a488035 | 5 | | | |
bc77d7c0 TO |
6 | | This work is published under the GNU AGPLv3 license with some | |
7 | | permitted exceptions and without any warranty. For full license | | |
8 | | and copyright information, see https://civicrm.org/licensing | | |
6a488035 | 9 | +--------------------------------------------------------------------+ |
d25dd0ee | 10 | */ |
6a488035 TO |
11 | |
12 | /** | |
13 | * | |
14 | * @package CRM | |
ca5cec67 | 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
6a488035 TO |
16 | */ |
17 | ||
18 | /** | |
19 | * | |
20 | */ | |
21 | class CRM_Core_Permission_Joomla extends CRM_Core_Permission_Base { | |
518fa0ee | 22 | |
6a488035 | 23 | /** |
100fef9d | 24 | * Given a permission string, check for access requirements |
6a488035 | 25 | * |
6a0b768e TO |
26 | * @param string $str |
27 | * The permission to check. | |
18be3201 | 28 | * @param int $userId |
6a488035 | 29 | * |
c301f76e | 30 | * @return bool |
a6c01b45 | 31 | * true if yes, else false |
6a488035 | 32 | */ |
18be3201 | 33 | public function check($str, $userId = NULL) { |
6a488035 | 34 | $config = CRM_Core_Config::singleton(); |
18be3201 CW |
35 | // JFactory::getUser does strict type checking, so convert falesy values to NULL |
36 | if (!$userId) { | |
37 | $userId = NULL; | |
38 | } | |
6a488035 | 39 | |
cc222cb6 TO |
40 | $translated = $this->translateJoomlaPermission($str); |
41 | if ($translated === CRM_Core_Permission::ALWAYS_DENY_PERMISSION) { | |
42 | return FALSE; | |
43 | } | |
44 | if ($translated === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) { | |
45 | return TRUE; | |
46 | } | |
47 | ||
6a488035 TO |
48 | // ensure that we are running in a joomla context |
49 | // we've not yet figured out how to bootstrap joomla, so we should | |
50 | // not execute hooks if joomla is not loaded | |
51 | if (defined('_JEXEC')) { | |
18be3201 | 52 | $user = JFactory::getUser($userId); |
906e5a45 | 53 | $api_key = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST'); |
d37cd2a2 | 54 | |
a386d65b | 55 | // If we are coming from REST we don't have a user but we do have the api_key for a user. |
906e5a45 | 56 | if ($user->id === 0 && !is_null($api_key)) { |
a386d65b EW |
57 | // This is a codeblock copied from /Civicrm/Utils/REST |
58 | $uid = NULL; | |
59 | if (!$uid) { | |
518fa0ee | 60 | $store = NULL; |
d37cd2a2 | 61 | |
a386d65b | 62 | $contact_id = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key'); |
d37cd2a2 | 63 | |
a386d65b EW |
64 | if ($contact_id) { |
65 | $uid = CRM_Core_BAO_UFMatch::getUFId($contact_id); | |
66 | } | |
67 | $user = JFactory::getUser($uid); | |
d37cd2a2 EW |
68 | |
69 | } | |
70 | } | |
71 | ||
c50bc0a1 | 72 | return $user->authorise($translated[0], $translated[1]); |
d37cd2a2 | 73 | |
6a488035 TO |
74 | } |
75 | else { | |
d37cd2a2 | 76 | |
a386d65b | 77 | return FALSE; |
6a488035 TO |
78 | } |
79 | } | |
80 | ||
e5db5646 FG |
81 | public function isModulePermissionSupported() { |
82 | return TRUE; | |
83 | } | |
84 | ||
cc222cb6 | 85 | /** |
77b97be7 EM |
86 | * @param $perm |
87 | * | |
88 | * @internal param string $name e.g. "administer CiviCRM", "cms:access user record", "Drupal:administer content", "Joomla:example.action:com_some_asset" | |
cc222cb6 TO |
89 | * @return ALWAYS_DENY_PERMISSION|ALWAYS_ALLOW_PERMISSION|array(0 => $joomlaAction, 1 => $joomlaAsset) |
90 | */ | |
00be9182 | 91 | public function translateJoomlaPermission($perm) { |
cc222cb6 TO |
92 | if ($perm === CRM_Core_Permission::ALWAYS_DENY_PERMISSION || $perm === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) { |
93 | return $perm; | |
94 | } | |
95 | ||
96 | list ($civiPrefix, $name) = CRM_Utils_String::parsePrefix(':', $perm, NULL); | |
22e263ad | 97 | switch ($civiPrefix) { |
cc222cb6 TO |
98 | case 'Joomla': |
99 | return explode(':', $name); | |
2aa397bc | 100 | |
cc222cb6 TO |
101 | case 'cms': |
102 | // FIXME: This needn't be DENY, but we don't currently have any translations. | |
103 | return CRM_Core_Permission::ALWAYS_DENY_PERMISSION; | |
2aa397bc | 104 | |
cc222cb6 | 105 | case NULL: |
be2fb01f | 106 | return ['civicrm.' . CRM_Utils_String::munge(strtolower($name)), 'com_civicrm']; |
2aa397bc | 107 | |
cc222cb6 TO |
108 | default: |
109 | return CRM_Core_Permission::ALWAYS_DENY_PERMISSION; | |
110 | } | |
111 | } | |
112 | ||
6a488035 TO |
113 | /** |
114 | * Given a roles array, check for access requirements | |
115 | * | |
6a0b768e TO |
116 | * @param array $array |
117 | * The roles to check. | |
6a488035 | 118 | * |
c301f76e | 119 | * @return bool |
a6c01b45 | 120 | * true if yes, else false |
6a488035 | 121 | */ |
00be9182 | 122 | public function checkGroupRole($array) { |
6a488035 TO |
123 | return FALSE; |
124 | } | |
96025800 | 125 | |
e5db5646 FG |
126 | /** |
127 | * @inheritDoc | |
128 | */ | |
129 | public function upgradePermissions($permissions) { | |
be2fb01f | 130 | $translatedPerms = []; |
b415fb17 FG |
131 | |
132 | // Flipping the $permissions array gives us just the raw names of the | |
133 | // permissions. The descriptions, etc., are irrelevant for the purposes of | |
134 | // this method. | |
e5db5646 FG |
135 | foreach (array_flip($permissions) as $perm) { |
136 | $translated = $this->translateJoomlaPermission($perm); | |
137 | $translatedPerms[] = $translated[0]; | |
138 | } | |
139 | ||
140 | $associations = $this->getUserGroupPermsAssociations(); | |
b415fb17 | 141 | $cmsPermsHaveGoneStale = FALSE; |
e5db5646 FG |
142 | foreach (array_keys(get_object_vars($associations)) as $permName) { |
143 | if (!in_array($permName, $translatedPerms)) { | |
144 | unset($associations->$permName); | |
b415fb17 | 145 | $cmsPermsHaveGoneStale = TRUE; |
e5db5646 FG |
146 | } |
147 | } | |
148 | ||
b415fb17 | 149 | if ($cmsPermsHaveGoneStale) { |
e5db5646 FG |
150 | $this->updateGroupPermsAssociations($associations); |
151 | } | |
152 | } | |
153 | ||
154 | /** | |
155 | * Fetches the associations between user groups and CiviCRM permissions. | |
156 | * | |
b415fb17 | 157 | * @see https://docs.joomla.org/Selecting_data_using_JDatabase |
f746881c | 158 | * @return object |
e5db5646 FG |
159 | * Properties of the object are Joomla-fied permission names. |
160 | */ | |
161 | private function getUserGroupPermsAssociations() { | |
e5db5646 | 162 | $db = JFactory::getDbo(); |
f746881c | 163 | $query = $db->getQuery(TRUE); |
e5db5646 | 164 | |
e5db5646 | 165 | $query |
518fa0ee SL |
166 | ->select($db->quoteName('rules')) |
167 | ->from($db->quoteName('#__assets')) | |
168 | ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm')); | |
e5db5646 | 169 | |
e5db5646 FG |
170 | $db->setQuery($query); |
171 | ||
76d556c7 FG |
172 | // Joomla gotcha: loadObject returns NULL in the case of no matches. |
173 | $result = $db->loadObject(); | |
be2fb01f | 174 | return $result ? json_decode($result->rules) : (object) []; |
e5db5646 FG |
175 | } |
176 | ||
177 | /** | |
178 | * Writes user-group/permissions associations back to Joomla. | |
179 | * | |
b415fb17 | 180 | * @see https://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase |
f746881c FG |
181 | * @param object $associations |
182 | * Same format as the return of | |
183 | * CRM_Core_Permission_Joomla->getUserGroupPermsAssociations(). | |
e5db5646 | 184 | */ |
a1f60f01 | 185 | private function updateGroupPermsAssociations($associations) { |
e5db5646 | 186 | $db = JFactory::getDbo(); |
f746881c | 187 | $query = $db->getQuery(TRUE); |
e5db5646 | 188 | |
e5db5646 | 189 | $query |
518fa0ee SL |
190 | ->update($db->quoteName('#__assets')) |
191 | ->set($db->quoteName('rules') . ' = ' . $db->quote(json_encode($associations))) | |
192 | ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm')); | |
e5db5646 FG |
193 | |
194 | $db->setQuery($query)->execute(); | |
195 | } | |
196 | ||
6a488035 | 197 | } |