projects / civicrm-core.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #21578 from civicrm/5.42
[civicrm-core.git] / CRM / Core / Permission.php
CommitLineData
6a488035
TO		 1<?php
2/*
3 +--------------------------------------------------------------------+
bc77d7c0 4 | Copyright CiviCRM LLC. All rights reserved. |
6a488035 5 | |
bc77d7c0
TO		 6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
6a488035 9 +--------------------------------------------------------------------+
d25dd0ee 10 */
6a488035
TO		 11
12/**
13 *
14 * @package CRM
ca5cec67 15 * @copyright CiviCRM LLC https://civicrm.org/licensing
6a488035
TO		 16 */
17
18/**
19 * This is the basic permission class wrapper
20 */
21class CRM_Core_Permission {
22
23 /**
d09edf64 24 * Static strings used to compose permissions.
6a488035
TO		 25 *
26 * @const
27 * @var string
28 */
7da04cde 29 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
6a488035
TO		 30
31 /**
d09edf64 32 * The various type of permissions.
6a488035
TO		 33 *
34 * @var int
35 */
7da04cde 36 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
6a488035 37
085823c1 38 /**
d09edf64 39 * A placeholder permission which always fails.
085823c1
TO		 40 */
41 const ALWAYS_DENY_PERMISSION = "*always deny*";
42
43 /**
d09edf64 44 * A placeholder permission which always fails.
085823c1
TO		 45 */
46 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
47
6dd18b98 48 /**
d09edf64 49 * Various authentication sources.
6dd18b98
DS		 50 *
51 * @var int
52 */
7da04cde 53 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98 54
6a488035 55 /**
d09edf64 56 * Get the current permission of this user.
6a488035 57 *
a6c01b45
CW		 58 * @return string
59 * the permission of the user (edit or view or null)
6a488035
TO		 60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
41f314b6 63 return $config->userPermissionClass->getPermission();
6a488035
TO		 64 }
65
66 /**
100fef9d 67 * Given a permission string or array, check for access requirements
6a488035 68 *
9b61e85d
CW		 69 * Ex 1: Must have 'access CiviCRM'
70 * (string) 'access CiviCRM'
60ec9f43 71 *
b6e769ac
JM		 72 * Ex 2: Must have 'access CiviCRM' and 'access AJAX API'
73 * ['access CiviCRM', 'access AJAX API']
60ec9f43 74 *
b6e769ac 75 * Ex 3: Must have 'access CiviCRM' or 'access AJAX API'
9b61e85d 76 * [
b6e769ac 77 * ['access CiviCRM', 'access AJAX API'],
9b61e85d 78 * ],
60ec9f43 79 *
b6e769ac 80 * Ex 4: Must have 'access CiviCRM' or 'access AJAX API' AND 'access CiviEvent'
9b61e85d 81 * [
b6e769ac 82 * ['access CiviCRM', 'access AJAX API'],
9b61e85d
CW		 83 * 'access CiviEvent',
84 * ],
60ec9f43 85 *
9b61e85d
CW		 86 * Note that in permissions.php this is keyed by the action eg.
87 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
88 * 'myaction' => [
b6e769ac 89 * ['access CiviCRM', 'access AJAX API'],
9b61e85d
CW		 90 * ['access CiviEvent', 'access CiviContribute']
91 * ],
60ec9f43 92 *
9b61e85d
CW		 93 * @param string|array $permissions
94 * The permission to check as an array or string -see examples.
60ec9f43 95 *
9b61e85d
CW		 96 * @param int $contactId
97 * Contact id to check permissions for. Defaults to current logged-in user.
6a488035 98 *
acb1052e 99 * @return bool
9b61e85d 100 * true if contact has permission(s), else false
6a488035 101 */
18be3201 102 public static function check($permissions, $contactId = NULL) {
60ec9f43 103 $permissions = (array) $permissions;
9b61e85d 104 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
60ec9f43 105
18be3201 106 /** @var CRM_Core_Permission_Temp $tempPerm */
59735506
TO		 107 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
108
60ec9f43 109 foreach ($permissions as $permission) {
22e263ad 110 if (is_array($permission)) {
60ec9f43 111 foreach ($permission as $orPerm) {
18be3201 112 if (self::check($orPerm, $contactId)) {
60ec9f43 113 //one of our 'or' permissions has succeeded - stop checking this permission
b8a19656 114 return TRUE;
60ec9f43
E		 115 }
116 }
117 //none of our our conditions was met
118 return FALSE;
119 }
120 else {
3ae62cab 121 // This is an individual permission
755a1835 122 $impliedPermissions = self::getImpliedPermissionsFor($permission);
123 $impliedPermissions[] = $permission;
124 foreach ($impliedPermissions as $permissionOption) {
125 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permissionOption, $userId);
126 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
127 CRM_Utils_Hook::permission_check($permissionOption, $granted, $contactId);
128 if ($granted) {
129 break;
130 }
131 }
132
59735506 133 if (
3ae62cab 134 !$granted
59735506
TO		 135 && !($tempPerm && $tempPerm->check($permission))
136 ) {
60ec9f43
E		 137 //one of our 'and' conditions has not been met
138 return FALSE;
139 }
140 }
141 }
142 return TRUE;
6a488035
TO		 143 }
144
dc92f2f8 145 /**
d09edf64 146 * Determine if any one of the permissions strings applies to current user.
dc92f2f8
TO		 147 *
148 * @param array $perms
149 * @return bool
150 */
151 public static function checkAnyPerm($perms) {
152 foreach ($perms as $perm) {
153 if (CRM_Core_Permission::check($perm)) {
154 return TRUE;
155 }
156 }
157 return FALSE;
158 }
159
6a488035
TO		 160 /**
161 * Given a group/role array, check for access requirements
162 *
6a0b768e
TO		 163 * @param array $array
164 * The group/role to check.
6a488035 165 *
acb1052e 166 * @return bool
a6c01b45 167 * true if yes, else false
6a488035 168 */
00be9182 169 public static function checkGroupRole($array) {
6a488035 170 $config = CRM_Core_Config::singleton();
41f314b6 171 return $config->userPermissionClass->checkGroupRole($array);
6a488035
TO		 172 }
173
174 /**
d09edf64 175 * Get the permissioned where clause for the user.
6a488035 176 *
6a0b768e
TO		 177 * @param int $type
178 * The type of permission needed.
179 * @param array $tables
180 * (reference ) add the tables that are needed for the select clause.
181 * @param array $whereTables
182 * (reference ) add the tables that are needed for the where clause.
6a488035 183 *
a6c01b45
CW		 184 * @return string
185 * the group where clause for this user
6a488035
TO		 186 */
187 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
188 $config = CRM_Core_Config::singleton();
41f314b6 189 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035
TO		 190 }
191
192 /**
193 * Get all groups from database, filtered by permissions
194 * for this user
195 *
6a0b768e
TO		 196 * @param string $groupType
197 * Type of group(Access/Mailing).
3f8d2862
CW		 198 * @param bool $excludeHidden
199 * exclude hidden groups.
6a488035 200 *
6a488035 201 *
a6c01b45
CW		 202 * @return array
203 * array reference of all groups.
6a488035
TO		 204 */
205 public static function group($groupType, $excludeHidden = TRUE) {
206 $config = CRM_Core_Config::singleton();
41f314b6 207 return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035
TO		 208 }
209
a0ee3941 210 /**
317103ab 211 * @param int $userId
a0ee3941
EM		 212 * @return bool
213 */
317103ab 214 public static function customGroupAdmin($userId = NULL) {
6a488035
TO		 215 // check if user has all powerful permission
216 // or administer civicrm permission (CRM-1905)
317103ab 217 if (self::check('access all custom data', $userId)) {
6a488035
TO		 218 return TRUE;
219 }
220
634e1a1a 221 if (
317103ab 222 self::check('administer Multiple Organizations', $userId) &&
6a488035
TO		 223 self::isMultisiteEnabled()
224 ) {
225 return TRUE;
226 }
227
317103ab 228 if (self::check('administer CiviCRM data', $userId)) {
6a488035
TO		 229 return TRUE;
230 }
231
232 return FALSE;
233 }
234
a0ee3941
EM		 235 /**
236 * @param int $type
237 * @param bool $reset
317103ab 238 * @param int $userId
a0ee3941
EM		 239 *
240 * @return array
241 */
317103ab 242 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE, $userId = NULL) {
41f314b6 243 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
be2fb01f
CW		 244 ['fresh' => $reset]);
245 $defaultGroups = [];
6a488035
TO		 246
247 // check if user has all powerful permission
248 // or administer civicrm permission (CRM-1905)
317103ab
CW		 249 if (self::customGroupAdmin($userId)) {
250 return array_keys($customGroups);
6a488035
TO		 251 }
252
317103ab 253 return CRM_ACL_API::group($type, $userId, 'civicrm_custom_group', $customGroups, $defaultGroups);
6a488035
TO		 254 }
255
a0ee3941
EM		 256 /**
257 * @param int $type
258 * @param null $prefix
259 * @param bool $reset
260 *
261 * @return string
262 */
00be9182 263 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
6a488035
TO		 264 if (self::customGroupAdmin()) {
265 return ' ( 1 ) ';
266 }
267
268 $groups = self::customGroup($type, $reset);
269 if (empty($groups)) {
270 return ' ( 0 ) ';
271 }
272 else {
273 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
274 }
275 }
276
a0ee3941 277 /**
100fef9d 278 * @param int $gid
a0ee3941
EM		 279 * @param int $type
280 *
281 * @return bool
282 */
6a488035
TO		 283 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
284 if (empty($gid)) {
285 return TRUE;
286 }
287
288 $groups = self::ufGroup($type);
63d76404 289 return !empty($groups) && in_array($gid, $groups);
6a488035
TO		 290 }
291
a0ee3941
EM		 292 /**
293 * @param int $type
294 *
295 * @return array
296 */
6a488035 297 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744 298 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035
TO		 299
300 $allGroups = array_keys($ufGroups);
301
302 // check if user has all powerful permission
303 if (self::check('profile listings and forms')) {
304 return $allGroups;
305 }
306
307 switch ($type) {
308 case CRM_Core_Permission::VIEW:
309 if (self::check('profile view')) {
310 return $allGroups;
311 }
312 break;
313
314 case CRM_Core_Permission::CREATE:
315 if (self::check('profile create')) {
316 return $allGroups;
317 }
318 break;
319
320 case CRM_Core_Permission::EDIT:
321 if (self::check('profile edit')) {
322 return $allGroups;
323 }
324 break;
325
326 case CRM_Core_Permission::SEARCH:
327 if (self::check('profile listings')) {
328 return $allGroups;
329 }
330 break;
331 }
332
333 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
334 }
335
a0ee3941
EM		 336 /**
337 * @param int $type
338 * @param null $prefix
339 * @param bool $returnUFGroupIds
340 *
341 * @return array|string
342 */
00be9182 343 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
6a488035
TO		 344 $groups = self::ufGroup($type);
345 if ($returnUFGroupIds) {
346 return $groups;
347 }
348 elseif (empty($groups)) {
349 return ' ( 0 ) ';
350 }
351 else {
352 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
353 }
354 }
355
a0ee3941
EM		 356 /**
357 * @param int $type
100fef9d 358 * @param int $eventID
a0ee3941
EM		 359 * @param string $context
360 *
361 * @return array|null
362 */
e2d09ab4 363 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
22e263ad
TO		 364 if (!empty($context)) {
365 if (CRM_Core_Permission::check($context)) {
e2d09ab4
EM		 366 return TRUE;
367 }
368 }
6a488035 369 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
be2fb01f 370 $includeEvents = [];
6a488035
TO		 371
372 // check if user has all powerful permission
373 if (self::check('register for events')) {
374 $includeEvents = array_keys($events);
375 }
376
377 if ($type == CRM_Core_Permission::VIEW &&
378 self::check('view event info')
379 ) {
380 $includeEvents = array_keys($events);
381 }
382
383 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
384 if (!$eventID) {
385 return $permissionedEvents;
386 }
41f314b6 387 if (!empty($permissionedEvents)) {
2efcf0c2 388 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6 389 }
dfa720e7 390 return NULL;
6a488035
TO		 391 }
392
a0ee3941
EM		 393 /**
394 * @param int $type
395 * @param null $prefix
396 *
397 * @return string
398 */
00be9182 399 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
6a488035
TO		 400 $events = self::event($type);
401 if (empty($events)) {
402 return ' ( 0 ) ';
403 }
404 else {
405 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
406 }
407 }
408
a0ee3941 409 /**
44d17ec8
BS		 410 * Checks that component is enabled and optionally that user has basic perm.
411 *
412 * @param string $module
413 * Specifies the name of the CiviCRM component.
a0ee3941 414 * @param bool $checkPermission
44d17ec8
BS		 415 * Check not only that module is enabled, but that user has necessary
416 * permission.
417 * @param bool $requireAllCasesPermOnCiviCase
418 * Significant only if $module == CiviCase
419 * Require "access all cases and activities", not just
420 * "access my cases and activities".
a0ee3941
EM		 421 *
422 * @return bool
44d17ec8 423 * Access to specified $module is granted.
a0ee3941 424 */
44d17ec8 425 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
6a488035
TO		 426 $config = CRM_Core_Config::singleton();
427
428 if (!in_array($module, $config->enableComponents)) {
429 return FALSE;
430 }
431
432 if ($checkPermission) {
44d17ec8
BS		 433 switch ($module) {
434 case 'CiviCase':
435 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
436 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
437 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
438
439 case 'CiviCampaign':
440 return CRM_Core_Permission::check("administer $module");
441
442 default:
443 return CRM_Core_Permission::check("access $module");
6a488035
TO		 444 }
445 }
446
447 return TRUE;
448 }
449
450 /**
d09edf64 451 * Check permissions for delete and edit actions.
6a488035 452 *
6a0b768e
TO		 453 * @param string $module
454 * Component name.
455 * @param int $action
456 * Action to be check across component.
6a488035 457 *
77b97be7
EM		 458 *
459 * @return bool
460 */
00be9182 461 public static function checkActionPermission($module, $action) {
6a488035
TO		 462 //check delete related permissions.
463 if ($action & CRM_Core_Action::DELETE) {
464 $permissionName = "delete in $module";
465 }
466 else {
be2fb01f 467 $editPermissions = [
6a488035
TO		 468 'CiviEvent' => 'edit event participants',
469 'CiviMember' => 'edit memberships',
470 'CiviPledge' => 'edit pledges',
471 'CiviContribute' => 'edit contributions',
472 'CiviGrant' => 'edit grants',
473 'CiviMail' => 'access CiviMail',
474 'CiviAuction' => 'add auction items',
be2fb01f 475 ];
9c1bc317 476 $permissionName = $editPermissions[$module] ?? NULL;
6a488035
TO		 477 }
478
479 if ($module == 'CiviCase' && !$permissionName) {
480 return CRM_Case_BAO_Case::accessCiviCase();
481 }
482 else {
483 //check for permission.
484 return CRM_Core_Permission::check($permissionName);
485 }
486 }
487
a0ee3941
EM		 488 /**
489 * @param $args
490 * @param string $op
491 *
492 * @return bool
493 */
00be9182 494 public static function checkMenu(&$args, $op = 'and') {
6a488035
TO		 495 if (!is_array($args)) {
496 return $args;
497 }
498 foreach ($args as $str) {
499 $res = CRM_Core_Permission::check($str);
500 if ($op == 'or' && $res) {
501 return TRUE;
502 }
503 elseif ($op == 'and' && !$res) {
504 return FALSE;
505 }
506 }
507 return ($op == 'or') ? FALSE : TRUE;
508 }
509
a0ee3941
EM		 510 /**
511 * @param $item
512 *
513 * @return bool|mixed
514 * @throws Exception
515 */
00be9182 516 public static function checkMenuItem(&$item) {
6a488035
TO		 517 if (!array_key_exists('access_callback', $item)) {
518 CRM_Core_Error::backtrace();
79e11805 519 throw new CRM_Core_Exception('Missing Access Callback key in menu item');
6a488035
TO		 520 }
521
522 // if component_id is present, ensure it is enabled
3d31a5c6
TO		 523 if (isset($item['component_id']) && $item['component_id']) {
524 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
525 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
526 }
527 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
528
6a488035 529 $config = CRM_Core_Config::singleton();
3d31a5c6 530 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
6a488035
TO		 531 // continue with process
532 }
533 else {
534 return FALSE;
535 }
536 }
537
538 // the following is imitating drupal 6 code in includes/menu.inc
539 if (empty($item['access_callback']) ||
540 is_numeric($item['access_callback'])
541 ) {
596a8bdf 542 return (bool) $item['access_callback'];
6a488035
TO		 543 }
544
545 // check whether the following Ajax requests submitted the right key
546 // FIXME: this should be integrated into ACLs proper
547 if (CRM_Utils_Array::value('page_type', $item) == 3) {
548 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
549 return FALSE;
550 }
551 }
552
553 // check if callback is for checkMenu, if so optimize it
554 if (is_array($item['access_callback']) &&
555 $item['access_callback'][0] == 'CRM_Core_Permission' &&
556 $item['access_callback'][1] == 'checkMenu'
557 ) {
558 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
559 return self::checkMenu($item['access_arguments'][0], $op);
560 }
561 else {
562 return call_user_func_array($item['access_callback'], $item['access_arguments']);
563 }
564 }
565
a0ee3941
EM		 566 /**
567 * @param bool $all
9476d8d1 568 * Include disabled components
221b21b4 569 * @param bool $descriptions
9476d8d1 570 * Whether to return descriptions
a0ee3941
EM		 571 *
572 * @return array
573 */
9476d8d1 574 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
be2fb01f 575 $cacheKey = implode('-', [$all, $descriptions]);
9476d8d1
CW		 576 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
577 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
221b21b4 578 }
9476d8d1 579 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
221b21b4
AH		 580 }
581
582 /**
583 * @param bool $all
584 * @param bool $descriptions
585 * whether to return descriptions
586 *
587 * @return array
d2b6eac8 588 * @throws \CRM_Core_Exception
221b21b4 589 */
d2b6eac8 590 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE): array {
591 $permissions = self::getCoreAndComponentPermissions($all);
221b21b4 592
b4d6a411 593 // Add any permissions defined in hook_civicrm_permission implementations.
1a1100ef 594 $module_permissions = CRM_Core_Config::singleton()->userPermissionClass->getAllModulePermissions(TRUE);
b4d6a411 595 $permissions = array_merge($permissions, $module_permissions);
8c282315 596 if (!$descriptions) {
597 foreach ($permissions as $name => $attr) {
598 $permissions[$name] = array_shift($attr);
599 }
600 }
6a488035
TO		 601 return $permissions;
602 }
603
a0ee3941
EM		 604 /**
605 * @return array
606 */
00be9182 607 public static function getAnonymousPermissionsWarnings() {
be2fb01f 608 static $permissions = [];
81bb85ea 609 if (empty($permissions)) {
be2fb01f 610 $permissions = [
21dfd5f5 611 'administer CiviCRM',
be2fb01f 612 ];
81bb85ea
AC		 613 $components = CRM_Core_Component::getComponents();
614 foreach ($components as $comp) {
615 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
616 continue;
617 }
618 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
619 }
620 }
621 return $permissions;
622 }
623
a0ee3941
EM		 624 /**
625 * @param $anonymous_perms
626 *
627 * @return array
628 */
00be9182 629 public static function validateForPermissionWarnings($anonymous_perms) {
81bb85ea
AC		 630 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
631 }
632
a0ee3941 633 /**
6793d6a9 634 * Get core permissions.
221b21b4 635 *
a0ee3941
EM		 636 * @return array
637 */
8c282315 638 public static function getCorePermissions() {
6a488035 639 $prefix = ts('CiviCRM') . ': ';
be2fb01f
CW		 640 $permissions = [
641 'add contacts' => [
221b21b4
AH		 642 $prefix . ts('add contacts'),
643 ts('Create a new contact record in CiviCRM'),
be2fb01f
CW		 644 ],
645 'view all contacts' => [
221b21b4
AH		 646 $prefix . ts('view all contacts'),
647 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
be2fb01f
CW		 648 ],
649 'edit all contacts' => [
221b21b4
AH		 650 $prefix . ts('edit all contacts'),
651 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
be2fb01f
CW		 652 ],
653 'view my contact' => [
221b21b4 654 $prefix . ts('view my contact'),
be2fb01f
CW		 655 ],
656 'edit my contact' => [
221b21b4 657 $prefix . ts('edit my contact'),
be2fb01f
CW		 658 ],
659 'delete contacts' => [
221b21b4 660 $prefix . ts('delete contacts'),
be2fb01f
CW		 661 ],
662 'access deleted contacts' => [
221b21b4
AH		 663 $prefix . ts('access deleted contacts'),
664 ts('Access contacts in the trash'),
be2fb01f
CW		 665 ],
666 'import contacts' => [
221b21b4
AH		 667 $prefix . ts('import contacts'),
668 ts('Import contacts and activities'),
be2fb01f
CW		 669 ],
670 'import SQL datasource' => [
40bc3c68
TO		 671 $prefix . ts('import SQL datasource'),
672 ts('When importing, consume data directly from a SQL datasource'),
be2fb01f
CW		 673 ],
674 'edit groups' => [
221b21b4
AH		 675 $prefix . ts('edit groups'),
676 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
be2fb01f
CW		 677 ],
678 'administer CiviCRM' => [
221b21b4
AH		 679 $prefix . ts('administer CiviCRM'),
680 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
be2fb01f
CW		 681 ],
682 'skip IDS check' => [
221b21b4 683 $prefix . ts('skip IDS check'),
d9a37cbc 684 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
be2fb01f
CW		 685 ],
686 'access uploaded files' => [
221b21b4
AH		 687 $prefix . ts('access uploaded files'),
688 ts('View / download files including images and photos'),
be2fb01f
CW		 689 ],
690 'profile listings and forms' => [
221b21b4 691 $prefix . ts('profile listings and forms'),
d9a37cbc 692 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
be2fb01f
CW		 693 ],
694 'profile listings' => [
221b21b4 695 $prefix . ts('profile listings'),
d9a37cbc 696 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
be2fb01f
CW		 697 ],
698 'profile create' => [
221b21b4 699 $prefix . ts('profile create'),
d9a37cbc 700 ts('Add data in a profile form.'),
be2fb01f
CW		 701 ],
702 'profile edit' => [
221b21b4 703 $prefix . ts('profile edit'),
d9a37cbc 704 ts('Edit data in a profile form.'),
be2fb01f
CW		 705 ],
706 'profile view' => [
221b21b4 707 $prefix . ts('profile view'),
d9a37cbc 708 ts('View data in a profile.'),
be2fb01f
CW		 709 ],
710 'access all custom data' => [
221b21b4
AH		 711 $prefix . ts('access all custom data'),
712 ts('View all custom fields regardless of ACL rules'),
be2fb01f
CW		 713 ],
714 'view all activities' => [
221b21b4
AH		 715 $prefix . ts('view all activities'),
716 ts('View all activities (for visible contacts)'),
be2fb01f
CW		 717 ],
718 'delete activities' => [
221b21b4 719 $prefix . ts('Delete activities'),
be2fb01f
CW		 720 ],
721 'edit inbound email basic information' => [
ee90a98c
CR		 722 $prefix . ts('edit inbound email basic information'),
723 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
be2fb01f
CW		 724 ],
725 'edit inbound email basic information and content' => [
ee90a98c
CR		 726 $prefix . ts('edit inbound email basic information and content'),
727 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
be2fb01f
CW		 728 ],
729 'access CiviCRM' => [
d9a37cbc
H		 730 $prefix . ts('access CiviCRM backend and API'),
731 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
be2fb01f
CW		 732 ],
733 'access Contact Dashboard' => [
221b21b4
AH		 734 $prefix . ts('access Contact Dashboard'),
735 ts('View Contact Dashboard (for themselves and visible contacts)'),
be2fb01f
CW		 736 ],
737 'translate CiviCRM' => [
221b21b4
AH		 738 $prefix . ts('translate CiviCRM'),
739 ts('Allow User to enable multilingual'),
be2fb01f
CW		 740 ],
741 'manage tags' => [
eaaaef83
I		 742 $prefix . ts('manage tags'),
743 ts('Create and rename tags'),
be2fb01f
CW		 744 ],
745 'administer reserved groups' => [
221b21b4
AH		 746 $prefix . ts('administer reserved groups'),
747 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
be2fb01f
CW		 748 ],
749 'administer Tagsets' => [
221b21b4 750 $prefix . ts('administer Tagsets'),
be2fb01f
CW		 751 ],
752 'administer reserved tags' => [
221b21b4 753 $prefix . ts('administer reserved tags'),
be2fb01f
CW		 754 ],
755 'administer dedupe rules' => [
221b21b4
AH		 756 $prefix . ts('administer dedupe rules'),
757 ts('Create and edit rules, change the supervised and unsupervised rules'),
be2fb01f
CW		 758 ],
759 'merge duplicate contacts' => [
221b21b4
AH		 760 $prefix . ts('merge duplicate contacts'),
761 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 762 ],
763 'force merge duplicate contacts' => [
fd630ef9 764 $prefix . ts('force merge duplicate contacts'),
765 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 766 ],
767 'view debug output' => [
221b21b4
AH		 768 $prefix . ts('view debug output'),
769 ts('View results of debug and backtrace'),
be2fb01f 770 ],
02d451ab 771
be2fb01f 772 'view all notes' => [
221b21b4
AH		 773 $prefix . ts('view all notes'),
774 ts("View notes (for visible contacts) even if they're marked admin only"),
be2fb01f
CW		 775 ],
776 'add contact notes' => [
088101a4
O		 777 $prefix . ts('add contact notes'),
778 ts("Create notes for contacts"),
be2fb01f
CW		 779 ],
780 'access AJAX API' => [
221b21b4
AH		 781 $prefix . ts('access AJAX API'),
782 ts('Allow API access even if Access CiviCRM is not granted'),
be2fb01f
CW		 783 ],
784 'access contact reference fields' => [
221b21b4
AH		 785 $prefix . ts('access contact reference fields'),
786 ts('Allow entering data into contact reference fields'),
be2fb01f
CW		 787 ],
788 'create manual batch' => [
221b21b4
AH		 789 $prefix . ts('create manual batch'),
790 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
be2fb01f
CW		 791 ],
792 'edit own manual batches' => [
221b21b4
AH		 793 $prefix . ts('edit own manual batches'),
794 ts('Edit accounting batches created by user'),
be2fb01f
CW		 795 ],
796 'edit all manual batches' => [
221b21b4
AH		 797 $prefix . ts('edit all manual batches'),
798 ts('Edit all accounting batches'),
be2fb01f
CW		 799 ],
800 'close own manual batches' => [
47a98aef 801 $prefix . ts('close own manual batches'),
5ad18cc2 802 ts('Close accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 803 ],
804 'close all manual batches' => [
47a98aef 805 $prefix . ts('close all manual batches'),
5ad18cc2 806 ts('Close all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 807 ],
808 'reopen own manual batches' => [
47a98aef 809 $prefix . ts('reopen own manual batches'),
5ad18cc2 810 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 811 ],
812 'reopen all manual batches' => [
47a98aef 813 $prefix . ts('reopen all manual batches'),
5ad18cc2 814 ts('Reopen all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 815 ],
816 'view own manual batches' => [
221b21b4
AH		 817 $prefix . ts('view own manual batches'),
818 ts('View accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 819 ],
820 'view all manual batches' => [
221b21b4
AH		 821 $prefix . ts('view all manual batches'),
822 ts('View all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 823 ],
824 'delete own manual batches' => [
221b21b4
AH		 825 $prefix . ts('delete own manual batches'),
826 ts('Delete accounting batches created by user'),
be2fb01f
CW		 827 ],
828 'delete all manual batches' => [
221b21b4
AH		 829 $prefix . ts('delete all manual batches'),
830 ts('Delete all accounting batches'),
be2fb01f
CW		 831 ],
832 'export own manual batches' => [
221b21b4
AH		 833 $prefix . ts('export own manual batches'),
834 ts('Export accounting batches created by user'),
be2fb01f
CW		 835 ],
836 'export all manual batches' => [
221b21b4
AH		 837 $prefix . ts('export all manual batches'),
838 ts('Export all accounting batches'),
be2fb01f
CW		 839 ],
840 'administer payment processors' => [
221b21b4
AH		 841 $prefix . ts('administer payment processors'),
842 ts('Add, Update, or Disable Payment Processors'),
be2fb01f 843 ],
ebd92daf
TO		 844 'render templates' => [
845 $prefix . ts('render templates'),
846 ts('Render open-ended template content. (Additional constraints may apply to autoloaded records and specific notations.)'),
847 ],
be2fb01f 848 'edit message templates' => [
221b21b4 849 $prefix . ts('edit message templates'),
be2fb01f
CW		 850 ],
851 'edit system workflow message templates' => [
40a732a9 852 $prefix . ts('edit system workflow message templates'),
be2fb01f
CW		 853 ],
854 'edit user-driven message templates' => [
40a732a9 855 $prefix . ts('edit user-driven message templates'),
be2fb01f
CW		 856 ],
857 'view my invoices' => [
a664e7b3 858 $prefix . ts('view my invoices'),
dc6b437a 859 ts('Allow users to view/ download their own invoices'),
be2fb01f
CW		 860 ],
861 'edit api keys' => [
d4463076
TO		 862 $prefix . ts('edit api keys'),
863 ts('Edit API keys'),
be2fb01f
CW		 864 ],
865 'edit own api keys' => [
d4463076
TO		 866 $prefix . ts('edit own api keys'),
867 ts('Edit user\'s own API keys'),
be2fb01f
CW		 868 ],
869 'send SMS' => [
63483feb
MM		 870 $prefix . ts('send SMS'),
871 ts('Send an SMS'),
be2fb01f 872 ],
755a1835 873 'administer CiviCRM system' => [
874 'label' => $prefix . ts('administer CiviCRM System'),
4c85c7b6 875 'description' => ts('Perform all system administration tasks in CiviCRM'),
755a1835 876 ],
877 'administer CiviCRM data' => [
878 'label' => $prefix . ts('administer CiviCRM Data'),
4c85c7b6 879 'description' => ts('Permit altering all restricted data options'),
755a1835 880 ],
ea54c6e5 881 'all CiviCRM permissions and ACLs' => [
882 'label' => $prefix . ts('all CiviCRM permissions and ACLs'),
883 'description' => ts('Administer and use CiviCRM bypassing any other permission or ACL checks and enabling the creation of displays and forms that allow others to bypass checks. This permission should be given out with care'),
884 ],
be2fb01f 885 ];
ce6b4d9b 886 if (self::isMultisiteEnabled()) {
887 // This could arguably be moved to the multisite extension but
888 // within core it does permit editing group-organization records.
889 $permissions['administer Multiple Organizations'] = [
890 'label' => $prefix . ts('administer Multiple Organizations'),
891 'description' => ts('Administer multiple organizations. In practice this allows editing the group organization link'),
892 ];
893 }
6a488035
TO		 894 return $permissions;
895 }
896
755a1835 897 /**
898 * Get permissions implied by 'superset' permissions.
899 *
900 * @return array
901 */
ea54c6e5 902 public static function getImpliedAdminPermissions(): array {
755a1835 903 return [
ea54c6e5 904 'administer CiviCRM' => ['implied_permissions' => ['administer CiviCRM system', 'administer CiviCRM data']],
905 'administer CiviCRM data' => ['implied_permissions' => ['edit message templates', 'administer dedupe rules']],
906 'administer CiviCRM system' => ['implied_permissions' => ['edit system workflow message templates']],
755a1835 907 ];
908 }
909
910 /**
911 * Get any super-permissions that imply the given permission.
912 *
913 * @param string $permission
914 *
915 * @return array
916 */
ea54c6e5 917 public static function getImpliedPermissionsFor(string $permission): array {
709672c6 918 if (in_array($permission[0], ['@', '*'], TRUE)) {
919 // Special permissions like '*always deny*' - see DynamicFKAuthorizationTest.
920 // Also '@afform - see AfformUsageTest.
921 return [];
922 }
ea54c6e5 923 $implied = Civi::cache('metadata')->get('implied_permissions', []);
924 if (isset($implied[$permission])) {
925 return $implied[$permission];
926 }
709672c6 927 $implied[$permission] = ['all CiviCRM permissions and ACLs'];
928 foreach (self::getImpliedAdminPermissions() as $key => $details) {
ea54c6e5 929 if (in_array($permission, $details['implied_permissions'] ?? [], TRUE)) {
930 $implied[$permission][] = $key;
755a1835 931 }
932 }
ea54c6e5 933 Civi::cache('metadata')->set('implied_permissions', $implied);
934 return $implied[$permission];
755a1835 935 }
936
bf9a7c0f
ES		 937 /**
938 * For each entity provides an array of permissions required for each action
939 *
940 * The action is the array key, possible values:
941 * * create: applies to create (with no id in params)
942 * * update: applies to update, setvalue, create (with id in params)
943 * * get: applies to getcount, getsingle, getvalue and other gets
944 * * delete: applies to delete, replace
945 * * meta: applies to getfields, getoptions, getspec
946 * * default: catch-all for anything not declared
947 *
948 * Note: some APIs declare other actions as well
949 *
950 * Permissions should use arrays for AND and arrays of arrays for OR
1a5a2ade 951 * @see CRM_Core_Permission::check
bf9a7c0f
ES		 952 *
953 * @return array of permissions
954 */
955 public static function getEntityActionPermissions() {
be2fb01f 956 $permissions = [];
bf9a7c0f
ES		 957 // These are the default permissions - if any entity does not declare permissions for a given action,
958 // (or the entity does not declare permissions at all) - then the action will be used from here
be2fb01f 959 $permissions['default'] = [
bf9a7c0f 960 // applies to getfields, getoptions, etc.
be2fb01f 961 'meta' => ['access CiviCRM'],
bf9a7c0f
ES		 962 // catch-all, applies to create, get, delete, etc.
963 // If an entity declares it's own 'default' action it will override this one
be2fb01f
CW		 964 'default' => ['administer CiviCRM'],
965 ];
bf9a7c0f
ES		 966
967 // Note: Additional permissions in DynamicFKAuthorization
be2fb01f
CW		 968 $permissions['attachment'] = [
969 'default' => [
970 ['access CiviCRM', 'access AJAX API'],
971 ],
972 ];
bf9a7c0f
ES		 973
974 // Contact permissions
be2fb01f
CW		 975 $permissions['contact'] = [
976 'create' => [
bf9a7c0f
ES		 977 'access CiviCRM',
978 'add contacts',
be2fb01f
CW		 979 ],
980 'delete' => [
bf9a7c0f
ES		 981 'access CiviCRM',
982 'delete contacts',
be2fb01f 983 ],
bf9a7c0f 984 // managed by query object
be2fb01f 985 'get' => [],
bf9a7c0f 986 // managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 987 'update' => [],
988 'getquick' => [
989 ['access CiviCRM', 'access AJAX API'],
990 ],
991 'duplicatecheck' => [
f257308b 992 'access CiviCRM',
be2fb01f 993 ],
9f8c8b7a 994 'merge' => ['merge duplicate contacts'],
be2fb01f 995 ];
bf9a7c0f 996
cc477693 997 $permissions['dedupe'] = [
998 'getduplicates' => ['access CiviCRM'],
3ea6ec7d 999 'getstatistics' => ['access CiviCRM'],
cc477693 1000 ];
1001
bf9a7c0f 1002 // CRM-16963 - Permissions for country.
be2fb01f
CW		 1003 $permissions['country'] = [
1004 'get' => [
bf9a7c0f 1005 'access CiviCRM',
be2fb01f
CW		 1006 ],
1007 'default' => [
bf9a7c0f 1008 'administer CiviCRM',
be2fb01f
CW		 1009 ],
1010 ];
bf9a7c0f
ES		 1011
1012 // Contact-related data permissions.
be2fb01f 1013 $permissions['address'] = [
bf9a7c0f
ES		 1014 // get is managed by BAO::addSelectWhereClause
1015 // create/delete are managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 1016 'default' => [],
1017 ];
bf9a7c0f
ES		 1018 $permissions['email'] = $permissions['address'];
1019 $permissions['phone'] = $permissions['address'];
1020 $permissions['website'] = $permissions['address'];
1021 $permissions['im'] = $permissions['address'];
1022 $permissions['open_i_d'] = $permissions['address'];
1023
1024 // Also managed by ACLs - CRM-19448
be2fb01f 1025 $permissions['entity_tag'] = ['default' => []];
bf9a7c0f
ES		 1026 $permissions['note'] = $permissions['entity_tag'];
1027
1028 // Allow non-admins to get and create tags to support tagset widget
1029 // Delete is still reserved for admins
be2fb01f
CW		 1030 $permissions['tag'] = [
1031 'get' => ['access CiviCRM'],
1032 'create' => ['access CiviCRM'],
1033 'update' => ['access CiviCRM'],
1034 ];
bf9a7c0f
ES		 1035
1036 //relationship permissions
be2fb01f 1037 $permissions['relationship'] = [
bf9a7c0f 1038 // get is managed by BAO::addSelectWhereClause
be2fb01f
CW		 1039 'get' => [],
1040 'delete' => [
bf9a7c0f
ES		 1041 'access CiviCRM',
1042 'edit all contacts',
be2fb01f
CW		 1043 ],
1044 'default' => [
bf9a7c0f
ES		 1045 'access CiviCRM',
1046 'edit all contacts',
be2fb01f
CW		 1047 ],
1048 ];
bf9a7c0f
ES		 1049
1050 // CRM-17741 - Permissions for RelationshipType.
be2fb01f
CW		 1051 $permissions['relationship_type'] = [
1052 'get' => [
bf9a7c0f 1053 'access CiviCRM',
be2fb01f
CW		 1054 ],
1055 'default' => [
bf9a7c0f 1056 'administer CiviCRM',
be2fb01f
CW		 1057 ],
1058 ];
bf9a7c0f
ES		 1059
1060 // Activity permissions
be2fb01f
CW		 1061 $permissions['activity'] = [
1062 'delete' => [
bf9a7c0f
ES		 1063 'access CiviCRM',
1064 'delete activities',
be2fb01f
CW		 1065 ],
1066 'get' => [
bf9a7c0f
ES		 1067 'access CiviCRM',
1068 // Note that view all activities is also required within the api
1069 // if the id is not passed in. Where the id is passed in the activity
1070 // specific check functions are used and tested.
be2fb01f
CW		 1071 ],
1072 'default' => [
bf9a7c0f
ES		 1073 'access CiviCRM',
1074 'view all activities',
be2fb01f
CW		 1075 ],
1076 ];
cdacd6ab 1077 $permissions['activity_contact'] = $permissions['activity'];
bf9a7c0f
ES		 1078
1079 // Case permissions
be2fb01f
CW		 1080 $permissions['case'] = [
1081 'create' => [
bf9a7c0f
ES		 1082 'access CiviCRM',
1083 'add cases',
be2fb01f
CW		 1084 ],
1085 'delete' => [
bf9a7c0f
ES		 1086 'access CiviCRM',
1087 'delete in CiviCase',
be2fb01f
CW		 1088 ],
1089 'restore' => [
8572e6de 1090 'administer CiviCase',
be2fb01f
CW		 1091 ],
1092 'merge' => [
a6bc7218 1093 'administer CiviCase',
be2fb01f
CW		 1094 ],
1095 'default' => [
bf9a7c0f 1096 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
be2fb01f
CW		 1097 ['access my cases and activities', 'access all cases and activities'],
1098 ],
1099 ];
bf9a7c0f 1100 $permissions['case_contact'] = $permissions['case'];
7b52581f 1101 $permissions['case_activity'] = $permissions['case'];
bf9a7c0f 1102
be2fb01f
CW		 1103 $permissions['case_type'] = [
1104 'default' => ['administer CiviCase'],
1105 'get' => [
bf9a7c0f 1106 // nested array = OR
be2fb01f
CW		 1107 ['access my cases and activities', 'access all cases and activities'],
1108 ],
1109 ];
bf9a7c0f
ES		 1110
1111 // Campaign permissions
be2fb01f
CW		 1112 $permissions['campaign'] = [
1113 'get' => ['access CiviCRM'],
1114 'default' => [
bf9a7c0f 1115 // nested array = OR
be2fb01f
CW		 1116 ['administer CiviCampaign', 'manage campaign'],
1117 ],
1118 ];
bf9a7c0f
ES		 1119 $permissions['survey'] = $permissions['campaign'];
1120
1121 // Financial permissions
be2fb01f
CW		 1122 $permissions['contribution'] = [
1123 'get' => [
bf9a7c0f
ES		 1124 'access CiviCRM',
1125 'access CiviContribute',
be2fb01f
CW		 1126 ],
1127 'delete' => [
bf9a7c0f
ES		 1128 'access CiviCRM',
1129 'access CiviContribute',
1130 'delete in CiviContribute',
be2fb01f
CW		 1131 ],
1132 'completetransaction' => [
bf9a7c0f 1133 'edit contributions',
be2fb01f
CW		 1134 ],
1135 'default' => [
bf9a7c0f
ES		 1136 'access CiviCRM',
1137 'access CiviContribute',
1138 'edit contributions',
be2fb01f
CW		 1139 ],
1140 ];
bf9a7c0f 1141 $permissions['line_item'] = $permissions['contribution'];
7e49aa93 1142 $permissions['product'] = $permissions['contribution'];
bf9a7c0f 1143
ee73f136
MD		 1144 $permissions['financial_item'] = $permissions['contribution'];
1145
bf9a7c0f 1146 // Payment permissions
be2fb01f
CW		 1147 $permissions['payment'] = [
1148 'get' => [
bf9a7c0f
ES		 1149 'access CiviCRM',
1150 'access CiviContribute',
be2fb01f
CW		 1151 ],
1152 'delete' => [
bf9a7c0f
ES		 1153 'access CiviCRM',
1154 'access CiviContribute',
1155 'delete in CiviContribute',
be2fb01f
CW		 1156 ],
1157 'cancel' => [
bf9a7c0f
ES		 1158 'access CiviCRM',
1159 'access CiviContribute',
1160 'edit contributions',
be2fb01f
CW		 1161 ],
1162 'create' => [
bf9a7c0f
ES		 1163 'access CiviCRM',
1164 'access CiviContribute',
1165 'edit contributions',
be2fb01f
CW		 1166 ],
1167 'default' => [
bf9a7c0f
ES		 1168 'access CiviCRM',
1169 'access CiviContribute',
1170 'edit contributions',
be2fb01f
CW		 1171 ],
1172 ];
e4124a88 1173 $permissions['contribution_recur'] = $permissions['payment'];
bf9a7c0f
ES		 1174
1175 // Custom field permissions
be2fb01f
CW		 1176 $permissions['custom_field'] = [
1177 'default' => [
bf9a7c0f
ES		 1178 'administer CiviCRM',
1179 'access all custom data',
be2fb01f
CW		 1180 ],
1181 ];
bf9a7c0f
ES		 1182 $permissions['custom_group'] = $permissions['custom_field'];
1183
1184 // Event permissions
be2fb01f
CW		 1185 $permissions['event'] = [
1186 'create' => [
bf9a7c0f
ES		 1187 'access CiviCRM',
1188 'access CiviEvent',
1189 'edit all events',
be2fb01f
CW		 1190 ],
1191 'delete' => [
bf9a7c0f
ES		 1192 'access CiviCRM',
1193 'access CiviEvent',
1194 'delete in CiviEvent',
be2fb01f
CW		 1195 ],
1196 'get' => [
bf9a7c0f
ES		 1197 'access CiviCRM',
1198 'access CiviEvent',
1199 'view event info',
be2fb01f
CW		 1200 ],
1201 'update' => [
bf9a7c0f
ES		 1202 'access CiviCRM',
1203 'access CiviEvent',
1204 'edit all events',
be2fb01f
CW		 1205 ],
1206 ];
170af518 1207 // Exception refers to dedupe_exception.
1208 $permissions['exception'] = [
1209 'default' => ['merge duplicate contacts'],
1210 ];
5654496c 1211
418ffc5b 1212 $permissions['job'] = [
1213 'process_batch_merge' => ['merge duplicate contacts'],
1214 ];
5654496c 1215 $permissions['rule_group']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
bf9a7c0f
ES		 1216 // Loc block is only used for events
1217 $permissions['loc_block'] = $permissions['event'];
1218
be2fb01f
CW		 1219 $permissions['state_province'] = [
1220 'get' => [
fc2d1728 1221 'access CiviCRM',
be2fb01f
CW		 1222 ],
1223 ];
fc2d1728 1224
bf9a7c0f 1225 // Price sets are shared by several components, user needs access to at least one of them
be2fb01f
CW		 1226 $permissions['price_set'] = [
1227 'default' => [
1228 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1229 ],
1230 'get' => [
1231 ['access CiviCRM', 'view event info', 'make online contributions'],
1232 ],
1233 ];
bf9a7c0f
ES		 1234
1235 // File permissions
be2fb01f
CW		 1236 $permissions['file'] = [
1237 'default' => [
bf9a7c0f
ES		 1238 'access CiviCRM',
1239 'access uploaded files',
be2fb01f
CW		 1240 ],
1241 ];
bf9a7c0f
ES		 1242 $permissions['files_by_entity'] = $permissions['file'];
1243
1244 // Group permissions
be2fb01f
CW		 1245 $permissions['group'] = [
1246 'get' => [
bf9a7c0f 1247 'access CiviCRM',
be2fb01f
CW		 1248 ],
1249 'default' => [
bf9a7c0f
ES		 1250 'access CiviCRM',
1251 'edit groups',
be2fb01f
CW		 1252 ],
1253 ];
bf9a7c0f
ES		 1254
1255 $permissions['group_nesting'] = $permissions['group'];
1256 $permissions['group_organization'] = $permissions['group'];
1257
1258 //Group Contact permission
be2fb01f
CW		 1259 $permissions['group_contact'] = [
1260 'get' => [
bf9a7c0f 1261 'access CiviCRM',
be2fb01f
CW		 1262 ],
1263 'default' => [
bf9a7c0f
ES		 1264 'access CiviCRM',
1265 'edit all contacts',
be2fb01f
CW		 1266 ],
1267 ];
bf9a7c0f
ES		 1268
1269 // CiviMail Permissions
be2fb01f 1270 $civiMailBasePerms = [
bf9a7c0f
ES		 1271 // To get/preview/update, one must have least one of these perms:
1272 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1273 'access CiviMail',
1274 'create mailings',
1275 'schedule mailings',
1276 'approve mailings',
be2fb01f
CW		 1277 ];
1278 $permissions['mailing'] = [
1279 'get' => [
bf9a7c0f
ES		 1280 'access CiviCRM',
1281 $civiMailBasePerms,
be2fb01f
CW		 1282 ],
1283 'delete' => [
bf9a7c0f
ES		 1284 'access CiviCRM',
1285 $civiMailBasePerms,
1286 'delete in CiviMail',
be2fb01f
CW		 1287 ],
1288 'submit' => [
bf9a7c0f 1289 'access CiviCRM',
be2fb01f
CW		 1290 ['access CiviMail', 'schedule mailings'],
1291 ],
1292 'default' => [
bf9a7c0f
ES		 1293 'access CiviCRM',
1294 $civiMailBasePerms,
be2fb01f
CW		 1295 ],
1296 ];
bf9a7c0f
ES		 1297 $permissions['mailing_group'] = $permissions['mailing'];
1298 $permissions['mailing_job'] = $permissions['mailing'];
1299 $permissions['mailing_recipients'] = $permissions['mailing'];
1300
be2fb01f
CW		 1301 $permissions['mailing_a_b'] = [
1302 'get' => [
bf9a7c0f
ES		 1303 'access CiviCRM',
1304 'access CiviMail',
be2fb01f
CW		 1305 ],
1306 'delete' => [
bf9a7c0f
ES		 1307 'access CiviCRM',
1308 'access CiviMail',
1309 'delete in CiviMail',
be2fb01f
CW		 1310 ],
1311 'submit' => [
bf9a7c0f 1312 'access CiviCRM',
be2fb01f
CW		 1313 ['access CiviMail', 'schedule mailings'],
1314 ],
1315 'default' => [
bf9a7c0f
ES		 1316 'access CiviCRM',
1317 'access CiviMail',
be2fb01f
CW		 1318 ],
1319 ];
bf9a7c0f
ES		 1320
1321 // Membership permissions
be2fb01f
CW		 1322 $permissions['membership'] = [
1323 'get' => [
bf9a7c0f
ES		 1324 'access CiviCRM',
1325 'access CiviMember',
be2fb01f
CW		 1326 ],
1327 'delete' => [
bf9a7c0f
ES		 1328 'access CiviCRM',
1329 'access CiviMember',
1330 'delete in CiviMember',
be2fb01f
CW		 1331 ],
1332 'default' => [
bf9a7c0f
ES		 1333 'access CiviCRM',
1334 'access CiviMember',
1335 'edit memberships',
be2fb01f
CW		 1336 ],
1337 ];
bf9a7c0f
ES		 1338 $permissions['membership_status'] = $permissions['membership'];
1339 $permissions['membership_type'] = $permissions['membership'];
be2fb01f
CW		 1340 $permissions['membership_payment'] = [
1341 'create' => [
bf9a7c0f
ES		 1342 'access CiviCRM',
1343 'access CiviMember',
1344 'edit memberships',
1345 'access CiviContribute',
1346 'edit contributions',
be2fb01f
CW		 1347 ],
1348 'delete' => [
bf9a7c0f
ES		 1349 'access CiviCRM',
1350 'access CiviMember',
1351 'delete in CiviMember',
1352 'access CiviContribute',
1353 'delete in CiviContribute',
be2fb01f
CW		 1354 ],
1355 'get' => [
bf9a7c0f
ES		 1356 'access CiviCRM',
1357 'access CiviMember',
1358 'access CiviContribute',
be2fb01f
CW		 1359 ],
1360 'update' => [
bf9a7c0f
ES		 1361 'access CiviCRM',
1362 'access CiviMember',
1363 'edit memberships',
1364 'access CiviContribute',
1365 'edit contributions',
be2fb01f
CW		 1366 ],
1367 ];
bf9a7c0f
ES		 1368
1369 // Participant permissions
be2fb01f
CW		 1370 $permissions['participant'] = [
1371 'create' => [
bf9a7c0f
ES		 1372 'access CiviCRM',
1373 'access CiviEvent',
1374 'register for events',
be2fb01f
CW		 1375 ],
1376 'delete' => [
bf9a7c0f
ES		 1377 'access CiviCRM',
1378 'access CiviEvent',
1379 'edit event participants',
be2fb01f
CW		 1380 ],
1381 'get' => [
bf9a7c0f
ES		 1382 'access CiviCRM',
1383 'access CiviEvent',
1384 'view event participants',
be2fb01f
CW		 1385 ],
1386 'update' => [
bf9a7c0f
ES		 1387 'access CiviCRM',
1388 'access CiviEvent',
1389 'edit event participants',
be2fb01f
CW		 1390 ],
1391 ];
1392 $permissions['participant_payment'] = [
1393 'create' => [
bf9a7c0f
ES		 1394 'access CiviCRM',
1395 'access CiviEvent',
1396 'register for events',
1397 'access CiviContribute',
1398 'edit contributions',
be2fb01f
CW		 1399 ],
1400 'delete' => [
bf9a7c0f
ES		 1401 'access CiviCRM',
1402 'access CiviEvent',
1403 'edit event participants',
1404 'access CiviContribute',
1405 'delete in CiviContribute',
be2fb01f
CW		 1406 ],
1407 'get' => [
bf9a7c0f
ES		 1408 'access CiviCRM',
1409 'access CiviEvent',
1410 'view event participants',
1411 'access CiviContribute',
be2fb01f
CW		 1412 ],
1413 'update' => [
bf9a7c0f
ES		 1414 'access CiviCRM',
1415 'access CiviEvent',
1416 'edit event participants',
1417 'access CiviContribute',
1418 'edit contributions',
be2fb01f
CW		 1419 ],
1420 ];
bf9a7c0f
ES		 1421
1422 // Pledge permissions
be2fb01f
CW		 1423 $permissions['pledge'] = [
1424 'create' => [
bf9a7c0f
ES		 1425 'access CiviCRM',
1426 'access CiviPledge',
1427 'edit pledges',
be2fb01f
CW		 1428 ],
1429 'delete' => [
bf9a7c0f
ES		 1430 'access CiviCRM',
1431 'access CiviPledge',
1432 'delete in CiviPledge',
be2fb01f
CW		 1433 ],
1434 'get' => [
bf9a7c0f
ES		 1435 'access CiviCRM',
1436 'access CiviPledge',
be2fb01f
CW		 1437 ],
1438 'update' => [
bf9a7c0f
ES		 1439 'access CiviCRM',
1440 'access CiviPledge',
1441 'edit pledges',
be2fb01f
CW		 1442 ],
1443 ];
bf9a7c0f
ES		 1444
1445 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
be2fb01f
CW		 1446 $permissions['action_schedule'] = [
1447 'update' => [
1448 [
bf9a7c0f
ES		 1449 'access CiviCRM',
1450 'edit all events',
be2fb01f
CW		 1451 ],
1452 ],
1453 ];
bf9a7c0f 1454
be2fb01f
CW		 1455 $permissions['pledge_payment'] = [
1456 'create' => [
bf9a7c0f
ES		 1457 'access CiviCRM',
1458 'access CiviPledge',
1459 'edit pledges',
1460 'access CiviContribute',
1461 'edit contributions',
be2fb01f
CW		 1462 ],
1463 'delete' => [
bf9a7c0f
ES		 1464 'access CiviCRM',
1465 'access CiviPledge',
1466 'delete in CiviPledge',
1467 'access CiviContribute',
1468 'delete in CiviContribute',
be2fb01f
CW		 1469 ],
1470 'get' => [
bf9a7c0f
ES		 1471 'access CiviCRM',
1472 'access CiviPledge',
1473 'access CiviContribute',
be2fb01f
CW		 1474 ],
1475 'update' => [
bf9a7c0f
ES		 1476 'access CiviCRM',
1477 'access CiviPledge',
1478 'edit pledges',
1479 'access CiviContribute',
1480 'edit contributions',
be2fb01f
CW		 1481 ],
1482 ];
bf9a7c0f 1483
dfcf5ba2
CW		 1484 // Dashboard permissions
1485 $permissions['dashboard'] = [
1486 'get' => [
1487 'access CiviCRM',
1488 ],
1489 ];
1490 $permissions['dashboard_contact'] = [
1491 'default' => [
1492 'access CiviCRM',
1493 ],
1494 ];
1495
9ac56a77
CW		 1496 $permissions['saved_search'] = [
1497 'default' => ['administer CiviCRM data'],
1498 ];
1499
bf9a7c0f 1500 // Profile permissions
be2fb01f 1501 $permissions['profile'] = [
518fa0ee
SL		 1502 // the profile will take care of this
1503 'get' => [],
be2fb01f 1504 ];
bf9a7c0f 1505
be2fb01f
CW		 1506 $permissions['uf_group'] = [
1507 'create' => [
bf9a7c0f 1508 'access CiviCRM',
be2fb01f 1509 [
bf9a7c0f
ES		 1510 'administer CiviCRM',
1511 'manage event profiles',
be2fb01f
CW		 1512 ],
1513 ],
1514 'get' => [
bf9a7c0f 1515 'access CiviCRM',
be2fb01f
CW		 1516 ],
1517 'update' => [
bf9a7c0f 1518 'access CiviCRM',
be2fb01f 1519 [
bf9a7c0f
ES		 1520 'administer CiviCRM',
1521 'manage event profiles',
be2fb01f
CW		 1522 ],
1523 ],
1524 ];
bf9a7c0f 1525 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
be2fb01f 1526 $permissions['uf_field']['delete'] = [
bf9a7c0f 1527 'access CiviCRM',
be2fb01f 1528 [
bf9a7c0f
ES		 1529 'administer CiviCRM',
1530 'manage event profiles',
be2fb01f
CW		 1531 ],
1532 ];
bf9a7c0f
ES		 1533 $permissions['option_value'] = $permissions['uf_group'];
1534 $permissions['option_group'] = $permissions['option_value'];
1535
be2fb01f
CW		 1536 $permissions['custom_value'] = [
1537 'gettree' => ['access CiviCRM'],
1538 ];
f26fa703 1539
be2fb01f
CW		 1540 $permissions['message_template'] = [
1541 'get' => ['access CiviCRM'],
1542 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1543 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1544 ];
4341efe4
JV		 1545
1546 $permissions['report_template']['update'] = 'save Report Criteria';
1547 $permissions['report_template']['create'] = 'save Report Criteria';
bf9a7c0f
ES		 1548 return $permissions;
1549 }
1550
1551 /**
1552 * Translate an unknown action to a canonical form.
1553 *
1554 * @param string $action
1555 *
1556 * @return string
1557 * the standardised action name
1558 */
1559 public static function getGenericAction($action) {
1560 $snippet = substr($action, 0, 3);
1561 if ($action == 'replace' || $snippet == 'del') {
1562 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1563 // on each of those will be tested separately at runtime. This is just a sniff-test
1564 // based on the heuristic that 'delete' tends to be the most closely guarded
1565 // of the necessary permissions.
1566 $action = 'delete';
1567 }
1568 elseif ($action == 'setvalue' || $snippet == 'upd') {
1569 $action = 'update';
1570 }
1571 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1572 $action = 'meta';
1573 }
1574 elseif ($snippet == 'get') {
1575 $action = 'get';
1576 }
1577 return $action;
1578 }
1579
6a488035 1580 /**
d09edf64 1581 * Validate user permission across.
6a488035
TO		 1582 * edit or view or with supportable acls.
1583 *
acb1052e
WA		 1584 * @return bool
1585 */
00be9182 1586 public static function giveMeAllACLs() {
6a488035
TO		 1587 if (CRM_Core_Permission::check('view all contacts') ||
1588 CRM_Core_Permission::check('edit all contacts')
1589 ) {
1590 return TRUE;
1591 }
1592
1593 $session = CRM_Core_Session::singleton();
1594 $contactID = $session->get('userID');
1595
6a488035
TO		 1596 //check for acl.
1597 $aclPermission = self::getPermission();
be2fb01f 1598 if (in_array($aclPermission, [
6a488035 1599 CRM_Core_Permission::EDIT,
41f314b6 1600 CRM_Core_Permission::VIEW,
be2fb01f 1601 ])
41f314b6 1602 ) {
6a488035
TO		 1603 return TRUE;
1604 }
1605
1606 // run acl where hook and see if the user is supplying an ACL clause
1607 // that is not false
be2fb01f 1608 $tables = $whereTables = [];
6a488035
TO		 1609 $where = NULL;
1610
1611 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1612 $tables, $whereTables,
1613 $contactID, $where
1614 );
1615 return empty($whereTables) ? FALSE : TRUE;
1616 }
1617
1618 /**
100fef9d 1619 * Get component name from given permission.
6a488035 1620 *
41f314b6 1621 * @param string $permission
6a488035 1622 *
76e7a76c
CW		 1623 * @return null|string
1624 * the name of component.
6a488035 1625 */
00be9182 1626 public static function getComponentName($permission) {
6a488035
TO		 1627 $componentName = NULL;
1628 $permission = trim($permission);
1629 if (empty($permission)) {
1630 return $componentName;
1631 }
1632
be2fb01f 1633 static $allCompPermissions = [];
6a488035
TO		 1634 if (empty($allCompPermissions)) {
1635 $components = CRM_Core_Component::getComponents();
1636 foreach ($components as $name => $comp) {
33777e4a
PJ		 1637 //get all permissions of each components unconditionally
1638 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035
TO		 1639 }
1640 }
1641
1642 if (is_array($allCompPermissions)) {
1643 foreach ($allCompPermissions as $name => $permissions) {
b9021475 1644 if (array_key_exists($permission, $permissions)) {
6a488035
TO		 1645 $componentName = $name;
1646 break;
1647 }
1648 }
1649 }
1650
1651 return $componentName;
1652 }
1653
1654 /**
d09edf64 1655 * Get all the contact emails for users that have a specific permission.
6a488035 1656 *
6a0b768e
TO		 1657 * @param string $permissionName
1658 * Name of the permission we are interested in.
6a488035 1659 *
a6c01b45
CW		 1660 * @return string
1661 * a comma separated list of email addresses
6a488035
TO		 1662 */
1663 public static function permissionEmails($permissionName) {
1664 $config = CRM_Core_Config::singleton();
41f314b6 1665 return $config->userPermissionClass->permissionEmails($permissionName);
6a488035
TO		 1666 }
1667
1668 /**
d09edf64 1669 * Get all the contact emails for users that have a specific role.
6a488035 1670 *
6a0b768e
TO		 1671 * @param string $roleName
1672 * Name of the role we are interested in.
6a488035 1673 *
a6c01b45
CW		 1674 * @return string
1675 * a comma separated list of email addresses
6a488035
TO		 1676 */
1677 public static function roleEmails($roleName) {
1678 $config = CRM_Core_Config::singleton();
41f314b6 1679 return $config->userRoleClass->roleEmails($roleName);
6a488035
TO		 1680 }
1681
a0ee3941
EM		 1682 /**
1683 * @return bool
1684 */
00be9182 1685 public static function isMultisiteEnabled() {
63d76404 1686 return (bool) Civi::settings()->get('is_enabled');
6a488035 1687 }
96025800 1688
dc6b437a
GC		 1689 /**
1690 * Verify if the user has permission to get the invoice.
1691 *
1692 * @return bool
1693 * TRUE if the user has download all invoices permission or download my
1694 * invoices permission and the invoice author is the current user.
1695 */
1696 public static function checkDownloadInvoice() {
4cfd4f45 1697 $cid = CRM_Core_Session::getLoggedInContactID();
dc6b437a
GC		 1698 if (CRM_Core_Permission::check('access CiviContribute') ||
1699 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1700 ) {
1701 return TRUE;
1702 }
1703 return FALSE;
1704 }
1705
b4d6a411 1706 /**
d2b6eac8 1707 * Get permissions for components.
1708 *
b4d6a411 1709 * @param bool $includeDisabled
1710 *
1711 * @return array
1712 * @throws \CRM_Core_Exception
1713 */
1714 protected static function getComponentPermissions(bool $includeDisabled): array {
1715 if (!$includeDisabled) {
1716 $components = CRM_Core_Component::getEnabledComponents();
1717 }
1718 else {
1719 $components = CRM_Core_Component::getComponents();
1720 }
1721
1722 $permissions = [];
1723 foreach ($components as $comp) {
1724 $perm = $comp->getPermissions($includeDisabled, TRUE);
1725 if ($perm) {
1726 $info = $comp->getInfo();
1727 foreach ($perm as $p => $attr) {
1728
1729 if (!is_array($attr)) {
1730 $attr = [$attr];
1731 }
1732
1733 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
1734 $permissions[$p] = $attr;
1735 }
1736 }
1737 }
1738 return $permissions;
1739 }
1740
d2b6eac8 1741 /**
1742 * Get permissions for core functionality and for that of core components.
1743 *
1744 * @param bool $all
1745 *
1746 * @return array
1747 * @throws \CRM_Core_Exception
1748 */
1749 protected static function getCoreAndComponentPermissions(bool $all): array {
1750 $permissions = self::getCorePermissions();
1751 $permissions = array_merge($permissions, self::getComponentPermissions($all));
ea54c6e5 1752 $permissions['all CiviCRM permissions and ACLs']['implied_permissions'] = array_keys($permissions);
d2b6eac8 1753 return $permissions;
1754 }
1755
6a488035 1756}