[civicrm-core.git] / CRM / Core / Permission.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.4                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2013                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2013
 * $Id$
 *
 */

/**
 * This is the basic permission class wrapper
 */
class CRM_Core_Permission {

  /**
   * Static strings used to compose permissions
   *
   * @const
   * @var string
   */
  CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';

  /**
   * The various type of permissions
   *
   * @var int
   */
  CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;

  /**
   * A placeholder permission which always fails
   */
  const ALWAYS_DENY_PERMISSION = "*always deny*";

  /**
   * A placeholder permission which always fails
   */
  const ALWAYS_ALLOW_PERMISSION = "*always allow*";

  /**
   * Various authentication sources
   *
   * @var int
   */
  CONST AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;

  /**
   * get the current permission of this user
   *
   * @return string the permission of the user (edit or view or null)
   */
  public static function getPermission() {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermission();
  }

  /**
   * given a permission string or array, check for access requirements
   * @param mixed $permissions the permission to check as an array or string -see examples
   *  arrays
   *
   *  Ex 1
   *
   *  Must have 'access CiviCRM'
   *  (string) 'access CiviCRM'
   *
   *
   *  Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
   *   array('access CiviCRM', 'access Ajax API')
   *
   *  Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
   *   array(
   *      array('access CiviCRM', 'access Ajax API'),
   *   ),
   *
   *  Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
   *  array(
   *    array('access CiviCRM', 'access Ajax API'),
   *    'access CiviEvent',
   *   ),
   *
   *  Note that in permissions.php this is keyed by the action eg.
   *  (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
   *  'myaction' => array(
   *    array('access CiviCRM', 'access Ajax API'),
   *    array('access CiviEvent', 'access CiviContribute')
   *  ),
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function check($permissions) {
    $permissions = (array) $permissions;

    foreach ($permissions as $permission) {
      if(is_array($permission)) {
        foreach ($permission as $orPerm) {
          if(self::check($orPerm)) {
            //one of our 'or' permissions has succeeded - stop checking this permission
            return TRUE;;
          }
        }
        //none of our our conditions was met
        return FALSE;
      }
      else {
        if(!CRM_Core_Config::singleton()->userPermissionClass->check($permission)) {
          //one of our 'and' conditions has not been met
          return FALSE;
        }
      }
    }
    return TRUE;
  }

  /**
   * Determine if any one of the permissions strings applies to current user
   *
   * @param array $perms
   * @return bool
   */
  public static function checkAnyPerm($perms) {
    foreach ($perms as $perm) {
      if (CRM_Core_Permission::check($perm)) {
        return TRUE;
      }
    }
    return FALSE;
  }

  /**
   * Given a group/role array, check for access requirements
   *
   * @param array $array the group/role to check
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function checkGroupRole($array) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->checkGroupRole($array);
  }

  /**
   * Get the permissioned where clause for the user
   *
   * @param int $type the type of permission needed
   * @param  array $tables (reference ) add the tables that are needed for the select clause
   * @param  array $whereTables (reference ) add the tables that are needed for the where clause
   *
   * @return string the group where clause for this user
   * @access public
   */
  public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
  }

  /**
   * Get all groups from database, filtered by permissions
   * for this user
   *
   * @param string $groupType     type of group(Access/Mailing)
   * @param boolen $excludeHidden exclude hidden groups.
   *
   * @access public
   * @static
   *
   * @return array - array reference of all groups.
   *
   */
  public static function group($groupType, $excludeHidden = TRUE) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->group($groupType, $excludeHidden);
  }

  public static function customGroupAdmin() {
    $admin = FALSE;

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::check('access all custom data')) {
      return TRUE;
    }

    if (
      self::check('administer Multiple Organizations') &&
      self::isMultisiteEnabled()
    ) {
      return TRUE;
    }

    if (self::check('administer CiviCRM')) {
      return TRUE;
    }

    return FALSE;
  }

  public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
    $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
      array('fresh' => $reset));
    $defaultGroups = array();

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::customGroupAdmin()) {
      $defaultGroups = array_keys($customGroups);
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
  }

  static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
    if (self::customGroupAdmin()) {
      return ' ( 1 ) ';
    }

    $groups = self::customGroup($type, $reset);
    if (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
    if (empty($gid)) {
      return TRUE;
    }

    $groups = self::ufGroup($type);
    return in_array($gid, $groups) ? TRUE : FALSE;
  }

  public static function ufGroup($type = CRM_Core_Permission::VIEW) {
    $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');

    $allGroups = array_keys($ufGroups);

    // check if user has all powerful permission
    if (self::check('profile listings and forms')) {
      return $allGroups;
    }

    switch ($type) {
      case CRM_Core_Permission::VIEW:
        if (self::check('profile view')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::CREATE:
        if (self::check('profile create')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::EDIT:
        if (self::check('profile edit')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::SEARCH:
        if (self::check('profile listings')) {
          return $allGroups;
        }
        break;
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
  }

  static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
    $groups = self::ufGroup($type);
    if ($returnUFGroupIds) {
      return $groups;
    }
    elseif (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
    $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
    $includeEvents = array();

    // check if user has all powerful permission
    if (self::check('register for events')) {
      $includeEvents = array_keys($events);
    }

    if ($type == CRM_Core_Permission::VIEW &&
      self::check('view event info')
    ) {
      $includeEvents = array_keys($events);
    }

    $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
    if (!$eventID) {
      return $permissionedEvents;
    }
    if (!empty($permissionedEvents)) {
      return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
    }
    else {
      return $eventID;
    }
  }

  static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
    $events = self::event($type);
    if (empty($events)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
    }
  }

  static function access($module, $checkPermission = TRUE) {
    $config = CRM_Core_Config::singleton();

    if (!in_array($module, $config->enableComponents)) {
      return FALSE;
    }

    if ($checkPermission) {
      if ($module == 'CiviCase') {
        return CRM_Case_BAO_Case::accessCiviCase();
      }
      else {
        return CRM_Core_Permission::check("access $module");
      }
    }

    return TRUE;
  }

  /**
   * check permissions for delete and edit actions
   *
   * @param string $module component name.
   * @param $action action to be check across component
   *
   **/
  static function checkActionPermission($module, $action) {
    //check delete related permissions.
    if ($action & CRM_Core_Action::DELETE) {
      $permissionName = "delete in $module";
    }
    else {
      $editPermissions = array(
        'CiviEvent' => 'edit event participants',
        'CiviMember' => 'edit memberships',
        'CiviPledge' => 'edit pledges',
        'CiviContribute' => 'edit contributions',
        'CiviGrant' => 'edit grants',
        'CiviMail' => 'access CiviMail',
        'CiviAuction' => 'add auction items',
      );
      $permissionName = CRM_Utils_Array::value($module, $editPermissions);
    }

    if ($module == 'CiviCase' && !$permissionName) {
      return CRM_Case_BAO_Case::accessCiviCase();
    }
    else {
      //check for permission.
      return CRM_Core_Permission::check($permissionName);
    }
  }

  static function checkMenu(&$args, $op = 'and') {
    if (!is_array($args)) {
      return $args;
    }
    foreach ($args as $str) {
      $res = CRM_Core_Permission::check($str);
      if ($op == 'or' && $res) {
        return TRUE;
      }
      elseif ($op == 'and' && !$res) {
        return FALSE;
      }
    }
    return ($op == 'or') ? FALSE : TRUE;
  }

  static function checkMenuItem(&$item) {
    if (!array_key_exists('access_callback', $item)) {
      CRM_Core_Error::backtrace();
      CRM_Core_Error::fatal();
    }

    // if component_id is present, ensure it is enabled
    if (isset($item['component_id']) &&
      $item['component_id']
    ) {
      $config = CRM_Core_Config::singleton();
      if (is_array($config->enableComponentIDs) &&
        in_array($item['component_id'], $config->enableComponentIDs)
      ) {
        // continue with process
      }
      else {
        return FALSE;
      }
    }

    // the following is imitating drupal 6 code in includes/menu.inc
    if (empty($item['access_callback']) ||
      is_numeric($item['access_callback'])
    ) {
      return (boolean ) $item['access_callback'];
    }

    // check whether the following Ajax requests submitted the right key
    // FIXME: this should be integrated into ACLs proper
    if (CRM_Utils_Array::value('page_type', $item) == 3) {
      if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
        return FALSE;
      }
    }

    // check if callback is for checkMenu, if so optimize it
    if (is_array($item['access_callback']) &&
      $item['access_callback'][0] == 'CRM_Core_Permission' &&
      $item['access_callback'][1] == 'checkMenu'
    ) {
      $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
      return self::checkMenu($item['access_arguments'][0], $op);
    }
    else {
      return call_user_func_array($item['access_callback'], $item['access_arguments']);
    }
  }

  static function &basicPermissions($all = FALSE) {
    static $permissions = NULL;

    if (!$permissions) {
      $prefix = ts('CiviCRM') . ': ';
      $permissions = self::getCorePermissions();

      if (self::isMultisiteEnabled()) {
        $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
      }

      $config = CRM_Core_Config::singleton();

      if (!$all) {
        $components = CRM_Core_Component::getEnabledComponents();
      }
      else {
        $components = CRM_Core_Component::getComponents();
      }

      foreach ($components as $comp) {
        $perm = $comp->getPermissions();
        if ($perm) {
          $info = $comp->getInfo();
          foreach ($perm as $p) {
            $permissions[$p] = $info['translatedName'] . ': ' . $p;
          }
        }
      }

      // Add any permissions defined in hook_civicrm_permission implementations.
      $config = CRM_Core_Config::singleton();
      $module_permissions = $config->userPermissionClass->getAllModulePermissions();
      $permissions = array_merge($permissions, $module_permissions);
    }

    return $permissions;
  }

  static function getCorePermissions() {
    $prefix = ts('CiviCRM') . ': ';
    $permissions = array(
      'add contacts' => $prefix . ts('add contacts'),
      'view all contacts' => $prefix . ts('view all contacts'),
      'edit all contacts' => $prefix . ts('edit all contacts'),
      'view my contact' => $prefix . ts('view my contact'),
      'edit my contact' => $prefix . ts('edit my contact'),
      'delete contacts' => $prefix . ts('delete contacts'),
      'access deleted contacts' => $prefix . ts('access deleted contacts'),
      'import contacts' => $prefix . ts('import contacts'),
      'edit groups' => $prefix . ts('edit groups'),
      'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
      'skip IDS check' => $prefix . ts('skip IDS check'),
      'access uploaded files' => $prefix . ts('access uploaded files'),
      'profile listings and forms' => $prefix . ts('profile listings and forms'),
      'profile listings' => $prefix . ts('profile listings'),
      'profile create' => $prefix . ts('profile create'),
      'profile edit' => $prefix . ts('profile edit'),
      'profile view' => $prefix . ts('profile view'),
      'access all custom data' => $prefix . ts('access all custom data'),
      'view all activities' => $prefix . ts('view all activities'),
      'delete activities' => $prefix . ts('delete activities'),
      'access CiviCRM' => $prefix . ts('access CiviCRM'),
      'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
      'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
      'administer reserved groups' => $prefix . ts('administer reserved groups'),
      'administer Tagsets' => $prefix . ts('administer Tagsets'),
      'administer reserved tags' => $prefix . ts('administer reserved tags'),
      'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
      'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
      'view debug output' => $prefix . ts('view debug output'),
      'view all notes' => $prefix . ts('view all notes'),
      'access AJAX API' => $prefix . ts('access AJAX API'),
      'access contact reference fields' => $prefix . ts('access contact reference fields'),
      'create manual batch' => $prefix . ts('create manual batch'),
      'edit own manual batches' => $prefix . ts('edit own manual batches'),
      'edit all manual batches' => $prefix . ts('edit all manual batches'),
      'view own manual batches' => $prefix . ts('view own manual batches'),
      'view all manual batches' => $prefix . ts('view all manual batches'),
      'delete own manual batches' => $prefix . ts('delete own manual batches'),
      'delete all manual batches' => $prefix . ts('delete all manual batches'),
      'export own manual batches' => $prefix . ts('export own manual batches'),
      'export all manual batches' => $prefix . ts('export all manual batches'),
    );

    return $permissions;
  }

  /**
   * Validate user permission across
   * edit or view or with supportable acls.
   *
   * return boolean true/false.
   **/
  static function giveMeAllACLs() {
    if (CRM_Core_Permission::check('view all contacts') ||
      CRM_Core_Permission::check('edit all contacts')
    ) {
      return TRUE;
    }

    $session = CRM_Core_Session::singleton();
    $contactID = $session->get('userID');

    //check for acl.
    $aclPermission = self::getPermission();
    if (in_array($aclPermission, array(
      CRM_Core_Permission::EDIT,
      CRM_Core_Permission::VIEW,
    ))
    ) {
      return TRUE;
    }

    // run acl where hook and see if the user is supplying an ACL clause
    // that is not false
    $tables = $whereTables = array();
    $where = NULL;

    CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
      $tables, $whereTables,
      $contactID, $where
    );
    return empty($whereTables) ? FALSE : TRUE;
  }

  /**
   * Function to get component name from given permission.
   *
   * @param string $permission
   *
   * return string $componentName the name of component.
   * @static
   */
  static function getComponentName($permission) {
    $componentName = NULL;
    $permission = trim($permission);
    if (empty($permission)) {
      return $componentName;
    }

    static $allCompPermissions = array();
    if (empty($allCompPermissions)) {
      $components = CRM_Core_Component::getComponents();
      foreach ($components as $name => $comp) {
        //get all permissions of each components unconditionally
        $allCompPermissions[$name] = $comp->getPermissions(TRUE);
      }
    }

    if (is_array($allCompPermissions)) {
      foreach ($allCompPermissions as $name => $permissions) {
        if (in_array($permission, $permissions)) {
          $componentName = $name;
          break;
        }
      }
    }

    return $componentName;
  }

  /**
   * Get all the contact emails for users that have a specific permission
   *
   * @param string $permissionName name of the permission we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function permissionEmails($permissionName) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->permissionEmails($permissionName);
  }

  /**
   * Get all the contact emails for users that have a specific role
   *
   * @param string $roleName name of the role we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function roleEmails($roleName) {
    $config = CRM_Core_Config::singleton();
    return $config->userRoleClass->roleEmails($roleName);
  }

  static function isMultisiteEnabled() {
    return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
      'is_enabled'
    ) ? TRUE : FALSE;
  }
}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
232624b1	4	\| CiviCRM version 4.4 \|
6a488035 TO	5	+--------------------------------------------------------------------+
	6	\| Copyright CiviCRM LLC (c) 2004-2013 \|
	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	*
	30	* @package CRM
	31	* @copyright CiviCRM LLC (c) 2004-2013
	32	* $Id$
	33	*
	34	*/
	35
	36	/**
	37	* This is the basic permission class wrapper
	38	*/
	39	class CRM_Core_Permission {
	40
	41	/**
	42	* Static strings used to compose permissions
	43	*
	44	* @const
	45	* @var string
	46	*/
	47	CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
	48
	49	/**
	50	* The various type of permissions
	51	*
	52	* @var int
	53	*/
	54	CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
	55
085823c1 TO	56	/**
	57	* A placeholder permission which always fails
	58	*/
	59	const ALWAYS_DENY_PERMISSION = "always deny";
	60
	61	/**
	62	* A placeholder permission which always fails
	63	*/
	64	const ALWAYS_ALLOW_PERMISSION = "always allow";
	65
6dd18b98 DS	66	/**
	67	* Various authentication sources
	68	*
	69	* @var int
	70	*/
e8f14831	71	CONST AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98	72
6a488035 TO	73	/**
	74	* get the current permission of this user
	75	*
	76	* @return string the permission of the user (edit or view or null)
	77	*/
	78	public static function getPermission() {
	79	$config = CRM_Core_Config::singleton();
41f314b6	80	return $config->userPermissionClass->getPermission();
6a488035 TO	81	}
	82
	83	/**
60ec9f43 E	84	* given a permission string or array, check for access requirements
	85	* @param mixed $permissions the permission to check as an array or string -see examples
	86	* arrays
6a488035	87	*
60ec9f43 E	88	* Ex 1
	89	*
	90	* Must have 'access CiviCRM'
	91	* (string) 'access CiviCRM'
	92	*
	93	*
	94	* Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
	95	* array('access CiviCRM', 'access Ajax API')
	96	*
	97	* Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
	98	* array(
	99	* array('access CiviCRM', 'access Ajax API'),
	100	* ),
	101	*
	102	* Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
	103	* array(
	104	* array('access CiviCRM', 'access Ajax API'),
	105	* 'access CiviEvent',
	106	* ),
	107	*
	108	* Note that in permissions.php this is keyed by the action eg.
	109	* (access Civi \|\| access AJAX) && (access CiviEvent \|\| access CiviContribute)
	110	* 'myaction' => array(
	111	* array('access CiviCRM', 'access Ajax API'),
	112	* array('access CiviEvent', 'access CiviContribute')
	113	* ),
6a488035 TO	114	*
	115	* @return boolean true if yes, else false
	116	* @static
	117	* @access public
	118	*/
60ec9f43 E	119	static function check($permissions) {
	120	$permissions = (array) $permissions;
	121
	122	foreach ($permissions as $permission) {
	123	if(is_array($permission)) {
	124	foreach ($permission as $orPerm) {
	125	if(self::check($orPerm)) {
	126	//one of our 'or' permissions has succeeded - stop checking this permission
	127	return TRUE;;
	128	}
	129	}
	130	//none of our our conditions was met
	131	return FALSE;
	132	}
	133	else {
	134	if(!CRM_Core_Config::singleton()->userPermissionClass->check($permission)) {
	135	//one of our 'and' conditions has not been met
	136	return FALSE;
	137	}
	138	}
	139	}
	140	return TRUE;
6a488035 TO	141	}
6a488035 TO	142
dc92f2f8 TO	143	/**
	144	* Determine if any one of the permissions strings applies to current user
	145	*
	146	* @param array $perms
	147	* @return bool
	148	*/
	149	public static function checkAnyPerm($perms) {
	150	foreach ($perms as $perm) {
	151	if (CRM_Core_Permission::check($perm)) {
	152	return TRUE;
	153	}
	154	}
	155	return FALSE;
	156	}
	157
6a488035 TO	158	/**
	159	* Given a group/role array, check for access requirements
	160	*
	161	* @param array $array the group/role to check
	162	*
	163	* @return boolean true if yes, else false
	164	* @static
	165	* @access public
	166	*/
	167	static function checkGroupRole($array) {
	168	$config = CRM_Core_Config::singleton();
41f314b6	169	return $config->userPermissionClass->checkGroupRole($array);
6a488035 TO	170	}
	171
	172	/**
	173	* Get the permissioned where clause for the user
	174	*
	175	* @param int $type the type of permission needed
	176	* @param array $tables (reference ) add the tables that are needed for the select clause
	177	* @param array $whereTables (reference ) add the tables that are needed for the where clause
	178	*
	179	* @return string the group where clause for this user
	180	* @access public
	181	*/
	182	public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
	183	$config = CRM_Core_Config::singleton();
41f314b6	184	return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035 TO	185	}
	186
	187	/**
	188	* Get all groups from database, filtered by permissions
	189	* for this user
	190	*
	191	* @param string $groupType type of group(Access/Mailing)
	192	* @param boolen $excludeHidden exclude hidden groups.
	193	*
	194	* @access public
	195	* @static
	196	*
	197	* @return array - array reference of all groups.
	198	*
	199	*/
	200	public static function group($groupType, $excludeHidden = TRUE) {
	201	$config = CRM_Core_Config::singleton();
41f314b6	202	return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035 TO	203	}
	204
	205	public static function customGroupAdmin() {
	206	$admin = FALSE;
	207
	208	// check if user has all powerful permission
	209	// or administer civicrm permission (CRM-1905)
	210	if (self::check('access all custom data')) {
	211	return TRUE;
	212	}
	213
634e1a1a DL	214	if (
634e1a1a DL	215	self::check('administer Multiple Organizations') &&
6a488035 TO	216	self::isMultisiteEnabled()
	217	) {
	218	return TRUE;
	219	}
	220
	221	if (self::check('administer CiviCRM')) {
	222	return TRUE;
	223	}
	224
	225	return FALSE;
	226	}
	227
	228	public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6	229	$customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
41f314b6	230	array('fresh' => $reset));
6a488035 TO	231	$defaultGroups = array();
	232
	233	// check if user has all powerful permission
	234	// or administer civicrm permission (CRM-1905)
	235	if (self::customGroupAdmin()) {
	236	$defaultGroups = array_keys($customGroups);
	237	}
	238
	239	return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
	240	}
	241
	242	static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
	243	if (self::customGroupAdmin()) {
	244	return ' ( 1 ) ';
	245	}
	246
	247	$groups = self::customGroup($type, $reset);
	248	if (empty($groups)) {
	249	return ' ( 0 ) ';
	250	}
	251	else {
	252	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
	253	}
	254	}
	255
	256	public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
	257	if (empty($gid)) {
	258	return TRUE;
	259	}
	260
	261	$groups = self::ufGroup($type);
	262	return in_array($gid, $groups) ? TRUE : FALSE;
	263	}
	264
	265	public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744	266	$ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035 TO	267
	268	$allGroups = array_keys($ufGroups);
	269
	270	// check if user has all powerful permission
	271	if (self::check('profile listings and forms')) {
	272	return $allGroups;
	273	}
	274
	275	switch ($type) {
	276	case CRM_Core_Permission::VIEW:
	277	if (self::check('profile view')) {
	278	return $allGroups;
	279	}
	280	break;
	281
	282	case CRM_Core_Permission::CREATE:
	283	if (self::check('profile create')) {
	284	return $allGroups;
	285	}
	286	break;
	287
	288	case CRM_Core_Permission::EDIT:
	289	if (self::check('profile edit')) {
	290	return $allGroups;
	291	}
	292	break;
	293
	294	case CRM_Core_Permission::SEARCH:
	295	if (self::check('profile listings')) {
	296	return $allGroups;
	297	}
	298	break;
	299	}
	300
	301	return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
	302	}
	303
	304	static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
	305	$groups = self::ufGroup($type);
	306	if ($returnUFGroupIds) {
	307	return $groups;
	308	}
	309	elseif (empty($groups)) {
	310	return ' ( 0 ) ';
	311	}
	312	else {
	313	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
	314	}
	315	}
	316
	317	public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
	318	$events = CRM_Event_PseudoConstant::event(NULL, TRUE);
	319	$includeEvents = array();
	320
	321	// check if user has all powerful permission
	322	if (self::check('register for events')) {
	323	$includeEvents = array_keys($events);
	324	}
	325
	326	if ($type == CRM_Core_Permission::VIEW &&
	327	self::check('view event info')
	328	) {
	329	$includeEvents = array_keys($events);
	330	}
331
332	$permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
333	if (!$eventID) {
334	return $permissionedEvents;
335	}
41f314b6	336	if (!empty($permissionedEvents)) {
2efcf0c2	337	return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6	338	}
41f314b6	339	else {
d551c85d DG	340	return $eventID;
d551c85d DG	341	}
6a488035 TO	342	}
	343
	344	static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
	345	$events = self::event($type);
	346	if (empty($events)) {
	347	return ' ( 0 ) ';
	348	}
	349	else {
	350	return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
	351	}
	352	}
	353
	354	static function access($module, $checkPermission = TRUE) {
	355	$config = CRM_Core_Config::singleton();
	356
	357	if (!in_array($module, $config->enableComponents)) {
	358	return FALSE;
	359	}
	360
	361	if ($checkPermission) {
	362	if ($module == 'CiviCase') {
	363	return CRM_Case_BAO_Case::accessCiviCase();
	364	}
	365	else {
	366	return CRM_Core_Permission::check("access $module");
	367	}
	368	}
	369
	370	return TRUE;
	371	}
	372
	373	/**
	374	* check permissions for delete and edit actions
	375	*
41f314b6	376	* @param string $module component name.
6a488035 TO	377	* @param $action action to be check across component
	378	*
	379	**/
	380	static function checkActionPermission($module, $action) {
	381	//check delete related permissions.
	382	if ($action & CRM_Core_Action::DELETE) {
	383	$permissionName = "delete in $module";
	384	}
	385	else {
	386	$editPermissions = array(
	387	'CiviEvent' => 'edit event participants',
	388	'CiviMember' => 'edit memberships',
	389	'CiviPledge' => 'edit pledges',
	390	'CiviContribute' => 'edit contributions',
	391	'CiviGrant' => 'edit grants',
	392	'CiviMail' => 'access CiviMail',
	393	'CiviAuction' => 'add auction items',
	394	);
	395	$permissionName = CRM_Utils_Array::value($module, $editPermissions);
	396	}
	397
	398	if ($module == 'CiviCase' && !$permissionName) {
	399	return CRM_Case_BAO_Case::accessCiviCase();
	400	}
	401	else {
	402	//check for permission.
	403	return CRM_Core_Permission::check($permissionName);
	404	}
	405	}
	406
	407	static function checkMenu(&$args, $op = 'and') {
	408	if (!is_array($args)) {
	409	return $args;
	410	}
	411	foreach ($args as $str) {
	412	$res = CRM_Core_Permission::check($str);
	413	if ($op == 'or' && $res) {
	414	return TRUE;
	415	}
	416	elseif ($op == 'and' && !$res) {
	417	return FALSE;
	418	}
	419	}
	420	return ($op == 'or') ? FALSE : TRUE;
	421	}
	422
	423	static function checkMenuItem(&$item) {
	424	if (!array_key_exists('access_callback', $item)) {
	425	CRM_Core_Error::backtrace();
	426	CRM_Core_Error::fatal();
	427	}
	428
	429	// if component_id is present, ensure it is enabled
	430	if (isset($item['component_id']) &&
	431	$item['component_id']
	432	) {
	433	$config = CRM_Core_Config::singleton();
	434	if (is_array($config->enableComponentIDs) &&
	435	in_array($item['component_id'], $config->enableComponentIDs)
	436	) {
	437	// continue with process
	438	}
	439	else {
	440	return FALSE;
441	}
442	}
443
444	// the following is imitating drupal 6 code in includes/menu.inc
445	if (empty($item['access_callback']) \|\|
446	is_numeric($item['access_callback'])
447	) {
448	return (boolean ) $item['access_callback'];
449	}
450
451	// check whether the following Ajax requests submitted the right key
452	// FIXME: this should be integrated into ACLs proper
453	if (CRM_Utils_Array::value('page_type', $item) == 3) {
454	if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
455	return FALSE;
456	}
457	}
458
459	// check if callback is for checkMenu, if so optimize it
460	if (is_array($item['access_callback']) &&
461	$item['access_callback'][0] == 'CRM_Core_Permission' &&
462	$item['access_callback'][1] == 'checkMenu'
463	) {
464	$op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
465	return self::checkMenu($item['access_arguments'][0], $op);
466	}
467	else {
468	return call_user_func_array($item['access_callback'], $item['access_arguments']);
469	}
470	}
471
472	static function &basicPermissions($all = FALSE) {
473	static $permissions = NULL;
474
475	if (!$permissions) {
476	$prefix = ts('CiviCRM') . ': ';
477	$permissions = self::getCorePermissions();
478
479	if (self::isMultisiteEnabled()) {
480	$permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
481	}
482
483	$config = CRM_Core_Config::singleton();
484
485	if (!$all) {
486	$components = CRM_Core_Component::getEnabledComponents();
487	}
488	else {
489	$components = CRM_Core_Component::getComponents();
490	}
491
492	foreach ($components as $comp) {
493	$perm = $comp->getPermissions();
494	if ($perm) {
495	$info = $comp->getInfo();
496	foreach ($perm as $p) {
497	$permissions[$p] = $info['translatedName'] . ': ' . $p;
498	}
499	}
500	}
501
502	// Add any permissions defined in hook_civicrm_permission implementations.
503	$config = CRM_Core_Config::singleton();
504	$module_permissions = $config->userPermissionClass->getAllModulePermissions();
505	$permissions = array_merge($permissions, $module_permissions);
506	}
507
508	return $permissions;
509	}
510
511	static function getCorePermissions() {
512	$prefix = ts('CiviCRM') . ': ';
513	$permissions = array(
514	'add contacts' => $prefix . ts('add contacts'),
515	'view all contacts' => $prefix . ts('view all contacts'),
516	'edit all contacts' => $prefix . ts('edit all contacts'),
aafd773a DL	517	'view my contact' => $prefix . ts('view my contact'),
aafd773a DL	518	'edit my contact' => $prefix . ts('edit my contact'),
6a488035 TO	519	'delete contacts' => $prefix . ts('delete contacts'),
	520	'access deleted contacts' => $prefix . ts('access deleted contacts'),
	521	'import contacts' => $prefix . ts('import contacts'),
	522	'edit groups' => $prefix . ts('edit groups'),
	523	'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
634e1a1a	524	'skip IDS check' => $prefix . ts('skip IDS check'),
6a488035 TO	525	'access uploaded files' => $prefix . ts('access uploaded files'),
	526	'profile listings and forms' => $prefix . ts('profile listings and forms'),
	527	'profile listings' => $prefix . ts('profile listings'),
	528	'profile create' => $prefix . ts('profile create'),
	529	'profile edit' => $prefix . ts('profile edit'),
	530	'profile view' => $prefix . ts('profile view'),
	531	'access all custom data' => $prefix . ts('access all custom data'),
	532	'view all activities' => $prefix . ts('view all activities'),
	533	'delete activities' => $prefix . ts('delete activities'),
	534	'access CiviCRM' => $prefix . ts('access CiviCRM'),
	535	'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
	536	'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
	537	'administer reserved groups' => $prefix . ts('administer reserved groups'),
	538	'administer Tagsets' => $prefix . ts('administer Tagsets'),
	539	'administer reserved tags' => $prefix . ts('administer reserved tags'),
	540	'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
	541	'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
	542	'view debug output' => $prefix . ts('view debug output'),
	543	'view all notes' => $prefix . ts('view all notes'),
	544	'access AJAX API' => $prefix . ts('access AJAX API'),
	545	'access contact reference fields' => $prefix . ts('access contact reference fields'),
	546	'create manual batch' => $prefix . ts('create manual batch'),
	547	'edit own manual batches' => $prefix . ts('edit own manual batches'),
	548	'edit all manual batches' => $prefix . ts('edit all manual batches'),
	549	'view own manual batches' => $prefix . ts('view own manual batches'),
	550	'view all manual batches' => $prefix . ts('view all manual batches'),
	551	'delete own manual batches' => $prefix . ts('delete own manual batches'),
	552	'delete all manual batches' => $prefix . ts('delete all manual batches'),
	553	'export own manual batches' => $prefix . ts('export own manual batches'),
	554	'export all manual batches' => $prefix . ts('export all manual batches'),
	555	);
	556
	557	return $permissions;
	558	}
	559
	560	/**
	561	* Validate user permission across
	562	* edit or view or with supportable acls.
	563	*
	564	* return boolean true/false.
	565	**/
	566	static function giveMeAllACLs() {
	567	if (CRM_Core_Permission::check('view all contacts') \|\|
	568	CRM_Core_Permission::check('edit all contacts')
	569	) {
	570	return TRUE;
	571	}
	572
	573	$session = CRM_Core_Session::singleton();
	574	$contactID = $session->get('userID');
	575
6a488035 TO	576	//check for acl.
	577	$aclPermission = self::getPermission();
	578	if (in_array($aclPermission, array(
	579	CRM_Core_Permission::EDIT,
41f314b6	580	CRM_Core_Permission::VIEW,
	581	))
	582	) {
6a488035 TO	583	return TRUE;
	584	}
	585
	586	// run acl where hook and see if the user is supplying an ACL clause
	587	// that is not false
	588	$tables = $whereTables = array();
	589	$where = NULL;
	590
	591	CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
	592	$tables, $whereTables,
	593	$contactID, $where
	594	);
	595	return empty($whereTables) ? FALSE : TRUE;
	596	}
	597
	598	/**
	599	* Function to get component name from given permission.
	600	*
41f314b6	601	* @param string $permission
6a488035 TO	602	*
	603	* return string $componentName the name of component.
	604	* @static
	605	*/
	606	static function getComponentName($permission) {
	607	$componentName = NULL;
	608	$permission = trim($permission);
	609	if (empty($permission)) {
	610	return $componentName;
	611	}
	612
	613	static $allCompPermissions = array();
	614	if (empty($allCompPermissions)) {
	615	$components = CRM_Core_Component::getComponents();
	616	foreach ($components as $name => $comp) {
33777e4a PJ	617	//get all permissions of each components unconditionally
33777e4a PJ	618	$allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035 TO	619	}
	620	}
	621
	622	if (is_array($allCompPermissions)) {
	623	foreach ($allCompPermissions as $name => $permissions) {
	624	if (in_array($permission, $permissions)) {
	625	$componentName = $name;
	626	break;
	627	}
	628	}
	629	}
	630
	631	return $componentName;
	632	}
	633
	634	/**
	635	* Get all the contact emails for users that have a specific permission
	636	*
	637	* @param string $permissionName name of the permission we are interested in
	638	*
	639	* @return string a comma separated list of email addresses
	640	*/
	641	public static function permissionEmails($permissionName) {
	642	$config = CRM_Core_Config::singleton();
41f314b6	643	return $config->userPermissionClass->permissionEmails($permissionName);
6a488035 TO	644	}
	645
	646	/**
	647	* Get all the contact emails for users that have a specific role
	648	*
	649	* @param string $roleName name of the role we are interested in
	650	*
	651	* @return string a comma separated list of email addresses
	652	*/
	653	public static function roleEmails($roleName) {
	654	$config = CRM_Core_Config::singleton();
41f314b6	655	return $config->userRoleClass->roleEmails($roleName);
6a488035 TO	656	}
	657
	658	static function isMultisiteEnabled() {
	659	return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
	660	'is_enabled'
	661	) ? TRUE : FALSE;
	662	}
	663	}