projects / civicrm-core.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #15410 from herbdool/cloud-21
[civicrm-core.git] / CRM / Core / Permission.php
CommitLineData
6a488035
TO		 1<?php
2/*
3 +--------------------------------------------------------------------+
bc77d7c0 4 | Copyright CiviCRM LLC. All rights reserved. |
6a488035 5 | |
bc77d7c0
TO		 6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
6a488035 9 +--------------------------------------------------------------------+
d25dd0ee 10 */
6a488035
TO		 11
12/**
13 *
14 * @package CRM
ca5cec67 15 * @copyright CiviCRM LLC https://civicrm.org/licensing
6a488035
TO		 16 */
17
18/**
19 * This is the basic permission class wrapper
20 */
21class CRM_Core_Permission {
22
23 /**
d09edf64 24 * Static strings used to compose permissions.
6a488035
TO		 25 *
26 * @const
27 * @var string
28 */
7da04cde 29 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
6a488035
TO		 30
31 /**
d09edf64 32 * The various type of permissions.
6a488035
TO		 33 *
34 * @var int
35 */
7da04cde 36 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
6a488035 37
085823c1 38 /**
d09edf64 39 * A placeholder permission which always fails.
085823c1
TO		 40 */
41 const ALWAYS_DENY_PERMISSION = "*always deny*";
42
43 /**
d09edf64 44 * A placeholder permission which always fails.
085823c1
TO		 45 */
46 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
47
6dd18b98 48 /**
d09edf64 49 * Various authentication sources.
6dd18b98
DS		 50 *
51 * @var int
52 */
7da04cde 53 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98 54
6a488035 55 /**
d09edf64 56 * Get the current permission of this user.
6a488035 57 *
a6c01b45
CW		 58 * @return string
59 * the permission of the user (edit or view or null)
6a488035
TO		 60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
41f314b6 63 return $config->userPermissionClass->getPermission();
6a488035
TO		 64 }
65
66 /**
100fef9d 67 * Given a permission string or array, check for access requirements
6a488035 68 *
9b61e85d
CW		 69 * Ex 1: Must have 'access CiviCRM'
70 * (string) 'access CiviCRM'
60ec9f43 71 *
9b61e85d
CW		 72 * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
73 * ['access CiviCRM', 'access Ajax API']
60ec9f43 74 *
9b61e85d
CW		 75 * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
76 * [
77 * ['access CiviCRM', 'access Ajax API'],
78 * ],
60ec9f43 79 *
9b61e85d
CW		 80 * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
81 * [
82 * ['access CiviCRM', 'access Ajax API'],
83 * 'access CiviEvent',
84 * ],
60ec9f43 85 *
9b61e85d
CW		 86 * Note that in permissions.php this is keyed by the action eg.
87 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
88 * 'myaction' => [
89 * ['access CiviCRM', 'access Ajax API'],
90 * ['access CiviEvent', 'access CiviContribute']
91 * ],
60ec9f43 92 *
9b61e85d
CW		 93 * @param string|array $permissions
94 * The permission to check as an array or string -see examples.
60ec9f43 95 *
9b61e85d
CW		 96 * @param int $contactId
97 * Contact id to check permissions for. Defaults to current logged-in user.
6a488035 98 *
acb1052e 99 * @return bool
9b61e85d 100 * true if contact has permission(s), else false
6a488035 101 */
18be3201 102 public static function check($permissions, $contactId = NULL) {
60ec9f43 103 $permissions = (array) $permissions;
9b61e85d 104 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
60ec9f43 105
18be3201 106 /** @var CRM_Core_Permission_Temp $tempPerm */
59735506
TO		 107 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
108
60ec9f43 109 foreach ($permissions as $permission) {
22e263ad 110 if (is_array($permission)) {
60ec9f43 111 foreach ($permission as $orPerm) {
18be3201 112 if (self::check($orPerm, $contactId)) {
60ec9f43 113 //one of our 'or' permissions has succeeded - stop checking this permission
b8a19656 114 return TRUE;
60ec9f43
E		 115 }
116 }
117 //none of our our conditions was met
118 return FALSE;
119 }
120 else {
3ae62cab 121 // This is an individual permission
18be3201 122 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission, $userId);
3ae62cab 123 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
fa4dac9c 124 CRM_Utils_Hook::permission_check($permission, $granted, $contactId);
59735506 125 if (
3ae62cab 126 !$granted
59735506
TO		 127 && !($tempPerm && $tempPerm->check($permission))
128 ) {
60ec9f43
E		 129 //one of our 'and' conditions has not been met
130 return FALSE;
131 }
132 }
133 }
134 return TRUE;
6a488035
TO		 135 }
136
dc92f2f8 137 /**
d09edf64 138 * Determine if any one of the permissions strings applies to current user.
dc92f2f8
TO		 139 *
140 * @param array $perms
141 * @return bool
142 */
143 public static function checkAnyPerm($perms) {
144 foreach ($perms as $perm) {
145 if (CRM_Core_Permission::check($perm)) {
146 return TRUE;
147 }
148 }
149 return FALSE;
150 }
151
6a488035
TO		 152 /**
153 * Given a group/role array, check for access requirements
154 *
6a0b768e
TO		 155 * @param array $array
156 * The group/role to check.
6a488035 157 *
acb1052e 158 * @return bool
a6c01b45 159 * true if yes, else false
6a488035 160 */
00be9182 161 public static function checkGroupRole($array) {
6a488035 162 $config = CRM_Core_Config::singleton();
41f314b6 163 return $config->userPermissionClass->checkGroupRole($array);
6a488035
TO		 164 }
165
166 /**
d09edf64 167 * Get the permissioned where clause for the user.
6a488035 168 *
6a0b768e
TO		 169 * @param int $type
170 * The type of permission needed.
171 * @param array $tables
172 * (reference ) add the tables that are needed for the select clause.
173 * @param array $whereTables
174 * (reference ) add the tables that are needed for the where clause.
6a488035 175 *
a6c01b45
CW		 176 * @return string
177 * the group where clause for this user
6a488035
TO		 178 */
179 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
180 $config = CRM_Core_Config::singleton();
41f314b6 181 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035
TO		 182 }
183
184 /**
185 * Get all groups from database, filtered by permissions
186 * for this user
187 *
6a0b768e
TO		 188 * @param string $groupType
189 * Type of group(Access/Mailing).
3f8d2862
CW		 190 * @param bool $excludeHidden
191 * exclude hidden groups.
6a488035 192 *
6a488035 193 *
a6c01b45
CW		 194 * @return array
195 * array reference of all groups.
6a488035
TO		 196 */
197 public static function group($groupType, $excludeHidden = TRUE) {
198 $config = CRM_Core_Config::singleton();
41f314b6 199 return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035
TO		 200 }
201
a0ee3941
EM		 202 /**
203 * @return bool
204 */
6a488035
TO		 205 public static function customGroupAdmin() {
206 $admin = FALSE;
207
208 // check if user has all powerful permission
209 // or administer civicrm permission (CRM-1905)
210 if (self::check('access all custom data')) {
211 return TRUE;
212 }
213
634e1a1a
DL		 214 if (
215 self::check('administer Multiple Organizations') &&
6a488035
TO		 216 self::isMultisiteEnabled()
217 ) {
218 return TRUE;
219 }
220
221 if (self::check('administer CiviCRM')) {
222 return TRUE;
223 }
224
225 return FALSE;
226 }
227
a0ee3941
EM		 228 /**
229 * @param int $type
230 * @param bool $reset
231 *
232 * @return array
233 */
6a488035 234 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6 235 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
be2fb01f
CW		 236 ['fresh' => $reset]);
237 $defaultGroups = [];
6a488035
TO		 238
239 // check if user has all powerful permission
240 // or administer civicrm permission (CRM-1905)
241 if (self::customGroupAdmin()) {
242 $defaultGroups = array_keys($customGroups);
243 }
244
245 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
246 }
247
a0ee3941
EM		 248 /**
249 * @param int $type
250 * @param null $prefix
251 * @param bool $reset
252 *
253 * @return string
254 */
00be9182 255 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
6a488035
TO		 256 if (self::customGroupAdmin()) {
257 return ' ( 1 ) ';
258 }
259
260 $groups = self::customGroup($type, $reset);
261 if (empty($groups)) {
262 return ' ( 0 ) ';
263 }
264 else {
265 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
266 }
267 }
268
a0ee3941 269 /**
100fef9d 270 * @param int $gid
a0ee3941
EM		 271 * @param int $type
272 *
273 * @return bool
274 */
6a488035
TO		 275 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
276 if (empty($gid)) {
277 return TRUE;
278 }
279
280 $groups = self::ufGroup($type);
684b0b22 281 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
6a488035
TO		 282 }
283
a0ee3941
EM		 284 /**
285 * @param int $type
286 *
287 * @return array
288 */
6a488035 289 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744 290 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035
TO		 291
292 $allGroups = array_keys($ufGroups);
293
294 // check if user has all powerful permission
295 if (self::check('profile listings and forms')) {
296 return $allGroups;
297 }
298
299 switch ($type) {
300 case CRM_Core_Permission::VIEW:
301 if (self::check('profile view')) {
302 return $allGroups;
303 }
304 break;
305
306 case CRM_Core_Permission::CREATE:
307 if (self::check('profile create')) {
308 return $allGroups;
309 }
310 break;
311
312 case CRM_Core_Permission::EDIT:
313 if (self::check('profile edit')) {
314 return $allGroups;
315 }
316 break;
317
318 case CRM_Core_Permission::SEARCH:
319 if (self::check('profile listings')) {
320 return $allGroups;
321 }
322 break;
323 }
324
325 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
326 }
327
a0ee3941
EM		 328 /**
329 * @param int $type
330 * @param null $prefix
331 * @param bool $returnUFGroupIds
332 *
333 * @return array|string
334 */
00be9182 335 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
6a488035
TO		 336 $groups = self::ufGroup($type);
337 if ($returnUFGroupIds) {
338 return $groups;
339 }
340 elseif (empty($groups)) {
341 return ' ( 0 ) ';
342 }
343 else {
344 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
345 }
346 }
347
a0ee3941
EM		 348 /**
349 * @param int $type
100fef9d 350 * @param int $eventID
a0ee3941
EM		 351 * @param string $context
352 *
353 * @return array|null
354 */
e2d09ab4 355 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
22e263ad
TO		 356 if (!empty($context)) {
357 if (CRM_Core_Permission::check($context)) {
e2d09ab4
EM		 358 return TRUE;
359 }
360 }
6a488035 361 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
be2fb01f 362 $includeEvents = [];
6a488035
TO		 363
364 // check if user has all powerful permission
365 if (self::check('register for events')) {
366 $includeEvents = array_keys($events);
367 }
368
369 if ($type == CRM_Core_Permission::VIEW &&
370 self::check('view event info')
371 ) {
372 $includeEvents = array_keys($events);
373 }
374
375 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
376 if (!$eventID) {
377 return $permissionedEvents;
378 }
41f314b6 379 if (!empty($permissionedEvents)) {
2efcf0c2 380 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6 381 }
dfa720e7 382 return NULL;
6a488035
TO		 383 }
384
a0ee3941
EM		 385 /**
386 * @param int $type
387 * @param null $prefix
388 *
389 * @return string
390 */
00be9182 391 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
6a488035
TO		 392 $events = self::event($type);
393 if (empty($events)) {
394 return ' ( 0 ) ';
395 }
396 else {
397 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
398 }
399 }
400
a0ee3941 401 /**
44d17ec8
BS		 402 * Checks that component is enabled and optionally that user has basic perm.
403 *
404 * @param string $module
405 * Specifies the name of the CiviCRM component.
a0ee3941 406 * @param bool $checkPermission
44d17ec8
BS		 407 * Check not only that module is enabled, but that user has necessary
408 * permission.
409 * @param bool $requireAllCasesPermOnCiviCase
410 * Significant only if $module == CiviCase
411 * Require "access all cases and activities", not just
412 * "access my cases and activities".
a0ee3941
EM		 413 *
414 * @return bool
44d17ec8 415 * Access to specified $module is granted.
a0ee3941 416 */
44d17ec8 417 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
6a488035
TO		 418 $config = CRM_Core_Config::singleton();
419
420 if (!in_array($module, $config->enableComponents)) {
421 return FALSE;
422 }
423
424 if ($checkPermission) {
44d17ec8
BS		 425 switch ($module) {
426 case 'CiviCase':
427 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
428 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
429 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
430
431 case 'CiviCampaign':
432 return CRM_Core_Permission::check("administer $module");
433
434 default:
435 return CRM_Core_Permission::check("access $module");
6a488035
TO		 436 }
437 }
438
439 return TRUE;
440 }
441
442 /**
d09edf64 443 * Check permissions for delete and edit actions.
6a488035 444 *
6a0b768e
TO		 445 * @param string $module
446 * Component name.
447 * @param int $action
448 * Action to be check across component.
6a488035 449 *
77b97be7
EM		 450 *
451 * @return bool
452 */
00be9182 453 public static function checkActionPermission($module, $action) {
6a488035
TO		 454 //check delete related permissions.
455 if ($action & CRM_Core_Action::DELETE) {
456 $permissionName = "delete in $module";
457 }
458 else {
be2fb01f 459 $editPermissions = [
6a488035
TO		 460 'CiviEvent' => 'edit event participants',
461 'CiviMember' => 'edit memberships',
462 'CiviPledge' => 'edit pledges',
463 'CiviContribute' => 'edit contributions',
464 'CiviGrant' => 'edit grants',
465 'CiviMail' => 'access CiviMail',
466 'CiviAuction' => 'add auction items',
be2fb01f 467 ];
6a488035
TO		 468 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
469 }
470
471 if ($module == 'CiviCase' && !$permissionName) {
472 return CRM_Case_BAO_Case::accessCiviCase();
473 }
474 else {
475 //check for permission.
476 return CRM_Core_Permission::check($permissionName);
477 }
478 }
479
a0ee3941
EM		 480 /**
481 * @param $args
482 * @param string $op
483 *
484 * @return bool
485 */
00be9182 486 public static function checkMenu(&$args, $op = 'and') {
6a488035
TO		 487 if (!is_array($args)) {
488 return $args;
489 }
490 foreach ($args as $str) {
491 $res = CRM_Core_Permission::check($str);
492 if ($op == 'or' && $res) {
493 return TRUE;
494 }
495 elseif ($op == 'and' && !$res) {
496 return FALSE;
497 }
498 }
499 return ($op == 'or') ? FALSE : TRUE;
500 }
501
a0ee3941
EM		 502 /**
503 * @param $item
504 *
505 * @return bool|mixed
506 * @throws Exception
507 */
00be9182 508 public static function checkMenuItem(&$item) {
6a488035
TO		 509 if (!array_key_exists('access_callback', $item)) {
510 CRM_Core_Error::backtrace();
511 CRM_Core_Error::fatal();
512 }
513
514 // if component_id is present, ensure it is enabled
3d31a5c6
TO		 515 if (isset($item['component_id']) && $item['component_id']) {
516 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
517 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
518 }
519 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
520
6a488035 521 $config = CRM_Core_Config::singleton();
3d31a5c6 522 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
6a488035
TO		 523 // continue with process
524 }
525 else {
526 return FALSE;
527 }
528 }
529
530 // the following is imitating drupal 6 code in includes/menu.inc
531 if (empty($item['access_callback']) ||
532 is_numeric($item['access_callback'])
533 ) {
534 return (boolean ) $item['access_callback'];
535 }
536
537 // check whether the following Ajax requests submitted the right key
538 // FIXME: this should be integrated into ACLs proper
539 if (CRM_Utils_Array::value('page_type', $item) == 3) {
540 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
541 return FALSE;
542 }
543 }
544
545 // check if callback is for checkMenu, if so optimize it
546 if (is_array($item['access_callback']) &&
547 $item['access_callback'][0] == 'CRM_Core_Permission' &&
548 $item['access_callback'][1] == 'checkMenu'
549 ) {
550 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
551 return self::checkMenu($item['access_arguments'][0], $op);
552 }
553 else {
554 return call_user_func_array($item['access_callback'], $item['access_arguments']);
555 }
556 }
557
a0ee3941
EM		 558 /**
559 * @param bool $all
9476d8d1 560 * Include disabled components
221b21b4 561 * @param bool $descriptions
9476d8d1 562 * Whether to return descriptions
a0ee3941
EM		 563 *
564 * @return array
565 */
9476d8d1 566 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
be2fb01f 567 $cacheKey = implode('-', [$all, $descriptions]);
9476d8d1
CW		 568 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
569 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
221b21b4 570 }
9476d8d1 571 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
221b21b4
AH		 572 }
573
574 /**
575 * @param bool $all
576 * @param bool $descriptions
577 * whether to return descriptions
578 *
579 * @return array
580 */
581 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
582 $config = CRM_Core_Config::singleton();
583 $prefix = ts('CiviCRM') . ': ';
584 $permissions = self::getCorePermissions($descriptions);
585
586 if (self::isMultisiteEnabled()) {
be2fb01f 587 $permissions['administer Multiple Organizations'] = [$prefix . ts('administer Multiple Organizations')];
221b21b4
AH		 588 }
589
8c282315 590 if (!$descriptions) {
591 foreach ($permissions as $name => $attr) {
592 $permissions[$name] = array_shift($attr);
593 }
594 }
221b21b4
AH		 595 if (!$all) {
596 $components = CRM_Core_Component::getEnabledComponents();
597 }
598 else {
599 $components = CRM_Core_Component::getComponents();
600 }
601
602 foreach ($components as $comp) {
d47b93bf 603 $perm = $comp->getPermissions($all, $descriptions);
221b21b4
AH		 604 if ($perm) {
605 $info = $comp->getInfo();
2666861c
KL		 606 foreach ($perm as $p => $attr) {
607
608 if (!is_array($attr)) {
be2fb01f 609 $attr = [$attr];
2666861c
KL		 610 }
611
612 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
613
614 if ($descriptions) {
221b21b4
AH		 615 $permissions[$p] = $attr;
616 }
2666861c
KL		 617 else {
618 $permissions[$p] = $attr[0];
6a488035
TO		 619 }
620 }
621 }
6a488035
TO		 622 }
623
221b21b4 624 // Add any permissions defined in hook_civicrm_permission implementations.
f1db52b9 625 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
221b21b4 626 $permissions = array_merge($permissions, $module_permissions);
cb2f7dd1 627 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
6a488035
TO		 628 return $permissions;
629 }
630
a0ee3941
EM		 631 /**
632 * @return array
633 */
00be9182 634 public static function getAnonymousPermissionsWarnings() {
be2fb01f 635 static $permissions = [];
81bb85ea 636 if (empty($permissions)) {
be2fb01f 637 $permissions = [
21dfd5f5 638 'administer CiviCRM',
be2fb01f 639 ];
81bb85ea
AC		 640 $components = CRM_Core_Component::getComponents();
641 foreach ($components as $comp) {
642 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
643 continue;
644 }
645 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
646 }
647 }
648 return $permissions;
649 }
650
a0ee3941
EM		 651 /**
652 * @param $anonymous_perms
653 *
654 * @return array
655 */
00be9182 656 public static function validateForPermissionWarnings($anonymous_perms) {
81bb85ea
AC		 657 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
658 }
659
a0ee3941 660 /**
6793d6a9 661 * Get core permissions.
221b21b4 662 *
a0ee3941
EM		 663 * @return array
664 */
8c282315 665 public static function getCorePermissions() {
6a488035 666 $prefix = ts('CiviCRM') . ': ';
be2fb01f
CW		 667 $permissions = [
668 'add contacts' => [
221b21b4
AH		 669 $prefix . ts('add contacts'),
670 ts('Create a new contact record in CiviCRM'),
be2fb01f
CW		 671 ],
672 'view all contacts' => [
221b21b4
AH		 673 $prefix . ts('view all contacts'),
674 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
be2fb01f
CW		 675 ],
676 'edit all contacts' => [
221b21b4
AH		 677 $prefix . ts('edit all contacts'),
678 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
be2fb01f
CW		 679 ],
680 'view my contact' => [
221b21b4 681 $prefix . ts('view my contact'),
be2fb01f
CW		 682 ],
683 'edit my contact' => [
221b21b4 684 $prefix . ts('edit my contact'),
be2fb01f
CW		 685 ],
686 'delete contacts' => [
221b21b4 687 $prefix . ts('delete contacts'),
be2fb01f
CW		 688 ],
689 'access deleted contacts' => [
221b21b4
AH		 690 $prefix . ts('access deleted contacts'),
691 ts('Access contacts in the trash'),
be2fb01f
CW		 692 ],
693 'import contacts' => [
221b21b4
AH		 694 $prefix . ts('import contacts'),
695 ts('Import contacts and activities'),
be2fb01f
CW		 696 ],
697 'import SQL datasource' => [
40bc3c68
TO		 698 $prefix . ts('import SQL datasource'),
699 ts('When importing, consume data directly from a SQL datasource'),
be2fb01f
CW		 700 ],
701 'edit groups' => [
221b21b4
AH		 702 $prefix . ts('edit groups'),
703 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
be2fb01f
CW		 704 ],
705 'administer CiviCRM' => [
221b21b4
AH		 706 $prefix . ts('administer CiviCRM'),
707 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
be2fb01f
CW		 708 ],
709 'skip IDS check' => [
221b21b4 710 $prefix . ts('skip IDS check'),
d9a37cbc 711 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
be2fb01f
CW		 712 ],
713 'access uploaded files' => [
221b21b4
AH		 714 $prefix . ts('access uploaded files'),
715 ts('View / download files including images and photos'),
be2fb01f
CW		 716 ],
717 'profile listings and forms' => [
221b21b4 718 $prefix . ts('profile listings and forms'),
d9a37cbc 719 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
be2fb01f
CW		 720 ],
721 'profile listings' => [
221b21b4 722 $prefix . ts('profile listings'),
d9a37cbc 723 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
be2fb01f
CW		 724 ],
725 'profile create' => [
221b21b4 726 $prefix . ts('profile create'),
d9a37cbc 727 ts('Add data in a profile form.'),
be2fb01f
CW		 728 ],
729 'profile edit' => [
221b21b4 730 $prefix . ts('profile edit'),
d9a37cbc 731 ts('Edit data in a profile form.'),
be2fb01f
CW		 732 ],
733 'profile view' => [
221b21b4 734 $prefix . ts('profile view'),
d9a37cbc 735 ts('View data in a profile.'),
be2fb01f
CW		 736 ],
737 'access all custom data' => [
221b21b4
AH		 738 $prefix . ts('access all custom data'),
739 ts('View all custom fields regardless of ACL rules'),
be2fb01f
CW		 740 ],
741 'view all activities' => [
221b21b4
AH		 742 $prefix . ts('view all activities'),
743 ts('View all activities (for visible contacts)'),
be2fb01f
CW		 744 ],
745 'delete activities' => [
221b21b4 746 $prefix . ts('Delete activities'),
be2fb01f
CW		 747 ],
748 'edit inbound email basic information' => [
ee90a98c
CR		 749 $prefix . ts('edit inbound email basic information'),
750 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
be2fb01f
CW		 751 ],
752 'edit inbound email basic information and content' => [
ee90a98c
CR		 753 $prefix . ts('edit inbound email basic information and content'),
754 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
be2fb01f
CW		 755 ],
756 'access CiviCRM' => [
d9a37cbc
H		 757 $prefix . ts('access CiviCRM backend and API'),
758 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
be2fb01f
CW		 759 ],
760 'access Contact Dashboard' => [
221b21b4
AH		 761 $prefix . ts('access Contact Dashboard'),
762 ts('View Contact Dashboard (for themselves and visible contacts)'),
be2fb01f
CW		 763 ],
764 'translate CiviCRM' => [
221b21b4
AH		 765 $prefix . ts('translate CiviCRM'),
766 ts('Allow User to enable multilingual'),
be2fb01f
CW		 767 ],
768 'manage tags' => [
eaaaef83
I		 769 $prefix . ts('manage tags'),
770 ts('Create and rename tags'),
be2fb01f
CW		 771 ],
772 'administer reserved groups' => [
221b21b4
AH		 773 $prefix . ts('administer reserved groups'),
774 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
be2fb01f
CW		 775 ],
776 'administer Tagsets' => [
221b21b4 777 $prefix . ts('administer Tagsets'),
be2fb01f
CW		 778 ],
779 'administer reserved tags' => [
221b21b4 780 $prefix . ts('administer reserved tags'),
be2fb01f
CW		 781 ],
782 'administer dedupe rules' => [
221b21b4
AH		 783 $prefix . ts('administer dedupe rules'),
784 ts('Create and edit rules, change the supervised and unsupervised rules'),
be2fb01f
CW		 785 ],
786 'merge duplicate contacts' => [
221b21b4
AH		 787 $prefix . ts('merge duplicate contacts'),
788 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 789 ],
790 'force merge duplicate contacts' => [
fd630ef9 791 $prefix . ts('force merge duplicate contacts'),
792 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 793 ],
794 'view debug output' => [
221b21b4
AH		 795 $prefix . ts('view debug output'),
796 ts('View results of debug and backtrace'),
be2fb01f 797 ],
02d451ab 798
be2fb01f 799 'view all notes' => [
221b21b4
AH		 800 $prefix . ts('view all notes'),
801 ts("View notes (for visible contacts) even if they're marked admin only"),
be2fb01f
CW		 802 ],
803 'add contact notes' => [
088101a4
O		 804 $prefix . ts('add contact notes'),
805 ts("Create notes for contacts"),
be2fb01f
CW		 806 ],
807 'access AJAX API' => [
221b21b4
AH		 808 $prefix . ts('access AJAX API'),
809 ts('Allow API access even if Access CiviCRM is not granted'),
be2fb01f
CW		 810 ],
811 'access contact reference fields' => [
221b21b4
AH		 812 $prefix . ts('access contact reference fields'),
813 ts('Allow entering data into contact reference fields'),
be2fb01f
CW		 814 ],
815 'create manual batch' => [
221b21b4
AH		 816 $prefix . ts('create manual batch'),
817 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
be2fb01f
CW		 818 ],
819 'edit own manual batches' => [
221b21b4
AH		 820 $prefix . ts('edit own manual batches'),
821 ts('Edit accounting batches created by user'),
be2fb01f
CW		 822 ],
823 'edit all manual batches' => [
221b21b4
AH		 824 $prefix . ts('edit all manual batches'),
825 ts('Edit all accounting batches'),
be2fb01f
CW		 826 ],
827 'close own manual batches' => [
47a98aef 828 $prefix . ts('close own manual batches'),
5ad18cc2 829 ts('Close accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 830 ],
831 'close all manual batches' => [
47a98aef 832 $prefix . ts('close all manual batches'),
5ad18cc2 833 ts('Close all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 834 ],
835 'reopen own manual batches' => [
47a98aef 836 $prefix . ts('reopen own manual batches'),
5ad18cc2 837 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 838 ],
839 'reopen all manual batches' => [
47a98aef 840 $prefix . ts('reopen all manual batches'),
5ad18cc2 841 ts('Reopen all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 842 ],
843 'view own manual batches' => [
221b21b4
AH		 844 $prefix . ts('view own manual batches'),
845 ts('View accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 846 ],
847 'view all manual batches' => [
221b21b4
AH		 848 $prefix . ts('view all manual batches'),
849 ts('View all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 850 ],
851 'delete own manual batches' => [
221b21b4
AH		 852 $prefix . ts('delete own manual batches'),
853 ts('Delete accounting batches created by user'),
be2fb01f
CW		 854 ],
855 'delete all manual batches' => [
221b21b4
AH		 856 $prefix . ts('delete all manual batches'),
857 ts('Delete all accounting batches'),
be2fb01f
CW		 858 ],
859 'export own manual batches' => [
221b21b4
AH		 860 $prefix . ts('export own manual batches'),
861 ts('Export accounting batches created by user'),
be2fb01f
CW		 862 ],
863 'export all manual batches' => [
221b21b4
AH		 864 $prefix . ts('export all manual batches'),
865 ts('Export all accounting batches'),
be2fb01f
CW		 866 ],
867 'administer payment processors' => [
221b21b4
AH		 868 $prefix . ts('administer payment processors'),
869 ts('Add, Update, or Disable Payment Processors'),
be2fb01f
CW		 870 ],
871 'edit message templates' => [
221b21b4 872 $prefix . ts('edit message templates'),
be2fb01f
CW		 873 ],
874 'edit system workflow message templates' => [
40a732a9 875 $prefix . ts('edit system workflow message templates'),
be2fb01f
CW		 876 ],
877 'edit user-driven message templates' => [
40a732a9 878 $prefix . ts('edit user-driven message templates'),
be2fb01f
CW		 879 ],
880 'view my invoices' => [
a664e7b3 881 $prefix . ts('view my invoices'),
dc6b437a 882 ts('Allow users to view/ download their own invoices'),
be2fb01f
CW		 883 ],
884 'edit api keys' => [
d4463076
TO		 885 $prefix . ts('edit api keys'),
886 ts('Edit API keys'),
be2fb01f
CW		 887 ],
888 'edit own api keys' => [
d4463076
TO		 889 $prefix . ts('edit own api keys'),
890 ts('Edit user\'s own API keys'),
be2fb01f
CW		 891 ],
892 'send SMS' => [
63483feb
MM		 893 $prefix . ts('send SMS'),
894 ts('Send an SMS'),
be2fb01f
CW		 895 ],
896 ];
6a488035
TO		 897
898 return $permissions;
899 }
900
bf9a7c0f
ES		 901 /**
902 * For each entity provides an array of permissions required for each action
903 *
904 * The action is the array key, possible values:
905 * * create: applies to create (with no id in params)
906 * * update: applies to update, setvalue, create (with id in params)
907 * * get: applies to getcount, getsingle, getvalue and other gets
908 * * delete: applies to delete, replace
909 * * meta: applies to getfields, getoptions, getspec
910 * * default: catch-all for anything not declared
911 *
912 * Note: some APIs declare other actions as well
913 *
914 * Permissions should use arrays for AND and arrays of arrays for OR
1a5a2ade 915 * @see CRM_Core_Permission::check
bf9a7c0f
ES		 916 *
917 * @return array of permissions
918 */
919 public static function getEntityActionPermissions() {
be2fb01f 920 $permissions = [];
bf9a7c0f
ES		 921 // These are the default permissions - if any entity does not declare permissions for a given action,
922 // (or the entity does not declare permissions at all) - then the action will be used from here
be2fb01f 923 $permissions['default'] = [
bf9a7c0f 924 // applies to getfields, getoptions, etc.
be2fb01f 925 'meta' => ['access CiviCRM'],
bf9a7c0f
ES		 926 // catch-all, applies to create, get, delete, etc.
927 // If an entity declares it's own 'default' action it will override this one
be2fb01f
CW		 928 'default' => ['administer CiviCRM'],
929 ];
bf9a7c0f
ES		 930
931 // Note: Additional permissions in DynamicFKAuthorization
be2fb01f
CW		 932 $permissions['attachment'] = [
933 'default' => [
934 ['access CiviCRM', 'access AJAX API'],
935 ],
936 ];
bf9a7c0f
ES		 937
938 // Contact permissions
be2fb01f
CW		 939 $permissions['contact'] = [
940 'create' => [
bf9a7c0f
ES		 941 'access CiviCRM',
942 'add contacts',
be2fb01f
CW		 943 ],
944 'delete' => [
bf9a7c0f
ES		 945 'access CiviCRM',
946 'delete contacts',
be2fb01f 947 ],
bf9a7c0f 948 // managed by query object
be2fb01f 949 'get' => [],
bf9a7c0f 950 // managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 951 'update' => [],
952 'getquick' => [
953 ['access CiviCRM', 'access AJAX API'],
954 ],
955 'duplicatecheck' => [
f257308b 956 'access CiviCRM',
be2fb01f 957 ],
9f8c8b7a 958 'merge' => ['merge duplicate contacts'],
be2fb01f 959 ];
bf9a7c0f 960
cc477693 961 $permissions['dedupe'] = [
962 'getduplicates' => ['access CiviCRM'],
3ea6ec7d 963 'getstatistics' => ['access CiviCRM'],
cc477693 964 ];
965
bf9a7c0f 966 // CRM-16963 - Permissions for country.
be2fb01f
CW		 967 $permissions['country'] = [
968 'get' => [
bf9a7c0f 969 'access CiviCRM',
be2fb01f
CW		 970 ],
971 'default' => [
bf9a7c0f 972 'administer CiviCRM',
be2fb01f
CW		 973 ],
974 ];
bf9a7c0f
ES		 975
976 // Contact-related data permissions.
be2fb01f 977 $permissions['address'] = [
bf9a7c0f
ES		 978 // get is managed by BAO::addSelectWhereClause
979 // create/delete are managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 980 'default' => [],
981 ];
bf9a7c0f
ES		 982 $permissions['email'] = $permissions['address'];
983 $permissions['phone'] = $permissions['address'];
984 $permissions['website'] = $permissions['address'];
985 $permissions['im'] = $permissions['address'];
986 $permissions['open_i_d'] = $permissions['address'];
987
988 // Also managed by ACLs - CRM-19448
be2fb01f 989 $permissions['entity_tag'] = ['default' => []];
bf9a7c0f
ES		 990 $permissions['note'] = $permissions['entity_tag'];
991
992 // Allow non-admins to get and create tags to support tagset widget
993 // Delete is still reserved for admins
be2fb01f
CW		 994 $permissions['tag'] = [
995 'get' => ['access CiviCRM'],
996 'create' => ['access CiviCRM'],
997 'update' => ['access CiviCRM'],
998 ];
bf9a7c0f
ES		 999
1000 //relationship permissions
be2fb01f 1001 $permissions['relationship'] = [
bf9a7c0f 1002 // get is managed by BAO::addSelectWhereClause
be2fb01f
CW		 1003 'get' => [],
1004 'delete' => [
bf9a7c0f
ES		 1005 'access CiviCRM',
1006 'edit all contacts',
be2fb01f
CW		 1007 ],
1008 'default' => [
bf9a7c0f
ES		 1009 'access CiviCRM',
1010 'edit all contacts',
be2fb01f
CW		 1011 ],
1012 ];
bf9a7c0f
ES		 1013
1014 // CRM-17741 - Permissions for RelationshipType.
be2fb01f
CW		 1015 $permissions['relationship_type'] = [
1016 'get' => [
bf9a7c0f 1017 'access CiviCRM',
be2fb01f
CW		 1018 ],
1019 'default' => [
bf9a7c0f 1020 'administer CiviCRM',
be2fb01f
CW		 1021 ],
1022 ];
bf9a7c0f
ES		 1023
1024 // Activity permissions
be2fb01f
CW		 1025 $permissions['activity'] = [
1026 'delete' => [
bf9a7c0f
ES		 1027 'access CiviCRM',
1028 'delete activities',
be2fb01f
CW		 1029 ],
1030 'get' => [
bf9a7c0f
ES		 1031 'access CiviCRM',
1032 // Note that view all activities is also required within the api
1033 // if the id is not passed in. Where the id is passed in the activity
1034 // specific check functions are used and tested.
be2fb01f
CW		 1035 ],
1036 'default' => [
bf9a7c0f
ES		 1037 'access CiviCRM',
1038 'view all activities',
be2fb01f
CW		 1039 ],
1040 ];
cdacd6ab 1041 $permissions['activity_contact'] = $permissions['activity'];
bf9a7c0f
ES		 1042
1043 // Case permissions
be2fb01f
CW		 1044 $permissions['case'] = [
1045 'create' => [
bf9a7c0f
ES		 1046 'access CiviCRM',
1047 'add cases',
be2fb01f
CW		 1048 ],
1049 'delete' => [
bf9a7c0f
ES		 1050 'access CiviCRM',
1051 'delete in CiviCase',
be2fb01f
CW		 1052 ],
1053 'restore' => [
8572e6de 1054 'administer CiviCase',
be2fb01f
CW		 1055 ],
1056 'merge' => [
a6bc7218 1057 'administer CiviCase',
be2fb01f
CW		 1058 ],
1059 'default' => [
bf9a7c0f 1060 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
be2fb01f
CW		 1061 ['access my cases and activities', 'access all cases and activities'],
1062 ],
1063 ];
bf9a7c0f
ES		 1064 $permissions['case_contact'] = $permissions['case'];
1065
be2fb01f
CW		 1066 $permissions['case_type'] = [
1067 'default' => ['administer CiviCase'],
1068 'get' => [
bf9a7c0f 1069 // nested array = OR
be2fb01f
CW		 1070 ['access my cases and activities', 'access all cases and activities'],
1071 ],
1072 ];
bf9a7c0f
ES		 1073
1074 // Campaign permissions
be2fb01f
CW		 1075 $permissions['campaign'] = [
1076 'get' => ['access CiviCRM'],
1077 'default' => [
bf9a7c0f 1078 // nested array = OR
be2fb01f
CW		 1079 ['administer CiviCampaign', 'manage campaign'],
1080 ],
1081 ];
bf9a7c0f
ES		 1082 $permissions['survey'] = $permissions['campaign'];
1083
1084 // Financial permissions
be2fb01f
CW		 1085 $permissions['contribution'] = [
1086 'get' => [
bf9a7c0f
ES		 1087 'access CiviCRM',
1088 'access CiviContribute',
be2fb01f
CW		 1089 ],
1090 'delete' => [
bf9a7c0f
ES		 1091 'access CiviCRM',
1092 'access CiviContribute',
1093 'delete in CiviContribute',
be2fb01f
CW		 1094 ],
1095 'completetransaction' => [
bf9a7c0f 1096 'edit contributions',
be2fb01f
CW		 1097 ],
1098 'default' => [
bf9a7c0f
ES		 1099 'access CiviCRM',
1100 'access CiviContribute',
1101 'edit contributions',
be2fb01f
CW		 1102 ],
1103 ];
bf9a7c0f
ES		 1104 $permissions['line_item'] = $permissions['contribution'];
1105
1106 // Payment permissions
be2fb01f
CW		 1107 $permissions['payment'] = [
1108 'get' => [
bf9a7c0f
ES		 1109 'access CiviCRM',
1110 'access CiviContribute',
be2fb01f
CW		 1111 ],
1112 'delete' => [
bf9a7c0f
ES		 1113 'access CiviCRM',
1114 'access CiviContribute',
1115 'delete in CiviContribute',
be2fb01f
CW		 1116 ],
1117 'cancel' => [
bf9a7c0f
ES		 1118 'access CiviCRM',
1119 'access CiviContribute',
1120 'edit contributions',
be2fb01f
CW		 1121 ],
1122 'create' => [
bf9a7c0f
ES		 1123 'access CiviCRM',
1124 'access CiviContribute',
1125 'edit contributions',
be2fb01f
CW		 1126 ],
1127 'default' => [
bf9a7c0f
ES		 1128 'access CiviCRM',
1129 'access CiviContribute',
1130 'edit contributions',
be2fb01f
CW		 1131 ],
1132 ];
e4124a88 1133 $permissions['contribution_recur'] = $permissions['payment'];
bf9a7c0f
ES		 1134
1135 // Custom field permissions
be2fb01f
CW		 1136 $permissions['custom_field'] = [
1137 'default' => [
bf9a7c0f
ES		 1138 'administer CiviCRM',
1139 'access all custom data',
be2fb01f
CW		 1140 ],
1141 ];
bf9a7c0f
ES		 1142 $permissions['custom_group'] = $permissions['custom_field'];
1143
1144 // Event permissions
be2fb01f
CW		 1145 $permissions['event'] = [
1146 'create' => [
bf9a7c0f
ES		 1147 'access CiviCRM',
1148 'access CiviEvent',
1149 'edit all events',
be2fb01f
CW		 1150 ],
1151 'delete' => [
bf9a7c0f
ES		 1152 'access CiviCRM',
1153 'access CiviEvent',
1154 'delete in CiviEvent',
be2fb01f
CW		 1155 ],
1156 'get' => [
bf9a7c0f
ES		 1157 'access CiviCRM',
1158 'access CiviEvent',
1159 'view event info',
be2fb01f
CW		 1160 ],
1161 'update' => [
bf9a7c0f
ES		 1162 'access CiviCRM',
1163 'access CiviEvent',
1164 'edit all events',
be2fb01f
CW		 1165 ],
1166 ];
170af518 1167 // Exception refers to dedupe_exception.
1168 $permissions['exception'] = [
1169 'default' => ['merge duplicate contacts'],
1170 ];
5654496c 1171
418ffc5b 1172 $permissions['job'] = [
1173 'process_batch_merge' => ['merge duplicate contacts'],
1174 ];
5654496c 1175 $permissions['rule_group']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
bf9a7c0f
ES		 1176 // Loc block is only used for events
1177 $permissions['loc_block'] = $permissions['event'];
1178
be2fb01f
CW		 1179 $permissions['state_province'] = [
1180 'get' => [
fc2d1728 1181 'access CiviCRM',
be2fb01f
CW		 1182 ],
1183 ];
fc2d1728 1184
bf9a7c0f 1185 // Price sets are shared by several components, user needs access to at least one of them
be2fb01f
CW		 1186 $permissions['price_set'] = [
1187 'default' => [
1188 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1189 ],
1190 'get' => [
1191 ['access CiviCRM', 'view event info', 'make online contributions'],
1192 ],
1193 ];
bf9a7c0f
ES		 1194
1195 // File permissions
be2fb01f
CW		 1196 $permissions['file'] = [
1197 'default' => [
bf9a7c0f
ES		 1198 'access CiviCRM',
1199 'access uploaded files',
be2fb01f
CW		 1200 ],
1201 ];
bf9a7c0f
ES		 1202 $permissions['files_by_entity'] = $permissions['file'];
1203
1204 // Group permissions
be2fb01f
CW		 1205 $permissions['group'] = [
1206 'get' => [
bf9a7c0f 1207 'access CiviCRM',
be2fb01f
CW		 1208 ],
1209 'default' => [
bf9a7c0f
ES		 1210 'access CiviCRM',
1211 'edit groups',
be2fb01f
CW		 1212 ],
1213 ];
bf9a7c0f
ES		 1214
1215 $permissions['group_nesting'] = $permissions['group'];
1216 $permissions['group_organization'] = $permissions['group'];
1217
1218 //Group Contact permission
be2fb01f
CW		 1219 $permissions['group_contact'] = [
1220 'get' => [
bf9a7c0f 1221 'access CiviCRM',
be2fb01f
CW		 1222 ],
1223 'default' => [
bf9a7c0f
ES		 1224 'access CiviCRM',
1225 'edit all contacts',
be2fb01f
CW		 1226 ],
1227 ];
bf9a7c0f
ES		 1228
1229 // CiviMail Permissions
be2fb01f 1230 $civiMailBasePerms = [
bf9a7c0f
ES		 1231 // To get/preview/update, one must have least one of these perms:
1232 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1233 'access CiviMail',
1234 'create mailings',
1235 'schedule mailings',
1236 'approve mailings',
be2fb01f
CW		 1237 ];
1238 $permissions['mailing'] = [
1239 'get' => [
bf9a7c0f
ES		 1240 'access CiviCRM',
1241 $civiMailBasePerms,
be2fb01f
CW		 1242 ],
1243 'delete' => [
bf9a7c0f
ES		 1244 'access CiviCRM',
1245 $civiMailBasePerms,
1246 'delete in CiviMail',
be2fb01f
CW		 1247 ],
1248 'submit' => [
bf9a7c0f 1249 'access CiviCRM',
be2fb01f
CW		 1250 ['access CiviMail', 'schedule mailings'],
1251 ],
1252 'default' => [
bf9a7c0f
ES		 1253 'access CiviCRM',
1254 $civiMailBasePerms,
be2fb01f
CW		 1255 ],
1256 ];
bf9a7c0f
ES		 1257 $permissions['mailing_group'] = $permissions['mailing'];
1258 $permissions['mailing_job'] = $permissions['mailing'];
1259 $permissions['mailing_recipients'] = $permissions['mailing'];
1260
be2fb01f
CW		 1261 $permissions['mailing_a_b'] = [
1262 'get' => [
bf9a7c0f
ES		 1263 'access CiviCRM',
1264 'access CiviMail',
be2fb01f
CW		 1265 ],
1266 'delete' => [
bf9a7c0f
ES		 1267 'access CiviCRM',
1268 'access CiviMail',
1269 'delete in CiviMail',
be2fb01f
CW		 1270 ],
1271 'submit' => [
bf9a7c0f 1272 'access CiviCRM',
be2fb01f
CW		 1273 ['access CiviMail', 'schedule mailings'],
1274 ],
1275 'default' => [
bf9a7c0f
ES		 1276 'access CiviCRM',
1277 'access CiviMail',
be2fb01f
CW		 1278 ],
1279 ];
bf9a7c0f
ES		 1280
1281 // Membership permissions
be2fb01f
CW		 1282 $permissions['membership'] = [
1283 'get' => [
bf9a7c0f
ES		 1284 'access CiviCRM',
1285 'access CiviMember',
be2fb01f
CW		 1286 ],
1287 'delete' => [
bf9a7c0f
ES		 1288 'access CiviCRM',
1289 'access CiviMember',
1290 'delete in CiviMember',
be2fb01f
CW		 1291 ],
1292 'default' => [
bf9a7c0f
ES		 1293 'access CiviCRM',
1294 'access CiviMember',
1295 'edit memberships',
be2fb01f
CW		 1296 ],
1297 ];
bf9a7c0f
ES		 1298 $permissions['membership_status'] = $permissions['membership'];
1299 $permissions['membership_type'] = $permissions['membership'];
be2fb01f
CW		 1300 $permissions['membership_payment'] = [
1301 'create' => [
bf9a7c0f
ES		 1302 'access CiviCRM',
1303 'access CiviMember',
1304 'edit memberships',
1305 'access CiviContribute',
1306 'edit contributions',
be2fb01f
CW		 1307 ],
1308 'delete' => [
bf9a7c0f
ES		 1309 'access CiviCRM',
1310 'access CiviMember',
1311 'delete in CiviMember',
1312 'access CiviContribute',
1313 'delete in CiviContribute',
be2fb01f
CW		 1314 ],
1315 'get' => [
bf9a7c0f
ES		 1316 'access CiviCRM',
1317 'access CiviMember',
1318 'access CiviContribute',
be2fb01f
CW		 1319 ],
1320 'update' => [
bf9a7c0f
ES		 1321 'access CiviCRM',
1322 'access CiviMember',
1323 'edit memberships',
1324 'access CiviContribute',
1325 'edit contributions',
be2fb01f
CW		 1326 ],
1327 ];
bf9a7c0f
ES		 1328
1329 // Participant permissions
be2fb01f
CW		 1330 $permissions['participant'] = [
1331 'create' => [
bf9a7c0f
ES		 1332 'access CiviCRM',
1333 'access CiviEvent',
1334 'register for events',
be2fb01f
CW		 1335 ],
1336 'delete' => [
bf9a7c0f
ES		 1337 'access CiviCRM',
1338 'access CiviEvent',
1339 'edit event participants',
be2fb01f
CW		 1340 ],
1341 'get' => [
bf9a7c0f
ES		 1342 'access CiviCRM',
1343 'access CiviEvent',
1344 'view event participants',
be2fb01f
CW		 1345 ],
1346 'update' => [
bf9a7c0f
ES		 1347 'access CiviCRM',
1348 'access CiviEvent',
1349 'edit event participants',
be2fb01f
CW		 1350 ],
1351 ];
1352 $permissions['participant_payment'] = [
1353 'create' => [
bf9a7c0f
ES		 1354 'access CiviCRM',
1355 'access CiviEvent',
1356 'register for events',
1357 'access CiviContribute',
1358 'edit contributions',
be2fb01f
CW		 1359 ],
1360 'delete' => [
bf9a7c0f
ES		 1361 'access CiviCRM',
1362 'access CiviEvent',
1363 'edit event participants',
1364 'access CiviContribute',
1365 'delete in CiviContribute',
be2fb01f
CW		 1366 ],
1367 'get' => [
bf9a7c0f
ES		 1368 'access CiviCRM',
1369 'access CiviEvent',
1370 'view event participants',
1371 'access CiviContribute',
be2fb01f
CW		 1372 ],
1373 'update' => [
bf9a7c0f
ES		 1374 'access CiviCRM',
1375 'access CiviEvent',
1376 'edit event participants',
1377 'access CiviContribute',
1378 'edit contributions',
be2fb01f
CW		 1379 ],
1380 ];
bf9a7c0f
ES		 1381
1382 // Pledge permissions
be2fb01f
CW		 1383 $permissions['pledge'] = [
1384 'create' => [
bf9a7c0f
ES		 1385 'access CiviCRM',
1386 'access CiviPledge',
1387 'edit pledges',
be2fb01f
CW		 1388 ],
1389 'delete' => [
bf9a7c0f
ES		 1390 'access CiviCRM',
1391 'access CiviPledge',
1392 'delete in CiviPledge',
be2fb01f
CW		 1393 ],
1394 'get' => [
bf9a7c0f
ES		 1395 'access CiviCRM',
1396 'access CiviPledge',
be2fb01f
CW		 1397 ],
1398 'update' => [
bf9a7c0f
ES		 1399 'access CiviCRM',
1400 'access CiviPledge',
1401 'edit pledges',
be2fb01f
CW		 1402 ],
1403 ];
bf9a7c0f
ES		 1404
1405 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
be2fb01f
CW		 1406 $permissions['action_schedule'] = [
1407 'update' => [
1408 [
bf9a7c0f
ES		 1409 'access CiviCRM',
1410 'edit all events',
be2fb01f
CW		 1411 ],
1412 ],
1413 ];
bf9a7c0f 1414
be2fb01f
CW		 1415 $permissions['pledge_payment'] = [
1416 'create' => [
bf9a7c0f
ES		 1417 'access CiviCRM',
1418 'access CiviPledge',
1419 'edit pledges',
1420 'access CiviContribute',
1421 'edit contributions',
be2fb01f
CW		 1422 ],
1423 'delete' => [
bf9a7c0f
ES		 1424 'access CiviCRM',
1425 'access CiviPledge',
1426 'delete in CiviPledge',
1427 'access CiviContribute',
1428 'delete in CiviContribute',
be2fb01f
CW		 1429 ],
1430 'get' => [
bf9a7c0f
ES		 1431 'access CiviCRM',
1432 'access CiviPledge',
1433 'access CiviContribute',
be2fb01f
CW		 1434 ],
1435 'update' => [
bf9a7c0f
ES		 1436 'access CiviCRM',
1437 'access CiviPledge',
1438 'edit pledges',
1439 'access CiviContribute',
1440 'edit contributions',
be2fb01f
CW		 1441 ],
1442 ];
bf9a7c0f
ES		 1443
1444 // Profile permissions
be2fb01f 1445 $permissions['profile'] = [
518fa0ee
SL		 1446 // the profile will take care of this
1447 'get' => [],
be2fb01f 1448 ];
bf9a7c0f 1449
be2fb01f
CW		 1450 $permissions['uf_group'] = [
1451 'create' => [
bf9a7c0f 1452 'access CiviCRM',
be2fb01f 1453 [
bf9a7c0f
ES		 1454 'administer CiviCRM',
1455 'manage event profiles',
be2fb01f
CW		 1456 ],
1457 ],
1458 'get' => [
bf9a7c0f 1459 'access CiviCRM',
be2fb01f
CW		 1460 ],
1461 'update' => [
bf9a7c0f 1462 'access CiviCRM',
be2fb01f 1463 [
bf9a7c0f
ES		 1464 'administer CiviCRM',
1465 'manage event profiles',
be2fb01f
CW		 1466 ],
1467 ],
1468 ];
bf9a7c0f 1469 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
be2fb01f 1470 $permissions['uf_field']['delete'] = [
bf9a7c0f 1471 'access CiviCRM',
be2fb01f 1472 [
bf9a7c0f
ES		 1473 'administer CiviCRM',
1474 'manage event profiles',
be2fb01f
CW		 1475 ],
1476 ];
bf9a7c0f
ES		 1477 $permissions['option_value'] = $permissions['uf_group'];
1478 $permissions['option_group'] = $permissions['option_value'];
1479
be2fb01f
CW		 1480 $permissions['custom_value'] = [
1481 'gettree' => ['access CiviCRM'],
1482 ];
f26fa703 1483
be2fb01f
CW		 1484 $permissions['message_template'] = [
1485 'get' => ['access CiviCRM'],
1486 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1487 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1488 ];
4341efe4
JV		 1489
1490 $permissions['report_template']['update'] = 'save Report Criteria';
1491 $permissions['report_template']['create'] = 'save Report Criteria';
bf9a7c0f
ES		 1492 return $permissions;
1493 }
1494
1495 /**
1496 * Translate an unknown action to a canonical form.
1497 *
1498 * @param string $action
1499 *
1500 * @return string
1501 * the standardised action name
1502 */
1503 public static function getGenericAction($action) {
1504 $snippet = substr($action, 0, 3);
1505 if ($action == 'replace' || $snippet == 'del') {
1506 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1507 // on each of those will be tested separately at runtime. This is just a sniff-test
1508 // based on the heuristic that 'delete' tends to be the most closely guarded
1509 // of the necessary permissions.
1510 $action = 'delete';
1511 }
1512 elseif ($action == 'setvalue' || $snippet == 'upd') {
1513 $action = 'update';
1514 }
1515 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1516 $action = 'meta';
1517 }
1518 elseif ($snippet == 'get') {
1519 $action = 'get';
1520 }
1521 return $action;
1522 }
1523
6a488035 1524 /**
d09edf64 1525 * Validate user permission across.
6a488035
TO		 1526 * edit or view or with supportable acls.
1527 *
acb1052e
WA		 1528 * @return bool
1529 */
00be9182 1530 public static function giveMeAllACLs() {
6a488035
TO		 1531 if (CRM_Core_Permission::check('view all contacts') ||
1532 CRM_Core_Permission::check('edit all contacts')
1533 ) {
1534 return TRUE;
1535 }
1536
1537 $session = CRM_Core_Session::singleton();
1538 $contactID = $session->get('userID');
1539
6a488035
TO		 1540 //check for acl.
1541 $aclPermission = self::getPermission();
be2fb01f 1542 if (in_array($aclPermission, [
6a488035 1543 CRM_Core_Permission::EDIT,
41f314b6 1544 CRM_Core_Permission::VIEW,
be2fb01f 1545 ])
41f314b6 1546 ) {
6a488035
TO		 1547 return TRUE;
1548 }
1549
1550 // run acl where hook and see if the user is supplying an ACL clause
1551 // that is not false
be2fb01f 1552 $tables = $whereTables = [];
6a488035
TO		 1553 $where = NULL;
1554
1555 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1556 $tables, $whereTables,
1557 $contactID, $where
1558 );
1559 return empty($whereTables) ? FALSE : TRUE;
1560 }
1561
1562 /**
100fef9d 1563 * Get component name from given permission.
6a488035 1564 *
41f314b6 1565 * @param string $permission
6a488035 1566 *
76e7a76c
CW		 1567 * @return null|string
1568 * the name of component.
6a488035 1569 */
00be9182 1570 public static function getComponentName($permission) {
6a488035
TO		 1571 $componentName = NULL;
1572 $permission = trim($permission);
1573 if (empty($permission)) {
1574 return $componentName;
1575 }
1576
be2fb01f 1577 static $allCompPermissions = [];
6a488035
TO		 1578 if (empty($allCompPermissions)) {
1579 $components = CRM_Core_Component::getComponents();
1580 foreach ($components as $name => $comp) {
33777e4a
PJ		 1581 //get all permissions of each components unconditionally
1582 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035
TO		 1583 }
1584 }
1585
1586 if (is_array($allCompPermissions)) {
1587 foreach ($allCompPermissions as $name => $permissions) {
b9021475 1588 if (array_key_exists($permission, $permissions)) {
6a488035
TO		 1589 $componentName = $name;
1590 break;
1591 }
1592 }
1593 }
1594
1595 return $componentName;
1596 }
1597
1598 /**
d09edf64 1599 * Get all the contact emails for users that have a specific permission.
6a488035 1600 *
6a0b768e
TO		 1601 * @param string $permissionName
1602 * Name of the permission we are interested in.
6a488035 1603 *
a6c01b45
CW		 1604 * @return string
1605 * a comma separated list of email addresses
6a488035
TO		 1606 */
1607 public static function permissionEmails($permissionName) {
1608 $config = CRM_Core_Config::singleton();
41f314b6 1609 return $config->userPermissionClass->permissionEmails($permissionName);
6a488035
TO		 1610 }
1611
1612 /**
d09edf64 1613 * Get all the contact emails for users that have a specific role.
6a488035 1614 *
6a0b768e
TO		 1615 * @param string $roleName
1616 * Name of the role we are interested in.
6a488035 1617 *
a6c01b45
CW		 1618 * @return string
1619 * a comma separated list of email addresses
6a488035
TO		 1620 */
1621 public static function roleEmails($roleName) {
1622 $config = CRM_Core_Config::singleton();
41f314b6 1623 return $config->userRoleClass->roleEmails($roleName);
6a488035
TO		 1624 }
1625
a0ee3941
EM		 1626 /**
1627 * @return bool
1628 */
00be9182 1629 public static function isMultisiteEnabled() {
aaffa79f 1630 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
6a488035 1631 }
96025800 1632
dc6b437a
GC		 1633 /**
1634 * Verify if the user has permission to get the invoice.
1635 *
1636 * @return bool
1637 * TRUE if the user has download all invoices permission or download my
1638 * invoices permission and the invoice author is the current user.
1639 */
1640 public static function checkDownloadInvoice() {
4cfd4f45 1641 $cid = CRM_Core_Session::getLoggedInContactID();
dc6b437a
GC		 1642 if (CRM_Core_Permission::check('access CiviContribute') ||
1643 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1644 ) {
1645 return TRUE;
1646 }
1647 return FALSE;
1648 }
1649
6a488035 1650}