[civicrm-core.git] / CRM / Core / Permission.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.3                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2013                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2013
 * $Id$
 *
 */

/**
 * This is the basic permission class wrapper
 */
class CRM_Core_Permission {

  /**
   * Static strings used to compose permissions
   *
   * @const
   * @var string
   */
  CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';

  /**
   * The various type of permissions
   *
   * @var int
   */
  CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;

  /**
   * get the current permission of this user
   *
   * @return string the permission of the user (edit or view or null)
   */
  public static function getPermission() {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermission( );
  }

  /**
   * given a permission string, check for access requirements
   *
   * @param string $str the permission to check
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function check($str) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->check( $str );
  }

  /**
   * Given a group/role array, check for access requirements
   *
   * @param array $array the group/role to check
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function checkGroupRole($array) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->checkGroupRole( $array );
  }

  /**
   * Get the permissioned where clause for the user
   *
   * @param int $type the type of permission needed
   * @param  array $tables (reference ) add the tables that are needed for the select clause
   * @param  array $whereTables (reference ) add the tables that are needed for the where clause
   *
   * @return string the group where clause for this user
   * @access public
   */
  public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermissionedStaticGroupClause( $type, $tables, $whereTables );
  }

  /**
   * Get all groups from database, filtered by permissions
   * for this user
   *
   * @param string $groupType     type of group(Access/Mailing)
   * @param boolen $excludeHidden exclude hidden groups.
   *
   * @access public
   * @static
   *
   * @return array - array reference of all groups.
   *
   */
  public static function group($groupType, $excludeHidden = TRUE) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->group( $groupType, $excludeHidden );
  }

  public static function customGroupAdmin() {
    $admin = FALSE;

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::check('access all custom data')) {
      return TRUE;
    }

    if (self::check('administer Multiple Organizations') &&
      self::isMultisiteEnabled()
    ) {
      return TRUE;
    }

    if (self::check('administer CiviCRM')) {
      return TRUE;
    }

    return FALSE;
  }

  public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
    $customGroups = CRM_Core_PseudoConstant::customGroup($reset);
    $defaultGroups = array();

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::customGroupAdmin()) {
      $defaultGroups = array_keys($customGroups);
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
  }

  static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
    if (self::customGroupAdmin()) {
      return ' ( 1 ) ';
    }

    $groups = self::customGroup($type, $reset);
    if (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
    if (empty($gid)) {
      return TRUE;
    }

    $groups = self::ufGroup($type);
    return in_array($gid, $groups) ? TRUE : FALSE;
  }

  public static function ufGroup($type = CRM_Core_Permission::VIEW) {
    $ufGroups = CRM_Core_PseudoConstant::ufGroup();

    $allGroups = array_keys($ufGroups);

    // check if user has all powerful permission
    if (self::check('profile listings and forms')) {
      return $allGroups;
    }

    switch ($type) {
      case CRM_Core_Permission::VIEW:
        if (self::check('profile view')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::CREATE:
        if (self::check('profile create')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::EDIT:
        if (self::check('profile edit')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::SEARCH:
        if (self::check('profile listings')) {
          return $allGroups;
        }
        break;
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
  }

  static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
    $groups = self::ufGroup($type);
    if ($returnUFGroupIds) {
      return $groups;
    }
    elseif (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
    $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
    $includeEvents = array();

    // check if user has all powerful permission
    if (self::check('register for events')) {
      $includeEvents = array_keys($events);
    }

    if ($type == CRM_Core_Permission::VIEW &&
      self::check('view event info')
    ) {
      $includeEvents = array_keys($events);
    }

    $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
    if (!$eventID) {
      return $permissionedEvents;
    }
    return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
  }

  static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
    $events = self::event($type);
    if (empty($events)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
    }
  }

  static function access($module, $checkPermission = TRUE) {
    $config = CRM_Core_Config::singleton();

    if (!in_array($module, $config->enableComponents)) {
      return FALSE;
    }

    if ($checkPermission) {
      if ($module == 'CiviCase') {
        return CRM_Case_BAO_Case::accessCiviCase();
      }
      else {
        return CRM_Core_Permission::check("access $module");
      }
    }

    return TRUE;
  }

  /**
   * check permissions for delete and edit actions
   *
   * @param string  $module component name.
   * @param $action action to be check across component
   *
   **/
  static function checkActionPermission($module, $action) {
    //check delete related permissions.
    if ($action & CRM_Core_Action::DELETE) {
      $permissionName = "delete in $module";
    }
    else {
      $editPermissions = array(
        'CiviEvent' => 'edit event participants',
        'CiviMember' => 'edit memberships',
        'CiviPledge' => 'edit pledges',
        'CiviContribute' => 'edit contributions',
        'CiviGrant' => 'edit grants',
        'CiviMail' => 'access CiviMail',
        'CiviAuction' => 'add auction items',
      );
      $permissionName = CRM_Utils_Array::value($module, $editPermissions);
    }

    if ($module == 'CiviCase' && !$permissionName) {
      return CRM_Case_BAO_Case::accessCiviCase();
    }
    else {
      //check for permission.
      return CRM_Core_Permission::check($permissionName);
    }
  }

  static function checkMenu(&$args, $op = 'and') {
    if (!is_array($args)) {
      return $args;
    }
    foreach ($args as $str) {
      $res = CRM_Core_Permission::check($str);
      if ($op == 'or' && $res) {
        return TRUE;
      }
      elseif ($op == 'and' && !$res) {
        return FALSE;
      }
    }
    return ($op == 'or') ? FALSE : TRUE;
  }

  static function checkMenuItem(&$item) {
    if (!array_key_exists('access_callback', $item)) {
      CRM_Core_Error::backtrace();
      CRM_Core_Error::fatal();
    }

    // if component_id is present, ensure it is enabled
    if (isset($item['component_id']) &&
      $item['component_id']
    ) {
      $config = CRM_Core_Config::singleton();
      if (is_array($config->enableComponentIDs) &&
        in_array($item['component_id'], $config->enableComponentIDs)
      ) {
        // continue with process
      }
      else {
        return FALSE;
      }
    }

    // the following is imitating drupal 6 code in includes/menu.inc
    if (empty($item['access_callback']) ||
      is_numeric($item['access_callback'])
    ) {
      return (boolean ) $item['access_callback'];
    }

    // check whether the following Ajax requests submitted the right key
    // FIXME: this should be integrated into ACLs proper
    if (CRM_Utils_Array::value('page_type', $item) == 3) {
      if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
        return FALSE;
      }
    }

    // check if callback is for checkMenu, if so optimize it
    if (is_array($item['access_callback']) &&
      $item['access_callback'][0] == 'CRM_Core_Permission' &&
      $item['access_callback'][1] == 'checkMenu'
    ) {
      $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
      return self::checkMenu($item['access_arguments'][0], $op);
    }
    else {
      return call_user_func_array($item['access_callback'], $item['access_arguments']);
    }
  }

  static function &basicPermissions($all = FALSE) {
    static $permissions = NULL;

    if (!$permissions) {
      $prefix = ts('CiviCRM') . ': ';
      $permissions = self::getCorePermissions();

      if (self::isMultisiteEnabled()) {
        $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
      }

      $config = CRM_Core_Config::singleton();

      if (!$all) {
        $components = CRM_Core_Component::getEnabledComponents();
      }
      else {
        $components = CRM_Core_Component::getComponents();
      }

      foreach ($components as $comp) {
        $perm = $comp->getPermissions();
        if ($perm) {
          $info = $comp->getInfo();
          foreach ($perm as $p) {
            $permissions[$p] = $info['translatedName'] . ': ' . $p;
          }
        }
      }

      // Add any permissions defined in hook_civicrm_permission implementations.
      $config = CRM_Core_Config::singleton();
      $module_permissions = $config->userPermissionClass->getAllModulePermissions();
      $permissions = array_merge($permissions, $module_permissions);
    }

    return $permissions;
  }

  static function getCorePermissions() {
    $prefix = ts('CiviCRM') . ': ';
    $permissions = array(
      'add contacts' => $prefix . ts('add contacts'),
      'view all contacts' => $prefix . ts('view all contacts'),
      'edit all contacts' => $prefix . ts('edit all contacts'),
      'delete contacts' => $prefix . ts('delete contacts'),
      'access deleted contacts' => $prefix . ts('access deleted contacts'),
      'import contacts' => $prefix . ts('import contacts'),
      'edit groups' => $prefix . ts('edit groups'),
      'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
      'access uploaded files' => $prefix . ts('access uploaded files'),
      'profile listings and forms' => $prefix . ts('profile listings and forms'),
      'profile listings' => $prefix . ts('profile listings'),
      'profile create' => $prefix . ts('profile create'),
      'profile edit' => $prefix . ts('profile edit'),
      'profile view' => $prefix . ts('profile view'),
      'access all custom data' => $prefix . ts('access all custom data'),
      'view all activities' => $prefix . ts('view all activities'),
      'delete activities' => $prefix . ts('delete activities'),
      'access CiviCRM' => $prefix . ts('access CiviCRM'),
      'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
      'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
      'administer reserved groups' => $prefix . ts('administer reserved groups'),
      'administer Tagsets' => $prefix . ts('administer Tagsets'),
      'administer reserved tags' => $prefix . ts('administer reserved tags'),
      'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
      'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
      'view debug output' => $prefix . ts('view debug output'),
      'view all notes' => $prefix . ts('view all notes'),
      'access AJAX API' => $prefix . ts('access AJAX API'),
      'access contact reference fields' => $prefix . ts('access contact reference fields'),
      'create manual batch' => $prefix . ts('create manual batch'),
      'edit own manual batches' => $prefix . ts('edit own manual batches'),
      'edit all manual batches' => $prefix . ts('edit all manual batches'),
      'view own manual batches' => $prefix . ts('view own manual batches'),
      'view all manual batches' => $prefix . ts('view all manual batches'),
      'delete own manual batches' => $prefix . ts('delete own manual batches'),
      'delete all manual batches' => $prefix . ts('delete all manual batches'),
      'export own manual batches' => $prefix . ts('export own manual batches'),
      'export all manual batches' => $prefix . ts('export all manual batches'),
    );

    return $permissions;
  }

  /**
   * Validate user permission across
   * edit or view or with supportable acls.
   *
   * return boolean true/false.
   **/
  static function giveMeAllACLs() {
    if (CRM_Core_Permission::check('view all contacts') ||
      CRM_Core_Permission::check('edit all contacts')
    ) {
      return TRUE;
    }

    $session = CRM_Core_Session::singleton();
    $contactID = $session->get('userID');

    if (self::isMultisiteEnabled()) {
      // For multisite just check if there are contacts in acl_contact_cache table for now.
      // FixMe: so even if a user in multisite has very limited permission could still
      // see search / contact navigation options for example.
      return CRM_Contact_BAO_Contact_Permission::hasContactsInCache(CRM_Core_Permission::VIEW,
        $contactID
      );
    }

    //check for acl.
    $aclPermission = self::getPermission();
    if (in_array($aclPermission, array(
      CRM_Core_Permission::EDIT,
          CRM_Core_Permission::VIEW,
        ))) {
      return TRUE;
    }

    // run acl where hook and see if the user is supplying an ACL clause
    // that is not false
    $tables = $whereTables = array();
    $where = NULL;

    CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
      $tables, $whereTables,
      $contactID, $where
    );
    return empty($whereTables) ? FALSE : TRUE;
  }

  /**
   * Function to get component name from given permission.
   *
   * @param string  $permission
   *
   * return string $componentName the name of component.
   * @static
   */
  static function getComponentName($permission) {
    $componentName = NULL;
    $permission = trim($permission);
    if (empty($permission)) {
      return $componentName;
    }

    static $allCompPermissions = array();
    if (empty($allCompPermissions)) {
      $components = CRM_Core_Component::getComponents();
      foreach ($components as $name => $comp) {
        $allCompPermissions[$name] = $comp->getPermissions();
      }
    }

    if (is_array($allCompPermissions)) {
      foreach ($allCompPermissions as $name => $permissions) {
        if (in_array($permission, $permissions)) {
          $componentName = $name;
          break;
        }
      }
    }

    return $componentName;
  }

  /**
   * Get all the contact emails for users that have a specific permission
   *
   * @param string $permissionName name of the permission we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function permissionEmails($permissionName) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->permissionEmails( $permissionName );
  }

  /**
   * Get all the contact emails for users that have a specific role
   *
   * @param string $roleName name of the role we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function roleEmails($roleName) {
    $config = CRM_Core_Config::singleton();
    return $config->userRoleClass->roleEmails( $roleName );
  }

  static function isMultisiteEnabled() {
    return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
      'is_enabled'
    ) ? TRUE : FALSE;
  }
}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
	4	\| CiviCRM version 4.3 \|
	5	+--------------------------------------------------------------------+
	6	\| Copyright CiviCRM LLC (c) 2004-2013 \|
	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	*
	30	* @package CRM
	31	* @copyright CiviCRM LLC (c) 2004-2013
	32	* $Id$
	33	*
	34	*/
	35
	36	/**
	37	* This is the basic permission class wrapper
	38	*/
	39	class CRM_Core_Permission {
	40
	41	/**
	42	* Static strings used to compose permissions
	43	*
	44	* @const
	45	* @var string
	46	*/
	47	CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
	48
	49	/**
	50	* The various type of permissions
	51	*
	52	* @var int
	53	*/
	54	CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
	55
	56	/**
	57	* get the current permission of this user
	58	*
	59	* @return string the permission of the user (edit or view or null)
	60	*/
	61	public static function getPermission() {
	62	$config = CRM_Core_Config::singleton();
	63	return $config->userPermissionClass->getPermission( );
	64	}
65
66	/**
67	* given a permission string, check for access requirements
68	*
69	* @param string $str the permission to check
70	*
71	* @return boolean true if yes, else false
72	* @static
73	* @access public
74	*/
75	static function check($str) {
76	$config = CRM_Core_Config::singleton();
77	return $config->userPermissionClass->check( $str );
78	}
79
80	/**
81	* Given a group/role array, check for access requirements
82	*
83	* @param array $array the group/role to check
84	*
85	* @return boolean true if yes, else false
86	* @static
87	* @access public
88	*/
89	static function checkGroupRole($array) {
90	$config = CRM_Core_Config::singleton();
91	return $config->userPermissionClass->checkGroupRole( $array );
92	}
93
94	/**
95	* Get the permissioned where clause for the user
96	*
97	* @param int $type the type of permission needed
98	* @param array $tables (reference ) add the tables that are needed for the select clause
99	* @param array $whereTables (reference ) add the tables that are needed for the where clause
100	*
101	* @return string the group where clause for this user
102	* @access public
103	*/
104	public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
105	$config = CRM_Core_Config::singleton();
106	return $config->userPermissionClass->getPermissionedStaticGroupClause( $type, $tables, $whereTables );
107	}
108
109	/**
110	* Get all groups from database, filtered by permissions
111	* for this user
112	*
113	* @param string $groupType type of group(Access/Mailing)
114	* @param boolen $excludeHidden exclude hidden groups.
115	*
116	* @access public
117	* @static
118	*
119	* @return array - array reference of all groups.
120	*
121	*/
122	public static function group($groupType, $excludeHidden = TRUE) {
123	$config = CRM_Core_Config::singleton();
124	return $config->userPermissionClass->group( $groupType, $excludeHidden );
125	}
126
127	public static function customGroupAdmin() {
128	$admin = FALSE;
129
130	// check if user has all powerful permission
131	// or administer civicrm permission (CRM-1905)
132	if (self::check('access all custom data')) {
133	return TRUE;
134	}
135
136	if (self::check('administer Multiple Organizations') &&
137	self::isMultisiteEnabled()
138	) {
139	return TRUE;
140	}
141
142	if (self::check('administer CiviCRM')) {
143	return TRUE;
144	}
145
146	return FALSE;
147	}
148
149	public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
150	$customGroups = CRM_Core_PseudoConstant::customGroup($reset);
151	$defaultGroups = array();
152
153	// check if user has all powerful permission
154	// or administer civicrm permission (CRM-1905)
155	if (self::customGroupAdmin()) {
156	$defaultGroups = array_keys($customGroups);
157	}
158
159	return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
160	}
161
162	static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
163	if (self::customGroupAdmin()) {
164	return ' ( 1 ) ';
165	}
166
167	$groups = self::customGroup($type, $reset);
168	if (empty($groups)) {
169	return ' ( 0 ) ';
170	}
171	else {
172	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
173	}
174	}
175
176	public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
177	if (empty($gid)) {
178	return TRUE;
179	}
180
181	$groups = self::ufGroup($type);
182	return in_array($gid, $groups) ? TRUE : FALSE;
183	}
184
185	public static function ufGroup($type = CRM_Core_Permission::VIEW) {
186	$ufGroups = CRM_Core_PseudoConstant::ufGroup();
187
188	$allGroups = array_keys($ufGroups);
189
190	// check if user has all powerful permission
191	if (self::check('profile listings and forms')) {
192	return $allGroups;
193	}
194
195	switch ($type) {
196	case CRM_Core_Permission::VIEW:
197	if (self::check('profile view')) {
198	return $allGroups;
199	}
200	break;
201
202	case CRM_Core_Permission::CREATE:
203	if (self::check('profile create')) {
204	return $allGroups;
205	}
206	break;
207
208	case CRM_Core_Permission::EDIT:
209	if (self::check('profile edit')) {
210	return $allGroups;
211	}
212	break;
213
214	case CRM_Core_Permission::SEARCH:
215	if (self::check('profile listings')) {
216	return $allGroups;
217	}
218	break;
219	}
220
221	return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
222	}
223
224	static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
225	$groups = self::ufGroup($type);
226	if ($returnUFGroupIds) {
227	return $groups;
228	}
229	elseif (empty($groups)) {
230	return ' ( 0 ) ';
231	}
232	else {
233	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
234	}
235	}
236
237	public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
238	$events = CRM_Event_PseudoConstant::event(NULL, TRUE);
239	$includeEvents = array();
240
241	// check if user has all powerful permission
242	if (self::check('register for events')) {
243	$includeEvents = array_keys($events);
244	}
245
246	if ($type == CRM_Core_Permission::VIEW &&
247	self::check('view event info')
248	) {
249	$includeEvents = array_keys($events);
250	}
251
252	$permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
253	if (!$eventID) {
254	return $permissionedEvents;
255	}
256	return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
257	}
258
259	static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
260	$events = self::event($type);
261	if (empty($events)) {
262	return ' ( 0 ) ';
263	}
264	else {
265	return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
266	}
267	}
268
269	static function access($module, $checkPermission = TRUE) {
270	$config = CRM_Core_Config::singleton();
271
272	if (!in_array($module, $config->enableComponents)) {
273	return FALSE;
274	}
275
276	if ($checkPermission) {
277	if ($module == 'CiviCase') {
278	return CRM_Case_BAO_Case::accessCiviCase();
279	}
280	else {
281	return CRM_Core_Permission::check("access $module");
282	}
283	}
284
285	return TRUE;
286	}
287
288	/**
289	* check permissions for delete and edit actions
290	*
291	* @param string $module component name.
292	* @param $action action to be check across component
293	*
294	**/
295	static function checkActionPermission($module, $action) {
296	//check delete related permissions.
297	if ($action & CRM_Core_Action::DELETE) {
298	$permissionName = "delete in $module";
299	}
300	else {
301	$editPermissions = array(
302	'CiviEvent' => 'edit event participants',
303	'CiviMember' => 'edit memberships',
304	'CiviPledge' => 'edit pledges',
305	'CiviContribute' => 'edit contributions',
306	'CiviGrant' => 'edit grants',
307	'CiviMail' => 'access CiviMail',
308	'CiviAuction' => 'add auction items',
309	);
310	$permissionName = CRM_Utils_Array::value($module, $editPermissions);
311	}
312
313	if ($module == 'CiviCase' && !$permissionName) {
314	return CRM_Case_BAO_Case::accessCiviCase();
315	}
316	else {
317	//check for permission.
318	return CRM_Core_Permission::check($permissionName);
319	}
320	}
321
322	static function checkMenu(&$args, $op = 'and') {
323	if (!is_array($args)) {
324	return $args;
325	}
326	foreach ($args as $str) {
327	$res = CRM_Core_Permission::check($str);
328	if ($op == 'or' && $res) {
329	return TRUE;
330	}
331	elseif ($op == 'and' && !$res) {
332	return FALSE;
333	}
334	}
335	return ($op == 'or') ? FALSE : TRUE;
336	}
337
338	static function checkMenuItem(&$item) {
339	if (!array_key_exists('access_callback', $item)) {
340	CRM_Core_Error::backtrace();
341	CRM_Core_Error::fatal();
342	}
343
344	// if component_id is present, ensure it is enabled
345	if (isset($item['component_id']) &&
346	$item['component_id']
347	) {
348	$config = CRM_Core_Config::singleton();
349	if (is_array($config->enableComponentIDs) &&
350	in_array($item['component_id'], $config->enableComponentIDs)
351	) {
352	// continue with process
353	}
354	else {
355	return FALSE;
356	}
357	}
358
359	// the following is imitating drupal 6 code in includes/menu.inc
360	if (empty($item['access_callback']) \|\|
361	is_numeric($item['access_callback'])
362	) {
363	return (boolean ) $item['access_callback'];
364	}
365
366	// check whether the following Ajax requests submitted the right key
367	// FIXME: this should be integrated into ACLs proper
368	if (CRM_Utils_Array::value('page_type', $item) == 3) {
369	if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
370	return FALSE;
371	}
372	}
373
374	// check if callback is for checkMenu, if so optimize it
375	if (is_array($item['access_callback']) &&
376	$item['access_callback'][0] == 'CRM_Core_Permission' &&
377	$item['access_callback'][1] == 'checkMenu'
378	) {
379	$op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
380	return self::checkMenu($item['access_arguments'][0], $op);
381	}
382	else {
383	return call_user_func_array($item['access_callback'], $item['access_arguments']);
384	}
385	}
386
387	static function &basicPermissions($all = FALSE) {
388	static $permissions = NULL;
389
390	if (!$permissions) {
391	$prefix = ts('CiviCRM') . ': ';
392	$permissions = self::getCorePermissions();
393
394	if (self::isMultisiteEnabled()) {
395	$permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
396	}
397
398	$config = CRM_Core_Config::singleton();
399
400	if (!$all) {
401	$components = CRM_Core_Component::getEnabledComponents();
402	}
403	else {
404	$components = CRM_Core_Component::getComponents();
405	}
406
407	foreach ($components as $comp) {
408	$perm = $comp->getPermissions();
409	if ($perm) {
410	$info = $comp->getInfo();
411	foreach ($perm as $p) {
412	$permissions[$p] = $info['translatedName'] . ': ' . $p;
413	}
414	}
415	}
416
417	// Add any permissions defined in hook_civicrm_permission implementations.
418	$config = CRM_Core_Config::singleton();
419	$module_permissions = $config->userPermissionClass->getAllModulePermissions();
420	$permissions = array_merge($permissions, $module_permissions);
421	}
422
423	return $permissions;
424	}
425
426	static function getCorePermissions() {
427	$prefix = ts('CiviCRM') . ': ';
428	$permissions = array(
429	'add contacts' => $prefix . ts('add contacts'),
430	'view all contacts' => $prefix . ts('view all contacts'),
431	'edit all contacts' => $prefix . ts('edit all contacts'),
432	'delete contacts' => $prefix . ts('delete contacts'),
433	'access deleted contacts' => $prefix . ts('access deleted contacts'),
434	'import contacts' => $prefix . ts('import contacts'),
435	'edit groups' => $prefix . ts('edit groups'),
436	'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
437	'access uploaded files' => $prefix . ts('access uploaded files'),
438	'profile listings and forms' => $prefix . ts('profile listings and forms'),
439	'profile listings' => $prefix . ts('profile listings'),
440	'profile create' => $prefix . ts('profile create'),
441	'profile edit' => $prefix . ts('profile edit'),
442	'profile view' => $prefix . ts('profile view'),
443	'access all custom data' => $prefix . ts('access all custom data'),
444	'view all activities' => $prefix . ts('view all activities'),
445	'delete activities' => $prefix . ts('delete activities'),
446	'access CiviCRM' => $prefix . ts('access CiviCRM'),
447	'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
448	'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
449	'administer reserved groups' => $prefix . ts('administer reserved groups'),
450	'administer Tagsets' => $prefix . ts('administer Tagsets'),
451	'administer reserved tags' => $prefix . ts('administer reserved tags'),
452	'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
453	'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
454	'view debug output' => $prefix . ts('view debug output'),
455	'view all notes' => $prefix . ts('view all notes'),
456	'access AJAX API' => $prefix . ts('access AJAX API'),
457	'access contact reference fields' => $prefix . ts('access contact reference fields'),
458	'create manual batch' => $prefix . ts('create manual batch'),
459	'edit own manual batches' => $prefix . ts('edit own manual batches'),
460	'edit all manual batches' => $prefix . ts('edit all manual batches'),
461	'view own manual batches' => $prefix . ts('view own manual batches'),
462	'view all manual batches' => $prefix . ts('view all manual batches'),
463	'delete own manual batches' => $prefix . ts('delete own manual batches'),
464	'delete all manual batches' => $prefix . ts('delete all manual batches'),
465	'export own manual batches' => $prefix . ts('export own manual batches'),
466	'export all manual batches' => $prefix . ts('export all manual batches'),
467	);
468
469	return $permissions;
470	}
471
472	/**
473	* Validate user permission across
474	* edit or view or with supportable acls.
475	*
476	* return boolean true/false.
477	**/
478	static function giveMeAllACLs() {
479	if (CRM_Core_Permission::check('view all contacts') \|\|
480	CRM_Core_Permission::check('edit all contacts')
481	) {
482	return TRUE;
483	}
484
485	$session = CRM_Core_Session::singleton();
486	$contactID = $session->get('userID');
487
488	if (self::isMultisiteEnabled()) {
489	// For multisite just check if there are contacts in acl_contact_cache table for now.
490	// FixMe: so even if a user in multisite has very limited permission could still
491	// see search / contact navigation options for example.
492	return CRM_Contact_BAO_Contact_Permission::hasContactsInCache(CRM_Core_Permission::VIEW,
493	$contactID
494	);
495	}
496
497	//check for acl.
498	$aclPermission = self::getPermission();
499	if (in_array($aclPermission, array(
500	CRM_Core_Permission::EDIT,
501	CRM_Core_Permission::VIEW,
502	))) {
503	return TRUE;
504	}
505
506	// run acl where hook and see if the user is supplying an ACL clause
507	// that is not false
508	$tables = $whereTables = array();
509	$where = NULL;
510
511	CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
512	$tables, $whereTables,
513	$contactID, $where
514	);
515	return empty($whereTables) ? FALSE : TRUE;
516	}
517
518	/**
519	* Function to get component name from given permission.
520	*
521	* @param string $permission
522	*
523	* return string $componentName the name of component.
524	* @static
525	*/
526	static function getComponentName($permission) {
527	$componentName = NULL;
528	$permission = trim($permission);
529	if (empty($permission)) {
530	return $componentName;
531	}
532
533	static $allCompPermissions = array();
534	if (empty($allCompPermissions)) {
535	$components = CRM_Core_Component::getComponents();
536	foreach ($components as $name => $comp) {
537	$allCompPermissions[$name] = $comp->getPermissions();
538	}
539	}
540
541	if (is_array($allCompPermissions)) {
542	foreach ($allCompPermissions as $name => $permissions) {
543	if (in_array($permission, $permissions)) {
544	$componentName = $name;
545	break;
546	}
547	}
548	}
549
550	return $componentName;
551	}
552
553	/**
554	* Get all the contact emails for users that have a specific permission
555	*
556	* @param string $permissionName name of the permission we are interested in
557	*
558	* @return string a comma separated list of email addresses
559	*/
560	public static function permissionEmails($permissionName) {
561	$config = CRM_Core_Config::singleton();
562	return $config->userPermissionClass->permissionEmails( $permissionName );
563	}
564
565	/**
566	* Get all the contact emails for users that have a specific role
567	*
568	* @param string $roleName name of the role we are interested in
569	*
570	* @return string a comma separated list of email addresses
571	*/
572	public static function roleEmails($roleName) {
573	$config = CRM_Core_Config::singleton();
574	return $config->userRoleClass->roleEmails( $roleName );
575	}
576
577	static function isMultisiteEnabled() {
578	return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
579	'is_enabled'
580	) ? TRUE : FALSE;
581	}
582	}
583