projects / civicrm-core.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use merge duplicate contacts as api permission for merging
[civicrm-core.git] / CRM / Core / Permission.php
CommitLineData
6a488035
TO		 1<?php
2/*
3 +--------------------------------------------------------------------+
fee14197 4 | CiviCRM version 5 |
6a488035 5 +--------------------------------------------------------------------+
6b83d5bd 6 | Copyright CiviCRM LLC (c) 2004-2019 |
6a488035
TO		 7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
6a488035
TO		 27
28/**
29 *
30 * @package CRM
6b83d5bd 31 * @copyright CiviCRM LLC (c) 2004-2019
6a488035
TO		 32 */
33
34/**
35 * This is the basic permission class wrapper
36 */
37class CRM_Core_Permission {
38
39 /**
d09edf64 40 * Static strings used to compose permissions.
6a488035
TO		 41 *
42 * @const
43 * @var string
44 */
7da04cde 45 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
6a488035
TO		 46
47 /**
d09edf64 48 * The various type of permissions.
6a488035
TO		 49 *
50 * @var int
51 */
7da04cde 52 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
6a488035 53
085823c1 54 /**
d09edf64 55 * A placeholder permission which always fails.
085823c1
TO		 56 */
57 const ALWAYS_DENY_PERMISSION = "*always deny*";
58
59 /**
d09edf64 60 * A placeholder permission which always fails.
085823c1
TO		 61 */
62 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
63
6dd18b98 64 /**
d09edf64 65 * Various authentication sources.
6dd18b98
DS		 66 *
67 * @var int
68 */
7da04cde 69 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98 70
6a488035 71 /**
d09edf64 72 * Get the current permission of this user.
6a488035 73 *
a6c01b45
CW		 74 * @return string
75 * the permission of the user (edit or view or null)
6a488035
TO		 76 */
77 public static function getPermission() {
78 $config = CRM_Core_Config::singleton();
41f314b6 79 return $config->userPermissionClass->getPermission();
6a488035
TO		 80 }
81
82 /**
100fef9d 83 * Given a permission string or array, check for access requirements
6a488035 84 *
9b61e85d
CW		 85 * Ex 1: Must have 'access CiviCRM'
86 * (string) 'access CiviCRM'
60ec9f43 87 *
9b61e85d
CW		 88 * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
89 * ['access CiviCRM', 'access Ajax API']
60ec9f43 90 *
9b61e85d
CW		 91 * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
92 * [
93 * ['access CiviCRM', 'access Ajax API'],
94 * ],
60ec9f43 95 *
9b61e85d
CW		 96 * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
97 * [
98 * ['access CiviCRM', 'access Ajax API'],
99 * 'access CiviEvent',
100 * ],
60ec9f43 101 *
9b61e85d
CW		 102 * Note that in permissions.php this is keyed by the action eg.
103 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
104 * 'myaction' => [
105 * ['access CiviCRM', 'access Ajax API'],
106 * ['access CiviEvent', 'access CiviContribute']
107 * ],
60ec9f43 108 *
9b61e85d
CW		 109 * @param string|array $permissions
110 * The permission to check as an array or string -see examples.
60ec9f43 111 *
9b61e85d
CW		 112 * @param int $contactId
113 * Contact id to check permissions for. Defaults to current logged-in user.
6a488035 114 *
acb1052e 115 * @return bool
9b61e85d 116 * true if contact has permission(s), else false
6a488035 117 */
18be3201 118 public static function check($permissions, $contactId = NULL) {
60ec9f43 119 $permissions = (array) $permissions;
9b61e85d 120 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
60ec9f43 121
18be3201 122 /** @var CRM_Core_Permission_Temp $tempPerm */
59735506
TO		 123 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
124
60ec9f43 125 foreach ($permissions as $permission) {
22e263ad 126 if (is_array($permission)) {
60ec9f43 127 foreach ($permission as $orPerm) {
18be3201 128 if (self::check($orPerm, $contactId)) {
60ec9f43 129 //one of our 'or' permissions has succeeded - stop checking this permission
b8a19656 130 return TRUE;
60ec9f43
E		 131 }
132 }
133 //none of our our conditions was met
134 return FALSE;
135 }
136 else {
3ae62cab 137 // This is an individual permission
18be3201 138 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission, $userId);
3ae62cab 139 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
fa4dac9c 140 CRM_Utils_Hook::permission_check($permission, $granted, $contactId);
59735506 141 if (
3ae62cab 142 !$granted
59735506
TO		 143 && !($tempPerm && $tempPerm->check($permission))
144 ) {
60ec9f43
E		 145 //one of our 'and' conditions has not been met
146 return FALSE;
147 }
148 }
149 }
150 return TRUE;
6a488035
TO		 151 }
152
dc92f2f8 153 /**
d09edf64 154 * Determine if any one of the permissions strings applies to current user.
dc92f2f8
TO		 155 *
156 * @param array $perms
157 * @return bool
158 */
159 public static function checkAnyPerm($perms) {
160 foreach ($perms as $perm) {
161 if (CRM_Core_Permission::check($perm)) {
162 return TRUE;
163 }
164 }
165 return FALSE;
166 }
167
6a488035
TO		 168 /**
169 * Given a group/role array, check for access requirements
170 *
6a0b768e
TO		 171 * @param array $array
172 * The group/role to check.
6a488035 173 *
acb1052e 174 * @return bool
a6c01b45 175 * true if yes, else false
6a488035 176 */
00be9182 177 public static function checkGroupRole($array) {
6a488035 178 $config = CRM_Core_Config::singleton();
41f314b6 179 return $config->userPermissionClass->checkGroupRole($array);
6a488035
TO		 180 }
181
182 /**
d09edf64 183 * Get the permissioned where clause for the user.
6a488035 184 *
6a0b768e
TO		 185 * @param int $type
186 * The type of permission needed.
187 * @param array $tables
188 * (reference ) add the tables that are needed for the select clause.
189 * @param array $whereTables
190 * (reference ) add the tables that are needed for the where clause.
6a488035 191 *
a6c01b45
CW		 192 * @return string
193 * the group where clause for this user
6a488035
TO		 194 */
195 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
196 $config = CRM_Core_Config::singleton();
41f314b6 197 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035
TO		 198 }
199
200 /**
201 * Get all groups from database, filtered by permissions
202 * for this user
203 *
6a0b768e
TO		 204 * @param string $groupType
205 * Type of group(Access/Mailing).
3f8d2862
CW		 206 * @param bool $excludeHidden
207 * exclude hidden groups.
6a488035 208 *
6a488035 209 *
a6c01b45
CW		 210 * @return array
211 * array reference of all groups.
6a488035
TO		 212 */
213 public static function group($groupType, $excludeHidden = TRUE) {
214 $config = CRM_Core_Config::singleton();
41f314b6 215 return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035
TO		 216 }
217
a0ee3941
EM		 218 /**
219 * @return bool
220 */
6a488035
TO		 221 public static function customGroupAdmin() {
222 $admin = FALSE;
223
224 // check if user has all powerful permission
225 // or administer civicrm permission (CRM-1905)
226 if (self::check('access all custom data')) {
227 return TRUE;
228 }
229
634e1a1a
DL		 230 if (
231 self::check('administer Multiple Organizations') &&
6a488035
TO		 232 self::isMultisiteEnabled()
233 ) {
234 return TRUE;
235 }
236
237 if (self::check('administer CiviCRM')) {
238 return TRUE;
239 }
240
241 return FALSE;
242 }
243
a0ee3941
EM		 244 /**
245 * @param int $type
246 * @param bool $reset
247 *
248 * @return array
249 */
6a488035 250 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6 251 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
be2fb01f
CW		 252 ['fresh' => $reset]);
253 $defaultGroups = [];
6a488035
TO		 254
255 // check if user has all powerful permission
256 // or administer civicrm permission (CRM-1905)
257 if (self::customGroupAdmin()) {
258 $defaultGroups = array_keys($customGroups);
259 }
260
261 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
262 }
263
a0ee3941
EM		 264 /**
265 * @param int $type
266 * @param null $prefix
267 * @param bool $reset
268 *
269 * @return string
270 */
00be9182 271 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
6a488035
TO		 272 if (self::customGroupAdmin()) {
273 return ' ( 1 ) ';
274 }
275
276 $groups = self::customGroup($type, $reset);
277 if (empty($groups)) {
278 return ' ( 0 ) ';
279 }
280 else {
281 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
282 }
283 }
284
a0ee3941 285 /**
100fef9d 286 * @param int $gid
a0ee3941
EM		 287 * @param int $type
288 *
289 * @return bool
290 */
6a488035
TO		 291 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
292 if (empty($gid)) {
293 return TRUE;
294 }
295
296 $groups = self::ufGroup($type);
684b0b22 297 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
6a488035
TO		 298 }
299
a0ee3941
EM		 300 /**
301 * @param int $type
302 *
303 * @return array
304 */
6a488035 305 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744 306 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035
TO		 307
308 $allGroups = array_keys($ufGroups);
309
310 // check if user has all powerful permission
311 if (self::check('profile listings and forms')) {
312 return $allGroups;
313 }
314
315 switch ($type) {
316 case CRM_Core_Permission::VIEW:
317 if (self::check('profile view')) {
318 return $allGroups;
319 }
320 break;
321
322 case CRM_Core_Permission::CREATE:
323 if (self::check('profile create')) {
324 return $allGroups;
325 }
326 break;
327
328 case CRM_Core_Permission::EDIT:
329 if (self::check('profile edit')) {
330 return $allGroups;
331 }
332 break;
333
334 case CRM_Core_Permission::SEARCH:
335 if (self::check('profile listings')) {
336 return $allGroups;
337 }
338 break;
339 }
340
341 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
342 }
343
a0ee3941
EM		 344 /**
345 * @param int $type
346 * @param null $prefix
347 * @param bool $returnUFGroupIds
348 *
349 * @return array|string
350 */
00be9182 351 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
6a488035
TO		 352 $groups = self::ufGroup($type);
353 if ($returnUFGroupIds) {
354 return $groups;
355 }
356 elseif (empty($groups)) {
357 return ' ( 0 ) ';
358 }
359 else {
360 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
361 }
362 }
363
a0ee3941
EM		 364 /**
365 * @param int $type
100fef9d 366 * @param int $eventID
a0ee3941
EM		 367 * @param string $context
368 *
369 * @return array|null
370 */
e2d09ab4 371 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
22e263ad
TO		 372 if (!empty($context)) {
373 if (CRM_Core_Permission::check($context)) {
e2d09ab4
EM		 374 return TRUE;
375 }
376 }
6a488035 377 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
be2fb01f 378 $includeEvents = [];
6a488035
TO		 379
380 // check if user has all powerful permission
381 if (self::check('register for events')) {
382 $includeEvents = array_keys($events);
383 }
384
385 if ($type == CRM_Core_Permission::VIEW &&
386 self::check('view event info')
387 ) {
388 $includeEvents = array_keys($events);
389 }
390
391 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
392 if (!$eventID) {
393 return $permissionedEvents;
394 }
41f314b6 395 if (!empty($permissionedEvents)) {
2efcf0c2 396 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6 397 }
dfa720e7 398 return NULL;
6a488035
TO		 399 }
400
a0ee3941
EM		 401 /**
402 * @param int $type
403 * @param null $prefix
404 *
405 * @return string
406 */
00be9182 407 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
6a488035
TO		 408 $events = self::event($type);
409 if (empty($events)) {
410 return ' ( 0 ) ';
411 }
412 else {
413 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
414 }
415 }
416
a0ee3941 417 /**
44d17ec8
BS		 418 * Checks that component is enabled and optionally that user has basic perm.
419 *
420 * @param string $module
421 * Specifies the name of the CiviCRM component.
a0ee3941 422 * @param bool $checkPermission
44d17ec8
BS		 423 * Check not only that module is enabled, but that user has necessary
424 * permission.
425 * @param bool $requireAllCasesPermOnCiviCase
426 * Significant only if $module == CiviCase
427 * Require "access all cases and activities", not just
428 * "access my cases and activities".
a0ee3941
EM		 429 *
430 * @return bool
44d17ec8 431 * Access to specified $module is granted.
a0ee3941 432 */
44d17ec8 433 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
6a488035
TO		 434 $config = CRM_Core_Config::singleton();
435
436 if (!in_array($module, $config->enableComponents)) {
437 return FALSE;
438 }
439
440 if ($checkPermission) {
44d17ec8
BS		 441 switch ($module) {
442 case 'CiviCase':
443 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
444 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
445 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
446
447 case 'CiviCampaign':
448 return CRM_Core_Permission::check("administer $module");
449
450 default:
451 return CRM_Core_Permission::check("access $module");
6a488035
TO		 452 }
453 }
454
455 return TRUE;
456 }
457
458 /**
d09edf64 459 * Check permissions for delete and edit actions.
6a488035 460 *
6a0b768e
TO		 461 * @param string $module
462 * Component name.
463 * @param int $action
464 * Action to be check across component.
6a488035 465 *
77b97be7
EM		 466 *
467 * @return bool
468 */
00be9182 469 public static function checkActionPermission($module, $action) {
6a488035
TO		 470 //check delete related permissions.
471 if ($action & CRM_Core_Action::DELETE) {
472 $permissionName = "delete in $module";
473 }
474 else {
be2fb01f 475 $editPermissions = [
6a488035
TO		 476 'CiviEvent' => 'edit event participants',
477 'CiviMember' => 'edit memberships',
478 'CiviPledge' => 'edit pledges',
479 'CiviContribute' => 'edit contributions',
480 'CiviGrant' => 'edit grants',
481 'CiviMail' => 'access CiviMail',
482 'CiviAuction' => 'add auction items',
be2fb01f 483 ];
6a488035
TO		 484 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
485 }
486
487 if ($module == 'CiviCase' && !$permissionName) {
488 return CRM_Case_BAO_Case::accessCiviCase();
489 }
490 else {
491 //check for permission.
492 return CRM_Core_Permission::check($permissionName);
493 }
494 }
495
a0ee3941
EM		 496 /**
497 * @param $args
498 * @param string $op
499 *
500 * @return bool
501 */
00be9182 502 public static function checkMenu(&$args, $op = 'and') {
6a488035
TO		 503 if (!is_array($args)) {
504 return $args;
505 }
506 foreach ($args as $str) {
507 $res = CRM_Core_Permission::check($str);
508 if ($op == 'or' && $res) {
509 return TRUE;
510 }
511 elseif ($op == 'and' && !$res) {
512 return FALSE;
513 }
514 }
515 return ($op == 'or') ? FALSE : TRUE;
516 }
517
a0ee3941
EM		 518 /**
519 * @param $item
520 *
521 * @return bool|mixed
522 * @throws Exception
523 */
00be9182 524 public static function checkMenuItem(&$item) {
6a488035
TO		 525 if (!array_key_exists('access_callback', $item)) {
526 CRM_Core_Error::backtrace();
527 CRM_Core_Error::fatal();
528 }
529
530 // if component_id is present, ensure it is enabled
3d31a5c6
TO		 531 if (isset($item['component_id']) && $item['component_id']) {
532 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
533 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
534 }
535 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
536
6a488035 537 $config = CRM_Core_Config::singleton();
3d31a5c6 538 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
6a488035
TO		 539 // continue with process
540 }
541 else {
542 return FALSE;
543 }
544 }
545
546 // the following is imitating drupal 6 code in includes/menu.inc
547 if (empty($item['access_callback']) ||
548 is_numeric($item['access_callback'])
549 ) {
550 return (boolean ) $item['access_callback'];
551 }
552
553 // check whether the following Ajax requests submitted the right key
554 // FIXME: this should be integrated into ACLs proper
555 if (CRM_Utils_Array::value('page_type', $item) == 3) {
556 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
557 return FALSE;
558 }
559 }
560
561 // check if callback is for checkMenu, if so optimize it
562 if (is_array($item['access_callback']) &&
563 $item['access_callback'][0] == 'CRM_Core_Permission' &&
564 $item['access_callback'][1] == 'checkMenu'
565 ) {
566 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
567 return self::checkMenu($item['access_arguments'][0], $op);
568 }
569 else {
570 return call_user_func_array($item['access_callback'], $item['access_arguments']);
571 }
572 }
573
a0ee3941
EM		 574 /**
575 * @param bool $all
9476d8d1 576 * Include disabled components
221b21b4 577 * @param bool $descriptions
9476d8d1 578 * Whether to return descriptions
a0ee3941
EM		 579 *
580 * @return array
581 */
9476d8d1 582 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
be2fb01f 583 $cacheKey = implode('-', [$all, $descriptions]);
9476d8d1
CW		 584 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
585 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
221b21b4 586 }
9476d8d1 587 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
221b21b4
AH		 588 }
589
590 /**
591 * @param bool $all
592 * @param bool $descriptions
593 * whether to return descriptions
594 *
595 * @return array
596 */
597 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
598 $config = CRM_Core_Config::singleton();
599 $prefix = ts('CiviCRM') . ': ';
600 $permissions = self::getCorePermissions($descriptions);
601
602 if (self::isMultisiteEnabled()) {
be2fb01f 603 $permissions['administer Multiple Organizations'] = [$prefix . ts('administer Multiple Organizations')];
221b21b4
AH		 604 }
605
8c282315 606 if (!$descriptions) {
607 foreach ($permissions as $name => $attr) {
608 $permissions[$name] = array_shift($attr);
609 }
610 }
221b21b4
AH		 611 if (!$all) {
612 $components = CRM_Core_Component::getEnabledComponents();
613 }
614 else {
615 $components = CRM_Core_Component::getComponents();
616 }
617
618 foreach ($components as $comp) {
d47b93bf 619 $perm = $comp->getPermissions($all, $descriptions);
221b21b4
AH		 620 if ($perm) {
621 $info = $comp->getInfo();
2666861c
KL		 622 foreach ($perm as $p => $attr) {
623
624 if (!is_array($attr)) {
be2fb01f 625 $attr = [$attr];
2666861c
KL		 626 }
627
628 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
629
630 if ($descriptions) {
221b21b4
AH		 631 $permissions[$p] = $attr;
632 }
2666861c
KL		 633 else {
634 $permissions[$p] = $attr[0];
6a488035
TO		 635 }
636 }
637 }
6a488035
TO		 638 }
639
221b21b4 640 // Add any permissions defined in hook_civicrm_permission implementations.
f1db52b9 641 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
221b21b4 642 $permissions = array_merge($permissions, $module_permissions);
cb2f7dd1 643 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
6a488035
TO		 644 return $permissions;
645 }
646
a0ee3941
EM		 647 /**
648 * @return array
649 */
00be9182 650 public static function getAnonymousPermissionsWarnings() {
be2fb01f 651 static $permissions = [];
81bb85ea 652 if (empty($permissions)) {
be2fb01f 653 $permissions = [
21dfd5f5 654 'administer CiviCRM',
be2fb01f 655 ];
81bb85ea
AC		 656 $components = CRM_Core_Component::getComponents();
657 foreach ($components as $comp) {
658 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
659 continue;
660 }
661 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
662 }
663 }
664 return $permissions;
665 }
666
a0ee3941
EM		 667 /**
668 * @param $anonymous_perms
669 *
670 * @return array
671 */
00be9182 672 public static function validateForPermissionWarnings($anonymous_perms) {
81bb85ea
AC		 673 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
674 }
675
a0ee3941 676 /**
6793d6a9 677 * Get core permissions.
221b21b4 678 *
a0ee3941
EM		 679 * @return array
680 */
8c282315 681 public static function getCorePermissions() {
6a488035 682 $prefix = ts('CiviCRM') . ': ';
be2fb01f
CW		 683 $permissions = [
684 'add contacts' => [
221b21b4
AH		 685 $prefix . ts('add contacts'),
686 ts('Create a new contact record in CiviCRM'),
be2fb01f
CW		 687 ],
688 'view all contacts' => [
221b21b4
AH		 689 $prefix . ts('view all contacts'),
690 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
be2fb01f
CW		 691 ],
692 'edit all contacts' => [
221b21b4
AH		 693 $prefix . ts('edit all contacts'),
694 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
be2fb01f
CW		 695 ],
696 'view my contact' => [
221b21b4 697 $prefix . ts('view my contact'),
be2fb01f
CW		 698 ],
699 'edit my contact' => [
221b21b4 700 $prefix . ts('edit my contact'),
be2fb01f
CW		 701 ],
702 'delete contacts' => [
221b21b4 703 $prefix . ts('delete contacts'),
be2fb01f
CW		 704 ],
705 'access deleted contacts' => [
221b21b4
AH		 706 $prefix . ts('access deleted contacts'),
707 ts('Access contacts in the trash'),
be2fb01f
CW		 708 ],
709 'import contacts' => [
221b21b4
AH		 710 $prefix . ts('import contacts'),
711 ts('Import contacts and activities'),
be2fb01f
CW		 712 ],
713 'import SQL datasource' => [
40bc3c68
TO		 714 $prefix . ts('import SQL datasource'),
715 ts('When importing, consume data directly from a SQL datasource'),
be2fb01f
CW		 716 ],
717 'edit groups' => [
221b21b4
AH		 718 $prefix . ts('edit groups'),
719 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
be2fb01f
CW		 720 ],
721 'administer CiviCRM' => [
221b21b4
AH		 722 $prefix . ts('administer CiviCRM'),
723 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
be2fb01f
CW		 724 ],
725 'skip IDS check' => [
221b21b4 726 $prefix . ts('skip IDS check'),
d9a37cbc 727 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
be2fb01f
CW		 728 ],
729 'access uploaded files' => [
221b21b4
AH		 730 $prefix . ts('access uploaded files'),
731 ts('View / download files including images and photos'),
be2fb01f
CW		 732 ],
733 'profile listings and forms' => [
221b21b4 734 $prefix . ts('profile listings and forms'),
d9a37cbc 735 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
be2fb01f
CW		 736 ],
737 'profile listings' => [
221b21b4 738 $prefix . ts('profile listings'),
d9a37cbc 739 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
be2fb01f
CW		 740 ],
741 'profile create' => [
221b21b4 742 $prefix . ts('profile create'),
d9a37cbc 743 ts('Add data in a profile form.'),
be2fb01f
CW		 744 ],
745 'profile edit' => [
221b21b4 746 $prefix . ts('profile edit'),
d9a37cbc 747 ts('Edit data in a profile form.'),
be2fb01f
CW		 748 ],
749 'profile view' => [
221b21b4 750 $prefix . ts('profile view'),
d9a37cbc 751 ts('View data in a profile.'),
be2fb01f
CW		 752 ],
753 'access all custom data' => [
221b21b4
AH		 754 $prefix . ts('access all custom data'),
755 ts('View all custom fields regardless of ACL rules'),
be2fb01f
CW		 756 ],
757 'view all activities' => [
221b21b4
AH		 758 $prefix . ts('view all activities'),
759 ts('View all activities (for visible contacts)'),
be2fb01f
CW		 760 ],
761 'delete activities' => [
221b21b4 762 $prefix . ts('Delete activities'),
be2fb01f
CW		 763 ],
764 'edit inbound email basic information' => [
ee90a98c
CR		 765 $prefix . ts('edit inbound email basic information'),
766 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
be2fb01f
CW		 767 ],
768 'edit inbound email basic information and content' => [
ee90a98c
CR		 769 $prefix . ts('edit inbound email basic information and content'),
770 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
be2fb01f
CW		 771 ],
772 'access CiviCRM' => [
d9a37cbc
H		 773 $prefix . ts('access CiviCRM backend and API'),
774 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
be2fb01f
CW		 775 ],
776 'access Contact Dashboard' => [
221b21b4
AH		 777 $prefix . ts('access Contact Dashboard'),
778 ts('View Contact Dashboard (for themselves and visible contacts)'),
be2fb01f
CW		 779 ],
780 'translate CiviCRM' => [
221b21b4
AH		 781 $prefix . ts('translate CiviCRM'),
782 ts('Allow User to enable multilingual'),
be2fb01f
CW		 783 ],
784 'manage tags' => [
eaaaef83
I		 785 $prefix . ts('manage tags'),
786 ts('Create and rename tags'),
be2fb01f
CW		 787 ],
788 'administer reserved groups' => [
221b21b4
AH		 789 $prefix . ts('administer reserved groups'),
790 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
be2fb01f
CW		 791 ],
792 'administer Tagsets' => [
221b21b4 793 $prefix . ts('administer Tagsets'),
be2fb01f
CW		 794 ],
795 'administer reserved tags' => [
221b21b4 796 $prefix . ts('administer reserved tags'),
be2fb01f
CW		 797 ],
798 'administer dedupe rules' => [
221b21b4
AH		 799 $prefix . ts('administer dedupe rules'),
800 ts('Create and edit rules, change the supervised and unsupervised rules'),
be2fb01f
CW		 801 ],
802 'merge duplicate contacts' => [
221b21b4
AH		 803 $prefix . ts('merge duplicate contacts'),
804 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 805 ],
806 'force merge duplicate contacts' => [
fd630ef9 807 $prefix . ts('force merge duplicate contacts'),
808 ts('Delete Contacts must also be granted in order for this to work.'),
be2fb01f
CW		 809 ],
810 'view debug output' => [
221b21b4
AH		 811 $prefix . ts('view debug output'),
812 ts('View results of debug and backtrace'),
be2fb01f 813 ],
02d451ab 814
be2fb01f 815 'view all notes' => [
221b21b4
AH		 816 $prefix . ts('view all notes'),
817 ts("View notes (for visible contacts) even if they're marked admin only"),
be2fb01f
CW		 818 ],
819 'add contact notes' => [
088101a4
O		 820 $prefix . ts('add contact notes'),
821 ts("Create notes for contacts"),
be2fb01f
CW		 822 ],
823 'access AJAX API' => [
221b21b4
AH		 824 $prefix . ts('access AJAX API'),
825 ts('Allow API access even if Access CiviCRM is not granted'),
be2fb01f
CW		 826 ],
827 'access contact reference fields' => [
221b21b4
AH		 828 $prefix . ts('access contact reference fields'),
829 ts('Allow entering data into contact reference fields'),
be2fb01f
CW		 830 ],
831 'create manual batch' => [
221b21b4
AH		 832 $prefix . ts('create manual batch'),
833 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
be2fb01f
CW		 834 ],
835 'edit own manual batches' => [
221b21b4
AH		 836 $prefix . ts('edit own manual batches'),
837 ts('Edit accounting batches created by user'),
be2fb01f
CW		 838 ],
839 'edit all manual batches' => [
221b21b4
AH		 840 $prefix . ts('edit all manual batches'),
841 ts('Edit all accounting batches'),
be2fb01f
CW		 842 ],
843 'close own manual batches' => [
47a98aef 844 $prefix . ts('close own manual batches'),
5ad18cc2 845 ts('Close accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 846 ],
847 'close all manual batches' => [
47a98aef 848 $prefix . ts('close all manual batches'),
5ad18cc2 849 ts('Close all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 850 ],
851 'reopen own manual batches' => [
47a98aef 852 $prefix . ts('reopen own manual batches'),
5ad18cc2 853 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 854 ],
855 'reopen all manual batches' => [
47a98aef 856 $prefix . ts('reopen all manual batches'),
5ad18cc2 857 ts('Reopen all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 858 ],
859 'view own manual batches' => [
221b21b4
AH		 860 $prefix . ts('view own manual batches'),
861 ts('View accounting batches created by user (with Access to CiviContribute)'),
be2fb01f
CW		 862 ],
863 'view all manual batches' => [
221b21b4
AH		 864 $prefix . ts('view all manual batches'),
865 ts('View all accounting batches (with Access to CiviContribute)'),
be2fb01f
CW		 866 ],
867 'delete own manual batches' => [
221b21b4
AH		 868 $prefix . ts('delete own manual batches'),
869 ts('Delete accounting batches created by user'),
be2fb01f
CW		 870 ],
871 'delete all manual batches' => [
221b21b4
AH		 872 $prefix . ts('delete all manual batches'),
873 ts('Delete all accounting batches'),
be2fb01f
CW		 874 ],
875 'export own manual batches' => [
221b21b4
AH		 876 $prefix . ts('export own manual batches'),
877 ts('Export accounting batches created by user'),
be2fb01f
CW		 878 ],
879 'export all manual batches' => [
221b21b4
AH		 880 $prefix . ts('export all manual batches'),
881 ts('Export all accounting batches'),
be2fb01f
CW		 882 ],
883 'administer payment processors' => [
221b21b4
AH		 884 $prefix . ts('administer payment processors'),
885 ts('Add, Update, or Disable Payment Processors'),
be2fb01f
CW		 886 ],
887 'edit message templates' => [
221b21b4 888 $prefix . ts('edit message templates'),
be2fb01f
CW		 889 ],
890 'edit system workflow message templates' => [
40a732a9 891 $prefix . ts('edit system workflow message templates'),
be2fb01f
CW		 892 ],
893 'edit user-driven message templates' => [
40a732a9 894 $prefix . ts('edit user-driven message templates'),
be2fb01f
CW		 895 ],
896 'view my invoices' => [
a664e7b3 897 $prefix . ts('view my invoices'),
dc6b437a 898 ts('Allow users to view/ download their own invoices'),
be2fb01f
CW		 899 ],
900 'edit api keys' => [
d4463076
TO		 901 $prefix . ts('edit api keys'),
902 ts('Edit API keys'),
be2fb01f
CW		 903 ],
904 'edit own api keys' => [
d4463076
TO		 905 $prefix . ts('edit own api keys'),
906 ts('Edit user\'s own API keys'),
be2fb01f
CW		 907 ],
908 'send SMS' => [
63483feb
MM		 909 $prefix . ts('send SMS'),
910 ts('Send an SMS'),
be2fb01f
CW		 911 ],
912 ];
6a488035
TO		 913
914 return $permissions;
915 }
916
bf9a7c0f
ES		 917 /**
918 * For each entity provides an array of permissions required for each action
919 *
920 * The action is the array key, possible values:
921 * * create: applies to create (with no id in params)
922 * * update: applies to update, setvalue, create (with id in params)
923 * * get: applies to getcount, getsingle, getvalue and other gets
924 * * delete: applies to delete, replace
925 * * meta: applies to getfields, getoptions, getspec
926 * * default: catch-all for anything not declared
927 *
928 * Note: some APIs declare other actions as well
929 *
930 * Permissions should use arrays for AND and arrays of arrays for OR
1a5a2ade 931 * @see CRM_Core_Permission::check
bf9a7c0f
ES		 932 *
933 * @return array of permissions
934 */
935 public static function getEntityActionPermissions() {
be2fb01f 936 $permissions = [];
bf9a7c0f
ES		 937 // These are the default permissions - if any entity does not declare permissions for a given action,
938 // (or the entity does not declare permissions at all) - then the action will be used from here
be2fb01f 939 $permissions['default'] = [
bf9a7c0f 940 // applies to getfields, getoptions, etc.
be2fb01f 941 'meta' => ['access CiviCRM'],
bf9a7c0f
ES		 942 // catch-all, applies to create, get, delete, etc.
943 // If an entity declares it's own 'default' action it will override this one
be2fb01f
CW		 944 'default' => ['administer CiviCRM'],
945 ];
bf9a7c0f
ES		 946
947 // Note: Additional permissions in DynamicFKAuthorization
be2fb01f
CW		 948 $permissions['attachment'] = [
949 'default' => [
950 ['access CiviCRM', 'access AJAX API'],
951 ],
952 ];
bf9a7c0f
ES		 953
954 // Contact permissions
be2fb01f
CW		 955 $permissions['contact'] = [
956 'create' => [
bf9a7c0f
ES		 957 'access CiviCRM',
958 'add contacts',
be2fb01f
CW		 959 ],
960 'delete' => [
bf9a7c0f
ES		 961 'access CiviCRM',
962 'delete contacts',
be2fb01f 963 ],
bf9a7c0f 964 // managed by query object
be2fb01f 965 'get' => [],
bf9a7c0f 966 // managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 967 'update' => [],
968 'getquick' => [
969 ['access CiviCRM', 'access AJAX API'],
970 ],
971 'duplicatecheck' => [
f257308b 972 'access CiviCRM',
be2fb01f 973 ],
9f8c8b7a 974 'merge' => ['merge duplicate contacts'],
be2fb01f 975 ];
bf9a7c0f 976
cc477693 977 $permissions['dedupe'] = [
978 'getduplicates' => ['access CiviCRM'],
979 ];
980
bf9a7c0f 981 // CRM-16963 - Permissions for country.
be2fb01f
CW		 982 $permissions['country'] = [
983 'get' => [
bf9a7c0f 984 'access CiviCRM',
be2fb01f
CW		 985 ],
986 'default' => [
bf9a7c0f 987 'administer CiviCRM',
be2fb01f
CW		 988 ],
989 ];
bf9a7c0f
ES		 990
991 // Contact-related data permissions.
be2fb01f 992 $permissions['address'] = [
bf9a7c0f
ES		 993 // get is managed by BAO::addSelectWhereClause
994 // create/delete are managed by _civicrm_api3_check_edit_permissions
be2fb01f
CW		 995 'default' => [],
996 ];
bf9a7c0f
ES		 997 $permissions['email'] = $permissions['address'];
998 $permissions['phone'] = $permissions['address'];
999 $permissions['website'] = $permissions['address'];
1000 $permissions['im'] = $permissions['address'];
1001 $permissions['open_i_d'] = $permissions['address'];
1002
1003 // Also managed by ACLs - CRM-19448
be2fb01f 1004 $permissions['entity_tag'] = ['default' => []];
bf9a7c0f
ES		 1005 $permissions['note'] = $permissions['entity_tag'];
1006
1007 // Allow non-admins to get and create tags to support tagset widget
1008 // Delete is still reserved for admins
be2fb01f
CW		 1009 $permissions['tag'] = [
1010 'get' => ['access CiviCRM'],
1011 'create' => ['access CiviCRM'],
1012 'update' => ['access CiviCRM'],
1013 ];
bf9a7c0f
ES		 1014
1015 //relationship permissions
be2fb01f 1016 $permissions['relationship'] = [
bf9a7c0f 1017 // get is managed by BAO::addSelectWhereClause
be2fb01f
CW		 1018 'get' => [],
1019 'delete' => [
bf9a7c0f
ES		 1020 'access CiviCRM',
1021 'edit all contacts',
be2fb01f
CW		 1022 ],
1023 'default' => [
bf9a7c0f
ES		 1024 'access CiviCRM',
1025 'edit all contacts',
be2fb01f
CW		 1026 ],
1027 ];
bf9a7c0f
ES		 1028
1029 // CRM-17741 - Permissions for RelationshipType.
be2fb01f
CW		 1030 $permissions['relationship_type'] = [
1031 'get' => [
bf9a7c0f 1032 'access CiviCRM',
be2fb01f
CW		 1033 ],
1034 'default' => [
bf9a7c0f 1035 'administer CiviCRM',
be2fb01f
CW		 1036 ],
1037 ];
bf9a7c0f
ES		 1038
1039 // Activity permissions
be2fb01f
CW		 1040 $permissions['activity'] = [
1041 'delete' => [
bf9a7c0f
ES		 1042 'access CiviCRM',
1043 'delete activities',
be2fb01f
CW		 1044 ],
1045 'get' => [
bf9a7c0f
ES		 1046 'access CiviCRM',
1047 // Note that view all activities is also required within the api
1048 // if the id is not passed in. Where the id is passed in the activity
1049 // specific check functions are used and tested.
be2fb01f
CW		 1050 ],
1051 'default' => [
bf9a7c0f
ES		 1052 'access CiviCRM',
1053 'view all activities',
be2fb01f
CW		 1054 ],
1055 ];
cdacd6ab 1056 $permissions['activity_contact'] = $permissions['activity'];
bf9a7c0f
ES		 1057
1058 // Case permissions
be2fb01f
CW		 1059 $permissions['case'] = [
1060 'create' => [
bf9a7c0f
ES		 1061 'access CiviCRM',
1062 'add cases',
be2fb01f
CW		 1063 ],
1064 'delete' => [
bf9a7c0f
ES		 1065 'access CiviCRM',
1066 'delete in CiviCase',
be2fb01f
CW		 1067 ],
1068 'restore' => [
8572e6de 1069 'administer CiviCase',
be2fb01f
CW		 1070 ],
1071 'merge' => [
a6bc7218 1072 'administer CiviCase',
be2fb01f
CW		 1073 ],
1074 'default' => [
bf9a7c0f 1075 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
be2fb01f
CW		 1076 ['access my cases and activities', 'access all cases and activities'],
1077 ],
1078 ];
bf9a7c0f
ES		 1079 $permissions['case_contact'] = $permissions['case'];
1080
be2fb01f
CW		 1081 $permissions['case_type'] = [
1082 'default' => ['administer CiviCase'],
1083 'get' => [
bf9a7c0f 1084 // nested array = OR
be2fb01f
CW		 1085 ['access my cases and activities', 'access all cases and activities'],
1086 ],
1087 ];
bf9a7c0f
ES		 1088
1089 // Campaign permissions
be2fb01f
CW		 1090 $permissions['campaign'] = [
1091 'get' => ['access CiviCRM'],
1092 'default' => [
bf9a7c0f 1093 // nested array = OR
be2fb01f
CW		 1094 ['administer CiviCampaign', 'manage campaign'],
1095 ],
1096 ];
bf9a7c0f
ES		 1097 $permissions['survey'] = $permissions['campaign'];
1098
1099 // Financial permissions
be2fb01f
CW		 1100 $permissions['contribution'] = [
1101 'get' => [
bf9a7c0f
ES		 1102 'access CiviCRM',
1103 'access CiviContribute',
be2fb01f
CW		 1104 ],
1105 'delete' => [
bf9a7c0f
ES		 1106 'access CiviCRM',
1107 'access CiviContribute',
1108 'delete in CiviContribute',
be2fb01f
CW		 1109 ],
1110 'completetransaction' => [
bf9a7c0f 1111 'edit contributions',
be2fb01f
CW		 1112 ],
1113 'default' => [
bf9a7c0f
ES		 1114 'access CiviCRM',
1115 'access CiviContribute',
1116 'edit contributions',
be2fb01f
CW		 1117 ],
1118 ];
bf9a7c0f
ES		 1119 $permissions['line_item'] = $permissions['contribution'];
1120
1121 // Payment permissions
be2fb01f
CW		 1122 $permissions['payment'] = [
1123 'get' => [
bf9a7c0f
ES		 1124 'access CiviCRM',
1125 'access CiviContribute',
be2fb01f
CW		 1126 ],
1127 'delete' => [
bf9a7c0f
ES		 1128 'access CiviCRM',
1129 'access CiviContribute',
1130 'delete in CiviContribute',
be2fb01f
CW		 1131 ],
1132 'cancel' => [
bf9a7c0f
ES		 1133 'access CiviCRM',
1134 'access CiviContribute',
1135 'edit contributions',
be2fb01f
CW		 1136 ],
1137 'create' => [
bf9a7c0f
ES		 1138 'access CiviCRM',
1139 'access CiviContribute',
1140 'edit contributions',
be2fb01f
CW		 1141 ],
1142 'default' => [
bf9a7c0f
ES		 1143 'access CiviCRM',
1144 'access CiviContribute',
1145 'edit contributions',
be2fb01f
CW		 1146 ],
1147 ];
e4124a88 1148 $permissions['contribution_recur'] = $permissions['payment'];
bf9a7c0f
ES		 1149
1150 // Custom field permissions
be2fb01f
CW		 1151 $permissions['custom_field'] = [
1152 'default' => [
bf9a7c0f
ES		 1153 'administer CiviCRM',
1154 'access all custom data',
be2fb01f
CW		 1155 ],
1156 ];
bf9a7c0f
ES		 1157 $permissions['custom_group'] = $permissions['custom_field'];
1158
1159 // Event permissions
be2fb01f
CW		 1160 $permissions['event'] = [
1161 'create' => [
bf9a7c0f
ES		 1162 'access CiviCRM',
1163 'access CiviEvent',
1164 'edit all events',
be2fb01f
CW		 1165 ],
1166 'delete' => [
bf9a7c0f
ES		 1167 'access CiviCRM',
1168 'access CiviEvent',
1169 'delete in CiviEvent',
be2fb01f
CW		 1170 ],
1171 'get' => [
bf9a7c0f
ES		 1172 'access CiviCRM',
1173 'access CiviEvent',
1174 'view event info',
be2fb01f
CW		 1175 ],
1176 'update' => [
bf9a7c0f
ES		 1177 'access CiviCRM',
1178 'access CiviEvent',
1179 'edit all events',
be2fb01f
CW		 1180 ],
1181 ];
bf9a7c0f
ES		 1182 // Loc block is only used for events
1183 $permissions['loc_block'] = $permissions['event'];
1184
be2fb01f
CW		 1185 $permissions['state_province'] = [
1186 'get' => [
fc2d1728 1187 'access CiviCRM',
be2fb01f
CW		 1188 ],
1189 ];
fc2d1728 1190
bf9a7c0f 1191 // Price sets are shared by several components, user needs access to at least one of them
be2fb01f
CW		 1192 $permissions['price_set'] = [
1193 'default' => [
1194 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1195 ],
1196 'get' => [
1197 ['access CiviCRM', 'view event info', 'make online contributions'],
1198 ],
1199 ];
bf9a7c0f
ES		 1200
1201 // File permissions
be2fb01f
CW		 1202 $permissions['file'] = [
1203 'default' => [
bf9a7c0f
ES		 1204 'access CiviCRM',
1205 'access uploaded files',
be2fb01f
CW		 1206 ],
1207 ];
bf9a7c0f
ES		 1208 $permissions['files_by_entity'] = $permissions['file'];
1209
1210 // Group permissions
be2fb01f
CW		 1211 $permissions['group'] = [
1212 'get' => [
bf9a7c0f 1213 'access CiviCRM',
be2fb01f
CW		 1214 ],
1215 'default' => [
bf9a7c0f
ES		 1216 'access CiviCRM',
1217 'edit groups',
be2fb01f
CW		 1218 ],
1219 ];
bf9a7c0f
ES		 1220
1221 $permissions['group_nesting'] = $permissions['group'];
1222 $permissions['group_organization'] = $permissions['group'];
1223
1224 //Group Contact permission
be2fb01f
CW		 1225 $permissions['group_contact'] = [
1226 'get' => [
bf9a7c0f 1227 'access CiviCRM',
be2fb01f
CW		 1228 ],
1229 'default' => [
bf9a7c0f
ES		 1230 'access CiviCRM',
1231 'edit all contacts',
be2fb01f
CW		 1232 ],
1233 ];
bf9a7c0f
ES		 1234
1235 // CiviMail Permissions
be2fb01f 1236 $civiMailBasePerms = [
bf9a7c0f
ES		 1237 // To get/preview/update, one must have least one of these perms:
1238 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1239 'access CiviMail',
1240 'create mailings',
1241 'schedule mailings',
1242 'approve mailings',
be2fb01f
CW		 1243 ];
1244 $permissions['mailing'] = [
1245 'get' => [
bf9a7c0f
ES		 1246 'access CiviCRM',
1247 $civiMailBasePerms,
be2fb01f
CW		 1248 ],
1249 'delete' => [
bf9a7c0f
ES		 1250 'access CiviCRM',
1251 $civiMailBasePerms,
1252 'delete in CiviMail',
be2fb01f
CW		 1253 ],
1254 'submit' => [
bf9a7c0f 1255 'access CiviCRM',
be2fb01f
CW		 1256 ['access CiviMail', 'schedule mailings'],
1257 ],
1258 'default' => [
bf9a7c0f
ES		 1259 'access CiviCRM',
1260 $civiMailBasePerms,
be2fb01f
CW		 1261 ],
1262 ];
bf9a7c0f
ES		 1263 $permissions['mailing_group'] = $permissions['mailing'];
1264 $permissions['mailing_job'] = $permissions['mailing'];
1265 $permissions['mailing_recipients'] = $permissions['mailing'];
1266
be2fb01f
CW		 1267 $permissions['mailing_a_b'] = [
1268 'get' => [
bf9a7c0f
ES		 1269 'access CiviCRM',
1270 'access CiviMail',
be2fb01f
CW		 1271 ],
1272 'delete' => [
bf9a7c0f
ES		 1273 'access CiviCRM',
1274 'access CiviMail',
1275 'delete in CiviMail',
be2fb01f
CW		 1276 ],
1277 'submit' => [
bf9a7c0f 1278 'access CiviCRM',
be2fb01f
CW		 1279 ['access CiviMail', 'schedule mailings'],
1280 ],
1281 'default' => [
bf9a7c0f
ES		 1282 'access CiviCRM',
1283 'access CiviMail',
be2fb01f
CW		 1284 ],
1285 ];
bf9a7c0f
ES		 1286
1287 // Membership permissions
be2fb01f
CW		 1288 $permissions['membership'] = [
1289 'get' => [
bf9a7c0f
ES		 1290 'access CiviCRM',
1291 'access CiviMember',
be2fb01f
CW		 1292 ],
1293 'delete' => [
bf9a7c0f
ES		 1294 'access CiviCRM',
1295 'access CiviMember',
1296 'delete in CiviMember',
be2fb01f
CW		 1297 ],
1298 'default' => [
bf9a7c0f
ES		 1299 'access CiviCRM',
1300 'access CiviMember',
1301 'edit memberships',
be2fb01f
CW		 1302 ],
1303 ];
bf9a7c0f
ES		 1304 $permissions['membership_status'] = $permissions['membership'];
1305 $permissions['membership_type'] = $permissions['membership'];
be2fb01f
CW		 1306 $permissions['membership_payment'] = [
1307 'create' => [
bf9a7c0f
ES		 1308 'access CiviCRM',
1309 'access CiviMember',
1310 'edit memberships',
1311 'access CiviContribute',
1312 'edit contributions',
be2fb01f
CW		 1313 ],
1314 'delete' => [
bf9a7c0f
ES		 1315 'access CiviCRM',
1316 'access CiviMember',
1317 'delete in CiviMember',
1318 'access CiviContribute',
1319 'delete in CiviContribute',
be2fb01f
CW		 1320 ],
1321 'get' => [
bf9a7c0f
ES		 1322 'access CiviCRM',
1323 'access CiviMember',
1324 'access CiviContribute',
be2fb01f
CW		 1325 ],
1326 'update' => [
bf9a7c0f
ES		 1327 'access CiviCRM',
1328 'access CiviMember',
1329 'edit memberships',
1330 'access CiviContribute',
1331 'edit contributions',
be2fb01f
CW		 1332 ],
1333 ];
bf9a7c0f
ES		 1334
1335 // Participant permissions
be2fb01f
CW		 1336 $permissions['participant'] = [
1337 'create' => [
bf9a7c0f
ES		 1338 'access CiviCRM',
1339 'access CiviEvent',
1340 'register for events',
be2fb01f
CW		 1341 ],
1342 'delete' => [
bf9a7c0f
ES		 1343 'access CiviCRM',
1344 'access CiviEvent',
1345 'edit event participants',
be2fb01f
CW		 1346 ],
1347 'get' => [
bf9a7c0f
ES		 1348 'access CiviCRM',
1349 'access CiviEvent',
1350 'view event participants',
be2fb01f
CW		 1351 ],
1352 'update' => [
bf9a7c0f
ES		 1353 'access CiviCRM',
1354 'access CiviEvent',
1355 'edit event participants',
be2fb01f
CW		 1356 ],
1357 ];
1358 $permissions['participant_payment'] = [
1359 'create' => [
bf9a7c0f
ES		 1360 'access CiviCRM',
1361 'access CiviEvent',
1362 'register for events',
1363 'access CiviContribute',
1364 'edit contributions',
be2fb01f
CW		 1365 ],
1366 'delete' => [
bf9a7c0f
ES		 1367 'access CiviCRM',
1368 'access CiviEvent',
1369 'edit event participants',
1370 'access CiviContribute',
1371 'delete in CiviContribute',
be2fb01f
CW		 1372 ],
1373 'get' => [
bf9a7c0f
ES		 1374 'access CiviCRM',
1375 'access CiviEvent',
1376 'view event participants',
1377 'access CiviContribute',
be2fb01f
CW		 1378 ],
1379 'update' => [
bf9a7c0f
ES		 1380 'access CiviCRM',
1381 'access CiviEvent',
1382 'edit event participants',
1383 'access CiviContribute',
1384 'edit contributions',
be2fb01f
CW		 1385 ],
1386 ];
bf9a7c0f
ES		 1387
1388 // Pledge permissions
be2fb01f
CW		 1389 $permissions['pledge'] = [
1390 'create' => [
bf9a7c0f
ES		 1391 'access CiviCRM',
1392 'access CiviPledge',
1393 'edit pledges',
be2fb01f
CW		 1394 ],
1395 'delete' => [
bf9a7c0f
ES		 1396 'access CiviCRM',
1397 'access CiviPledge',
1398 'delete in CiviPledge',
be2fb01f
CW		 1399 ],
1400 'get' => [
bf9a7c0f
ES		 1401 'access CiviCRM',
1402 'access CiviPledge',
be2fb01f
CW		 1403 ],
1404 'update' => [
bf9a7c0f
ES		 1405 'access CiviCRM',
1406 'access CiviPledge',
1407 'edit pledges',
be2fb01f
CW		 1408 ],
1409 ];
bf9a7c0f
ES		 1410
1411 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
be2fb01f
CW		 1412 $permissions['action_schedule'] = [
1413 'update' => [
1414 [
bf9a7c0f
ES		 1415 'access CiviCRM',
1416 'edit all events',
be2fb01f
CW		 1417 ],
1418 ],
1419 ];
bf9a7c0f 1420
be2fb01f
CW		 1421 $permissions['pledge_payment'] = [
1422 'create' => [
bf9a7c0f
ES		 1423 'access CiviCRM',
1424 'access CiviPledge',
1425 'edit pledges',
1426 'access CiviContribute',
1427 'edit contributions',
be2fb01f
CW		 1428 ],
1429 'delete' => [
bf9a7c0f
ES		 1430 'access CiviCRM',
1431 'access CiviPledge',
1432 'delete in CiviPledge',
1433 'access CiviContribute',
1434 'delete in CiviContribute',
be2fb01f
CW		 1435 ],
1436 'get' => [
bf9a7c0f
ES		 1437 'access CiviCRM',
1438 'access CiviPledge',
1439 'access CiviContribute',
be2fb01f
CW		 1440 ],
1441 'update' => [
bf9a7c0f
ES		 1442 'access CiviCRM',
1443 'access CiviPledge',
1444 'edit pledges',
1445 'access CiviContribute',
1446 'edit contributions',
be2fb01f
CW		 1447 ],
1448 ];
bf9a7c0f
ES		 1449
1450 // Profile permissions
be2fb01f 1451 $permissions['profile'] = [
518fa0ee
SL		 1452 // the profile will take care of this
1453 'get' => [],
be2fb01f 1454 ];
bf9a7c0f 1455
be2fb01f
CW		 1456 $permissions['uf_group'] = [
1457 'create' => [
bf9a7c0f 1458 'access CiviCRM',
be2fb01f 1459 [
bf9a7c0f
ES		 1460 'administer CiviCRM',
1461 'manage event profiles',
be2fb01f
CW		 1462 ],
1463 ],
1464 'get' => [
bf9a7c0f 1465 'access CiviCRM',
be2fb01f
CW		 1466 ],
1467 'update' => [
bf9a7c0f 1468 'access CiviCRM',
be2fb01f 1469 [
bf9a7c0f
ES		 1470 'administer CiviCRM',
1471 'manage event profiles',
be2fb01f
CW		 1472 ],
1473 ],
1474 ];
bf9a7c0f 1475 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
be2fb01f 1476 $permissions['uf_field']['delete'] = [
bf9a7c0f 1477 'access CiviCRM',
be2fb01f 1478 [
bf9a7c0f
ES		 1479 'administer CiviCRM',
1480 'manage event profiles',
be2fb01f
CW		 1481 ],
1482 ];
bf9a7c0f
ES		 1483 $permissions['option_value'] = $permissions['uf_group'];
1484 $permissions['option_group'] = $permissions['option_value'];
1485
be2fb01f
CW		 1486 $permissions['custom_value'] = [
1487 'gettree' => ['access CiviCRM'],
1488 ];
f26fa703 1489
be2fb01f
CW		 1490 $permissions['message_template'] = [
1491 'get' => ['access CiviCRM'],
1492 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1493 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1494 ];
4341efe4
JV		 1495
1496 $permissions['report_template']['update'] = 'save Report Criteria';
1497 $permissions['report_template']['create'] = 'save Report Criteria';
bf9a7c0f
ES		 1498 return $permissions;
1499 }
1500
1501 /**
1502 * Translate an unknown action to a canonical form.
1503 *
1504 * @param string $action
1505 *
1506 * @return string
1507 * the standardised action name
1508 */
1509 public static function getGenericAction($action) {
1510 $snippet = substr($action, 0, 3);
1511 if ($action == 'replace' || $snippet == 'del') {
1512 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1513 // on each of those will be tested separately at runtime. This is just a sniff-test
1514 // based on the heuristic that 'delete' tends to be the most closely guarded
1515 // of the necessary permissions.
1516 $action = 'delete';
1517 }
1518 elseif ($action == 'setvalue' || $snippet == 'upd') {
1519 $action = 'update';
1520 }
1521 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1522 $action = 'meta';
1523 }
1524 elseif ($snippet == 'get') {
1525 $action = 'get';
1526 }
1527 return $action;
1528 }
1529
6a488035 1530 /**
d09edf64 1531 * Validate user permission across.
6a488035
TO		 1532 * edit or view or with supportable acls.
1533 *
acb1052e
WA		 1534 * @return bool
1535 */
00be9182 1536 public static function giveMeAllACLs() {
6a488035
TO		 1537 if (CRM_Core_Permission::check('view all contacts') ||
1538 CRM_Core_Permission::check('edit all contacts')
1539 ) {
1540 return TRUE;
1541 }
1542
1543 $session = CRM_Core_Session::singleton();
1544 $contactID = $session->get('userID');
1545
6a488035
TO		 1546 //check for acl.
1547 $aclPermission = self::getPermission();
be2fb01f 1548 if (in_array($aclPermission, [
6a488035 1549 CRM_Core_Permission::EDIT,
41f314b6 1550 CRM_Core_Permission::VIEW,
be2fb01f 1551 ])
41f314b6 1552 ) {
6a488035
TO		 1553 return TRUE;
1554 }
1555
1556 // run acl where hook and see if the user is supplying an ACL clause
1557 // that is not false
be2fb01f 1558 $tables = $whereTables = [];
6a488035
TO		 1559 $where = NULL;
1560
1561 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1562 $tables, $whereTables,
1563 $contactID, $where
1564 );
1565 return empty($whereTables) ? FALSE : TRUE;
1566 }
1567
1568 /**
100fef9d 1569 * Get component name from given permission.
6a488035 1570 *
41f314b6 1571 * @param string $permission
6a488035 1572 *
76e7a76c
CW		 1573 * @return null|string
1574 * the name of component.
6a488035 1575 */
00be9182 1576 public static function getComponentName($permission) {
6a488035
TO		 1577 $componentName = NULL;
1578 $permission = trim($permission);
1579 if (empty($permission)) {
1580 return $componentName;
1581 }
1582
be2fb01f 1583 static $allCompPermissions = [];
6a488035
TO		 1584 if (empty($allCompPermissions)) {
1585 $components = CRM_Core_Component::getComponents();
1586 foreach ($components as $name => $comp) {
33777e4a
PJ		 1587 //get all permissions of each components unconditionally
1588 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035
TO		 1589 }
1590 }
1591
1592 if (is_array($allCompPermissions)) {
1593 foreach ($allCompPermissions as $name => $permissions) {
b9021475 1594 if (array_key_exists($permission, $permissions)) {
6a488035
TO		 1595 $componentName = $name;
1596 break;
1597 }
1598 }
1599 }
1600
1601 return $componentName;
1602 }
1603
1604 /**
d09edf64 1605 * Get all the contact emails for users that have a specific permission.
6a488035 1606 *
6a0b768e
TO		 1607 * @param string $permissionName
1608 * Name of the permission we are interested in.
6a488035 1609 *
a6c01b45
CW		 1610 * @return string
1611 * a comma separated list of email addresses
6a488035
TO		 1612 */
1613 public static function permissionEmails($permissionName) {
1614 $config = CRM_Core_Config::singleton();
41f314b6 1615 return $config->userPermissionClass->permissionEmails($permissionName);
6a488035
TO		 1616 }
1617
1618 /**
d09edf64 1619 * Get all the contact emails for users that have a specific role.
6a488035 1620 *
6a0b768e
TO		 1621 * @param string $roleName
1622 * Name of the role we are interested in.
6a488035 1623 *
a6c01b45
CW		 1624 * @return string
1625 * a comma separated list of email addresses
6a488035
TO		 1626 */
1627 public static function roleEmails($roleName) {
1628 $config = CRM_Core_Config::singleton();
41f314b6 1629 return $config->userRoleClass->roleEmails($roleName);
6a488035
TO		 1630 }
1631
a0ee3941
EM		 1632 /**
1633 * @return bool
1634 */
00be9182 1635 public static function isMultisiteEnabled() {
aaffa79f 1636 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
6a488035 1637 }
96025800 1638
dc6b437a
GC		 1639 /**
1640 * Verify if the user has permission to get the invoice.
1641 *
1642 * @return bool
1643 * TRUE if the user has download all invoices permission or download my
1644 * invoices permission and the invoice author is the current user.
1645 */
1646 public static function checkDownloadInvoice() {
4cfd4f45 1647 $cid = CRM_Core_Session::getLoggedInContactID();
dc6b437a
GC		 1648 if (CRM_Core_Permission::check('access CiviContribute') ||
1649 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1650 ) {
1651 return TRUE;
1652 }
1653 return FALSE;
1654 }
1655
6a488035 1656}