[civicrm-core.git] / CRM / Core / Permission.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.4                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2013                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2013
 * $Id$
 *
 */

/**
 * This is the basic permission class wrapper
 */
class CRM_Core_Permission {

  /**
   * Static strings used to compose permissions
   *
   * @const
   * @var string
   */
  CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';

  /**
   * The various type of permissions
   *
   * @var int
   */
  CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;

  /**
   * A placeholder permission which always fails
   */
  const ALWAYS_DENY_PERMISSION = "*always deny*";

  /**
   * A placeholder permission which always fails
   */
  const ALWAYS_ALLOW_PERMISSION = "*always allow*";

  /**
   * get the current permission of this user
   *
   * @return string the permission of the user (edit or view or null)
   */
  public static function getPermission() {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermission();
  }

  /**
   * given a permission string, check for access requirements
   *
   * @param string $str the permission to check
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function check($str) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->check($str);
  }

  /**
   * Determine if any one of the permissions strings applies to current user
   *
   * @param array $perms
   * @return bool
   */
  public static function checkAnyPerm($perms) {
    foreach ($perms as $perm) {
      if (CRM_Core_Permission::check($perm)) {
        return TRUE;
      }
    }
    return FALSE;
  }

  /**
   * Given a group/role array, check for access requirements
   *
   * @param array $array the group/role to check
   *
   * @return boolean true if yes, else false
   * @static
   * @access public
   */
  static function checkGroupRole($array) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->checkGroupRole($array);
  }

  /**
   * Get the permissioned where clause for the user
   *
   * @param int $type the type of permission needed
   * @param  array $tables (reference ) add the tables that are needed for the select clause
   * @param  array $whereTables (reference ) add the tables that are needed for the where clause
   *
   * @return string the group where clause for this user
   * @access public
   */
  public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
  }

  /**
   * Get all groups from database, filtered by permissions
   * for this user
   *
   * @param string $groupType     type of group(Access/Mailing)
   * @param boolen $excludeHidden exclude hidden groups.
   *
   * @access public
   * @static
   *
   * @return array - array reference of all groups.
   *
   */
  public static function group($groupType, $excludeHidden = TRUE) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->group($groupType, $excludeHidden);
  }

  public static function customGroupAdmin() {
    $admin = FALSE;

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::check('access all custom data')) {
      return TRUE;
    }

    if (
      self::check('administer Multiple Organizations') &&
      self::isMultisiteEnabled()
    ) {
      return TRUE;
    }

    if (self::check('administer CiviCRM')) {
      return TRUE;
    }

    return FALSE;
  }

  public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
    $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
      array('fresh' => $reset));
    $defaultGroups = array();

    // check if user has all powerful permission
    // or administer civicrm permission (CRM-1905)
    if (self::customGroupAdmin()) {
      $defaultGroups = array_keys($customGroups);
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
  }

  static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
    if (self::customGroupAdmin()) {
      return ' ( 1 ) ';
    }

    $groups = self::customGroup($type, $reset);
    if (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
    if (empty($gid)) {
      return TRUE;
    }

    $groups = self::ufGroup($type);
    return in_array($gid, $groups) ? TRUE : FALSE;
  }

  public static function ufGroup($type = CRM_Core_Permission::VIEW) {
    $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');

    $allGroups = array_keys($ufGroups);

    // check if user has all powerful permission
    if (self::check('profile listings and forms')) {
      return $allGroups;
    }

    switch ($type) {
      case CRM_Core_Permission::VIEW:
        if (self::check('profile view')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::CREATE:
        if (self::check('profile create')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::EDIT:
        if (self::check('profile edit')) {
          return $allGroups;
        }
        break;

      case CRM_Core_Permission::SEARCH:
        if (self::check('profile listings')) {
          return $allGroups;
        }
        break;
    }

    return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
  }

  static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
    $groups = self::ufGroup($type);
    if ($returnUFGroupIds) {
      return $groups;
    }
    elseif (empty($groups)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
    }
  }

  public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
    $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
    $includeEvents = array();

    // check if user has all powerful permission
    if (self::check('register for events')) {
      $includeEvents = array_keys($events);
    }

    if ($type == CRM_Core_Permission::VIEW &&
      self::check('view event info')
    ) {
      $includeEvents = array_keys($events);
    }

    $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
    if (!$eventID) {
      return $permissionedEvents;
    }
    if (!empty($permissionedEvents)) {
      return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
    }
    else {
      return $eventID;
    }
  }

  static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
    $events = self::event($type);
    if (empty($events)) {
      return ' ( 0 ) ';
    }
    else {
      return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
    }
  }

  static function access($module, $checkPermission = TRUE) {
    $config = CRM_Core_Config::singleton();

    if (!in_array($module, $config->enableComponents)) {
      return FALSE;
    }

    if ($checkPermission) {
      if ($module == 'CiviCase') {
        return CRM_Case_BAO_Case::accessCiviCase();
      }
      else {
        return CRM_Core_Permission::check("access $module");
      }
    }

    return TRUE;
  }

  /**
   * check permissions for delete and edit actions
   *
   * @param string $module component name.
   * @param $action action to be check across component
   *
   **/
  static function checkActionPermission($module, $action) {
    //check delete related permissions.
    if ($action & CRM_Core_Action::DELETE) {
      $permissionName = "delete in $module";
    }
    else {
      $editPermissions = array(
        'CiviEvent' => 'edit event participants',
        'CiviMember' => 'edit memberships',
        'CiviPledge' => 'edit pledges',
        'CiviContribute' => 'edit contributions',
        'CiviGrant' => 'edit grants',
        'CiviMail' => 'access CiviMail',
        'CiviAuction' => 'add auction items',
      );
      $permissionName = CRM_Utils_Array::value($module, $editPermissions);
    }

    if ($module == 'CiviCase' && !$permissionName) {
      return CRM_Case_BAO_Case::accessCiviCase();
    }
    else {
      //check for permission.
      return CRM_Core_Permission::check($permissionName);
    }
  }

  static function checkMenu(&$args, $op = 'and') {
    if (!is_array($args)) {
      return $args;
    }
    foreach ($args as $str) {
      $res = CRM_Core_Permission::check($str);
      if ($op == 'or' && $res) {
        return TRUE;
      }
      elseif ($op == 'and' && !$res) {
        return FALSE;
      }
    }
    return ($op == 'or') ? FALSE : TRUE;
  }

  static function checkMenuItem(&$item) {
    if (!array_key_exists('access_callback', $item)) {
      CRM_Core_Error::backtrace();
      CRM_Core_Error::fatal();
    }

    // if component_id is present, ensure it is enabled
    if (isset($item['component_id']) &&
      $item['component_id']
    ) {
      $config = CRM_Core_Config::singleton();
      if (is_array($config->enableComponentIDs) &&
        in_array($item['component_id'], $config->enableComponentIDs)
      ) {
        // continue with process
      }
      else {
        return FALSE;
      }
    }

    // the following is imitating drupal 6 code in includes/menu.inc
    if (empty($item['access_callback']) ||
      is_numeric($item['access_callback'])
    ) {
      return (boolean ) $item['access_callback'];
    }

    // check whether the following Ajax requests submitted the right key
    // FIXME: this should be integrated into ACLs proper
    if (CRM_Utils_Array::value('page_type', $item) == 3) {
      if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
        return FALSE;
      }
    }

    // check if callback is for checkMenu, if so optimize it
    if (is_array($item['access_callback']) &&
      $item['access_callback'][0] == 'CRM_Core_Permission' &&
      $item['access_callback'][1] == 'checkMenu'
    ) {
      $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
      return self::checkMenu($item['access_arguments'][0], $op);
    }
    else {
      return call_user_func_array($item['access_callback'], $item['access_arguments']);
    }
  }

  static function &basicPermissions($all = FALSE) {
    static $permissions = NULL;

    if (!$permissions) {
      $prefix = ts('CiviCRM') . ': ';
      $permissions = self::getCorePermissions();

      if (self::isMultisiteEnabled()) {
        $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
      }

      $config = CRM_Core_Config::singleton();

      if (!$all) {
        $components = CRM_Core_Component::getEnabledComponents();
      }
      else {
        $components = CRM_Core_Component::getComponents();
      }

      foreach ($components as $comp) {
        $perm = $comp->getPermissions();
        if ($perm) {
          $info = $comp->getInfo();
          foreach ($perm as $p) {
            $permissions[$p] = $info['translatedName'] . ': ' . $p;
          }
        }
      }

      // Add any permissions defined in hook_civicrm_permission implementations.
      $config = CRM_Core_Config::singleton();
      $module_permissions = $config->userPermissionClass->getAllModulePermissions();
      $permissions = array_merge($permissions, $module_permissions);
    }

    return $permissions;
  }

  static function getCorePermissions() {
    $prefix = ts('CiviCRM') . ': ';
    $permissions = array(
      'add contacts' => $prefix . ts('add contacts'),
      'view all contacts' => $prefix . ts('view all contacts'),
      'edit all contacts' => $prefix . ts('edit all contacts'),
      'view my contact' => $prefix . ts('view my contact'),
      'edit my contact' => $prefix . ts('edit my contact'),
      'delete contacts' => $prefix . ts('delete contacts'),
      'access deleted contacts' => $prefix . ts('access deleted contacts'),
      'import contacts' => $prefix . ts('import contacts'),
      'edit groups' => $prefix . ts('edit groups'),
      'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
      'skip IDS check' => $prefix . ts('skip IDS check'),
      'access uploaded files' => $prefix . ts('access uploaded files'),
      'profile listings and forms' => $prefix . ts('profile listings and forms'),
      'profile listings' => $prefix . ts('profile listings'),
      'profile create' => $prefix . ts('profile create'),
      'profile edit' => $prefix . ts('profile edit'),
      'profile view' => $prefix . ts('profile view'),
      'access all custom data' => $prefix . ts('access all custom data'),
      'view all activities' => $prefix . ts('view all activities'),
      'delete activities' => $prefix . ts('delete activities'),
      'access CiviCRM' => $prefix . ts('access CiviCRM'),
      'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
      'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
      'administer reserved groups' => $prefix . ts('administer reserved groups'),
      'administer Tagsets' => $prefix . ts('administer Tagsets'),
      'administer reserved tags' => $prefix . ts('administer reserved tags'),
      'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
      'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
      'view debug output' => $prefix . ts('view debug output'),
      'view all notes' => $prefix . ts('view all notes'),
      'access AJAX API' => $prefix . ts('access AJAX API'),
      'access contact reference fields' => $prefix . ts('access contact reference fields'),
      'create manual batch' => $prefix . ts('create manual batch'),
      'edit own manual batches' => $prefix . ts('edit own manual batches'),
      'edit all manual batches' => $prefix . ts('edit all manual batches'),
      'view own manual batches' => $prefix . ts('view own manual batches'),
      'view all manual batches' => $prefix . ts('view all manual batches'),
      'delete own manual batches' => $prefix . ts('delete own manual batches'),
      'delete all manual batches' => $prefix . ts('delete all manual batches'),
      'export own manual batches' => $prefix . ts('export own manual batches'),
      'export all manual batches' => $prefix . ts('export all manual batches'),
    );

    return $permissions;
  }

  /**
   * Validate user permission across
   * edit or view or with supportable acls.
   *
   * return boolean true/false.
   **/
  static function giveMeAllACLs() {
    if (CRM_Core_Permission::check('view all contacts') ||
      CRM_Core_Permission::check('edit all contacts')
    ) {
      return TRUE;
    }

    $session = CRM_Core_Session::singleton();
    $contactID = $session->get('userID');

    //check for acl.
    $aclPermission = self::getPermission();
    if (in_array($aclPermission, array(
      CRM_Core_Permission::EDIT,
      CRM_Core_Permission::VIEW,
    ))
    ) {
      return TRUE;
    }

    // run acl where hook and see if the user is supplying an ACL clause
    // that is not false
    $tables = $whereTables = array();
    $where = NULL;

    CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
      $tables, $whereTables,
      $contactID, $where
    );
    return empty($whereTables) ? FALSE : TRUE;
  }

  /**
   * Function to get component name from given permission.
   *
   * @param string $permission
   *
   * return string $componentName the name of component.
   * @static
   */
  static function getComponentName($permission) {
    $componentName = NULL;
    $permission = trim($permission);
    if (empty($permission)) {
      return $componentName;
    }

    static $allCompPermissions = array();
    if (empty($allCompPermissions)) {
      $components = CRM_Core_Component::getComponents();
      foreach ($components as $name => $comp) {
        //get all permissions of each components unconditionally
        $allCompPermissions[$name] = $comp->getPermissions(TRUE);
      }
    }

    if (is_array($allCompPermissions)) {
      foreach ($allCompPermissions as $name => $permissions) {
        if (in_array($permission, $permissions)) {
          $componentName = $name;
          break;
        }
      }
    }

    return $componentName;
  }

  /**
   * Get all the contact emails for users that have a specific permission
   *
   * @param string $permissionName name of the permission we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function permissionEmails($permissionName) {
    $config = CRM_Core_Config::singleton();
    return $config->userPermissionClass->permissionEmails($permissionName);
  }

  /**
   * Get all the contact emails for users that have a specific role
   *
   * @param string $roleName name of the role we are interested in
   *
   * @return string a comma separated list of email addresses
   */
  public static function roleEmails($roleName) {
    $config = CRM_Core_Config::singleton();
    return $config->userRoleClass->roleEmails($roleName);
  }

  static function isMultisiteEnabled() {
    return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
      'is_enabled'
    ) ? TRUE : FALSE;
  }
}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
232624b1	4	\| CiviCRM version 4.4 \|
6a488035 TO	5	+--------------------------------------------------------------------+
	6	\| Copyright CiviCRM LLC (c) 2004-2013 \|
	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	*
	30	* @package CRM
	31	* @copyright CiviCRM LLC (c) 2004-2013
	32	* $Id$
	33	*
	34	*/
	35
	36	/**
	37	* This is the basic permission class wrapper
	38	*/
	39	class CRM_Core_Permission {
	40
	41	/**
	42	* Static strings used to compose permissions
	43	*
	44	* @const
	45	* @var string
	46	*/
	47	CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
	48
	49	/**
	50	* The various type of permissions
	51	*
	52	* @var int
	53	*/
	54	CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
	55
085823c1 TO	56	/**
	57	* A placeholder permission which always fails
	58	*/
	59	const ALWAYS_DENY_PERMISSION = "always deny";
	60
	61	/**
	62	* A placeholder permission which always fails
	63	*/
	64	const ALWAYS_ALLOW_PERMISSION = "always allow";
	65
6a488035 TO	66	/**
	67	* get the current permission of this user
	68	*
	69	* @return string the permission of the user (edit or view or null)
	70	*/
	71	public static function getPermission() {
	72	$config = CRM_Core_Config::singleton();
41f314b6	73	return $config->userPermissionClass->getPermission();
6a488035 TO	74	}
	75
	76	/**
	77	* given a permission string, check for access requirements
	78	*
	79	* @param string $str the permission to check
	80	*
	81	* @return boolean true if yes, else false
	82	* @static
	83	* @access public
	84	*/
	85	static function check($str) {
	86	$config = CRM_Core_Config::singleton();
41f314b6	87	return $config->userPermissionClass->check($str);
6a488035 TO	88	}
6a488035 TO	89
dc92f2f8 TO	90	/**
	91	* Determine if any one of the permissions strings applies to current user
	92	*
	93	* @param array $perms
	94	* @return bool
	95	*/
	96	public static function checkAnyPerm($perms) {
	97	foreach ($perms as $perm) {
	98	if (CRM_Core_Permission::check($perm)) {
	99	return TRUE;
	100	}
	101	}
	102	return FALSE;
	103	}
	104
6a488035 TO	105	/**
	106	* Given a group/role array, check for access requirements
	107	*
	108	* @param array $array the group/role to check
	109	*
	110	* @return boolean true if yes, else false
	111	* @static
	112	* @access public
	113	*/
	114	static function checkGroupRole($array) {
	115	$config = CRM_Core_Config::singleton();
41f314b6	116	return $config->userPermissionClass->checkGroupRole($array);
6a488035 TO	117	}
	118
	119	/**
	120	* Get the permissioned where clause for the user
	121	*
	122	* @param int $type the type of permission needed
	123	* @param array $tables (reference ) add the tables that are needed for the select clause
	124	* @param array $whereTables (reference ) add the tables that are needed for the where clause
	125	*
	126	* @return string the group where clause for this user
	127	* @access public
	128	*/
	129	public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
	130	$config = CRM_Core_Config::singleton();
41f314b6	131	return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035 TO	132	}
	133
	134	/**
	135	* Get all groups from database, filtered by permissions
	136	* for this user
	137	*
	138	* @param string $groupType type of group(Access/Mailing)
	139	* @param boolen $excludeHidden exclude hidden groups.
	140	*
	141	* @access public
	142	* @static
	143	*
	144	* @return array - array reference of all groups.
	145	*
	146	*/
	147	public static function group($groupType, $excludeHidden = TRUE) {
	148	$config = CRM_Core_Config::singleton();
41f314b6	149	return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035 TO	150	}
	151
	152	public static function customGroupAdmin() {
	153	$admin = FALSE;
	154
	155	// check if user has all powerful permission
	156	// or administer civicrm permission (CRM-1905)
	157	if (self::check('access all custom data')) {
	158	return TRUE;
	159	}
	160
634e1a1a DL	161	if (
634e1a1a DL	162	self::check('administer Multiple Organizations') &&
6a488035 TO	163	self::isMultisiteEnabled()
	164	) {
	165	return TRUE;
	166	}
	167
	168	if (self::check('administer CiviCRM')) {
	169	return TRUE;
	170	}
	171
	172	return FALSE;
	173	}
	174
	175	public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6	176	$customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
41f314b6	177	array('fresh' => $reset));
6a488035 TO	178	$defaultGroups = array();
	179
	180	// check if user has all powerful permission
	181	// or administer civicrm permission (CRM-1905)
	182	if (self::customGroupAdmin()) {
	183	$defaultGroups = array_keys($customGroups);
	184	}
	185
	186	return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
	187	}
	188
	189	static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
	190	if (self::customGroupAdmin()) {
	191	return ' ( 1 ) ';
	192	}
	193
	194	$groups = self::customGroup($type, $reset);
	195	if (empty($groups)) {
	196	return ' ( 0 ) ';
	197	}
	198	else {
	199	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
	200	}
	201	}
	202
	203	public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
	204	if (empty($gid)) {
	205	return TRUE;
	206	}
	207
	208	$groups = self::ufGroup($type);
	209	return in_array($gid, $groups) ? TRUE : FALSE;
	210	}
	211
	212	public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744	213	$ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035 TO	214
	215	$allGroups = array_keys($ufGroups);
	216
	217	// check if user has all powerful permission
	218	if (self::check('profile listings and forms')) {
	219	return $allGroups;
	220	}
	221
	222	switch ($type) {
	223	case CRM_Core_Permission::VIEW:
	224	if (self::check('profile view')) {
	225	return $allGroups;
	226	}
	227	break;
	228
	229	case CRM_Core_Permission::CREATE:
	230	if (self::check('profile create')) {
	231	return $allGroups;
	232	}
	233	break;
	234
	235	case CRM_Core_Permission::EDIT:
	236	if (self::check('profile edit')) {
	237	return $allGroups;
	238	}
	239	break;
	240
	241	case CRM_Core_Permission::SEARCH:
	242	if (self::check('profile listings')) {
	243	return $allGroups;
	244	}
	245	break;
	246	}
	247
	248	return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
	249	}
	250
	251	static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
	252	$groups = self::ufGroup($type);
	253	if ($returnUFGroupIds) {
	254	return $groups;
	255	}
	256	elseif (empty($groups)) {
	257	return ' ( 0 ) ';
	258	}
	259	else {
	260	return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
	261	}
	262	}
	263
	264	public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
	265	$events = CRM_Event_PseudoConstant::event(NULL, TRUE);
	266	$includeEvents = array();
	267
	268	// check if user has all powerful permission
	269	if (self::check('register for events')) {
	270	$includeEvents = array_keys($events);
	271	}
	272
	273	if ($type == CRM_Core_Permission::VIEW &&
	274	self::check('view event info')
	275	) {
	276	$includeEvents = array_keys($events);
	277	}
278
279	$permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
280	if (!$eventID) {
281	return $permissionedEvents;
282	}
41f314b6	283	if (!empty($permissionedEvents)) {
2efcf0c2	284	return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6	285	}
41f314b6	286	else {
d551c85d DG	287	return $eventID;
d551c85d DG	288	}
6a488035 TO	289	}
	290
	291	static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
	292	$events = self::event($type);
	293	if (empty($events)) {
	294	return ' ( 0 ) ';
	295	}
	296	else {
	297	return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
	298	}
	299	}
	300
	301	static function access($module, $checkPermission = TRUE) {
	302	$config = CRM_Core_Config::singleton();
	303
	304	if (!in_array($module, $config->enableComponents)) {
	305	return FALSE;
	306	}
	307
	308	if ($checkPermission) {
	309	if ($module == 'CiviCase') {
	310	return CRM_Case_BAO_Case::accessCiviCase();
	311	}
	312	else {
	313	return CRM_Core_Permission::check("access $module");
	314	}
	315	}
	316
	317	return TRUE;
	318	}
	319
	320	/**
	321	* check permissions for delete and edit actions
	322	*
41f314b6	323	* @param string $module component name.
6a488035 TO	324	* @param $action action to be check across component
	325	*
	326	**/
	327	static function checkActionPermission($module, $action) {
	328	//check delete related permissions.
	329	if ($action & CRM_Core_Action::DELETE) {
	330	$permissionName = "delete in $module";
	331	}
	332	else {
	333	$editPermissions = array(
	334	'CiviEvent' => 'edit event participants',
	335	'CiviMember' => 'edit memberships',
	336	'CiviPledge' => 'edit pledges',
	337	'CiviContribute' => 'edit contributions',
	338	'CiviGrant' => 'edit grants',
	339	'CiviMail' => 'access CiviMail',
	340	'CiviAuction' => 'add auction items',
	341	);
	342	$permissionName = CRM_Utils_Array::value($module, $editPermissions);
	343	}
	344
	345	if ($module == 'CiviCase' && !$permissionName) {
	346	return CRM_Case_BAO_Case::accessCiviCase();
	347	}
	348	else {
	349	//check for permission.
	350	return CRM_Core_Permission::check($permissionName);
	351	}
	352	}
	353
	354	static function checkMenu(&$args, $op = 'and') {
	355	if (!is_array($args)) {
	356	return $args;
	357	}
	358	foreach ($args as $str) {
	359	$res = CRM_Core_Permission::check($str);
	360	if ($op == 'or' && $res) {
	361	return TRUE;
	362	}
	363	elseif ($op == 'and' && !$res) {
	364	return FALSE;
	365	}
	366	}
	367	return ($op == 'or') ? FALSE : TRUE;
	368	}
	369
	370	static function checkMenuItem(&$item) {
	371	if (!array_key_exists('access_callback', $item)) {
	372	CRM_Core_Error::backtrace();
	373	CRM_Core_Error::fatal();
	374	}
	375
	376	// if component_id is present, ensure it is enabled
	377	if (isset($item['component_id']) &&
	378	$item['component_id']
	379	) {
	380	$config = CRM_Core_Config::singleton();
	381	if (is_array($config->enableComponentIDs) &&
	382	in_array($item['component_id'], $config->enableComponentIDs)
	383	) {
	384	// continue with process
	385	}
	386	else {
	387	return FALSE;
388	}
389	}
390
391	// the following is imitating drupal 6 code in includes/menu.inc
392	if (empty($item['access_callback']) \|\|
393	is_numeric($item['access_callback'])
394	) {
395	return (boolean ) $item['access_callback'];
396	}
397
398	// check whether the following Ajax requests submitted the right key
399	// FIXME: this should be integrated into ACLs proper
400	if (CRM_Utils_Array::value('page_type', $item) == 3) {
401	if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
402	return FALSE;
403	}
404	}
405
406	// check if callback is for checkMenu, if so optimize it
407	if (is_array($item['access_callback']) &&
408	$item['access_callback'][0] == 'CRM_Core_Permission' &&
409	$item['access_callback'][1] == 'checkMenu'
410	) {
411	$op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
412	return self::checkMenu($item['access_arguments'][0], $op);
413	}
414	else {
415	return call_user_func_array($item['access_callback'], $item['access_arguments']);
416	}
417	}
418
419	static function &basicPermissions($all = FALSE) {
420	static $permissions = NULL;
421
422	if (!$permissions) {
423	$prefix = ts('CiviCRM') . ': ';
424	$permissions = self::getCorePermissions();
425
426	if (self::isMultisiteEnabled()) {
427	$permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
428	}
429
430	$config = CRM_Core_Config::singleton();
431
432	if (!$all) {
433	$components = CRM_Core_Component::getEnabledComponents();
434	}
435	else {
436	$components = CRM_Core_Component::getComponents();
437	}
438
439	foreach ($components as $comp) {
440	$perm = $comp->getPermissions();
441	if ($perm) {
442	$info = $comp->getInfo();
443	foreach ($perm as $p) {
444	$permissions[$p] = $info['translatedName'] . ': ' . $p;
445	}
446	}
447	}
448
449	// Add any permissions defined in hook_civicrm_permission implementations.
450	$config = CRM_Core_Config::singleton();
451	$module_permissions = $config->userPermissionClass->getAllModulePermissions();
452	$permissions = array_merge($permissions, $module_permissions);
453	}
454
455	return $permissions;
456	}
457
458	static function getCorePermissions() {
459	$prefix = ts('CiviCRM') . ': ';
460	$permissions = array(
461	'add contacts' => $prefix . ts('add contacts'),
462	'view all contacts' => $prefix . ts('view all contacts'),
463	'edit all contacts' => $prefix . ts('edit all contacts'),
aafd773a DL	464	'view my contact' => $prefix . ts('view my contact'),
aafd773a DL	465	'edit my contact' => $prefix . ts('edit my contact'),
6a488035 TO	466	'delete contacts' => $prefix . ts('delete contacts'),
	467	'access deleted contacts' => $prefix . ts('access deleted contacts'),
	468	'import contacts' => $prefix . ts('import contacts'),
	469	'edit groups' => $prefix . ts('edit groups'),
	470	'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
634e1a1a	471	'skip IDS check' => $prefix . ts('skip IDS check'),
6a488035 TO	472	'access uploaded files' => $prefix . ts('access uploaded files'),
	473	'profile listings and forms' => $prefix . ts('profile listings and forms'),
	474	'profile listings' => $prefix . ts('profile listings'),
	475	'profile create' => $prefix . ts('profile create'),
	476	'profile edit' => $prefix . ts('profile edit'),
	477	'profile view' => $prefix . ts('profile view'),
	478	'access all custom data' => $prefix . ts('access all custom data'),
	479	'view all activities' => $prefix . ts('view all activities'),
	480	'delete activities' => $prefix . ts('delete activities'),
	481	'access CiviCRM' => $prefix . ts('access CiviCRM'),
	482	'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
	483	'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
	484	'administer reserved groups' => $prefix . ts('administer reserved groups'),
	485	'administer Tagsets' => $prefix . ts('administer Tagsets'),
	486	'administer reserved tags' => $prefix . ts('administer reserved tags'),
	487	'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
	488	'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
	489	'view debug output' => $prefix . ts('view debug output'),
	490	'view all notes' => $prefix . ts('view all notes'),
	491	'access AJAX API' => $prefix . ts('access AJAX API'),
	492	'access contact reference fields' => $prefix . ts('access contact reference fields'),
	493	'create manual batch' => $prefix . ts('create manual batch'),
	494	'edit own manual batches' => $prefix . ts('edit own manual batches'),
	495	'edit all manual batches' => $prefix . ts('edit all manual batches'),
	496	'view own manual batches' => $prefix . ts('view own manual batches'),
	497	'view all manual batches' => $prefix . ts('view all manual batches'),
	498	'delete own manual batches' => $prefix . ts('delete own manual batches'),
	499	'delete all manual batches' => $prefix . ts('delete all manual batches'),
	500	'export own manual batches' => $prefix . ts('export own manual batches'),
	501	'export all manual batches' => $prefix . ts('export all manual batches'),
	502	);
	503
	504	return $permissions;
	505	}
	506
	507	/**
	508	* Validate user permission across
	509	* edit or view or with supportable acls.
	510	*
	511	* return boolean true/false.
	512	**/
	513	static function giveMeAllACLs() {
	514	if (CRM_Core_Permission::check('view all contacts') \|\|
	515	CRM_Core_Permission::check('edit all contacts')
	516	) {
	517	return TRUE;
	518	}
	519
	520	$session = CRM_Core_Session::singleton();
	521	$contactID = $session->get('userID');
	522
6a488035 TO	523	//check for acl.
	524	$aclPermission = self::getPermission();
	525	if (in_array($aclPermission, array(
	526	CRM_Core_Permission::EDIT,
41f314b6	527	CRM_Core_Permission::VIEW,
	528	))
	529	) {
6a488035 TO	530	return TRUE;
	531	}
	532
	533	// run acl where hook and see if the user is supplying an ACL clause
	534	// that is not false
	535	$tables = $whereTables = array();
	536	$where = NULL;
	537
	538	CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
	539	$tables, $whereTables,
	540	$contactID, $where
	541	);
	542	return empty($whereTables) ? FALSE : TRUE;
	543	}
	544
	545	/**
	546	* Function to get component name from given permission.
	547	*
41f314b6	548	* @param string $permission
6a488035 TO	549	*
	550	* return string $componentName the name of component.
	551	* @static
	552	*/
	553	static function getComponentName($permission) {
	554	$componentName = NULL;
	555	$permission = trim($permission);
	556	if (empty($permission)) {
	557	return $componentName;
	558	}
	559
	560	static $allCompPermissions = array();
	561	if (empty($allCompPermissions)) {
	562	$components = CRM_Core_Component::getComponents();
	563	foreach ($components as $name => $comp) {
33777e4a PJ	564	//get all permissions of each components unconditionally
33777e4a PJ	565	$allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035 TO	566	}
	567	}
	568
	569	if (is_array($allCompPermissions)) {
	570	foreach ($allCompPermissions as $name => $permissions) {
	571	if (in_array($permission, $permissions)) {
	572	$componentName = $name;
	573	break;
	574	}
	575	}
	576	}
	577
	578	return $componentName;
	579	}
	580
	581	/**
	582	* Get all the contact emails for users that have a specific permission
	583	*
	584	* @param string $permissionName name of the permission we are interested in
	585	*
	586	* @return string a comma separated list of email addresses
	587	*/
	588	public static function permissionEmails($permissionName) {
	589	$config = CRM_Core_Config::singleton();
41f314b6	590	return $config->userPermissionClass->permissionEmails($permissionName);
6a488035 TO	591	}
	592
	593	/**
	594	* Get all the contact emails for users that have a specific role
	595	*
	596	* @param string $roleName name of the role we are interested in
	597	*
	598	* @return string a comma separated list of email addresses
	599	*/
	600	public static function roleEmails($roleName) {
	601	$config = CRM_Core_Config::singleton();
41f314b6	602	return $config->userRoleClass->roleEmails($roleName);
6a488035 TO	603	}
	604
	605	static function isMultisiteEnabled() {
	606	return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
	607	'is_enabled'
	608	) ? TRUE : FALSE;
	609	}
	610	}