projects / civicrm-core.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Cleanup deprecated CRM_Core_BAO_Settings calls CRM-17507
[civicrm-core.git] / CRM / Core / Permission.php
CommitLineData
6a488035
TO		 1<?php
2/*
3 +--------------------------------------------------------------------+
7e9e8871 4 | CiviCRM version 4.7 |
6a488035 5 +--------------------------------------------------------------------+
e7112fa7 6 | Copyright CiviCRM LLC (c) 2004-2015 |
6a488035
TO		 7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
6a488035
TO		 27
28/**
29 *
30 * @package CRM
e7112fa7 31 * @copyright CiviCRM LLC (c) 2004-2015
6a488035
TO		 32 * $Id$
33 *
34 */
35
36/**
37 * This is the basic permission class wrapper
38 */
39class CRM_Core_Permission {
40
41 /**
d09edf64 42 * Static strings used to compose permissions.
6a488035
TO		 43 *
44 * @const
45 * @var string
46 */
7da04cde 47 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
6a488035
TO		 48
49 /**
d09edf64 50 * The various type of permissions.
6a488035
TO		 51 *
52 * @var int
53 */
7da04cde 54 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
6a488035 55
085823c1 56 /**
d09edf64 57 * A placeholder permission which always fails.
085823c1
TO		 58 */
59 const ALWAYS_DENY_PERMISSION = "*always deny*";
60
61 /**
d09edf64 62 * A placeholder permission which always fails.
085823c1
TO		 63 */
64 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
65
6dd18b98 66 /**
d09edf64 67 * Various authentication sources.
6dd18b98
DS		 68 *
69 * @var int
70 */
7da04cde 71 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98 72
6a488035 73 /**
d09edf64 74 * Get the current permission of this user.
6a488035 75 *
a6c01b45
CW		 76 * @return string
77 * the permission of the user (edit or view or null)
6a488035
TO		 78 */
79 public static function getPermission() {
80 $config = CRM_Core_Config::singleton();
41f314b6 81 return $config->userPermissionClass->getPermission();
6a488035
TO		 82 }
83
84 /**
100fef9d 85 * Given a permission string or array, check for access requirements
6a0b768e
TO		 86 * @param mixed $permissions
87 * The permission to check as an array or string -see examples.
16b10e64 88 * arrays
6a488035 89 *
60ec9f43
E		 90 * Ex 1
91 *
92 * Must have 'access CiviCRM'
93 * (string) 'access CiviCRM'
94 *
95 *
96 * Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
97 * array('access CiviCRM', 'access Ajax API')
98 *
99 * Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
100 * array(
101 * array('access CiviCRM', 'access Ajax API'),
102 * ),
103 *
104 * Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
105 * array(
106 * array('access CiviCRM', 'access Ajax API'),
107 * 'access CiviEvent',
108 * ),
109 *
110 * Note that in permissions.php this is keyed by the action eg.
111 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
112 * 'myaction' => array(
113 * array('access CiviCRM', 'access Ajax API'),
114 * array('access CiviEvent', 'access CiviContribute')
115 * ),
6a488035 116 *
acb1052e 117 * @return bool
a6c01b45 118 * true if yes, else false
6a488035 119 */
00be9182 120 public static function check($permissions) {
60ec9f43
E		 121 $permissions = (array) $permissions;
122
59735506
TO		 123 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
124
60ec9f43 125 foreach ($permissions as $permission) {
22e263ad 126 if (is_array($permission)) {
60ec9f43 127 foreach ($permission as $orPerm) {
22e263ad 128 if (self::check($orPerm)) {
60ec9f43
E		 129 //one of our 'or' permissions has succeeded - stop checking this permission
130 return TRUE;;
131 }
132 }
133 //none of our our conditions was met
134 return FALSE;
135 }
136 else {
59735506
TO		 137 if (
138 !CRM_Core_Config::singleton()->userPermissionClass->check($permission)
139 && !($tempPerm && $tempPerm->check($permission))
140 ) {
60ec9f43
E		 141 //one of our 'and' conditions has not been met
142 return FALSE;
143 }
144 }
145 }
146 return TRUE;
6a488035
TO		 147 }
148
dc92f2f8 149 /**
d09edf64 150 * Determine if any one of the permissions strings applies to current user.
dc92f2f8
TO		 151 *
152 * @param array $perms
153 * @return bool
154 */
155 public static function checkAnyPerm($perms) {
156 foreach ($perms as $perm) {
157 if (CRM_Core_Permission::check($perm)) {
158 return TRUE;
159 }
160 }
161 return FALSE;
162 }
163
6a488035
TO		 164 /**
165 * Given a group/role array, check for access requirements
166 *
6a0b768e
TO		 167 * @param array $array
168 * The group/role to check.
6a488035 169 *
acb1052e 170 * @return bool
a6c01b45 171 * true if yes, else false
6a488035 172 */
00be9182 173 public static function checkGroupRole($array) {
6a488035 174 $config = CRM_Core_Config::singleton();
41f314b6 175 return $config->userPermissionClass->checkGroupRole($array);
6a488035
TO		 176 }
177
178 /**
d09edf64 179 * Get the permissioned where clause for the user.
6a488035 180 *
6a0b768e
TO		 181 * @param int $type
182 * The type of permission needed.
183 * @param array $tables
184 * (reference ) add the tables that are needed for the select clause.
185 * @param array $whereTables
186 * (reference ) add the tables that are needed for the where clause.
6a488035 187 *
a6c01b45
CW		 188 * @return string
189 * the group where clause for this user
6a488035
TO		 190 */
191 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
192 $config = CRM_Core_Config::singleton();
41f314b6 193 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035
TO		 194 }
195
196 /**
197 * Get all groups from database, filtered by permissions
198 * for this user
199 *
6a0b768e
TO		 200 * @param string $groupType
201 * Type of group(Access/Mailing).
3f8d2862
CW		 202 * @param bool $excludeHidden
203 * exclude hidden groups.
6a488035 204 *
6a488035 205 *
a6c01b45
CW		 206 * @return array
207 * array reference of all groups.
6a488035
TO		 208 */
209 public static function group($groupType, $excludeHidden = TRUE) {
210 $config = CRM_Core_Config::singleton();
41f314b6 211 return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035
TO		 212 }
213
a0ee3941
EM		 214 /**
215 * @return bool
216 */
6a488035
TO		 217 public static function customGroupAdmin() {
218 $admin = FALSE;
219
220 // check if user has all powerful permission
221 // or administer civicrm permission (CRM-1905)
222 if (self::check('access all custom data')) {
223 return TRUE;
224 }
225
634e1a1a
DL		 226 if (
227 self::check('administer Multiple Organizations') &&
6a488035
TO		 228 self::isMultisiteEnabled()
229 ) {
230 return TRUE;
231 }
232
233 if (self::check('administer CiviCRM')) {
234 return TRUE;
235 }
236
237 return FALSE;
238 }
239
a0ee3941
EM		 240 /**
241 * @param int $type
242 * @param bool $reset
243 *
244 * @return array
245 */
6a488035 246 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6 247 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
248 array('fresh' => $reset));
6a488035
TO		 249 $defaultGroups = array();
250
251 // check if user has all powerful permission
252 // or administer civicrm permission (CRM-1905)
253 if (self::customGroupAdmin()) {
254 $defaultGroups = array_keys($customGroups);
255 }
256
257 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
258 }
259
a0ee3941
EM		 260 /**
261 * @param int $type
262 * @param null $prefix
263 * @param bool $reset
264 *
265 * @return string
266 */
00be9182 267 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
6a488035
TO		 268 if (self::customGroupAdmin()) {
269 return ' ( 1 ) ';
270 }
271
272 $groups = self::customGroup($type, $reset);
273 if (empty($groups)) {
274 return ' ( 0 ) ';
275 }
276 else {
277 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
278 }
279 }
280
a0ee3941 281 /**
100fef9d 282 * @param int $gid
a0ee3941
EM		 283 * @param int $type
284 *
285 * @return bool
286 */
6a488035
TO		 287 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
288 if (empty($gid)) {
289 return TRUE;
290 }
291
292 $groups = self::ufGroup($type);
684b0b22 293 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
6a488035
TO		 294 }
295
a0ee3941
EM		 296 /**
297 * @param int $type
298 *
299 * @return array
300 */
6a488035 301 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744 302 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035
TO		 303
304 $allGroups = array_keys($ufGroups);
305
306 // check if user has all powerful permission
307 if (self::check('profile listings and forms')) {
308 return $allGroups;
309 }
310
311 switch ($type) {
312 case CRM_Core_Permission::VIEW:
313 if (self::check('profile view')) {
314 return $allGroups;
315 }
316 break;
317
318 case CRM_Core_Permission::CREATE:
319 if (self::check('profile create')) {
320 return $allGroups;
321 }
322 break;
323
324 case CRM_Core_Permission::EDIT:
325 if (self::check('profile edit')) {
326 return $allGroups;
327 }
328 break;
329
330 case CRM_Core_Permission::SEARCH:
331 if (self::check('profile listings')) {
332 return $allGroups;
333 }
334 break;
335 }
336
337 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
338 }
339
a0ee3941
EM		 340 /**
341 * @param int $type
342 * @param null $prefix
343 * @param bool $returnUFGroupIds
344 *
345 * @return array|string
346 */
00be9182 347 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
6a488035
TO		 348 $groups = self::ufGroup($type);
349 if ($returnUFGroupIds) {
350 return $groups;
351 }
352 elseif (empty($groups)) {
353 return ' ( 0 ) ';
354 }
355 else {
356 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
357 }
358 }
359
a0ee3941
EM		 360 /**
361 * @param int $type
100fef9d 362 * @param int $eventID
a0ee3941
EM		 363 * @param string $context
364 *
365 * @return array|null
366 */
e2d09ab4 367 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
22e263ad
TO		 368 if (!empty($context)) {
369 if (CRM_Core_Permission::check($context)) {
e2d09ab4
EM		 370 return TRUE;
371 }
372 }
6a488035
TO		 373 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
374 $includeEvents = array();
375
376 // check if user has all powerful permission
377 if (self::check('register for events')) {
378 $includeEvents = array_keys($events);
379 }
380
381 if ($type == CRM_Core_Permission::VIEW &&
382 self::check('view event info')
383 ) {
384 $includeEvents = array_keys($events);
385 }
386
387 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
388 if (!$eventID) {
389 return $permissionedEvents;
390 }
41f314b6 391 if (!empty($permissionedEvents)) {
2efcf0c2 392 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6 393 }
dfa720e7 394 return NULL;
6a488035
TO		 395 }
396
a0ee3941
EM		 397 /**
398 * @param int $type
399 * @param null $prefix
400 *
401 * @return string
402 */
00be9182 403 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
6a488035
TO		 404 $events = self::event($type);
405 if (empty($events)) {
406 return ' ( 0 ) ';
407 }
408 else {
409 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
410 }
411 }
412
a0ee3941
EM		 413 /**
414 * @param $module
415 * @param bool $checkPermission
416 *
417 * @return bool
418 */
00be9182 419 public static function access($module, $checkPermission = TRUE) {
6a488035
TO		 420 $config = CRM_Core_Config::singleton();
421
422 if (!in_array($module, $config->enableComponents)) {
423 return FALSE;
424 }
425
426 if ($checkPermission) {
427 if ($module == 'CiviCase') {
428 return CRM_Case_BAO_Case::accessCiviCase();
429 }
430 else {
431 return CRM_Core_Permission::check("access $module");
432 }
433 }
434
435 return TRUE;
436 }
437
438 /**
d09edf64 439 * Check permissions for delete and edit actions.
6a488035 440 *
6a0b768e
TO		 441 * @param string $module
442 * Component name.
443 * @param int $action
444 * Action to be check across component.
6a488035 445 *
77b97be7
EM		 446 *
447 * @return bool
448 */
00be9182 449 public static function checkActionPermission($module, $action) {
6a488035
TO		 450 //check delete related permissions.
451 if ($action & CRM_Core_Action::DELETE) {
452 $permissionName = "delete in $module";
453 }
454 else {
455 $editPermissions = array(
456 'CiviEvent' => 'edit event participants',
457 'CiviMember' => 'edit memberships',
458 'CiviPledge' => 'edit pledges',
459 'CiviContribute' => 'edit contributions',
460 'CiviGrant' => 'edit grants',
461 'CiviMail' => 'access CiviMail',
462 'CiviAuction' => 'add auction items',
463 );
464 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
465 }
466
467 if ($module == 'CiviCase' && !$permissionName) {
468 return CRM_Case_BAO_Case::accessCiviCase();
469 }
470 else {
471 //check for permission.
472 return CRM_Core_Permission::check($permissionName);
473 }
474 }
475
a0ee3941
EM		 476 /**
477 * @param $args
478 * @param string $op
479 *
480 * @return bool
481 */
00be9182 482 public static function checkMenu(&$args, $op = 'and') {
6a488035
TO		 483 if (!is_array($args)) {
484 return $args;
485 }
486 foreach ($args as $str) {
487 $res = CRM_Core_Permission::check($str);
488 if ($op == 'or' && $res) {
489 return TRUE;
490 }
491 elseif ($op == 'and' && !$res) {
492 return FALSE;
493 }
494 }
495 return ($op == 'or') ? FALSE : TRUE;
496 }
497
a0ee3941
EM		 498 /**
499 * @param $item
500 *
501 * @return bool|mixed
502 * @throws Exception
503 */
00be9182 504 public static function checkMenuItem(&$item) {
6a488035
TO		 505 if (!array_key_exists('access_callback', $item)) {
506 CRM_Core_Error::backtrace();
507 CRM_Core_Error::fatal();
508 }
509
510 // if component_id is present, ensure it is enabled
3d31a5c6
TO		 511 if (isset($item['component_id']) && $item['component_id']) {
512 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
513 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
514 }
515 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
516
6a488035 517 $config = CRM_Core_Config::singleton();
3d31a5c6 518 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
6a488035
TO		 519 // continue with process
520 }
521 else {
522 return FALSE;
523 }
524 }
525
526 // the following is imitating drupal 6 code in includes/menu.inc
527 if (empty($item['access_callback']) ||
528 is_numeric($item['access_callback'])
529 ) {
530 return (boolean ) $item['access_callback'];
531 }
532
533 // check whether the following Ajax requests submitted the right key
534 // FIXME: this should be integrated into ACLs proper
535 if (CRM_Utils_Array::value('page_type', $item) == 3) {
536 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
537 return FALSE;
538 }
539 }
540
541 // check if callback is for checkMenu, if so optimize it
542 if (is_array($item['access_callback']) &&
543 $item['access_callback'][0] == 'CRM_Core_Permission' &&
544 $item['access_callback'][1] == 'checkMenu'
545 ) {
546 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
547 return self::checkMenu($item['access_arguments'][0], $op);
548 }
549 else {
550 return call_user_func_array($item['access_callback'], $item['access_arguments']);
551 }
552 }
553
a0ee3941
EM		 554 /**
555 * @param bool $all
221b21b4
AH		 556 * @param bool $descriptions
557 * whether to return descriptions
a0ee3941
EM		 558 *
559 * @return array
560 */
221b21b4
AH		 561 public static function &basicPermissions($all = FALSE, $descriptions = FALSE) {
562 if ($descriptions) {
563 static $permissionsDesc = NULL;
6a488035 564
221b21b4
AH		 565 if (!$permissionsDesc) {
566 $permissionsDesc = self::assembleBasicPermissions($all, $descriptions);
6a488035
TO		 567 }
568
221b21b4
AH		 569 return $permissionsDesc;
570 }
571 else {
572 static $permissions = NULL;
573
574 if (!$permissions) {
575 $permissions = self::assembleBasicPermissions($all, $descriptions);
6a488035
TO		 576 }
577
221b21b4
AH		 578 return $permissions;
579 }
580 }
581
582 /**
583 * @param bool $all
584 * @param bool $descriptions
585 * whether to return descriptions
586 *
587 * @return array
588 */
589 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
590 $config = CRM_Core_Config::singleton();
591 $prefix = ts('CiviCRM') . ': ';
592 $permissions = self::getCorePermissions($descriptions);
593
594 if (self::isMultisiteEnabled()) {
bcaa174b 595 $permissions['administer Multiple Organizations'] = array($prefix . ts('administer Multiple Organizations'));
221b21b4
AH		 596 }
597
8c282315 598 if (!$descriptions) {
599 foreach ($permissions as $name => $attr) {
600 $permissions[$name] = array_shift($attr);
601 }
602 }
221b21b4
AH		 603 if (!$all) {
604 $components = CRM_Core_Component::getEnabledComponents();
605 }
606 else {
607 $components = CRM_Core_Component::getComponents();
608 }
609
610 foreach ($components as $comp) {
611 $perm = $comp->getPermissions(FALSE, $descriptions);
612 if ($perm) {
613 $info = $comp->getInfo();
2666861c
KL		 614 foreach ($perm as $p => $attr) {
615
616 if (!is_array($attr)) {
617 $attr = array($attr);
618 }
619
620 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
621
622 if ($descriptions) {
221b21b4
AH		 623 $permissions[$p] = $attr;
624 }
2666861c
KL		 625 else {
626 $permissions[$p] = $attr[0];
6a488035
TO		 627 }
628 }
629 }
6a488035
TO		 630 }
631
221b21b4 632 // Add any permissions defined in hook_civicrm_permission implementations.
f1db52b9 633 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
221b21b4 634 $permissions = array_merge($permissions, $module_permissions);
cb2f7dd1 635 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
6a488035
TO		 636 return $permissions;
637 }
638
a0ee3941
EM		 639 /**
640 * @return array
641 */
00be9182 642 public static function getAnonymousPermissionsWarnings() {
81bb85ea
AC		 643 static $permissions = array();
644 if (empty($permissions)) {
645 $permissions = array(
21dfd5f5 646 'administer CiviCRM',
81bb85ea
AC		 647 );
648 $components = CRM_Core_Component::getComponents();
649 foreach ($components as $comp) {
650 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
651 continue;
652 }
653 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
654 }
655 }
656 return $permissions;
657 }
658
a0ee3941
EM		 659 /**
660 * @param $anonymous_perms
661 *
662 * @return array
663 */
00be9182 664 public static function validateForPermissionWarnings($anonymous_perms) {
81bb85ea
AC		 665 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
666 }
667
a0ee3941 668 /**
6793d6a9 669 * Get core permissions.
221b21b4 670 *
a0ee3941
EM		 671 * @return array
672 */
8c282315 673 public static function getCorePermissions() {
6a488035
TO		 674 $prefix = ts('CiviCRM') . ': ';
675 $permissions = array(
221b21b4
AH		 676 'add contacts' => array(
677 $prefix . ts('add contacts'),
678 ts('Create a new contact record in CiviCRM'),
679 ),
680 'view all contacts' => array(
681 $prefix . ts('view all contacts'),
682 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
683 ),
684 'edit all contacts' => array(
685 $prefix . ts('edit all contacts'),
686 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
687 ),
688 'view my contact' => array(
689 $prefix . ts('view my contact'),
690 ),
691 'edit my contact' => array(
692 $prefix . ts('edit my contact'),
693 ),
694 'delete contacts' => array(
695 $prefix . ts('delete contacts'),
696 ),
697 'access deleted contacts' => array(
698 $prefix . ts('access deleted contacts'),
699 ts('Access contacts in the trash'),
700 ),
701 'import contacts' => array(
702 $prefix . ts('import contacts'),
703 ts('Import contacts and activities'),
704 ),
705 'edit groups' => array(
706 $prefix . ts('edit groups'),
707 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
708 ),
709 'administer CiviCRM' => array(
710 $prefix . ts('administer CiviCRM'),
711 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
712 ),
713 'skip IDS check' => array(
714 $prefix . ts('skip IDS check'),
715 ts('IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
716 ),
717 'access uploaded files' => array(
718 $prefix . ts('access uploaded files'),
719 ts('View / download files including images and photos'),
720 ),
721 'profile listings and forms' => array(
722 $prefix . ts('profile listings and forms'),
723 ts('Access the profile Search form and listings'),
724 ),
725 'profile listings' => array(
726 $prefix . ts('profile listings'),
727 ),
728 'profile create' => array(
729 $prefix . ts('profile create'),
730 ts('Use profiles in Create mode'),
731 ),
732 'profile edit' => array(
733 $prefix . ts('profile edit'),
734 ts('Use profiles in Edit mode'),
735 ),
736 'profile view' => array(
737 $prefix . ts('profile view'),
738 ),
739 'access all custom data' => array(
740 $prefix . ts('access all custom data'),
741 ts('View all custom fields regardless of ACL rules'),
742 ),
743 'view all activities' => array(
744 $prefix . ts('view all activities'),
745 ts('View all activities (for visible contacts)'),
746 ),
747 'delete activities' => array(
748 $prefix . ts('Delete activities'),
749 ),
750 'access CiviCRM' => array(
751 $prefix . ts('access CiviCRM'),
752 ts('Master control for access to the main CiviCRM backend and API'),
753 ),
754 'access Contact Dashboard' => array(
755 $prefix . ts('access Contact Dashboard'),
756 ts('View Contact Dashboard (for themselves and visible contacts)'),
757 ),
758 'translate CiviCRM' => array(
759 $prefix . ts('translate CiviCRM'),
760 ts('Allow User to enable multilingual'),
761 ),
762 'administer reserved groups' => array(
763 $prefix . ts('administer reserved groups'),
764 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
765 ),
766 'administer Tagsets' => array(
767 $prefix . ts('administer Tagsets'),
768 ),
769 'administer reserved tags' => array(
770 $prefix . ts('administer reserved tags'),
771 ),
772 'administer dedupe rules' => array(
773 $prefix . ts('administer dedupe rules'),
774 ts('Create and edit rules, change the supervised and unsupervised rules'),
775 ),
776 'merge duplicate contacts' => array(
777 $prefix . ts('merge duplicate contacts'),
778 ts('Delete Contacts must also be granted in order for this to work.'),
779 ),
fd630ef9 780 'force merge duplicate contacts' => array(
781 $prefix . ts('force merge duplicate contacts'),
782 ts('Delete Contacts must also be granted in order for this to work.'),
783 ),
221b21b4
AH		 784 'view debug output' => array(
785 $prefix . ts('view debug output'),
786 ts('View results of debug and backtrace'),
787 ),
02d451ab 788
221b21b4
AH		 789 'view all notes' => array(
790 $prefix . ts('view all notes'),
791 ts("View notes (for visible contacts) even if they're marked admin only"),
792 ),
793 'access AJAX API' => array(
794 $prefix . ts('access AJAX API'),
795 ts('Allow API access even if Access CiviCRM is not granted'),
796 ),
797 'access contact reference fields' => array(
798 $prefix . ts('access contact reference fields'),
799 ts('Allow entering data into contact reference fields'),
800 ),
801 'create manual batch' => array(
802 $prefix . ts('create manual batch'),
803 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
804 ),
805 'edit own manual batches' => array(
806 $prefix . ts('edit own manual batches'),
807 ts('Edit accounting batches created by user'),
808 ),
809 'edit all manual batches' => array(
810 $prefix . ts('edit all manual batches'),
811 ts('Edit all accounting batches'),
812 ),
813 'view own manual batches' => array(
814 $prefix . ts('view own manual batches'),
815 ts('View accounting batches created by user (with Access to CiviContribute)'),
816 ),
817 'view all manual batches' => array(
818 $prefix . ts('view all manual batches'),
819 ts('View all accounting batches (with Access to CiviContribute)'),
820 ),
821 'delete own manual batches' => array(
822 $prefix . ts('delete own manual batches'),
823 ts('Delete accounting batches created by user'),
824 ),
825 'delete all manual batches' => array(
826 $prefix . ts('delete all manual batches'),
827 ts('Delete all accounting batches'),
828 ),
829 'export own manual batches' => array(
830 $prefix . ts('export own manual batches'),
831 ts('Export accounting batches created by user'),
832 ),
833 'export all manual batches' => array(
834 $prefix . ts('export all manual batches'),
835 ts('Export all accounting batches'),
836 ),
837 'administer payment processors' => array(
838 $prefix . ts('administer payment processors'),
839 ts('Add, Update, or Disable Payment Processors'),
840 ),
841 'edit message templates' => array(
842 $prefix . ts('edit message templates'),
843 ),
dc6b437a 844 'view my invoices' => array(
a664e7b3 845 $prefix . ts('view my invoices'),
dc6b437a
GC		 846 ts('Allow users to view/ download their own invoices'),
847 ),
6a488035
TO		 848 );
849
850 return $permissions;
851 }
852
853 /**
d09edf64 854 * Validate user permission across.
6a488035
TO		 855 * edit or view or with supportable acls.
856 *
acb1052e
WA		 857 * @return bool
858 */
00be9182 859 public static function giveMeAllACLs() {
6a488035
TO		 860 if (CRM_Core_Permission::check('view all contacts') ||
861 CRM_Core_Permission::check('edit all contacts')
862 ) {
863 return TRUE;
864 }
865
866 $session = CRM_Core_Session::singleton();
867 $contactID = $session->get('userID');
868
6a488035
TO		 869 //check for acl.
870 $aclPermission = self::getPermission();
871 if (in_array($aclPermission, array(
872 CRM_Core_Permission::EDIT,
41f314b6 873 CRM_Core_Permission::VIEW,
874 ))
875 ) {
6a488035
TO		 876 return TRUE;
877 }
878
879 // run acl where hook and see if the user is supplying an ACL clause
880 // that is not false
881 $tables = $whereTables = array();
882 $where = NULL;
883
884 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
885 $tables, $whereTables,
886 $contactID, $where
887 );
888 return empty($whereTables) ? FALSE : TRUE;
889 }
890
891 /**
100fef9d 892 * Get component name from given permission.
6a488035 893 *
41f314b6 894 * @param string $permission
6a488035 895 *
76e7a76c
CW		 896 * @return null|string
897 * the name of component.
6a488035 898 */
00be9182 899 public static function getComponentName($permission) {
6a488035
TO		 900 $componentName = NULL;
901 $permission = trim($permission);
902 if (empty($permission)) {
903 return $componentName;
904 }
905
906 static $allCompPermissions = array();
907 if (empty($allCompPermissions)) {
908 $components = CRM_Core_Component::getComponents();
909 foreach ($components as $name => $comp) {
33777e4a
PJ		 910 //get all permissions of each components unconditionally
911 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035
TO		 912 }
913 }
914
915 if (is_array($allCompPermissions)) {
916 foreach ($allCompPermissions as $name => $permissions) {
b9021475 917 if (array_key_exists($permission, $permissions)) {
6a488035
TO		 918 $componentName = $name;
919 break;
920 }
921 }
922 }
923
924 return $componentName;
925 }
926
927 /**
d09edf64 928 * Get all the contact emails for users that have a specific permission.
6a488035 929 *
6a0b768e
TO		 930 * @param string $permissionName
931 * Name of the permission we are interested in.
6a488035 932 *
a6c01b45
CW		 933 * @return string
934 * a comma separated list of email addresses
6a488035
TO		 935 */
936 public static function permissionEmails($permissionName) {
937 $config = CRM_Core_Config::singleton();
41f314b6 938 return $config->userPermissionClass->permissionEmails($permissionName);
6a488035
TO		 939 }
940
941 /**
d09edf64 942 * Get all the contact emails for users that have a specific role.
6a488035 943 *
6a0b768e
TO		 944 * @param string $roleName
945 * Name of the role we are interested in.
6a488035 946 *
a6c01b45
CW		 947 * @return string
948 * a comma separated list of email addresses
6a488035
TO		 949 */
950 public static function roleEmails($roleName) {
951 $config = CRM_Core_Config::singleton();
41f314b6 952 return $config->userRoleClass->roleEmails($roleName);
6a488035
TO		 953 }
954
a0ee3941
EM		 955 /**
956 * @return bool
957 */
00be9182 958 public static function isMultisiteEnabled() {
aaffa79f 959 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
6a488035 960 }
96025800 961
dc6b437a
GC		 962 /**
963 * Verify if the user has permission to get the invoice.
964 *
965 * @return bool
966 * TRUE if the user has download all invoices permission or download my
967 * invoices permission and the invoice author is the current user.
968 */
969 public static function checkDownloadInvoice() {
970 global $user;
971 $cid = CRM_Core_BAO_UFMatch::getContactId($user->uid);
972 if (CRM_Core_Permission::check('access CiviContribute') ||
973 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
974 ) {
975 return TRUE;
976 }
977 return FALSE;
978 }
979
6a488035 980}