projects / civicrm-core.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #13967 from eileenmcnaughton/activity_token
[civicrm-core.git] / CRM / Core / Permission.php
CommitLineData
6a488035
TO		 1<?php
2/*
3 +--------------------------------------------------------------------+
fee14197 4 | CiviCRM version 5 |
6a488035 5 +--------------------------------------------------------------------+
6b83d5bd 6 | Copyright CiviCRM LLC (c) 2004-2019 |
6a488035
TO		 7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
d25dd0ee 26 */
6a488035
TO		 27
28/**
29 *
30 * @package CRM
6b83d5bd 31 * @copyright CiviCRM LLC (c) 2004-2019
6a488035
TO		 32 */
33
34/**
35 * This is the basic permission class wrapper
36 */
37class CRM_Core_Permission {
38
39 /**
d09edf64 40 * Static strings used to compose permissions.
6a488035
TO		 41 *
42 * @const
43 * @var string
44 */
7da04cde 45 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
6a488035
TO		 46
47 /**
d09edf64 48 * The various type of permissions.
6a488035
TO		 49 *
50 * @var int
51 */
7da04cde 52 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
6a488035 53
085823c1 54 /**
d09edf64 55 * A placeholder permission which always fails.
085823c1
TO		 56 */
57 const ALWAYS_DENY_PERMISSION = "*always deny*";
58
59 /**
d09edf64 60 * A placeholder permission which always fails.
085823c1
TO		 61 */
62 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
63
6dd18b98 64 /**
d09edf64 65 * Various authentication sources.
6dd18b98
DS		 66 *
67 * @var int
68 */
7da04cde 69 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
6dd18b98 70
6a488035 71 /**
d09edf64 72 * Get the current permission of this user.
6a488035 73 *
a6c01b45
CW		 74 * @return string
75 * the permission of the user (edit or view or null)
6a488035
TO		 76 */
77 public static function getPermission() {
78 $config = CRM_Core_Config::singleton();
41f314b6 79 return $config->userPermissionClass->getPermission();
6a488035
TO		 80 }
81
82 /**
100fef9d 83 * Given a permission string or array, check for access requirements
18be3201 84 * @param string|array $permissions
6a0b768e 85 * The permission to check as an array or string -see examples.
18be3201
CW		 86 *
87 * @param int $contactId
88 * Contact id to check permissions for. Defaults to current logged-in user.
6a488035 89 *
60ec9f43
E		 90 * Ex 1
91 *
92 * Must have 'access CiviCRM'
93 * (string) 'access CiviCRM'
94 *
95 *
96 * Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
97 * array('access CiviCRM', 'access Ajax API')
98 *
99 * Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
100 * array(
101 * array('access CiviCRM', 'access Ajax API'),
102 * ),
103 *
104 * Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
105 * array(
106 * array('access CiviCRM', 'access Ajax API'),
107 * 'access CiviEvent',
108 * ),
109 *
110 * Note that in permissions.php this is keyed by the action eg.
111 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
112 * 'myaction' => array(
113 * array('access CiviCRM', 'access Ajax API'),
114 * array('access CiviEvent', 'access CiviContribute')
115 * ),
6a488035 116 *
acb1052e 117 * @return bool
a6c01b45 118 * true if yes, else false
6a488035 119 */
18be3201 120 public static function check($permissions, $contactId = NULL) {
60ec9f43 121 $permissions = (array) $permissions;
18be3201
CW		 122 $userId = NULL;
123 if ($contactId) {
124 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
125 }
60ec9f43 126
18be3201 127 /** @var CRM_Core_Permission_Temp $tempPerm */
59735506
TO		 128 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
129
60ec9f43 130 foreach ($permissions as $permission) {
22e263ad 131 if (is_array($permission)) {
60ec9f43 132 foreach ($permission as $orPerm) {
18be3201 133 if (self::check($orPerm, $contactId)) {
60ec9f43 134 //one of our 'or' permissions has succeeded - stop checking this permission
b8a19656 135 return TRUE;
60ec9f43
E		 136 }
137 }
138 //none of our our conditions was met
139 return FALSE;
140 }
141 else {
3ae62cab 142 // This is an individual permission
18be3201 143 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission, $userId);
3ae62cab 144 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
fa4dac9c 145 CRM_Utils_Hook::permission_check($permission, $granted, $contactId);
59735506 146 if (
3ae62cab 147 !$granted
59735506
TO		 148 && !($tempPerm && $tempPerm->check($permission))
149 ) {
60ec9f43
E		 150 //one of our 'and' conditions has not been met
151 return FALSE;
152 }
153 }
154 }
155 return TRUE;
6a488035
TO		 156 }
157
dc92f2f8 158 /**
d09edf64 159 * Determine if any one of the permissions strings applies to current user.
dc92f2f8
TO		 160 *
161 * @param array $perms
162 * @return bool
163 */
164 public static function checkAnyPerm($perms) {
165 foreach ($perms as $perm) {
166 if (CRM_Core_Permission::check($perm)) {
167 return TRUE;
168 }
169 }
170 return FALSE;
171 }
172
6a488035
TO		 173 /**
174 * Given a group/role array, check for access requirements
175 *
6a0b768e
TO		 176 * @param array $array
177 * The group/role to check.
6a488035 178 *
acb1052e 179 * @return bool
a6c01b45 180 * true if yes, else false
6a488035 181 */
00be9182 182 public static function checkGroupRole($array) {
6a488035 183 $config = CRM_Core_Config::singleton();
41f314b6 184 return $config->userPermissionClass->checkGroupRole($array);
6a488035
TO		 185 }
186
187 /**
d09edf64 188 * Get the permissioned where clause for the user.
6a488035 189 *
6a0b768e
TO		 190 * @param int $type
191 * The type of permission needed.
192 * @param array $tables
193 * (reference ) add the tables that are needed for the select clause.
194 * @param array $whereTables
195 * (reference ) add the tables that are needed for the where clause.
6a488035 196 *
a6c01b45
CW		 197 * @return string
198 * the group where clause for this user
6a488035
TO		 199 */
200 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
201 $config = CRM_Core_Config::singleton();
41f314b6 202 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
6a488035
TO		 203 }
204
205 /**
206 * Get all groups from database, filtered by permissions
207 * for this user
208 *
6a0b768e
TO		 209 * @param string $groupType
210 * Type of group(Access/Mailing).
3f8d2862
CW		 211 * @param bool $excludeHidden
212 * exclude hidden groups.
6a488035 213 *
6a488035 214 *
a6c01b45
CW		 215 * @return array
216 * array reference of all groups.
6a488035
TO		 217 */
218 public static function group($groupType, $excludeHidden = TRUE) {
219 $config = CRM_Core_Config::singleton();
41f314b6 220 return $config->userPermissionClass->group($groupType, $excludeHidden);
6a488035
TO		 221 }
222
a0ee3941
EM		 223 /**
224 * @return bool
225 */
6a488035
TO		 226 public static function customGroupAdmin() {
227 $admin = FALSE;
228
229 // check if user has all powerful permission
230 // or administer civicrm permission (CRM-1905)
231 if (self::check('access all custom data')) {
232 return TRUE;
233 }
234
634e1a1a
DL		 235 if (
236 self::check('administer Multiple Organizations') &&
6a488035
TO		 237 self::isMultisiteEnabled()
238 ) {
239 return TRUE;
240 }
241
242 if (self::check('administer CiviCRM')) {
243 return TRUE;
244 }
245
246 return FALSE;
247 }
248
a0ee3941
EM		 249 /**
250 * @param int $type
251 * @param bool $reset
252 *
253 * @return array
254 */
6a488035 255 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
41f314b6 256 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
257 array('fresh' => $reset));
6a488035
TO		 258 $defaultGroups = array();
259
260 // check if user has all powerful permission
261 // or administer civicrm permission (CRM-1905)
262 if (self::customGroupAdmin()) {
263 $defaultGroups = array_keys($customGroups);
264 }
265
266 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
267 }
268
a0ee3941
EM		 269 /**
270 * @param int $type
271 * @param null $prefix
272 * @param bool $reset
273 *
274 * @return string
275 */
00be9182 276 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
6a488035
TO		 277 if (self::customGroupAdmin()) {
278 return ' ( 1 ) ';
279 }
280
281 $groups = self::customGroup($type, $reset);
282 if (empty($groups)) {
283 return ' ( 0 ) ';
284 }
285 else {
286 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
287 }
288 }
289
a0ee3941 290 /**
100fef9d 291 * @param int $gid
a0ee3941
EM		 292 * @param int $type
293 *
294 * @return bool
295 */
6a488035
TO		 296 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
297 if (empty($gid)) {
298 return TRUE;
299 }
300
301 $groups = self::ufGroup($type);
684b0b22 302 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
6a488035
TO		 303 }
304
a0ee3941
EM		 305 /**
306 * @param int $type
307 *
308 * @return array
309 */
6a488035 310 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
ff4f7744 311 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
6a488035
TO		 312
313 $allGroups = array_keys($ufGroups);
314
315 // check if user has all powerful permission
316 if (self::check('profile listings and forms')) {
317 return $allGroups;
318 }
319
320 switch ($type) {
321 case CRM_Core_Permission::VIEW:
322 if (self::check('profile view')) {
323 return $allGroups;
324 }
325 break;
326
327 case CRM_Core_Permission::CREATE:
328 if (self::check('profile create')) {
329 return $allGroups;
330 }
331 break;
332
333 case CRM_Core_Permission::EDIT:
334 if (self::check('profile edit')) {
335 return $allGroups;
336 }
337 break;
338
339 case CRM_Core_Permission::SEARCH:
340 if (self::check('profile listings')) {
341 return $allGroups;
342 }
343 break;
344 }
345
346 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
347 }
348
a0ee3941
EM		 349 /**
350 * @param int $type
351 * @param null $prefix
352 * @param bool $returnUFGroupIds
353 *
354 * @return array|string
355 */
00be9182 356 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
6a488035
TO		 357 $groups = self::ufGroup($type);
358 if ($returnUFGroupIds) {
359 return $groups;
360 }
361 elseif (empty($groups)) {
362 return ' ( 0 ) ';
363 }
364 else {
365 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
366 }
367 }
368
a0ee3941
EM		 369 /**
370 * @param int $type
100fef9d 371 * @param int $eventID
a0ee3941
EM		 372 * @param string $context
373 *
374 * @return array|null
375 */
e2d09ab4 376 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
22e263ad
TO		 377 if (!empty($context)) {
378 if (CRM_Core_Permission::check($context)) {
e2d09ab4
EM		 379 return TRUE;
380 }
381 }
6a488035
TO		 382 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
383 $includeEvents = array();
384
385 // check if user has all powerful permission
386 if (self::check('register for events')) {
387 $includeEvents = array_keys($events);
388 }
389
390 if ($type == CRM_Core_Permission::VIEW &&
391 self::check('view event info')
392 ) {
393 $includeEvents = array_keys($events);
394 }
395
396 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
397 if (!$eventID) {
398 return $permissionedEvents;
399 }
41f314b6 400 if (!empty($permissionedEvents)) {
2efcf0c2 401 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
41f314b6 402 }
dfa720e7 403 return NULL;
6a488035
TO		 404 }
405
a0ee3941
EM		 406 /**
407 * @param int $type
408 * @param null $prefix
409 *
410 * @return string
411 */
00be9182 412 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
6a488035
TO		 413 $events = self::event($type);
414 if (empty($events)) {
415 return ' ( 0 ) ';
416 }
417 else {
418 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
419 }
420 }
421
a0ee3941 422 /**
44d17ec8
BS		 423 * Checks that component is enabled and optionally that user has basic perm.
424 *
425 * @param string $module
426 * Specifies the name of the CiviCRM component.
a0ee3941 427 * @param bool $checkPermission
44d17ec8
BS		 428 * Check not only that module is enabled, but that user has necessary
429 * permission.
430 * @param bool $requireAllCasesPermOnCiviCase
431 * Significant only if $module == CiviCase
432 * Require "access all cases and activities", not just
433 * "access my cases and activities".
a0ee3941
EM		 434 *
435 * @return bool
44d17ec8 436 * Access to specified $module is granted.
a0ee3941 437 */
44d17ec8 438 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
6a488035
TO		 439 $config = CRM_Core_Config::singleton();
440
441 if (!in_array($module, $config->enableComponents)) {
442 return FALSE;
443 }
444
445 if ($checkPermission) {
44d17ec8
BS		 446 switch ($module) {
447 case 'CiviCase':
448 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
449 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
450 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
451
452 case 'CiviCampaign':
453 return CRM_Core_Permission::check("administer $module");
454
455 default:
456 return CRM_Core_Permission::check("access $module");
6a488035
TO		 457 }
458 }
459
460 return TRUE;
461 }
462
463 /**
d09edf64 464 * Check permissions for delete and edit actions.
6a488035 465 *
6a0b768e
TO		 466 * @param string $module
467 * Component name.
468 * @param int $action
469 * Action to be check across component.
6a488035 470 *
77b97be7
EM		 471 *
472 * @return bool
473 */
00be9182 474 public static function checkActionPermission($module, $action) {
6a488035
TO		 475 //check delete related permissions.
476 if ($action & CRM_Core_Action::DELETE) {
477 $permissionName = "delete in $module";
478 }
479 else {
480 $editPermissions = array(
481 'CiviEvent' => 'edit event participants',
482 'CiviMember' => 'edit memberships',
483 'CiviPledge' => 'edit pledges',
484 'CiviContribute' => 'edit contributions',
485 'CiviGrant' => 'edit grants',
486 'CiviMail' => 'access CiviMail',
487 'CiviAuction' => 'add auction items',
488 );
489 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
490 }
491
492 if ($module == 'CiviCase' && !$permissionName) {
493 return CRM_Case_BAO_Case::accessCiviCase();
494 }
495 else {
496 //check for permission.
497 return CRM_Core_Permission::check($permissionName);
498 }
499 }
500
a0ee3941
EM		 501 /**
502 * @param $args
503 * @param string $op
504 *
505 * @return bool
506 */
00be9182 507 public static function checkMenu(&$args, $op = 'and') {
6a488035
TO		 508 if (!is_array($args)) {
509 return $args;
510 }
511 foreach ($args as $str) {
512 $res = CRM_Core_Permission::check($str);
513 if ($op == 'or' && $res) {
514 return TRUE;
515 }
516 elseif ($op == 'and' && !$res) {
517 return FALSE;
518 }
519 }
520 return ($op == 'or') ? FALSE : TRUE;
521 }
522
a0ee3941
EM		 523 /**
524 * @param $item
525 *
526 * @return bool|mixed
527 * @throws Exception
528 */
00be9182 529 public static function checkMenuItem(&$item) {
6a488035
TO		 530 if (!array_key_exists('access_callback', $item)) {
531 CRM_Core_Error::backtrace();
532 CRM_Core_Error::fatal();
533 }
534
535 // if component_id is present, ensure it is enabled
3d31a5c6
TO		 536 if (isset($item['component_id']) && $item['component_id']) {
537 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
538 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
539 }
540 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
541
6a488035 542 $config = CRM_Core_Config::singleton();
3d31a5c6 543 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
6a488035
TO		 544 // continue with process
545 }
546 else {
547 return FALSE;
548 }
549 }
550
551 // the following is imitating drupal 6 code in includes/menu.inc
552 if (empty($item['access_callback']) ||
553 is_numeric($item['access_callback'])
554 ) {
555 return (boolean ) $item['access_callback'];
556 }
557
558 // check whether the following Ajax requests submitted the right key
559 // FIXME: this should be integrated into ACLs proper
560 if (CRM_Utils_Array::value('page_type', $item) == 3) {
561 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
562 return FALSE;
563 }
564 }
565
566 // check if callback is for checkMenu, if so optimize it
567 if (is_array($item['access_callback']) &&
568 $item['access_callback'][0] == 'CRM_Core_Permission' &&
569 $item['access_callback'][1] == 'checkMenu'
570 ) {
571 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
572 return self::checkMenu($item['access_arguments'][0], $op);
573 }
574 else {
575 return call_user_func_array($item['access_callback'], $item['access_arguments']);
576 }
577 }
578
a0ee3941
EM		 579 /**
580 * @param bool $all
9476d8d1 581 * Include disabled components
221b21b4 582 * @param bool $descriptions
9476d8d1 583 * Whether to return descriptions
a0ee3941
EM		 584 *
585 * @return array
586 */
9476d8d1
CW		 587 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
588 $cacheKey = implode('-', array($all, $descriptions));
589 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
590 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
221b21b4 591 }
9476d8d1 592 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
221b21b4
AH		 593 }
594
595 /**
596 * @param bool $all
597 * @param bool $descriptions
598 * whether to return descriptions
599 *
600 * @return array
601 */
602 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
603 $config = CRM_Core_Config::singleton();
604 $prefix = ts('CiviCRM') . ': ';
605 $permissions = self::getCorePermissions($descriptions);
606
607 if (self::isMultisiteEnabled()) {
bcaa174b 608 $permissions['administer Multiple Organizations'] = array($prefix . ts('administer Multiple Organizations'));
221b21b4
AH		 609 }
610
8c282315 611 if (!$descriptions) {
612 foreach ($permissions as $name => $attr) {
613 $permissions[$name] = array_shift($attr);
614 }
615 }
221b21b4
AH		 616 if (!$all) {
617 $components = CRM_Core_Component::getEnabledComponents();
618 }
619 else {
620 $components = CRM_Core_Component::getComponents();
621 }
622
623 foreach ($components as $comp) {
624 $perm = $comp->getPermissions(FALSE, $descriptions);
625 if ($perm) {
626 $info = $comp->getInfo();
2666861c
KL		 627 foreach ($perm as $p => $attr) {
628
629 if (!is_array($attr)) {
630 $attr = array($attr);
631 }
632
633 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
634
635 if ($descriptions) {
221b21b4
AH		 636 $permissions[$p] = $attr;
637 }
2666861c
KL		 638 else {
639 $permissions[$p] = $attr[0];
6a488035
TO		 640 }
641 }
642 }
6a488035
TO		 643 }
644
221b21b4 645 // Add any permissions defined in hook_civicrm_permission implementations.
f1db52b9 646 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
221b21b4 647 $permissions = array_merge($permissions, $module_permissions);
cb2f7dd1 648 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
6a488035
TO		 649 return $permissions;
650 }
651
a0ee3941
EM		 652 /**
653 * @return array
654 */
00be9182 655 public static function getAnonymousPermissionsWarnings() {
81bb85ea
AC		 656 static $permissions = array();
657 if (empty($permissions)) {
658 $permissions = array(
21dfd5f5 659 'administer CiviCRM',
81bb85ea
AC		 660 );
661 $components = CRM_Core_Component::getComponents();
662 foreach ($components as $comp) {
663 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
664 continue;
665 }
666 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
667 }
668 }
669 return $permissions;
670 }
671
a0ee3941
EM		 672 /**
673 * @param $anonymous_perms
674 *
675 * @return array
676 */
00be9182 677 public static function validateForPermissionWarnings($anonymous_perms) {
81bb85ea
AC		 678 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
679 }
680
a0ee3941 681 /**
6793d6a9 682 * Get core permissions.
221b21b4 683 *
a0ee3941
EM		 684 * @return array
685 */
8c282315 686 public static function getCorePermissions() {
6a488035
TO		 687 $prefix = ts('CiviCRM') . ': ';
688 $permissions = array(
221b21b4
AH		 689 'add contacts' => array(
690 $prefix . ts('add contacts'),
691 ts('Create a new contact record in CiviCRM'),
692 ),
693 'view all contacts' => array(
694 $prefix . ts('view all contacts'),
695 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
696 ),
697 'edit all contacts' => array(
698 $prefix . ts('edit all contacts'),
699 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
700 ),
701 'view my contact' => array(
702 $prefix . ts('view my contact'),
703 ),
704 'edit my contact' => array(
705 $prefix . ts('edit my contact'),
706 ),
707 'delete contacts' => array(
708 $prefix . ts('delete contacts'),
709 ),
710 'access deleted contacts' => array(
711 $prefix . ts('access deleted contacts'),
712 ts('Access contacts in the trash'),
713 ),
714 'import contacts' => array(
715 $prefix . ts('import contacts'),
716 ts('Import contacts and activities'),
717 ),
40bc3c68
TO		 718 'import SQL datasource' => array(
719 $prefix . ts('import SQL datasource'),
720 ts('When importing, consume data directly from a SQL datasource'),
721 ),
221b21b4
AH		 722 'edit groups' => array(
723 $prefix . ts('edit groups'),
724 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
725 ),
726 'administer CiviCRM' => array(
727 $prefix . ts('administer CiviCRM'),
728 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
729 ),
730 'skip IDS check' => array(
731 $prefix . ts('skip IDS check'),
d9a37cbc 732 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
221b21b4
AH		 733 ),
734 'access uploaded files' => array(
735 $prefix . ts('access uploaded files'),
736 ts('View / download files including images and photos'),
737 ),
738 'profile listings and forms' => array(
739 $prefix . ts('profile listings and forms'),
d9a37cbc 740 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
221b21b4
AH		 741 ),
742 'profile listings' => array(
743 $prefix . ts('profile listings'),
d9a37cbc 744 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
221b21b4
AH		 745 ),
746 'profile create' => array(
747 $prefix . ts('profile create'),
d9a37cbc 748 ts('Add data in a profile form.'),
221b21b4
AH		 749 ),
750 'profile edit' => array(
751 $prefix . ts('profile edit'),
d9a37cbc 752 ts('Edit data in a profile form.'),
221b21b4
AH		 753 ),
754 'profile view' => array(
755 $prefix . ts('profile view'),
d9a37cbc 756 ts('View data in a profile.'),
221b21b4
AH		 757 ),
758 'access all custom data' => array(
759 $prefix . ts('access all custom data'),
760 ts('View all custom fields regardless of ACL rules'),
761 ),
762 'view all activities' => array(
763 $prefix . ts('view all activities'),
764 ts('View all activities (for visible contacts)'),
765 ),
766 'delete activities' => array(
767 $prefix . ts('Delete activities'),
768 ),
ee90a98c
CR		 769 'edit inbound email basic information' => array(
770 $prefix . ts('edit inbound email basic information'),
771 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
772 ),
773 'edit inbound email basic information and content' => array(
774 $prefix . ts('edit inbound email basic information and content'),
775 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
776 ),
221b21b4 777 'access CiviCRM' => array(
d9a37cbc
H		 778 $prefix . ts('access CiviCRM backend and API'),
779 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
221b21b4
AH		 780 ),
781 'access Contact Dashboard' => array(
782 $prefix . ts('access Contact Dashboard'),
783 ts('View Contact Dashboard (for themselves and visible contacts)'),
784 ),
785 'translate CiviCRM' => array(
786 $prefix . ts('translate CiviCRM'),
787 ts('Allow User to enable multilingual'),
788 ),
eaaaef83
I		 789 'manage tags' => array(
790 $prefix . ts('manage tags'),
791 ts('Create and rename tags'),
792 ),
221b21b4
AH		 793 'administer reserved groups' => array(
794 $prefix . ts('administer reserved groups'),
795 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
796 ),
797 'administer Tagsets' => array(
798 $prefix . ts('administer Tagsets'),
799 ),
800 'administer reserved tags' => array(
801 $prefix . ts('administer reserved tags'),
802 ),
803 'administer dedupe rules' => array(
804 $prefix . ts('administer dedupe rules'),
805 ts('Create and edit rules, change the supervised and unsupervised rules'),
806 ),
807 'merge duplicate contacts' => array(
808 $prefix . ts('merge duplicate contacts'),
809 ts('Delete Contacts must also be granted in order for this to work.'),
810 ),
fd630ef9 811 'force merge duplicate contacts' => array(
812 $prefix . ts('force merge duplicate contacts'),
813 ts('Delete Contacts must also be granted in order for this to work.'),
814 ),
221b21b4
AH		 815 'view debug output' => array(
816 $prefix . ts('view debug output'),
817 ts('View results of debug and backtrace'),
818 ),
02d451ab 819
221b21b4
AH		 820 'view all notes' => array(
821 $prefix . ts('view all notes'),
822 ts("View notes (for visible contacts) even if they're marked admin only"),
823 ),
088101a4
O		 824 'add contact notes' => array(
825 $prefix . ts('add contact notes'),
826 ts("Create notes for contacts"),
827 ),
221b21b4
AH		 828 'access AJAX API' => array(
829 $prefix . ts('access AJAX API'),
830 ts('Allow API access even if Access CiviCRM is not granted'),
831 ),
832 'access contact reference fields' => array(
833 $prefix . ts('access contact reference fields'),
834 ts('Allow entering data into contact reference fields'),
835 ),
836 'create manual batch' => array(
837 $prefix . ts('create manual batch'),
838 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
839 ),
840 'edit own manual batches' => array(
841 $prefix . ts('edit own manual batches'),
842 ts('Edit accounting batches created by user'),
843 ),
844 'edit all manual batches' => array(
845 $prefix . ts('edit all manual batches'),
846 ts('Edit all accounting batches'),
847 ),
47a98aef
PN		 848 'close own manual batches' => array(
849 $prefix . ts('close own manual batches'),
5ad18cc2 850 ts('Close accounting batches created by user (with Access to CiviContribute)'),
47a98aef
PN		 851 ),
852 'close all manual batches' => array(
853 $prefix . ts('close all manual batches'),
5ad18cc2 854 ts('Close all accounting batches (with Access to CiviContribute)'),
47a98aef
PN		 855 ),
856 'reopen own manual batches' => array(
857 $prefix . ts('reopen own manual batches'),
5ad18cc2 858 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
47a98aef
PN		 859 ),
860 'reopen all manual batches' => array(
861 $prefix . ts('reopen all manual batches'),
5ad18cc2 862 ts('Reopen all accounting batches (with Access to CiviContribute)'),
47a98aef 863 ),
221b21b4
AH		 864 'view own manual batches' => array(
865 $prefix . ts('view own manual batches'),
866 ts('View accounting batches created by user (with Access to CiviContribute)'),
867 ),
868 'view all manual batches' => array(
869 $prefix . ts('view all manual batches'),
870 ts('View all accounting batches (with Access to CiviContribute)'),
871 ),
872 'delete own manual batches' => array(
873 $prefix . ts('delete own manual batches'),
874 ts('Delete accounting batches created by user'),
875 ),
876 'delete all manual batches' => array(
877 $prefix . ts('delete all manual batches'),
878 ts('Delete all accounting batches'),
879 ),
880 'export own manual batches' => array(
881 $prefix . ts('export own manual batches'),
882 ts('Export accounting batches created by user'),
883 ),
884 'export all manual batches' => array(
885 $prefix . ts('export all manual batches'),
886 ts('Export all accounting batches'),
887 ),
888 'administer payment processors' => array(
889 $prefix . ts('administer payment processors'),
890 ts('Add, Update, or Disable Payment Processors'),
891 ),
892 'edit message templates' => array(
893 $prefix . ts('edit message templates'),
894 ),
40a732a9
SA		 895 'edit system workflow message templates' => array(
896 $prefix . ts('edit system workflow message templates'),
897 ),
898 'edit user-driven message templates' => array(
899 $prefix . ts('edit user-driven message templates'),
900 ),
dc6b437a 901 'view my invoices' => array(
a664e7b3 902 $prefix . ts('view my invoices'),
dc6b437a
GC		 903 ts('Allow users to view/ download their own invoices'),
904 ),
d4463076
TO		 905 'edit api keys' => array(
906 $prefix . ts('edit api keys'),
907 ts('Edit API keys'),
908 ),
909 'edit own api keys' => array(
910 $prefix . ts('edit own api keys'),
911 ts('Edit user\'s own API keys'),
912 ),
63483feb
MM		 913 'send SMS' => array(
914 $prefix . ts('send SMS'),
915 ts('Send an SMS'),
916 ),
6a488035
TO		 917 );
918
919 return $permissions;
920 }
921
bf9a7c0f
ES		 922 /**
923 * For each entity provides an array of permissions required for each action
924 *
925 * The action is the array key, possible values:
926 * * create: applies to create (with no id in params)
927 * * update: applies to update, setvalue, create (with id in params)
928 * * get: applies to getcount, getsingle, getvalue and other gets
929 * * delete: applies to delete, replace
930 * * meta: applies to getfields, getoptions, getspec
931 * * default: catch-all for anything not declared
932 *
933 * Note: some APIs declare other actions as well
934 *
935 * Permissions should use arrays for AND and arrays of arrays for OR
1a5a2ade 936 * @see CRM_Core_Permission::check
bf9a7c0f
ES		 937 *
938 * @return array of permissions
939 */
940 public static function getEntityActionPermissions() {
941 $permissions = array();
942 // These are the default permissions - if any entity does not declare permissions for a given action,
943 // (or the entity does not declare permissions at all) - then the action will be used from here
944 $permissions['default'] = array(
945 // applies to getfields, getoptions, etc.
946 'meta' => array('access CiviCRM'),
947 // catch-all, applies to create, get, delete, etc.
948 // If an entity declares it's own 'default' action it will override this one
949 'default' => array('administer CiviCRM'),
950 );
951
952 // Note: Additional permissions in DynamicFKAuthorization
953 $permissions['attachment'] = array(
954 'default' => array(
955 array('access CiviCRM', 'access AJAX API'),
956 ),
957 );
958
959 // Contact permissions
960 $permissions['contact'] = array(
961 'create' => array(
962 'access CiviCRM',
963 'add contacts',
964 ),
965 'delete' => array(
966 'access CiviCRM',
967 'delete contacts',
968 ),
969 // managed by query object
970 'get' => array(),
971 // managed by _civicrm_api3_check_edit_permissions
972 'update' => array(),
973 'getquick' => array(
974 array('access CiviCRM', 'access AJAX API'),
975 ),
f257308b
PN		 976 'duplicatecheck' => array(
977 'access CiviCRM',
978 ),
bf9a7c0f
ES		 979 );
980
981 // CRM-16963 - Permissions for country.
982 $permissions['country'] = array(
983 'get' => array(
984 'access CiviCRM',
985 ),
986 'default' => array(
987 'administer CiviCRM',
988 ),
989 );
990
991 // Contact-related data permissions.
992 $permissions['address'] = array(
993 // get is managed by BAO::addSelectWhereClause
994 // create/delete are managed by _civicrm_api3_check_edit_permissions
995 'default' => array(),
996 );
997 $permissions['email'] = $permissions['address'];
998 $permissions['phone'] = $permissions['address'];
999 $permissions['website'] = $permissions['address'];
1000 $permissions['im'] = $permissions['address'];
1001 $permissions['open_i_d'] = $permissions['address'];
1002
1003 // Also managed by ACLs - CRM-19448
1004 $permissions['entity_tag'] = array('default' => array());
1005 $permissions['note'] = $permissions['entity_tag'];
1006
1007 // Allow non-admins to get and create tags to support tagset widget
1008 // Delete is still reserved for admins
1009 $permissions['tag'] = array(
1010 'get' => array('access CiviCRM'),
1011 'create' => array('access CiviCRM'),
1012 'update' => array('access CiviCRM'),
1013 );
1014
1015 //relationship permissions
1016 $permissions['relationship'] = array(
1017 // get is managed by BAO::addSelectWhereClause
1018 'get' => array(),
1019 'delete' => array(
1020 'access CiviCRM',
1021 'edit all contacts',
1022 ),
1023 'default' => array(
1024 'access CiviCRM',
1025 'edit all contacts',
1026 ),
1027 );
1028
1029 // CRM-17741 - Permissions for RelationshipType.
1030 $permissions['relationship_type'] = array(
1031 'get' => array(
1032 'access CiviCRM',
1033 ),
1034 'default' => array(
1035 'administer CiviCRM',
1036 ),
1037 );
1038
1039 // Activity permissions
1040 $permissions['activity'] = array(
1041 'delete' => array(
1042 'access CiviCRM',
1043 'delete activities',
1044 ),
1045 'get' => array(
1046 'access CiviCRM',
1047 // Note that view all activities is also required within the api
1048 // if the id is not passed in. Where the id is passed in the activity
1049 // specific check functions are used and tested.
1050 ),
1051 'default' => array(
1052 'access CiviCRM',
1053 'view all activities',
1054 ),
1055 );
cdacd6ab 1056 $permissions['activity_contact'] = $permissions['activity'];
bf9a7c0f
ES		 1057
1058 // Case permissions
1059 $permissions['case'] = array(
1060 'create' => array(
1061 'access CiviCRM',
1062 'add cases',
1063 ),
1064 'delete' => array(
1065 'access CiviCRM',
1066 'delete in CiviCase',
1067 ),
8572e6de
CW		 1068 'restore' => array(
1069 'administer CiviCase',
1070 ),
a6bc7218
CW		 1071 'merge' => array(
1072 'administer CiviCase',
1073 ),
bf9a7c0f
ES		 1074 'default' => array(
1075 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
1076 array('access my cases and activities', 'access all cases and activities'),
1077 ),
1078 );
1079 $permissions['case_contact'] = $permissions['case'];
1080
1081 $permissions['case_type'] = array(
1082 'default' => array('administer CiviCase'),
1083 'get' => array(
1084 // nested array = OR
1085 array('access my cases and activities', 'access all cases and activities'),
1086 ),
1087 );
1088
1089 // Campaign permissions
1090 $permissions['campaign'] = array(
1091 'get' => array('access CiviCRM'),
1092 'default' => array(
1093 // nested array = OR
1094 array('administer CiviCampaign', 'manage campaign'),
1095 ),
1096 );
1097 $permissions['survey'] = $permissions['campaign'];
1098
1099 // Financial permissions
1100 $permissions['contribution'] = array(
1101 'get' => array(
1102 'access CiviCRM',
1103 'access CiviContribute',
1104 ),
1105 'delete' => array(
1106 'access CiviCRM',
1107 'access CiviContribute',
1108 'delete in CiviContribute',
1109 ),
1110 'completetransaction' => array(
1111 'edit contributions',
1112 ),
1113 'default' => array(
1114 'access CiviCRM',
1115 'access CiviContribute',
1116 'edit contributions',
1117 ),
1118 );
1119 $permissions['line_item'] = $permissions['contribution'];
1120
1121 // Payment permissions
1122 $permissions['payment'] = array(
1123 'get' => array(
1124 'access CiviCRM',
1125 'access CiviContribute',
1126 ),
1127 'delete' => array(
1128 'access CiviCRM',
1129 'access CiviContribute',
1130 'delete in CiviContribute',
1131 ),
1132 'cancel' => array(
1133 'access CiviCRM',
1134 'access CiviContribute',
1135 'edit contributions',
1136 ),
1137 'create' => array(
1138 'access CiviCRM',
1139 'access CiviContribute',
1140 'edit contributions',
1141 ),
1142 'default' => array(
1143 'access CiviCRM',
1144 'access CiviContribute',
1145 'edit contributions',
1146 ),
1147 );
e4124a88 1148 $permissions['contribution_recur'] = $permissions['payment'];
bf9a7c0f
ES		 1149
1150 // Custom field permissions
1151 $permissions['custom_field'] = array(
1152 'default' => array(
1153 'administer CiviCRM',
1154 'access all custom data',
1155 ),
1156 );
1157 $permissions['custom_group'] = $permissions['custom_field'];
1158
1159 // Event permissions
1160 $permissions['event'] = array(
1161 'create' => array(
1162 'access CiviCRM',
1163 'access CiviEvent',
1164 'edit all events',
1165 ),
1166 'delete' => array(
1167 'access CiviCRM',
1168 'access CiviEvent',
1169 'delete in CiviEvent',
1170 ),
1171 'get' => array(
1172 'access CiviCRM',
1173 'access CiviEvent',
1174 'view event info',
1175 ),
1176 'update' => array(
1177 'access CiviCRM',
1178 'access CiviEvent',
1179 'edit all events',
1180 ),
1181 );
1182 // Loc block is only used for events
1183 $permissions['loc_block'] = $permissions['event'];
1184
fc2d1728
J		 1185 $permissions['state_province'] = array(
1186 'get' => array(
1187 'access CiviCRM',
755a9e9b 1188 ),
fc2d1728
J		 1189 );
1190
bf9a7c0f
ES		 1191 // Price sets are shared by several components, user needs access to at least one of them
1192 $permissions['price_set'] = array(
1193 'default' => array(
1194 array('access CiviEvent', 'access CiviContribute', 'access CiviMember'),
1195 ),
1196 'get' => array(
1197 array('access CiviCRM', 'view event info', 'make online contributions'),
1198 ),
1199 );
1200
1201 // File permissions
1202 $permissions['file'] = array(
1203 'default' => array(
1204 'access CiviCRM',
1205 'access uploaded files',
1206 ),
1207 );
1208 $permissions['files_by_entity'] = $permissions['file'];
1209
1210 // Group permissions
1211 $permissions['group'] = array(
1212 'get' => array(
1213 'access CiviCRM',
1214 ),
1215 'default' => array(
1216 'access CiviCRM',
1217 'edit groups',
1218 ),
1219 );
1220
1221 $permissions['group_nesting'] = $permissions['group'];
1222 $permissions['group_organization'] = $permissions['group'];
1223
1224 //Group Contact permission
1225 $permissions['group_contact'] = array(
1226 'get' => array(
1227 'access CiviCRM',
1228 ),
1229 'default' => array(
1230 'access CiviCRM',
1231 'edit all contacts',
1232 ),
1233 );
1234
1235 // CiviMail Permissions
1236 $civiMailBasePerms = array(
1237 // To get/preview/update, one must have least one of these perms:
1238 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1239 'access CiviMail',
1240 'create mailings',
1241 'schedule mailings',
1242 'approve mailings',
1243 );
1244 $permissions['mailing'] = array(
1245 'get' => array(
1246 'access CiviCRM',
1247 $civiMailBasePerms,
1248 ),
1249 'delete' => array(
1250 'access CiviCRM',
1251 $civiMailBasePerms,
1252 'delete in CiviMail',
1253 ),
1254 'submit' => array(
1255 'access CiviCRM',
1256 array('access CiviMail', 'schedule mailings'),
1257 ),
1258 'default' => array(
1259 'access CiviCRM',
1260 $civiMailBasePerms,
1261 ),
1262 );
1263 $permissions['mailing_group'] = $permissions['mailing'];
1264 $permissions['mailing_job'] = $permissions['mailing'];
1265 $permissions['mailing_recipients'] = $permissions['mailing'];
1266
1267 $permissions['mailing_a_b'] = array(
1268 'get' => array(
1269 'access CiviCRM',
1270 'access CiviMail',
1271 ),
1272 'delete' => array(
1273 'access CiviCRM',
1274 'access CiviMail',
1275 'delete in CiviMail',
1276 ),
1277 'submit' => array(
1278 'access CiviCRM',
1279 array('access CiviMail', 'schedule mailings'),
1280 ),
1281 'default' => array(
1282 'access CiviCRM',
1283 'access CiviMail',
1284 ),
1285 );
1286
1287 // Membership permissions
1288 $permissions['membership'] = array(
1289 'get' => array(
1290 'access CiviCRM',
1291 'access CiviMember',
1292 ),
1293 'delete' => array(
1294 'access CiviCRM',
1295 'access CiviMember',
1296 'delete in CiviMember',
1297 ),
1298 'default' => array(
1299 'access CiviCRM',
1300 'access CiviMember',
1301 'edit memberships',
1302 ),
1303 );
1304 $permissions['membership_status'] = $permissions['membership'];
1305 $permissions['membership_type'] = $permissions['membership'];
1306 $permissions['membership_payment'] = array(
1307 'create' => array(
1308 'access CiviCRM',
1309 'access CiviMember',
1310 'edit memberships',
1311 'access CiviContribute',
1312 'edit contributions',
1313 ),
1314 'delete' => array(
1315 'access CiviCRM',
1316 'access CiviMember',
1317 'delete in CiviMember',
1318 'access CiviContribute',
1319 'delete in CiviContribute',
1320 ),
1321 'get' => array(
1322 'access CiviCRM',
1323 'access CiviMember',
1324 'access CiviContribute',
1325 ),
1326 'update' => array(
1327 'access CiviCRM',
1328 'access CiviMember',
1329 'edit memberships',
1330 'access CiviContribute',
1331 'edit contributions',
1332 ),
1333 );
1334
1335 // Participant permissions
1336 $permissions['participant'] = array(
1337 'create' => array(
1338 'access CiviCRM',
1339 'access CiviEvent',
1340 'register for events',
1341 ),
1342 'delete' => array(
1343 'access CiviCRM',
1344 'access CiviEvent',
1345 'edit event participants',
1346 ),
1347 'get' => array(
1348 'access CiviCRM',
1349 'access CiviEvent',
1350 'view event participants',
1351 ),
1352 'update' => array(
1353 'access CiviCRM',
1354 'access CiviEvent',
1355 'edit event participants',
1356 ),
1357 );
1358 $permissions['participant_payment'] = array(
1359 'create' => array(
1360 'access CiviCRM',
1361 'access CiviEvent',
1362 'register for events',
1363 'access CiviContribute',
1364 'edit contributions',
1365 ),
1366 'delete' => array(
1367 'access CiviCRM',
1368 'access CiviEvent',
1369 'edit event participants',
1370 'access CiviContribute',
1371 'delete in CiviContribute',
1372 ),
1373 'get' => array(
1374 'access CiviCRM',
1375 'access CiviEvent',
1376 'view event participants',
1377 'access CiviContribute',
1378 ),
1379 'update' => array(
1380 'access CiviCRM',
1381 'access CiviEvent',
1382 'edit event participants',
1383 'access CiviContribute',
1384 'edit contributions',
1385 ),
1386 );
1387
1388 // Pledge permissions
1389 $permissions['pledge'] = array(
1390 'create' => array(
1391 'access CiviCRM',
1392 'access CiviPledge',
1393 'edit pledges',
1394 ),
1395 'delete' => array(
1396 'access CiviCRM',
1397 'access CiviPledge',
1398 'delete in CiviPledge',
1399 ),
1400 'get' => array(
1401 'access CiviCRM',
1402 'access CiviPledge',
1403 ),
1404 'update' => array(
1405 'access CiviCRM',
1406 'access CiviPledge',
1407 'edit pledges',
1408 ),
1409 );
1410
1411 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
1412 $permissions['action_schedule'] = array(
1413 'update' => array(
1414 array(
1415 'access CiviCRM',
1416 'edit all events',
1417 ),
1418 ),
1419 );
1420
1421 $permissions['pledge_payment'] = array(
1422 'create' => array(
1423 'access CiviCRM',
1424 'access CiviPledge',
1425 'edit pledges',
1426 'access CiviContribute',
1427 'edit contributions',
1428 ),
1429 'delete' => array(
1430 'access CiviCRM',
1431 'access CiviPledge',
1432 'delete in CiviPledge',
1433 'access CiviContribute',
1434 'delete in CiviContribute',
1435 ),
1436 'get' => array(
1437 'access CiviCRM',
1438 'access CiviPledge',
1439 'access CiviContribute',
1440 ),
1441 'update' => array(
1442 'access CiviCRM',
1443 'access CiviPledge',
1444 'edit pledges',
1445 'access CiviContribute',
1446 'edit contributions',
1447 ),
1448 );
1449
1450 // Profile permissions
1451 $permissions['profile'] = array(
1452 'get' => array(), // the profile will take care of this
1453 );
1454
1455 $permissions['uf_group'] = array(
1456 'create' => array(
1457 'access CiviCRM',
1458 array(
1459 'administer CiviCRM',
1460 'manage event profiles',
1461 ),
1462 ),
1463 'get' => array(
1464 'access CiviCRM',
1465 ),
1466 'update' => array(
1467 'access CiviCRM',
1468 array(
1469 'administer CiviCRM',
1470 'manage event profiles',
1471 ),
1472 ),
1473 );
1474 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
1475 $permissions['uf_field']['delete'] = array(
1476 'access CiviCRM',
1477 array(
1478 'administer CiviCRM',
1479 'manage event profiles',
1480 ),
1481 );
1482 $permissions['option_value'] = $permissions['uf_group'];
1483 $permissions['option_group'] = $permissions['option_value'];
1484
f26fa703
CW		 1485 $permissions['custom_value'] = array(
1486 'gettree' => array('access CiviCRM'),
1487 );
1488
bf9a7c0f
ES		 1489 $permissions['message_template'] = array(
1490 'get' => array('access CiviCRM'),
781ed314
SL		 1491 'create' => array(array('edit message templates', 'edit user-driven message templates', 'edit system workflow message templates')),
1492 'update' => array(array('edit message templates', 'edit user-driven message templates', 'edit system workflow message templates')),
bf9a7c0f 1493 );
4341efe4
JV		 1494
1495 $permissions['report_template']['update'] = 'save Report Criteria';
1496 $permissions['report_template']['create'] = 'save Report Criteria';
bf9a7c0f
ES		 1497 return $permissions;
1498 }
1499
1500 /**
1501 * Translate an unknown action to a canonical form.
1502 *
1503 * @param string $action
1504 *
1505 * @return string
1506 * the standardised action name
1507 */
1508 public static function getGenericAction($action) {
1509 $snippet = substr($action, 0, 3);
1510 if ($action == 'replace' || $snippet == 'del') {
1511 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1512 // on each of those will be tested separately at runtime. This is just a sniff-test
1513 // based on the heuristic that 'delete' tends to be the most closely guarded
1514 // of the necessary permissions.
1515 $action = 'delete';
1516 }
1517 elseif ($action == 'setvalue' || $snippet == 'upd') {
1518 $action = 'update';
1519 }
1520 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1521 $action = 'meta';
1522 }
1523 elseif ($snippet == 'get') {
1524 $action = 'get';
1525 }
1526 return $action;
1527 }
1528
6a488035 1529 /**
d09edf64 1530 * Validate user permission across.
6a488035
TO		 1531 * edit or view or with supportable acls.
1532 *
acb1052e
WA		 1533 * @return bool
1534 */
00be9182 1535 public static function giveMeAllACLs() {
6a488035
TO		 1536 if (CRM_Core_Permission::check('view all contacts') ||
1537 CRM_Core_Permission::check('edit all contacts')
1538 ) {
1539 return TRUE;
1540 }
1541
1542 $session = CRM_Core_Session::singleton();
1543 $contactID = $session->get('userID');
1544
6a488035
TO		 1545 //check for acl.
1546 $aclPermission = self::getPermission();
1547 if (in_array($aclPermission, array(
1548 CRM_Core_Permission::EDIT,
41f314b6 1549 CRM_Core_Permission::VIEW,
1550 ))
1551 ) {
6a488035
TO		 1552 return TRUE;
1553 }
1554
1555 // run acl where hook and see if the user is supplying an ACL clause
1556 // that is not false
1557 $tables = $whereTables = array();
1558 $where = NULL;
1559
1560 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1561 $tables, $whereTables,
1562 $contactID, $where
1563 );
1564 return empty($whereTables) ? FALSE : TRUE;
1565 }
1566
1567 /**
100fef9d 1568 * Get component name from given permission.
6a488035 1569 *
41f314b6 1570 * @param string $permission
6a488035 1571 *
76e7a76c
CW		 1572 * @return null|string
1573 * the name of component.
6a488035 1574 */
00be9182 1575 public static function getComponentName($permission) {
6a488035
TO		 1576 $componentName = NULL;
1577 $permission = trim($permission);
1578 if (empty($permission)) {
1579 return $componentName;
1580 }
1581
1582 static $allCompPermissions = array();
1583 if (empty($allCompPermissions)) {
1584 $components = CRM_Core_Component::getComponents();
1585 foreach ($components as $name => $comp) {
33777e4a
PJ		 1586 //get all permissions of each components unconditionally
1587 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
6a488035
TO		 1588 }
1589 }
1590
1591 if (is_array($allCompPermissions)) {
1592 foreach ($allCompPermissions as $name => $permissions) {
b9021475 1593 if (array_key_exists($permission, $permissions)) {
6a488035
TO		 1594 $componentName = $name;
1595 break;
1596 }
1597 }
1598 }
1599
1600 return $componentName;
1601 }
1602
1603 /**
d09edf64 1604 * Get all the contact emails for users that have a specific permission.
6a488035 1605 *
6a0b768e
TO		 1606 * @param string $permissionName
1607 * Name of the permission we are interested in.
6a488035 1608 *
a6c01b45
CW		 1609 * @return string
1610 * a comma separated list of email addresses
6a488035
TO		 1611 */
1612 public static function permissionEmails($permissionName) {
1613 $config = CRM_Core_Config::singleton();
41f314b6 1614 return $config->userPermissionClass->permissionEmails($permissionName);
6a488035
TO		 1615 }
1616
1617 /**
d09edf64 1618 * Get all the contact emails for users that have a specific role.
6a488035 1619 *
6a0b768e
TO		 1620 * @param string $roleName
1621 * Name of the role we are interested in.
6a488035 1622 *
a6c01b45
CW		 1623 * @return string
1624 * a comma separated list of email addresses
6a488035
TO		 1625 */
1626 public static function roleEmails($roleName) {
1627 $config = CRM_Core_Config::singleton();
41f314b6 1628 return $config->userRoleClass->roleEmails($roleName);
6a488035
TO		 1629 }
1630
a0ee3941
EM		 1631 /**
1632 * @return bool
1633 */
00be9182 1634 public static function isMultisiteEnabled() {
aaffa79f 1635 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
6a488035 1636 }
96025800 1637
dc6b437a
GC		 1638 /**
1639 * Verify if the user has permission to get the invoice.
1640 *
1641 * @return bool
1642 * TRUE if the user has download all invoices permission or download my
1643 * invoices permission and the invoice author is the current user.
1644 */
1645 public static function checkDownloadInvoice() {
4cfd4f45 1646 $cid = CRM_Core_Session::getLoggedInContactID();
dc6b437a
GC		 1647 if (CRM_Core_Permission::check('access CiviContribute') ||
1648 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1649 ) {
1650 return TRUE;
1651 }
1652 return FALSE;
1653 }
1654
6a488035 1655}