[civicrm-core.git] / Civi / API / SelectQuery.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 5                                                  |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2019                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */
namespace Civi\API;
use Civi\API\Exception\UnauthorizedException;

/**
 * Query builder for civicrm_api_basic_get.
 *
 * Fetches an entity based on specified params for the "where" clause,
 * return properties for the "select" clause,
 * as well as limit and order.
 *
 * Automatically joins on custom fields to return or filter by them.
 *
 * Supports an additional sql fragment which the calling api can provide.
 *
 * @package Civi\API
 */
abstract class SelectQuery {

  const
    MAX_JOINS = 4,
    MAIN_TABLE_ALIAS = 'a';

  /**
   * @var string
   */
  protected $entity;
  public $select = [];
  public $where = [];
  public $orderBy = [];
  public $limit;
  public $offset;
  /**
   * @var array
   */
  protected $selectFields = [];
  /**
   * @var bool
   */
  public $isFillUniqueFields = FALSE;
  /**
   * @var \CRM_Utils_SQL_Select
   */
  protected $query;
  /**
   * @var array
   */
  protected $joins = [];
  /**
   * @var array
   */
  protected $apiFieldSpec;
  /**
   * @var array
   */
  protected $entityFieldNames;
  /**
   * @var array
   */
  protected $aclFields = [];
  /**
   * @var string|bool
   */
  protected $checkPermissions;

  protected $apiVersion;

  /**
   * @param string $entity
   * @param bool $checkPermissions
   */
  public function __construct($entity, $checkPermissions) {
    $this->entity = $entity;
    require_once 'api/v3/utils.php';
    $baoName = _civicrm_api3_get_BAO($entity);
    $bao = new $baoName();

    $this->entityFieldNames = _civicrm_api3_field_names(_civicrm_api3_build_fields_array($bao));
    $this->apiFieldSpec = $this->getFields();

    $this->query = \CRM_Utils_SQL_Select::from($bao->tableName() . ' ' . self::MAIN_TABLE_ALIAS);
    $bao->free();

    // Add ACLs first to avoid redundant subclauses
    $this->checkPermissions = $checkPermissions;
    $this->query->where($this->getAclClause(self::MAIN_TABLE_ALIAS, $baoName));
  }

  /**
   * Build & execute the query and return results array
   *
   * @return array|int
   * @throws \API_Exception
   * @throws \CRM_Core_Exception
   * @throws \Exception
   */
  public function run() {
    $this->buildSelectFields();

    $this->buildWhereClause();
    if (in_array('count_rows', $this->select)) {
      $this->query->select("count(*) as c");
    }
    else {
      foreach ($this->selectFields as $column => $alias) {
        $this->query->select("$column as `$alias`");
      }
      // Order by
      $this->buildOrderBy();
    }

    // Limit
    if (!empty($this->limit) || !empty($this->offset)) {
      $this->query->limit($this->limit, $this->offset);
    }

    $result_entities = [];
    $result_dao = \CRM_Core_DAO::executeQuery($this->query->toSQL());

    while ($result_dao->fetch()) {
      if (in_array('count_rows', $this->select)) {
        $result_dao->free();
        return (int) $result_dao->c;
      }
      $result_entities[$result_dao->id] = [];
      foreach ($this->selectFields as $column => $alias) {
        $returnName = $alias;
        $alias = str_replace('.', '_', $alias);
        if (property_exists($result_dao, $alias) && $result_dao->$alias != NULL) {
          $result_entities[$result_dao->id][$returnName] = $result_dao->$alias;
        }
        // Backward compatibility on fields names.
        if ($this->isFillUniqueFields && !empty($this->apiFieldSpec[$alias]['uniqueName'])) {
          $result_entities[$result_dao->id][$this->apiFieldSpec[$alias]['uniqueName']] = $result_dao->$alias;
        }
        foreach ($this->apiFieldSpec as $returnName => $spec) {
          if (empty($result_entities[$result_dao->id][$returnName]) && !empty($result_entities[$result_dao->id][$spec['name']])) {
            $result_entities[$result_dao->id][$returnName] = $result_entities[$result_dao->id][$spec['name']];
          }
        }
      };
    }
    $result_dao->free();
    return $result_entities;
  }

  /**
   * @param \CRM_Utils_SQL_Select $sqlFragment
   * @return SelectQuery
   */
  public function merge($sqlFragment) {
    $this->query->merge($sqlFragment);
    return $this;
  }

  /**
   * Joins onto an fk field
   *
   * Adds one or more joins to the query to make this field available for use in a clause.
   *
   * Enforces permissions at the api level and by appending the acl clause for that entity to the join.
   *
   * @param $fkFieldName
   * @param $side
   *
   * @return array|null
   *   Returns the table and field name for adding this field to a SELECT or WHERE clause
   * @throws \API_Exception
   * @throws \Civi\API\Exception\UnauthorizedException
   */
  protected function addFkField($fkFieldName, $side) {
    $stack = explode('.', $fkFieldName);
    if (count($stack) < 2) {
      return NULL;
    }
    $prev = self::MAIN_TABLE_ALIAS;
    foreach ($stack as $depth => $fieldName) {
      // Setup variables then skip the first level
      if (!$depth) {
        $fk = $fieldName;
        // We only join on core fields
        // @TODO: Custom contact ref fields could be supported too
        if (!in_array($fk, $this->entityFieldNames)) {
          return NULL;
        }
        $fkField = &$this->apiFieldSpec[$fk];
        continue;
      }
      // More than 4 joins deep seems excessive - DOS attack?
      if ($depth > self::MAX_JOINS) {
        throw new UnauthorizedException("Maximum number of joins exceeded in parameter $fkFieldName");
      }
      $subStack = array_slice($stack, 0, $depth);
      $this->getJoinInfo($fkField, $subStack);
      if (!isset($fkField['FKApiName']) || !isset($fkField['FKClassName'])) {
        // Join doesn't exist - might be another param with a dot in it for some reason, we'll just ignore it.
        return NULL;
      }
      // Ensure we have permission to access the other api
      if (!$this->checkPermissionToJoin($fkField['FKApiName'], $subStack)) {
        throw new UnauthorizedException("Authorization failed to join onto {$fkField['FKApiName']} api in parameter $fkFieldName");
      }
      if (!isset($fkField['FKApiSpec'])) {
        $fkField['FKApiSpec'] = \_civicrm_api_get_fields($fkField['FKApiName']);
      }
      $fieldInfo = \CRM_Utils_Array::value($fieldName, $fkField['FKApiSpec']);

      $keyColumn = \CRM_Utils_Array::value('FKKeyColumn', $fkField, 'id');
      if (!$fieldInfo || !isset($fkField['FKApiSpec'][$keyColumn])) {
        // Join doesn't exist - might be another param with a dot in it for some reason, we'll just ignore it.
        return NULL;
      }
      $fkTable = \CRM_Core_DAO_AllCoreTables::getTableForClass($fkField['FKClassName']);
      $tableAlias = implode('_to_', $subStack) . "_to_$fkTable";

      // Add acl condition
      $joinCondition = array_merge(
        ["$prev.$fk = $tableAlias.$keyColumn"],
        $this->getAclClause($tableAlias, \_civicrm_api3_get_BAO($fkField['FKApiName']), $subStack)
      );

      if (!empty($fkField['FKCondition'])) {
        $joinCondition[] = str_replace($fkTable, $tableAlias, $fkField['FKCondition']);
      }

      $this->join($side, $fkTable, $tableAlias, $joinCondition);

      if (strpos($fieldName, 'custom_') === 0) {
        list($tableAlias, $fieldName) = $this->addCustomField($fieldInfo, $side, $tableAlias);
      }

      // Get ready to recurse to the next level
      $fk = $fieldName;
      $fkField = &$fkField['FKApiSpec'][$fieldName];
      $prev = $tableAlias;
    }
    return [$tableAlias, $fieldName];
  }

  /**
   * Get join info for dynamically-joined fields (e.g. "entity_id", "option_group")
   *
   * @param $fkField
   * @param $stack
   */
  protected function getJoinInfo(&$fkField, $stack) {
    if ($fkField['name'] == 'entity_id') {
      $entityTableParam = substr(implode('.', $stack), 0, -2) . 'table';
      $entityTable = \CRM_Utils_Array::value($entityTableParam, $this->where);
      if ($entityTable && is_string($entityTable) && \CRM_Core_DAO_AllCoreTables::getClassForTable($entityTable)) {
        $fkField['FKClassName'] = \CRM_Core_DAO_AllCoreTables::getClassForTable($entityTable);
        $fkField['FKApiName'] = \CRM_Core_DAO_AllCoreTables::getBriefName($fkField['FKClassName']);
      }
    }
    if (!empty($fkField['pseudoconstant']['optionGroupName'])) {
      $fkField['FKClassName'] = 'CRM_Core_DAO_OptionValue';
      $fkField['FKApiName'] = 'OptionValue';
      $fkField['FKKeyColumn'] = 'value';
      $fkField['FKCondition'] = "civicrm_option_value.option_group_id = (SELECT id FROM civicrm_option_group WHERE name = '{$fkField['pseudoconstant']['optionGroupName']}')";
    }
  }

  /**
   * Joins onto a custom field
   *
   * Adds a join to the query to make this field available for use in a clause.
   *
   * @param array $customField
   * @param string $side
   * @param string $baseTable
   * @return array
   *   Returns the table and field name for adding this field to a SELECT or WHERE clause
   */
  protected function addCustomField($customField, $side, $baseTable = self::MAIN_TABLE_ALIAS) {
    $tableName = $customField["table_name"];
    $columnName = $customField["column_name"];
    $tableAlias = "{$baseTable}_to_$tableName";
    $this->join($side, $tableName, $tableAlias, ["`$tableAlias`.entity_id = `$baseTable`.id"]);
    return [$tableAlias, $columnName];
  }

  /**
   * Fetch a field from the getFields list
   *
   * @param string $fieldName
   * @return array|null
   */
  abstract protected function getField($fieldName);

  /**
   * Perform input validation on params that use the join syntax
   *
   * Arguably this should be done at the api wrapper level, but doing it here provides a bit more consistency
   * in that api permissions to perform the join are checked first.
   *
   * @param $fieldName
   * @param $value
   * @throws \Exception
   */
  protected function validateNestedInput($fieldName, &$value) {
    $stack = explode('.', $fieldName);
    $spec = $this->apiFieldSpec;
    $fieldName = array_pop($stack);
    foreach ($stack as $depth => $name) {
      $entity = $spec[$name]['FKApiName'];
      $spec = $spec[$name]['FKApiSpec'];
    }
    $params = [$fieldName => $value];
    \_civicrm_api3_validate_fields($entity, 'get', $params, $spec);
    $value = $params[$fieldName];
  }

  /**
   * Check permission to join onto another api entity
   *
   * @param string $entity
   * @param array $fieldStack
   *   The stack of fields leading up to this join
   * @return bool
   */
  protected function checkPermissionToJoin($entity, $fieldStack) {
    if (!$this->checkPermissions) {
      return TRUE;
    }
    // Build an array of params that relate to the joined entity
    $params = [
      'version' => 3,
      'return' => [],
      'check_permissions' => $this->checkPermissions,
    ];
    $prefix = implode('.', $fieldStack) . '.';
    $len = strlen($prefix);
    foreach ($this->select as $key => $ret) {
      if (strpos($key, $prefix) === 0) {
        $params['return'][substr($key, $len)] = $ret;
      }
    }
    foreach ($this->where as $key => $param) {
      if (strpos($key, $prefix) === 0) {
        $params[substr($key, $len)] = $param;
      }
    }

    return \Civi::service('civi_api_kernel')->runAuthorize($entity, 'get', $params);
  }

  /**
   * Get acl clause for an entity
   *
   * @param string $tableAlias
   * @param string $baoName
   * @param array $stack
   * @return array
   */
  protected function getAclClause($tableAlias, $baoName, $stack = []) {
    if (!$this->checkPermissions) {
      return [];
    }
    // Prevent (most) redundant acl sub clauses if they have already been applied to the main entity.
    // FIXME: Currently this only works 1 level deep, but tracking through multiple joins would increase complexity
    // and just doing it for the first join takes care of most acl clause deduping.
    if (count($stack) === 1 && in_array($stack[0], $this->aclFields)) {
      return [];
    }
    $clauses = $baoName::getSelectWhereClause($tableAlias);
    if (!$stack) {
      // Track field clauses added to the main entity
      $this->aclFields = array_keys($clauses);
    }
    return array_filter($clauses);
  }

  /**
   * Orders the query by one or more fields
   *
   * @throws \API_Exception
   * @throws \Civi\API\Exception\UnauthorizedException
   */
  protected function buildOrderBy() {
    $sortParams = is_string($this->orderBy) ? explode(',', $this->orderBy) : (array) $this->orderBy;
    foreach ($sortParams as $index => $item) {
      $item = trim($item);
      if ($item == '(1)') {
        continue;
      }
      $words = preg_split("/[\s]+/", $item);
      if ($words) {
        // Direction defaults to ASC unless DESC is specified
        $direction = strtoupper(\CRM_Utils_Array::value(1, $words, '')) == 'DESC' ? ' DESC' : '';
        $field = $this->getField($words[0]);
        if ($field) {
          $this->query->orderBy(self::MAIN_TABLE_ALIAS . '.' . $field['name'] . $direction, NULL, $index);
        }
        elseif (strpos($words[0], '.')) {
          $join = $this->addFkField($words[0], 'LEFT');
          if ($join) {
            $this->query->orderBy("`{$join[0]}`.`{$join[1]}`$direction", NULL, $index);
          }
        }
        else {
          throw new \API_Exception("Unknown field specified for sort. Cannot order by '$item'");
        }
      }
    }
  }

  /**
   * @param string $side
   * @param string $tableName
   * @param string $tableAlias
   * @param array $conditions
   */
  public function join($side, $tableName, $tableAlias, $conditions) {
    // INNER JOINs take precedence over LEFT JOINs
    if ($side != 'LEFT' || !isset($this->joins[$tableAlias])) {
      $this->joins[$tableAlias] = $side;
      $this->query->join($tableAlias, "$side JOIN `$tableName` `$tableAlias` ON " . implode(' AND ', $conditions));
    }
  }

  /**
   * Populate where clauses
   *
   * @throws \Civi\API\Exception\UnauthorizedException
   * @throws \Exception
   */
  abstract protected function buildWhereClause();

  /**
   * Populate $this->selectFields
   *
   * @throws \Civi\API\Exception\UnauthorizedException
   */
  protected function buildSelectFields() {
    $return_all_fields = (empty($this->select) || !is_array($this->select));
    $return = $return_all_fields ? $this->entityFieldNames : $this->select;
    if ($return_all_fields || in_array('custom', $this->select)) {
      foreach (array_keys($this->apiFieldSpec) as $fieldName) {
        if (strpos($fieldName, 'custom_') === 0) {
          $return[] = $fieldName;
        }
      }
    }

    // Always select the ID if the table has one.
    if (array_key_exists('id', $this->apiFieldSpec)) {
      $this->selectFields[self::MAIN_TABLE_ALIAS . ".id"] = "id";
    }

    // core return fields
    foreach ($return as $fieldName) {
      $field = $this->getField($fieldName);
      if ($field && in_array($field['name'], $this->entityFieldNames)) {
        $this->selectFields[self::MAIN_TABLE_ALIAS . ".{$field['name']}"] = $field['name'];
      }
      elseif (strpos($fieldName, '.')) {
        $fkField = $this->addFkField($fieldName, 'LEFT');
        if ($fkField) {
          $this->selectFields[implode('.', $fkField)] = $fieldName;
        }
      }
      elseif ($field && strpos($fieldName, 'custom_') === 0) {
        list($table_name, $column_name) = $this->addCustomField($field, 'LEFT');

        if ($field['data_type'] != 'ContactReference') {
          // 'ordinary' custom field. We will select the value as custom_XX.
          $this->selectFields["$table_name.$column_name"] = $fieldName;
        }
        else {
          // contact reference custom field. The ID will be stored in custom_XX_id.
          // custom_XX will contain the sort name of the contact.
          $this->query->join("c_$fieldName", "LEFT JOIN civicrm_contact c_$fieldName ON c_$fieldName.id = `$table_name`.`$column_name`");
          $this->selectFields["$table_name.$column_name"] = $fieldName . "_id";
          // We will call the contact table for the join c_XX.
          $this->selectFields["c_$fieldName.sort_name"] = $fieldName;
        }
      }
    }
  }

  /**
   * Load entity fields
   * @return array
   */
  abstract protected function getFields();

}
Commit	Line	Data
e47bcddb CW	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
fee14197	4	\| CiviCRM version 5 \|
e47bcddb	5	+--------------------------------------------------------------------+
6b83d5bd	6	\| Copyright CiviCRM LLC (c) 2004-2019 \|
e47bcddb CW	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27	namespace Civi\API;
ab039e22	28	use Civi\API\Exception\UnauthorizedException;
e47bcddb CW	29
	30	/**
	31	* Query builder for civicrm_api_basic_get.
	32	*
	33	* Fetches an entity based on specified params for the "where" clause,
	34	* return properties for the "select" clause,
	35	* as well as limit and order.
	36	*
	37	* Automatically joins on custom fields to return or filter by them.
	38	*
	39	* Supports an additional sql fragment which the calling api can provide.
	40	*
	41	* @package Civi\API
	42	*/
8bcc0d86	43	abstract class SelectQuery {
e47bcddb	44
6c051493 CW	45	const
	46	MAX_JOINS = 4,
	47	MAIN_TABLE_ALIAS = 'a';
5b46e216	48
e47bcddb CW	49	/**
	50	* @var string
	51	*/
	52	protected $entity;
c64f69d9 CW	53	public $select = [];
	54	public $where = [];
	55	public $orderBy = [];
8bcc0d86 CW	56	public $limit;
8bcc0d86 CW	57	public $offset;
e47bcddb CW	58	/**
	59	* @var array
	60	*/
c64f69d9	61	protected $selectFields = [];
e47bcddb CW	62	/**
	63	* @var bool
	64	*/
8bcc0d86	65	public $isFillUniqueFields = FALSE;
e47bcddb CW	66	/**
	67	* @var \CRM_Utils_SQL_Select
	68	*/
	69	protected $query;
2cfe873c CW	70	/**
	71	* @var array
	72	*/
c64f69d9	73	protected $joins = [];
e47bcddb CW	74	/**
	75	* @var array
	76	*/
	77	protected $apiFieldSpec;
	78	/**
	79	* @var array
	80	*/
	81	protected $entityFieldNames;
b53bcc5d CW	82	/**
	83	* @var array
	84	*/
c64f69d9	85	protected $aclFields = [];
d343069c CW	86	/**
	87	* @var string\|bool
	88	*/
8e8bf584	89	protected $checkPermissions;
8bcc0d86 CW	90
8bcc0d86 CW	91	protected $apiVersion;
e47bcddb CW	92
e47bcddb CW	93	/**
8bcc0d86	94	* @param string $entity
8e8bf584	95	* @param bool $checkPermissions
e47bcddb	96	*/
8e8bf584	97	public function __construct($entity, $checkPermissions) {
8bcc0d86 CW	98	$this->entity = $entity;
	99	require_once 'api/v3/utils.php';
	100	$baoName = _civicrm_api3_get_BAO($entity);
6c051493	101	$bao = new $baoName();
e47bcddb	102
6c051493	103	$this->entityFieldNames = _civicrm_api3_field_names(_civicrm_api3_build_fields_array($bao));
8bcc0d86	104	$this->apiFieldSpec = $this->getFields();
e47bcddb	105
6c051493 CW	106	$this->query = \CRM_Utils_SQL_Select::from($bao->tableName() . ' ' . self::MAIN_TABLE_ALIAS);
6c051493 CW	107	$bao->free();
b53bcc5d	108
6c051493	109	// Add ACLs first to avoid redundant subclauses
8e8bf584	110	$this->checkPermissions = $checkPermissions;
6c051493	111	$this->query->where($this->getAclClause(self::MAIN_TABLE_ALIAS, $baoName));
e47bcddb CW	112	}
e47bcddb CW	113
d343069c CW	114	/**
	115	* Build & execute the query and return results array
	116	*
066c4638	117	* @return array\|int
d343069c CW	118	* @throws \API_Exception
	119	* @throws \CRM_Core_Exception
	120	* @throws \Exception
	121	*/
e47bcddb	122	public function run() {
8bcc0d86	123	$this->buildSelectFields();
e47bcddb	124
8bcc0d86	125	$this->buildWhereClause();
258c92c6	126	if (in_array('count_rows', $this->select)) {
8bcc0d86	127	$this->query->select("count(*) as c");
e47bcddb	128	}
8bcc0d86 CW	129	else {
8bcc0d86 CW	130	foreach ($this->selectFields as $column => $alias) {
69aae315	131	$this->query->select("$column as `$alias`");
e47bcddb	132	}
8bcc0d86 CW	133	// Order by
8bcc0d86 CW	134	$this->buildOrderBy();
e47bcddb CW	135	}
e47bcddb CW	136
530c3791	137	// Limit
8bcc0d86 CW	138	if (!empty($this->limit) \|\| !empty($this->offset)) {
8bcc0d86 CW	139	$this->query->limit($this->limit, $this->offset);
e47bcddb CW	140	}
e47bcddb CW	141
c64f69d9	142	$result_entities = [];
e47bcddb CW	143	$result_dao = \CRM_Core_DAO::executeQuery($this->query->toSQL());
	144
	145	while ($result_dao->fetch()) {
258c92c6	146	if (in_array('count_rows', $this->select)) {
e47bcddb CW	147	$result_dao->free();
	148	return (int) $result_dao->c;
	149	}
c64f69d9	150	$result_entities[$result_dao->id] = [];
8bcc0d86	151	foreach ($this->selectFields as $column => $alias) {
69aae315 CW	152	$returnName = $alias;
69aae315 CW	153	$alias = str_replace('.', '_', $alias);
e47bcddb	154	if (property_exists($result_dao, $alias) && $result_dao->$alias != NULL) {
69aae315	155	$result_entities[$result_dao->id][$returnName] = $result_dao->$alias;
e47bcddb CW	156	}
e47bcddb CW	157	// Backward compatibility on fields names.
984f31ae CW	158	if ($this->isFillUniqueFields && !empty($this->apiFieldSpec[$alias]['uniqueName'])) {
984f31ae CW	159	$result_entities[$result_dao->id][$this->apiFieldSpec[$alias]['uniqueName']] = $result_dao->$alias;
e47bcddb CW	160	}
	161	foreach ($this->apiFieldSpec as $returnName => $spec) {
	162	if (empty($result_entities[$result_dao->id][$returnName]) && !empty($result_entities[$result_dao->id][$spec['name']])) {
	163	$result_entities[$result_dao->id][$returnName] = $result_entities[$result_dao->id][$spec['name']];
	164	}
	165	}
	166	};
	167	}
	168	$result_dao->free();
	169	return $result_entities;
	170	}
	171
	172	/**
	173	* @param \CRM_Utils_SQL_Select $sqlFragment
4b350175	174	* @return SelectQuery
e47bcddb CW	175	*/
	176	public function merge($sqlFragment) {
	177	$this->query->merge($sqlFragment);
	178	return $this;
	179	}
69aae315 CW	180
	181	/**
	182	* Joins onto an fk field
	183	*
	184	* Adds one or more joins to the query to make this field available for use in a clause.
	185	*
d343069c CW	186	* Enforces permissions at the api level and by appending the acl clause for that entity to the join.
d343069c CW	187	*
69aae315	188	* @param $fkFieldName
2cfe873c CW	189	* @param $side
2cfe873c CW	190	*
69aae315 CW	191	* @return array\|null
69aae315 CW	192	* Returns the table and field name for adding this field to a SELECT or WHERE clause
d343069c	193	* @throws \API_Exception
ab039e22	194	* @throws \Civi\API\Exception\UnauthorizedException
69aae315	195	*/
8bcc0d86	196	protected function addFkField($fkFieldName, $side) {
69aae315 CW	197	$stack = explode('.', $fkFieldName);
	198	if (count($stack) < 2) {
	199	return NULL;
	200	}
6c051493	201	$prev = self::MAIN_TABLE_ALIAS;
69aae315 CW	202	foreach ($stack as $depth => $fieldName) {
	203	// Setup variables then skip the first level
	204	if (!$depth) {
	205	$fk = $fieldName;
	206	// We only join on core fields
	207	// @TODO: Custom contact ref fields could be supported too
	208	if (!in_array($fk, $this->entityFieldNames)) {
	209	return NULL;
	210	}
	211	$fkField = &$this->apiFieldSpec[$fk];
	212	continue;
	213	}
4f7a32d8	214	// More than 4 joins deep seems excessive - DOS attack?
5b46e216	215	if ($depth > self::MAX_JOINS) {
3924e596	216	throw new UnauthorizedException("Maximum number of joins exceeded in parameter $fkFieldName");
4f7a32d8	217	}
466fce54 CW	218	$subStack = array_slice($stack, 0, $depth);
466fce54 CW	219	$this->getJoinInfo($fkField, $subStack);
2cfe873c	220	if (!isset($fkField['FKApiName']) \|\| !isset($fkField['FKClassName'])) {
ab039e22	221	// Join doesn't exist - might be another param with a dot in it for some reason, we'll just ignore it.
69aae315 CW	222	return NULL;
69aae315 CW	223	}
a762b380	224	// Ensure we have permission to access the other api
b53bcc5d	225	if (!$this->checkPermissionToJoin($fkField['FKApiName'], $subStack)) {
ab039e22	226	throw new UnauthorizedException("Authorization failed to join onto {$fkField['FKApiName']} api in parameter $fkFieldName");
a762b380	227	}
69aae315 CW	228	if (!isset($fkField['FKApiSpec'])) {
	229	$fkField['FKApiSpec'] = \_civicrm_api_get_fields($fkField['FKApiName']);
	230	}
	231	$fieldInfo = \CRM_Utils_Array::value($fieldName, $fkField['FKApiSpec']);
	232
9c846e15 CW	233	$keyColumn = \CRM_Utils_Array::value('FKKeyColumn', $fkField, 'id');
9c846e15 CW	234	if (!$fieldInfo \|\| !isset($fkField['FKApiSpec'][$keyColumn])) {
ab039e22	235	// Join doesn't exist - might be another param with a dot in it for some reason, we'll just ignore it.
69aae315 CW	236	return NULL;
	237	}
	238	$fkTable = \CRM_Core_DAO_AllCoreTables::getTableForClass($fkField['FKClassName']);
b53bcc5d	239	$tableAlias = implode('_to_', $subStack) . "_to_$fkTable";
69aae315	240
d343069c	241	// Add acl condition
2cfe873c	242	$joinCondition = array_merge(
c64f69d9	243	["$prev.$fk = $tableAlias.$keyColumn"],
2cfe873c CW	244	$this->getAclClause($tableAlias, \_civicrm_api3_get_BAO($fkField['FKApiName']), $subStack)
2cfe873c CW	245	);
d343069c	246
9c846e15 CW	247	if (!empty($fkField['FKCondition'])) {
	248	$joinCondition[] = str_replace($fkTable, $tableAlias, $fkField['FKCondition']);
	249	}
	250
2cfe873c	251	$this->join($side, $fkTable, $tableAlias, $joinCondition);
69aae315 CW	252
69aae315 CW	253	if (strpos($fieldName, 'custom_') === 0) {
2cfe873c	254	list($tableAlias, $fieldName) = $this->addCustomField($fieldInfo, $side, $tableAlias);
69aae315 CW	255	}
	256
	257	// Get ready to recurse to the next level
	258	$fk = $fieldName;
	259	$fkField = &$fkField['FKApiSpec'][$fieldName];
	260	$prev = $tableAlias;
	261	}
c64f69d9	262	return [$tableAlias, $fieldName];
69aae315 CW	263	}
69aae315 CW	264
466fce54	265	/**
9c846e15	266	* Get join info for dynamically-joined fields (e.g. "entity_id", "option_group")
466fce54 CW	267	*
	268	* @param $fkField
	269	* @param $stack
	270	*/
	271	protected function getJoinInfo(&$fkField, $stack) {
	272	if ($fkField['name'] == 'entity_id') {
	273	$entityTableParam = substr(implode('.', $stack), 0, -2) . 'table';
	274	$entityTable = \CRM_Utils_Array::value($entityTableParam, $this->where);
	275	if ($entityTable && is_string($entityTable) && \CRM_Core_DAO_AllCoreTables::getClassForTable($entityTable)) {
	276	$fkField['FKClassName'] = \CRM_Core_DAO_AllCoreTables::getClassForTable($entityTable);
	277	$fkField['FKApiName'] = \CRM_Core_DAO_AllCoreTables::getBriefName($fkField['FKClassName']);
	278	}
	279	}
9c846e15 CW	280	if (!empty($fkField['pseudoconstant']['optionGroupName'])) {
	281	$fkField['FKClassName'] = 'CRM_Core_DAO_OptionValue';
	282	$fkField['FKApiName'] = 'OptionValue';
	283	$fkField['FKKeyColumn'] = 'value';
	284	$fkField['FKCondition'] = "civicrm_option_value.option_group_id = (SELECT id FROM civicrm_option_group WHERE name = '{$fkField['pseudoconstant']['optionGroupName']}')";
	285	}
466fce54 CW	286	}
466fce54 CW	287
69aae315 CW	288	/**
	289	* Joins onto a custom field
	290	*
	291	* Adds a join to the query to make this field available for use in a clause.
	292	*
	293	* @param array $customField
2cfe873c	294	* @param string $side
69aae315 CW	295	* @param string $baseTable
	296	* @return array
	297	* Returns the table and field name for adding this field to a SELECT or WHERE clause
	298	*/
8bcc0d86	299	protected function addCustomField($customField, $side, $baseTable = self::MAIN_TABLE_ALIAS) {
69aae315 CW	300	$tableName = $customField["table_name"];
	301	$columnName = $customField["column_name"];
	302	$tableAlias = "{$baseTable}_to_$tableName";
c64f69d9 CW	303	$this->join($side, $tableName, $tableAlias, ["`$tableAlias`.entity_id = `$baseTable`.id"]);
c64f69d9 CW	304	return [$tableAlias, $columnName];
69aae315 CW	305	}
	306
	307	/**
	308	* Fetch a field from the getFields list
	309	*
69aae315 CW	310	* @param string $fieldName
	311	* @return array\|null
	312	*/
8bcc0d86	313	abstract protected function getField($fieldName);
69aae315	314
48488ea3	315	/**
2fa03859 CW	316	* Perform input validation on params that use the join syntax
	317	*
	318	* Arguably this should be done at the api wrapper level, but doing it here provides a bit more consistency
	319	* in that api permissions to perform the join are checked first.
48488ea3 CW	320	*
	321	* @param $fieldName
	322	* @param $value
	323	* @throws \Exception
	324	*/
8bcc0d86	325	protected function validateNestedInput($fieldName, &$value) {
48488ea3 CW	326	$stack = explode('.', $fieldName);
	327	$spec = $this->apiFieldSpec;
	328	$fieldName = array_pop($stack);
	329	foreach ($stack as $depth => $name) {
	330	$entity = $spec[$name]['FKApiName'];
	331	$spec = $spec[$name]['FKApiSpec'];
	332	}
c64f69d9	333	$params = [$fieldName => $value];
2fa03859 CW	334	\_civicrm_api3_validate_fields($entity, 'get', $params, $spec);
2fa03859 CW	335	$value = $params[$fieldName];
48488ea3 CW	336	}
48488ea3 CW	337
a762b380 CW	338	/**
	339	* Check permission to join onto another api entity
	340	*
	341	* @param string $entity
	342	* @param array $fieldStack
	343	* The stack of fields leading up to this join
	344	* @return bool
	345	*/
8bcc0d86	346	protected function checkPermissionToJoin($entity, $fieldStack) {
d343069c	347	if (!$this->checkPermissions) {
a762b380 CW	348	return TRUE;
	349	}
	350	// Build an array of params that relate to the joined entity
c64f69d9	351	$params = [
a762b380	352	'version' => 3,
c64f69d9	353	'return' => [],
d343069c	354	'check_permissions' => $this->checkPermissions,
c64f69d9	355	];
a762b380 CW	356	$prefix = implode('.', $fieldStack) . '.';
a762b380 CW	357	$len = strlen($prefix);
8bcc0d86	358	foreach ($this->select as $key => $ret) {
a762b380 CW	359	if (strpos($key, $prefix) === 0) {
	360	$params['return'][substr($key, $len)] = $ret;
	361	}
	362	}
8bcc0d86	363	foreach ($this->where as $key => $param) {
a762b380 CW	364	if (strpos($key, $prefix) === 0) {
	365	$params[substr($key, $len)] = $param;
	366	}
	367	}
	368
	369	return \Civi::service('civi_api_kernel')->runAuthorize($entity, 'get', $params);
	370	}
	371
188fd46b	372	/**
d343069c CW	373	* Get acl clause for an entity
	374	*
	375	* @param string $tableAlias
6c051493	376	* @param string $baoName
b53bcc5d	377	* @param array $stack
2cfe873c	378	* @return array
188fd46b	379	*/
c64f69d9	380	protected function getAclClause($tableAlias, $baoName, $stack = []) {
d343069c	381	if (!$this->checkPermissions) {
c64f69d9	382	return [];
d343069c	383	}
b53bcc5d CW	384	// Prevent (most) redundant acl sub clauses if they have already been applied to the main entity.
	385	// FIXME: Currently this only works 1 level deep, but tracking through multiple joins would increase complexity
	386	// and just doing it for the first join takes care of most acl clause deduping.
	387	if (count($stack) === 1 && in_array($stack[0], $this->aclFields)) {
c64f69d9	388	return [];
b53bcc5d	389	}
20e41014	390	$clauses = $baoName::getSelectWhereClause($tableAlias);
6c051493 CW	391	if (!$stack) {
	392	// Track field clauses added to the main entity
	393	$this->aclFields = array_keys($clauses);
b53bcc5d	394	}
2cfe873c	395	return array_filter($clauses);
188fd46b CW	396	}
188fd46b CW	397
530c3791 CW	398	/**
	399	* Orders the query by one or more fields
	400	*
530c3791 CW	401	* @throws \API_Exception
	402	* @throws \Civi\API\Exception\UnauthorizedException
	403	*/
8bcc0d86	404	protected function buildOrderBy() {
8bcc0d86	405	$sortParams = is_string($this->orderBy) ? explode(',', $this->orderBy) : (array) $this->orderBy;
4c6cc364 CW	406	foreach ($sortParams as $index => $item) {
	407	$item = trim($item);
	408	if ($item == '(1)') {
	409	continue;
	410	}
	411	$words = preg_split("/[\s]+/", $item);
530c3791 CW	412	if ($words) {
	413	// Direction defaults to ASC unless DESC is specified
	414	$direction = strtoupper(\CRM_Utils_Array::value(1, $words, '')) == 'DESC' ? ' DESC' : '';
	415	$field = $this->getField($words[0]);
	416	if ($field) {
4c6cc364	417	$this->query->orderBy(self::MAIN_TABLE_ALIAS . '.' . $field['name'] . $direction, NULL, $index);
530c3791 CW	418	}
530c3791 CW	419	elseif (strpos($words[0], '.')) {
2cfe873c	420	$join = $this->addFkField($words[0], 'LEFT');
530c3791	421	if ($join) {
4c6cc364	422	$this->query->orderBy("`{$join[0]}`.`{$join[1]}`$direction", NULL, $index);
530c3791 CW	423	}
	424	}
	425	else {
	426	throw new \API_Exception("Unknown field specified for sort. Cannot order by '$item'");
	427	}
	428	}
	429	}
530c3791 CW	430	}
530c3791 CW	431
2cfe873c CW	432	/**
	433	* @param string $side
	434	* @param string $tableName
	435	* @param string $tableAlias
	436	* @param array $conditions
	437	*/
	438	public function join($side, $tableName, $tableAlias, $conditions) {
	439	// INNER JOINs take precedence over LEFT JOINs
	440	if ($side != 'LEFT' \|\| !isset($this->joins[$tableAlias])) {
	441	$this->joins[$tableAlias] = $side;
	442	$this->query->join($tableAlias, "$side JOIN `$tableName` `$tableAlias` ON " . implode(' AND ', $conditions));
	443	}
	444	}
	445
8bcc0d86 CW	446	/**
	447	* Populate where clauses
	448	*
	449	* @throws \Civi\API\Exception\UnauthorizedException
	450	* @throws \Exception
	451	*/
	452	abstract protected function buildWhereClause();
	453
	454	/**
	455	* Populate $this->selectFields
	456	*
	457	* @throws \Civi\API\Exception\UnauthorizedException
	458	*/
	459	protected function buildSelectFields() {
	460	$return_all_fields = (empty($this->select) \|\| !is_array($this->select));
	461	$return = $return_all_fields ? $this->entityFieldNames : $this->select;
	462	if ($return_all_fields \|\| in_array('custom', $this->select)) {
	463	foreach (array_keys($this->apiFieldSpec) as $fieldName) {
	464	if (strpos($fieldName, 'custom_') === 0) {
	465	$return[] = $fieldName;
	466	}
	467	}
	468	}
	469
523c222f	470	// Always select the ID if the table has one.
	471	if (array_key_exists('id', $this->apiFieldSpec)) {
	472	$this->selectFields[self::MAIN_TABLE_ALIAS . ".id"] = "id";
	473	}
8bcc0d86 CW	474
	475	// core return fields
	476	foreach ($return as $fieldName) {
	477	$field = $this->getField($fieldName);
	478	if ($field && in_array($field['name'], $this->entityFieldNames)) {
	479	$this->selectFields[self::MAIN_TABLE_ALIAS . ".{$field['name']}"] = $field['name'];
	480	}
	481	elseif (strpos($fieldName, '.')) {
	482	$fkField = $this->addFkField($fieldName, 'LEFT');
	483	if ($fkField) {
	484	$this->selectFields[implode('.', $fkField)] = $fieldName;
	485	}
	486	}
	487	elseif ($field && strpos($fieldName, 'custom_') === 0) {
	488	list($table_name, $column_name) = $this->addCustomField($field, 'LEFT');
	489
	490	if ($field['data_type'] != 'ContactReference') {
	491	// 'ordinary' custom field. We will select the value as custom_XX.
	492	$this->selectFields["$table_name.$column_name"] = $fieldName;
	493	}
	494	else {
	495	// contact reference custom field. The ID will be stored in custom_XX_id.
	496	// custom_XX will contain the sort name of the contact.
	497	$this->query->join("c_$fieldName", "LEFT JOIN civicrm_contact c_$fieldName ON c_$fieldName.id = `$table_name`.`$column_name`");
	498	$this->selectFields["$table_name.$column_name"] = $fieldName . "_id";
	499	// We will call the contact table for the join c_XX.
	500	$this->selectFields["c_$fieldName.sort_name"] = $fieldName;
	501	}
	502	}
	503	}
	504	}
	505
	506	/**
	507	* Load entity fields
	508	* @return array
	509	*/
	510	abstract protected function getFields();
	511
e47bcddb	512	}