Commit | Line | Data |
---|---|---|
d0c9daa4 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
fee14197 | 4 | | CiviCRM version 5 | |
d0c9daa4 | 5 | +--------------------------------------------------------------------+ |
6b83d5bd | 6 | | Copyright CiviCRM LLC (c) 2004-2019 | |
d0c9daa4 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
d25dd0ee | 26 | */ |
d0c9daa4 TO |
27 | |
28 | namespace Civi\API\Subscriber; | |
46bcf597 | 29 | |
d0c9daa4 TO |
30 | use Civi\API\Events; |
31 | use Symfony\Component\EventDispatcher\EventSubscriberInterface; | |
32 | ||
33 | /** | |
8882ff5c TO |
34 | * For any API requests that correspond to a Doctrine entity |
35 | * ($apiRequest['doctrineClass']), check permissions specified in | |
36 | * Civi\API\Annotation\Permission. | |
d0c9daa4 TO |
37 | */ |
38 | class PermissionCheck implements EventSubscriberInterface { | |
6550386a EM |
39 | /** |
40 | * @return array | |
41 | */ | |
d0c9daa4 TO |
42 | public static function getSubscribedEvents() { |
43 | return array( | |
44 | Events::AUTHORIZE => array( | |
45 | array('onApiAuthorize', Events::W_LATE), | |
46 | ), | |
47 | ); | |
48 | } | |
49 | ||
6550386a EM |
50 | /** |
51 | * @param \Civi\API\Event\AuthorizeEvent $event | |
8882ff5c | 52 | * API authorization event. |
6550386a EM |
53 | * |
54 | * @throws \Civi\API\Exception\UnauthorizedException | |
55 | */ | |
d0c9daa4 TO |
56 | public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) { |
57 | $apiRequest = $event->getApiRequest(); | |
58 | if ($apiRequest['version'] < 4) { | |
59 | // return early unless we’re told explicitly to do the permission check | |
60 | if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) { | |
61 | $event->authorize(); | |
62 | $event->stopPropagation(); | |
63 | return; | |
64 | } | |
65 | ||
66 | require_once 'CRM/Core/DAO/permissions.php'; | |
67 | $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']); | |
68 | ||
69 | // $params might’ve been reset by the alterAPIPermissions() hook | |
70 | if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) { | |
71 | $event->authorize(); | |
72 | $event->stopPropagation(); | |
73 | return; | |
74 | } | |
75 | ||
bc5585af | 76 | if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) { |
d0c9daa4 | 77 | if (is_array($permissions)) { |
829072f0 MM |
78 | foreach ($permissions as &$permission) { |
79 | if (is_array($permission)) { | |
80 | $permission = '( ' . implode(' or ', $permission) . ' )'; | |
81 | } | |
82 | } | |
d0c9daa4 TO |
83 | $permissions = implode(' and ', $permissions); |
84 | } | |
8882ff5c TO |
85 | // FIXME: Generating the exception ourselves allows for detailed error |
86 | // but doesn't play well with multiple authz subscribers. | |
fedf821c | 87 | throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions"); |
d0c9daa4 TO |
88 | } |
89 | ||
90 | $event->authorize(); | |
91 | $event->stopPropagation(); | |
92 | } | |
8bcc0d86 CW |
93 | elseif ($apiRequest['version'] == 4) { |
94 | if (!$apiRequest->getCheckPermissions()) { | |
95 | $event->authorize(); | |
96 | $event->stopPropagation(); | |
97 | } | |
98 | } | |
d0c9daa4 | 99 | } |
96025800 | 100 | |
bc5585af | 101 | /** |
c90c8245 | 102 | * Check API for ACL permission. |
103 | * | |
104 | * @param array $apiRequest | |
105 | * | |
106 | * @return bool | |
107 | */ | |
bc5585af | 108 | public function checkACLPermission($apiRequest) { |
a909a20c | 109 | switch ($apiRequest['entity']) { |
bc5585af | 110 | case 'UFGroup': |
111 | case 'UFField': | |
112 | $ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id'); | |
113 | $aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups); | |
114 | $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups); | |
115 | $ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id']; | |
116 | if (in_array($ufGroupId, $aclEdit) or $aclCreate) { | |
117 | return TRUE; | |
118 | } | |
119 | break; | |
e68f2900 WA |
120 | |
121 | //CRM-16777: Disable schedule reminder with ACLs. | |
122 | case 'ActionSchedule': | |
123 | $events = \CRM_Event_BAO_Event::getEvents(); | |
124 | $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $events); | |
0a63dad5 | 125 | $param = array('id' => $apiRequest['params']['id']); |
e68f2900 WA |
126 | $eventId = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value = array()); |
127 | if (in_array($eventId->entity_value, $aclEdit)) { | |
128 | return TRUE; | |
129 | } | |
130 | break; | |
bc5585af | 131 | } |
132 | ||
133 | return FALSE; | |
134 | } | |
135 | ||
6550386a | 136 | } |