[civicrm-core.git] / Civi / API / Subscriber / PermissionCheck.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 5                                                  |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2019                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

namespace Civi\API\Subscriber;

use Civi\API\Events;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * For any API requests that correspond to a Doctrine entity
 * ($apiRequest['doctrineClass']), check permissions specified in
 * Civi\API\Annotation\Permission.
 */
class PermissionCheck implements EventSubscriberInterface {

  /**
   * @return array
   */
  public static function getSubscribedEvents() {
    return [
      Events::AUTHORIZE => [
        ['onApiAuthorize', Events::W_LATE],
      ],
    ];
  }

  /**
   * @param \Civi\API\Event\AuthorizeEvent $event
   *   API authorization event.
   *
   * @throws \Civi\API\Exception\UnauthorizedException
   */
  public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
    $apiRequest = $event->getApiRequest();
    if ($apiRequest['version'] < 4) {
      // return early unless we’re told explicitly to do the permission check
      if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
        $event->authorize();
        $event->stopPropagation();
        return;
      }

      require_once 'CRM/Core/DAO/permissions.php';
      $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);

      // $params might’ve been reset by the alterAPIPermissions() hook
      if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
        $event->authorize();
        $event->stopPropagation();
        return;
      }

      if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) {
        if (is_array($permissions)) {
          foreach ($permissions as &$permission) {
            if (is_array($permission)) {
              $permission = '( ' . implode(' or ', $permission) . ' )';
            }
          }
          $permissions = implode(' and ', $permissions);
        }
        // FIXME: Generating the exception ourselves allows for detailed error
        // but doesn't play well with multiple authz subscribers.
        throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
      }

      $event->authorize();
      $event->stopPropagation();
    }
    elseif ($apiRequest['version'] == 4) {
      if (!$apiRequest->getCheckPermissions()) {
        $event->authorize();
        $event->stopPropagation();
      }
    }
  }

  /**
   * Check API for ACL permission.
   *
   * @param array $apiRequest
   *
   * @return bool
   */
  public function checkACLPermission($apiRequest) {
    switch ($apiRequest['entity']) {
      case 'UFGroup':
      case 'UFField':
        $ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
        $aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups);
        $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups);
        $ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
        if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
          return TRUE;
        }
        break;

      //CRM-16777: Disable schedule reminder with ACLs.
      case 'ActionSchedule':
        $events = \CRM_Event_BAO_Event::getEvents();
        $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $events);
        $param = ['id' => $apiRequest['params']['id']];
        $eventId = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value = []);
        if (in_array($eventId->entity_value, $aclEdit)) {
          return TRUE;
        }
        break;
    }

    return FALSE;
  }

}
Commit	Line	Data
d0c9daa4 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
fee14197	4	\| CiviCRM version 5 \|
d0c9daa4	5	+--------------------------------------------------------------------+
6b83d5bd	6	\| Copyright CiviCRM LLC (c) 2004-2019 \|
d0c9daa4 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
d25dd0ee	26	*/
d0c9daa4 TO	27
d0c9daa4 TO	28	namespace Civi\API\Subscriber;
46bcf597	29
d0c9daa4 TO	30	use Civi\API\Events;
	31	use Symfony\Component\EventDispatcher\EventSubscriberInterface;
	32
	33	/**
8882ff5c TO	34	* For any API requests that correspond to a Doctrine entity
	35	* ($apiRequest['doctrineClass']), check permissions specified in
	36	* Civi\API\Annotation\Permission.
d0c9daa4 TO	37	*/
d0c9daa4 TO	38	class PermissionCheck implements EventSubscriberInterface {
34f3bbd9	39
6550386a EM	40	/**
	41	* @return array
	42	*/
d0c9daa4	43	public static function getSubscribedEvents() {
c64f69d9 CW	44	return [
	45	Events::AUTHORIZE => [
	46	['onApiAuthorize', Events::W_LATE],
	47	],
	48	];
d0c9daa4 TO	49	}
d0c9daa4 TO	50
6550386a EM	51	/**
6550386a EM	52	* @param \Civi\API\Event\AuthorizeEvent $event
8882ff5c	53	* API authorization event.
6550386a EM	54	*
	55	* @throws \Civi\API\Exception\UnauthorizedException
	56	*/
d0c9daa4 TO	57	public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
	58	$apiRequest = $event->getApiRequest();
	59	if ($apiRequest['version'] < 4) {
	60	// return early unless we’re told explicitly to do the permission check
	61	if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
	62	$event->authorize();
	63	$event->stopPropagation();
	64	return;
	65	}
	66
	67	require_once 'CRM/Core/DAO/permissions.php';
	68	$permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
	69
	70	// $params might’ve been reset by the alterAPIPermissions() hook
	71	if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
	72	$event->authorize();
	73	$event->stopPropagation();
	74	return;
	75	}
	76
bc5585af	77	if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) {
d0c9daa4	78	if (is_array($permissions)) {
829072f0 MM	79	foreach ($permissions as &$permission) {
	80	if (is_array($permission)) {
	81	$permission = '( ' . implode(' or ', $permission) . ' )';
	82	}
	83	}
d0c9daa4 TO	84	$permissions = implode(' and ', $permissions);
d0c9daa4 TO	85	}
8882ff5c TO	86	// FIXME: Generating the exception ourselves allows for detailed error
8882ff5c TO	87	// but doesn't play well with multiple authz subscribers.
fedf821c	88	throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
d0c9daa4 TO	89	}
	90
	91	$event->authorize();
	92	$event->stopPropagation();
	93	}
8bcc0d86 CW	94	elseif ($apiRequest['version'] == 4) {
	95	if (!$apiRequest->getCheckPermissions()) {
	96	$event->authorize();
	97	$event->stopPropagation();
	98	}
	99	}
d0c9daa4	100	}
96025800	101
bc5585af	102	/**
c90c8245	103	* Check API for ACL permission.
	104	*
	105	* @param array $apiRequest
	106	*
	107	* @return bool
	108	*/
bc5585af	109	public function checkACLPermission($apiRequest) {
a909a20c	110	switch ($apiRequest['entity']) {
bc5585af	111	case 'UFGroup':
	112	case 'UFField':
	113	$ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
	114	$aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups);
	115	$aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups);
	116	$ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
	117	if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
	118	return TRUE;
	119	}
	120	break;
e68f2900 WA	121
	122	//CRM-16777: Disable schedule reminder with ACLs.
	123	case 'ActionSchedule':
	124	$events = \CRM_Event_BAO_Event::getEvents();
	125	$aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $events);
c64f69d9 CW	126	$param = ['id' => $apiRequest['params']['id']];
c64f69d9 CW	127	$eventId = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value = []);
e68f2900 WA	128	if (in_array($eventId->entity_value, $aclEdit)) {
	129	return TRUE;
	130	}
	131	break;
bc5585af	132	}
	133
	134	return FALSE;
	135	}
	136
6550386a	137	}