[civicrm-core.git] / ext / financialacls / financialacls.php

<?php

require_once 'financialacls.civix.php';
// phpcs:disable
use Civi\Api4\EntityFinancialAccount;
use Civi\Api4\MembershipType;
use CRM_Financialacls_ExtensionUtil as E;
// phpcs:enable

/**
 * Implements hook_civicrm_config().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config/
 */
function financialacls_civicrm_config(&$config) {
  _financialacls_civix_civicrm_config($config);
}

/**
 * @param \Symfony\Component\DependencyInjection\ContainerBuilder $container
 */
function financialacls_civicrm_container($container) {
  $dispatcherDefn = $container->getDefinition('dispatcher');
  $container->addResource(new \Symfony\Component\Config\Resource\FileResource(__FILE__));
  $dispatcherDefn->addMethodCall('addListener', ['civi.api4.authorizeRecord::Contribution', '_financialacls_civi_api4_authorizeContribution']);
}

/**
 * Implements hook_civicrm_install().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_install
 */
function financialacls_civicrm_install() {
  _financialacls_civix_civicrm_install();
}

/**
 * Implements hook_civicrm_postInstall().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
 */
function financialacls_civicrm_postInstall() {
  _financialacls_civix_civicrm_postInstall();
}

/**
 * Implements hook_civicrm_uninstall().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
 */
function financialacls_civicrm_uninstall() {
  _financialacls_civix_civicrm_uninstall();
}

/**
 * Implements hook_civicrm_enable().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
 */
function financialacls_civicrm_enable() {
  _financialacls_civix_civicrm_enable();
}

/**
 * Implements hook_civicrm_disable().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
 */
function financialacls_civicrm_disable() {
  _financialacls_civix_civicrm_disable();
}

/**
 * Implements hook_civicrm_upgrade().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
 */
function financialacls_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
  return _financialacls_civix_civicrm_upgrade($op, $queue);
}

/**
 * Implements hook_civicrm_entityTypes().
 *
 * Declare entity types provided by this module.
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
 */
function financialacls_civicrm_entityTypes(&$entityTypes) {
  _financialacls_civix_civicrm_entityTypes($entityTypes);
}

/**
 * Intervene to prevent deletion, where permissions block it.
 *
 * @param string $op
 * @param string $objectName
 * @param int|null $id
 * @param array $params
 *
 * @throws \API_Exception
 * @throws \CRM_Core_Exception
 */
function financialacls_civicrm_pre($op, $objectName, $id, &$params) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  if ($objectName === 'LineItem' && !empty($params['check_permissions'])) {
    $operationMap = ['delete' => CRM_Core_Action::DELETE, 'edit' => CRM_Core_Action::UPDATE, 'create' => CRM_Core_Action::ADD];
    CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types, $operationMap[$op]);
    if (empty($params['financial_type_id'])) {
      $params['financial_type_id'] = CRM_Core_DAO::getFieldValue('CRM_Price_DAO_LineItem', $params['id'], 'financial_type_id');
    }
    if (!array_key_exists($params['financial_type_id'], $types)) {
      throw new API_Exception('You do not have permission to ' . $op . ' this line item');
    }
  }
  if ($objectName === 'FinancialType' && !empty($params['id']) && !empty($params['name'])) {
    $prevName = CRM_Core_DAO::getFieldValue('CRM_Financial_DAO_FinancialType', $params['id']);
    if ($prevName !== $params['name']) {
      CRM_Core_Session::setStatus(ts("Changing the name of a Financial Type will result in losing the current permissions associated with that Financial Type.
            Before making this change you should likely note the existing permissions at Administer > Users and Permissions > Permissions (Access Control),
            then clicking the Access Control link for your Content Management System, then noting down the permissions for 'CiviCRM: {financial type name} view', etc.
            Then after making the change of name, reset the permissions to the way they were."), ts('Warning'), 'warning');
    }
  }
}

/**
 * Implements hook_civicrm_selectWhereClause().
 *
 * @link http://wiki.civicrm.org/confluence/display/CRMDOC/hook_civicrm_selectWhereClause
 */
function financialacls_civicrm_selectWhereClause($entity, &$clauses) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }

  switch ($entity) {
    case 'LineItem':
    case 'MembershipType':
    case 'ContributionRecur':
    case 'Contribution':
      $clauses['financial_type_id'] = _financialacls_civicrm_get_type_clause();
      break;

    case 'Membership':
      $clauses['membership_type_id'] = _financialacls_civicrm_get_membership_type_clause();
      break;

    case 'FinancialType':
      $clauses['id'] = _financialacls_civicrm_get_type_clause();
      break;

    case 'FinancialAccount':
      $clauses['id'] = _financialacls_civicrm_get_accounts_clause();
      break;

  }

}

/**
 * Get the clause to limit available types.
 *
 * @return string
 */
function _financialacls_civicrm_get_accounts_clause(): string {
  if (!isset(Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()])) {
    try {
      $clause = '= 0';
      Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()] = &$clause;
      $accounts = (array) EntityFinancialAccount::get()
        ->addWhere('account_relationship:name', '=', 'Income Account is')
        ->addWhere('entity_table', '=', 'civicrm_financial_type')
        ->addSelect('entity_id', 'financial_account_id')
        ->addJoin('FinancialType AS financial_type', 'LEFT', [
          'entity_id',
          '=',
          'financial_type.id',
        ])
        ->execute()->indexBy('financial_account_id');
      if (!empty($accounts)) {
        $clause = 'IN (' . implode(',', array_keys($accounts)) . ')';
      }
    }
    catch (\API_Exception $e) {
      // We've already set it to 0 so we can quietly handle this.
    }
  }
  return Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()];
}

/**
 * Get the clause to limit available types.
 *
 * @return string
 */
function _financialacls_civicrm_get_type_clause(): string {
  return 'IN (' . implode(',', _financialacls_civicrm_get_accessible_financial_types()) . ')';
}

/**
 * Get an array of the ids of accessible financial types.
 *
 * If none then it will be [0]
 *
 * @return int[]
 */
function _financialacls_civicrm_get_accessible_financial_types(): array {
  $types = [];
  CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types);
  if (empty($types)) {
    $types = [0];
  }
  return array_keys($types);
}

/**
 * Get the clause to limit available membership types.
 *
 * @return string
 *
 * @throws \API_Exception
 */
function _financialacls_civicrm_get_membership_type_clause(): string {
  $financialTypes = _financialacls_civicrm_get_accessible_financial_types();
  if ($financialTypes === [0]) {
    return 0;
  }
  $membershipTypes = (array) MembershipType::get(FALSE)
    ->addWhere('financial_type_id', 'IN', $financialTypes)->execute()->indexBy('id');
  return empty($membershipTypes) ? '= 0' : ('IN (' . implode(',', array_keys($membershipTypes)) . ')');
}

/**
 * Remove unpermitted options.
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_buildAmount
 *
 * @param string $component
 * @param \CRM_Core_Form $form
 * @param array $feeBlock
 */
function financialacls_civicrm_buildAmount($component, $form, &$feeBlock) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }

  foreach ($feeBlock as $key => $value) {
    foreach ($value['options'] as $k => $options) {
      if (!CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($options['financial_type_id']))) {
        unset($feeBlock[$key]['options'][$k]);
      }
    }
    if (empty($feeBlock[$key]['options'])) {
      unset($feeBlock[$key]);
    }
  }
}

/**
 * Remove unpermitted membership types from selection availability..
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_membershipTypeValues
 *
 * @param \CRM_Core_Form $form
 * @param array $membershipTypeValues
 */
function financialacls_civicrm_membershipTypeValues($form, &$membershipTypeValues) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  $financialTypes = NULL;
  $financialTypes = CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($financialTypes, CRM_Core_Action::ADD);
  foreach ($membershipTypeValues as $id => $type) {
    if (!isset($financialTypes[$type['financial_type_id']])) {
      unset($membershipTypeValues[$id]);
    }
  }
}

/**
 * Add permissions.
 *
 * @see https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_permission/
 *
 * @param array $permissions
 */
function financialacls_civicrm_permission(&$permissions) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  $actions = [
    'add' => ts('add'),
    'view' => ts('view'),
    'edit' => ts('edit'),
    'delete' => ts('delete'),
  ];
  $financialTypes = \CRM_Contribute_BAO_Contribution::buildOptions('financial_type_id', 'validate');
  foreach ($financialTypes as $id => $type) {
    foreach ($actions as $action => $action_ts) {
      $permissions[$action . ' contributions of type ' . $type] = [
        ts("CiviCRM: %1 contributions of type %2", [1 => $action_ts, 2 => $type]),
        ts('%1 contributions of type %2', [1 => $action_ts, 2 => $type]),
      ];
    }
  }
  $permissions['administer CiviCRM Financial Types'] = [
    ts('CiviCRM: administer CiviCRM Financial Types'),
    ts('Administer access to Financial Types'),
  ];
}

/**
 * Listener for 'civi.api4.authorizeRecord::Contribution'
 *
 * @param \Civi\Api4\Event\AuthorizeRecordEvent $e
 * @throws \CRM_Core_Exception
 */
function _financialacls_civi_api4_authorizeContribution(\Civi\Api4\Event\AuthorizeRecordEvent $e) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  if ($e->getEntityName() === 'Contribution') {
    $contributionID = $e->getRecord()['id'] ?? NULL;
    $financialTypeID = $e->getRecord()['financial_type_id'] ?? CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $contributionID, 'financial_type_id');
    if (!CRM_Core_Permission::check(_financialacls_getRequiredPermission($financialTypeID, $e->getActionName()), $e->getUserID())) {
      $e->setAuthorized(FALSE);
    }
    if ($e->getActionName() === 'delete') {
      // First check contribution financial type
      // Now check permissioned line items & permissioned contribution
      if (!CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE, $e->getUserID())
      ) {
        $e->setAuthorized(FALSE);
      }
    }
  }
}

/**
 * Get the permission required to perform this action on this financial type.
 *
 * @param int $financialTypeID
 * @param string $action
 *
 * @return string
 */
function _financialacls_getRequiredPermission(int $financialTypeID, string $action): string {
  $financialType = CRM_Core_PseudoConstant::getName('CRM_Contribute_DAO_Contribution', 'financial_type_id', $financialTypeID);
  $actionMap = [
    'create' => 'add',
    'update' => 'edit',
    'delete' => 'delete',
  ];
  return $actionMap[$action] . ' contributions of type ' . $financialType;
}

/**
 * Remove unpermitted financial types from field Options in search context.
 *
 * Search context is described as
 * 'search' => "search: searchable options are returned; labels are translated.",
 * So this is appropriate to removing the options from search screens.
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_fieldOptions
 *
 * @param string $entity
 * @param string $field
 * @param array $options
 * @param array $params
 */
function financialacls_civicrm_fieldOptions($entity, $field, &$options, $params) {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  if (in_array($entity, ['Contribution', 'ContributionRecur'], TRUE) && $field === 'financial_type_id' && $params['context'] === 'search') {
    $action = CRM_Core_Action::VIEW;
    // At this stage we are only considering the view action. Code from
    // CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes().
    $actions = [
      CRM_Core_Action::VIEW => 'view',
      CRM_Core_Action::UPDATE => 'edit',
      CRM_Core_Action::ADD => 'add',
      CRM_Core_Action::DELETE => 'delete',
    ];
    $cacheKey = 'available_types_' . $action;
    if (!isset(\Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey])) {
      foreach ($options as $finTypeId => $type) {
        if (!CRM_Core_Permission::check($actions[$action] . ' contributions of type ' . $type)) {
          unset($options[$finTypeId]);
        }
      }
      \Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey] = $options;
    }
    $options = \Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey];
  }
}

/**
 * Is financial acl limiting enabled.
 *
 * Once this extension is detangled enough to be optional this will go
 * and the status of the extension rather than the setting will dictate.
 *
 * @return bool
 */
function financialacls_is_acl_limiting_enabled(): bool {
  return (bool) Civi::settings()->get('acl_financial_type');
}

/**
 * Clear the statics cache when the setting is enabled or disabled.
 *
 * Note the setting will eventually disappear in favour of whether
 * the extension is enabled or disabled.
 */
function financialacls_toggle() {
  unset(\Civi::$statics['CRM_Financial_BAO_FinancialType']);
}

// --- Functions below this ship commented out. Uncomment as required. ---

/**
 * Implements hook_civicrm_preProcess().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess
 */
//function financialacls_civicrm_preProcess($formName, &$form) {
//
//}

/**
 * Require financial acl permissions for financial screens.
 *
 * @param array $menu
 */
function financialacls_civicrm_alterMenu(array &$menu): void {
  if (!financialacls_is_acl_limiting_enabled()) {
    return;
  }
  $menu['civicrm/admin/financial/financialType']['access_arguments'] = [['administer CiviCRM Financial Types']];
}

/**
 * Implements hook_civicrm_navigationMenu().
 *
 * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu
 */
//function financialacls_civicrm_navigationMenu(&$menu) {
//  _financialacls_civix_insert_navigation_menu($menu, 'Mailings', array(
//    'label' => E::ts('New subliminal message'),
//    'name' => 'mailing_subliminal_message',
//    'url' => 'civicrm/mailing/subliminal',
//    'permission' => 'access CiviMail',
//    'operator' => 'OR',
//    'separator' => 0,
//  ));
//  _financialacls_civix_navigationMenu($menu);
//}
Commit	Line	Data
e7339d59	1	<?php
	2
	3	require_once 'financialacls.civix.php';
	4	// phpcs:disable
87e130bb	5	use Civi\Api4\EntityFinancialAccount;
56f5e9db	6	use Civi\Api4\MembershipType;
e7339d59	7	use CRM_Financialacls_ExtensionUtil as E;
	8	// phpcs:enable
	9
	10	/**
	11	* Implements hook_civicrm_config().
	12	*
	13	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config/
	14	*/
	15	function financialacls_civicrm_config(&$config) {
	16	_financialacls_civix_civicrm_config($config);
	17	}
	18
af4cccf7 TO	19	/**
	20	* @param \Symfony\Component\DependencyInjection\ContainerBuilder $container
	21	*/
	22	function financialacls_civicrm_container($container) {
	23	$dispatcherDefn = $container->getDefinition('dispatcher');
	24	$container->addResource(new \Symfony\Component\Config\Resource\FileResource(__FILE__));
	25	$dispatcherDefn->addMethodCall('addListener', ['civi.api4.authorizeRecord::Contribution', '_financialacls_civi_api4_authorizeContribution']);
	26	}
	27
e7339d59	28	/**
	29	* Implements hook_civicrm_install().
	30	*
	31	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_install
	32	*/
	33	function financialacls_civicrm_install() {
	34	_financialacls_civix_civicrm_install();
	35	}
	36
	37	/**
	38	* Implements hook_civicrm_postInstall().
	39	*
	40	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
	41	*/
	42	function financialacls_civicrm_postInstall() {
	43	_financialacls_civix_civicrm_postInstall();
	44	}
	45
	46	/**
	47	* Implements hook_civicrm_uninstall().
	48	*
	49	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
	50	*/
	51	function financialacls_civicrm_uninstall() {
	52	_financialacls_civix_civicrm_uninstall();
	53	}
	54
	55	/**
	56	* Implements hook_civicrm_enable().
	57	*
	58	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
	59	*/
	60	function financialacls_civicrm_enable() {
	61	_financialacls_civix_civicrm_enable();
	62	}
	63
	64	/**
	65	* Implements hook_civicrm_disable().
	66	*
	67	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
	68	*/
	69	function financialacls_civicrm_disable() {
	70	_financialacls_civix_civicrm_disable();
	71	}
	72
	73	/**
	74	* Implements hook_civicrm_upgrade().
	75	*
	76	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
	77	*/
	78	function financialacls_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
	79	return _financialacls_civix_civicrm_upgrade($op, $queue);
	80	}
	81
e7339d59	82	/**
	83	* Implements hook_civicrm_entityTypes().
	84	*
	85	* Declare entity types provided by this module.
	86	*
	87	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
	88	*/
	89	function financialacls_civicrm_entityTypes(&$entityTypes) {
	90	_financialacls_civix_civicrm_entityTypes($entityTypes);
	91	}
	92
b82fb202	93	/**
	94	* Intervene to prevent deletion, where permissions block it.
	95	*
aeee327d	96	* @param string $op
b82fb202	97	* @param string $objectName
	98	* @param int\|null $id
	99	* @param array $params
	100	*
	101	* @throws \API_Exception
	102	* @throws \CRM_Core_Exception
	103	*/
	104	function financialacls_civicrm_pre($op, $objectName, $id, &$params) {
34509ae3	105	if (!financialacls_is_acl_limiting_enabled()) {
	106	return;
	107	}
aeee327d	108	if ($objectName === 'LineItem' && !empty($params['check_permissions'])) {
34509ae3	109	$operationMap = ['delete' => CRM_Core_Action::DELETE, 'edit' => CRM_Core_Action::UPDATE, 'create' => CRM_Core_Action::ADD];
	110	CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types, $operationMap[$op]);
	111	if (empty($params['financial_type_id'])) {
	112	$params['financial_type_id'] = CRM_Core_DAO::getFieldValue('CRM_Price_DAO_LineItem', $params['id'], 'financial_type_id');
	113	}
c3f7ab62	114	if (!array_key_exists($params['financial_type_id'], $types)) {
34509ae3	115	throw new API_Exception('You do not have permission to ' . $op . ' this line item');
b82fb202	116	}
b82fb202	117	}
d646594f	118	if ($objectName === 'FinancialType' && !empty($params['id']) && !empty($params['name'])) {
	119	$prevName = CRM_Core_DAO::getFieldValue('CRM_Financial_DAO_FinancialType', $params['id']);
	120	if ($prevName !== $params['name']) {
	121	CRM_Core_Session::setStatus(ts("Changing the name of a Financial Type will result in losing the current permissions associated with that Financial Type.
	122	Before making this change you should likely note the existing permissions at Administer > Users and Permissions > Permissions (Access Control),
	123	then clicking the Access Control link for your Content Management System, then noting down the permissions for 'CiviCRM: {financial type name} view', etc.
	124	Then after making the change of name, reset the permissions to the way they were."), ts('Warning'), 'warning');
	125	}
	126	}
b82fb202	127	}
b82fb202	128
28188a1e	129	/**
	130	* Implements hook_civicrm_selectWhereClause().
	131	*
	132	* @link http://wiki.civicrm.org/confluence/display/CRMDOC/hook_civicrm_selectWhereClause
	133	*/
	134	function financialacls_civicrm_selectWhereClause($entity, &$clauses) {
34509ae3	135	if (!financialacls_is_acl_limiting_enabled()) {
	136	return;
	137	}
2dc76e8d MW	138
	139	switch ($entity) {
	140	case 'LineItem':
	141	case 'MembershipType':
f4a72e8d	142	case 'ContributionRecur':
00d50ac2	143	case 'Contribution':
87e130bb EM	144	$clauses['financial_type_id'] = _financialacls_civicrm_get_type_clause();
	145	break;
	146
56f5e9db EM	147	case 'Membership':
	148	$clauses['membership_type_id'] = _financialacls_civicrm_get_membership_type_clause();
	149	break;
	150
87e130bb EM	151	case 'FinancialType':
	152	$clauses['id'] = _financialacls_civicrm_get_type_clause();
	153	break;
	154
	155	case 'FinancialAccount':
	156	$clauses['id'] = _financialacls_civicrm_get_accounts_clause();
2dc76e8d MW	157	break;
2dc76e8d MW	158
28188a1e	159	}
	160
	161	}
	162
87e130bb EM	163	/**
	164	* Get the clause to limit available types.
	165	*
	166	* @return string
	167	*/
	168	function _financialacls_civicrm_get_accounts_clause(): string {
	169	if (!isset(Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()])) {
	170	try {
	171	$clause = '= 0';
	172	Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()] = &$clause;
	173	$accounts = (array) EntityFinancialAccount::get()
	174	->addWhere('account_relationship:name', '=', 'Income Account is')
	175	->addWhere('entity_table', '=', 'civicrm_financial_type')
	176	->addSelect('entity_id', 'financial_account_id')
	177	->addJoin('FinancialType AS financial_type', 'LEFT', [
	178	'entity_id',
	179	'=',
	180	'financial_type.id',
	181	])
	182	->execute()->indexBy('financial_account_id');
	183	if (!empty($accounts)) {
	184	$clause = 'IN (' . implode(',', array_keys($accounts)) . ')';
	185	}
	186	}
	187	catch (\API_Exception $e) {
	188	// We've already set it to 0 so we can quietly handle this.
	189	}
	190	}
	191	return Civi::$statics['financial_acls'][__FUNCTION__][CRM_Core_Session::getLoggedInContactID()];
	192	}
	193
	194	/**
	195	* Get the clause to limit available types.
	196	*
	197	* @return string
	198	*/
	199	function _financialacls_civicrm_get_type_clause(): string {
56f5e9db EM	200	return 'IN (' . implode(',', _financialacls_civicrm_get_accessible_financial_types()) . ')';
	201	}
	202
	203	/**
	204	* Get an array of the ids of accessible financial types.
	205	*
	206	* If none then it will be [0]
	207	*
	208	* @return int[]
	209	*/
	210	function _financialacls_civicrm_get_accessible_financial_types(): array {
87e130bb EM	211	$types = [];
87e130bb EM	212	CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types);
56f5e9db EM	213	if (empty($types)) {
	214	$types = [0];
	215	}
	216	return array_keys($types);
	217	}
	218
	219	/**
	220	* Get the clause to limit available membership types.
	221	*
	222	* @return string
	223	*
	224	* @throws \API_Exception
	225	*/
	226	function _financialacls_civicrm_get_membership_type_clause(): string {
	227	$financialTypes = _financialacls_civicrm_get_accessible_financial_types();
	228	if ($financialTypes === [0]) {
	229	return 0;
87e130bb	230	}
56f5e9db EM	231	$membershipTypes = (array) MembershipType::get(FALSE)
	232	->addWhere('financial_type_id', 'IN', $financialTypes)->execute()->indexBy('id');
	233	return empty($membershipTypes) ? '= 0' : ('IN (' . implode(',', array_keys($membershipTypes)) . ')');
87e130bb EM	234	}
87e130bb EM	235
07d89c14	236	/**
34509ae3	237	* Remove unpermitted options.
07d89c14	238	*
	239	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_buildAmount
	240	*
	241	* @param string $component
	242	* @param \CRM_Core_Form $form
	243	* @param array $feeBlock
	244	*/
	245	function financialacls_civicrm_buildAmount($component, $form, &$feeBlock) {
34509ae3	246	if (!financialacls_is_acl_limiting_enabled()) {
	247	return;
	248	}
	249
	250	foreach ($feeBlock as $key => $value) {
	251	foreach ($value['options'] as $k => $options) {
	252	if (!CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($options['financial_type_id']))) {
	253	unset($feeBlock[$key]['options'][$k]);
07d89c14	254	}
07d89c14	255	}
34509ae3	256	if (empty($feeBlock[$key]['options'])) {
	257	unset($feeBlock[$key]);
	258	}
07d89c14	259	}
	260	}
	261
e9eed3db	262	/**
	263	* Remove unpermitted membership types from selection availability..
	264	*
	265	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_membershipTypeValues
	266	*
	267	* @param \CRM_Core_Form $form
	268	* @param array $membershipTypeValues
	269	*/
	270	function financialacls_civicrm_membershipTypeValues($form, &$membershipTypeValues) {
34509ae3	271	if (!financialacls_is_acl_limiting_enabled()) {
	272	return;
	273	}
e9eed3db	274	$financialTypes = NULL;
	275	$financialTypes = CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($financialTypes, CRM_Core_Action::ADD);
	276	foreach ($membershipTypeValues as $id => $type) {
	277	if (!isset($financialTypes[$type['financial_type_id']])) {
	278	unset($membershipTypeValues[$id]);
	279	}
	280	}
	281	}
	282
4e0bf3e8	283	/**
	284	* Add permissions.
	285	*
	286	* @see https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_permission/
	287	*
	288	* @param array $permissions
	289	*/
	290	function financialacls_civicrm_permission(&$permissions) {
	291	if (!financialacls_is_acl_limiting_enabled()) {
	292	return;
	293	}
	294	$actions = [
	295	'add' => ts('add'),
	296	'view' => ts('view'),
	297	'edit' => ts('edit'),
	298	'delete' => ts('delete'),
	299	];
	300	$financialTypes = \CRM_Contribute_BAO_Contribution::buildOptions('financial_type_id', 'validate');
	301	foreach ($financialTypes as $id => $type) {
	302	foreach ($actions as $action => $action_ts) {
	303	$permissions[$action . ' contributions of type ' . $type] = [
	304	ts("CiviCRM: %1 contributions of type %2", [1 => $action_ts, 2 => $type]),
	305	ts('%1 contributions of type %2', [1 => $action_ts, 2 => $type]),
	306	];
	307	}
	308	}
	309	$permissions['administer CiviCRM Financial Types'] = [
	310	ts('CiviCRM: administer CiviCRM Financial Types'),
	311	ts('Administer access to Financial Types'),
	312	];
	313	}
	314
9cef6066	315	/**
af4cccf7	316	* Listener for 'civi.api4.authorizeRecord::Contribution'
9cef6066	317	*
af4cccf7	318	* @param \Civi\Api4\Event\AuthorizeRecordEvent $e
9cef6066	319	* @throws \CRM_Core_Exception
9cef6066	320	*/
af4cccf7	321	function _financialacls_civi_api4_authorizeContribution(\Civi\Api4\Event\AuthorizeRecordEvent $e) {
9cef6066	322	if (!financialacls_is_acl_limiting_enabled()) {
	323	return;
	324	}
0552d667 EM	325	if ($e->getEntityName() === 'Contribution') {
	326	$contributionID = $e->getRecord()['id'] ?? NULL;
	327	$financialTypeID = $e->getRecord()['financial_type_id'] ?? CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $contributionID, 'financial_type_id');
	328	if (!CRM_Core_Permission::check(_financialacls_getRequiredPermission($financialTypeID, $e->getActionName()), $e->getUserID())) {
af4cccf7	329	$e->setAuthorized(FALSE);
9cef6066	330	}
0552d667 EM	331	if ($e->getActionName() === 'delete') {
	332	// First check contribution financial type
	333	// Now check permissioned line items & permissioned contribution
	334	if (!CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE, $e->getUserID())
	335	) {
	336	$e->setAuthorized(FALSE);
	337	}
	338	}
9cef6066	339	}
	340	}
	341
0552d667 EM	342	/**
	343	* Get the permission required to perform this action on this financial type.
	344	*
	345	* @param int $financialTypeID
	346	* @param string $action
	347	*
	348	* @return string
	349	*/
	350	function _financialacls_getRequiredPermission(int $financialTypeID, string $action): string {
	351	$financialType = CRM_Core_PseudoConstant::getName('CRM_Contribute_DAO_Contribution', 'financial_type_id', $financialTypeID);
	352	$actionMap = [
	353	'create' => 'add',
	354	'update' => 'edit',
	355	'delete' => 'delete',
	356	];
	357	return $actionMap[$action] . ' contributions of type ' . $financialType;
	358	}
	359
51d1f926	360	/**
	361	* Remove unpermitted financial types from field Options in search context.
	362	*
	363	* Search context is described as
	364	* 'search' => "search: searchable options are returned; labels are translated.",
	365	* So this is appropriate to removing the options from search screens.
	366	*
	367	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_fieldOptions
	368	*
	369	* @param string $entity
	370	* @param string $field
	371	* @param array $options
	372	* @param array $params
	373	*/
	374	function financialacls_civicrm_fieldOptions($entity, $field, &$options, $params) {
34509ae3	375	if (!financialacls_is_acl_limiting_enabled()) {
	376	return;
	377	}
f4a72e8d	378	if (in_array($entity, ['Contribution', 'ContributionRecur'], TRUE) && $field === 'financial_type_id' && $params['context'] === 'search') {
51d1f926	379	$action = CRM_Core_Action::VIEW;
	380	// At this stage we are only considering the view action. Code from
	381	// CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes().
	382	$actions = [
	383	CRM_Core_Action::VIEW => 'view',
	384	CRM_Core_Action::UPDATE => 'edit',
	385	CRM_Core_Action::ADD => 'add',
	386	CRM_Core_Action::DELETE => 'delete',
	387	];
	388	$cacheKey = 'available_types_' . $action;
	389	if (!isset(\Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey])) {
	390	foreach ($options as $finTypeId => $type) {
	391	if (!CRM_Core_Permission::check($actions[$action] . ' contributions of type ' . $type)) {
	392	unset($options[$finTypeId]);
	393	}
	394	}
	395	\Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey] = $options;
	396	}
	397	$options = \Civi::$statics['CRM_Financial_BAO_FinancialType'][$cacheKey];
	398	}
	399	}
	400
34509ae3	401	/**
	402	* Is financial acl limiting enabled.
	403	*
	404	* Once this extension is detangled enough to be optional this will go
	405	* and the status of the extension rather than the setting will dictate.
	406	*
	407	* @return bool
	408	*/
d646594f	409	function financialacls_is_acl_limiting_enabled(): bool {
34509ae3	410	return (bool) Civi::settings()->get('acl_financial_type');
	411	}
	412
a572646e EM	413	/**
	414	* Clear the statics cache when the setting is enabled or disabled.
	415	*
	416	* Note the setting will eventually disappear in favour of whether
	417	* the extension is enabled or disabled.
	418	*/
	419	function financialacls_toggle() {
	420	unset(\Civi::$statics['CRM_Financial_BAO_FinancialType']);
	421	}
	422
e7339d59	423	// --- Functions below this ship commented out. Uncomment as required. ---
	424
	425	/**
	426	* Implements hook_civicrm_preProcess().
	427	*
	428	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess
	429	*/
	430	//function financialacls_civicrm_preProcess($formName, &$form) {
	431	//
	432	//}
	433
d017acf3 EM	434	/**
	435	* Require financial acl permissions for financial screens.
	436	*
	437	* @param array $menu
	438	*/
	439	function financialacls_civicrm_alterMenu(array &$menu): void {
e58bbf77 EM	440	if (!financialacls_is_acl_limiting_enabled()) {
	441	return;
	442	}
d017acf3 EM	443	$menu['civicrm/admin/financial/financialType']['access_arguments'] = [['administer CiviCRM Financial Types']];
	444	}
	445
e7339d59	446	/**
	447	* Implements hook_civicrm_navigationMenu().
	448	*
	449	* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu
	450	*/
	451	//function financialacls_civicrm_navigationMenu(&$menu) {
	452	// _financialacls_civix_insert_navigation_menu($menu, 'Mailings', array(
	453	// 'label' => E::ts('New subliminal message'),
	454	// 'name' => 'mailing_subliminal_message',
	455	// 'url' => 'civicrm/mailing/subliminal',
	456	// 'permission' => 'access CiviMail',
	457	// 'operator' => 'OR',
	458	// 'separator' => 0,
	459	// ));
	460	// _financialacls_civix_navigationMenu($menu);
	461	//}