| 1 | <?php |
| 2 | /* |
| 3 | +--------------------------------------------------------------------+ |
| 4 | | Copyright CiviCRM LLC. All rights reserved. | |
| 5 | | | |
| 6 | | This work is published under the GNU AGPLv3 license with some | |
| 7 | | permitted exceptions and without any warranty. For full license | |
| 8 | | and copyright information, see https://civicrm.org/licensing | |
| 9 | +--------------------------------------------------------------------+ |
| 10 | */ |
| 11 | |
| 12 | /** |
| 13 | * |
| 14 | * @package CRM |
| 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
| 16 | */ |
| 17 | |
| 18 | /** |
| 19 | * Access Control List |
| 20 | */ |
| 21 | class CRM_ACL_BAO_ACL extends CRM_ACL_DAO_ACL { |
| 22 | /** |
| 23 | * @var string |
| 24 | */ |
| 25 | public static $_entityTable = NULL; |
| 26 | public static $_objectTable = NULL; |
| 27 | public static $_operation = NULL; |
| 28 | |
| 29 | public static $_fieldKeys = NULL; |
| 30 | |
| 31 | /** |
| 32 | * Available operations for pseudoconstant. |
| 33 | * |
| 34 | * @return array |
| 35 | */ |
| 36 | public static function operation() { |
| 37 | if (!self::$_operation) { |
| 38 | self::$_operation = [ |
| 39 | 'View' => ts('View'), |
| 40 | 'Edit' => ts('Edit'), |
| 41 | 'Create' => ts('Create'), |
| 42 | 'Delete' => ts('Delete'), |
| 43 | 'Search' => ts('Search'), |
| 44 | 'All' => ts('All'), |
| 45 | ]; |
| 46 | } |
| 47 | return self::$_operation; |
| 48 | } |
| 49 | |
| 50 | /** |
| 51 | * Construct an associative array of an ACL rule's properties |
| 52 | * |
| 53 | * @param string $format |
| 54 | * Sprintf format for array. |
| 55 | * @param bool $hideEmpty |
| 56 | * Only return elements that have a value set. |
| 57 | * |
| 58 | * @return array |
| 59 | * Assoc. array of the ACL rule's properties |
| 60 | */ |
| 61 | public function toArray($format = '%s', $hideEmpty = FALSE) { |
| 62 | $result = []; |
| 63 | |
| 64 | if (!self::$_fieldKeys) { |
| 65 | $fields = CRM_ACL_DAO_ACL::fields(); |
| 66 | self::$_fieldKeys = array_keys($fields); |
| 67 | } |
| 68 | |
| 69 | foreach (self::$_fieldKeys as $field) { |
| 70 | $result[$field] = $this->$field; |
| 71 | } |
| 72 | return $result; |
| 73 | } |
| 74 | |
| 75 | /** |
| 76 | * Retrieve ACLs for a contact or group. Note that including a contact id |
| 77 | * without a group id will return those ACL rules which are granted |
| 78 | * directly to the contact, but not those granted to the contact through |
| 79 | * any/all of his group memberships. |
| 80 | * |
| 81 | * @param int $contact_id |
| 82 | * ID of a contact to search for. |
| 83 | * |
| 84 | * @return array |
| 85 | * Array of assoc. arrays of ACL rules |
| 86 | * |
| 87 | * @throws \CRM_Core_Exception |
| 88 | */ |
| 89 | protected static function getACLs(int $contact_id) { |
| 90 | $results = []; |
| 91 | |
| 92 | $rule = new CRM_ACL_BAO_ACL(); |
| 93 | |
| 94 | $contact = CRM_Contact_BAO_Contact::getTableName(); |
| 95 | |
| 96 | $query = " SELECT acl.* |
| 97 | FROM civicrm_acl acl |
| 98 | WHERE acl.entity_table = '$contact' |
| 99 | AND acl.entity_id = $contact_id"; |
| 100 | |
| 101 | $rule->query($query); |
| 102 | |
| 103 | while ($rule->fetch()) { |
| 104 | $results[$rule->id] = $rule->toArray(); |
| 105 | } |
| 106 | |
| 107 | $results += self::getACLRoles($contact_id); |
| 108 | |
| 109 | return $results; |
| 110 | } |
| 111 | |
| 112 | /** |
| 113 | * Get all of the ACLs through ACL groups. |
| 114 | * |
| 115 | * @param int $contact_id |
| 116 | * ID of a contact to search for. |
| 117 | * |
| 118 | * @return array |
| 119 | * Array of assoc. arrays of ACL rules |
| 120 | * |
| 121 | * @throws \CRM_Core_Exception |
| 122 | */ |
| 123 | protected static function getACLRoles($contact_id = NULL) { |
| 124 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); |
| 125 | |
| 126 | $rule = new CRM_ACL_BAO_ACL(); |
| 127 | |
| 128 | $contact = CRM_Contact_BAO_Contact::getTableName(); |
| 129 | |
| 130 | $query = 'SELECT acl.* FROM civicrm_acl acl'; |
| 131 | $where = ['acl.entity_table = "civicrm_acl_role" AND acl.entity_id IN (' . implode(',', array_keys(CRM_Core_OptionGroup::values('acl_role'))) . ')']; |
| 132 | |
| 133 | if (!empty($contact_id)) { |
| 134 | $where[] = " acl.entity_table = '$contact' AND acl.is_active = 1 AND acl.entity_id = $contact_id"; |
| 135 | } |
| 136 | |
| 137 | $results = []; |
| 138 | |
| 139 | $rule->query($query . ' WHERE ' . implode(' AND ', $where)); |
| 140 | |
| 141 | while ($rule->fetch()) { |
| 142 | $results[$rule->id] = $rule->toArray(); |
| 143 | } |
| 144 | |
| 145 | return $results; |
| 146 | } |
| 147 | |
| 148 | /** |
| 149 | * Get all ACLs granted to a contact through all group memberships. |
| 150 | * |
| 151 | * @param int $contact_id |
| 152 | * The contact's ID. |
| 153 | * @param bool $aclRoles |
| 154 | * Include ACL Roles?. |
| 155 | * |
| 156 | * @return array |
| 157 | * Assoc array of ACL rules |
| 158 | * @throws \CRM_Core_Exception |
| 159 | */ |
| 160 | protected static function getGroupACLs($contact_id, $aclRoles = FALSE) { |
| 161 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); |
| 162 | |
| 163 | $rule = new CRM_ACL_BAO_ACL(); |
| 164 | |
| 165 | $c2g = CRM_Contact_BAO_GroupContact::getTableName(); |
| 166 | $group = CRM_Contact_BAO_Group::getTableName(); |
| 167 | $results = []; |
| 168 | |
| 169 | if ($contact_id) { |
| 170 | $query = " |
| 171 | SELECT acl.* |
| 172 | FROM civicrm_acl acl |
| 173 | INNER JOIN $c2g group_contact |
| 174 | ON acl.entity_id = group_contact.group_id |
| 175 | WHERE acl.entity_table = '$group' |
| 176 | AND group_contact.contact_id = $contact_id |
| 177 | AND group_contact.status = 'Added'"; |
| 178 | |
| 179 | $rule->query($query); |
| 180 | |
| 181 | while ($rule->fetch()) { |
| 182 | $results[$rule->id] = $rule->toArray(); |
| 183 | } |
| 184 | } |
| 185 | |
| 186 | if ($aclRoles) { |
| 187 | $results += self::getGroupACLRoles($contact_id); |
| 188 | } |
| 189 | |
| 190 | return $results; |
| 191 | } |
| 192 | |
| 193 | /** |
| 194 | * Get all of the ACLs for a contact through ACL groups owned by Contact. |
| 195 | * groups. |
| 196 | * |
| 197 | * @param int $contact_id |
| 198 | * ID of a contact to search for. |
| 199 | * |
| 200 | * @return array |
| 201 | * Array of assoc. arrays of ACL rules |
| 202 | * @throws \CRM_Core_Exception |
| 203 | */ |
| 204 | protected static function getGroupACLRoles($contact_id) { |
| 205 | $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer'); |
| 206 | |
| 207 | $query = " SELECT acl.* |
| 208 | FROM civicrm_acl acl |
| 209 | INNER JOIN civicrm_option_group og |
| 210 | ON og.name = 'acl_role' |
| 211 | INNER JOIN civicrm_option_value ov |
| 212 | ON acl.entity_table = 'civicrm_acl_role' |
| 213 | AND ov.option_group_id = og.id |
| 214 | AND acl.entity_id = ov.value |
| 215 | AND ov.is_active = 1 |
| 216 | INNER JOIN civicrm_acl_entity_role acl_entity_role |
| 217 | ON acl_entity_role.acl_role_id = acl.entity_id |
| 218 | AND acl_entity_role.is_active = 1 |
| 219 | INNER JOIN civicrm_group_contact group_contact |
| 220 | ON acl_entity_role.entity_id = group_contact.group_id |
| 221 | AND acl_entity_role.entity_table = 'civicrm_group' |
| 222 | WHERE acl.entity_table = 'civicrm_acl_role' |
| 223 | AND acl.is_active = 1 |
| 224 | AND group_contact.contact_id = $contact_id |
| 225 | AND group_contact.status = 'Added'"; |
| 226 | |
| 227 | $results = []; |
| 228 | |
| 229 | $rule = CRM_Core_DAO::executeQuery($query); |
| 230 | |
| 231 | while ($rule->fetch()) { |
| 232 | $results[$rule->id] = $rule->toArray(); |
| 233 | } |
| 234 | |
| 235 | // also get all acls for "Any Role" case |
| 236 | // and authenticated User Role if present |
| 237 | $roles = "0"; |
| 238 | $session = CRM_Core_Session::singleton(); |
| 239 | if ($session->get('ufID') > 0) { |
| 240 | $roles .= ",2"; |
| 241 | } |
| 242 | |
| 243 | $query = " |
| 244 | SELECT acl.* |
| 245 | FROM civicrm_acl acl |
| 246 | WHERE acl.entity_id IN ( $roles ) |
| 247 | AND acl.entity_table = 'civicrm_acl_role' |
| 248 | "; |
| 249 | |
| 250 | $rule = CRM_Core_DAO::executeQuery($query); |
| 251 | while ($rule->fetch()) { |
| 252 | $results[$rule->id] = $rule->toArray(); |
| 253 | } |
| 254 | |
| 255 | return $results; |
| 256 | } |
| 257 | |
| 258 | /** |
| 259 | * Get all ACLs owned by a given contact, including domain and group-level. |
| 260 | * |
| 261 | * @param int $contact_id |
| 262 | * The contact ID. |
| 263 | * |
| 264 | * @return array |
| 265 | * Assoc array of ACL rules |
| 266 | * |
| 267 | * @throws \CRM_Core_Exception |
| 268 | */ |
| 269 | public static function getAllByContact($contact_id) { |
| 270 | $result = []; |
| 271 | |
| 272 | /* First, the contact-specific ACLs, including ACL Roles */ |
| 273 | if ($contact_id) { |
| 274 | $result += self::getACLs((int) $contact_id); |
| 275 | } |
| 276 | |
| 277 | /* Then, all ACLs granted through group membership */ |
| 278 | $result += self::getGroupACLs($contact_id, TRUE); |
| 279 | |
| 280 | return $result; |
| 281 | } |
| 282 | |
| 283 | /** |
| 284 | * @param array $params |
| 285 | * |
| 286 | * @return CRM_ACL_DAO_ACL |
| 287 | */ |
| 288 | public static function create($params) { |
| 289 | $dao = new CRM_ACL_DAO_ACL(); |
| 290 | $dao->copyValues($params); |
| 291 | $dao->save(); |
| 292 | return $dao; |
| 293 | } |
| 294 | |
| 295 | /** |
| 296 | * @param array $params |
| 297 | * @param array $defaults |
| 298 | */ |
| 299 | public static function retrieve(&$params, &$defaults) { |
| 300 | CRM_Core_DAO::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults); |
| 301 | } |
| 302 | |
| 303 | /** |
| 304 | * Update the is_active flag in the db. |
| 305 | * |
| 306 | * @param int $id |
| 307 | * Id of the database record. |
| 308 | * @param bool $is_active |
| 309 | * Value we want to set the is_active field. |
| 310 | * |
| 311 | * @return bool |
| 312 | * true if we found and updated the object, else false |
| 313 | */ |
| 314 | public static function setIsActive($id, $is_active) { |
| 315 | Civi::cache('fields')->flush(); |
| 316 | // reset ACL and system caches. |
| 317 | CRM_Core_BAO_Cache::resetCaches(); |
| 318 | |
| 319 | return CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active); |
| 320 | } |
| 321 | |
| 322 | /** |
| 323 | * @param $str |
| 324 | * @param int $contactID |
| 325 | * |
| 326 | * @return bool |
| 327 | */ |
| 328 | public static function check($str, $contactID) { |
| 329 | |
| 330 | $acls = CRM_ACL_BAO_Cache::build($contactID); |
| 331 | |
| 332 | $aclKeys = array_keys($acls); |
| 333 | $aclKeys = implode(',', $aclKeys); |
| 334 | |
| 335 | if (empty($aclKeys)) { |
| 336 | return FALSE; |
| 337 | } |
| 338 | |
| 339 | $query = " |
| 340 | SELECT count( a.id ) |
| 341 | FROM civicrm_acl_cache c, civicrm_acl a |
| 342 | WHERE c.acl_id = a.id |
| 343 | AND a.is_active = 1 |
| 344 | AND a.object_table = %1 |
| 345 | AND a.id IN ( $aclKeys ) |
| 346 | "; |
| 347 | $params = [1 => [$str, 'String']]; |
| 348 | |
| 349 | $count = CRM_Core_DAO::singleValueQuery($query, $params); |
| 350 | return (bool) $count; |
| 351 | } |
| 352 | |
| 353 | /** |
| 354 | * @param $type |
| 355 | * @param $tables |
| 356 | * @param $whereTables |
| 357 | * @param int $contactID |
| 358 | * |
| 359 | * @return null|string |
| 360 | */ |
| 361 | public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) { |
| 362 | $acls = CRM_ACL_BAO_Cache::build($contactID); |
| 363 | |
| 364 | $whereClause = NULL; |
| 365 | $clauses = []; |
| 366 | |
| 367 | if (!empty($acls)) { |
| 368 | $aclKeys = array_keys($acls); |
| 369 | $aclKeys = implode(',', $aclKeys); |
| 370 | |
| 371 | $query = " |
| 372 | SELECT a.operation, a.object_id |
| 373 | FROM civicrm_acl_cache c, civicrm_acl a |
| 374 | WHERE c.acl_id = a.id |
| 375 | AND a.is_active = 1 |
| 376 | AND a.object_table = 'civicrm_saved_search' |
| 377 | AND a.id IN ( $aclKeys ) |
| 378 | ORDER BY a.object_id |
| 379 | "; |
| 380 | |
| 381 | $dao = CRM_Core_DAO::executeQuery($query); |
| 382 | |
| 383 | // do an or of all the where clauses u see |
| 384 | $ids = []; |
| 385 | while ($dao->fetch()) { |
| 386 | // make sure operation matches the type TODO |
| 387 | if (self::matchType($type, $dao->operation)) { |
| 388 | if (!$dao->object_id) { |
| 389 | $ids = []; |
| 390 | $whereClause = ' ( 1 ) '; |
| 391 | break; |
| 392 | } |
| 393 | $ids[] = $dao->object_id; |
| 394 | } |
| 395 | } |
| 396 | |
| 397 | if (!empty($ids)) { |
| 398 | $ids = implode(',', $ids); |
| 399 | $query = " |
| 400 | SELECT g.* |
| 401 | FROM civicrm_group g |
| 402 | WHERE g.id IN ( $ids ) |
| 403 | AND g.is_active = 1 |
| 404 | "; |
| 405 | $dao = CRM_Core_DAO::executeQuery($query); |
| 406 | $groupIDs = []; |
| 407 | $groupContactCacheClause = FALSE; |
| 408 | while ($dao->fetch()) { |
| 409 | $groupIDs[] = $dao->id; |
| 410 | |
| 411 | if (($dao->saved_search_id || $dao->children || $dao->parents)) { |
| 412 | if ($dao->cache_date == NULL) { |
| 413 | CRM_Contact_BAO_GroupContactCache::load($dao); |
| 414 | } |
| 415 | $groupContactCacheClause = " UNION SELECT contact_id FROM civicrm_group_contact_cache WHERE group_id IN (" . implode(', ', $groupIDs) . ")"; |
| 416 | } |
| 417 | |
| 418 | } |
| 419 | |
| 420 | if ($groupIDs) { |
| 421 | $clauses[] = "( |
| 422 | `contact_a`.id IN ( |
| 423 | SELECT contact_id FROM civicrm_group_contact WHERE group_id IN (" . implode(', ', $groupIDs) . ") AND status = 'Added' |
| 424 | $groupContactCacheClause |
| 425 | ) |
| 426 | )"; |
| 427 | } |
| 428 | } |
| 429 | } |
| 430 | |
| 431 | if (!empty($clauses)) { |
| 432 | $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) '; |
| 433 | } |
| 434 | |
| 435 | // call the hook to get additional whereClauses |
| 436 | CRM_Utils_Hook::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause); |
| 437 | |
| 438 | if (empty($whereClause)) { |
| 439 | $whereClause = ' ( 0 ) '; |
| 440 | } |
| 441 | |
| 442 | return $whereClause; |
| 443 | } |
| 444 | |
| 445 | /** |
| 446 | * @param int $type |
| 447 | * @param int $contactID |
| 448 | * @param string $tableName |
| 449 | * @param null $allGroups |
| 450 | * @param null $includedGroups |
| 451 | * |
| 452 | * @return array |
| 453 | */ |
| 454 | public static function group( |
| 455 | $type, |
| 456 | $contactID = NULL, |
| 457 | $tableName = 'civicrm_saved_search', |
| 458 | $allGroups = NULL, |
| 459 | $includedGroups = NULL |
| 460 | ) { |
| 461 | $userCacheKey = "{$contactID}_{$type}_{$tableName}_" . CRM_Core_Config::domainID() . '_' . md5(implode(',', array_merge((array) $allGroups, (array) $includedGroups))); |
| 462 | if (empty(Civi::$statics[__CLASS__]['permissioned_groups'])) { |
| 463 | Civi::$statics[__CLASS__]['permissioned_groups'] = []; |
| 464 | } |
| 465 | if (!empty(Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey])) { |
| 466 | return Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey]; |
| 467 | } |
| 468 | |
| 469 | if ($allGroups == NULL) { |
| 470 | $allGroups = CRM_Contact_BAO_Contact::buildOptions('group_id', 'get'); |
| 471 | } |
| 472 | |
| 473 | $acls = CRM_ACL_BAO_Cache::build($contactID); |
| 474 | |
| 475 | $ids = []; |
| 476 | if (!empty($acls)) { |
| 477 | $aclKeys = array_keys($acls); |
| 478 | $aclKeys = implode(',', $aclKeys); |
| 479 | |
| 480 | $cacheKey = CRM_Utils_Cache::cleanKey("$tableName-$aclKeys"); |
| 481 | $cache = CRM_Utils_Cache::singleton(); |
| 482 | $ids = $cache->get($cacheKey); |
| 483 | if (!$ids) { |
| 484 | $ids = []; |
| 485 | $query = " |
| 486 | SELECT a.operation, a.object_id |
| 487 | FROM civicrm_acl_cache c, civicrm_acl a |
| 488 | WHERE c.acl_id = a.id |
| 489 | AND a.is_active = 1 |
| 490 | AND a.object_table = %1 |
| 491 | AND a.id IN ( $aclKeys ) |
| 492 | GROUP BY a.operation,a.object_id |
| 493 | ORDER BY a.object_id |
| 494 | "; |
| 495 | $params = [1 => [$tableName, 'String']]; |
| 496 | $dao = CRM_Core_DAO::executeQuery($query, $params); |
| 497 | while ($dao->fetch()) { |
| 498 | if ($dao->object_id) { |
| 499 | if (self::matchType($type, $dao->operation)) { |
| 500 | $ids[] = $dao->object_id; |
| 501 | } |
| 502 | } |
| 503 | else { |
| 504 | // this user has got the permission for all objects of this type |
| 505 | // check if the type matches |
| 506 | if (self::matchType($type, $dao->operation)) { |
| 507 | foreach ($allGroups as $id => $dontCare) { |
| 508 | $ids[] = $id; |
| 509 | } |
| 510 | } |
| 511 | break; |
| 512 | } |
| 513 | } |
| 514 | $cache->set($cacheKey, $ids); |
| 515 | } |
| 516 | } |
| 517 | |
| 518 | if (empty($ids) && !empty($includedGroups) && |
| 519 | is_array($includedGroups) |
| 520 | ) { |
| 521 | $ids = $includedGroups; |
| 522 | } |
| 523 | if ($contactID) { |
| 524 | $groupWhere = ''; |
| 525 | if (!empty($allGroups)) { |
| 526 | $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")"; |
| 527 | } |
| 528 | // Contacts create hidden groups from search results. They should be able to retrieve their own. |
| 529 | $ownHiddenGroupsList = CRM_Core_DAO::singleValueQuery(" |
| 530 | SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID |
| 531 | $groupWhere |
| 532 | "); |
| 533 | if ($ownHiddenGroupsList) { |
| 534 | $ownHiddenGroups = explode(',', $ownHiddenGroupsList); |
| 535 | $ids = array_merge((array) $ids, $ownHiddenGroups); |
| 536 | } |
| 537 | |
| 538 | } |
| 539 | |
| 540 | CRM_Utils_Hook::aclGroup($type, $contactID, $tableName, $allGroups, $ids); |
| 541 | Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey] = $ids; |
| 542 | return $ids; |
| 543 | } |
| 544 | |
| 545 | /** |
| 546 | * @param int $type |
| 547 | * @param $operation |
| 548 | * |
| 549 | * @return bool |
| 550 | */ |
| 551 | protected static function matchType($type, $operation) { |
| 552 | $typeCheck = FALSE; |
| 553 | switch ($operation) { |
| 554 | case 'All': |
| 555 | $typeCheck = TRUE; |
| 556 | break; |
| 557 | |
| 558 | case 'View': |
| 559 | if ($type == CRM_ACL_API::VIEW) { |
| 560 | $typeCheck = TRUE; |
| 561 | } |
| 562 | break; |
| 563 | |
| 564 | case 'Edit': |
| 565 | if ($type == CRM_ACL_API::VIEW || $type == CRM_ACL_API::EDIT) { |
| 566 | $typeCheck = TRUE; |
| 567 | } |
| 568 | break; |
| 569 | |
| 570 | case 'Create': |
| 571 | if ($type == CRM_ACL_API::CREATE) { |
| 572 | $typeCheck = TRUE; |
| 573 | } |
| 574 | break; |
| 575 | |
| 576 | case 'Delete': |
| 577 | if ($type == CRM_ACL_API::DELETE) { |
| 578 | $typeCheck = TRUE; |
| 579 | } |
| 580 | break; |
| 581 | |
| 582 | case 'Search': |
| 583 | if ($type == CRM_ACL_API::SEARCH) { |
| 584 | $typeCheck = TRUE; |
| 585 | } |
| 586 | break; |
| 587 | } |
| 588 | return $typeCheck; |
| 589 | } |
| 590 | |
| 591 | /** |
| 592 | * Delete ACL records. |
| 593 | * |
| 594 | * @param int $aclId |
| 595 | * ID of the ACL record to be deleted. |
| 596 | * |
| 597 | */ |
| 598 | public static function del($aclId) { |
| 599 | // delete all entries from the acl cache |
| 600 | CRM_ACL_BAO_Cache::resetCache(); |
| 601 | |
| 602 | $acl = new CRM_ACL_DAO_ACL(); |
| 603 | $acl->id = $aclId; |
| 604 | $acl->delete(); |
| 605 | } |
| 606 | |
| 607 | } |