Ian province abbreviation patch - issue 724
[civicrm-core.git] / CRM / Core / DAO / permissions.php
<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.7 |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2015 |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM. |
 | |
 | CiviCRM is free software; you can copy, modify, and distribute it |
 | under the terms of the GNU Affero General Public License |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
 | |
 | CiviCRM is distributed in the hope that it will be useful, but |
 | WITHOUT ANY WARRANTY; without even the implied warranty of |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
 | See the GNU Affero General Public License for more details. |
 | |
 | You should have received a copy of the GNU Affero General Public |
 | License and the CiviCRM Licensing Exception along |
 | with this program; if not, contact CiviCRM LLC |
 | at info[AT]civicrm[DOT]org. If you have questions about the |
 | GNU Affero General Public License or the licensing of CiviCRM, |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
 +--------------------------------------------------------------------+
 */

/**
 * Work out which permissions an API v3 call has to be checked against.
 *
 * The contact must hold every entry of the returned array for the call to be
 * allowed. An entry that is itself an array is used in this table as an
 * "at least one of these" group (see the CiviMail section). The evaluation of
 * the returned list happens in the caller, which is not part of this file.
 *
 * An empty array means this function asks for no permission at all; the table
 * uses that for actions whose access control is noted as living elsewhere
 * ('contact' get, 'profile' get).
 *
 * Resolution order:
 *  1. 'create' with an id in the params is treated as 'update'.
 *  2. hook_civicrm_alterAPIPermissions may rewrite the whole table.
 *  3. The entity's entries are laid over $permissions['default'].
 *  4. An exact match on the action name wins.
 *  5. Otherwise the action is mapped to a generic one (delete / update /
 *     meta / get) and looked up again; if that is missing too, the
 *     'default' entry is returned.
 *
 * NOTE(review): step 5 matches on the first three characters of the action
 * name and all comparisons are case-sensitive, so any action beginning with
 * "get" is checked as a read unless it has its own entry. Presumably callers
 * pass a lower-cased action name - confirm, and give every state-changing
 * custom action an explicit entry.
 *
 * @param string $entity
 *   API entity name.
 * @param string $action
 *   API action name.
 * @param array $params
 *   API params; handed on by reference to the alterAPIPermissions hook.
 *
 * @return array
 *   Permissions to check for this entity-action combination.
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  // FIXME: lower-case entity names are nonstandard, but hard to change here
  // because this function invokes hook_civicrm_alterAPIPermissions.
  $entity = _civicrm_api_get_entity_name_from_camel($entity);

  // Permission table, keyed by entity and then by action. Action keys:
  //  - create:  create (no id in params)
  //  - update:  update, setvalue, create (id in params)
  //  - get:     getcount, getsingle, getvalue and other gets
  //  - delete:  delete, replace
  //  - meta:    getfields, getoptions, getspec
  //  - default: catch-all for anything not declared
  // Some APIs declare further actions of their own.
  $permissions = array();

  // Fallback entries: used for any action an entity leaves undeclared, and
  // for entities that declare nothing at all.
  $permissions['default'] = array(
    // getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // Catch-all for create, get, delete, etc. An entity that declares its
    // own 'default' action overrides this one.
    'default' => array('administer CiviCRM'),
  );

  // Note: additional permissions in DynamicFKAuthorization.
  $permissions['attachment'] = array(
    'default' => array(array('access CiviCRM', 'access AJAX API')),
  );

  // Contact permissions.
  $permissions['contact'] = array(
    'create' => array('access CiviCRM', 'add contacts'),
    'delete' => array('access CiviCRM', 'delete contacts'),
    // Managed by the query object, so nothing is required at this layer.
    'get' => array(),
    'update' => array('access CiviCRM', 'edit all contacts'),
    'getquick' => array(array('access CiviCRM', 'access AJAX API')),
  );

  // CRM-16963 - Permissions for country.
  $permissions['country'] = array(
    'get' => array('access CiviCRM'),
    'default' => array('administer CiviCRM'),
  );

  // Contact-related data.
  // CRM-14094 - Users can edit and delete contact-related objects using
  // inline edit with the 'edit all contacts' permission.
  $permissions['address'] = array(
    'get' => array('access CiviCRM', 'view all contacts'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );
  // These entities reuse the address rules unchanged.
  $sameAsAddress = array('email', 'phone', 'website', 'im', 'loc_block', 'entity_tag', 'note');
  foreach ($sameAsAddress as $alias) {
    $permissions[$alias] = $permissions['address'];
  }

  // Non-admins may get and create tags so that the tagset widget works.
  // There is no 'delete' entry, so delete stays reserved for admins.
  $permissions['tag'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('access CiviCRM'),
    'update' => array('access CiviCRM'),
  );

  // Relationship permissions.
  $permissions['relationship'] = array(
    'get' => array('access CiviCRM', 'view all contacts'),
    'delete' => array('access CiviCRM', 'edit all contacts'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );

  // Activity permissions.
  $permissions['activity'] = array(
    'delete' => array('access CiviCRM', 'delete activities'),
    'default' => array('access CiviCRM', 'view all activities'),
  );

  // Case permissions.
  $permissions['case'] = array(
    'create' => array('access CiviCRM', 'add cases'),
    'delete' => array('access CiviCRM', 'delete in CiviCase'),
    'default' => array('access CiviCRM', 'access all cases and activities'),
  );

  // Campaign permissions.
  $permissions['campaign'] = array(
    'get' => array('access CiviCRM'),
    'create' => array(array('administer CiviCampaign', 'manage campaign')),
    'update' => array(array('administer CiviCampaign', 'manage campaign')),
    'delete' => array(array('administer CiviCampaign', 'manage campaign')),
  );
  $permissions['survey'] = $permissions['campaign'];

  // Financial permissions.
  $permissions['contribution'] = array(
    'get' => array('access CiviCRM', 'access CiviContribute'),
    'delete' => array('access CiviCRM', 'access CiviContribute', 'delete in CiviContribute'),
    'completetransaction' => array('edit contributions'),
    'default' => array('access CiviCRM', 'access CiviContribute', 'edit contributions'),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions.
  $permissions['custom_field'] = array(
    'default' => array('administer CiviCRM', 'access all custom data'),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions.
  $permissions['event'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'delete in CiviEvent'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event info'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
  );

  // File permissions.
  $permissions['file'] = array(
    'default' => array('access CiviCRM', 'access uploaded files'),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions.
  $permissions['group'] = array(
    'get' => array('access CiviCRM'),
    'default' => array('access CiviCRM', 'edit groups'),
  );
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // Group contact permissions.
  $permissions['group_contact'] = array(
    'get' => array('access CiviCRM'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );

  // CiviMail permissions.
  // To get/preview/update, one must have at least one of these perms; the
  // Mailing API implementations enforce the nuances of the
  // create/approve/schedule permissions.
  $civiMailBasePerms = array(
    'access CiviMail',
    'create mailings',
    'schedule mailings',
    'approve mailings',
  );
  $permissions['mailing'] = array(
    'get' => array('access CiviCRM', $civiMailBasePerms),
    'delete' => array('access CiviCRM', $civiMailBasePerms, 'delete in CiviMail'),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array('access CiviCRM', $civiMailBasePerms),
  );
  $permissions['mailing_group'] = $permissions['mailing'];
  $permissions['mailing_job'] = $permissions['mailing'];
  $permissions['mailing_recipients'] = $permissions['mailing'];

  $permissions['mailing_a_b'] = array(
    'get' => array('access CiviCRM', 'access CiviMail'),
    'delete' => array('access CiviCRM', 'access CiviMail', 'delete in CiviMail'),
    'submit' => array(
      'access CiviCRM',
      array('access CiviMail', 'schedule mailings'),
    ),
    'default' => array('access CiviCRM', 'access CiviMail'),
  );

  // Membership permissions.
  $permissions['membership'] = array(
    'get' => array('access CiviCRM', 'access CiviMember'),
    'delete' => array('access CiviCRM', 'access CiviMember', 'delete in CiviMember'),
    'default' => array('access CiviCRM', 'access CiviMember', 'edit memberships'),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviMember', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions.
  $permissions['participant'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'register for events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event participants'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions.
  $permissions['pledge'] = array(
    'create' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
    'delete' => array('access CiviCRM', 'access CiviPledge', 'delete in CiviPledge'),
    'get' => array('access CiviCRM', 'access CiviPledge'),
    'update' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
  );

  // CRM-16777: Disable schedule reminder for user that have 'edit all events'
  // and 'administer CiviCRM' permission.
  // NOTE(review): the entry below names 'access CiviCRM', not 'administer
  // CiviCRM', and puts both permissions in one nested group. If nested groups
  // are evaluated as any-of, as the CiviMail comment describes, either
  // permission alone is enough - confirm that this is what CRM-16777 intended.
  $permissions['action_schedule'] = array(
    'update' => array(array('access CiviCRM', 'edit all events')),
  );

  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviPledge', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions.
  $permissions['profile'] = array(
    // The profile will take care of this, so nothing is required here.
    'get' => array(),
  );

  $permissions['uf_group'] = array(
    'create' => array(
      'access CiviCRM',
      array('administer CiviCRM', 'manage event profiles'),
    ),
    'get' => array('access CiviCRM'),
    'update' => array(
      'access CiviCRM',
      array('administer CiviCRM', 'manage event profiles'),
    ),
  );
  // uf_join and uf_field start out as copies of uf_group; only uf_field
  // gets an explicit 'delete' entry on top.
  $permissions['uf_join'] = $permissions['uf_group'];
  $permissions['uf_field'] = $permissions['uf_join'];
  $permissions['uf_field']['delete'] = array(
    'access CiviCRM',
    array('administer CiviCRM', 'manage event profiles'),
  );
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  $permissions['message_template'] = array(
    'get' => array('access CiviCRM'),
    'create' => array('edit message templates'),
    'update' => array('edit message templates'),
  );

  // A 'create' that carries an id (either 'id' or '<entity>_id') is checked
  // as an 'update'. This happens before the hook runs, so the hook sees the
  // translated action.
  if ($action == 'create') {
    if (!empty($params['id']) || !empty($params[$entity . '_id'])) {
      $action = 'update';
    }
  }

  // Let third parties modify the permissions. The whole table is passed to
  // the hook, so it can loosen as well as tighten any entry.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Lay the entity's entries over the defaults; with '+', keys declared by
  // the entity win and only the missing ones come from the defaults.
  $entityPerms = CRM_Utils_Array::value($entity, $permissions, array());
  $perm = $entityPerms + $permissions['default'];

  // An action declared by name is returned as-is.
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Otherwise map the specific action onto its generic equivalent.
  $prefix = substr($action, 0, 3);
  $metaActions = array('getfields', 'getspec', 'getoptions');
  if ($action == 'replace' || $prefix == 'del') {
    // 'replace' is a combination of get+create+update+delete; the permissions
    // on each of those are tested separately at runtime. This is only a
    // sniff-test, based on the heuristic that 'delete' tends to be the most
    // closely guarded of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action == 'setvalue' || $prefix == 'upd') {
    $action = 'update';
  }
  elseif (in_array($action, $metaActions)) {
    $action = 'meta';
  }
  elseif ($prefix == 'get') {
    $action = 'get';
  }

  if (isset($perm[$action])) {
    return $perm[$action];
  }
  // Nothing declared for the generic action either: use the catch-all.
  return $perm['default'];
}

# FIXME: not sure which permissions the following API 3 calls should require.
# As far as the table above shows, none of them is declared explicitly, so each
# is resolved by the fall-through rules in _civicrm_api3_permissions().
# contribution_transact (make online contributions)
# entity_tag_display
# group_contact_pending
# group_contact_update_status
# mailing_event_bounce
# mailing_event_click
# mailing_event_confirm
# mailing_event_forward
# mailing_event_open
# mailing_event_reply
# mailing_group_event_domain_unsubscribe
# mailing_group_event_resubscribe
# mailing_group_event_subscribe
# mailing_group_event_unsubscribe
# membership_status_calc
# survey_respondant_count