projects / civicrm-core.git / blob
? search:


c5ae1243cbf243bde82a2eef78f9ee166b3c8e1f
[civicrm-core.git] / CRM / ACL / API.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2017 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2017
32 */
33 class CRM_ACL_API {
34
35 /**
36 * The various type of permissions.
37 *
38 * @var int
39 */
40 const EDIT = 1;
41 const VIEW = 2;
42 const DELETE = 3;
43 const CREATE = 4;
44 const SEARCH = 5;
45 const ALL = 6;
46
47 /**
48 * Given a permission string, check for access requirements
49 *
50 * @param string $str
51 * The permission to check.
52 * @param int $contactID
53 * The contactID for whom the check is made.
54 *
55 * @return bool
56 * true if yes, else false
57 */
58 public static function check($str, $contactID = NULL) {
59 if ($contactID == NULL) {
60 $contactID = CRM_Core_Session::getLoggedInContactID();
61 }
62
63 if (!$contactID) {
64 // anonymous user
65 $contactID = 0;
66 }
67
68 return CRM_ACL_BAO_ACL::check($str, $contactID);
69 }
70
71 /**
72 * Get the permissioned where clause for the user.
73 *
74 * @param int $type
75 * The type of permission needed.
76 * @param array $tables
77 * (reference ) add the tables that are needed for the select clause.
78 * @param array $whereTables
79 * (reference ) add the tables that are needed for the where clause.
80 * @param int $contactID
81 * The contactID for whom the check is made.
82 * @param bool $onlyDeleted
83 * Whether to include only deleted contacts.
84 * @param bool $skipDeleteClause
85 * Don't add delete clause if this is true,.
86 * this means it is handled by generating query
87 * @param bool $skipOwnContactClause
88 * Do not add 'OR contact_id = $userID' to the where clause.
89 * This is a hideously inefficient query and should be avoided
90 * wherever possible.
91 *
92 * @return string
93 * the group where clause for this user
94 */
95 public static function whereClause(
96 $type,
97 &$tables,
98 &$whereTables,
99 $contactID = NULL,
100 $onlyDeleted = FALSE,
101 $skipDeleteClause = FALSE,
102 $skipOwnContactClause = FALSE
103 ) {
104 // the default value which is valid for the final AND
105 $deleteClause = ' ( 1 ) ';
106 if (!$skipDeleteClause) {
107 if (CRM_Core_Permission::check('access deleted contacts') and $onlyDeleted) {
108 $deleteClause = '(contact_a.is_deleted)';
109 }
110 else {
111 // CRM-6181
112 $deleteClause = '(contact_a.is_deleted = 0)';
113 }
114 }
115
116 // first see if the contact has edit / view all contacts
117 if (CRM_Core_Permission::check('edit all contacts') ||
118 ($type == self::VIEW && CRM_Core_Permission::check('view all contacts'))
119 ) {
120 return $deleteClause;
121 }
122
123 if (!$contactID) {
124 $contactID = CRM_Core_Session::getLoggedInContactID();
125 }
126 $contactID = (int) $contactID;
127
128 $where = implode(' AND ',
129 array(
130 CRM_ACL_BAO_ACL::whereClause($type,
131 $tables,
132 $whereTables,
133 $contactID
134 ),
135 $deleteClause,
136 )
137 );
138
139 // Add permission on self if we really hate our server or have hardly any contacts.
140 if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') ||
141 $type == self::VIEW && CRM_Core_Permission::check('view my contact'))
142 ) {
143 $where = "(contact_a.id = $contactID OR ($where))";
144 }
145 return $where;
146 }
147
148 /**
149 * Get all the groups the user has access to for the given operation.
150 *
151 * @param int $type
152 * The type of permission needed.
153 * @param int $contactID
154 * The contactID for whom the check is made.
155 *
156 * @param string $tableName
157 * @param null $allGroups
158 * @param null $includedGroups
159 *
160 * @return array
161 * the ids of the groups for which the user has permissions
162 */
163 public static function group(
164 $type,
165 $contactID = NULL,
166 $tableName = 'civicrm_saved_search',
167 $allGroups = NULL,
168 $includedGroups = NULL
169 ) {
170 if ($contactID == NULL) {
171 $contactID = CRM_Core_Session::getLoggedInContactID();
172 }
173
174 if (!$contactID) {
175 // anonymous user
176 $contactID = 0;
177 }
178
179 return CRM_ACL_BAO_ACL::group($type, $contactID, $tableName, $allGroups, $includedGroups);
180 }
181
182 /**
183 * Check if the user has access to this group for operation $type
184 *
185 * @param int $type
186 * The type of permission needed.
187 * @param int $groupID
188 * @param int $contactID
189 * The contactID for whom the check is made.
190 * @param string $tableName
191 * @param null $allGroups
192 * @param null $includedGroups
193 * @param bool $flush
194 *
195 * @return array
196 * the ids of the groups for which the user has permissions
197 */
198 public static function groupPermission(
199 $type,
200 $groupID,
201 $contactID = NULL,
202 $tableName = 'civicrm_saved_search',
203 $allGroups = NULL,
204 $includedGroups = NULL,
205 $flush = FALSE
206 ) {
207
208 static $cache = array();
209 $groups = array();
210 //@todo this is pretty hacky!!!
211 //adding a way for unit tests to flush the cache
212 if ($flush) {
213 $cache = array();
214 return NULL;
215 }
216 if (!$contactID) {
217 $session = CRM_Core_Session::singleton();
218 $contactID = NULL;
219 if ($session->get('userID')) {
220 $contactID = $session->get('userID');
221 }
222 }
223
224 $key = "{$tableName}_{$type}_{$contactID}";
225 if (array_key_exists($key, $cache)) {
226 $groups = &$cache[$key];
227 }
228 else {
229 $groups = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
230 $cache[$key] = $groups;
231 }
232 if (empty($groups)) {
233 return FALSE;
234 }
235
236 return in_array($groupID, $groups) ? TRUE : FALSE;
237 }
238
239 }