CRM/ACL/API.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 5                                                  |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2019                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 /**
  29  *
  30  * @package CRM
  31  * @copyright CiviCRM LLC (c) 2004-2019
  32  */
  33 class CRM_ACL_API {
  34
  35   /**
  36    * The various type of permissions.
  37    *
  38    * @var int
  39    */
  40   const EDIT = 1;
  41   const VIEW = 2;
  42   const DELETE = 3;
  43   const CREATE = 4;
  44   const SEARCH = 5;
  45   const ALL = 6;
  46
  47   /**
  48    * Given a permission string, check for access requirements
  49    *
  50    * @param string $str
  51    *   The permission to check.
  52    * @param int $contactID
  53    *   The contactID for whom the check is made.
  54    *
  55    * @return bool
  56    *   true if yes, else false
  57    */
  58   public static function check($str, $contactID = NULL) {
  59     if ($contactID == NULL) {
  60       $contactID = CRM_Core_Session::getLoggedInContactID();
  61     }
  62
  63     if (!$contactID) {
  64       // anonymous user
  65       $contactID = 0;
  66     }
  67
  68     return CRM_ACL_BAO_ACL::check($str, $contactID);
  69   }
  70
  71   /**
  72    * Get the permissioned where clause for the user.
  73    *
  74    * @param int $type
  75    *   The type of permission needed.
  76    * @param array $tables
  77    *   (reference ) add the tables that are needed for the select clause.
  78    * @param array $whereTables
  79    *   (reference ) add the tables that are needed for the where clause.
  80    * @param int $contactID
  81    *   The contactID for whom the check is made.
  82    * @param bool $onlyDeleted
  83    *   Whether to include only deleted contacts.
  84    * @param bool $skipDeleteClause
  85    *   Don't add delete clause if this is true,.
  86    *   this means it is handled by generating query
  87    * @param bool $skipOwnContactClause
  88    *   Do not add 'OR contact_id = $userID' to the where clause.
  89    *   This is a hideously inefficient query and should be avoided
  90    *   wherever possible.
  91    *
  92    * @return string
  93    *   the group where clause for this user
  94    */
  95   public static function whereClause(
  96     $type,
  97     &$tables,
  98     &$whereTables,
  99     $contactID = NULL,
 100     $onlyDeleted = FALSE,
 101     $skipDeleteClause = FALSE,
 102     $skipOwnContactClause = FALSE
 103   ) {
 104     // the default value which is valid for the final AND
 105     $deleteClause = ' ( 1 ) ';
 106     if (!$skipDeleteClause) {
 107       if (CRM_Core_Permission::check('access deleted contacts') and $onlyDeleted) {
 108         $deleteClause = '(contact_a.is_deleted)';
 109       }
 110       else {
 111         // CRM-6181
 112         $deleteClause = '(contact_a.is_deleted = 0)';
 113       }
 114     }
 115
 116     if (!$contactID) {
 117       $contactID = CRM_Core_Session::getLoggedInContactID();
 118     }
 119     $contactID = (int) $contactID;
 120
 121     // first see if the contact has edit / view all permission
 122     if (CRM_Core_Permission::check('edit all contacts', $contactID) ||
 123       ($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID))
 124     ) {
 125       return $deleteClause;
 126     }
 127
 128     $whereClause = CRM_ACL_BAO_ACL::whereClause($type,
 129       $tables,
 130       $whereTables,
 131       $contactID
 132     );
 133     $where = implode(' AND ', [$whereClause, $deleteClause]);
 134
 135     // Add permission on self if we really hate our server or have hardly any contacts.
 136     if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') ||
 137         $type == self::VIEW && CRM_Core_Permission::check('view my contact'))
 138     ) {
 139       $where = "(contact_a.id = $contactID OR ($where))";
 140     }
 141     return $where;
 142   }
 143
 144   /**
 145    * Get all the groups the user has access to for the given operation.
 146    *
 147    * @param int $type
 148    *   The type of permission needed.
 149    * @param int $contactID
 150    *   The contactID for whom the check is made.
 151    *
 152    * @param string $tableName
 153    * @param null $allGroups
 154    * @param null $includedGroups
 155    *
 156    * @return array
 157    *   the ids of the groups for which the user has permissions
 158    */
 159   public static function group(
 160     $type,
 161     $contactID = NULL,
 162     $tableName = 'civicrm_saved_search',
 163     $allGroups = NULL,
 164     $includedGroups = NULL
 165   ) {
 166     if ($contactID == NULL) {
 167       $contactID = CRM_Core_Session::getLoggedInContactID();
 168     }
 169
 170     if (!$contactID) {
 171       // anonymous user
 172       $contactID = 0;
 173     }
 174
 175     return CRM_ACL_BAO_ACL::group($type, $contactID, $tableName, $allGroups, $includedGroups);
 176   }
 177
 178   /**
 179    * Check if the user has access to this group for operation $type
 180    *
 181    * @param int $type
 182    *   The type of permission needed.
 183    * @param int $groupID
 184    * @param int $contactID
 185    *   The contactID for whom the check is made.
 186    * @param string $tableName
 187    * @param null $allGroups
 188    * @param null $includedGroups
 189    *
 190    * @return bool
 191    */
 192   public static function groupPermission(
 193     $type,
 194     $groupID,
 195     $contactID = NULL,
 196     $tableName = 'civicrm_saved_search',
 197     $allGroups = NULL,
 198     $includedGroups = NULL
 199   ) {
 200
 201     if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) {
 202       Civi::$statics[__CLASS__]['group_permission'] = [];
 203     }
 204
 205     if (!$contactID) {
 206       $contactID = CRM_Core_Session::singleton()->getLoggedInContactID();
 207     }
 208
 209     $key = "{$tableName}_{$type}_{$contactID}";
 210     if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) {
 211       Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
 212     }
 213
 214     return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]);
 215   }
 216
 217 }