3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
21 class CRM_ACL_BAO_ACL
extends CRM_ACL_DAO_ACL
{
25 public static $_entityTable = NULL;
26 public static $_objectTable = NULL;
27 public static $_operation = NULL;
29 public static $_fieldKeys = NULL;
32 * Available operations for pseudoconstant.
36 public static function operation() {
37 if (!self
::$_operation) {
41 'Create' => ts('Create'),
42 'Delete' => ts('Delete'),
43 'Search' => ts('Search'),
47 return self
::$_operation;
51 * Construct an associative array of an ACL rule's properties
53 * @param string $format
54 * Sprintf format for array.
55 * @param bool $hideEmpty
56 * Only return elements that have a value set.
59 * Assoc. array of the ACL rule's properties
61 public function toArray($format = '%s', $hideEmpty = FALSE) {
64 if (!self
::$_fieldKeys) {
65 $fields = CRM_ACL_DAO_ACL
::fields();
66 self
::$_fieldKeys = array_keys($fields);
69 foreach (self
::$_fieldKeys as $field) {
70 $result[$field] = $this->$field;
76 * Retrieve ACLs for a contact or group. Note that including a contact id
77 * without a group id will return those ACL rules which are granted
78 * directly to the contact, but not those granted to the contact through
79 * any/all of his group memberships.
81 * @param int $contact_id
82 * ID of a contact to search for.
85 * Array of assoc. arrays of ACL rules
87 * @throws \CRM_Core_Exception
89 protected static function getACLs(int $contact_id) {
92 $rule = new CRM_ACL_BAO_ACL();
94 $contact = CRM_Contact_BAO_Contact
::getTableName();
96 $query = " SELECT acl.*
98 WHERE acl.entity_table = '$contact'
99 AND acl.entity_id = $contact_id";
101 $rule->query($query);
103 while ($rule->fetch()) {
104 $results[$rule->id
] = $rule->toArray();
107 $results +
= self
::getACLRoles($contact_id);
113 * Get all of the ACLs through ACL groups.
115 * @param int $contact_id
116 * ID of a contact to search for.
119 * Array of assoc. arrays of ACL rules
121 * @throws \CRM_Core_Exception
123 protected static function getACLRoles($contact_id = NULL) {
124 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
126 $rule = new CRM_ACL_BAO_ACL();
128 $contact = CRM_Contact_BAO_Contact
::getTableName();
130 $query = 'SELECT acl.* FROM civicrm_acl acl';
131 $where = ['acl.entity_table = "civicrm_acl_role" AND acl.entity_id IN (' . implode(',', array_keys(CRM_Core_OptionGroup
::values('acl_role'))) . ')'];
133 if (!empty($contact_id)) {
134 $where[] = " acl.entity_table = '$contact' AND acl.is_active = 1 AND acl.entity_id = $contact_id";
139 $rule->query($query . ' WHERE ' . implode(' AND ', $where));
141 while ($rule->fetch()) {
142 $results[$rule->id
] = $rule->toArray();
149 * Get all ACLs granted to a contact through all group memberships.
151 * @param int $contact_id
153 * @param bool $aclRoles
154 * Include ACL Roles?.
157 * Assoc array of ACL rules
158 * @throws \CRM_Core_Exception
160 protected static function getGroupACLs($contact_id, $aclRoles = FALSE) {
161 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
163 $rule = new CRM_ACL_BAO_ACL();
165 $c2g = CRM_Contact_BAO_GroupContact
::getTableName();
166 $group = CRM_Contact_BAO_Group
::getTableName();
173 INNER JOIN $c2g group_contact
174 ON acl.entity_id = group_contact.group_id
175 WHERE acl.entity_table = '$group'
176 AND group_contact.contact_id = $contact_id
177 AND group_contact.status = 'Added'";
179 $rule->query($query);
181 while ($rule->fetch()) {
182 $results[$rule->id
] = $rule->toArray();
187 $results +
= self
::getGroupACLRoles($contact_id);
194 * Get all of the ACLs for a contact through ACL groups owned by Contact.
197 * @param int $contact_id
198 * ID of a contact to search for.
201 * Array of assoc. arrays of ACL rules
202 * @throws \CRM_Core_Exception
204 protected static function getGroupACLRoles($contact_id) {
205 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
207 $query = " SELECT acl.*
209 INNER JOIN civicrm_option_group og
210 ON og.name = 'acl_role'
211 INNER JOIN civicrm_option_value ov
212 ON acl.entity_table = 'civicrm_acl_role'
213 AND ov.option_group_id = og.id
214 AND acl.entity_id = ov.value
216 INNER JOIN civicrm_acl_entity_role acl_entity_role
217 ON acl_entity_role.acl_role_id = acl.entity_id
218 AND acl_entity_role.is_active = 1
219 INNER JOIN civicrm_group_contact group_contact
220 ON acl_entity_role.entity_id = group_contact.group_id
221 AND acl_entity_role.entity_table = 'civicrm_group'
222 WHERE acl.entity_table = 'civicrm_acl_role'
223 AND acl.is_active = 1
224 AND group_contact.contact_id = $contact_id
225 AND group_contact.status = 'Added'";
229 $rule = CRM_Core_DAO
::executeQuery($query);
231 while ($rule->fetch()) {
232 $results[$rule->id
] = $rule->toArray();
235 // also get all acls for "Any Role" case
236 // and authenticated User Role if present
238 $session = CRM_Core_Session
::singleton();
239 if ($session->get('ufID') > 0) {
246 WHERE acl.entity_id IN ( $roles )
247 AND acl.entity_table = 'civicrm_acl_role'
250 $rule = CRM_Core_DAO
::executeQuery($query);
251 while ($rule->fetch()) {
252 $results[$rule->id
] = $rule->toArray();
259 * Get all ACLs owned by a given contact, including domain and group-level.
261 * @param int $contact_id
265 * Assoc array of ACL rules
267 * @throws \CRM_Core_Exception
269 public static function getAllByContact($contact_id) {
272 /* First, the contact-specific ACLs, including ACL Roles */
274 $result +
= self
::getACLs((int) $contact_id);
277 /* Then, all ACLs granted through group membership */
278 $result +
= self
::getGroupACLs($contact_id, TRUE);
284 * @param array $params
286 * @return CRM_ACL_DAO_ACL
288 public static function create($params) {
289 $dao = new CRM_ACL_DAO_ACL();
290 $dao->copyValues($params);
296 * @param array $params
297 * @param array $defaults
299 public static function retrieve(&$params, &$defaults) {
300 CRM_Core_DAO
::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults);
304 * Update the is_active flag in the db.
307 * Id of the database record.
308 * @param bool $is_active
309 * Value we want to set the is_active field.
312 * true if we found and updated the object, else false
314 public static function setIsActive($id, $is_active) {
315 Civi
::cache('fields')->flush();
316 // reset ACL and system caches.
317 CRM_Core_BAO_Cache
::resetCaches();
319 return CRM_Core_DAO
::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active);
324 * @param int $contactID
328 public static function check($str, $contactID) {
330 $acls = CRM_ACL_BAO_Cache
::build($contactID);
332 $aclKeys = array_keys($acls);
333 $aclKeys = implode(',', $aclKeys);
335 if (empty($aclKeys)) {
341 FROM civicrm_acl_cache c, civicrm_acl a
342 WHERE c.acl_id = a.id
344 AND a.object_table = %1
345 AND a.id IN ( $aclKeys )
347 $params = [1 => [$str, 'String']];
349 $count = CRM_Core_DAO
::singleValueQuery($query, $params);
350 return (bool) $count;
356 * @param $whereTables
357 * @param int $contactID
359 * @return null|string
361 public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) {
362 $acls = CRM_ACL_BAO_Cache
::build($contactID);
368 $aclKeys = array_keys($acls);
369 $aclKeys = implode(',', $aclKeys);
372 SELECT a.operation, a.object_id
373 FROM civicrm_acl_cache c, civicrm_acl a
374 WHERE c.acl_id = a.id
376 AND a.object_table = 'civicrm_saved_search'
377 AND a.id IN ( $aclKeys )
381 $dao = CRM_Core_DAO
::executeQuery($query);
383 // do an or of all the where clauses u see
385 while ($dao->fetch()) {
386 // make sure operation matches the type TODO
387 if (self
::matchType($type, $dao->operation
)) {
388 if (!$dao->object_id
) {
390 $whereClause = ' ( 1 ) ';
393 $ids[] = $dao->object_id
;
398 $ids = implode(',', $ids);
402 WHERE g.id IN ( $ids )
405 $dao = CRM_Core_DAO
::executeQuery($query);
407 $groupContactCacheClause = FALSE;
408 while ($dao->fetch()) {
409 $groupIDs[] = $dao->id
;
411 if (($dao->saved_search_id ||
$dao->children ||
$dao->parents
)) {
412 if ($dao->cache_date
== NULL) {
413 CRM_Contact_BAO_GroupContactCache
::load($dao);
415 $groupContactCacheClause = " UNION SELECT contact_id FROM civicrm_group_contact_cache WHERE group_id IN (" . implode(', ', $groupIDs) . ")";
423 SELECT contact_id FROM civicrm_group_contact WHERE group_id IN (" . implode(', ', $groupIDs) . ") AND status = 'Added'
424 $groupContactCacheClause
431 if (!empty($clauses)) {
432 $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
435 // call the hook to get additional whereClauses
436 CRM_Utils_Hook
::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause);
438 if (empty($whereClause)) {
439 $whereClause = ' ( 0 ) ';
447 * @param int $contactID
448 * @param string $tableName
449 * @param null $allGroups
450 * @param null $includedGroups
454 public static function group(
457 $tableName = 'civicrm_saved_search',
459 $includedGroups = NULL
461 $userCacheKey = "{$contactID}_{$type}_{$tableName}_" . CRM_Core_Config
::domainID() . '_' . md5(implode(',', array_merge((array) $allGroups, (array) $includedGroups)));
462 if (empty(Civi
::$statics[__CLASS__
]['permissioned_groups'])) {
463 Civi
::$statics[__CLASS__
]['permissioned_groups'] = [];
465 if (!empty(Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey])) {
466 return Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey];
469 if ($allGroups == NULL) {
470 $allGroups = CRM_Contact_BAO_Contact
::buildOptions('group_id', 'get');
473 $acls = CRM_ACL_BAO_Cache
::build($contactID);
477 $aclKeys = array_keys($acls);
478 $aclKeys = implode(',', $aclKeys);
480 $cacheKey = CRM_Utils_Cache
::cleanKey("$type-$tableName-$aclKeys");
481 $cache = CRM_Utils_Cache
::singleton();
482 $ids = $cache->get($cacheKey);
483 if (!is_array($ids)) {
486 SELECT a.operation, a.object_id
487 FROM civicrm_acl_cache c, civicrm_acl a
488 WHERE c.acl_id = a.id
490 AND a.object_table = %1
491 AND a.id IN ( $aclKeys )
492 GROUP BY a.operation,a.object_id
495 $params = [1 => [$tableName, 'String']];
496 $dao = CRM_Core_DAO
::executeQuery($query, $params);
497 while ($dao->fetch()) {
498 if ($dao->object_id
) {
499 if (self
::matchType($type, $dao->operation
)) {
500 $ids[] = $dao->object_id
;
504 // this user has got the permission for all objects of this type
505 // check if the type matches
506 if (self
::matchType($type, $dao->operation
)) {
507 foreach ($allGroups as $id => $dontCare) {
514 $cache->set($cacheKey, $ids);
518 if (empty($ids) && !empty($includedGroups) &&
519 is_array($includedGroups)
521 $ids = $includedGroups;
525 if (!empty($allGroups)) {
526 $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
528 // Contacts create hidden groups from search results. They should be able to retrieve their own.
529 $ownHiddenGroupsList = CRM_Core_DAO
::singleValueQuery("
530 SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
533 if ($ownHiddenGroupsList) {
534 $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
535 $ids = array_merge((array) $ids, $ownHiddenGroups);
540 CRM_Utils_Hook
::aclGroup($type, $contactID, $tableName, $allGroups, $ids);
541 Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey] = $ids;
551 protected static function matchType($type, $operation) {
553 switch ($operation) {
559 if ($type == CRM_ACL_API
::VIEW
) {
565 if ($type == CRM_ACL_API
::VIEW ||
$type == CRM_ACL_API
::EDIT
) {
571 if ($type == CRM_ACL_API
::CREATE
) {
577 if ($type == CRM_ACL_API
::DELETE
) {
583 if ($type == CRM_ACL_API
::SEARCH
) {
592 * Delete ACL records.
595 * ID of the ACL record to be deleted.
598 public static function del($aclId) {
599 // delete all entries from the acl cache
600 CRM_ACL_BAO_Cache
::resetCache();
602 $acl = new CRM_ACL_DAO_ACL();