[REF] Simplify obtuse boolean expressions
[civicrm-core.git] / CRM / ACL / BAO / ACL.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17
18 /**
19 * Access Control List
20 */
21 class CRM_ACL_BAO_ACL extends CRM_ACL_DAO_ACL {
22 /**
23 * @var string
24 */
25 public static $_entityTable = NULL;
26 public static $_objectTable = NULL;
27 public static $_operation = NULL;
28
29 public static $_fieldKeys = NULL;
30
31 /**
32 * Get ACL entity table.
33 *
34 * @return array|null
35 */
36 public static function entityTable() {
37 CRM_Core_Error::deprecatedFunctionWarning('unused function to be removed');
38 if (!self::$_entityTable) {
39 self::$_entityTable = [
40 'civicrm_contact' => ts('Contact'),
41 'civicrm_acl_role' => ts('ACL Role'),
42 ];
43 }
44 return self::$_entityTable;
45 }
46
47 /**
48 * @return array|null
49 */
50 public static function objectTable() {
51 CRM_Core_Error::deprecatedFunctionWarning('unused function to be removed');
52 if (!self::$_objectTable) {
53 self::$_objectTable = [
54 'civicrm_contact' => ts('Contact'),
55 'civicrm_group' => ts('Group'),
56 'civicrm_saved_search' => ts('Contact Group'),
57 'civicrm_admin' => ts('Import'),
58 ];
59 }
60 return self::$_objectTable;
61 }
62
63 /**
64 * Available operations for pseudoconstant.
65 *
66 * @return array
67 */
68 public static function operation() {
69 if (!self::$_operation) {
70 self::$_operation = [
71 'View' => ts('View'),
72 'Edit' => ts('Edit'),
73 'Create' => ts('Create'),
74 'Delete' => ts('Delete'),
75 'Search' => ts('Search'),
76 'All' => ts('All'),
77 ];
78 }
79 return self::$_operation;
80 }
81
82 /**
83 * Given a table and id pair, return the filter clause
84 *
85 * @param string $table
86 * The table owning the object.
87 * @param int $id
88 * The ID of the object.
89 * @param array $tables
90 * Tables that will be needed in the FROM.
91 *
92 * @return string|null
93 * WHERE-style clause to filter results,
94 * or null if $table or $id is null
95 *
96 * @throws \CRM_Core_Exception
97 */
98 public static function getClause($table, $id, &$tables) {
99 CRM_Core_Error::deprecatedFunctionWarning('unused function to be removed');
100 $table = CRM_Utils_Type::escape($table, 'String');
101 $id = CRM_Utils_Type::escape($id, 'Integer');
102 $whereTables = [];
103
104 $ssTable = CRM_Contact_BAO_SavedSearch::getTableName();
105
106 if (empty($table)) {
107 return NULL;
108 }
109 elseif ($table == $ssTable) {
110 return CRM_Contact_BAO_SavedSearch::whereClause($id, $tables, $whereTables);
111 }
112 elseif (!empty($id)) {
113 $tables[$table] = TRUE;
114 return "$table.id = $id";
115 }
116 return NULL;
117 }
118
119 /**
120 * Construct an associative array of an ACL rule's properties
121 *
122 * @param string $format
123 * Sprintf format for array.
124 * @param bool $hideEmpty
125 * Only return elements that have a value set.
126 *
127 * @return array
128 * Assoc. array of the ACL rule's properties
129 */
130 public function toArray($format = '%s', $hideEmpty = FALSE) {
131 $result = [];
132
133 if (!self::$_fieldKeys) {
134 $fields = CRM_ACL_DAO_ACL::fields();
135 self::$_fieldKeys = array_keys($fields);
136 }
137
138 foreach (self::$_fieldKeys as $field) {
139 $result[$field] = $this->$field;
140 }
141 return $result;
142 }
143
144 /**
145 * Retrieve ACLs for a contact or group. Note that including a contact id
146 * without a group id will return those ACL rules which are granted
147 * directly to the contact, but not those granted to the contact through
148 * any/all of his group memberships.
149 *
150 * @param int $contact_id
151 * ID of a contact to search for.
152 *
153 * @return array
154 * Array of assoc. arrays of ACL rules
155 *
156 * @throws \CRM_Core_Exception
157 */
158 protected static function getACLs(int $contact_id) {
159 $results = [];
160
161 $rule = new CRM_ACL_BAO_ACL();
162
163 $contact = CRM_Contact_BAO_Contact::getTableName();
164
165 $query = " SELECT acl.*
166 FROM civicrm_acl acl
167 WHERE acl.entity_table = '$contact'
168 AND acl.entity_id = $contact_id";
169
170 $rule->query($query);
171
172 while ($rule->fetch()) {
173 $results[$rule->id] = $rule->toArray();
174 }
175
176 $results += self::getACLRoles($contact_id);
177
178 return $results;
179 }
180
181 /**
182 * Get all of the ACLs through ACL groups.
183 *
184 * @param int $contact_id
185 * ID of a contact to search for.
186 *
187 * @return array
188 * Array of assoc. arrays of ACL rules
189 *
190 * @throws \CRM_Core_Exception
191 */
192 protected static function getACLRoles($contact_id = NULL) {
193 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
194
195 $rule = new CRM_ACL_BAO_ACL();
196
197 $contact = CRM_Contact_BAO_Contact::getTableName();
198
199 $query = 'SELECT acl.* FROM civicrm_acl acl';
200 $where = ['acl.entity_table = "civicrm_acl_role" AND acl.entity_id IN (' . implode(',', array_keys(CRM_Core_OptionGroup::values('acl_role'))) . ')'];
201
202 if (!empty($contact_id)) {
203 $where[] = " acl.entity_table = '$contact' AND acl.is_active = 1 AND acl.entity_id = $contact_id";
204 }
205
206 $results = [];
207
208 $rule->query($query . ' WHERE ' . implode(' AND ', $where));
209
210 while ($rule->fetch()) {
211 $results[$rule->id] = $rule->toArray();
212 }
213
214 return $results;
215 }
216
217 /**
218 * Get all ACLs granted to a contact through all group memberships.
219 *
220 * @param int $contact_id
221 * The contact's ID.
222 * @param bool $aclRoles
223 * Include ACL Roles?.
224 *
225 * @return array
226 * Assoc array of ACL rules
227 * @throws \CRM_Core_Exception
228 */
229 protected static function getGroupACLs($contact_id, $aclRoles = FALSE) {
230 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
231
232 $rule = new CRM_ACL_BAO_ACL();
233
234 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
235 $group = CRM_Contact_BAO_Group::getTableName();
236 $results = [];
237
238 if ($contact_id) {
239 $query = "
240 SELECT acl.*
241 FROM civicrm_acl acl
242 INNER JOIN $c2g group_contact
243 ON acl.entity_id = group_contact.group_id
244 WHERE acl.entity_table = '$group'
245 AND group_contact.contact_id = $contact_id
246 AND group_contact.status = 'Added'";
247
248 $rule->query($query);
249
250 while ($rule->fetch()) {
251 $results[$rule->id] = $rule->toArray();
252 }
253 }
254
255 if ($aclRoles) {
256 $results += self::getGroupACLRoles($contact_id);
257 }
258
259 return $results;
260 }
261
262 /**
263 * Get all of the ACLs for a contact through ACL groups owned by Contact.
264 * groups.
265 *
266 * @param int $contact_id
267 * ID of a contact to search for.
268 *
269 * @return array
270 * Array of assoc. arrays of ACL rules
271 * @throws \CRM_Core_Exception
272 */
273 protected static function getGroupACLRoles($contact_id) {
274 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
275
276 $rule = new CRM_ACL_BAO_ACL();
277
278 $aclRole = 'civicrm_acl_role';
279
280 $aclER = CRM_ACL_DAO_EntityRole::getTableName();
281 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
282
283 $query = " SELECT acl.*
284 FROM civicrm_acl acl
285 INNER JOIN civicrm_option_group og
286 ON og.name = 'acl_role'
287 INNER JOIN civicrm_option_value ov
288 ON acl.entity_table = '$aclRole'
289 AND ov.option_group_id = og.id
290 AND acl.entity_id = ov.value
291 AND ov.is_active = 1
292 INNER JOIN $aclER
293 ON $aclER.acl_role_id = acl.entity_id
294 AND $aclER.is_active = 1
295 INNER JOIN $c2g
296 ON $aclER.entity_id = $c2g.group_id
297 AND $aclER.entity_table = 'civicrm_group'
298 WHERE acl.entity_table = '$aclRole'
299 AND acl.is_active = 1
300 AND $c2g.contact_id = $contact_id
301 AND $c2g.status = 'Added'";
302
303 $results = [];
304
305 $rule->query($query);
306
307 while ($rule->fetch()) {
308 $results[$rule->id] = $rule->toArray();
309 }
310
311 // also get all acls for "Any Role" case
312 // and authenticated User Role if present
313 $roles = "0";
314 $session = CRM_Core_Session::singleton();
315 if ($session->get('ufID') > 0) {
316 $roles .= ",2";
317 }
318
319 $query = "
320 SELECT acl.*
321 FROM civicrm_acl acl
322 WHERE acl.entity_id IN ( $roles )
323 AND acl.entity_table = 'civicrm_acl_role'
324 ";
325
326 $rule->query($query);
327 while ($rule->fetch()) {
328 $results[$rule->id] = $rule->toArray();
329 }
330
331 return $results;
332 }
333
334 /**
335 * Get all ACLs owned by a given contact, including domain and group-level.
336 *
337 * @param int $contact_id
338 * The contact ID.
339 *
340 * @return array
341 * Assoc array of ACL rules
342 *
343 * @throws \CRM_Core_Exception
344 */
345 public static function getAllByContact($contact_id) {
346 $result = [];
347
348 /* First, the contact-specific ACLs, including ACL Roles */
349 if ($contact_id) {
350 $result += self::getACLs((int) $contact_id);
351 }
352
353 /* Then, all ACLs granted through group membership */
354 $result += self::getGroupACLs($contact_id, TRUE);
355
356 return $result;
357 }
358
359 /**
360 * @param array $params
361 *
362 * @return CRM_ACL_DAO_ACL
363 */
364 public static function create($params) {
365 $dao = new CRM_ACL_DAO_ACL();
366 $dao->copyValues($params);
367 $dao->save();
368 return $dao;
369 }
370
371 /**
372 * @param array $params
373 * @param array $defaults
374 */
375 public static function retrieve(&$params, &$defaults) {
376 CRM_Core_DAO::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults);
377 }
378
379 /**
380 * Update the is_active flag in the db.
381 *
382 * @param int $id
383 * Id of the database record.
384 * @param bool $is_active
385 * Value we want to set the is_active field.
386 *
387 * @return bool
388 * true if we found and updated the object, else false
389 */
390 public static function setIsActive($id, $is_active) {
391 Civi::cache('fields')->flush();
392 // reset ACL and system caches.
393 CRM_Core_BAO_Cache::resetCaches();
394
395 return CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active);
396 }
397
398 /**
399 * @param $str
400 * @param int $contactID
401 *
402 * @return bool
403 */
404 public static function check($str, $contactID) {
405
406 $acls = CRM_ACL_BAO_Cache::build($contactID);
407
408 $aclKeys = array_keys($acls);
409 $aclKeys = implode(',', $aclKeys);
410
411 if (empty($aclKeys)) {
412 return FALSE;
413 }
414
415 $query = "
416 SELECT count( a.id )
417 FROM civicrm_acl_cache c, civicrm_acl a
418 WHERE c.acl_id = a.id
419 AND a.is_active = 1
420 AND a.object_table = %1
421 AND a.id IN ( $aclKeys )
422 ";
423 $params = [1 => [$str, 'String']];
424
425 $count = CRM_Core_DAO::singleValueQuery($query, $params);
426 return (bool) $count;
427 }
428
429 /**
430 * @param $type
431 * @param $tables
432 * @param $whereTables
433 * @param int $contactID
434 *
435 * @return null|string
436 */
437 public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) {
438 $acls = CRM_ACL_BAO_Cache::build($contactID);
439
440 $whereClause = NULL;
441 $clauses = [];
442
443 if (!empty($acls)) {
444 $aclKeys = array_keys($acls);
445 $aclKeys = implode(',', $aclKeys);
446
447 $query = "
448 SELECT a.operation, a.object_id
449 FROM civicrm_acl_cache c, civicrm_acl a
450 WHERE c.acl_id = a.id
451 AND a.is_active = 1
452 AND a.object_table = 'civicrm_saved_search'
453 AND a.id IN ( $aclKeys )
454 ORDER BY a.object_id
455 ";
456
457 $dao = CRM_Core_DAO::executeQuery($query);
458
459 // do an or of all the where clauses u see
460 $ids = [];
461 while ($dao->fetch()) {
462 // make sure operation matches the type TODO
463 if (self::matchType($type, $dao->operation)) {
464 if (!$dao->object_id) {
465 $ids = [];
466 $whereClause = ' ( 1 ) ';
467 break;
468 }
469 $ids[] = $dao->object_id;
470 }
471 }
472
473 if (!empty($ids)) {
474 $ids = implode(',', $ids);
475 $query = "
476 SELECT g.*
477 FROM civicrm_group g
478 WHERE g.id IN ( $ids )
479 AND g.is_active = 1
480 ";
481 $dao = CRM_Core_DAO::executeQuery($query);
482 $groupIDs = [];
483 $groupContactCacheClause = FALSE;
484 while ($dao->fetch()) {
485 $groupIDs[] = $dao->id;
486
487 if (($dao->saved_search_id || $dao->children || $dao->parents)) {
488 if ($dao->cache_date == NULL) {
489 CRM_Contact_BAO_GroupContactCache::load($dao);
490 }
491 $groupContactCacheClause = " UNION SELECT contact_id FROM civicrm_group_contact_cache WHERE group_id IN (" . implode(', ', $groupIDs) . ")";
492 }
493
494 }
495
496 if ($groupIDs) {
497 $clauses[] = "(
498 `contact_a`.id IN (
499 SELECT contact_id FROM civicrm_group_contact WHERE group_id IN (" . implode(', ', $groupIDs) . ") AND status = 'Added'
500 $groupContactCacheClause
501 )
502 )";
503 }
504 }
505 }
506
507 if (!empty($clauses)) {
508 $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
509 }
510
511 // call the hook to get additional whereClauses
512 CRM_Utils_Hook::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause);
513
514 if (empty($whereClause)) {
515 $whereClause = ' ( 0 ) ';
516 }
517
518 return $whereClause;
519 }
520
521 /**
522 * @param int $type
523 * @param int $contactID
524 * @param string $tableName
525 * @param null $allGroups
526 * @param null $includedGroups
527 *
528 * @return array
529 */
530 public static function group(
531 $type,
532 $contactID = NULL,
533 $tableName = 'civicrm_saved_search',
534 $allGroups = NULL,
535 $includedGroups = NULL
536 ) {
537 $userCacheKey = "{$contactID}_{$type}_{$tableName}_" . CRM_Core_Config::domainID() . '_' . md5(implode(',', array_merge((array) $allGroups, (array) $includedGroups)));
538 if (empty(Civi::$statics[__CLASS__]['permissioned_groups'])) {
539 Civi::$statics[__CLASS__]['permissioned_groups'] = [];
540 }
541 if (!empty(Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey])) {
542 return Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey];
543 }
544
545 if ($allGroups == NULL) {
546 $allGroups = CRM_Contact_BAO_Contact::buildOptions('group_id', NULL, ['onlyActive' => FALSE]);
547 }
548
549 $acls = CRM_ACL_BAO_Cache::build($contactID);
550
551 $ids = [];
552 if (!empty($acls)) {
553 $aclKeys = array_keys($acls);
554 $aclKeys = implode(',', $aclKeys);
555
556 $cacheKey = CRM_Utils_Cache::cleanKey("$tableName-$aclKeys");
557 $cache = CRM_Utils_Cache::singleton();
558 $ids = $cache->get($cacheKey);
559 if (!$ids) {
560 $ids = [];
561 $query = "
562 SELECT a.operation, a.object_id
563 FROM civicrm_acl_cache c, civicrm_acl a
564 WHERE c.acl_id = a.id
565 AND a.is_active = 1
566 AND a.object_table = %1
567 AND a.id IN ( $aclKeys )
568 GROUP BY a.operation,a.object_id
569 ORDER BY a.object_id
570 ";
571 $params = [1 => [$tableName, 'String']];
572 $dao = CRM_Core_DAO::executeQuery($query, $params);
573 while ($dao->fetch()) {
574 if ($dao->object_id) {
575 if (self::matchType($type, $dao->operation)) {
576 $ids[] = $dao->object_id;
577 }
578 }
579 else {
580 // this user has got the permission for all objects of this type
581 // check if the type matches
582 if (self::matchType($type, $dao->operation)) {
583 foreach ($allGroups as $id => $dontCare) {
584 $ids[] = $id;
585 }
586 }
587 break;
588 }
589 }
590 $cache->set($cacheKey, $ids);
591 }
592 }
593
594 if (empty($ids) && !empty($includedGroups) &&
595 is_array($includedGroups)
596 ) {
597 $ids = $includedGroups;
598 }
599 if ($contactID) {
600 $groupWhere = '';
601 if (!empty($allGroups)) {
602 $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
603 }
604 // Contacts create hidden groups from search results. They should be able to retrieve their own.
605 $ownHiddenGroupsList = CRM_Core_DAO::singleValueQuery("
606 SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
607 $groupWhere
608 ");
609 if ($ownHiddenGroupsList) {
610 $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
611 $ids = array_merge((array) $ids, $ownHiddenGroups);
612 }
613
614 }
615
616 CRM_Utils_Hook::aclGroup($type, $contactID, $tableName, $allGroups, $ids);
617 Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey] = $ids;
618 return $ids;
619 }
620
621 /**
622 * @param int $type
623 * @param $operation
624 *
625 * @return bool
626 */
627 protected static function matchType($type, $operation) {
628 $typeCheck = FALSE;
629 switch ($operation) {
630 case 'All':
631 $typeCheck = TRUE;
632 break;
633
634 case 'View':
635 if ($type == CRM_ACL_API::VIEW) {
636 $typeCheck = TRUE;
637 }
638 break;
639
640 case 'Edit':
641 if ($type == CRM_ACL_API::VIEW || $type == CRM_ACL_API::EDIT) {
642 $typeCheck = TRUE;
643 }
644 break;
645
646 case 'Create':
647 if ($type == CRM_ACL_API::CREATE) {
648 $typeCheck = TRUE;
649 }
650 break;
651
652 case 'Delete':
653 if ($type == CRM_ACL_API::DELETE) {
654 $typeCheck = TRUE;
655 }
656 break;
657
658 case 'Search':
659 if ($type == CRM_ACL_API::SEARCH) {
660 $typeCheck = TRUE;
661 }
662 break;
663 }
664 return $typeCheck;
665 }
666
667 /**
668 * Delete ACL records.
669 *
670 * @param int $aclId
671 * ID of the ACL record to be deleted.
672 *
673 */
674 public static function del($aclId) {
675 // delete all entries from the acl cache
676 CRM_ACL_BAO_Cache::resetCache();
677
678 $acl = new CRM_ACL_DAO_ACL();
679 $acl->id = $aclId;
680 $acl->delete();
681 }
682
683 }