3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
21 class CRM_ACL_BAO_ACL
extends CRM_ACL_DAO_ACL
{
25 public static $_entityTable = NULL;
26 public static $_objectTable = NULL;
27 public static $_operation = NULL;
29 public static $_fieldKeys = NULL;
32 * Get ACL entity table.
/**
 * Return the map of ACL entity tables to their display labels.
 *
 * Every call first reports the function as deprecated through
 * CRM_Core_Error::deprecatedFunctionWarning(). The map is built on first
 * use and kept in self::$_entityTable for later calls.
 *
 * @return array
 *   Table name => label passed through ts().
 */
public static function entityTable() {
  CRM_Core_Error::deprecatedFunctionWarning('unused function to be removed');
  if (self::$_entityTable) {
    // Already populated by an earlier call.
    return self::$_entityTable;
  }
  $labelsByTable = [];
  $labelsByTable['civicrm_contact'] = ts('Contact');
  $labelsByTable['civicrm_acl_role'] = ts('ACL Role');
  self::$_entityTable = $labelsByTable;
  return self::$_entityTable;
}
/**
 * Return the map of ACL object tables to their display labels.
 *
 * Every call first reports the function as deprecated through
 * CRM_Core_Error::deprecatedFunctionWarning(). The map is built on first
 * use and kept in self::$_objectTable for later calls.
 *
 * @return array
 *   Table name => label passed through ts().
 */
public static function objectTable() {
  CRM_Core_Error::deprecatedFunctionWarning('unused function to be removed');
  if (self::$_objectTable) {
    // Already populated by an earlier call.
    return self::$_objectTable;
  }
  $labelsByTable = [];
  $labelsByTable['civicrm_contact'] = ts('Contact');
  $labelsByTable['civicrm_group'] = ts('Group');
  $labelsByTable['civicrm_saved_search'] = ts('Contact Group');
  $labelsByTable['civicrm_admin'] = ts('Import');
  self::$_objectTable = $labelsByTable;
  return self::$_objectTable;
}
64 * Available operations for pseudoconstant.
68 public static function operation() {
69 if (!self
::$_operation) {
73 'Create' => ts('Create'),
74 'Delete' => ts('Delete'),
75 'Search' => ts('Search'),
79 return self
::$_operation;
83 * Given a table and id pair, return the filter clause
85 * @param string $table
86 * The table owning the object.
88 * The ID of the object.
89 * @param array $tables
90 * Tables that will be needed in the FROM.
93 * WHERE-style clause to filter results,
94 * or null if $table or $id is null
96 * @throws \CRM_Core_Exception
98 public static function getClause($table, $id, &$tables) {
// Deprecated helper: reports itself as unused, then builds a WHERE-style
// fragment for the given table/id pair. Some branches sit on lines that
// are not shown in this listing.
99 CRM_Core_Error
::deprecatedFunctionWarning('unused function to be removed');
100 $table = CRM_Utils_Type
::escape($table, 'String');
101 $id = CRM_Utils_Type
::escape($id, 'Integer');
// Both inputs pass through CRM_Utils_Type::escape() before reaching SQL text.
// NOTE(review): 'String' escaping presumably targets values placed inside a
// quoted literal, but $table is interpolated further down as a bare
// identifier, where quote-escaping gives no protection. Confirm that callers
// only ever pass trusted table names.
104 $ssTable = CRM_Contact_BAO_SavedSearch
::getTableName();
109 elseif ($table == $ssTable) {
110 return CRM_Contact_BAO_SavedSearch
::whereClause($id, $tables, $whereTables);
112 elseif (!empty($id)) {
113 $tables[$table] = TRUE;
// $table and $id are interpolated directly into the returned fragment;
// $id was validated as 'Integer' above.
114 return "$table.id = $id";
120 * Construct an associative array of an ACL rule's properties
122 * @param string $format
123 * Sprintf format for array.
124 * @param bool $hideEmpty
125 * Only return elements that have a value set.
128 * Assoc. array of the ACL rule's properties
130 public function toArray($format = '%s', $hideEmpty = FALSE) {
133 if (!self
::$_fieldKeys) {
134 $fields = CRM_ACL_DAO_ACL
::fields();
135 self
::$_fieldKeys = array_keys($fields);
138 foreach (self
::$_fieldKeys as $field) {
139 $result[$field] = $this->$field;
145 * Retrieve ACLs for a contact or group. Note that including a contact id
146 * without a group id will return those ACL rules which are granted
147 * directly to the contact, but not those granted to the contact through
148 * any/all of his group memberships.
150 * @param int $contact_id
151 * ID of a contact to search for.
154 * Array of assoc. arrays of ACL rules
156 * @throws \CRM_Core_Exception
158 protected static function getACLs($contact_id = NULL) {
// Collects ACL rows for a contact, keyed by ACL id, then adds the rows
// returned by getACLRoles(). Parts of the body are not shown in this listing.
161 if (empty($contact_id)) {
165 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
// $contact_id is validated as 'Integer' here because it is interpolated
// into the query text below rather than bound as a parameter.
167 $rule = new CRM_ACL_BAO_ACL();
169 $acl = self
::getTableName();
170 $contact = CRM_Contact_BAO_Contact
::getTableName();
172 $query = " SELECT acl.*
175 if (!empty($contact_id)) {
176 $query .= " WHERE acl.entity_table = '$contact'
177 AND acl.entity_id = $contact_id";
180 $rule->query($query);
182 while ($rule->fetch()) {
183 $results[$rule->id
] = $rule->toArray();
// Array union: assuming $results is an array at this point, entries already
// present keep their value when getACLRoles() returns the same ACL id.
186 $results +
= self
::getACLRoles($contact_id);
192 * Get all of the ACLs through ACL groups.
194 * @param int $contact_id
195 * ID of a contact to search for.
198 * Array of assoc. arrays of ACL rules
200 * @throws \CRM_Core_Exception
202 protected static function getACLRoles($contact_id = NULL) {
// Collects ACL rows attached to ACL roles, keyed by ACL id. Parts of the
// body are not shown in this listing.
203 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
// $contact_id is validated as 'Integer' because it is interpolated into the
// WHERE text below.
205 $rule = new CRM_ACL_BAO_ACL();
207 $contact = CRM_Contact_BAO_Contact
::getTableName();
209 $query = 'SELECT acl.* FROM civicrm_acl acl';
210 $where = ['acl.entity_table = "civicrm_acl_role" AND acl.entity_id IN (' . implode(',', array_keys(CRM_Core_OptionGroup
::values('acl_role'))) . ')'];
// The IN list is built from the keys of CRM_Core_OptionGroup::values('acl_role')
// and joined into the SQL text without casting or escaping.
// NOTE(review): presumably these keys are numeric option values; confirm,
// and confirm the list can never be empty, since that would yield "IN ()".
212 if (!empty($contact_id)) {
213 $where[] = " acl.entity_table = '$contact' AND acl.is_active = 1 AND acl.entity_id = $contact_id";
// All entries of $where are joined with AND.
// NOTE(review): when $contact_id is set, a row must have entity_table equal
// to both "civicrm_acl_role" and '$contact'; unless those are the same table
// name no row can match. Confirm the intent against the lines not shown here.
218 $rule->query($query . ' WHERE ' . implode(' AND ', $where));
220 while ($rule->fetch()) {
221 $results[$rule->id
] = $rule->toArray();
228 * Get all ACLs granted to a contact through all group memberships.
230 * @param int $contact_id
232 * @param bool $aclRoles
233 * Include ACL Roles?.
236 * Assoc array of ACL rules
237 * @throws \CRM_Core_Exception
239 protected static function getGroupACLs($contact_id, $aclRoles = FALSE) {
// Collects ACL rows granted to the contact through group membership, keyed
// by ACL id. Parts of the body are not shown in this listing.
240 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
// $contact_id is validated as 'Integer' because it is interpolated into the
// query text below rather than bound as a parameter.
242 $rule = new CRM_ACL_BAO_ACL();
244 $acl = self
::getTableName();
245 $c2g = CRM_Contact_BAO_GroupContact
::getTableName();
246 $group = CRM_Contact_BAO_Group
::getTableName();
253 INNER JOIN $c2g group_contact
254 ON acl.entity_id = group_contact.group_id
255 WHERE acl.entity_table = '$group'
256 AND group_contact.contact_id = $contact_id
257 AND group_contact.status = 'Added'";
// Only memberships with status 'Added' are joined, so other membership
// states do not grant ACLs through this query.
259 $rule->query($query);
261 while ($rule->fetch()) {
262 $results[$rule->id
] = $rule->toArray();
// Array union: assuming $results is an array at this point, entries already
// present keep their value when getGroupACLRoles() returns the same ACL id.
267 $results +
= self
::getGroupACLRoles($contact_id);
274 * Get all of the ACLs for a contact through ACL groups owned by Contact.
277 * @param int $contact_id
278 * ID of a contact to search for.
281 * Array of assoc. arrays of ACL rules
282 * @throws \CRM_Core_Exception
284 protected static function getGroupACLRoles($contact_id) {
285 $contact_id = CRM_Utils_Type
::escape($contact_id, 'Integer');
287 $rule = new CRM_ACL_BAO_ACL();
289 $acl = self
::getTableName();
290 $aclRole = 'civicrm_acl_role';
292 $aclER = CRM_ACL_DAO_EntityRole
::getTableName();
293 $c2g = CRM_Contact_BAO_GroupContact
::getTableName();
295 $query = " SELECT acl.*
297 INNER JOIN civicrm_option_group og
298 ON og.name = 'acl_role'
299 INNER JOIN civicrm_option_value ov
300 ON acl.entity_table = '$aclRole'
301 AND ov.option_group_id = og.id
302 AND acl.entity_id = ov.value
305 ON $aclER.acl_role_id = acl.entity_id
306 AND $aclER.is_active = 1
308 ON $aclER.entity_id = $c2g.group_id
309 AND $aclER.entity_table = 'civicrm_group'
310 WHERE acl.entity_table = '$aclRole'
311 AND acl.is_active = 1
312 AND $c2g.contact_id = $contact_id
313 AND $c2g.status = 'Added'";
317 $rule->query($query);
319 while ($rule->fetch()) {
320 $results[$rule->id
] = $rule->toArray();
323 // also get all acls for "Any Role" case
324 // and authenticated User Role if present
326 $session = CRM_Core_Session
::singleton();
327 if ($session->get('ufID') > 0) {
334 WHERE acl.entity_id IN ( $roles )
335 AND acl.entity_table = 'civicrm_acl_role'
338 $rule->query($query);
339 while ($rule->fetch()) {
340 $results[$rule->id
] = $rule->toArray();
347 * Get all ACLs owned by a given contact, including domain and group-level.
349 * @param int $contact_id
353 * Assoc array of ACL rules
355 * @throws \CRM_Core_Exception
357 public static function getAllByContact($contact_id) {
360 /* First, the contact-specific ACLs, including ACL Roles */
361 $result +
= self
::getACLs($contact_id);
363 /* Then, all ACLs granted through group membership */
364 $result +
= self
::getGroupACLs($contact_id, TRUE);
370 * @param array $params
372 * @return CRM_ACL_DAO_ACL
374 public static function create($params) {
375 $dao = new CRM_ACL_DAO_ACL();
376 $dao->copyValues($params);
382 * @param array $params
383 * @param array $defaults
/**
 * Delegate to CRM_Core_DAO::commonRetrieve() for the CRM_ACL_DAO_ACL class.
 *
 * Nothing is returned from this method.
 *
 * @param array $params
 *   Handed to commonRetrieve() by reference.
 * @param array $defaults
 *   Handed to commonRetrieve() by reference; presumably filled with the
 *   values of the record that was found (confirm against commonRetrieve()).
 */
public static function retrieve(&$params, &$defaults) {
  // Name of the DAO class commonRetrieve() is asked to work with.
  $daoName = 'CRM_ACL_DAO_ACL';
  CRM_Core_DAO::commonRetrieve($daoName, $params, $defaults);
}
390 * Update the is_active flag in the db.
393 * Id of the database record.
394 * @param bool $is_active
395 * Value we want to set the is_active field.
398 * true if we found and updated the object, else false
/**
 * Update the is_active flag of an ACL record in the database.
 *
 * The 'fields' cache is flushed and CRM_Core_BAO_Cache::resetCaches() is
 * called before the field is written.
 *
 * NOTE(review): the caches are reset before the database write, not after.
 * Confirm that a concurrent request cannot repopulate them from the old
 * is_active value in between, which would leave a stale ACL decision cached.
 *
 * @param $id
 *   Id of the database record.
 * @param bool $is_active
 *   Value to store in the is_active field.
 *
 * @return mixed
 *   The result of CRM_Core_DAO::setFieldValue(), passed through unchanged.
 */
public static function setIsActive($id, $is_active) {
  Civi::cache('fields')->flush();
  // Reset ACL and system caches so stale permissions are not served.
  CRM_Core_BAO_Cache::resetCaches();

  $updated = CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active);
  return $updated;
}
410 * @param int $contactID
414 public static function check($str, $contactID) {
// Returns TRUE when a single-value query over civicrm_acl_cache/civicrm_acl,
// restricted to object_table = $str and to the contact's ACL ids, yields a
// truthy result. The SELECT list is on lines not shown in this listing.
416 $acls = CRM_ACL_BAO_Cache
::build($contactID);
418 $aclKeys = array_keys($acls);
419 $aclKeys = implode(',', $aclKeys);
// $aclKeys is now a comma-separated list of the keys returned by
// CRM_ACL_BAO_Cache::build(); it is interpolated into the IN ( ... ) list
// rather than bound. NOTE(review): presumably these keys are integer ACL
// ids; confirm against CRM_ACL_BAO_Cache::build().
421 if (empty($aclKeys)) {
427 FROM civicrm_acl_cache c, civicrm_acl a
428 WHERE c.acl_id = a.id
430 AND a.object_table = %1
431 AND a.id IN ( $aclKeys )
433 $params = [1 => [$str, 'String']];
// $str is bound to placeholder %1 with type 'String', so the caller-supplied
// value is not concatenated into the SQL text.
435 $count = CRM_Core_DAO
::singleValueQuery($query, $params);
// Collapse the query result to a strict boolean.
436 return ($count) ?
TRUE : FALSE;
442 * @param $whereTables
443 * @param int $contactID
445 * @return null|string
447 public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) {
// Builds the SQL filter that limits which contacts $contactID may act on for
// operation $type, from saved-search/group ACL rows and from the
// aclWhereClause hook. Parts of the body are not shown in this listing.
448 $acls = CRM_ACL_BAO_Cache
::build($contactID);
454 $aclKeys = array_keys($acls);
455 $aclKeys = implode(',', $aclKeys);
458 SELECT a.operation, a.object_id
459 FROM civicrm_acl_cache c, civicrm_acl a
460 WHERE c.acl_id = a.id
462 AND a.object_table = 'civicrm_saved_search'
463 AND a.id IN ( $aclKeys )
// $aclKeys (the keys returned by CRM_ACL_BAO_Cache::build()) is interpolated
// into the IN list of this query; no parameters are bound for it.
467 $dao = CRM_Core_DAO
::executeQuery($query);
469 // do an or of all the where clauses u see
471 while ($dao->fetch()) {
472 // make sure operation matches the type TODO
473 if (self
::matchType($type, $dao->operation
)) {
474 if (!$dao->object_id
) {
// An ACL row with no object_id switches the clause to ' ( 1 ) ', an
// always-true filter.
476 $whereClause = ' ( 1 ) ';
479 $ids[] = $dao->object_id
;
484 $ids = implode(',', $ids);
488 WHERE g.id IN ( $ids )
491 $dao = CRM_Core_DAO
::executeQuery($query);
493 $groupContactCacheClause = FALSE;
494 while ($dao->fetch()) {
495 $groupIDs[] = $dao->id
;
497 if (($dao->saved_search_id ||
$dao->children ||
$dao->parents
)) {
498 if ($dao->cache_date
== NULL) {
499 CRM_Contact_BAO_GroupContactCache
::load($dao);
501 $groupContactCacheClause = " UNION SELECT contact_id FROM civicrm_group_contact_cache WHERE group_id IN (" . implode(', ', $groupIDs) . ")";
509 SELECT contact_id FROM civicrm_group_contact WHERE group_id IN (" . implode(', ', $groupIDs) . ") AND status = 'Added'
510 $groupContactCacheClause
517 if (!empty($clauses)) {
518 $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
521 // call the hook to get additional whereClauses
// NOTE(review): $whereClause is handed to hook implementations (presumably
// by reference), so any SQL they put there is used as-is. Treat hook
// implementations as trusted code when reviewing this path.
522 CRM_Utils_Hook
::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause);
// Fail closed: if neither the ACL rows nor the hook produced a clause, fall
// back to ' ( 0 ) ', which matches nothing.
524 if (empty($whereClause)) {
525 $whereClause = ' ( 0 ) ';
533 * @param int $contactID
534 * @param string $tableName
535 * @param null $allGroups
536 * @param null $includedGroups
// Computes the ids of objects in $tableName that $contactID may access for
// operation $type and memoises the result in
// Civi::$statics[__CLASS__]['permissioned_groups']. Several parameter lines
// and parts of the body are not shown in this listing.
540 public static function group(
543 $tableName = 'civicrm_saved_search',
545 $includedGroups = NULL
// The memo key combines contact id, type, table name, domain id and an md5
// of the two group lists; md5 only shortens the key here and is not used as
// a security control.
547 $userCacheKey = "{$contactID}_{$type}_{$tableName}_" . CRM_Core_Config
::domainID() . '_' . md5(implode(',', array_merge((array) $allGroups, (array) $includedGroups)));
548 if (empty(Civi
::$statics[__CLASS__
]['permissioned_groups'])) {
549 Civi
::$statics[__CLASS__
]['permissioned_groups'] = [];
551 if (!empty(Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey])) {
552 return Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey];
555 if ($allGroups == NULL) {
556 $allGroups = CRM_Contact_BAO_Contact
::buildOptions('group_id', NULL, ['onlyActive' => FALSE]);
559 $acls = CRM_ACL_BAO_Cache
::build($contactID);
563 $aclKeys = array_keys($acls);
564 $aclKeys = implode(',', $aclKeys);
// NOTE(review): this cache key is derived from $tableName and the ACL ids
// only, while the $ids stored under it are filtered by $type further down.
// Confirm that a lookup for one $type cannot be served an entry that was
// computed for a different $type with the same ACL set.
566 $cacheKey = CRM_Utils_Cache
::cleanKey("$tableName-$aclKeys");
567 $cache = CRM_Utils_Cache
::singleton();
568 $ids = $cache->get($cacheKey);
572 SELECT a.operation, a.object_id
573 FROM civicrm_acl_cache c, civicrm_acl a
574 WHERE c.acl_id = a.id
576 AND a.object_table = %1
577 AND a.id IN ( $aclKeys )
578 GROUP BY a.operation,a.object_id
// $tableName is bound to placeholder %1 with type 'String'; $aclKeys is
// interpolated into the IN list.
581 $params = [1 => [$tableName, 'String']];
582 $dao = CRM_Core_DAO
::executeQuery($query, $params);
583 while ($dao->fetch()) {
584 if ($dao->object_id
) {
585 if (self
::matchType($type, $dao->operation
)) {
586 $ids[] = $dao->object_id
;
590 // this user has got the permission for all objects of this type
591 // check if the type matches
592 if (self
::matchType($type, $dao->operation
)) {
593 foreach ($allGroups as $id => $dontCare) {
600 $cache->set($cacheKey, $ids);
// When nothing was granted, the caller-supplied $includedGroups becomes the
// permitted set, so callers must only pass ids they are willing to expose.
604 if (empty($ids) && !empty($includedGroups) &&
605 is_array($includedGroups)
607 $ids = $includedGroups;
611 if (!empty($allGroups)) {
612 $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
614 // Contacts create hidden groups from search results. They should be able to retrieve their own.
// NOTE(review): $contactID is interpolated into the query below, and no
// integer cast or CRM_Utils_Type::escape() call on it is visible in the
// lines shown. Confirm it is validated as an integer before this point.
615 $ownHiddenGroupsList = CRM_Core_DAO
::singleValueQuery("
616 SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
619 if ($ownHiddenGroupsList) {
620 $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
621 $ids = array_merge((array) $ids, $ownHiddenGroups);
// Hook implementations receive $ids (presumably by reference) and may change
// the permitted set before it is memoised.
626 CRM_Utils_Hook
::aclGroup($type, $contactID, $tableName, $allGroups, $ids);
627 Civi
::$statics[__CLASS__
]['permissioned_groups'][$userCacheKey] = $ids;
637 protected static function matchType($type, $operation) {
639 switch ($operation) {
645 if ($type == CRM_ACL_API
::VIEW
) {
651 if ($type == CRM_ACL_API
::VIEW ||
$type == CRM_ACL_API
::EDIT
) {
657 if ($type == CRM_ACL_API
::CREATE
) {
663 if ($type == CRM_ACL_API
::DELETE
) {
669 if ($type == CRM_ACL_API
::SEARCH
) {
678 * Delete ACL records.
681 * ID of the ACL record to be deleted.
684 public static function del($aclId) {
685 // delete all entries from the acl cache
686 CRM_ACL_BAO_Cache
::resetCache();
688 $acl = new CRM_ACL_DAO_ACL();