projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Ensure ACL and other caches are reset as well when flushing ACL Cache
[civicrm-core.git] / CRM / ACL / BAO / ACL.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2019
32 */
33
34 /**
35 * Access Control List
36 */
37 class CRM_ACL_BAO_ACL extends CRM_ACL_DAO_ACL {
38 /**
39 * @var string
40 */
41 public static $_entityTable = NULL;
42 public static $_objectTable = NULL;
43 public static $_operation = NULL;
44
45 public static $_fieldKeys = NULL;
46
47 /**
48 * Get ACL entity table.
49 *
50 * @return array|null
51 */
52 public static function entityTable() {
53 if (!self::$_entityTable) {
54 self::$_entityTable = [
55 'civicrm_contact' => ts('Contact'),
56 'civicrm_acl_role' => ts('ACL Role'),
57 ];
58 }
59 return self::$_entityTable;
60 }
61
62 /**
63 * @return array|null
64 */
65 public static function objectTable() {
66 if (!self::$_objectTable) {
67 self::$_objectTable = [
68 'civicrm_contact' => ts('Contact'),
69 'civicrm_group' => ts('Group'),
70 'civicrm_saved_search' => ts('Contact Group'),
71 'civicrm_admin' => ts('Import'),
72 ];
73 }
74 return self::$_objectTable;
75 }
76
77 /**
78 * @return array|null
79 */
80 public static function operation() {
81 if (!self::$_operation) {
82 self::$_operation = [
83 'View' => ts('View'),
84 'Edit' => ts('Edit'),
85 'Create' => ts('Create'),
86 'Delete' => ts('Delete'),
87 'Search' => ts('Search'),
88 'All' => ts('All'),
89 ];
90 }
91 return self::$_operation;
92 }
93
94 /**
95 * Construct a WHERE clause to handle permissions to $object_*
96 *
97 * @deprecated
98 *
99 * @param array $tables
100 * Any tables that may be needed in the FROM.
101 * @param string $operation
102 * The operation being attempted.
103 * @param string $object_table
104 * The table of the object in question.
105 * @param int $object_id
106 * The ID of the object in question.
107 * @param int $acl_id
108 * If it's a grant/revoke operation, the ACL ID.
109 * @param bool $acl_role
110 * For grant operations, this flag determines if we're granting a single acl (false) or an entire group.
111 *
112 * @return string
113 * The WHERE clause, or 0 on failure
114 */
115 public static function permissionClause(
116 &$tables, $operation,
117 $object_table = NULL, $object_id = NULL,
118 $acl_id = NULL, $acl_role = FALSE
119 ) {
120 CRM_Core_Error::deprecatedFunctionWarning('unknown - this is really old & not used in core');
121 $dao = new CRM_ACL_DAO_ACL();
122
123 $t = [
124 'ACL' => self::getTableName(),
125 'ACLRole' => 'civicrm_acl_role',
126 'ACLEntityRole' => CRM_ACL_DAO_EntityRole::getTableName(),
127 'Contact' => CRM_Contact_DAO_Contact::getTableName(),
128 'Group' => CRM_Contact_DAO_Group::getTableName(),
129 'GroupContact' => CRM_Contact_DAO_GroupContact::getTableName(),
130 ];
131
132 $contact_id = CRM_Core_Session::getLoggedInContactID();
133
134 $where = " {$t['ACL']}.operation = '" . CRM_Utils_Type::escape($operation, 'String') . "'";
135
136 /* Include clause if we're looking for a specific table/id permission */
137
138 if (!empty($object_table)) {
139 $where .= " AND ( {$t['ACL']}.object_table IS null
140 OR ({$t['ACL']}.object_table = '" . CRM_Utils_Type::escape($object_table, 'String') . "'";
141 if (!empty($object_id)) {
142 $where .= " AND ({$t['ACL']}.object_id IS null
143 OR {$t['ACL']}.object_id = " . CRM_Utils_Type::escape($object_id, 'Integer') . ')';
144 }
145 $where .= '))';
146 }
147
148 /* Include clause if we're granting an ACL or ACL Role */
149
150 if (!empty($acl_id)) {
151 $where .= " AND ({$t['ACL']}.acl_id IS null
152 OR {$t['ACL']}.acl_id = " . CRM_Utils_Type::escape($acl_id, 'Integer') . ')';
153 if ($acl_role) {
154 $where .= " AND {$t['ACL']}.acl_table = '{$t['ACLRole']}'";
155 }
156 else {
157 $where .= " AND {$t['ACL']}.acl_table = '{$t['ACL']}'";
158 }
159 }
160
161 $query = [];
162
163 /* Query for permissions granted to all contacts in the domain */
164
165 $query[] = "SELECT {$t['ACL']}.*, 0 as override
166 FROM {$t['ACL']}
167
168 WHERE {$t['ACL']}.entity_table = '{$t['Domain']}'
169 AND ($where)";
170
171 /* Query for permissions granted to all contacts through an ACL group */
172
173 $query[] = "SELECT {$t['ACL']}.*, 0 as override
174 FROM {$t['ACL']}
175
176 INNER JOIN {$t['ACLEntityRole']}
177 ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
178 AND {$t['ACL']}.entity_id =
179 {$t['ACLEntityRole']}.acl_role_id)
180
181 INNER JOIN {$t['ACLRole']}
182 ON {$t['ACL']}.entity_id =
183 {$t['ACLRole']}.id
184
185 WHERE {$t['ACLEntityRole']}.entity_table =
186 '{$t['Domain']}'
187 AND {$t['ACLRole']}.is_active = 1
188 AND ($where)";
189
190 /* Query for permissions granted directly to the contact */
191
192 $query[] = "SELECT {$t['ACL']}.*, 1 as override
193 FROM {$t['ACL']}
194
195 INNER JOIN {$t['Contact']}
196 ON ({$t['ACL']}.entity_table = '{$t['Contact']}'
197 AND {$t['ACL']}.entity_id = {$t['Contact']}.id)
198
199 WHERE {$t['Contact']}.id = $contact_id
200 AND ($where)";
201
202 /* Query for permissions granted to the contact through an ACL group */
203
204 $query[] = "SELECT {$t['ACL']}.*, 1 as override
205 FROM {$t['ACL']}
206
207 INNER JOIN {$t['ACLEntityRole']}
208 ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
209 AND {$t['ACL']}.entity_id =
210 {$t['ACLEntityRole']}.acl_role_id)
211
212 INNER JOIN {$t['ACLRole']}
213 ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id
214
215 WHERE {$t['ACLEntityRole']}.entity_table =
216 '{$t['Contact']}'
217 AND {$t['ACLRole']}.is_active = 1
218 AND {$t['ACLEntityRole']}.entity_id = $contact_id
219 AND ($where)";
220
221 /* Query for permissions granted to the contact through a group */
222
223 $query[] = "SELECT {$t['ACL']}.*, 0 as override
224 FROM {$t['ACL']}
225
226 INNER JOIN {$t['GroupContact']}
227 ON ({$t['ACL']}.entity_table = '{$t['Group']}'
228 AND {$t['ACL']}.entity_id =
229 {$t['GroupContact']}.group_id)
230
231 WHERE ($where)
232 AND {$t['GroupContact']}.contact_id = $contact_id
233 AND {$t['GroupContact']}.status = 'Added')";
234
235 /* Query for permissions granted through an ACL group to a Contact
236 * group */
237
238 $query[] = "SELECT {$t['ACL']}.*, 0 as override
239 FROM {$t['ACL']}
240
241 INNER JOIN {$t['ACLEntityRole']}
242 ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
243 AND {$t['ACL']}.entity_id =
244 {$t['ACLEntityRole']}.acl_role_id)
245
246 INNER JOIN {$t['ACLRole']}
247 ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id
248
249 INNER JOIN {$t['GroupContact']}
250 ON ({$t['ACLEntityRole']}.entity_table =
251 '{$t['Group']}'
252 AND {$t['ACLEntityRole']}.entity_id =
253 {$t['GroupContact']}.group_id)
254
255 WHERE ($where)
256 AND {$t['ACLRole']}.is_active = 1
257 AND {$t['GroupContact']}.contact_id = $contact_id
258 AND {$t['GroupContact']}.status = 'Added'";
259
260 $union = '(' . implode(') UNION DISTINCT (', $query) . ')';
261
262 $dao->query($union);
263
264 $allow = [0];
265 $deny = [0];
266 $override = [];
267
268 while ($dao->fetch()) {
269 /* Instant bypass for the following cases:
270 * 1) the rule governs all tables
271 * 2) the rule governs all objects in the table in question
272 * 3) the rule governs the specific object we want
273 */
274
275 if (empty($dao->object_table) ||
276 ($dao->object_table == $object_table
277 && (empty($dao->object_id)
278 || $dao->object_id == $object_id
279 )
280 )
281 ) {
282 $clause = 1;
283 }
284 else {
285 /* Otherwise try to generate a clause for this rule */
286
287 $clause = self::getClause(
288 $dao->object_table, $dao->object_id, $tables
289 );
290
291 /* If the clause returned is null, then the rule is a blanket
292 * (id is null) on a table other than the one we're interested
293 * in. So skip it. */
294
295 if (empty($clause)) {
296 continue;
297 }
298 }
299
300 /* Now we figure out if this is an allow or deny rule, and possibly
301 * a contact-level override */
302
303 if ($dao->deny) {
304 $deny[] = $clause;
305 }
306 else {
307 $allow[] = $clause;
308
309 if ($dao->override) {
310 $override[] = $clause;
311 }
312 }
313 }
314
315 $allows = '(' . implode(' OR ', $allow) . ')';
316 $denies = '(' . implode(' OR ', $deny) . ')';
317 if (!empty($override)) {
318 $denies = '(NOT (' . implode(' OR ', $override) . ") AND $denies)";
319 }
320
321 return "($allows AND NOT $denies)";
322 }
323
324 /**
325 * Given a table and id pair, return the filter clause
326 *
327 * @param string $table
328 * The table owning the object.
329 * @param int $id
330 * The ID of the object.
331 * @param array $tables
332 * Tables that will be needed in the FROM.
333 *
334 * @return string|null
335 * WHERE-style clause to filter results,
336 * or null if $table or $id is null
337 */
338 public static function getClause($table, $id, &$tables) {
339 $table = CRM_Utils_Type::escape($table, 'String');
340 $id = CRM_Utils_Type::escape($id, 'Integer');
341 $whereTables = [];
342
343 $ssTable = CRM_Contact_BAO_SavedSearch::getTableName();
344
345 if (empty($table)) {
346 return NULL;
347 }
348 elseif ($table == $ssTable) {
349 return CRM_Contact_BAO_SavedSearch::whereClause($id, $tables, $whereTables);
350 }
351 elseif (!empty($id)) {
352 $tables[$table] = TRUE;
353 return "$table.id = $id";
354 }
355 return NULL;
356 }
357
358 /**
359 * Construct an associative array of an ACL rule's properties
360 *
361 * @param string $format
362 * Sprintf format for array.
363 * @param bool $hideEmpty
364 * Only return elements that have a value set.
365 *
366 * @return array
367 * Assoc. array of the ACL rule's properties
368 */
369 public function toArray($format = '%s', $hideEmpty = FALSE) {
370 $result = [];
371
372 if (!self::$_fieldKeys) {
373 $fields = CRM_ACL_DAO_ACL::fields();
374 self::$_fieldKeys = array_keys($fields);
375 }
376
377 foreach (self::$_fieldKeys as $field) {
378 $result[$field] = $this->$field;
379 }
380 return $result;
381 }
382
383 /**
384 * Retrieve ACLs for a contact or group. Note that including a contact id
385 * without a group id will return those ACL rules which are granted
386 * directly to the contact, but not those granted to the contact through
387 * any/all of his group memberships.
388 *
389 * @param int $contact_id
390 * ID of a contact to search for.
391 * @param int $group_id
392 * ID of a group to search for.
393 * @param bool $aclRoles
394 * Should we include ACL Roles.
395 *
396 * @return array
397 * Array of assoc. arrays of ACL rules
398 */
399 public static function &getACLs($contact_id = NULL, $group_id = NULL, $aclRoles = FALSE) {
400 $results = [];
401
402 if (empty($contact_id)) {
403 return $results;
404 }
405
406 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
407 if ($group_id) {
408 $group_id = CRM_Utils_Type::escape($group_id, 'Integer');
409 }
410
411 $rule = new CRM_ACL_BAO_ACL();
412
413 $acl = self::getTableName();
414 $contact = CRM_Contact_BAO_Contact::getTableName();
415 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
416 $group = CRM_Contact_BAO_Group::getTableName();
417
418 $query = " SELECT $acl.*
419 FROM $acl ";
420
421 if (!empty($group_id)) {
422 $query .= " INNER JOIN $c2g
423 ON $acl.entity_id = $c2g.group_id
424 WHERE $acl.entity_table = '$group'
425 AND $acl.is_active = 1
426 AND $c2g.group_id = $group_id";
427
428 if (!empty($contact_id)) {
429 $query .= " AND $c2g.contact_id = $contact_id
430 AND $c2g.status = 'Added'";
431 }
432 }
433 else {
434 if (!empty($contact_id)) {
435 $query .= " WHERE $acl.entity_table = '$contact'
436 AND $acl.entity_id = $contact_id";
437 }
438 }
439
440 $rule->query($query);
441
442 while ($rule->fetch()) {
443 $results[$rule->id] = $rule->toArray();
444 }
445
446 if ($aclRoles) {
447 $results += self::getACLRoles($contact_id, $group_id);
448 }
449
450 return $results;
451 }
452
453 /**
454 * Get all of the ACLs through ACL groups.
455 *
456 * @param int $contact_id
457 * ID of a contact to search for.
458 * @param int $group_id
459 * ID of a group to search for.
460 *
461 * @return array
462 * Array of assoc. arrays of ACL rules
463 */
464 public static function &getACLRoles($contact_id = NULL, $group_id = NULL) {
465 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
466 if ($group_id) {
467 $group_id = CRM_Utils_Type::escape($group_id, 'Integer');
468 }
469
470 $rule = new CRM_ACL_BAO_ACL();
471
472 $acl = self::getTableName();
473 $aclRole = 'civicrm_acl_role';
474 $aclRoleJoin = CRM_ACL_DAO_EntityRole::getTableName();
475 $contact = CRM_Contact_BAO_Contact::getTableName();
476 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
477 $group = CRM_Contact_BAO_Group::getTableName();
478
479 $query = " SELECT $acl.*
480 FROM $acl
481 INNER JOIN civicrm_option_group og
482 ON og.name = 'acl_role'
483 INNER JOIN civicrm_option_value ov
484 ON $acl.entity_table = '$aclRole'
485 AND ov.option_group_id = og.id
486 AND $acl.entity_id = ov.value";
487
488 if (!empty($group_id)) {
489 $query .= " INNER JOIN $c2g
490 ON $acl.entity_id = $c2g.group_id
491 WHERE $acl.entity_table = '$group'
492 AND $acl.is_active = 1
493 AND $c2g.group_id = $group_id";
494
495 if (!empty($contact_id)) {
496 $query .= " AND $c2g.contact_id = $contact_id
497 AND $c2g.status = 'Added'";
498 }
499 }
500 else {
501 if (!empty($contact_id)) {
502 $query .= " WHERE $acl.entity_table = '$contact'
503 AND $acl.is_active = 1
504 AND $acl.entity_id = $contact_id";
505 }
506 }
507
508 $results = [];
509
510 $rule->query($query);
511
512 while ($rule->fetch()) {
513 $results[$rule->id] = $rule->toArray();
514 }
515
516 return $results;
517 }
518
519 /**
520 * Get all ACLs granted to a contact through all group memberships.
521 *
522 * @param int $contact_id
523 * The contact's ID.
524 * @param bool $aclRoles
525 * Include ACL Roles?.
526 *
527 * @return array
528 * Assoc array of ACL rules
529 */
530 public static function &getGroupACLs($contact_id, $aclRoles = FALSE) {
531 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
532
533 $rule = new CRM_ACL_BAO_ACL();
534
535 $acl = self::getTableName();
536 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
537 $group = CRM_Contact_BAO_Group::getTableName();
538 $results = [];
539
540 if ($contact_id) {
541 $query = "
542 SELECT $acl.*
543 FROM $acl
544 INNER JOIN $c2g
545 ON $acl.entity_id = $c2g.group_id
546 WHERE $acl.entity_table = '$group'
547 AND $c2g.contact_id = $contact_id
548 AND $c2g.status = 'Added'";
549
550 $rule->query($query);
551
552 while ($rule->fetch()) {
553 $results[$rule->id] = $rule->toArray();
554 }
555 }
556
557 if ($aclRoles) {
558 $results += self::getGroupACLRoles($contact_id);
559 }
560
561 return $results;
562 }
563
564 /**
565 * Get all of the ACLs for a contact through ACL groups owned by Contact.
566 * groups.
567 *
568 * @param int $contact_id
569 * ID of a contact to search for.
570 *
571 * @return array
572 * Array of assoc. arrays of ACL rules
573 */
574 public static function &getGroupACLRoles($contact_id) {
575 $contact_id = CRM_Utils_Type::escape($contact_id, 'Integer');
576
577 $rule = new CRM_ACL_BAO_ACL();
578
579 $acl = self::getTableName();
580 $aclRole = 'civicrm_acl_role';
581
582 $aclER = CRM_ACL_DAO_EntityRole::getTableName();
583 $c2g = CRM_Contact_BAO_GroupContact::getTableName();
584 $group = CRM_Contact_BAO_Group::getTableName();
585
586 $query = " SELECT $acl.*
587 FROM $acl
588 INNER JOIN civicrm_option_group og
589 ON og.name = 'acl_role'
590 INNER JOIN civicrm_option_value ov
591 ON $acl.entity_table = '$aclRole'
592 AND ov.option_group_id = og.id
593 AND $acl.entity_id = ov.value
594 AND ov.is_active = 1
595 INNER JOIN $aclER
596 ON $aclER.acl_role_id = $acl.entity_id
597 AND $aclER.is_active = 1
598 INNER JOIN $c2g
599 ON $aclER.entity_id = $c2g.group_id
600 AND $aclER.entity_table = 'civicrm_group'
601 WHERE $acl.entity_table = '$aclRole'
602 AND $acl.is_active = 1
603 AND $c2g.contact_id = $contact_id
604 AND $c2g.status = 'Added'";
605
606 $results = [];
607
608 $rule->query($query);
609
610 while ($rule->fetch()) {
611 $results[$rule->id] = $rule->toArray();
612 }
613
614 // also get all acls for "Any Role" case
615 // and authenticated User Role if present
616 $roles = "0";
617 $session = CRM_Core_Session::singleton();
618 if ($session->get('ufID') > 0) {
619 $roles .= ",2";
620 }
621
622 $query = "
623 SELECT $acl.*
624 FROM $acl
625 WHERE $acl.entity_id IN ( $roles )
626 AND $acl.entity_table = 'civicrm_acl_role'
627 ";
628
629 $rule->query($query);
630 while ($rule->fetch()) {
631 $results[$rule->id] = $rule->toArray();
632 }
633
634 return $results;
635 }
636
637 /**
638 * Get all ACLs owned by a given contact, including domain and group-level.
639 *
640 * @param int $contact_id
641 * The contact ID.
642 *
643 * @return array
644 * Assoc array of ACL rules
645 */
646 public static function &getAllByContact($contact_id) {
647 $result = [];
648
649 /* First, the contact-specific ACLs, including ACL Roles */
650 $result += self::getACLs($contact_id, NULL, TRUE);
651
652 /* Then, all ACLs granted through group membership */
653 $result += self::getGroupACLs($contact_id, TRUE);
654
655 return $result;
656 }
657
658 /**
659 * @param array $params
660 *
661 * @return CRM_ACL_DAO_ACL
662 */
663 public static function create(&$params) {
664 $dao = new CRM_ACL_DAO_ACL();
665 $dao->copyValues($params);
666 $dao->save();
667 return $dao;
668 }
669
670 /**
671 * @param array $params
672 * @param $defaults
673 */
674 public static function retrieve(&$params, &$defaults) {
675 CRM_Core_DAO::commonRetrieve('CRM_ACL_DAO_ACL', $params, $defaults);
676 }
677
678 /**
679 * Update the is_active flag in the db.
680 *
681 * @param int $id
682 * Id of the database record.
683 * @param bool $is_active
684 * Value we want to set the is_active field.
685 *
686 * @return bool
687 * true if we found and updated the object, else false
688 */
689 public static function setIsActive($id, $is_active) {
690 Civi::cache('fields')->flush();
691 // also reset ACL Cache
692 CRM_ACL_BAO_Cache::resetCache();
693 // also reset memory cache if any
694 CRM_Utils_System::flushCache();
695
696 return CRM_Core_DAO::setFieldValue('CRM_ACL_DAO_ACL', $id, 'is_active', $is_active);
697 }
698
699 /**
700 * @param $str
701 * @param int $contactID
702 *
703 * @return bool
704 */
705 public static function check($str, $contactID) {
706
707 $acls = CRM_ACL_BAO_Cache::build($contactID);
708
709 $aclKeys = array_keys($acls);
710 $aclKeys = implode(',', $aclKeys);
711
712 if (empty($aclKeys)) {
713 return FALSE;
714 }
715
716 $query = "
717 SELECT count( a.id )
718 FROM civicrm_acl_cache c, civicrm_acl a
719 WHERE c.acl_id = a.id
720 AND a.is_active = 1
721 AND a.object_table = %1
722 AND a.id IN ( $aclKeys )
723 ";
724 $params = [1 => [$str, 'String']];
725
726 $count = CRM_Core_DAO::singleValueQuery($query, $params);
727 return ($count) ? TRUE : FALSE;
728 }
729
730 /**
731 * @param $type
732 * @param $tables
733 * @param $whereTables
734 * @param int $contactID
735 *
736 * @return null|string
737 */
738 public static function whereClause($type, &$tables, &$whereTables, $contactID = NULL) {
739 $acls = CRM_ACL_BAO_Cache::build($contactID);
740
741 $whereClause = NULL;
742 $clauses = [];
743
744 if (!empty($acls)) {
745 $aclKeys = array_keys($acls);
746 $aclKeys = implode(',', $aclKeys);
747
748 $query = "
749 SELECT a.operation, a.object_id
750 FROM civicrm_acl_cache c, civicrm_acl a
751 WHERE c.acl_id = a.id
752 AND a.is_active = 1
753 AND a.object_table = 'civicrm_saved_search'
754 AND a.id IN ( $aclKeys )
755 ORDER BY a.object_id
756 ";
757
758 $dao = CRM_Core_DAO::executeQuery($query);
759
760 // do an or of all the where clauses u see
761 $ids = [];
762 while ($dao->fetch()) {
763 // make sure operation matches the type TODO
764 if (self::matchType($type, $dao->operation)) {
765 if (!$dao->object_id) {
766 $ids = [];
767 $whereClause = ' ( 1 ) ';
768 break;
769 }
770 $ids[] = $dao->object_id;
771 }
772 }
773
774 if (!empty($ids)) {
775 $ids = implode(',', $ids);
776 $query = "
777 SELECT g.*
778 FROM civicrm_group g
779 WHERE g.id IN ( $ids )
780 AND g.is_active = 1
781 ";
782 $dao = CRM_Core_DAO::executeQuery($query);
783 $groupIDs = [];
784 $groupContactCacheClause = FALSE;
785 while ($dao->fetch()) {
786 $groupIDs[] = $dao->id;
787
788 if (($dao->saved_search_id || $dao->children || $dao->parents)) {
789 if ($dao->cache_date == NULL) {
790 CRM_Contact_BAO_GroupContactCache::load($dao);
791 }
792 $groupContactCacheClause = " UNION SELECT contact_id FROM civicrm_group_contact_cache WHERE group_id IN (" . implode(', ', $groupIDs) . ")";
793 }
794
795 }
796
797 if ($groupIDs) {
798 $clauses[] = "(
799 `contact_a`.id IN (
800 SELECT contact_id FROM civicrm_group_contact WHERE group_id IN (" . implode(', ', $groupIDs) . ") AND status = 'Added'
801 $groupContactCacheClause
802 )
803 )";
804 }
805 }
806 }
807
808 if (!empty($clauses)) {
809 $whereClause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
810 }
811
812 // call the hook to get additional whereClauses
813 CRM_Utils_Hook::aclWhereClause($type, $tables, $whereTables, $contactID, $whereClause);
814
815 if (empty($whereClause)) {
816 $whereClause = ' ( 0 ) ';
817 }
818
819 return $whereClause;
820 }
821
822 /**
823 * @param int $type
824 * @param int $contactID
825 * @param string $tableName
826 * @param null $allGroups
827 * @param null $includedGroups
828 *
829 * @return array
830 */
831 public static function group(
832 $type,
833 $contactID = NULL,
834 $tableName = 'civicrm_saved_search',
835 $allGroups = NULL,
836 $includedGroups = NULL
837 ) {
838 $userCacheKey = "{$contactID}_{$type}_{$tableName}_" . CRM_Core_Config::domainID() . '_' . md5(implode(',', array_merge((array) $allGroups, (array) $includedGroups)));
839 if (empty(Civi::$statics[__CLASS__]['permissioned_groups'])) {
840 Civi::$statics[__CLASS__]['permissioned_groups'] = [];
841 }
842 if (!empty(Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey])) {
843 return Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey];
844 }
845
846 if ($allGroups == NULL) {
847 $allGroups = CRM_Contact_BAO_Contact::buildOptions('group_id', NULL, ['onlyActive' => FALSE]);
848 }
849
850 $acls = CRM_ACL_BAO_Cache::build($contactID);
851
852 $ids = [];
853 if (!empty($acls)) {
854 $aclKeys = array_keys($acls);
855 $aclKeys = implode(',', $aclKeys);
856
857 $cacheKey = CRM_Utils_Cache::cleanKey("$tableName-$aclKeys");
858 $cache = CRM_Utils_Cache::singleton();
859 $ids = $cache->get($cacheKey);
860 if (!$ids) {
861 $ids = [];
862 $query = "
863 SELECT a.operation, a.object_id
864 FROM civicrm_acl_cache c, civicrm_acl a
865 WHERE c.acl_id = a.id
866 AND a.is_active = 1
867 AND a.object_table = %1
868 AND a.id IN ( $aclKeys )
869 GROUP BY a.operation,a.object_id
870 ORDER BY a.object_id
871 ";
872 $params = [1 => [$tableName, 'String']];
873 $dao = CRM_Core_DAO::executeQuery($query, $params);
874 while ($dao->fetch()) {
875 if ($dao->object_id) {
876 if (self::matchType($type, $dao->operation)) {
877 $ids[] = $dao->object_id;
878 }
879 }
880 else {
881 // this user has got the permission for all objects of this type
882 // check if the type matches
883 if (self::matchType($type, $dao->operation)) {
884 foreach ($allGroups as $id => $dontCare) {
885 $ids[] = $id;
886 }
887 }
888 break;
889 }
890 }
891 $cache->set($cacheKey, $ids);
892 }
893 }
894
895 if (empty($ids) && !empty($includedGroups) &&
896 is_array($includedGroups)
897 ) {
898 $ids = $includedGroups;
899 }
900 if ($contactID) {
901 $groupWhere = '';
902 if (!empty($allGroups)) {
903 $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
904 }
905 // Contacts create hidden groups from search results. They should be able to retrieve their own.
906 $ownHiddenGroupsList = CRM_Core_DAO::singleValueQuery("
907 SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
908 $groupWhere
909 ");
910 if ($ownHiddenGroupsList) {
911 $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
912 $ids = array_merge((array) $ids, $ownHiddenGroups);
913 }
914
915 }
916
917 CRM_Utils_Hook::aclGroup($type, $contactID, $tableName, $allGroups, $ids);
918 Civi::$statics[__CLASS__]['permissioned_groups'][$userCacheKey] = $ids;
919 return $ids;
920 }
921
922 /**
923 * @param int $type
924 * @param $operation
925 *
926 * @return bool
927 */
928 public static function matchType($type, $operation) {
929 $typeCheck = FALSE;
930 switch ($operation) {
931 case 'All':
932 $typeCheck = TRUE;
933 break;
934
935 case 'View':
936 if ($type == CRM_ACL_API::VIEW) {
937 $typeCheck = TRUE;
938 }
939 break;
940
941 case 'Edit':
942 if ($type == CRM_ACL_API::VIEW || $type == CRM_ACL_API::EDIT) {
943 $typeCheck = TRUE;
944 }
945 break;
946
947 case 'Create':
948 if ($type == CRM_ACL_API::CREATE) {
949 $typeCheck = TRUE;
950 }
951 break;
952
953 case 'Delete':
954 if ($type == CRM_ACL_API::DELETE) {
955 $typeCheck = TRUE;
956 }
957 break;
958
959 case 'Search':
960 if ($type == CRM_ACL_API::SEARCH) {
961 $typeCheck = TRUE;
962 }
963 break;
964 }
965 return $typeCheck;
966 }
967
968 /**
969 * Delete ACL records.
970 *
971 * @param int $aclId
972 * ID of the ACL record to be deleted.
973 *
974 */
975 public static function del($aclId) {
976 // delete all entries from the acl cache
977 CRM_ACL_BAO_Cache::resetCache();
978
979 $acl = new CRM_ACL_DAO_ACL();
980 $acl->id = $aclId;
981 $acl->delete();
982 }
983
984 }