projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bulk comment fix
[civicrm-core.git] / CRM / Contact / BAO / Contact / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2014
32 * $Id$
33 *
34 */
35 class CRM_Contact_BAO_Contact_Permission {
36
37 /**
38 * check if the logged in user has permissions for the operation type
39 *
40 * @param int $id contact id
41 * @param int|string $type the type of operation (view|edit)
42 *
43 * @return boolean true if the user has permission, false otherwise
44 * @access public
45 * @static
46 */
47 static function allow($id, $type = CRM_Core_Permission::VIEW) {
48 $tables = array();
49 $whereTables = array();
50
51 # FIXME: push this somewhere below, to not give this permission so many rights
52 $isDeleted = (bool) CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $id, 'is_deleted');
53 if (CRM_Core_Permission::check('access deleted contacts') && $isDeleted) {
54 return TRUE;
55 }
56
57 // short circuit for admin rights here so we avoid unneeeded queries
58 // some duplication of code, but we skip 3-5 queries
59 if (CRM_Core_Permission::check('edit all contacts') ||
60 ($type == CRM_ACL_API::VIEW && CRM_Core_Permission::check('view all contacts'))
61 ) {
62 return TRUE;
63 }
64
65 //check permission based on relationship, CRM-2963
66 if (self::relationship($id)) {
67 return TRUE;
68 }
69
70 $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables);
71
72 $from = CRM_Contact_BAO_Query::fromClause($whereTables);
73
74 $query = "
75 SELECT count(DISTINCT contact_a.id)
76 $from
77 WHERE contact_a.id = %1 AND $permission";
78 $params = array(1 => array($id, 'Integer'));
79
80 return (CRM_Core_DAO::singleValueQuery($query, $params) > 0) ? TRUE : FALSE;
81 }
82
83 /**
84 * fill the acl contact cache for this contact id if empty
85 *
86 * @param $userID
87 * @param int|string $type the type of operation (view|edit)
88 * @param boolean $force should we force a recompute
89 *
90 * @internal param int $id contact id
91 * @return void
92 * @access public
93 * @static
94 */
95 static function cache($userID, $type = CRM_Core_Permission::VIEW, $force = FALSE) {
96 static $_processed = array();
97
98 if ($type = CRM_Core_Permission::VIEW) {
99 $operationClause = " operation IN ( 'Edit', 'View' ) ";
100 $operation = 'View';
101 }
102 else {
103 $operationClause = " operation = 'Edit' ";
104 $operation = 'Edit';
105 }
106
107 if (!$force) {
108 if (!empty($_processed[$userID])) {
109 return;
110 }
111
112 // run a query to see if the cache is filled
113 $sql = "
114 SELECT count(id)
115 FROM civicrm_acl_contact_cache
116 WHERE user_id = %1
117 AND $operationClause
118 ";
119 $params = array(1 => array($userID, 'Integer'));
120 $count = CRM_Core_DAO::singleValueQuery($sql, $params);
121 if ($count > 0) {
122 $_processed[$userID] = 1;
123 return;
124 }
125 }
126
127 $tables = array();
128 $whereTables = array();
129
130 $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, $userID);
131
132 $from = CRM_Contact_BAO_Query::fromClause($whereTables);
133
134 CRM_Core_DAO::executeQuery("
135 INSERT INTO civicrm_acl_contact_cache ( user_id, contact_id, operation )
136 SELECT $userID as user_id, contact_a.id as contact_id, '$operation' as operation
137 $from
138 WHERE $permission
139 GROUP BY contact_a.id
140 ON DUPLICATE KEY UPDATE
141 user_id=VALUES(user_id),
142 contact_id=VALUES(contact_id),
143 operation=VALUES(operation)"
144 );
145
146 CRM_Core_DAO::executeQuery('DELETE FROM civicrm_acl_contact_cache WHERE contact_id IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)');
147 $_processed[$userID] = 1;
148
149 return;
150 }
151
152 /**
153 * Function to check if there are any contacts in cache table
154 *
155 * @param string $type the type of operation (view|edit)
156 * @param int $contactID contact id
157 *
158 * @return boolean
159 * @access public
160 * @static
161 */
162 static function hasContactsInCache($type = CRM_Core_Permission::VIEW,
163 $contactID = NULL
164 ) {
165 if (!$contactID) {
166 $session = CRM_Core_Session::singleton();
167 $contactID = $session->get('userID');
168 }
169
170 if ($type = CRM_Core_Permission::VIEW) {
171 $operationClause = " operation IN ( 'Edit', 'View' ) ";
172 $operation = 'View';
173 }
174 else {
175 $operationClause = " operation = 'Edit' ";
176 $operation = 'Edit';
177 }
178
179 // fill cache
180 self::cache($contactID);
181
182 $sql = "
183 SELECT id
184 FROM civicrm_acl_contact_cache
185 WHERE user_id = %1
186 AND $operationClause LIMIT 1";
187
188 $params = array(1 => array($contactID, 'Integer'));
189 return (bool) CRM_Core_DAO::singleValueQuery($sql, $params);
190 }
191
192 static function cacheClause($contactAlias = 'contact_a', $contactID = NULL) {
193 if (CRM_Core_Permission::check('view all contacts') ||
194 CRM_Core_Permission::check('edit all contacts')
195 ) {
196 if (is_array($contactAlias)) {
197 $wheres = array();
198 foreach ($contactAlias as $alias) {
199 // CRM-6181
200 $wheres[] = "$alias.is_deleted = 0";
201 }
202 return array(NULL, '(' . implode(' AND ', $wheres) . ')');
203 }
204 else {
205 // CRM-6181
206 return array(NULL, "$contactAlias.is_deleted = 0");
207 }
208 }
209
210 $session = CRM_Core_Session::singleton();
211 $contactID = $session->get('userID');
212 if (!$contactID) {
213 $contactID = 0;
214 }
215 $contactID = CRM_Utils_Type::escape($contactID, 'Integer');
216
217 self::cache($contactID);
218
219 if (is_array($contactAlias) && !empty($contactAlias)) {
220 //More than one contact alias
221 $clauses = array();
222 foreach ($contactAlias as $k => $alias) {
223 $clauses[] = " INNER JOIN civicrm_acl_contact_cache aclContactCache_{$k} ON {$alias}.id = aclContactCache_{$k}.contact_id AND aclContactCache_{$k}.user_id = $contactID ";
224 }
225
226 $fromClause = implode(" ", $clauses);
227 $whereClase = NULL;
228 }
229 else {
230 $fromClause = " INNER JOIN civicrm_acl_contact_cache aclContactCache ON {$contactAlias}.id = aclContactCache.contact_id ";
231 $whereClase = " aclContactCache.user_id = $contactID ";
232 }
233
234 return array($fromClause, $whereClase);
235 }
236
237 /**
238 * Function to get the permission base on its relationship
239 *
240 * @param $selectedContactID
241 * @param null $contactID
242 *
243 * @internal param int $selectedContactId contact id of selected contact
244 * @internal param int $contactId contact id of the current contact
245 *
246 * @return booleab true if logged in user has permission to view
247 * selected contact record else false
248 * @static
249 */
250 static function relationship($selectedContactID, $contactID = NULL) {
251 $session = CRM_Core_Session::singleton();
252 $config = CRM_Core_Config::singleton();
253 if (!$contactID) {
254 $contactID = $session->get('userID');
255 if (!$contactID) {
256 return FALSE;
257 }
258 }
259 if ($contactID == $selectedContactID && CRM_Core_Permission::check('edit my contact')) {
260 return TRUE;
261 }
262 else {
263 if ($config->secondDegRelPermissions) {
264 $query = "
265 SELECT firstdeg.id
266 FROM civicrm_relationship firstdeg
267 LEFT JOIN civicrm_relationship seconddegaa
268 on firstdeg.contact_id_a = seconddegaa.contact_id_b
269 and seconddegaa.is_permission_b_a = 1
270 and firstdeg.is_permission_b_a = 1
271 and seconddegaa.is_active = 1
272 LEFT JOIN civicrm_relationship seconddegab
273 on firstdeg.contact_id_a = seconddegab.contact_id_a
274 and seconddegab.is_permission_a_b = 1
275 and firstdeg.is_permission_b_a = 1
276 and seconddegab.is_active = 1
277 LEFT JOIN civicrm_relationship seconddegba
278 on firstdeg.contact_id_b = seconddegba.contact_id_b
279 and seconddegba.is_permission_b_a = 1
280 and firstdeg.is_permission_a_b = 1
281 and seconddegba.is_active = 1
282 LEFT JOIN civicrm_relationship seconddegbb
283 on firstdeg.contact_id_b = seconddegbb.contact_id_a
284 and seconddegbb.is_permission_a_b = 1
285 and firstdeg.is_permission_a_b = 1
286 and seconddegbb.is_active = 1
287 WHERE
288 (
289 ( firstdeg.contact_id_a = %1 AND firstdeg.contact_id_b = %2 AND firstdeg.is_permission_a_b = 1 )
290 OR ( firstdeg.contact_id_a = %2 AND firstdeg.contact_id_b = %1 AND firstdeg.is_permission_b_a = 1 )
291 OR (
292 firstdeg.contact_id_a = %1 AND seconddegba.contact_id_a = %2
293 AND (seconddegba.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
294 )
295 OR (
296 firstdeg.contact_id_a = %1 AND seconddegbb.contact_id_b = %2
297 AND (seconddegbb.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
298 )
299 OR (
300 firstdeg.contact_id_b = %1 AND seconddegab.contact_id_b = %2
301 AND (seconddegab.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
302 )
303 OR (
304 firstdeg.contact_id_b = %1 AND seconddegaa.contact_id_a = %2 AND (seconddegaa.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
305 )
306 )
307 AND (firstdeg.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
308 AND (firstdeg.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
309 AND ( firstdeg.is_active = 1)
310 ";
311 }
312 else {
313 $query = "
314 SELECT id
315 FROM civicrm_relationship
316 WHERE (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR
317 ( contact_id_a = %2 AND contact_id_b = %1 AND is_permission_b_a = 1 )) AND
318 (contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)) AND
319 (contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
320 AND ( civicrm_relationship.is_active = 1 )
321 ";
322 }
323 $params = array(1 => array($contactID, 'Integer'),
324 2 => array($selectedContactID, 'Integer'),
325 );
326 return CRM_Core_DAO::singleValueQuery($query, $params);
327 }
328 }
329
330
331 static function validateOnlyChecksum($contactID, &$form, $redirect = TRUE) {
332 // check if this is of the format cs=XXX
333 if (!CRM_Contact_BAO_Contact_Utils::validChecksum($contactID,
334 CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)
335 )) {
336 if ($redirect) {
337 // also set a message in the UF framework
338 $message = ts('You do not have permission to edit this contact record. Contact the site administrator if you need assistance.');
339 CRM_Utils_System::setUFMessage($message);
340
341 $config = CRM_Core_Config::singleton();
342 CRM_Core_Error::statusBounce($message,
343 $config->userFrameworkBaseURL
344 );
345 // does not come here, we redirect in the above statement
346 }
347 return FALSE;
348 }
349
350 // set appropriate AUTH source
351 self::initChecksumAuthSrc(TRUE, $form);
352
353 // so here the contact is posing as $contactID, lets set the logging contact ID variable
354 // CRM-8965
355 CRM_Core_DAO::executeQuery('SET @civicrm_user_id = %1',
356 array(1 => array($contactID, 'Integer'))
357 );
358
359 return TRUE;
360 }
361
362 static function initChecksumAuthSrc($checkSumValidationResult = FALSE, $form = NULL) {
363 $session = CRM_Core_Session::singleton();
364 if ($checkSumValidationResult && $form && CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)) {
365 // if result is already validated, and url has cs, set the flag.
366 $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM);
367 } else if (($session->get('authSrc') & CRM_Core_Permission::AUTH_SRC_CHECKSUM) == CRM_Core_Permission::AUTH_SRC_CHECKSUM) {
368 // if checksum wasn't present in REQUEST OR checksum result validated as FALSE,
369 // and flag was already set exactly as AUTH_SRC_CHECKSUM, unset it.
370 $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_UNKNOWN);
371 }
372 }
373
374 static function validateChecksumContact($contactID, &$form, $redirect = TRUE) {
375 if (!self::allow($contactID, CRM_Core_Permission::EDIT)) {
376 // check if this is of the format cs=XXX
377 return self::validateOnlyChecksum($contactID, $form, $redirect);
378 }
379 return TRUE;
380 }
381 }
382