projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #6732 from pradpnayak/CRM-17209
[civicrm-core.git] / CRM / Contact / BAO / Contact / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2015
32 * $Id$
33 *
34 */
35 class CRM_Contact_BAO_Contact_Permission {
36
37 /**
38 * Check if the logged in user has permissions for the operation type.
39 *
40 * @param int $id
41 * Contact id.
42 * @param int|string $type the type of operation (view|edit)
43 *
44 * @return bool
45 * true if the user has permission, false otherwise
46 */
47 public static function allow($id, $type = CRM_Core_Permission::VIEW) {
48 $tables = array();
49 $whereTables = array();
50
51 # FIXME: push this somewhere below, to not give this permission so many rights
52 $isDeleted = (bool) CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $id, 'is_deleted');
53 if (CRM_Core_Permission::check('access deleted contacts') && $isDeleted) {
54 return TRUE;
55 }
56
57 // short circuit for admin rights here so we avoid unneeeded queries
58 // some duplication of code, but we skip 3-5 queries
59 if (CRM_Core_Permission::check('edit all contacts') ||
60 ($type == CRM_ACL_API::VIEW && CRM_Core_Permission::check('view all contacts'))
61 ) {
62 return TRUE;
63 }
64
65 //check permission based on relationship, CRM-2963
66 if (self::relationship($id)) {
67 return TRUE;
68 }
69
70 $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables);
71
72 $from = CRM_Contact_BAO_Query::fromClause($whereTables);
73
74 $query = "
75 SELECT count(DISTINCT contact_a.id)
76 $from
77 WHERE contact_a.id = %1 AND $permission";
78 $params = array(1 => array($id, 'Integer'));
79
80 return (CRM_Core_DAO::singleValueQuery($query, $params) > 0) ? TRUE : FALSE;
81 }
82
83 /**
84 * Fill the acl contact cache for this contact id if empty.
85 *
86 * @param int $userID
87 * @param int|string $type the type of operation (view|edit)
88 * @param bool $force
89 * Should we force a recompute.
90 *
91 * @return void
92 */
93 public static function cache($userID, $type = CRM_Core_Permission::VIEW, $force = FALSE) {
94 static $_processed = array();
95
96 if ($type = CRM_Core_Permission::VIEW) {
97 $operationClause = " operation IN ( 'Edit', 'View' ) ";
98 $operation = 'View';
99 }
100 else {
101 $operationClause = " operation = 'Edit' ";
102 $operation = 'Edit';
103 }
104
105 if (!$force) {
106 if (!empty($_processed[$userID])) {
107 return;
108 }
109
110 // run a query to see if the cache is filled
111 $sql = "
112 SELECT count(id)
113 FROM civicrm_acl_contact_cache
114 WHERE user_id = %1
115 AND $operationClause
116 ";
117 $params = array(1 => array($userID, 'Integer'));
118 $count = CRM_Core_DAO::singleValueQuery($sql, $params);
119 if ($count > 0) {
120 $_processed[$userID] = 1;
121 return;
122 }
123 }
124
125 $tables = array();
126 $whereTables = array();
127
128 $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, $userID);
129
130 $from = CRM_Contact_BAO_Query::fromClause($whereTables);
131
132 CRM_Core_DAO::executeQuery("
133 INSERT INTO civicrm_acl_contact_cache ( user_id, contact_id, operation )
134 SELECT $userID as user_id, contact_a.id as contact_id, '$operation' as operation
135 $from
136 WHERE $permission
137 GROUP BY contact_a.id
138 ON DUPLICATE KEY UPDATE
139 user_id=VALUES(user_id),
140 contact_id=VALUES(contact_id),
141 operation=VALUES(operation)"
142 );
143
144 CRM_Core_DAO::executeQuery('DELETE FROM civicrm_acl_contact_cache WHERE contact_id IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)');
145 $_processed[$userID] = 1;
146 }
147
148 /**
149 * Check if there are any contacts in cache table.
150 *
151 * @param int|string $type the type of operation (view|edit)
152 * @param int $contactID
153 * Contact id.
154 *
155 * @return bool
156 */
157 public static function hasContactsInCache(
158 $type = CRM_Core_Permission::VIEW,
159 $contactID = NULL
160 ) {
161 if (!$contactID) {
162 $session = CRM_Core_Session::singleton();
163 $contactID = $session->get('userID');
164 }
165
166 if ($type = CRM_Core_Permission::VIEW) {
167 $operationClause = " operation IN ( 'Edit', 'View' ) ";
168 $operation = 'View';
169 }
170 else {
171 $operationClause = " operation = 'Edit' ";
172 $operation = 'Edit';
173 }
174
175 // fill cache
176 self::cache($contactID);
177
178 $sql = "
179 SELECT id
180 FROM civicrm_acl_contact_cache
181 WHERE user_id = %1
182 AND $operationClause LIMIT 1";
183
184 $params = array(1 => array($contactID, 'Integer'));
185 return (bool) CRM_Core_DAO::singleValueQuery($sql, $params);
186 }
187
188 /**
189 * @param string $contactAlias
190 * @param int $contactID
191 *
192 * @return array
193 */
194 public static function cacheClause($contactAlias = 'contact_a', $contactID = NULL) {
195 if (CRM_Core_Permission::check('view all contacts') ||
196 CRM_Core_Permission::check('edit all contacts')
197 ) {
198 if (is_array($contactAlias)) {
199 $wheres = array();
200 foreach ($contactAlias as $alias) {
201 // CRM-6181
202 $wheres[] = "$alias.is_deleted = 0";
203 }
204 return array(NULL, '(' . implode(' AND ', $wheres) . ')');
205 }
206 else {
207 // CRM-6181
208 return array(NULL, "$contactAlias.is_deleted = 0");
209 }
210 }
211
212 $session = CRM_Core_Session::singleton();
213 $contactID = $session->get('userID');
214 if (!$contactID) {
215 $contactID = 0;
216 }
217 $contactID = CRM_Utils_Type::escape($contactID, 'Integer');
218
219 self::cache($contactID);
220
221 if (is_array($contactAlias) && !empty($contactAlias)) {
222 //More than one contact alias
223 $clauses = array();
224 foreach ($contactAlias as $k => $alias) {
225 $clauses[] = " INNER JOIN civicrm_acl_contact_cache aclContactCache_{$k} ON {$alias}.id = aclContactCache_{$k}.contact_id AND aclContactCache_{$k}.user_id = $contactID ";
226 }
227
228 $fromClause = implode(" ", $clauses);
229 $whereClase = NULL;
230 }
231 else {
232 $fromClause = " INNER JOIN civicrm_acl_contact_cache aclContactCache ON {$contactAlias}.id = aclContactCache.contact_id ";
233 $whereClase = " aclContactCache.user_id = $contactID AND $contactAlias.is_deleted = 0";
234 }
235
236 return array($fromClause, $whereClase);
237 }
238
239 /**
240 * Get the permission base on its relationship.
241 *
242 * @param int $selectedContactID
243 * Contact id of selected contact.
244 * @param int $contactID
245 * Contact id of the current contact.
246 *
247 * @return bool
248 * true if logged in user has permission to view
249 * selected contact record else false
250 */
251 public static function relationship($selectedContactID, $contactID = NULL) {
252 $session = CRM_Core_Session::singleton();
253 $config = CRM_Core_Config::singleton();
254 if (!$contactID) {
255 $contactID = $session->get('userID');
256 if (!$contactID) {
257 return FALSE;
258 }
259 }
260 if ($contactID == $selectedContactID &&
261 (CRM_Core_Permission::check('edit my contact') || CRM_Core_Permission::check('view my contact'))
262 ) {
263 return TRUE;
264 }
265 else {
266 if ($config->secondDegRelPermissions) {
267 $query = "
268 SELECT firstdeg.id
269 FROM civicrm_relationship firstdeg
270 LEFT JOIN civicrm_relationship seconddegaa
271 on firstdeg.contact_id_a = seconddegaa.contact_id_b
272 and seconddegaa.is_permission_b_a = 1
273 and firstdeg.is_permission_b_a = 1
274 and seconddegaa.is_active = 1
275 LEFT JOIN civicrm_relationship seconddegab
276 on firstdeg.contact_id_a = seconddegab.contact_id_a
277 and seconddegab.is_permission_a_b = 1
278 and firstdeg.is_permission_b_a = 1
279 and seconddegab.is_active = 1
280 LEFT JOIN civicrm_relationship seconddegba
281 on firstdeg.contact_id_b = seconddegba.contact_id_b
282 and seconddegba.is_permission_b_a = 1
283 and firstdeg.is_permission_a_b = 1
284 and seconddegba.is_active = 1
285 LEFT JOIN civicrm_relationship seconddegbb
286 on firstdeg.contact_id_b = seconddegbb.contact_id_a
287 and seconddegbb.is_permission_a_b = 1
288 and firstdeg.is_permission_a_b = 1
289 and seconddegbb.is_active = 1
290 WHERE
291 (
292 ( firstdeg.contact_id_a = %1 AND firstdeg.contact_id_b = %2 AND firstdeg.is_permission_a_b = 1 )
293 OR ( firstdeg.contact_id_a = %2 AND firstdeg.contact_id_b = %1 AND firstdeg.is_permission_b_a = 1 )
294 OR (
295 firstdeg.contact_id_a = %1 AND seconddegba.contact_id_a = %2
296 AND (seconddegba.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
297 )
298 OR (
299 firstdeg.contact_id_a = %1 AND seconddegbb.contact_id_b = %2
300 AND (seconddegbb.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
301 )
302 OR (
303 firstdeg.contact_id_b = %1 AND seconddegab.contact_id_b = %2
304 AND (seconddegab.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
305 )
306 OR (
307 firstdeg.contact_id_b = %1 AND seconddegaa.contact_id_a = %2 AND (seconddegaa.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
308 )
309 )
310 AND (firstdeg.contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
311 AND (firstdeg.contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
312 AND ( firstdeg.is_active = 1)
313 ";
314 }
315 else {
316 $query = "
317 SELECT id
318 FROM civicrm_relationship
319 WHERE (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR
320 ( contact_id_a = %2 AND contact_id_b = %1 AND is_permission_b_a = 1 )) AND
321 (contact_id_a NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1)) AND
322 (contact_id_b NOT IN (SELECT id FROM civicrm_contact WHERE is_deleted = 1))
323 AND ( civicrm_relationship.is_active = 1 )
324 ";
325 }
326 $params = array(
327 1 => array($contactID, 'Integer'),
328 2 => array($selectedContactID, 'Integer'),
329 );
330 return CRM_Core_DAO::singleValueQuery($query, $params);
331 }
332 }
333
334
335 /**
336 * @param int $contactID
337 * @param CRM_Core_Form $form
338 * @param bool $redirect
339 *
340 * @return bool
341 */
342 public static function validateOnlyChecksum($contactID, &$form, $redirect = TRUE) {
343 // check if this is of the format cs=XXX
344 if (!CRM_Contact_BAO_Contact_Utils::validChecksum($contactID,
345 CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)
346 )
347 ) {
348 if ($redirect) {
349 // also set a message in the UF framework
350 $message = ts('You do not have permission to edit this contact record. Contact the site administrator if you need assistance.');
351 CRM_Utils_System::setUFMessage($message);
352
353 $config = CRM_Core_Config::singleton();
354 CRM_Core_Error::statusBounce($message,
355 $config->userFrameworkBaseURL
356 );
357 // does not come here, we redirect in the above statement
358 }
359 return FALSE;
360 }
361
362 // set appropriate AUTH source
363 self::initChecksumAuthSrc(TRUE, $form);
364
365 // so here the contact is posing as $contactID, lets set the logging contact ID variable
366 // CRM-8965
367 CRM_Core_DAO::executeQuery('SET @civicrm_user_id = %1',
368 array(1 => array($contactID, 'Integer'))
369 );
370
371 return TRUE;
372 }
373
374 /**
375 * @param bool $checkSumValidationResult
376 * @param null $form
377 */
378 public static function initChecksumAuthSrc($checkSumValidationResult = FALSE, $form = NULL) {
379 $session = CRM_Core_Session::singleton();
380 if ($checkSumValidationResult && $form && CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)) {
381 // if result is already validated, and url has cs, set the flag.
382 $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM);
383 }
384 elseif (($session->get('authSrc') & CRM_Core_Permission::AUTH_SRC_CHECKSUM) == CRM_Core_Permission::AUTH_SRC_CHECKSUM) {
385 // if checksum wasn't present in REQUEST OR checksum result validated as FALSE,
386 // and flag was already set exactly as AUTH_SRC_CHECKSUM, unset it.
387 $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_UNKNOWN);
388 }
389 }
390
391 /**
392 * @param int $contactID
393 * @param CRM_Core_Form $form
394 * @param bool $redirect
395 *
396 * @return bool
397 */
398 public static function validateChecksumContact($contactID, &$form, $redirect = TRUE) {
399 if (!self::allow($contactID, CRM_Core_Permission::EDIT)) {
400 // check if this is of the format cs=XXX
401 return self::validateOnlyChecksum($contactID, $form, $redirect);
402 }
403 return TRUE;
404 }
405
406 }