22f44500342915da69a8b176d2424abade865e65
[civicrm-core.git] / CRM / Core / DAO / permissions.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
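/**
 * Decide which permissions to check for an API call.
 *
 * The contact must hold all of the returned permissions for the API call to
 * be allowed, so an empty array imposes no requirement at this layer.
 *
 * Resolution order, as implemented below:
 *  1. 'create' with an id in $params is treated as 'update'.
 *  2. Third parties may alter the table via hook_civicrm_alterAPIPermissions.
 *  3. The entity's declarations are merged over the 'default' entity.
 *  4. An exact action match wins; otherwise the action is mapped to its
 *     generic equivalent (delete / update / meta / get) and finally to the
 *     'default' action.
 *  5. If nothing at all is declared (only possible when a hook has removed
 *     the built-in defaults), 'administer CiviCRM' is required.
 *
 * @param string $entity
 *   API entity.
 * @param string $action
 *   API action.
 * @param array $params
 *   API params; passed on to the alterAPIPermissions hook.
 *
 * @return array
 *   Array of permissions to check for this entity-action combo.
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  $entity = _civicrm_api_get_entity_name_from_camel($entity);
  $action = strtolower($action);

  /**
   * @var array of permissions
   *
   * For each entity, we declare an array of permissions required for each action
   * The action is the array key, possible values:
   *  * create: applies to create (with no id in params)
   *  * update: applies to update, setvalue, create (with id in params)
   *  * get: applies to getcount, getsingle, getvalue and other gets
   *  * delete: applies to delete, replace
   *  * meta: applies to getfields, getoptions, getspec
   *  * default: catch-all for anything not declared
   *
   * Note: some APIs declare other actions as well
   */
  $permissions = array();

  // These are the default permissions - if any entity does not declare permissions for a given action,
  // (or the entity does not declare permissions at all) - then the action will be used from here
  $permissions['default'] = array(
    // applies to getfields, getoptions, etc.
    'meta' => array('access CiviCRM'),
    // catch-all, applies to create, get, delete, etc.
    // If an entity declares its own 'default' action it will override this one
    'default' => array('administer CiviCRM'),
  );

  $permissions['attachment'] = array(
    'default' => array('access CiviCRM', 'access AJAX API'),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array(
      'access CiviCRM',
      'add contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    // managed by query object: no API-level permission is returned here, so
    // access control for contact reads depends entirely on that later check.
    'get' => array(),
    'update' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
    // NOTE(review): this is a nested array, unlike the flat list used for
    // 'attachment' above - confirm how the permission checker interprets
    // nesting (any-of vs. all-of) before copying this pattern.
    'getquick' => array(
      array('access CiviCRM', 'access AJAX API'),
    ),
  );

  // Contact-related data permissions.
  // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
  $permissions['address'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );
  $permissions['email'] = $permissions['address'];
  $permissions['phone'] = $permissions['address'];
  $permissions['website'] = $permissions['address'];
  $permissions['im'] = $permissions['address'];
  $permissions['loc_block'] = $permissions['address'];
  $permissions['entity_tag'] = $permissions['address'];
  $permissions['note'] = $permissions['address'];

  // Relationship permissions
  $permissions['relationship'] = array(
    'get' => array(
      'access CiviCRM',
      'view all contacts',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete contacts',
    ),
    'default' => array(
      'access CiviCRM',
      'edit all contacts',
    ),
  );

  // Activity permissions
  // NOTE(review): 'default' is the catch-all, so create/update on activities
  // require only 'view all activities' at this layer - confirm that write
  // access is enforced elsewhere.
  $permissions['activity'] = array(
    'delete' => array(
      'access CiviCRM',
      'delete activities',
    ),
    'default' => array(
      'access CiviCRM',
      'view all activities',
    ),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array(
      'access CiviCRM',
      'add cases',
    ),
    'delete' => array(
      'access CiviCRM',
      'delete in CiviCase',
    ),
    'default' => array(
      'access CiviCRM',
      'access all cases and activities',
    ),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviContribute',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    // NOTE(review): unlike the other contribution actions this one does not
    // list 'access CiviCRM' / 'access CiviContribute' - confirm intentional.
    'completetransaction' => array(
      'edit contributions',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviContribute',
      'edit contributions',
    ),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array(
      'administer CiviCRM',
      'access all custom data',
    ),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'delete in CiviEvent',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event info',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit all events',
    ),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array(
      'access CiviCRM',
      'access uploaded files',
    ),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
    'default' => array(
      'access CiviCRM',
      'edit groups',
    ),
  );
  $permissions['group_contact'] = $permissions['group'];
  $permissions['group_nesting'] = $permissions['group'];
  $permissions['group_organization'] = $permissions['group'];

  // CiviMail Permissions
  $permissions['mailing'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMail',
      'delete in CiviMail',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMail',
    ),
  );

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
    ),
    'default' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
    ),
  );
  $permissions['membership_status'] = $permissions['membership'];
  $permissions['membership_type'] = $permissions['membership'];
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviMember',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
    ),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
    ),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviPledge',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    // the profile will take care of this (no API-level permission returned)
    'get' => array(),
  );

  // Only 'get' is declared for these entities; every other action falls
  // through to the 'default' entity ('administer CiviCRM', or 'access CiviCRM'
  // for meta actions).
  $permissions['uf_group'] = array(
    'get' => array(
      'access CiviCRM',
    ),
  );
  $permissions['uf_field'] = $permissions['uf_group'];
  $permissions['option_value'] = $permissions['uf_group'];
  $permissions['option_group'] = $permissions['option_value'];

  // Translate 'create' action to 'update' if id is set
  if ($action === 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // let third parties modify the permissions
  // Hook implementations can loosen as well as tighten the table, so they are
  // part of the trust boundary for API access control.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // A hook may have removed or replaced either entry with a non-array; treat
  // that as "nothing declared" instead of failing on the array union below.
  $defaults = (isset($permissions['default']) && is_array($permissions['default'])) ? $permissions['default'] : array();
  $declared = CRM_Utils_Array::value($entity, $permissions, array());
  if (!is_array($declared)) {
    $declared = array();
  }

  // Merge permissions for this entity with the defaults
  $perm = $declared + $defaults;

  // Return exact match if permission for this action has been declared
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Translate specific actions into their generic equivalents.
  // The match is on the first three characters only, so any undeclared action
  // whose name begins with 'get' is checked against the read permissions
  // regardless of what the action actually does.
  $snippet = substr($action, 0, 3);
  if ($action === 'replace' || $snippet === 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the permissions
    // on each of those will be tested separately at runtime. This is just a sniff-test
    // based on the heuristic that 'delete' tends to be the most closely guarded
    // of the necessary permissions.
    $action = 'delete';
  }
  elseif ($action === 'setvalue' || $snippet === 'upd') {
    $action = 'update';
  }
  elseif ($action === 'getfields' || $action === 'getspec' || $action === 'getoptions') {
    $action = 'meta';
  }
  elseif ($snippet === 'get') {
    $action = 'get';
  }

  if (isset($perm[$action])) {
    return $perm[$action];
  }
  if (isset($perm['default'])) {
    return $perm['default'];
  }

  // Fail closed: with no declaration left at all, require the same permission
  // as the built-in catch-all rather than returning NULL, which a caller that
  // iterates over the result would see as "nothing to check".
  return array('administer CiviCRM');
}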
455
456 # FIXME: not sure how to permission the following API 3 calls:
457 # contribution_transact (make online contributions)
458 # entity_tag_display
459 # group_contact_pending
460 # group_contact_update_status
461 # mailing_event_bounce
462 # mailing_event_click
463 # mailing_event_confirm
464 # mailing_event_forward
465 # mailing_event_open
466 # mailing_event_reply
467 # mailing_group_event_domain_unsubscribe
468 # mailing_group_event_resubscribe
469 # mailing_group_event_subscribe
470 # mailing_group_event_unsubscribe
471 # membership_status_calc
472 # survey_respondant_count