4 +--------------------------------------------------------------------+
5 | CiviCRM version 4.3 |
6 +--------------------------------------------------------------------+
7 | Copyright CiviCRM LLC (c) 2004-2013 |
8 +--------------------------------------------------------------------+
9 | This file is a part of CiviCRM. |
11 | CiviCRM is free software; you can copy, modify, and distribute it |
12 | under the terms of the GNU Affero General Public License |
13 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
15 | CiviCRM is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
18 | See the GNU Affero General Public License for more details. |
20 | You should have received a copy of the GNU Affero General Public |
21 | License and the CiviCRM Licensing Exception along |
22 | with this program; if not, contact CiviCRM LLC |
23 | at info[AT]civicrm[DOT]org. If you have questions about the |
24 | GNU Affero General Public License or the licensing of CiviCRM, |
25 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
26 +--------------------------------------------------------------------+
30 * Decide what permissions to check for an api call
31 * The contact must have all of the returned permissions for the api call to be allowed
33 * @param $entity: (str) api entity
34 * @param $action: (str) api action
35 * @param $params: (array) api params
37 * @return array of permissions to check for this entity-action combo
39 function _civicrm_api3_permissions($entity, $action, &$params) {
// Authorization lookup for the API layer: resolves which permissions the caller
// must hold for one entity/action pair. The result depends on the hard-coded
// table below, on the caller-supplied $params (create vs. update) and on any
// alterAPIPermissions hook implementation.
// Both lookup keys are normalised first; the table keys below are lower-case.
// NOTE(review): the entity helper presumably maps CamelCase names to the
// snake_case keys used below (e.g. 'custom_field') - confirm against the helper.
40 $entity = _civicrm_api_get_entity_name_from_camel($entity);
41 $action = strtolower($action);
44 * @var array of permissions
46 * For each entity, we declare an array of permissions required for each action
47 * The action is the array key, possible values:
48 * * create: applies to create (with no id in params)
49 * * update: applies to update, setvalue, create (with id in params)
50 * * get: applies to getcount, getsingle, getvalue and other gets
51 * * delete: applies to delete, replace
52 * * meta: applies to getfields, getoptions, getspec
53 * * default: catch-all for anything not declared
55 * Note: some APIs declare other actions as well
57 $permissions = array();
// Restrictive baseline: anything not declared elsewhere requires
// 'administer CiviCRM'; only the 'meta' actions are open to 'access CiviCRM'.
59 // These are the default permissions - if any entity does not declare permissions for a given action,
60 // (or the entity does not declare permissions at all) - then the action will be used from here
61 $permissions['default'] = array(
62 // applies to getfields, getoptions, etc.
63 'meta' => array('access CiviCRM'),
64 // catch-all, applies to create, get, delete, etc.
65 // If an entity declares its own 'default' action it will override this one
66 'default' => array('administer CiviCRM'),
69 $permissions['activity'] = array(
76 'view all activities',
79 $permissions['address'] = array(
97 $permissions['contact'] = array(
106 // managed by query object
112 'getquick' => array('access CiviCRM'),
114 $permissions['contribution'] = array(
117 'access CiviContribute',
118 'edit contributions',
122 'access CiviContribute',
123 'delete in CiviContribute',
127 'access CiviContribute',
131 'access CiviContribute',
132 'edit contributions',
135 $permissions['custom_field'] = array(
137 'administer CiviCRM',
139 'access all custom data',
142 'administer CiviCRM',
144 'access all custom data',
147 'administer CiviCRM',
149 'access all custom data',
152 'administer CiviCRM',
154 'access all custom data',
157 $permissions['custom_group'] = array(
159 'administer CiviCRM',
161 'access all custom data',
164 'administer CiviCRM',
166 'access all custom data',
169 'administer CiviCRM',
171 'access all custom data',
174 'administer CiviCRM',
176 'access all custom data',
179 $permissions['email'] = array(
197 $permissions['event'] = array(
206 'delete in CiviEvent',
219 $permissions['file'] = array(
222 'access uploaded files',
226 'access uploaded files',
230 'access uploaded files',
234 'access uploaded files',
237 $permissions['files_by_entity'] = array(
240 'access uploaded files',
244 'access uploaded files',
248 'access uploaded files',
252 'access uploaded files',
255 $permissions['group'] = array(
269 $permissions['group_contact'] = array(
283 $permissions['group_nesting'] = array(
297 $permissions['group_organization'] = array(
311 $permissions['location'] = array(
329 $permissions['membership'] = array(
338 'delete in CiviMember',
350 $permissions['membership_payment'] = array(
355 'access CiviContribute',
356 'edit contributions',
361 'delete in CiviMember',
362 'access CiviContribute',
363 'delete in CiviContribute',
368 'access CiviContribute',
374 'access CiviContribute',
375 'edit contributions',
378 $permissions['membership_status'] = array(
387 'delete in CiviMember',
399 $permissions['membership_type'] = array(
408 'delete in CiviMember',
420 $permissions['note'] = array(
438 $permissions['participant'] = array(
442 'register for events',
447 'edit event participants',
452 'view event participants',
457 'edit event participants',
460 $permissions['participant_payment'] = array(
464 'register for events',
465 'access CiviContribute',
466 'edit contributions',
471 'edit event participants',
472 'access CiviContribute',
473 'delete in CiviContribute',
478 'view event participants',
479 'access CiviContribute',
484 'edit event participants',
485 'access CiviContribute',
486 'edit contributions',
489 $permissions['phone'] = array(
507 $permissions['pledge'] = array(
516 'delete in CiviPledge',
528 $permissions['pledge_payment'] = array(
533 'access CiviContribute',
534 'edit contributions',
539 'delete in CiviPledge',
540 'access CiviContribute',
541 'delete in CiviContribute',
546 'access CiviContribute',
552 'access CiviContribute',
553 'edit contributions',
556 $permissions['system'] = array(
557 'flush' => array('administer CiviCRM'),
559 $permissions['website'] = array(
// The create/update split is driven by caller-supplied params: a non-empty
// 'id' or '<entity>_id' selects the 'update' permission set. empty() treats
// 0, '0' and '' as absent, so a request carrying such an id is checked as 'create'.
578 // Translate 'create' action to 'update' if id is set
579 if ($action == 'create' && (!empty($params['id']) ||
!empty($params[$entity . '_id']))) {
// Extension point with authorization impact: the hook is handed the whole
// $permissions table before the lookup. NOTE(review): presumably taken by
// reference, so an extension can tighten or loosen the requirement for any
// entity/action, including 'default' - include hook implementations in any
// access-control audit.
583 // let third parties modify the permissions
584 CRM_Utils_Hook
::alterAPIPermissions($entity, $action, $params, $permissions);
// Array union (+) keeps the left operand's keys: actions declared by the entity,
// including its own 'default', win over the global defaults; only undeclared
// actions are filled in from $permissions['default'].
// NOTE(review): CRM_Utils_Array::value() presumably returns $permissions[$entity]
// or the array() fallback when the entity is not declared - confirm.
586 // Merge permissions for this entity with the defaults
587 $perm = CRM_Utils_Array
::value($entity, $permissions, array()) +
$permissions['default'];
589 // Return exact match if permission for this action has been declared
590 if (isset($perm[$action])) {
591 return $perm[$action];
// Grouping is by action name: 'replace', 'setvalue' and the three meta actions are
// matched exactly, everything else by its first three characters ('del', 'upd',
// 'get'). Per the table description above these map to the generic 'delete',
// 'update', 'meta' and 'get' entries. An action whose name merely starts with
// 'get' is therefore permissioned as a read unless the entity declares it explicitly.
594 // Translate specific actions into their generic equivalents
595 $snippet = substr($action, 0, 3);
596 if ($action == 'replace' ||
$snippet == 'del') {
599 elseif ($action == 'setvalue' ||
$snippet == 'upd') {
602 elseif ($action == 'getfields' ||
$action == 'getspec' ||
$action == 'getoptions') {
605 elseif ($snippet == 'get') {
// Anything still unmatched falls back to the merged 'default' entry, which is
// 'administer CiviCRM' unless the entity or a hook replaced it.
608 return isset($perm[$action]) ?
$perm[$action] : $perm['default'];
611 # FIXME: not sure how to permission the following API 3 calls:
612 # contribution_transact (make online contributions)
614 # group_contact_pending
615 # group_contact_update_status
616 # mailing_event_bounce
617 # mailing_event_click
618 # mailing_event_confirm
619 # mailing_event_forward
621 # mailing_event_reply
622 # mailing_group_event_domain_unsubscribe
623 # mailing_group_event_resubscribe
624 # mailing_group_event_subscribe
625 # mailing_group_event_unsubscribe
626 # membership_status_calc
627 # survey_respondant_count