projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Select2 style fixes for public pages
[civicrm-core.git] / CRM / Core / DAO / permissions.php
1 <?php
2
3 /*
4 +--------------------------------------------------------------------+
5 | CiviCRM version 4.5 |
6 +--------------------------------------------------------------------+
7 | Copyright CiviCRM LLC (c) 2004-2014 |
8 +--------------------------------------------------------------------+
9 | This file is a part of CiviCRM. |
10 | |
11 | CiviCRM is free software; you can copy, modify, and distribute it |
12 | under the terms of the GNU Affero General Public License |
13 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | |
15 | CiviCRM is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
18 | See the GNU Affero General Public License for more details. |
19 | |
20 | You should have received a copy of the GNU Affero General Public |
21 | License and the CiviCRM Licensing Exception along |
22 | with this program; if not, contact CiviCRM LLC |
23 | at info[AT]civicrm[DOT]org. If you have questions about the |
24 | GNU Affero General Public License or the licensing of CiviCRM, |
25 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
26 +--------------------------------------------------------------------+
27 */
28
29 /**
30 * Decide what permissions to check for an api call
31 * The contact must have all of the returned permissions for the api call to be allowed
32 *
33 * @param $entity: (str) api entity
34 * @param $action: (str) api action
35 * @param $params: (array) api params
36 *
37 * @return array of permissions to check for this entity-action combo
38 */
39 function _civicrm_api3_permissions($entity, $action, &$params) {
40 $entity = _civicrm_api_get_entity_name_from_camel($entity);
41 $action = strtolower($action);
42
43 /**
44 * @var array of permissions
45 *
46 * For each entity, we declare an array of permissions required for each action
47 * The action is the array key, possible values:
48 * * create: applies to create (with no id in params)
49 * * update: applies to update, setvalue, create (with id in params)
50 * * get: applies to getcount, getsingle, getvalue and other gets
51 * * delete: applies to delete, replace
52 * * meta: applies to getfields, getoptions, getspec
53 * * default: catch-all for anything not declared
54 *
55 * Note: some APIs declare other actions as well
56 */
57 $permissions = array();
58
59 // These are the default permissions - if any entity does not declare permissions for a given action,
60 // (or the entity does not declare permissions at all) - then the action will be used from here
61 $permissions['default'] = array(
62 // applies to getfields, getoptions, etc.
63 'meta' => array('access CiviCRM'),
64 // catch-all, applies to create, get, delete, etc.
65 // If an entity declares it's own 'default' action it will override this one
66 'default' => array('administer CiviCRM'),
67 );
68
69 // Contact permissions
70 $permissions['contact'] = array(
71 'create' => array(
72 'access CiviCRM',
73 'add contacts',
74 ),
75 'delete' => array(
76 'access CiviCRM',
77 'delete contacts',
78 ),
79 // managed by query object
80 'get' => array(),
81 'update' => array(
82 'access CiviCRM',
83 'edit all contacts',
84 ),
85 'getquick' => array(
86 array('access CiviCRM', 'access AJAX API'),
87 ),
88 );
89
90 // Contact-related data permissions.
91 // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
92 $permissions['address'] = array(
93 'get' => array(
94 'access CiviCRM',
95 'view all contacts',
96 ),
97 'default' => array(
98 'access CiviCRM',
99 'edit all contacts',
100 ),
101 );
102 $permissions['email'] = $permissions['address'];
103 $permissions['phone'] = $permissions['address'];
104 $permissions['website'] = $permissions['address'];
105 $permissions['im'] = $permissions['address'];
106 $permissions['loc_block'] = $permissions['address'];
107 $permissions['entity_tag'] = $permissions['address'];
108 $permissions['note'] = $permissions['address'];
109
110 //relationship permissions
111 $permissions['relationship'] = array(
112 'get' => array(
113 'access CiviCRM',
114 'view all contacts',
115 ),
116 'delete' => array(
117 'access CiviCRM',
118 'delete contacts',
119 ),
120 'default' => array(
121 'access CiviCRM',
122 'edit all contacts',
123 ),
124 );
125
126 // Activity permissions
127 $permissions['activity'] = array(
128 'delete' => array(
129 'access CiviCRM',
130 'delete activities',
131 ),
132 'default' => array(
133 'access CiviCRM',
134 'view all activities',
135 ),
136 );
137
138 // Case permissions
139 $permissions['case'] = array(
140 'create' => array(
141 'access CiviCRM',
142 'add cases',
143 ),
144 'delete' => array(
145 'access CiviCRM',
146 'delete in CiviCase',
147 ),
148 'default' => array(
149 'access CiviCRM',
150 'access all cases and activities',
151 ),
152 );
153
154 // Financial permissions
155 $permissions['contribution'] = array(
156 'get' => array(
157 'access CiviCRM',
158 'access CiviContribute',
159 ),
160 'delete' => array(
161 'access CiviCRM',
162 'access CiviContribute',
163 'delete in CiviContribute',
164 ),
165 'completetransaction' => array(
166 'edit contributions',
167 ),
168 'default' => array(
169 'access CiviCRM',
170 'access CiviContribute',
171 'edit contributions',
172 ),
173 );
174 $permissions['line_item'] = $permissions['contribution'];
175
176 // Custom field permissions
177 $permissions['custom_field'] = array(
178 'default' => array(
179 'administer CiviCRM',
180 'access all custom data',
181 ),
182 );
183 $permissions['custom_group'] = $permissions['custom_field'];
184
185 // Event permissions
186 $permissions['event'] = array(
187 'create' => array(
188 'access CiviCRM',
189 'access CiviEvent',
190 'edit all events',
191 ),
192 'delete' => array(
193 'access CiviCRM',
194 'access CiviEvent',
195 'delete in CiviEvent',
196 ),
197 'get' => array(
198 'access CiviCRM',
199 'access CiviEvent',
200 'view event info',
201 ),
202 'update' => array(
203 'access CiviCRM',
204 'access CiviEvent',
205 'edit all events',
206 ),
207 );
208
209 // File permissions
210 $permissions['file'] = array(
211 'default' => array(
212 'access CiviCRM',
213 'access uploaded files',
214 ),
215 );
216 $permissions['files_by_entity'] = $permissions['file'];
217
218 // Group permissions
219 $permissions['group'] = array(
220 'get' => array(
221 'access CiviCRM',
222 ),
223 'default' => array(
224 'access CiviCRM',
225 'edit groups',
226 ),
227 );
228 $permissions['group_contact'] = $permissions['group'];
229 $permissions['group_nesting'] = $permissions['group'];
230 $permissions['group_organization'] = $permissions['group'];
231
232 // Membership permissions
233 $permissions['membership'] = array(
234 'get' => array(
235 'access CiviCRM',
236 'access CiviMember',
237 ),
238 'delete' => array(
239 'access CiviCRM',
240 'access CiviMember',
241 'delete in CiviMember',
242 ),
243 'default' => array(
244 'access CiviCRM',
245 'access CiviMember',
246 'edit memberships',
247 ),
248 );
249 $permissions['membership_status'] = $permissions['membership'];
250 $permissions['membership_type'] = $permissions['membership'];
251 $permissions['membership_payment'] = array(
252 'create' => array(
253 'access CiviCRM',
254 'access CiviMember',
255 'edit memberships',
256 'access CiviContribute',
257 'edit contributions',
258 ),
259 'delete' => array(
260 'access CiviCRM',
261 'access CiviMember',
262 'delete in CiviMember',
263 'access CiviContribute',
264 'delete in CiviContribute',
265 ),
266 'get' => array(
267 'access CiviCRM',
268 'access CiviMember',
269 'access CiviContribute',
270 ),
271 'update' => array(
272 'access CiviCRM',
273 'access CiviMember',
274 'edit memberships',
275 'access CiviContribute',
276 'edit contributions',
277 ),
278 );
279
280 // Participant permissions
281 $permissions['participant'] = array(
282 'create' => array(
283 'access CiviCRM',
284 'access CiviEvent',
285 'register for events',
286 ),
287 'delete' => array(
288 'access CiviCRM',
289 'access CiviEvent',
290 'edit event participants',
291 ),
292 'get' => array(
293 'access CiviCRM',
294 'access CiviEvent',
295 'view event participants',
296 ),
297 'update' => array(
298 'access CiviCRM',
299 'access CiviEvent',
300 'edit event participants',
301 ),
302 );
303 $permissions['participant_payment'] = array(
304 'create' => array(
305 'access CiviCRM',
306 'access CiviEvent',
307 'register for events',
308 'access CiviContribute',
309 'edit contributions',
310 ),
311 'delete' => array(
312 'access CiviCRM',
313 'access CiviEvent',
314 'edit event participants',
315 'access CiviContribute',
316 'delete in CiviContribute',
317 ),
318 'get' => array(
319 'access CiviCRM',
320 'access CiviEvent',
321 'view event participants',
322 'access CiviContribute',
323 ),
324 'update' => array(
325 'access CiviCRM',
326 'access CiviEvent',
327 'edit event participants',
328 'access CiviContribute',
329 'edit contributions',
330 ),
331 );
332
333 // Pledge permissions
334 $permissions['pledge'] = array(
335 'create' => array(
336 'access CiviCRM',
337 'access CiviPledge',
338 'edit pledges',
339 ),
340 'delete' => array(
341 'access CiviCRM',
342 'access CiviPledge',
343 'delete in CiviPledge',
344 ),
345 'get' => array(
346 'access CiviCRM',
347 'access CiviPledge',
348 ),
349 'update' => array(
350 'access CiviCRM',
351 'access CiviPledge',
352 'edit pledges',
353 ),
354 );
355 $permissions['pledge_payment'] = array(
356 'create' => array(
357 'access CiviCRM',
358 'access CiviPledge',
359 'edit pledges',
360 'access CiviContribute',
361 'edit contributions',
362 ),
363 'delete' => array(
364 'access CiviCRM',
365 'access CiviPledge',
366 'delete in CiviPledge',
367 'access CiviContribute',
368 'delete in CiviContribute',
369 ),
370 'get' => array(
371 'access CiviCRM',
372 'access CiviPledge',
373 'access CiviContribute',
374 ),
375 'update' => array(
376 'access CiviCRM',
377 'access CiviPledge',
378 'edit pledges',
379 'access CiviContribute',
380 'edit contributions',
381 ),
382 );
383
384 // Profile permissions
385 $permissions['profile'] = array(
386 'get' => array(), // the profile will take care of this
387 );
388
389 $permissions['uf_group'] = array(
390 'get' => array(
391 'access CiviCRM',
392 ),
393 );
394 $permissions['uf_field'] = $permissions['uf_group'];
395
396 // Translate 'create' action to 'update' if id is set
397 if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
398 $action = 'update';
399 }
400
401 // let third parties modify the permissions
402 CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);
403
404 // Merge permissions for this entity with the defaults
405 $perm = CRM_Utils_Array::value($entity, $permissions, array()) + $permissions['default'];
406
407 // Return exact match if permission for this action has been declared
408 if (isset($perm[$action])) {
409 return $perm[$action];
410 }
411
412 // Translate specific actions into their generic equivalents
413 $snippet = substr($action, 0, 3);
414 if ($action == 'replace' || $snippet == 'del') {
415 // 'Replace' is a combination of get+create+update+delete; however, the permissions
416 // on each of those will be tested separately at runtime. This is just a sniff-test
417 // based on the heuristic that 'delete' tends to be the most closesly guarded
418 // of the necessary permissions.
419 $action = 'delete';
420 }
421 elseif ($action == 'setvalue' || $snippet == 'upd') {
422 $action = 'update';
423 }
424 elseif ($action == 'getfields' || $action == 'getspec' || $action == 'getoptions') {
425 $action = 'meta';
426 }
427 elseif ($snippet == 'get') {
428 $action = 'get';
429 }
430 return isset($perm[$action]) ? $perm[$action] : $perm['default'];
431 }
432
433 # FIXME: not sure how to permission the following API 3 calls:
434 # contribution_transact (make online contributions)
435 # entity_tag_display
436 # group_contact_pending
437 # group_contact_update_status
438 # mailing_event_bounce
439 # mailing_event_click
440 # mailing_event_confirm
441 # mailing_event_forward
442 # mailing_event_open
443 # mailing_event_reply
444 # mailing_group_event_domain_unsubscribe
445 # mailing_group_event_resubscribe
446 # mailing_group_event_subscribe
447 # mailing_group_event_unsubscribe
448 # membership_status_calc
449 # survey_respondant_count