03bbfe0ad9d91d6c06764fe116e5d2db4a2fe206
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
29 * Decide what permissions to check for an api call
30 * The contact must have all of the returned permissions for the api call to be allowed
32 * @param $entity : (str) api entity
33 * @param $action : (str) api action
34 * @param $params : (array) api params
37 * Array of permissions to check for this entity-action combo
39 function _civicrm_api3_permissions($entity, $action, &$params) {
40 // FIXME: Lowercase entity_names are nonstandard but difficult to fix here
41 // because this function invokes hook_civicrm_alterAPIPermissions
42 $entity = _civicrm_api_get_entity_name_from_camel($entity);
45 * @var array of permissions
47 * For each entity, we declare an array of permissions required for each action
48 * The action is the array key, possible values:
49 * * create: applies to create (with no id in params)
50 * * update: applies to update, setvalue, create (with id in params)
51 * * get: applies to getcount, getsingle, getvalue and other gets
52 * * delete: applies to delete, replace
53 * * meta: applies to getfields, getoptions, getspec
54 * * default: catch-all for anything not declared
56 * Note: some APIs declare other actions as well
58 $permissions = array();
60 // These are the default permissions - if any entity does not declare permissions for a given action,
61 // (or the entity does not declare permissions at all) - then the action will be used from here
62 $permissions['default'] = array(
63 // applies to getfields, getoptions, etc.
64 'meta' => array('access CiviCRM'),
65 // catch-all, applies to create, get, delete, etc.
66 // If an entity declares it's own 'default' action it will override this one
67 'default' => array('administer CiviCRM'),
70 // Note: Additional permissions in DynamicFKAuthorization
71 $permissions['attachment'] = array(
73 array('access CiviCRM', 'access AJAX API'),
77 // Contact permissions
78 $permissions['contact'] = array(
87 // managed by query object
94 array('access CiviCRM', 'access AJAX API'),
98 // CRM-16963 - Permissions for country.
99 $permissions['country'] = array(
104 'administer CiviCRM',
108 // Contact-related data permissions.
109 // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
110 $permissions['address'] = array(
120 $permissions['email'] = $permissions['address'];
121 $permissions['phone'] = $permissions['address'];
122 $permissions['website'] = $permissions['address'];
123 $permissions['im'] = $permissions['address'];
124 $permissions['loc_block'] = $permissions['address'];
125 $permissions['entity_tag'] = $permissions['address'];
126 $permissions['note'] = $permissions['address'];
128 // Allow non-admins to get and create tags to support tagset widget
129 // Delete is still reserved for admins
130 $permissions['tag'] = array(
131 'get' => array('access CiviCRM'),
132 'create' => array('access CiviCRM'),
133 'update' => array('access CiviCRM'),
136 //relationship permissions
137 $permissions['relationship'] = array(
152 // Activity permissions
153 $permissions['activity'] = array(
160 'view all activities',
165 $permissions['case'] = array(
172 'delete in CiviCase',
176 'access all cases and activities',
180 // Campaign permissions
181 $permissions['campaign'] = array(
182 'get' => array('access CiviCRM'),
183 'create' => array(array('administer CiviCampaign', 'manage campaign')),
184 'update' => array(array('administer CiviCampaign', 'manage campaign')),
185 'delete' => array(array('administer CiviCampaign', 'manage campaign')),
187 $permissions['survey'] = $permissions['campaign'];
189 // Financial permissions
190 $permissions['contribution'] = array(
193 'access CiviContribute',
197 'access CiviContribute',
198 'delete in CiviContribute',
200 'completetransaction' => array(
201 'edit contributions',
205 'access CiviContribute',
206 'edit contributions',
209 $permissions['line_item'] = $permissions['contribution'];
211 // Custom field permissions
212 $permissions['custom_field'] = array(
214 'administer CiviCRM',
215 'access all custom data',
218 $permissions['custom_group'] = $permissions['custom_field'];
221 $permissions['event'] = array(
230 'delete in CiviEvent',
245 $permissions['file'] = array(
248 'access uploaded files',
251 $permissions['files_by_entity'] = $permissions['file'];
254 $permissions['group'] = array(
264 $permissions['group_nesting'] = $permissions['group'];
265 $permissions['group_organization'] = $permissions['group'];
267 //Group Contact permission
268 $permissions['group_contact'] = array(
278 // CiviMail Permissions
279 $civiMailBasePerms = array(
280 // To get/preview/update, one must have least one of these perms:
281 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
287 $permissions['mailing'] = array(
295 'delete in CiviMail',
299 array('access CiviMail', 'schedule mailings'),
306 $permissions['mailing_group'] = $permissions['mailing'];
307 $permissions['mailing_job'] = $permissions['mailing'];
308 $permissions['mailing_recipients'] = $permissions['mailing'];
310 $permissions['mailing_a_b'] = array(
318 'delete in CiviMail',
322 array('access CiviMail', 'schedule mailings'),
330 // Membership permissions
331 $permissions['membership'] = array(
339 'delete in CiviMember',
347 $permissions['membership_status'] = $permissions['membership'];
348 $permissions['membership_type'] = $permissions['membership'];
349 $permissions['membership_payment'] = array(
354 'access CiviContribute',
355 'edit contributions',
360 'delete in CiviMember',
361 'access CiviContribute',
362 'delete in CiviContribute',
367 'access CiviContribute',
373 'access CiviContribute',
374 'edit contributions',
378 // Participant permissions
379 $permissions['participant'] = array(
383 'register for events',
388 'edit event participants',
393 'view event participants',
398 'edit event participants',
401 $permissions['participant_payment'] = array(
405 'register for events',
406 'access CiviContribute',
407 'edit contributions',
412 'edit event participants',
413 'access CiviContribute',
414 'delete in CiviContribute',
419 'view event participants',
420 'access CiviContribute',
425 'edit event participants',
426 'access CiviContribute',
427 'edit contributions',
431 // Pledge permissions
432 $permissions['pledge'] = array(
441 'delete in CiviPledge',
454 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
455 $permissions['action_schedule'] = array(
464 $permissions['pledge_payment'] = array(
469 'access CiviContribute',
470 'edit contributions',
475 'delete in CiviPledge',
476 'access CiviContribute',
477 'delete in CiviContribute',
482 'access CiviContribute',
488 'access CiviContribute',
489 'edit contributions',
493 // Profile permissions
494 $permissions['profile'] = array(
495 'get' => array(), // the profile will take care of this
498 $permissions['uf_group'] = array(
502 'administer CiviCRM',
503 'manage event profiles',
512 'administer CiviCRM',
513 'manage event profiles',
517 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
518 $permissions['uf_field']['delete'] = array(
521 'administer CiviCRM',
522 'manage event profiles',
525 $permissions['option_value'] = $permissions['uf_group'];
526 $permissions['option_group'] = $permissions['option_value'];
528 $permissions['message_template'] = array(
529 'get' => array('access CiviCRM'),
530 'create' => array('edit message templates'),
531 'update' => array('edit message templates'),
534 // Translate 'create' action to 'update' if id is set
535 if ($action == 'create' && (!empty($params['id']) ||
!empty($params[$entity . '_id']))) {
539 // let third parties modify the permissions
540 CRM_Utils_Hook
::alterAPIPermissions($entity, $action, $params, $permissions);
542 // Merge permissions for this entity with the defaults
543 $perm = CRM_Utils_Array
::value($entity, $permissions, array()) +
$permissions['default'];
545 // Return exact match if permission for this action has been declared
546 if (isset($perm[$action])) {
547 return $perm[$action];
550 // Translate specific actions into their generic equivalents
551 $snippet = substr($action, 0, 3);
552 if ($action == 'replace' ||
$snippet == 'del') {
553 // 'Replace' is a combination of get+create+update+delete; however, the permissions
554 // on each of those will be tested separately at runtime. This is just a sniff-test
555 // based on the heuristic that 'delete' tends to be the most closesly guarded
556 // of the necessary permissions.
559 elseif ($action == 'setvalue' ||
$snippet == 'upd') {
562 elseif ($action == 'getfields' ||
$action == 'getspec' ||
$action == 'getoptions') {
565 elseif ($snippet == 'get') {
568 return isset($perm[$action]) ?
$perm[$action] : $perm['default'];
571 # FIXME: not sure how to permission the following API 3 calls:
572 # contribution_transact (make online contributions)
574 # group_contact_pending
575 # group_contact_update_status
576 # mailing_event_bounce
577 # mailing_event_click
578 # mailing_event_confirm
579 # mailing_event_forward
581 # mailing_event_reply
582 # mailing_group_event_domain_unsubscribe
583 # mailing_group_event_resubscribe
584 # mailing_group_event_subscribe
585 # mailing_group_event_unsubscribe
586 # membership_status_calc
587 # survey_respondant_count