CRM/Core/Permission/Base.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  */
  17
  18 /**
  19  *
  20  */
  21 class CRM_Core_Permission_Base {
  22
  23   /**
  24    * permission mapping to stub check() calls
  25    * @var array
  26    */
  27   public $permissions = NULL;
  28
  29   /**
  30    * Is this user someone with access for the entire system.
  31    *
  32    * @var bool
  33    */
  34   protected $_viewAdminUser = FALSE;
  35   protected $_editAdminUser = FALSE;
  36
  37   /**
  38    * Am in in view permission or edit permission?
  39    *
  40    * @var bool
  41    */
  42   protected $_viewPermission = FALSE;
  43   protected $_editPermission = FALSE;
  44
  45   /**
  46    * Translate permission.
  47    *
  48    * @param string $perm
  49    *   Permission string e.g "administer CiviCRM", "cms:access user record", "Drupal:administer content",
  50    *   "Joomla:action:com_asset"
  51    *
  52    * @param string $nativePrefix
  53    * @param array $map
  54    *   Array($portableName => $nativeName).
  55    *
  56    * @return NULL|string
  57    *   a permission name
  58    */
  59   public function translatePermission($perm, $nativePrefix, $map) {
  60     list ($civiPrefix, $name) = CRM_Utils_String::parsePrefix(':', $perm, NULL);
  61     switch ($civiPrefix) {
  62       case $nativePrefix:
  63         return $name;
  64
  65       // pass through
  66       case 'cms':
  67         return CRM_Utils_Array::value($name, $map, CRM_Core_Permission::ALWAYS_DENY_PERMISSION);
  68
  69       case NULL:
  70         return $name;
  71
  72       default:
  73         return CRM_Core_Permission::ALWAYS_DENY_PERMISSION;
  74     }
  75   }
  76
  77   /**
  78    * Get the current permission of this user.
  79    *
  80    * @return string
  81    *   the permission of the user (edit or view or null)
  82    */
  83   public function getPermission() {
  84     $this->group();
  85
  86     if ($this->_editPermission) {
  87       return CRM_Core_Permission::EDIT;
  88     }
  89     elseif ($this->_viewPermission) {
  90       return CRM_Core_Permission::VIEW;
  91     }
  92     return NULL;
  93   }
  94
  95   /**
  96    * Get the permissioned where clause for the user.
  97    *
  98    * @param int $type
  99    *   The type of permission needed.
 100    * @param array $tables
 101    *   (reference ) add the tables that are needed for the select clause.
 102    * @param array $whereTables
 103    *   (reference ) add the tables that are needed for the where clause.
 104    *
 105    * @return string
 106    *   the group where clause for this user
 107    */
 108   public function whereClause($type, &$tables, &$whereTables) {
 109     return '( 1 )';
 110   }
 111
 112   /**
 113    * Get the permissioned where clause for the user when trying to see groups.
 114    *
 115    * @param int $type
 116    *   The type of permission needed.
 117    * @param array $tables
 118    *   (reference ) add the tables that are needed for the select clause.
 119    * @param array $whereTables
 120    *   (reference ) add the tables that are needed for the where clause.
 121    *
 122    * @return string
 123    *   the group where clause for this user
 124    */
 125   public function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
 126     $this->group();
 127     return $this->groupClause($type, $tables, $whereTables);
 128   }
 129
 130   /**
 131    * Get all groups from database, filtered by permissions
 132    * for this user
 133    *
 134    * @param string $groupType
 135    *   Type of group(Access/Mailing).
 136    * @param bool $excludeHidden
 137    *   exclude hidden groups.
 138    *
 139    *
 140    * @return array
 141    *   array reference of all groups.
 142    */
 143   public function group($groupType = NULL, $excludeHidden = TRUE) {
 144     $userId = CRM_Core_Session::getLoggedInContactID();
 145     $domainId = CRM_Core_Config::domainID();
 146     if (!isset(Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId])) {
 147       Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId] = Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId] = [];
 148     }
 149
 150     $groupKey = $groupType ? $groupType : 'all';
 151
 152     if (!isset(Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey])) {
 153       Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey] = Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey] = [];
 154
 155       $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden);
 156
 157       if ($this->check('edit all contacts')) {
 158         // this is the most powerful permission, so we return
 159         // immediately rather than dilute it further
 160         $this->_editAdminUser = $this->_viewAdminUser = TRUE;
 161         $this->_editPermission = $this->_viewPermission = TRUE;
 162         Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey] = $groups;
 163         Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey] = $groups;
 164         return Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey];
 165       }
 166       elseif ($this->check('view all contacts')) {
 167         $this->_viewAdminUser = TRUE;
 168         $this->_viewPermission = TRUE;
 169         Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey] = $groups;
 170       }
 171
 172       $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups);
 173       if (!empty($ids)) {
 174         foreach (array_values($ids) as $id) {
 175           $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
 176           Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey][$id] = $title;
 177           $this->_viewPermission = TRUE;
 178         }
 179       }
 180
 181       $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups);
 182       if (!empty($ids)) {
 183         foreach (array_values($ids) as $id) {
 184           $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
 185           Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey][$id] = $title;
 186           Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey][$id] = $title;
 187           $this->_editPermission = TRUE;
 188           $this->_viewPermission = TRUE;
 189         }
 190       }
 191     }
 192
 193     return Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey];
 194   }
 195
 196   /**
 197    * Get group clause for this user.
 198    *
 199    * @param int $type
 200    *   The type of permission needed.
 201    * @param array $tables
 202    *   (reference ) add the tables that are needed for the select clause.
 203    * @param array $whereTables
 204    *   (reference ) add the tables that are needed for the where clause.
 205    *
 206    * @return string
 207    *   the group where clause for this user
 208    */
 209   public function groupClause($type, &$tables, &$whereTables) {
 210     $userId = CRM_Core_Session::getLoggedInContactID();
 211     $domainId = CRM_Core_Config::domainID();
 212     if (!isset(Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId])) {
 213       $this->group();
 214     }
 215
 216     // we basically get all the groups here
 217     $groupKey = 'all';
 218     if ($type == CRM_Core_Permission::EDIT) {
 219       if ($this->_editAdminUser) {
 220         $clause = ' ( 1 ) ';
 221       }
 222       elseif (empty(Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey])) {
 223         $clause = ' ( 0 ) ';
 224       }
 225       else {
 226         $clauses = [];
 227         $groups = implode(', ', Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey]);
 228         $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys(Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey])) . " ) AND civicrm_group_contact.status = 'Added' ) ";
 229         $tables['civicrm_group_contact'] = 1;
 230         $whereTables['civicrm_group_contact'] = 1;
 231
 232         // foreach group that is potentially a saved search, add the saved search clause
 233         foreach (array_keys(Civi::$statics[__CLASS__]['editPermissionedGroups_' . $domainId . '_' . $userId][$groupKey]) as $id) {
 234           $group = new CRM_Contact_DAO_Group();
 235           $group->id = $id;
 236           if ($group->find(TRUE) && $group->saved_search_id) {
 237             $clause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id,
 238               $tables,
 239               $whereTables
 240             );
 241             if (trim($clause)) {
 242               $clauses[] = $clause;
 243             }
 244           }
 245         }
 246         $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
 247       }
 248     }
 249     else {
 250       if ($this->_viewAdminUser) {
 251         $clause = ' ( 1 ) ';
 252       }
 253       elseif (empty(Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey])) {
 254         $clause = ' ( 0 ) ';
 255       }
 256       else {
 257         $clauses = [];
 258         $groups = implode(', ', Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey]);
 259         $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys(Civi::$statics[__CLASS__]['viewPermissionedGroups_' . $domainId . '_' . $userId][$groupKey])) . " )  ";
 260         $tables['civicrm_group'] = 1;
 261         $whereTables['civicrm_group'] = 1;
 262         $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
 263       }
 264     }
 265     return $clause;
 266   }
 267
 268   /**
 269    * Given a permission string, check for access requirements
 270    *
 271    * @param string $str
 272    *   The permission to check.
 273    * @param int $userId
 274    *
 275    */
 276   public function check($str, $userId = NULL) {
 277     //no default behaviour
 278   }
 279
 280   /**
 281    * Given a roles array, check for access requirements
 282    *
 283    * @param array $array
 284    *   The roles to check.
 285    *
 286    * @return bool
 287    *   true if yes, else false
 288    */
 289   public function checkGroupRole($array) {
 290     return FALSE;
 291   }
 292
 293   /**
 294    * Get the palette of available permissions in the CMS's user-management system.
 295    *
 296    * @return array
 297    *   List of permissions, keyed by symbolic name. Each item may have fields:
 298    *     - title: string
 299    *     - description: string
 300    *
 301    *   The permission-name should correspond to the Civi notation used by
 302    *   'CRM_Core_Permission::check()'. For CMS-specific permissions, these are
 303    *   translated names (eg "WordPress:list_users" or "Drupal:post comments").
 304    *
 305    *   The list should include *only* CMS permissions. Exclude Civi-native permissions.
 306    *
 307    * @see \CRM_Core_Permission_Base::translatePermission()
 308    */
 309   public function getAvailablePermissions() {
 310     return [];
 311   }
 312
 313   /**
 314    * Get all the contact emails for users that have a specific permission.
 315    *
 316    * @param string $permissionName
 317    *   Name of the permission we are interested in.
 318    *
 319    * @throws CRM_Core_Exception.
 320    */
 321   public function permissionEmails($permissionName) {
 322     throw new CRM_Core_Exception("this function only works in Drupal 6 at the moment");
 323   }
 324
 325   /**
 326    * Get all the contact emails for users that have a specific role.
 327    *
 328    * @param string $roleName
 329    *   Name of the role we are interested in.
 330    *
 331    * @throws CRM_Core_Exception.
 332    */
 333   public function roleEmails($roleName) {
 334     throw new CRM_Core_Exception("this function only works in Drupal 6 at the moment");
 335   }
 336
 337   /**
 338    * Determine whether the permission store allows us to store
 339    * a list of permissions generated dynamically (eg by
 340    * hook_civicrm_permissions.)
 341    *
 342    * @return bool
 343    */
 344   public function isModulePermissionSupported() {
 345     return FALSE;
 346   }
 347
 348   /**
 349    * Ensure that the CMS supports all the permissions defined by CiviCRM
 350    * and its extensions. If there are stale permissions, they should be
 351    * deleted. This is useful during module upgrade when the newer module
 352    * version has removed permission that were defined in the older version.
 353    *
 354    * @param array $permissions
 355    *   Same format as CRM_Core_Permission::getCorePermissions().
 356    *
 357    * @throws CRM_Core_Exception
 358    * @see CRM_Core_Permission::getCorePermissions
 359    */
 360   public function upgradePermissions($permissions) {
 361     throw new CRM_Core_Exception("Unimplemented method: CRM_Core_Permission_*::upgradePermissions");
 362   }
 363
 364   /**
 365    * Get the permissions defined in the hook_civicrm_permission implementation
 366    * of the given module.
 367    *
 368    * Note: At time of writing, this is only used with native extension-modules, so
 369    * there's one, predictable calling convention (regardless of CMS).
 370    *
 371    * @param $module
 372    *
 373    * @return array
 374    *   Array of permissions, in the same format as CRM_Core_Permission::getCorePermissions().
 375    * @see CRM_Core_Permission::getCorePermissions
 376    */
 377   public static function getModulePermissions($module) {
 378     $return_permissions = [];
 379     $fn_name = "{$module}_civicrm_permission";
 380     if (function_exists($fn_name)) {
 381       $module_permissions = [];
 382       $fn_name($module_permissions);
 383       $return_permissions = $module_permissions;
 384     }
 385     return $return_permissions;
 386   }
 387
 388   /**
 389    * Get the permissions defined in the hook_civicrm_permission implementation
 390    * in all enabled CiviCRM module extensions.
 391    *
 392    * @param bool $descriptions
 393    *
 394    * @return array
 395    *   Array of permissions, in the same format as CRM_Core_Permission::getCorePermissions().
 396    */
 397   public function getAllModulePermissions($descriptions = FALSE) {
 398     // Passing in false here is to be deprecated.
 399     $permissions = [];
 400     CRM_Utils_Hook::permission($permissions);
 401
 402     if ($descriptions) {
 403       foreach ($permissions as $permission => $label) {
 404         $permissions[$permission] = (is_array($label)) ? $label : [$label];
 405       }
 406     }
 407     else {
 408       foreach ($permissions as $permission => $label) {
 409         $permissions[$permission] = (is_array($label)) ? array_shift($label) : $label;
 410       }
 411     }
 412     return $permissions;
 413   }
 414
 415 }