CRM/Core/Permission/Drupal.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  */
  17
  18 /**
  19  *
  20  */
  21 class CRM_Core_Permission_Drupal extends CRM_Core_Permission_DrupalBase {
  22
  23   /**
  24    * Is this user someone with access for the entire system.
  25    *
  26    * @var bool
  27    */
  28   protected $_viewAdminUser = FALSE;
  29   protected $_editAdminUser = FALSE;
  30
  31   /**
  32    * Am in in view permission or edit permission?
  33    * @var bool
  34    */
  35   protected $_viewPermission = FALSE;
  36   protected $_editPermission = FALSE;
  37
  38   /**
  39    * The current set of permissioned groups for the user.
  40    *
  41    * @var array
  42    */
  43   protected $_viewPermissionedGroups;
  44   protected $_editPermissionedGroups;
  45
  46   /**
  47    * Given a permission string, check for access requirements
  48    *
  49    * @param string $str
  50    *   The permission to check.
  51    *
  52    * @param int $userId
  53    *
  54    * @return bool
  55    *   true if yes, else false
  56    */
  57   public function check($str, $userId = NULL) {
  58     $str = $this->translatePermission($str, 'Drupal', [
  59       'view user account' => 'access user profiles',
  60       'administer users' => 'administer users',
  61     ]);
  62     if ($str == CRM_Core_Permission::ALWAYS_DENY_PERMISSION) {
  63       return FALSE;
  64     }
  65     if ($str == CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
  66       return TRUE;
  67     }
  68     if (function_exists('user_access')) {
  69       $account = NULL;
  70       if ($userId) {
  71         $account = user_load($userId);
  72       }
  73       return user_access($str, $account);
  74     }
  75     return TRUE;
  76   }
  77
  78   /**
  79    * Given a roles array, check for access requirements
  80    *
  81    * @param array $array
  82    *   The roles to check.
  83    *
  84    * @return bool
  85    *   true if yes, else false
  86    */
  87   public function checkGroupRole($array) {
  88     if (function_exists('user_load') && isset($array)) {
  89       $user = user_load($GLOBALS['user']->uid);
  90       //if giver roles found in user roles - return true
  91       foreach ($array as $key => $value) {
  92         if (in_array($value, $user->roles)) {
  93           return TRUE;
  94         }
  95       }
  96     }
  97     return FALSE;
  98   }
  99
 100   /**
 101    * @inheritDoc
 102    */
 103   public function getAvailablePermissions() {
 104     // We want to list *only* Drupal perms, so we'll *skip* Civi perms.
 105     $allCorePerms = \CRM_Core_Permission::basicPermissions(TRUE);
 106
 107     $permissions = [];
 108     $modules = system_get_info('module');
 109     foreach ($modules as $moduleName => $module) {
 110       $prefix = isset($module['name']) ? ($module['name'] . ': ') : '';
 111       foreach (module_invoke($moduleName, 'permission') ?? [] as $permName => $perm) {
 112         if (isset($allCorePerms[$permName])) {
 113           continue;
 114         }
 115
 116         $permissions["Drupal:$permName"] = [
 117           'title' => $prefix . strip_tags($perm['title']),
 118           'description' => $perm['description'] ?? NULL,
 119         ];
 120       }
 121     }
 122     return $permissions;
 123   }
 124
 125   /**
 126    * @inheritDoc
 127    */
 128   public function isModulePermissionSupported() {
 129     return TRUE;
 130   }
 131
 132   /**
 133    * @inheritDoc
 134    */
 135   public function upgradePermissions($permissions) {
 136     if (empty($permissions)) {
 137       throw new CRM_Core_Exception("Cannot upgrade permissions: permission list missing");
 138     }
 139     $query = db_delete('role_permission')
 140       ->condition('module', 'civicrm')
 141       ->condition('permission', array_keys($permissions), 'NOT IN');
 142     $query->execute();
 143   }
 144
 145   /**
 146    * Get all the contact emails for users that have a specific permission.
 147    *
 148    * @param string $permissionName
 149    *   Name of the permission we are interested in.
 150    *
 151    * @return string
 152    *   a comma separated list of email addresses
 153    */
 154   public function permissionEmails($permissionName) {
 155     static $_cache = [];
 156
 157     if (isset($_cache[$permissionName])) {
 158       return $_cache[$permissionName];
 159     }
 160
 161     $uids = [];
 162     $sql = "
 163       SELECT {users}.uid, {role_permission}.permission
 164       FROM {users}
 165       JOIN {users_roles}
 166         ON {users}.uid = {users_roles}.uid
 167       JOIN {role_permission}
 168         ON {role_permission}.rid = {users_roles}.rid
 169       WHERE {role_permission}.permission = '{$permissionName}'
 170         AND {users}.status = 1
 171     ";
 172
 173     $result = db_query($sql);
 174     foreach ($result as $record) {
 175       $uids[] = $record->uid;
 176     }
 177
 178     $_cache[$permissionName] = self::getContactEmails($uids);
 179     return $_cache[$permissionName];
 180   }
 181
 182 }