projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
(NFC) (dev/core#878) Simplify copyright header (templates/*)
[civicrm-core.git] / CRM / Core / Permission / DrupalBase.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2020 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC https://civicrm.org/licensing
32 * $Id$
33 *
34 */
35
36 /**
37 *
38 */
39 class CRM_Core_Permission_DrupalBase extends CRM_Core_Permission_Base {
40
41 /**
42 * Is this user someone with access for the entire system.
43 *
44 * @var bool
45 */
46 protected $_viewAdminUser = FALSE;
47 protected $_editAdminUser = FALSE;
48
49 /**
50 * Am in in view permission or edit permission?
51 *
52 * @var bool
53 */
54 protected $_viewPermission = FALSE;
55 protected $_editPermission = FALSE;
56
57 /**
58 * The current set of permissioned groups for the user.
59 *
60 * @var array
61 */
62 protected $_viewPermissionedGroups;
63 protected $_editPermissionedGroups;
64
65 /**
66 * Get all groups from database, filtered by permissions
67 * for this user
68 *
69 * @param string $groupType
70 * Type of group(Access/Mailing).
71 * @param bool $excludeHidden
72 * Exclude hidden groups.
73 *
74 *
75 * @return array
76 * array reference of all groups.
77 */
78 public function group($groupType = NULL, $excludeHidden = TRUE) {
79 if (!isset($this->_viewPermissionedGroups)) {
80 $this->_viewPermissionedGroups = $this->_editPermissionedGroups = [];
81 }
82
83 $groupKey = $groupType ? $groupType : 'all';
84
85 if (!isset($this->_viewPermissionedGroups[$groupKey])) {
86 $this->_viewPermissionedGroups[$groupKey] = $this->_editPermissionedGroups[$groupKey] = [];
87
88 $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden);
89
90 if ($this->check('edit all contacts')) {
91 // this is the most powerful permission, so we return
92 // immediately rather than dilute it further
93 $this->_editAdminUser = $this->_viewAdminUser = TRUE;
94 $this->_editPermission = $this->_viewPermission = TRUE;
95 $this->_editPermissionedGroups[$groupKey] = $groups;
96 $this->_viewPermissionedGroups[$groupKey] = $groups;
97 return $this->_viewPermissionedGroups[$groupKey];
98 }
99 elseif ($this->check('view all contacts')) {
100 $this->_viewAdminUser = TRUE;
101 $this->_viewPermission = TRUE;
102 $this->_viewPermissionedGroups[$groupKey] = $groups;
103 }
104
105 $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups);
106 if (!empty($ids)) {
107 foreach (array_values($ids) as $id) {
108 $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
109 $this->_viewPermissionedGroups[$groupKey][$id] = $title;
110 $this->_viewPermission = TRUE;
111 }
112 }
113
114 $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups);
115 if (!empty($ids)) {
116 foreach (array_values($ids) as $id) {
117 $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
118 $this->_editPermissionedGroups[$groupKey][$id] = $title;
119 $this->_viewPermissionedGroups[$groupKey][$id] = $title;
120 $this->_editPermission = TRUE;
121 $this->_viewPermission = TRUE;
122 }
123 }
124 }
125
126 return $this->_viewPermissionedGroups[$groupKey];
127 }
128
129 /**
130 * Get group clause for this user. The group Clause filters the
131 * list of groups that the user is permitted to see in a group listing.
132 * For example it will filter both the list on the 'Manage Groups' page
133 * and on the contact 'Groups' tab
134 *
135 * the aclGroup hook & configured ACLs contribute to this data.
136 * If the contact is allowed to see all contacts the function will return ( 1 )
137 *
138 * @todo the history of this function is that there was some confusion as to
139 * whether it was filtering contacts or groups & some cruft may remain
140 *
141 * @param int $type
142 * The type of permission needed.
143 * @param array $tables
144 * (reference) add the tables that are needed for the select clause.
145 * @param array $whereTables
146 * (reference) add the tables that are needed for the where clause.
147 *
148 * @return string
149 * the clause to add to the query retrieving viewable groups
150 */
151 public function groupClause($type, &$tables, &$whereTables) {
152 if (!isset($this->_viewPermissionedGroups)) {
153 $this->group();
154 }
155
156 // we basically get all the groups here
157 $groupKey = 'all';
158 if ($type == CRM_Core_Permission::EDIT) {
159 if ($this->_editAdminUser) {
160 $clause = ' ( 1 ) ';
161 }
162 elseif (empty($this->_editPermissionedGroups[$groupKey])) {
163 $clause = ' ( 0 ) ';
164 }
165 else {
166 $clauses = [];
167 $groups = implode(', ', $this->_editPermissionedGroups[$groupKey]);
168 $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys($this->_editPermissionedGroups[$groupKey])) . " ) AND civicrm_group_contact.status = 'Added' ) ";
169 $tables['civicrm_group_contact'] = 1;
170 $whereTables['civicrm_group_contact'] = 1;
171
172 // foreach group that is potentially a saved search, add the saved search clause
173 foreach (array_keys($this->_editPermissionedGroups[$groupKey]) as $id) {
174 $group = new CRM_Contact_DAO_Group();
175 $group->id = $id;
176 if ($group->find(TRUE) && $group->saved_search_id) {
177 $clause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id,
178 $tables,
179 $whereTables
180 );
181 if (trim($clause)) {
182 $clauses[] = $clause;
183 }
184 }
185 }
186 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
187 }
188 }
189 else {
190 if ($this->_viewAdminUser) {
191 $clause = ' ( 1 ) ';
192 }
193 elseif (empty($this->_viewPermissionedGroups[$groupKey])) {
194 $clause = ' ( 0 ) ';
195 }
196 else {
197 $clauses = [];
198 $groups = implode(', ', $this->_viewPermissionedGroups[$groupKey]);
199 $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys($this->_viewPermissionedGroups[$groupKey])) . " ) ";
200 $tables['civicrm_group'] = 1;
201 $whereTables['civicrm_group'] = 1;
202 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
203 }
204 }
205
206 return $clause;
207 }
208
209 /**
210 * Get the current permission of this user.
211 *
212 * @return string
213 * the permission of the user (edit or view or null)
214 */
215 public function getPermission() {
216 $this->group();
217
218 if ($this->_editPermission) {
219 return CRM_Core_Permission::EDIT;
220 }
221 elseif ($this->_viewPermission) {
222 return CRM_Core_Permission::VIEW;
223 }
224 return NULL;
225 }
226
227 /**
228 * @param $uids
229 *
230 * @return string
231 */
232 public function getContactEmails($uids) {
233 if (empty($uids)) {
234 return '';
235 }
236 $uidString = implode(',', $uids);
237 $sql = "
238 SELECT e.email
239 FROM civicrm_contact c
240 INNER JOIN civicrm_email e ON ( c.id = e.contact_id AND e.is_primary = 1 )
241 INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id )
242 WHERE c.is_deceased = 0
243 AND c.is_deleted = 0
244 AND uf.uf_id IN ( $uidString )
245 ";
246
247 $dao = CRM_Core_DAO::executeQuery($sql);
248
249 $emails = [];
250 while ($dao->fetch()) {
251 $emails[] = $dao->email;
252 }
253
254 return implode(', ', $emails);
255 }
256
257 /**
258 * Given a roles array, check for access requirements
259 *
260 * @param array $array
261 * The roles to check.
262 *
263 * @return bool
264 * true if yes, else false
265 */
266 public function checkGroupRole($array) {
267 if (function_exists('user_load') && isset($array)) {
268 $user = user_load($GLOBALS['user']->uid);
269 //if giver roles found in user roles - return true
270 foreach ($array as $key => $value) {
271 if (in_array($value, $user->roles)) {
272 return TRUE;
273 }
274 }
275 }
276 return FALSE;
277 }
278
279 /**
280 * @inheritDoc
281 */
282 public function isModulePermissionSupported() {
283 return TRUE;
284 }
285
286 /**
287 * Get all the contact emails for users that have a specific permission.
288 *
289 * @param string $permissionName
290 * Name of the permission we are interested in.
291 *
292 * @return string
293 * a comma separated list of email addresses
294 */
295 public function permissionEmails($permissionName) {
296 static $_cache = [];
297
298 if (isset($_cache[$permissionName])) {
299 return $_cache[$permissionName];
300 }
301
302 $uids = [];
303 $sql = "
304 SELECT {users}.uid, {role_permission}.permission
305 FROM {users}
306 JOIN {users_roles}
307 ON {users}.uid = {users_roles}.uid
308 JOIN {role_permission}
309 ON {role_permission}.rid = {users_roles}.rid
310 WHERE {role_permission}.permission = '{$permissionName}'
311 AND {users}.status = 1
312 ";
313
314 $result = db_query($sql);
315 foreach ($result as $record) {
316 $uids[] = $record->uid;
317 }
318
319 $_cache[$permissionName] = self::getContactEmails($uids);
320 return $_cache[$permissionName];
321 }
322
323 /**
324 * @inheritDoc
325 */
326 public function upgradePermissions($permissions) {
327 if (empty($permissions)) {
328 throw new CRM_Core_Exception("Cannot upgrade permissions: permission list missing");
329 }
330 $query = db_delete('role_permission')
331 ->condition('module', 'civicrm')
332 ->condition('permission', array_keys($permissions), 'NOT IN');
333 $query->execute();
334 }
335
336 }