projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #17742 from MiyaNoctem/dev-core-1854-fix-resetting-overridden...
[civicrm-core.git] / CRM / Core / Permission / DrupalBase.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17
18 /**
19 *
20 */
21 class CRM_Core_Permission_DrupalBase extends CRM_Core_Permission_Base {
22
23 /**
24 * Is this user someone with access for the entire system.
25 *
26 * @var bool
27 */
28 protected $_viewAdminUser = FALSE;
29 protected $_editAdminUser = FALSE;
30
31 /**
32 * Am in in view permission or edit permission?
33 *
34 * @var bool
35 */
36 protected $_viewPermission = FALSE;
37 protected $_editPermission = FALSE;
38
39 /**
40 * The current set of permissioned groups for the user.
41 *
42 * @var array
43 */
44 protected $_viewPermissionedGroups;
45 protected $_editPermissionedGroups;
46
47 /**
48 * Get all groups from database, filtered by permissions
49 * for this user
50 *
51 * @param string $groupType
52 * Type of group(Access/Mailing).
53 * @param bool $excludeHidden
54 * Exclude hidden groups.
55 *
56 *
57 * @return array
58 * array reference of all groups.
59 */
60 public function group($groupType = NULL, $excludeHidden = TRUE) {
61 if (!isset($this->_viewPermissionedGroups)) {
62 $this->_viewPermissionedGroups = $this->_editPermissionedGroups = [];
63 }
64
65 $groupKey = $groupType ? $groupType : 'all';
66
67 if (!isset($this->_viewPermissionedGroups[$groupKey])) {
68 $this->_viewPermissionedGroups[$groupKey] = $this->_editPermissionedGroups[$groupKey] = [];
69
70 $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden);
71
72 if ($this->check('edit all contacts')) {
73 // this is the most powerful permission, so we return
74 // immediately rather than dilute it further
75 $this->_editAdminUser = $this->_viewAdminUser = TRUE;
76 $this->_editPermission = $this->_viewPermission = TRUE;
77 $this->_editPermissionedGroups[$groupKey] = $groups;
78 $this->_viewPermissionedGroups[$groupKey] = $groups;
79 return $this->_viewPermissionedGroups[$groupKey];
80 }
81 elseif ($this->check('view all contacts')) {
82 $this->_viewAdminUser = TRUE;
83 $this->_viewPermission = TRUE;
84 $this->_viewPermissionedGroups[$groupKey] = $groups;
85 }
86
87 $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups);
88 if (!empty($ids)) {
89 foreach (array_values($ids) as $id) {
90 $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
91 $this->_viewPermissionedGroups[$groupKey][$id] = $title;
92 $this->_viewPermission = TRUE;
93 }
94 }
95
96 $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups);
97 if (!empty($ids)) {
98 foreach (array_values($ids) as $id) {
99 $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
100 $this->_editPermissionedGroups[$groupKey][$id] = $title;
101 $this->_viewPermissionedGroups[$groupKey][$id] = $title;
102 $this->_editPermission = TRUE;
103 $this->_viewPermission = TRUE;
104 }
105 }
106 }
107
108 return $this->_viewPermissionedGroups[$groupKey];
109 }
110
111 /**
112 * Get group clause for this user. The group Clause filters the
113 * list of groups that the user is permitted to see in a group listing.
114 * For example it will filter both the list on the 'Manage Groups' page
115 * and on the contact 'Groups' tab
116 *
117 * the aclGroup hook & configured ACLs contribute to this data.
118 * If the contact is allowed to see all contacts the function will return ( 1 )
119 *
120 * @todo the history of this function is that there was some confusion as to
121 * whether it was filtering contacts or groups & some cruft may remain
122 *
123 * @param int $type
124 * The type of permission needed.
125 * @param array $tables
126 * (reference) add the tables that are needed for the select clause.
127 * @param array $whereTables
128 * (reference) add the tables that are needed for the where clause.
129 *
130 * @return string
131 * the clause to add to the query retrieving viewable groups
132 */
133 public function groupClause($type, &$tables, &$whereTables) {
134 if (!isset($this->_viewPermissionedGroups)) {
135 $this->group();
136 }
137
138 // we basically get all the groups here
139 $groupKey = 'all';
140 if ($type == CRM_Core_Permission::EDIT) {
141 if ($this->_editAdminUser) {
142 $clause = ' ( 1 ) ';
143 }
144 elseif (empty($this->_editPermissionedGroups[$groupKey])) {
145 $clause = ' ( 0 ) ';
146 }
147 else {
148 $clauses = [];
149 $groups = implode(', ', $this->_editPermissionedGroups[$groupKey]);
150 $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys($this->_editPermissionedGroups[$groupKey])) . " ) AND civicrm_group_contact.status = 'Added' ) ";
151 $tables['civicrm_group_contact'] = 1;
152 $whereTables['civicrm_group_contact'] = 1;
153
154 // foreach group that is potentially a saved search, add the saved search clause
155 foreach (array_keys($this->_editPermissionedGroups[$groupKey]) as $id) {
156 $group = new CRM_Contact_DAO_Group();
157 $group->id = $id;
158 if ($group->find(TRUE) && $group->saved_search_id) {
159 $clause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id,
160 $tables,
161 $whereTables
162 );
163 if (trim($clause)) {
164 $clauses[] = $clause;
165 }
166 }
167 }
168 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
169 }
170 }
171 else {
172 if ($this->_viewAdminUser) {
173 $clause = ' ( 1 ) ';
174 }
175 elseif (empty($this->_viewPermissionedGroups[$groupKey])) {
176 $clause = ' ( 0 ) ';
177 }
178 else {
179 $clauses = [];
180 $groups = implode(', ', $this->_viewPermissionedGroups[$groupKey]);
181 $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys($this->_viewPermissionedGroups[$groupKey])) . " ) ";
182 $tables['civicrm_group'] = 1;
183 $whereTables['civicrm_group'] = 1;
184 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
185 }
186 }
187
188 return $clause;
189 }
190
191 /**
192 * Get the current permission of this user.
193 *
194 * @return string
195 * the permission of the user (edit or view or null)
196 */
197 public function getPermission() {
198 $this->group();
199
200 if ($this->_editPermission) {
201 return CRM_Core_Permission::EDIT;
202 }
203 elseif ($this->_viewPermission) {
204 return CRM_Core_Permission::VIEW;
205 }
206 return NULL;
207 }
208
209 /**
210 * @param $uids
211 *
212 * @return string
213 */
214 public function getContactEmails($uids) {
215 if (empty($uids)) {
216 return '';
217 }
218 $uidString = implode(',', $uids);
219 $sql = "
220 SELECT e.email
221 FROM civicrm_contact c
222 INNER JOIN civicrm_email e ON ( c.id = e.contact_id AND e.is_primary = 1 )
223 INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id )
224 WHERE c.is_deceased = 0
225 AND c.is_deleted = 0
226 AND uf.uf_id IN ( $uidString )
227 ";
228
229 $dao = CRM_Core_DAO::executeQuery($sql);
230
231 $emails = [];
232 while ($dao->fetch()) {
233 $emails[] = $dao->email;
234 }
235
236 return implode(', ', $emails);
237 }
238
239 /**
240 * Given a roles array, check for access requirements
241 *
242 * @param array $array
243 * The roles to check.
244 *
245 * @return bool
246 * true if yes, else false
247 */
248 public function checkGroupRole($array) {
249 if (function_exists('user_load') && isset($array)) {
250 $user = user_load($GLOBALS['user']->uid);
251 //if giver roles found in user roles - return true
252 foreach ($array as $key => $value) {
253 if (in_array($value, $user->roles)) {
254 return TRUE;
255 }
256 }
257 }
258 return FALSE;
259 }
260
261 /**
262 * @inheritDoc
263 */
264 public function isModulePermissionSupported() {
265 return TRUE;
266 }
267
268 /**
269 * Get all the contact emails for users that have a specific permission.
270 *
271 * @param string $permissionName
272 * Name of the permission we are interested in.
273 *
274 * @return string
275 * a comma separated list of email addresses
276 */
277 public function permissionEmails($permissionName) {
278 static $_cache = [];
279
280 if (isset($_cache[$permissionName])) {
281 return $_cache[$permissionName];
282 }
283
284 $uids = [];
285 $sql = "
286 SELECT {users}.uid, {role_permission}.permission
287 FROM {users}
288 JOIN {users_roles}
289 ON {users}.uid = {users_roles}.uid
290 JOIN {role_permission}
291 ON {role_permission}.rid = {users_roles}.rid
292 WHERE {role_permission}.permission = '{$permissionName}'
293 AND {users}.status = 1
294 ";
295
296 $result = db_query($sql);
297 foreach ($result as $record) {
298 $uids[] = $record->uid;
299 }
300
301 $_cache[$permissionName] = self::getContactEmails($uids);
302 return $_cache[$permissionName];
303 }
304
305 /**
306 * @inheritDoc
307 */
308 public function upgradePermissions($permissions) {
309 if (empty($permissions)) {
310 throw new CRM_Core_Exception("Cannot upgrade permissions: permission list missing");
311 }
312 $query = db_delete('role_permission')
313 ->condition('module', 'civicrm')
314 ->condition('permission', array_keys($permissions), 'NOT IN');
315 $query->execute();
316 }
317
318 }