3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
23 class CRM_Core_Permission_DrupalBase
extends CRM_Core_Permission_Base
{
26 * Is this user someone with access for the entire system.
30 protected $_viewAdminUser = FALSE;
31 protected $_editAdminUser = FALSE;
34 * Am in in view permission or edit permission?
38 protected $_viewPermission = FALSE;
39 protected $_editPermission = FALSE;
42 * The current set of permissioned groups for the user.
46 protected $_viewPermissionedGroups;
47 protected $_editPermissionedGroups;
50 * Get all groups from database, filtered by permissions
53 * @param string $groupType
54 * Type of group(Access/Mailing).
55 * @param bool $excludeHidden
56 * Exclude hidden groups.
60 * array reference of all groups.
62 public function group($groupType = NULL, $excludeHidden = TRUE) {
63 if (!isset($this->_viewPermissionedGroups
)) {
64 $this->_viewPermissionedGroups
= $this->_editPermissionedGroups
= [];
67 $groupKey = $groupType ?
$groupType : 'all';
69 if (!isset($this->_viewPermissionedGroups
[$groupKey])) {
70 $this->_viewPermissionedGroups
[$groupKey] = $this->_editPermissionedGroups
[$groupKey] = [];
72 $groups = CRM_Core_PseudoConstant
::allGroup($groupType, $excludeHidden);
74 if ($this->check('edit all contacts')) {
75 // this is the most powerful permission, so we return
76 // immediately rather than dilute it further
77 $this->_editAdminUser
= $this->_viewAdminUser
= TRUE;
78 $this->_editPermission
= $this->_viewPermission
= TRUE;
79 $this->_editPermissionedGroups
[$groupKey] = $groups;
80 $this->_viewPermissionedGroups
[$groupKey] = $groups;
81 return $this->_viewPermissionedGroups
[$groupKey];
83 elseif ($this->check('view all contacts')) {
84 $this->_viewAdminUser
= TRUE;
85 $this->_viewPermission
= TRUE;
86 $this->_viewPermissionedGroups
[$groupKey] = $groups;
89 $ids = CRM_ACL_API
::group(CRM_Core_Permission
::VIEW
, NULL, 'civicrm_saved_search', $groups);
91 foreach (array_values($ids) as $id) {
92 $title = CRM_Core_DAO
::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
93 $this->_viewPermissionedGroups
[$groupKey][$id] = $title;
94 $this->_viewPermission
= TRUE;
98 $ids = CRM_ACL_API
::group(CRM_Core_Permission
::EDIT
, NULL, 'civicrm_saved_search', $groups);
100 foreach (array_values($ids) as $id) {
101 $title = CRM_Core_DAO
::getFieldValue('CRM_Contact_DAO_Group', $id, 'title');
102 $this->_editPermissionedGroups
[$groupKey][$id] = $title;
103 $this->_viewPermissionedGroups
[$groupKey][$id] = $title;
104 $this->_editPermission
= TRUE;
105 $this->_viewPermission
= TRUE;
110 return $this->_viewPermissionedGroups
[$groupKey];
114 * Get group clause for this user. The group Clause filters the
115 * list of groups that the user is permitted to see in a group listing.
116 * For example it will filter both the list on the 'Manage Groups' page
117 * and on the contact 'Groups' tab
119 * the aclGroup hook & configured ACLs contribute to this data.
120 * If the contact is allowed to see all contacts the function will return ( 1 )
122 * @todo the history of this function is that there was some confusion as to
123 * whether it was filtering contacts or groups & some cruft may remain
126 * The type of permission needed.
127 * @param array $tables
128 * (reference) add the tables that are needed for the select clause.
129 * @param array $whereTables
130 * (reference) add the tables that are needed for the where clause.
133 * the clause to add to the query retrieving viewable groups
135 public function groupClause($type, &$tables, &$whereTables) {
136 if (!isset($this->_viewPermissionedGroups
)) {
140 // we basically get all the groups here
142 if ($type == CRM_Core_Permission
::EDIT
) {
143 if ($this->_editAdminUser
) {
146 elseif (empty($this->_editPermissionedGroups
[$groupKey])) {
151 $groups = implode(', ', $this->_editPermissionedGroups
[$groupKey]);
152 $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys($this->_editPermissionedGroups
[$groupKey])) . " ) AND civicrm_group_contact.status = 'Added' ) ";
153 $tables['civicrm_group_contact'] = 1;
154 $whereTables['civicrm_group_contact'] = 1;
156 // foreach group that is potentially a saved search, add the saved search clause
157 foreach (array_keys($this->_editPermissionedGroups
[$groupKey]) as $id) {
158 $group = new CRM_Contact_DAO_Group();
160 if ($group->find(TRUE) && $group->saved_search_id
) {
161 $clause = CRM_Contact_BAO_SavedSearch
::whereClause($group->saved_search_id
,
166 $clauses[] = $clause;
170 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
174 if ($this->_viewAdminUser
) {
177 elseif (empty($this->_viewPermissionedGroups
[$groupKey])) {
182 $groups = implode(', ', $this->_viewPermissionedGroups
[$groupKey]);
183 $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys($this->_viewPermissionedGroups
[$groupKey])) . " ) ";
184 $tables['civicrm_group'] = 1;
185 $whereTables['civicrm_group'] = 1;
186 $clause = ' ( ' . implode(' OR ', $clauses) . ' ) ';
194 * Get the current permission of this user.
197 * the permission of the user (edit or view or null)
199 public function getPermission() {
202 if ($this->_editPermission
) {
203 return CRM_Core_Permission
::EDIT
;
205 elseif ($this->_viewPermission
) {
206 return CRM_Core_Permission
::VIEW
;
216 public function getContactEmails($uids) {
220 $uidString = implode(',', $uids);
223 FROM civicrm_contact c
224 INNER JOIN civicrm_email e ON ( c.id = e.contact_id AND e.is_primary = 1 )
225 INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id )
226 WHERE c.is_deceased = 0
228 AND uf.uf_id IN ( $uidString )
231 $dao = CRM_Core_DAO
::executeQuery($sql);
234 while ($dao->fetch()) {
235 $emails[] = $dao->email
;
238 return implode(', ', $emails);
242 * Given a roles array, check for access requirements
244 * @param array $array
245 * The roles to check.
248 * true if yes, else false
250 public function checkGroupRole($array) {
251 if (function_exists('user_load') && isset($array)) {
252 $user = user_load($GLOBALS['user']->uid
);
253 //if giver roles found in user roles - return true
254 foreach ($array as $key => $value) {
255 if (in_array($value, $user->roles
)) {
266 public function isModulePermissionSupported() {
271 * Get all the contact emails for users that have a specific permission.
273 * @param string $permissionName
274 * Name of the permission we are interested in.
277 * a comma separated list of email addresses
279 public function permissionEmails($permissionName) {
282 if (isset($_cache[$permissionName])) {
283 return $_cache[$permissionName];
288 SELECT {users}.uid, {role_permission}.permission
291 ON {users}.uid = {users_roles}.uid
292 JOIN {role_permission}
293 ON {role_permission}.rid = {users_roles}.rid
294 WHERE {role_permission}.permission = '{$permissionName}'
295 AND {users}.status = 1
298 $result = db_query($sql);
299 foreach ($result as $record) {
300 $uids[] = $record->uid
;
303 $_cache[$permissionName] = self
::getContactEmails($uids);
304 return $_cache[$permissionName];
310 public function upgradePermissions($permissions) {
311 if (empty($permissions)) {
312 throw new CRM_Core_Exception("Cannot upgrade permissions: permission list missing");
314 $query = db_delete('role_permission')
315 ->condition('module', 'civicrm')
316 ->condition('permission', array_keys($permissions), 'NOT IN');