CRM/Core/Permission/Joomla.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.7                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2017                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 /**
  29  *
  30  * @package CRM
  31  * @copyright CiviCRM LLC (c) 2004-2017
  32  * $Id$
  33  *
  34  */
  35
  36 /**
  37  *
  38  */
  39 class CRM_Core_Permission_Joomla extends CRM_Core_Permission_Base {
  40   /**
  41    * Given a permission string, check for access requirements
  42    *
  43    * @param string $str
  44    *   The permission to check.
  45    *
  46    * @return bool
  47    *   true if yes, else false
  48    */
  49   public function check($str) {
  50     $config = CRM_Core_Config::singleton();
  51
  52     $translated = $this->translateJoomlaPermission($str);
  53     if ($translated === CRM_Core_Permission::ALWAYS_DENY_PERMISSION) {
  54       return FALSE;
  55     }
  56     if ($translated === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
  57       return TRUE;
  58     }
  59
  60     // ensure that we are running in a joomla context
  61     // we've not yet figured out how to bootstrap joomla, so we should
  62     // not execute hooks if joomla is not loaded
  63     if (defined('_JEXEC')) {
  64       $user = JFactory::getUser();
  65       $api_key    = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');
  66
  67       // If we are coming from REST we don't have a user but we do have the api_key for a user.
  68       if ($user->id === 0 && !is_null($api_key)) {
  69         // This is a codeblock copied from /Civicrm/Utils/REST
  70         $uid = NULL;
  71         if (!$uid) {
  72           $store      = NULL;
  73
  74           $contact_id = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');
  75
  76           if ($contact_id) {
  77             $uid = CRM_Core_BAO_UFMatch::getUFId($contact_id);
  78           }
  79           $user = JFactory::getUser($uid);
  80
  81         }
  82       }
  83
  84       return $user->authorise($translated[0], $translated[1]);
  85
  86     }
  87     else {
  88
  89       return FALSE;
  90     }
  91   }
  92
  93   public function isModulePermissionSupported() {
  94     return TRUE;
  95   }
  96
  97   /**
  98    * @param $perm
  99    *
 100    * @internal param string $name e.g. "administer CiviCRM", "cms:access user record", "Drupal:administer content", "Joomla:example.action:com_some_asset"
 101    * @return ALWAYS_DENY_PERMISSION|ALWAYS_ALLOW_PERMISSION|array(0 => $joomlaAction, 1 => $joomlaAsset)
 102    */
 103   public function translateJoomlaPermission($perm) {
 104     if ($perm === CRM_Core_Permission::ALWAYS_DENY_PERMISSION || $perm === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
 105       return $perm;
 106     }
 107
 108     list ($civiPrefix, $name) = CRM_Utils_String::parsePrefix(':', $perm, NULL);
 109     switch ($civiPrefix) {
 110       case 'Joomla':
 111         return explode(':', $name);
 112
 113       case 'cms':
 114         // FIXME: This needn't be DENY, but we don't currently have any translations.
 115         return CRM_Core_Permission::ALWAYS_DENY_PERMISSION;
 116
 117       case NULL:
 118         return array('civicrm.' . CRM_Utils_String::munge(strtolower($name)), 'com_civicrm');
 119
 120       default:
 121         return CRM_Core_Permission::ALWAYS_DENY_PERMISSION;
 122     }
 123   }
 124
 125   /**
 126    * Given a roles array, check for access requirements
 127    *
 128    * @param array $array
 129    *   The roles to check.
 130    *
 131    * @return bool
 132    *   true if yes, else false
 133    */
 134   public function checkGroupRole($array) {
 135     return FALSE;
 136   }
 137
 138   /**
 139    * @inheritDoc
 140    */
 141   public function upgradePermissions($permissions) {
 142     $translatedPerms = array();
 143
 144     // Flipping the $permissions array gives us just the raw names of the
 145     // permissions. The descriptions, etc., are irrelevant for the purposes of
 146     // this method.
 147     foreach (array_flip($permissions) as $perm) {
 148       $translated = $this->translateJoomlaPermission($perm);
 149       $translatedPerms[] = $translated[0];
 150     }
 151
 152     $associations = $this->getUserGroupPermsAssociations();
 153     $cmsPermsHaveGoneStale = FALSE;
 154     foreach (array_keys(get_object_vars($associations)) as $permName) {
 155       if (!in_array($permName, $translatedPerms)) {
 156         unset($associations->$permName);
 157         $cmsPermsHaveGoneStale = TRUE;
 158       }
 159     }
 160
 161     if ($cmsPermsHaveGoneStale) {
 162       $this->updateGroupPermsAssociations($associations);
 163     }
 164   }
 165
 166   /**
 167    * Fetches the associations between user groups and CiviCRM permissions.
 168    *
 169    * @see https://docs.joomla.org/Selecting_data_using_JDatabase
 170    * @return object
 171    *   Properties of the object are Joomla-fied permission names.
 172    */
 173   private function getUserGroupPermsAssociations() {
 174     $db = JFactory::getDbo();
 175     $query = $db->getQuery(TRUE);
 176
 177     $query
 178         ->select($db->quoteName('rules'))
 179         ->from($db->quoteName('#__assets'))
 180         ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm'));
 181
 182     $db->setQuery($query);
 183
 184     // Joomla gotcha: loadObject returns NULL in the case of no matches.
 185     $result = $db->loadObject();
 186     return $result ? json_decode($result->rules) : (object) array();
 187   }
 188
 189   /**
 190    * Writes user-group/permissions associations back to Joomla.
 191    *
 192    * @see https://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase
 193    * @param object $associations
 194    *   Same format as the return of
 195    *   CRM_Core_Permission_Joomla->getUserGroupPermsAssociations().
 196    */
 197   private function updateGroupPermsAssociations($associations) {
 198     $db = JFactory::getDbo();
 199     $query = $db->getQuery(TRUE);
 200
 201     $query
 202         ->update($db->quoteName('#__assets'))
 203         ->set($db->quoteName('rules') . ' = ' . $db->quote(json_encode($associations)))
 204         ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm'));
 205
 206     $db->setQuery($query)->execute();
 207   }
 208
 209 }