CRM/Core/Permission/Joomla.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  */
  17
  18 /**
  19  *
  20  */
  21 class CRM_Core_Permission_Joomla extends CRM_Core_Permission_Base {
  22
  23   /**
  24    * Given a permission string, check for access requirements
  25    *
  26    * @param string $str
  27    *   The permission to check.
  28    * @param int $userId
  29    *
  30    * @return bool
  31    *   true if yes, else false
  32    */
  33   public function check($str, $userId = NULL) {
  34     $config = CRM_Core_Config::singleton();
  35     // JFactory::getUser does strict type checking, so convert falesy values to NULL
  36     if ($userId === 0 || $userId === '0') {
  37       $userId = 0;
  38     }
  39     elseif (!$userId) {
  40       $userId = NULL;
  41     }
  42
  43     $translated = $this->translateJoomlaPermission($str);
  44     if ($translated === CRM_Core_Permission::ALWAYS_DENY_PERMISSION) {
  45       return FALSE;
  46     }
  47     if ($translated === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
  48       return TRUE;
  49     }
  50
  51     // ensure that we are running in a joomla context
  52     // we've not yet figured out how to bootstrap joomla, so we should
  53     // not execute hooks if joomla is not loaded
  54     if (defined('_JEXEC')) {
  55       $user = JFactory::getUser($userId);
  56       $api_key    = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');
  57
  58       // If we are coming from REST we don't have a user but we do have the api_key for a user.
  59       if ($user->id === 0 && !is_null($api_key)) {
  60         // This is a codeblock copied from /Civicrm/Utils/REST
  61         $uid = NULL;
  62         if (!$uid) {
  63           $store = NULL;
  64
  65           $contact_id = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');
  66
  67           if ($contact_id) {
  68             $uid = CRM_Core_BAO_UFMatch::getUFId($contact_id);
  69           }
  70           $user = JFactory::getUser($uid);
  71
  72         }
  73       }
  74
  75       return $user->authorise($translated[0], $translated[1]);
  76
  77     }
  78     else {
  79
  80       return FALSE;
  81     }
  82   }
  83
  84   public function isModulePermissionSupported() {
  85     return TRUE;
  86   }
  87
  88   /**
  89    * @param $perm
  90    *
  91    * @internal param string $name e.g. "administer CiviCRM", "cms:access user record", "Drupal:administer content", "Joomla:example.action:com_some_asset"
  92    * @return ALWAYS_DENY_PERMISSION|ALWAYS_ALLOW_PERMISSION|array(0 => $joomlaAction, 1 => $joomlaAsset)
  93    */
  94   public function translateJoomlaPermission($perm) {
  95     if ($perm === CRM_Core_Permission::ALWAYS_DENY_PERMISSION || $perm === CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
  96       return $perm;
  97     }
  98
  99     list ($civiPrefix, $name) = CRM_Utils_String::parsePrefix(':', $perm, NULL);
 100     switch ($civiPrefix) {
 101       case 'Joomla':
 102         return explode(':', $name);
 103
 104       case 'cms':
 105         // FIXME: This needn't be DENY, but we don't currently have any translations.
 106         return CRM_Core_Permission::ALWAYS_DENY_PERMISSION;
 107
 108       case NULL:
 109         return ['civicrm.' . CRM_Utils_String::munge(strtolower($name)), 'com_civicrm'];
 110
 111       default:
 112         return CRM_Core_Permission::ALWAYS_DENY_PERMISSION;
 113     }
 114   }
 115
 116   /**
 117    * Given a roles array, check for access requirements
 118    *
 119    * @param array $array
 120    *   The roles to check.
 121    *
 122    * @return bool
 123    *   true if yes, else false
 124    */
 125   public function checkGroupRole($array) {
 126     return FALSE;
 127   }
 128
 129   /**
 130    * @inheritDoc
 131    */
 132   public function upgradePermissions($permissions) {
 133     $translatedPerms = [];
 134
 135     // Flipping the $permissions array gives us just the raw names of the
 136     // permissions. The descriptions, etc., are irrelevant for the purposes of
 137     // this method.
 138     foreach (array_flip($permissions) as $perm) {
 139       $translated = $this->translateJoomlaPermission($perm);
 140       $translatedPerms[] = $translated[0];
 141     }
 142
 143     $associations = $this->getUserGroupPermsAssociations();
 144     $cmsPermsHaveGoneStale = FALSE;
 145     foreach (array_keys(get_object_vars($associations)) as $permName) {
 146       if (!in_array($permName, $translatedPerms)) {
 147         unset($associations->$permName);
 148         $cmsPermsHaveGoneStale = TRUE;
 149       }
 150     }
 151
 152     if ($cmsPermsHaveGoneStale) {
 153       $this->updateGroupPermsAssociations($associations);
 154     }
 155   }
 156
 157   /**
 158    * Fetches the associations between user groups and CiviCRM permissions.
 159    *
 160    * @see https://docs.joomla.org/Selecting_data_using_JDatabase
 161    * @return object
 162    *   Properties of the object are Joomla-fied permission names.
 163    */
 164   private function getUserGroupPermsAssociations() {
 165     $db = JFactory::getDbo();
 166     $query = $db->getQuery(TRUE);
 167
 168     $query
 169       ->select($db->quoteName('rules'))
 170       ->from($db->quoteName('#__assets'))
 171       ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm'));
 172
 173     $db->setQuery($query);
 174
 175     // Joomla gotcha: loadObject returns NULL in the case of no matches.
 176     $result = $db->loadObject();
 177     return $result ? json_decode($result->rules) : (object) [];
 178   }
 179
 180   /**
 181    * Writes user-group/permissions associations back to Joomla.
 182    *
 183    * @see https://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase
 184    * @param object $associations
 185    *   Same format as the return of
 186    *   CRM_Core_Permission_Joomla->getUserGroupPermsAssociations().
 187    */
 188   private function updateGroupPermsAssociations($associations) {
 189     $db = JFactory::getDbo();
 190     $query = $db->getQuery(TRUE);
 191
 192     $query
 193       ->update($db->quoteName('#__assets'))
 194       ->set($db->quoteName('rules') . ' = ' . $db->quote(json_encode($associations)))
 195       ->where($db->quoteName('name') . ' = ' . $db->quote('com_civicrm'));
 196
 197     $db->setQuery($query)->execute();
 198   }
 199
 200 }