projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Search Builder - Enhance UI with Select2 and EntityRef
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17
18 /**
19 * This is the basic permission class wrapper
20 */
21 class CRM_Core_Permission {
22
23 /**
24 * Static strings used to compose permissions.
25 *
26 * @const
27 * @var string
28 */
29 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
30
31 /**
32 * The various type of permissions.
33 *
34 * @var int
35 */
36 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
37
38 /**
39 * A placeholder permission which always fails.
40 */
41 const ALWAYS_DENY_PERMISSION = "*always deny*";
42
43 /**
44 * A placeholder permission which always fails.
45 */
46 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
47
48 /**
49 * Various authentication sources.
50 *
51 * @var int
52 */
53 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
54
55 /**
56 * Get the current permission of this user.
57 *
58 * @return string
59 * the permission of the user (edit or view or null)
60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
63 return $config->userPermissionClass->getPermission();
64 }
65
66 /**
67 * Given a permission string or array, check for access requirements
68 *
69 * Ex 1: Must have 'access CiviCRM'
70 * (string) 'access CiviCRM'
71 *
72 * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
73 * ['access CiviCRM', 'access Ajax API']
74 *
75 * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
76 * [
77 * ['access CiviCRM', 'access Ajax API'],
78 * ],
79 *
80 * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
81 * [
82 * ['access CiviCRM', 'access Ajax API'],
83 * 'access CiviEvent',
84 * ],
85 *
86 * Note that in permissions.php this is keyed by the action eg.
87 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
88 * 'myaction' => [
89 * ['access CiviCRM', 'access Ajax API'],
90 * ['access CiviEvent', 'access CiviContribute']
91 * ],
92 *
93 * @param string|array $permissions
94 * The permission to check as an array or string -see examples.
95 *
96 * @param int $contactId
97 * Contact id to check permissions for. Defaults to current logged-in user.
98 *
99 * @return bool
100 * true if contact has permission(s), else false
101 */
102 public static function check($permissions, $contactId = NULL) {
103 $permissions = (array) $permissions;
104 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
105
106 /** @var CRM_Core_Permission_Temp $tempPerm */
107 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
108
109 foreach ($permissions as $permission) {
110 if (is_array($permission)) {
111 foreach ($permission as $orPerm) {
112 if (self::check($orPerm, $contactId)) {
113 //one of our 'or' permissions has succeeded - stop checking this permission
114 return TRUE;
115 }
116 }
117 //none of our our conditions was met
118 return FALSE;
119 }
120 else {
121 // This is an individual permission
122 $impliedPermissions = self::getImpliedPermissionsFor($permission);
123 $impliedPermissions[] = $permission;
124 foreach ($impliedPermissions as $permissionOption) {
125 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permissionOption, $userId);
126 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
127 CRM_Utils_Hook::permission_check($permissionOption, $granted, $contactId);
128 if ($granted) {
129 break;
130 }
131 }
132
133 if (
134 !$granted
135 && !($tempPerm && $tempPerm->check($permission))
136 ) {
137 //one of our 'and' conditions has not been met
138 return FALSE;
139 }
140 }
141 }
142 return TRUE;
143 }
144
145 /**
146 * Determine if any one of the permissions strings applies to current user.
147 *
148 * @param array $perms
149 * @return bool
150 */
151 public static function checkAnyPerm($perms) {
152 foreach ($perms as $perm) {
153 if (CRM_Core_Permission::check($perm)) {
154 return TRUE;
155 }
156 }
157 return FALSE;
158 }
159
160 /**
161 * Given a group/role array, check for access requirements
162 *
163 * @param array $array
164 * The group/role to check.
165 *
166 * @return bool
167 * true if yes, else false
168 */
169 public static function checkGroupRole($array) {
170 $config = CRM_Core_Config::singleton();
171 return $config->userPermissionClass->checkGroupRole($array);
172 }
173
174 /**
175 * Get the permissioned where clause for the user.
176 *
177 * @param int $type
178 * The type of permission needed.
179 * @param array $tables
180 * (reference ) add the tables that are needed for the select clause.
181 * @param array $whereTables
182 * (reference ) add the tables that are needed for the where clause.
183 *
184 * @return string
185 * the group where clause for this user
186 */
187 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
188 $config = CRM_Core_Config::singleton();
189 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
190 }
191
192 /**
193 * Get all groups from database, filtered by permissions
194 * for this user
195 *
196 * @param string $groupType
197 * Type of group(Access/Mailing).
198 * @param bool $excludeHidden
199 * exclude hidden groups.
200 *
201 *
202 * @return array
203 * array reference of all groups.
204 */
205 public static function group($groupType, $excludeHidden = TRUE) {
206 $config = CRM_Core_Config::singleton();
207 return $config->userPermissionClass->group($groupType, $excludeHidden);
208 }
209
210 /**
211 * @return bool
212 */
213 public static function customGroupAdmin() {
214 $admin = FALSE;
215
216 // check if user has all powerful permission
217 // or administer civicrm permission (CRM-1905)
218 if (self::check('access all custom data')) {
219 return TRUE;
220 }
221
222 if (
223 self::check('administer Multiple Organizations') &&
224 self::isMultisiteEnabled()
225 ) {
226 return TRUE;
227 }
228
229 if (self::check('administer CiviCRM')) {
230 return TRUE;
231 }
232
233 return FALSE;
234 }
235
236 /**
237 * @param int $type
238 * @param bool $reset
239 *
240 * @return array
241 */
242 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
243 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
244 ['fresh' => $reset]);
245 $defaultGroups = [];
246
247 // check if user has all powerful permission
248 // or administer civicrm permission (CRM-1905)
249 if (self::customGroupAdmin()) {
250 $defaultGroups = array_keys($customGroups);
251 }
252
253 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
254 }
255
256 /**
257 * @param int $type
258 * @param null $prefix
259 * @param bool $reset
260 *
261 * @return string
262 */
263 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
264 if (self::customGroupAdmin()) {
265 return ' ( 1 ) ';
266 }
267
268 $groups = self::customGroup($type, $reset);
269 if (empty($groups)) {
270 return ' ( 0 ) ';
271 }
272 else {
273 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
274 }
275 }
276
277 /**
278 * @param int $gid
279 * @param int $type
280 *
281 * @return bool
282 */
283 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
284 if (empty($gid)) {
285 return TRUE;
286 }
287
288 $groups = self::ufGroup($type);
289 return !empty($groups) && in_array($gid, $groups);
290 }
291
292 /**
293 * @param int $type
294 *
295 * @return array
296 */
297 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
298 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
299
300 $allGroups = array_keys($ufGroups);
301
302 // check if user has all powerful permission
303 if (self::check('profile listings and forms')) {
304 return $allGroups;
305 }
306
307 switch ($type) {
308 case CRM_Core_Permission::VIEW:
309 if (self::check('profile view')) {
310 return $allGroups;
311 }
312 break;
313
314 case CRM_Core_Permission::CREATE:
315 if (self::check('profile create')) {
316 return $allGroups;
317 }
318 break;
319
320 case CRM_Core_Permission::EDIT:
321 if (self::check('profile edit')) {
322 return $allGroups;
323 }
324 break;
325
326 case CRM_Core_Permission::SEARCH:
327 if (self::check('profile listings')) {
328 return $allGroups;
329 }
330 break;
331 }
332
333 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
334 }
335
336 /**
337 * @param int $type
338 * @param null $prefix
339 * @param bool $returnUFGroupIds
340 *
341 * @return array|string
342 */
343 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
344 $groups = self::ufGroup($type);
345 if ($returnUFGroupIds) {
346 return $groups;
347 }
348 elseif (empty($groups)) {
349 return ' ( 0 ) ';
350 }
351 else {
352 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
353 }
354 }
355
356 /**
357 * @param int $type
358 * @param int $eventID
359 * @param string $context
360 *
361 * @return array|null
362 */
363 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
364 if (!empty($context)) {
365 if (CRM_Core_Permission::check($context)) {
366 return TRUE;
367 }
368 }
369 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
370 $includeEvents = [];
371
372 // check if user has all powerful permission
373 if (self::check('register for events')) {
374 $includeEvents = array_keys($events);
375 }
376
377 if ($type == CRM_Core_Permission::VIEW &&
378 self::check('view event info')
379 ) {
380 $includeEvents = array_keys($events);
381 }
382
383 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
384 if (!$eventID) {
385 return $permissionedEvents;
386 }
387 if (!empty($permissionedEvents)) {
388 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
389 }
390 return NULL;
391 }
392
393 /**
394 * @param int $type
395 * @param null $prefix
396 *
397 * @return string
398 */
399 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
400 $events = self::event($type);
401 if (empty($events)) {
402 return ' ( 0 ) ';
403 }
404 else {
405 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
406 }
407 }
408
409 /**
410 * Checks that component is enabled and optionally that user has basic perm.
411 *
412 * @param string $module
413 * Specifies the name of the CiviCRM component.
414 * @param bool $checkPermission
415 * Check not only that module is enabled, but that user has necessary
416 * permission.
417 * @param bool $requireAllCasesPermOnCiviCase
418 * Significant only if $module == CiviCase
419 * Require "access all cases and activities", not just
420 * "access my cases and activities".
421 *
422 * @return bool
423 * Access to specified $module is granted.
424 */
425 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
426 $config = CRM_Core_Config::singleton();
427
428 if (!in_array($module, $config->enableComponents)) {
429 return FALSE;
430 }
431
432 if ($checkPermission) {
433 switch ($module) {
434 case 'CiviCase':
435 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
436 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
437 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
438
439 case 'CiviCampaign':
440 return CRM_Core_Permission::check("administer $module");
441
442 default:
443 return CRM_Core_Permission::check("access $module");
444 }
445 }
446
447 return TRUE;
448 }
449
450 /**
451 * Check permissions for delete and edit actions.
452 *
453 * @param string $module
454 * Component name.
455 * @param int $action
456 * Action to be check across component.
457 *
458 *
459 * @return bool
460 */
461 public static function checkActionPermission($module, $action) {
462 //check delete related permissions.
463 if ($action & CRM_Core_Action::DELETE) {
464 $permissionName = "delete in $module";
465 }
466 else {
467 $editPermissions = [
468 'CiviEvent' => 'edit event participants',
469 'CiviMember' => 'edit memberships',
470 'CiviPledge' => 'edit pledges',
471 'CiviContribute' => 'edit contributions',
472 'CiviGrant' => 'edit grants',
473 'CiviMail' => 'access CiviMail',
474 'CiviAuction' => 'add auction items',
475 ];
476 $permissionName = $editPermissions[$module] ?? NULL;
477 }
478
479 if ($module == 'CiviCase' && !$permissionName) {
480 return CRM_Case_BAO_Case::accessCiviCase();
481 }
482 else {
483 //check for permission.
484 return CRM_Core_Permission::check($permissionName);
485 }
486 }
487
488 /**
489 * @param $args
490 * @param string $op
491 *
492 * @return bool
493 */
494 public static function checkMenu(&$args, $op = 'and') {
495 if (!is_array($args)) {
496 return $args;
497 }
498 foreach ($args as $str) {
499 $res = CRM_Core_Permission::check($str);
500 if ($op == 'or' && $res) {
501 return TRUE;
502 }
503 elseif ($op == 'and' && !$res) {
504 return FALSE;
505 }
506 }
507 return ($op == 'or') ? FALSE : TRUE;
508 }
509
510 /**
511 * @param $item
512 *
513 * @return bool|mixed
514 * @throws Exception
515 */
516 public static function checkMenuItem(&$item) {
517 if (!array_key_exists('access_callback', $item)) {
518 CRM_Core_Error::backtrace();
519 throw new CRM_Core_Exception('Missing Access Callback key in menu item');
520 }
521
522 // if component_id is present, ensure it is enabled
523 if (isset($item['component_id']) && $item['component_id']) {
524 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
525 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
526 }
527 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
528
529 $config = CRM_Core_Config::singleton();
530 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
531 // continue with process
532 }
533 else {
534 return FALSE;
535 }
536 }
537
538 // the following is imitating drupal 6 code in includes/menu.inc
539 if (empty($item['access_callback']) ||
540 is_numeric($item['access_callback'])
541 ) {
542 return (bool) $item['access_callback'];
543 }
544
545 // check whether the following Ajax requests submitted the right key
546 // FIXME: this should be integrated into ACLs proper
547 if (CRM_Utils_Array::value('page_type', $item) == 3) {
548 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
549 return FALSE;
550 }
551 }
552
553 // check if callback is for checkMenu, if so optimize it
554 if (is_array($item['access_callback']) &&
555 $item['access_callback'][0] == 'CRM_Core_Permission' &&
556 $item['access_callback'][1] == 'checkMenu'
557 ) {
558 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
559 return self::checkMenu($item['access_arguments'][0], $op);
560 }
561 else {
562 return call_user_func_array($item['access_callback'], $item['access_arguments']);
563 }
564 }
565
566 /**
567 * @param bool $all
568 * Include disabled components
569 * @param bool $descriptions
570 * Whether to return descriptions
571 *
572 * @return array
573 */
574 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
575 $cacheKey = implode('-', [$all, $descriptions]);
576 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
577 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
578 }
579 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
580 }
581
582 /**
583 * @param bool $all
584 * @param bool $descriptions
585 * whether to return descriptions
586 *
587 * @return array
588 */
589 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
590 $config = CRM_Core_Config::singleton();
591 $prefix = ts('CiviCRM') . ': ';
592 $permissions = self::getCorePermissions($descriptions);
593
594 if (self::isMultisiteEnabled()) {
595 $permissions['administer Multiple Organizations'] = [$prefix . ts('administer Multiple Organizations')];
596 }
597
598 if (!$descriptions) {
599 foreach ($permissions as $name => $attr) {
600 $permissions[$name] = array_shift($attr);
601 }
602 }
603 if (!$all) {
604 $components = CRM_Core_Component::getEnabledComponents();
605 }
606 else {
607 $components = CRM_Core_Component::getComponents();
608 }
609
610 foreach ($components as $comp) {
611 $perm = $comp->getPermissions($all, $descriptions);
612 if ($perm) {
613 $info = $comp->getInfo();
614 foreach ($perm as $p => $attr) {
615
616 if (!is_array($attr)) {
617 $attr = [$attr];
618 }
619
620 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
621
622 if ($descriptions) {
623 $permissions[$p] = $attr;
624 }
625 else {
626 $permissions[$p] = $attr[0];
627 }
628 }
629 }
630 }
631
632 // Add any permissions defined in hook_civicrm_permission implementations.
633 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
634 $permissions = array_merge($permissions, $module_permissions);
635 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
636 return $permissions;
637 }
638
639 /**
640 * @return array
641 */
642 public static function getAnonymousPermissionsWarnings() {
643 static $permissions = [];
644 if (empty($permissions)) {
645 $permissions = [
646 'administer CiviCRM',
647 ];
648 $components = CRM_Core_Component::getComponents();
649 foreach ($components as $comp) {
650 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
651 continue;
652 }
653 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
654 }
655 }
656 return $permissions;
657 }
658
659 /**
660 * @param $anonymous_perms
661 *
662 * @return array
663 */
664 public static function validateForPermissionWarnings($anonymous_perms) {
665 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
666 }
667
668 /**
669 * Get core permissions.
670 *
671 * @return array
672 */
673 public static function getCorePermissions() {
674 $prefix = ts('CiviCRM') . ': ';
675 $permissions = [
676 'add contacts' => [
677 $prefix . ts('add contacts'),
678 ts('Create a new contact record in CiviCRM'),
679 ],
680 'view all contacts' => [
681 $prefix . ts('view all contacts'),
682 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
683 ],
684 'edit all contacts' => [
685 $prefix . ts('edit all contacts'),
686 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
687 ],
688 'view my contact' => [
689 $prefix . ts('view my contact'),
690 ],
691 'edit my contact' => [
692 $prefix . ts('edit my contact'),
693 ],
694 'delete contacts' => [
695 $prefix . ts('delete contacts'),
696 ],
697 'access deleted contacts' => [
698 $prefix . ts('access deleted contacts'),
699 ts('Access contacts in the trash'),
700 ],
701 'import contacts' => [
702 $prefix . ts('import contacts'),
703 ts('Import contacts and activities'),
704 ],
705 'import SQL datasource' => [
706 $prefix . ts('import SQL datasource'),
707 ts('When importing, consume data directly from a SQL datasource'),
708 ],
709 'edit groups' => [
710 $prefix . ts('edit groups'),
711 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
712 ],
713 'administer CiviCRM' => [
714 $prefix . ts('administer CiviCRM'),
715 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
716 ],
717 'skip IDS check' => [
718 $prefix . ts('skip IDS check'),
719 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
720 ],
721 'access uploaded files' => [
722 $prefix . ts('access uploaded files'),
723 ts('View / download files including images and photos'),
724 ],
725 'profile listings and forms' => [
726 $prefix . ts('profile listings and forms'),
727 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
728 ],
729 'profile listings' => [
730 $prefix . ts('profile listings'),
731 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
732 ],
733 'profile create' => [
734 $prefix . ts('profile create'),
735 ts('Add data in a profile form.'),
736 ],
737 'profile edit' => [
738 $prefix . ts('profile edit'),
739 ts('Edit data in a profile form.'),
740 ],
741 'profile view' => [
742 $prefix . ts('profile view'),
743 ts('View data in a profile.'),
744 ],
745 'access all custom data' => [
746 $prefix . ts('access all custom data'),
747 ts('View all custom fields regardless of ACL rules'),
748 ],
749 'view all activities' => [
750 $prefix . ts('view all activities'),
751 ts('View all activities (for visible contacts)'),
752 ],
753 'delete activities' => [
754 $prefix . ts('Delete activities'),
755 ],
756 'edit inbound email basic information' => [
757 $prefix . ts('edit inbound email basic information'),
758 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
759 ],
760 'edit inbound email basic information and content' => [
761 $prefix . ts('edit inbound email basic information and content'),
762 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
763 ],
764 'access CiviCRM' => [
765 $prefix . ts('access CiviCRM backend and API'),
766 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
767 ],
768 'access Contact Dashboard' => [
769 $prefix . ts('access Contact Dashboard'),
770 ts('View Contact Dashboard (for themselves and visible contacts)'),
771 ],
772 'translate CiviCRM' => [
773 $prefix . ts('translate CiviCRM'),
774 ts('Allow User to enable multilingual'),
775 ],
776 'manage tags' => [
777 $prefix . ts('manage tags'),
778 ts('Create and rename tags'),
779 ],
780 'administer reserved groups' => [
781 $prefix . ts('administer reserved groups'),
782 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
783 ],
784 'administer Tagsets' => [
785 $prefix . ts('administer Tagsets'),
786 ],
787 'administer reserved tags' => [
788 $prefix . ts('administer reserved tags'),
789 ],
790 'administer dedupe rules' => [
791 $prefix . ts('administer dedupe rules'),
792 ts('Create and edit rules, change the supervised and unsupervised rules'),
793 ],
794 'merge duplicate contacts' => [
795 $prefix . ts('merge duplicate contacts'),
796 ts('Delete Contacts must also be granted in order for this to work.'),
797 ],
798 'force merge duplicate contacts' => [
799 $prefix . ts('force merge duplicate contacts'),
800 ts('Delete Contacts must also be granted in order for this to work.'),
801 ],
802 'view debug output' => [
803 $prefix . ts('view debug output'),
804 ts('View results of debug and backtrace'),
805 ],
806
807 'view all notes' => [
808 $prefix . ts('view all notes'),
809 ts("View notes (for visible contacts) even if they're marked admin only"),
810 ],
811 'add contact notes' => [
812 $prefix . ts('add contact notes'),
813 ts("Create notes for contacts"),
814 ],
815 'access AJAX API' => [
816 $prefix . ts('access AJAX API'),
817 ts('Allow API access even if Access CiviCRM is not granted'),
818 ],
819 'access contact reference fields' => [
820 $prefix . ts('access contact reference fields'),
821 ts('Allow entering data into contact reference fields'),
822 ],
823 'create manual batch' => [
824 $prefix . ts('create manual batch'),
825 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
826 ],
827 'edit own manual batches' => [
828 $prefix . ts('edit own manual batches'),
829 ts('Edit accounting batches created by user'),
830 ],
831 'edit all manual batches' => [
832 $prefix . ts('edit all manual batches'),
833 ts('Edit all accounting batches'),
834 ],
835 'close own manual batches' => [
836 $prefix . ts('close own manual batches'),
837 ts('Close accounting batches created by user (with Access to CiviContribute)'),
838 ],
839 'close all manual batches' => [
840 $prefix . ts('close all manual batches'),
841 ts('Close all accounting batches (with Access to CiviContribute)'),
842 ],
843 'reopen own manual batches' => [
844 $prefix . ts('reopen own manual batches'),
845 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
846 ],
847 'reopen all manual batches' => [
848 $prefix . ts('reopen all manual batches'),
849 ts('Reopen all accounting batches (with Access to CiviContribute)'),
850 ],
851 'view own manual batches' => [
852 $prefix . ts('view own manual batches'),
853 ts('View accounting batches created by user (with Access to CiviContribute)'),
854 ],
855 'view all manual batches' => [
856 $prefix . ts('view all manual batches'),
857 ts('View all accounting batches (with Access to CiviContribute)'),
858 ],
859 'delete own manual batches' => [
860 $prefix . ts('delete own manual batches'),
861 ts('Delete accounting batches created by user'),
862 ],
863 'delete all manual batches' => [
864 $prefix . ts('delete all manual batches'),
865 ts('Delete all accounting batches'),
866 ],
867 'export own manual batches' => [
868 $prefix . ts('export own manual batches'),
869 ts('Export accounting batches created by user'),
870 ],
871 'export all manual batches' => [
872 $prefix . ts('export all manual batches'),
873 ts('Export all accounting batches'),
874 ],
875 'administer payment processors' => [
876 $prefix . ts('administer payment processors'),
877 ts('Add, Update, or Disable Payment Processors'),
878 ],
879 'edit message templates' => [
880 $prefix . ts('edit message templates'),
881 ],
882 'edit system workflow message templates' => [
883 $prefix . ts('edit system workflow message templates'),
884 ],
885 'edit user-driven message templates' => [
886 $prefix . ts('edit user-driven message templates'),
887 ],
888 'view my invoices' => [
889 $prefix . ts('view my invoices'),
890 ts('Allow users to view/ download their own invoices'),
891 ],
892 'edit api keys' => [
893 $prefix . ts('edit api keys'),
894 ts('Edit API keys'),
895 ],
896 'edit own api keys' => [
897 $prefix . ts('edit own api keys'),
898 ts('Edit user\'s own API keys'),
899 ],
900 'send SMS' => [
901 $prefix . ts('send SMS'),
902 ts('Send an SMS'),
903 ],
904 'administer CiviCRM system' => [
905 'label' => $prefix . ts('administer CiviCRM System'),
906 'description' => ts('Perform all system administration tasks in CiviCRM'),
907 ],
908 'administer CiviCRM data' => [
909 'label' => $prefix . ts('administer CiviCRM Data'),
910 'description' => ts('Permit altering all restricted data options'),
911 ],
912 ];
913 foreach (self::getImpliedPermissions() as $name => $includes) {
914 foreach ($includes as $permission) {
915 $permissions[$name][] = $permissions[$permission];
916 }
917 }
918 return $permissions;
919 }
920
921 /**
922 * Get permissions implied by 'superset' permissions.
923 *
924 * @return array
925 */
926 public static function getImpliedPermissions() {
927 return [
928 'administer CiviCRM' => ['administer CiviCRM system', 'administer CiviCRM data'],
929 'administer CiviCRM data' => ['edit message templates', 'administer dedupe rules'],
930 'administer CiviCRM system' => ['edit system workflow message templates'],
931 ];
932 }
933
934 /**
935 * Get any super-permissions that imply the given permission.
936 *
937 * @param string $permission
938 *
939 * @return array
940 */
941 public static function getImpliedPermissionsFor(string $permission) {
942 $return = [];
943 foreach (self::getImpliedPermissions() as $superPermission => $components) {
944 if (in_array($permission, $components, TRUE)) {
945 $return[$superPermission] = $superPermission;
946 }
947 }
948 return $return;
949 }
950
951 /**
952 * For each entity provides an array of permissions required for each action
953 *
954 * The action is the array key, possible values:
955 * * create: applies to create (with no id in params)
956 * * update: applies to update, setvalue, create (with id in params)
957 * * get: applies to getcount, getsingle, getvalue and other gets
958 * * delete: applies to delete, replace
959 * * meta: applies to getfields, getoptions, getspec
960 * * default: catch-all for anything not declared
961 *
962 * Note: some APIs declare other actions as well
963 *
964 * Permissions should use arrays for AND and arrays of arrays for OR
965 * @see CRM_Core_Permission::check
966 *
967 * @return array of permissions
968 */
969 public static function getEntityActionPermissions() {
970 $permissions = [];
971 // These are the default permissions - if any entity does not declare permissions for a given action,
972 // (or the entity does not declare permissions at all) - then the action will be used from here
973 $permissions['default'] = [
974 // applies to getfields, getoptions, etc.
975 'meta' => ['access CiviCRM'],
976 // catch-all, applies to create, get, delete, etc.
977 // If an entity declares it's own 'default' action it will override this one
978 'default' => ['administer CiviCRM'],
979 ];
980
981 // Note: Additional permissions in DynamicFKAuthorization
982 $permissions['attachment'] = [
983 'default' => [
984 ['access CiviCRM', 'access AJAX API'],
985 ],
986 ];
987
988 // Contact permissions
989 $permissions['contact'] = [
990 'create' => [
991 'access CiviCRM',
992 'add contacts',
993 ],
994 'delete' => [
995 'access CiviCRM',
996 'delete contacts',
997 ],
998 // managed by query object
999 'get' => [],
1000 // managed by _civicrm_api3_check_edit_permissions
1001 'update' => [],
1002 'getquick' => [
1003 ['access CiviCRM', 'access AJAX API'],
1004 ],
1005 'duplicatecheck' => [
1006 'access CiviCRM',
1007 ],
1008 'merge' => ['merge duplicate contacts'],
1009 ];
1010
1011 $permissions['dedupe'] = [
1012 'getduplicates' => ['access CiviCRM'],
1013 'getstatistics' => ['access CiviCRM'],
1014 ];
1015
1016 // CRM-16963 - Permissions for country.
1017 $permissions['country'] = [
1018 'get' => [
1019 'access CiviCRM',
1020 ],
1021 'default' => [
1022 'administer CiviCRM',
1023 ],
1024 ];
1025
1026 // Contact-related data permissions.
1027 $permissions['address'] = [
1028 // get is managed by BAO::addSelectWhereClause
1029 // create/delete are managed by _civicrm_api3_check_edit_permissions
1030 'default' => [],
1031 ];
1032 $permissions['email'] = $permissions['address'];
1033 $permissions['phone'] = $permissions['address'];
1034 $permissions['website'] = $permissions['address'];
1035 $permissions['im'] = $permissions['address'];
1036 $permissions['open_i_d'] = $permissions['address'];
1037
1038 // Also managed by ACLs - CRM-19448
1039 $permissions['entity_tag'] = ['default' => []];
1040 $permissions['note'] = $permissions['entity_tag'];
1041
1042 // Allow non-admins to get and create tags to support tagset widget
1043 // Delete is still reserved for admins
1044 $permissions['tag'] = [
1045 'get' => ['access CiviCRM'],
1046 'create' => ['access CiviCRM'],
1047 'update' => ['access CiviCRM'],
1048 ];
1049
1050 //relationship permissions
1051 $permissions['relationship'] = [
1052 // get is managed by BAO::addSelectWhereClause
1053 'get' => [],
1054 'delete' => [
1055 'access CiviCRM',
1056 'edit all contacts',
1057 ],
1058 'default' => [
1059 'access CiviCRM',
1060 'edit all contacts',
1061 ],
1062 ];
1063
1064 // CRM-17741 - Permissions for RelationshipType.
1065 $permissions['relationship_type'] = [
1066 'get' => [
1067 'access CiviCRM',
1068 ],
1069 'default' => [
1070 'administer CiviCRM',
1071 ],
1072 ];
1073
1074 // Activity permissions
1075 $permissions['activity'] = [
1076 'delete' => [
1077 'access CiviCRM',
1078 'delete activities',
1079 ],
1080 'get' => [
1081 'access CiviCRM',
1082 // Note that view all activities is also required within the api
1083 // if the id is not passed in. Where the id is passed in the activity
1084 // specific check functions are used and tested.
1085 ],
1086 'default' => [
1087 'access CiviCRM',
1088 'view all activities',
1089 ],
1090 ];
1091 $permissions['activity_contact'] = $permissions['activity'];
1092
1093 // Case permissions
1094 $permissions['case'] = [
1095 'create' => [
1096 'access CiviCRM',
1097 'add cases',
1098 ],
1099 'delete' => [
1100 'access CiviCRM',
1101 'delete in CiviCase',
1102 ],
1103 'restore' => [
1104 'administer CiviCase',
1105 ],
1106 'merge' => [
1107 'administer CiviCase',
1108 ],
1109 'default' => [
1110 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
1111 ['access my cases and activities', 'access all cases and activities'],
1112 ],
1113 ];
1114 $permissions['case_contact'] = $permissions['case'];
1115
1116 $permissions['case_type'] = [
1117 'default' => ['administer CiviCase'],
1118 'get' => [
1119 // nested array = OR
1120 ['access my cases and activities', 'access all cases and activities'],
1121 ],
1122 ];
1123
1124 // Campaign permissions
1125 $permissions['campaign'] = [
1126 'get' => ['access CiviCRM'],
1127 'default' => [
1128 // nested array = OR
1129 ['administer CiviCampaign', 'manage campaign'],
1130 ],
1131 ];
1132 $permissions['survey'] = $permissions['campaign'];
1133
1134 // Financial permissions
1135 $permissions['contribution'] = [
1136 'get' => [
1137 'access CiviCRM',
1138 'access CiviContribute',
1139 ],
1140 'delete' => [
1141 'access CiviCRM',
1142 'access CiviContribute',
1143 'delete in CiviContribute',
1144 ],
1145 'completetransaction' => [
1146 'edit contributions',
1147 ],
1148 'default' => [
1149 'access CiviCRM',
1150 'access CiviContribute',
1151 'edit contributions',
1152 ],
1153 ];
1154 $permissions['line_item'] = $permissions['contribution'];
1155
1156 // Payment permissions
1157 $permissions['payment'] = [
1158 'get' => [
1159 'access CiviCRM',
1160 'access CiviContribute',
1161 ],
1162 'delete' => [
1163 'access CiviCRM',
1164 'access CiviContribute',
1165 'delete in CiviContribute',
1166 ],
1167 'cancel' => [
1168 'access CiviCRM',
1169 'access CiviContribute',
1170 'edit contributions',
1171 ],
1172 'create' => [
1173 'access CiviCRM',
1174 'access CiviContribute',
1175 'edit contributions',
1176 ],
1177 'default' => [
1178 'access CiviCRM',
1179 'access CiviContribute',
1180 'edit contributions',
1181 ],
1182 ];
1183 $permissions['contribution_recur'] = $permissions['payment'];
1184
1185 // Custom field permissions
1186 $permissions['custom_field'] = [
1187 'default' => [
1188 'administer CiviCRM',
1189 'access all custom data',
1190 ],
1191 ];
1192 $permissions['custom_group'] = $permissions['custom_field'];
1193
1194 // Event permissions
1195 $permissions['event'] = [
1196 'create' => [
1197 'access CiviCRM',
1198 'access CiviEvent',
1199 'edit all events',
1200 ],
1201 'delete' => [
1202 'access CiviCRM',
1203 'access CiviEvent',
1204 'delete in CiviEvent',
1205 ],
1206 'get' => [
1207 'access CiviCRM',
1208 'access CiviEvent',
1209 'view event info',
1210 ],
1211 'update' => [
1212 'access CiviCRM',
1213 'access CiviEvent',
1214 'edit all events',
1215 ],
1216 ];
1217 // Exception refers to dedupe_exception.
1218 $permissions['exception'] = [
1219 'default' => ['merge duplicate contacts'],
1220 ];
1221
1222 $permissions['job'] = [
1223 'process_batch_merge' => ['merge duplicate contacts'],
1224 ];
1225 $permissions['rule_group']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
1226 // Loc block is only used for events
1227 $permissions['loc_block'] = $permissions['event'];
1228
1229 $permissions['state_province'] = [
1230 'get' => [
1231 'access CiviCRM',
1232 ],
1233 ];
1234
1235 // Price sets are shared by several components, user needs access to at least one of them
1236 $permissions['price_set'] = [
1237 'default' => [
1238 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1239 ],
1240 'get' => [
1241 ['access CiviCRM', 'view event info', 'make online contributions'],
1242 ],
1243 ];
1244
1245 // File permissions
1246 $permissions['file'] = [
1247 'default' => [
1248 'access CiviCRM',
1249 'access uploaded files',
1250 ],
1251 ];
1252 $permissions['files_by_entity'] = $permissions['file'];
1253
1254 // Group permissions
1255 $permissions['group'] = [
1256 'get' => [
1257 'access CiviCRM',
1258 ],
1259 'default' => [
1260 'access CiviCRM',
1261 'edit groups',
1262 ],
1263 ];
1264
1265 $permissions['group_nesting'] = $permissions['group'];
1266 $permissions['group_organization'] = $permissions['group'];
1267
1268 //Group Contact permission
1269 $permissions['group_contact'] = [
1270 'get' => [
1271 'access CiviCRM',
1272 ],
1273 'default' => [
1274 'access CiviCRM',
1275 'edit all contacts',
1276 ],
1277 ];
1278
1279 // CiviMail Permissions
1280 $civiMailBasePerms = [
1281 // To get/preview/update, one must have least one of these perms:
1282 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1283 'access CiviMail',
1284 'create mailings',
1285 'schedule mailings',
1286 'approve mailings',
1287 ];
1288 $permissions['mailing'] = [
1289 'get' => [
1290 'access CiviCRM',
1291 $civiMailBasePerms,
1292 ],
1293 'delete' => [
1294 'access CiviCRM',
1295 $civiMailBasePerms,
1296 'delete in CiviMail',
1297 ],
1298 'submit' => [
1299 'access CiviCRM',
1300 ['access CiviMail', 'schedule mailings'],
1301 ],
1302 'default' => [
1303 'access CiviCRM',
1304 $civiMailBasePerms,
1305 ],
1306 ];
1307 $permissions['mailing_group'] = $permissions['mailing'];
1308 $permissions['mailing_job'] = $permissions['mailing'];
1309 $permissions['mailing_recipients'] = $permissions['mailing'];
1310
1311 $permissions['mailing_a_b'] = [
1312 'get' => [
1313 'access CiviCRM',
1314 'access CiviMail',
1315 ],
1316 'delete' => [
1317 'access CiviCRM',
1318 'access CiviMail',
1319 'delete in CiviMail',
1320 ],
1321 'submit' => [
1322 'access CiviCRM',
1323 ['access CiviMail', 'schedule mailings'],
1324 ],
1325 'default' => [
1326 'access CiviCRM',
1327 'access CiviMail',
1328 ],
1329 ];
1330
1331 // Membership permissions
1332 $permissions['membership'] = [
1333 'get' => [
1334 'access CiviCRM',
1335 'access CiviMember',
1336 ],
1337 'delete' => [
1338 'access CiviCRM',
1339 'access CiviMember',
1340 'delete in CiviMember',
1341 ],
1342 'default' => [
1343 'access CiviCRM',
1344 'access CiviMember',
1345 'edit memberships',
1346 ],
1347 ];
1348 $permissions['membership_status'] = $permissions['membership'];
1349 $permissions['membership_type'] = $permissions['membership'];
1350 $permissions['membership_payment'] = [
1351 'create' => [
1352 'access CiviCRM',
1353 'access CiviMember',
1354 'edit memberships',
1355 'access CiviContribute',
1356 'edit contributions',
1357 ],
1358 'delete' => [
1359 'access CiviCRM',
1360 'access CiviMember',
1361 'delete in CiviMember',
1362 'access CiviContribute',
1363 'delete in CiviContribute',
1364 ],
1365 'get' => [
1366 'access CiviCRM',
1367 'access CiviMember',
1368 'access CiviContribute',
1369 ],
1370 'update' => [
1371 'access CiviCRM',
1372 'access CiviMember',
1373 'edit memberships',
1374 'access CiviContribute',
1375 'edit contributions',
1376 ],
1377 ];
1378
1379 // Participant permissions
1380 $permissions['participant'] = [
1381 'create' => [
1382 'access CiviCRM',
1383 'access CiviEvent',
1384 'register for events',
1385 ],
1386 'delete' => [
1387 'access CiviCRM',
1388 'access CiviEvent',
1389 'edit event participants',
1390 ],
1391 'get' => [
1392 'access CiviCRM',
1393 'access CiviEvent',
1394 'view event participants',
1395 ],
1396 'update' => [
1397 'access CiviCRM',
1398 'access CiviEvent',
1399 'edit event participants',
1400 ],
1401 ];
1402 $permissions['participant_payment'] = [
1403 'create' => [
1404 'access CiviCRM',
1405 'access CiviEvent',
1406 'register for events',
1407 'access CiviContribute',
1408 'edit contributions',
1409 ],
1410 'delete' => [
1411 'access CiviCRM',
1412 'access CiviEvent',
1413 'edit event participants',
1414 'access CiviContribute',
1415 'delete in CiviContribute',
1416 ],
1417 'get' => [
1418 'access CiviCRM',
1419 'access CiviEvent',
1420 'view event participants',
1421 'access CiviContribute',
1422 ],
1423 'update' => [
1424 'access CiviCRM',
1425 'access CiviEvent',
1426 'edit event participants',
1427 'access CiviContribute',
1428 'edit contributions',
1429 ],
1430 ];
1431
1432 // Pledge permissions
1433 $permissions['pledge'] = [
1434 'create' => [
1435 'access CiviCRM',
1436 'access CiviPledge',
1437 'edit pledges',
1438 ],
1439 'delete' => [
1440 'access CiviCRM',
1441 'access CiviPledge',
1442 'delete in CiviPledge',
1443 ],
1444 'get' => [
1445 'access CiviCRM',
1446 'access CiviPledge',
1447 ],
1448 'update' => [
1449 'access CiviCRM',
1450 'access CiviPledge',
1451 'edit pledges',
1452 ],
1453 ];
1454
1455 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
1456 $permissions['action_schedule'] = [
1457 'update' => [
1458 [
1459 'access CiviCRM',
1460 'edit all events',
1461 ],
1462 ],
1463 ];
1464
1465 $permissions['pledge_payment'] = [
1466 'create' => [
1467 'access CiviCRM',
1468 'access CiviPledge',
1469 'edit pledges',
1470 'access CiviContribute',
1471 'edit contributions',
1472 ],
1473 'delete' => [
1474 'access CiviCRM',
1475 'access CiviPledge',
1476 'delete in CiviPledge',
1477 'access CiviContribute',
1478 'delete in CiviContribute',
1479 ],
1480 'get' => [
1481 'access CiviCRM',
1482 'access CiviPledge',
1483 'access CiviContribute',
1484 ],
1485 'update' => [
1486 'access CiviCRM',
1487 'access CiviPledge',
1488 'edit pledges',
1489 'access CiviContribute',
1490 'edit contributions',
1491 ],
1492 ];
1493
1494 // Dashboard permissions
1495 $permissions['dashboard'] = [
1496 'get' => [
1497 'access CiviCRM',
1498 ],
1499 ];
1500 $permissions['dashboard_contact'] = [
1501 'default' => [
1502 'access CiviCRM',
1503 ],
1504 ];
1505
1506 // Profile permissions
1507 $permissions['profile'] = [
1508 // the profile will take care of this
1509 'get' => [],
1510 ];
1511
1512 $permissions['uf_group'] = [
1513 'create' => [
1514 'access CiviCRM',
1515 [
1516 'administer CiviCRM',
1517 'manage event profiles',
1518 ],
1519 ],
1520 'get' => [
1521 'access CiviCRM',
1522 ],
1523 'update' => [
1524 'access CiviCRM',
1525 [
1526 'administer CiviCRM',
1527 'manage event profiles',
1528 ],
1529 ],
1530 ];
1531 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
1532 $permissions['uf_field']['delete'] = [
1533 'access CiviCRM',
1534 [
1535 'administer CiviCRM',
1536 'manage event profiles',
1537 ],
1538 ];
1539 $permissions['option_value'] = $permissions['uf_group'];
1540 $permissions['option_group'] = $permissions['option_value'];
1541
1542 $permissions['custom_value'] = [
1543 'gettree' => ['access CiviCRM'],
1544 ];
1545
1546 $permissions['message_template'] = [
1547 'get' => ['access CiviCRM'],
1548 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1549 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1550 ];
1551
1552 $permissions['report_template']['update'] = 'save Report Criteria';
1553 $permissions['report_template']['create'] = 'save Report Criteria';
1554 return $permissions;
1555 }
1556
1557 /**
1558 * Translate an unknown action to a canonical form.
1559 *
1560 * @param string $action
1561 *
1562 * @return string
1563 * the standardised action name
1564 */
1565 public static function getGenericAction($action) {
1566 $snippet = substr($action, 0, 3);
1567 if ($action == 'replace' || $snippet == 'del') {
1568 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1569 // on each of those will be tested separately at runtime. This is just a sniff-test
1570 // based on the heuristic that 'delete' tends to be the most closely guarded
1571 // of the necessary permissions.
1572 $action = 'delete';
1573 }
1574 elseif ($action == 'setvalue' || $snippet == 'upd') {
1575 $action = 'update';
1576 }
1577 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1578 $action = 'meta';
1579 }
1580 elseif ($snippet == 'get') {
1581 $action = 'get';
1582 }
1583 return $action;
1584 }
1585
1586 /**
1587 * Validate user permission across.
1588 * edit or view or with supportable acls.
1589 *
1590 * @return bool
1591 */
1592 public static function giveMeAllACLs() {
1593 if (CRM_Core_Permission::check('view all contacts') ||
1594 CRM_Core_Permission::check('edit all contacts')
1595 ) {
1596 return TRUE;
1597 }
1598
1599 $session = CRM_Core_Session::singleton();
1600 $contactID = $session->get('userID');
1601
1602 //check for acl.
1603 $aclPermission = self::getPermission();
1604 if (in_array($aclPermission, [
1605 CRM_Core_Permission::EDIT,
1606 CRM_Core_Permission::VIEW,
1607 ])
1608 ) {
1609 return TRUE;
1610 }
1611
1612 // run acl where hook and see if the user is supplying an ACL clause
1613 // that is not false
1614 $tables = $whereTables = [];
1615 $where = NULL;
1616
1617 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1618 $tables, $whereTables,
1619 $contactID, $where
1620 );
1621 return empty($whereTables) ? FALSE : TRUE;
1622 }
1623
1624 /**
1625 * Get component name from given permission.
1626 *
1627 * @param string $permission
1628 *
1629 * @return null|string
1630 * the name of component.
1631 */
1632 public static function getComponentName($permission) {
1633 $componentName = NULL;
1634 $permission = trim($permission);
1635 if (empty($permission)) {
1636 return $componentName;
1637 }
1638
1639 static $allCompPermissions = [];
1640 if (empty($allCompPermissions)) {
1641 $components = CRM_Core_Component::getComponents();
1642 foreach ($components as $name => $comp) {
1643 //get all permissions of each components unconditionally
1644 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
1645 }
1646 }
1647
1648 if (is_array($allCompPermissions)) {
1649 foreach ($allCompPermissions as $name => $permissions) {
1650 if (array_key_exists($permission, $permissions)) {
1651 $componentName = $name;
1652 break;
1653 }
1654 }
1655 }
1656
1657 return $componentName;
1658 }
1659
1660 /**
1661 * Get all the contact emails for users that have a specific permission.
1662 *
1663 * @param string $permissionName
1664 * Name of the permission we are interested in.
1665 *
1666 * @return string
1667 * a comma separated list of email addresses
1668 */
1669 public static function permissionEmails($permissionName) {
1670 $config = CRM_Core_Config::singleton();
1671 return $config->userPermissionClass->permissionEmails($permissionName);
1672 }
1673
1674 /**
1675 * Get all the contact emails for users that have a specific role.
1676 *
1677 * @param string $roleName
1678 * Name of the role we are interested in.
1679 *
1680 * @return string
1681 * a comma separated list of email addresses
1682 */
1683 public static function roleEmails($roleName) {
1684 $config = CRM_Core_Config::singleton();
1685 return $config->userRoleClass->roleEmails($roleName);
1686 }
1687
1688 /**
1689 * @return bool
1690 */
1691 public static function isMultisiteEnabled() {
1692 return (bool) Civi::settings()->get('is_enabled');
1693 }
1694
1695 /**
1696 * Verify if the user has permission to get the invoice.
1697 *
1698 * @return bool
1699 * TRUE if the user has download all invoices permission or download my
1700 * invoices permission and the invoice author is the current user.
1701 */
1702 public static function checkDownloadInvoice() {
1703 $cid = CRM_Core_Session::getLoggedInContactID();
1704 if (CRM_Core_Permission::check('access CiviContribute') ||
1705 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1706 ) {
1707 return TRUE;
1708 }
1709 return FALSE;
1710 }
1711
1712 }