3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.3 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2013 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2013
37 * This is the basic permission class wrapper
39 class CRM_Core_Permission
{
42 * Static strings used to compose permissions
47 CONST EDIT_GROUPS
= 'edit contacts in ', VIEW_GROUPS
= 'view contacts in ';
50 * The various type of permissions
54 CONST EDIT
= 1, VIEW
= 2, DELETE
= 3, CREATE
= 4, SEARCH
= 5, ALL
= 6, ADMIN
= 7;
57 * get the current permission of this user
59 * @return string the permission of the user (edit or view or null)
61 public static function getPermission() {
62 $config = CRM_Core_Config
::singleton();
63 return $config->userPermissionClass
->getPermission( );
67 * given a permission string, check for access requirements
69 * @param string $str the permission to check
71 * @return boolean true if yes, else false
75 static function check($str) {
76 $config = CRM_Core_Config
::singleton();
77 return $config->userPermissionClass
->check( $str );
81 * Given a group/role array, check for access requirements
83 * @param array $array the group/role to check
85 * @return boolean true if yes, else false
89 static function checkGroupRole($array) {
90 $config = CRM_Core_Config
::singleton();
91 return $config->userPermissionClass
->checkGroupRole( $array );
95 * Get the permissioned where clause for the user
97 * @param int $type the type of permission needed
98 * @param array $tables (reference ) add the tables that are needed for the select clause
99 * @param array $whereTables (reference ) add the tables that are needed for the where clause
101 * @return string the group where clause for this user
104 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
105 $config = CRM_Core_Config
::singleton();
106 return $config->userPermissionClass
->getPermissionedStaticGroupClause( $type, $tables, $whereTables );
110 * Get all groups from database, filtered by permissions
113 * @param string $groupType type of group(Access/Mailing)
114 * @param boolen $excludeHidden exclude hidden groups.
119 * @return array - array reference of all groups.
122 public static function group($groupType, $excludeHidden = TRUE) {
123 $config = CRM_Core_Config
::singleton();
124 return $config->userPermissionClass
->group( $groupType, $excludeHidden );
127 public static function customGroupAdmin() {
130 // check if user has all powerful permission
131 // or administer civicrm permission (CRM-1905)
132 if (self
::check('access all custom data')) {
136 if (self
::check('administer Multiple Organizations') &&
137 self
::isMultisiteEnabled()
142 if (self
::check('administer CiviCRM')) {
149 public static function customGroup($type = CRM_Core_Permission
::VIEW
, $reset = FALSE) {
150 $customGroups = CRM_Core_PseudoConstant
::customGroup($reset);
151 $defaultGroups = array();
153 // check if user has all powerful permission
154 // or administer civicrm permission (CRM-1905)
155 if (self
::customGroupAdmin()) {
156 $defaultGroups = array_keys($customGroups);
159 return CRM_ACL_API
::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
162 static function customGroupClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL, $reset = FALSE) {
163 if (self
::customGroupAdmin()) {
167 $groups = self
::customGroup($type, $reset);
168 if (empty($groups)) {
172 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
176 public static function ufGroupValid($gid, $type = CRM_Core_Permission
::VIEW
) {
181 $groups = self
::ufGroup($type);
182 return in_array($gid, $groups) ?
TRUE : FALSE;
185 public static function ufGroup($type = CRM_Core_Permission
::VIEW
) {
186 $ufGroups = CRM_Core_PseudoConstant
::ufGroup();
188 $allGroups = array_keys($ufGroups);
190 // check if user has all powerful permission
191 if (self
::check('profile listings and forms')) {
196 case CRM_Core_Permission
::VIEW
:
197 if (self
::check('profile view')) {
202 case CRM_Core_Permission
::CREATE
:
203 if (self
::check('profile create')) {
208 case CRM_Core_Permission
::EDIT
:
209 if (self
::check('profile edit')) {
214 case CRM_Core_Permission
::SEARCH
:
215 if (self
::check('profile listings')) {
221 return CRM_ACL_API
::group($type, NULL, 'civicrm_uf_group', $ufGroups);
224 static function ufGroupClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL, $returnUFGroupIds = FALSE) {
225 $groups = self
::ufGroup($type);
226 if ($returnUFGroupIds) {
229 elseif (empty($groups)) {
233 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
237 public static function event($type = CRM_Core_Permission
::VIEW
, $eventID = NULL) {
238 $events = CRM_Event_PseudoConstant
::event(NULL, TRUE);
239 $includeEvents = array();
241 // check if user has all powerful permission
242 if (self
::check('register for events')) {
243 $includeEvents = array_keys($events);
246 if ($type == CRM_Core_Permission
::VIEW
&&
247 self
::check('view event info')
249 $includeEvents = array_keys($events);
252 $permissionedEvents = CRM_ACL_API
::group($type, NULL, 'civicrm_event', $events, $includeEvents);
254 return $permissionedEvents;
256 return array_search($eventID, $permissionedEvents) === FALSE ?
NULL : $eventID;
259 static function eventClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL) {
260 $events = self
::event($type);
261 if (empty($events)) {
265 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
269 static function access($module, $checkPermission = TRUE) {
270 $config = CRM_Core_Config
::singleton();
272 if (!in_array($module, $config->enableComponents
)) {
276 if ($checkPermission) {
277 if ($module == 'CiviCase') {
278 return CRM_Case_BAO_Case
::accessCiviCase();
281 return CRM_Core_Permission
::check("access $module");
289 * check permissions for delete and edit actions
291 * @param string $module component name.
292 * @param $action action to be check across component
295 static function checkActionPermission($module, $action) {
296 //check delete related permissions.
297 if ($action & CRM_Core_Action
::DELETE
) {
298 $permissionName = "delete in $module";
301 $editPermissions = array(
302 'CiviEvent' => 'edit event participants',
303 'CiviMember' => 'edit memberships',
304 'CiviPledge' => 'edit pledges',
305 'CiviContribute' => 'edit contributions',
306 'CiviGrant' => 'edit grants',
307 'CiviMail' => 'access CiviMail',
308 'CiviAuction' => 'add auction items',
310 $permissionName = CRM_Utils_Array
::value($module, $editPermissions);
313 if ($module == 'CiviCase' && !$permissionName) {
314 return CRM_Case_BAO_Case
::accessCiviCase();
317 //check for permission.
318 return CRM_Core_Permission
::check($permissionName);
322 static function checkMenu(&$args, $op = 'and') {
323 if (!is_array($args)) {
326 foreach ($args as $str) {
327 $res = CRM_Core_Permission
::check($str);
328 if ($op == 'or' && $res) {
331 elseif ($op == 'and' && !$res) {
335 return ($op == 'or') ?
FALSE : TRUE;
338 static function checkMenuItem(&$item) {
339 if (!array_key_exists('access_callback', $item)) {
340 CRM_Core_Error
::backtrace();
341 CRM_Core_Error
::fatal();
344 // if component_id is present, ensure it is enabled
345 if (isset($item['component_id']) &&
346 $item['component_id']
348 $config = CRM_Core_Config
::singleton();
349 if (is_array($config->enableComponentIDs
) &&
350 in_array($item['component_id'], $config->enableComponentIDs
)
352 // continue with process
359 // the following is imitating drupal 6 code in includes/menu.inc
360 if (empty($item['access_callback']) ||
361 is_numeric($item['access_callback'])
363 return (boolean
) $item['access_callback'];
366 // check whether the following Ajax requests submitted the right key
367 // FIXME: this should be integrated into ACLs proper
368 if (CRM_Utils_Array
::value('page_type', $item) == 3) {
369 if (!CRM_Core_Key
::validate($_REQUEST['key'], $item['path'])) {
374 // check if callback is for checkMenu, if so optimize it
375 if (is_array($item['access_callback']) &&
376 $item['access_callback'][0] == 'CRM_Core_Permission' &&
377 $item['access_callback'][1] == 'checkMenu'
379 $op = CRM_Utils_Array
::value(1, $item['access_arguments'], 'and');
380 return self
::checkMenu($item['access_arguments'][0], $op);
383 return call_user_func_array($item['access_callback'], $item['access_arguments']);
387 static function &basicPermissions($all = FALSE) {
388 static $permissions = NULL;
391 $prefix = ts('CiviCRM') . ': ';
392 $permissions = self
::getCorePermissions();
394 if (self
::isMultisiteEnabled()) {
395 $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
398 $config = CRM_Core_Config
::singleton();
401 $components = CRM_Core_Component
::getEnabledComponents();
404 $components = CRM_Core_Component
::getComponents();
407 foreach ($components as $comp) {
408 $perm = $comp->getPermissions();
410 $info = $comp->getInfo();
411 foreach ($perm as $p) {
412 $permissions[$p] = $info['translatedName'] . ': ' . $p;
417 // Add any permissions defined in hook_civicrm_permission implementations.
418 $config = CRM_Core_Config
::singleton();
419 $module_permissions = $config->userPermissionClass
->getAllModulePermissions();
420 $permissions = array_merge($permissions, $module_permissions);
426 static function getCorePermissions() {
427 $prefix = ts('CiviCRM') . ': ';
428 $permissions = array(
429 'add contacts' => $prefix . ts('add contacts'),
430 'view all contacts' => $prefix . ts('view all contacts'),
431 'edit all contacts' => $prefix . ts('edit all contacts'),
432 'delete contacts' => $prefix . ts('delete contacts'),
433 'access deleted contacts' => $prefix . ts('access deleted contacts'),
434 'import contacts' => $prefix . ts('import contacts'),
435 'edit groups' => $prefix . ts('edit groups'),
436 'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
437 'access uploaded files' => $prefix . ts('access uploaded files'),
438 'profile listings and forms' => $prefix . ts('profile listings and forms'),
439 'profile listings' => $prefix . ts('profile listings'),
440 'profile create' => $prefix . ts('profile create'),
441 'profile edit' => $prefix . ts('profile edit'),
442 'profile view' => $prefix . ts('profile view'),
443 'access all custom data' => $prefix . ts('access all custom data'),
444 'view all activities' => $prefix . ts('view all activities'),
445 'delete activities' => $prefix . ts('delete activities'),
446 'access CiviCRM' => $prefix . ts('access CiviCRM'),
447 'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
448 'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
449 'administer reserved groups' => $prefix . ts('administer reserved groups'),
450 'administer Tagsets' => $prefix . ts('administer Tagsets'),
451 'administer reserved tags' => $prefix . ts('administer reserved tags'),
452 'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
453 'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
454 'view debug output' => $prefix . ts('view debug output'),
455 'view all notes' => $prefix . ts('view all notes'),
456 'access AJAX API' => $prefix . ts('access AJAX API'),
457 'access contact reference fields' => $prefix . ts('access contact reference fields'),
458 'create manual batch' => $prefix . ts('create manual batch'),
459 'edit own manual batches' => $prefix . ts('edit own manual batches'),
460 'edit all manual batches' => $prefix . ts('edit all manual batches'),
461 'view own manual batches' => $prefix . ts('view own manual batches'),
462 'view all manual batches' => $prefix . ts('view all manual batches'),
463 'delete own manual batches' => $prefix . ts('delete own manual batches'),
464 'delete all manual batches' => $prefix . ts('delete all manual batches'),
465 'export own manual batches' => $prefix . ts('export own manual batches'),
466 'export all manual batches' => $prefix . ts('export all manual batches'),
473 * Validate user permission across
474 * edit or view or with supportable acls.
476 * return boolean true/false.
478 static function giveMeAllACLs() {
479 if (CRM_Core_Permission
::check('view all contacts') ||
480 CRM_Core_Permission
::check('edit all contacts')
485 $session = CRM_Core_Session
::singleton();
486 $contactID = $session->get('userID');
488 if (self
::isMultisiteEnabled()) {
489 // For multisite just check if there are contacts in acl_contact_cache table for now.
490 // FixMe: so even if a user in multisite has very limited permission could still
491 // see search / contact navigation options for example.
492 return CRM_Contact_BAO_Contact_Permission
::hasContactsInCache(CRM_Core_Permission
::VIEW
,
498 $aclPermission = self
::getPermission();
499 if (in_array($aclPermission, array(
500 CRM_Core_Permission
::EDIT
,
501 CRM_Core_Permission
::VIEW
,
506 // run acl where hook and see if the user is supplying an ACL clause
508 $tables = $whereTables = array();
511 CRM_Utils_Hook
::aclWhereClause(CRM_Core_Permission
::VIEW
,
512 $tables, $whereTables,
515 return empty($whereTables) ?
FALSE : TRUE;
519 * Function to get component name from given permission.
521 * @param string $permission
523 * return string $componentName the name of component.
526 static function getComponentName($permission) {
527 $componentName = NULL;
528 $permission = trim($permission);
529 if (empty($permission)) {
530 return $componentName;
533 static $allCompPermissions = array();
534 if (empty($allCompPermissions)) {
535 $components = CRM_Core_Component
::getComponents();
536 foreach ($components as $name => $comp) {
537 $allCompPermissions[$name] = $comp->getPermissions();
541 if (is_array($allCompPermissions)) {
542 foreach ($allCompPermissions as $name => $permissions) {
543 if (in_array($permission, $permissions)) {
544 $componentName = $name;
550 return $componentName;
554 * Get all the contact emails for users that have a specific permission
556 * @param string $permissionName name of the permission we are interested in
558 * @return string a comma separated list of email addresses
560 public static function permissionEmails($permissionName) {
561 $config = CRM_Core_Config
::singleton();
562 return $config->userPermissionClass
->permissionEmails( $permissionName );
566 * Get all the contact emails for users that have a specific role
568 * @param string $roleName name of the role we are interested in
570 * @return string a comma separated list of email addresses
572 public static function roleEmails($roleName) {
573 $config = CRM_Core_Config
::singleton();
574 return $config->userRoleClass
->roleEmails( $roleName );
577 static function isMultisiteEnabled() {
578 return CRM_Core_BAO_Setting
::getItem(CRM_Core_BAO_Setting
::MULTISITE_PREFERENCES_NAME
,