projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Revert "Merge pull request #1371 from drumm/CRM-12930-smarty-safe-mode"
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.3 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2013 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2013
32 * $Id$
33 *
34 */
35
36 /**
37 * This is the basic permission class wrapper
38 */
39 class CRM_Core_Permission {
40
41 /**
42 * Static strings used to compose permissions
43 *
44 * @const
45 * @var string
46 */
47 CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
48
49 /**
50 * The various type of permissions
51 *
52 * @var int
53 */
54 CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
55
56 /**
57 * A placeholder permission which always fails
58 */
59 const ALWAYS_DENY_PERMISSION = "*always deny*";
60
61 /**
62 * A placeholder permission which always fails
63 */
64 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
65
66 /**
67 * get the current permission of this user
68 *
69 * @return string the permission of the user (edit or view or null)
70 */
71 public static function getPermission() {
72 $config = CRM_Core_Config::singleton();
73 return $config->userPermissionClass->getPermission( );
74 }
75
76 /**
77 * given a permission string, check for access requirements
78 *
79 * @param string $str the permission to check
80 *
81 * @return boolean true if yes, else false
82 * @static
83 * @access public
84 */
85 static function check($str) {
86 $config = CRM_Core_Config::singleton();
87 return $config->userPermissionClass->check( $str );
88 }
89
90 /**
91 * Determine if any one of the permissions strings applies to current user
92 *
93 * @param array $perms
94 * @return bool
95 */
96 public static function checkAnyPerm($perms) {
97 foreach ($perms as $perm) {
98 if (CRM_Core_Permission::check($perm)) {
99 return TRUE;
100 }
101 }
102 return FALSE;
103 }
104
105 /**
106 * Given a group/role array, check for access requirements
107 *
108 * @param array $array the group/role to check
109 *
110 * @return boolean true if yes, else false
111 * @static
112 * @access public
113 */
114 static function checkGroupRole($array) {
115 $config = CRM_Core_Config::singleton();
116 return $config->userPermissionClass->checkGroupRole( $array );
117 }
118
119 /**
120 * Get the permissioned where clause for the user
121 *
122 * @param int $type the type of permission needed
123 * @param array $tables (reference ) add the tables that are needed for the select clause
124 * @param array $whereTables (reference ) add the tables that are needed for the where clause
125 *
126 * @return string the group where clause for this user
127 * @access public
128 */
129 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
130 $config = CRM_Core_Config::singleton();
131 return $config->userPermissionClass->getPermissionedStaticGroupClause( $type, $tables, $whereTables );
132 }
133
134 /**
135 * Get all groups from database, filtered by permissions
136 * for this user
137 *
138 * @param string $groupType type of group(Access/Mailing)
139 * @param boolen $excludeHidden exclude hidden groups.
140 *
141 * @access public
142 * @static
143 *
144 * @return array - array reference of all groups.
145 *
146 */
147 public static function group($groupType, $excludeHidden = TRUE) {
148 $config = CRM_Core_Config::singleton();
149 return $config->userPermissionClass->group( $groupType, $excludeHidden );
150 }
151
152 public static function customGroupAdmin() {
153 $admin = FALSE;
154
155 // check if user has all powerful permission
156 // or administer civicrm permission (CRM-1905)
157 if (self::check('access all custom data')) {
158 return TRUE;
159 }
160
161 if (
162 self::check('administer Multiple Organizations') &&
163 self::isMultisiteEnabled()
164 ) {
165 return TRUE;
166 }
167
168 if (self::check('administer CiviCRM')) {
169 return TRUE;
170 }
171
172 return FALSE;
173 }
174
175 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
176 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id', array('fresh' => $reset));
177 $defaultGroups = array();
178
179 // check if user has all powerful permission
180 // or administer civicrm permission (CRM-1905)
181 if (self::customGroupAdmin()) {
182 $defaultGroups = array_keys($customGroups);
183 }
184
185 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
186 }
187
188 static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
189 if (self::customGroupAdmin()) {
190 return ' ( 1 ) ';
191 }
192
193 $groups = self::customGroup($type, $reset);
194 if (empty($groups)) {
195 return ' ( 0 ) ';
196 }
197 else {
198 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
199 }
200 }
201
202 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
203 if (empty($gid)) {
204 return TRUE;
205 }
206
207 $groups = self::ufGroup($type);
208 return in_array($gid, $groups) ? TRUE : FALSE;
209 }
210
211 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
212 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
213
214 $allGroups = array_keys($ufGroups);
215
216 // check if user has all powerful permission
217 if (self::check('profile listings and forms')) {
218 return $allGroups;
219 }
220
221 switch ($type) {
222 case CRM_Core_Permission::VIEW:
223 if (self::check('profile view')) {
224 return $allGroups;
225 }
226 break;
227
228 case CRM_Core_Permission::CREATE:
229 if (self::check('profile create')) {
230 return $allGroups;
231 }
232 break;
233
234 case CRM_Core_Permission::EDIT:
235 if (self::check('profile edit')) {
236 return $allGroups;
237 }
238 break;
239
240 case CRM_Core_Permission::SEARCH:
241 if (self::check('profile listings')) {
242 return $allGroups;
243 }
244 break;
245 }
246
247 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
248 }
249
250 static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
251 $groups = self::ufGroup($type);
252 if ($returnUFGroupIds) {
253 return $groups;
254 }
255 elseif (empty($groups)) {
256 return ' ( 0 ) ';
257 }
258 else {
259 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
260 }
261 }
262
263 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
264 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
265 $includeEvents = array();
266
267 // check if user has all powerful permission
268 if (self::check('register for events')) {
269 $includeEvents = array_keys($events);
270 }
271
272 if ($type == CRM_Core_Permission::VIEW &&
273 self::check('view event info')
274 ) {
275 $includeEvents = array_keys($events);
276 }
277
278 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
279 if (!$eventID) {
280 return $permissionedEvents;
281 }
282 if (!empty($permissionedEvents)){
283 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
284 } else {
285 return $eventID;
286 }
287 }
288
289 static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
290 $events = self::event($type);
291 if (empty($events)) {
292 return ' ( 0 ) ';
293 }
294 else {
295 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
296 }
297 }
298
299 static function access($module, $checkPermission = TRUE) {
300 $config = CRM_Core_Config::singleton();
301
302 if (!in_array($module, $config->enableComponents)) {
303 return FALSE;
304 }
305
306 if ($checkPermission) {
307 if ($module == 'CiviCase') {
308 return CRM_Case_BAO_Case::accessCiviCase();
309 }
310 else {
311 return CRM_Core_Permission::check("access $module");
312 }
313 }
314
315 return TRUE;
316 }
317
318 /**
319 * check permissions for delete and edit actions
320 *
321 * @param string $module component name.
322 * @param $action action to be check across component
323 *
324 **/
325 static function checkActionPermission($module, $action) {
326 //check delete related permissions.
327 if ($action & CRM_Core_Action::DELETE) {
328 $permissionName = "delete in $module";
329 }
330 else {
331 $editPermissions = array(
332 'CiviEvent' => 'edit event participants',
333 'CiviMember' => 'edit memberships',
334 'CiviPledge' => 'edit pledges',
335 'CiviContribute' => 'edit contributions',
336 'CiviGrant' => 'edit grants',
337 'CiviMail' => 'access CiviMail',
338 'CiviAuction' => 'add auction items',
339 );
340 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
341 }
342
343 if ($module == 'CiviCase' && !$permissionName) {
344 return CRM_Case_BAO_Case::accessCiviCase();
345 }
346 else {
347 //check for permission.
348 return CRM_Core_Permission::check($permissionName);
349 }
350 }
351
352 static function checkMenu(&$args, $op = 'and') {
353 if (!is_array($args)) {
354 return $args;
355 }
356 foreach ($args as $str) {
357 $res = CRM_Core_Permission::check($str);
358 if ($op == 'or' && $res) {
359 return TRUE;
360 }
361 elseif ($op == 'and' && !$res) {
362 return FALSE;
363 }
364 }
365 return ($op == 'or') ? FALSE : TRUE;
366 }
367
368 static function checkMenuItem(&$item) {
369 if (!array_key_exists('access_callback', $item)) {
370 CRM_Core_Error::backtrace();
371 CRM_Core_Error::fatal();
372 }
373
374 // if component_id is present, ensure it is enabled
375 if (isset($item['component_id']) &&
376 $item['component_id']
377 ) {
378 $config = CRM_Core_Config::singleton();
379 if (is_array($config->enableComponentIDs) &&
380 in_array($item['component_id'], $config->enableComponentIDs)
381 ) {
382 // continue with process
383 }
384 else {
385 return FALSE;
386 }
387 }
388
389 // the following is imitating drupal 6 code in includes/menu.inc
390 if (empty($item['access_callback']) ||
391 is_numeric($item['access_callback'])
392 ) {
393 return (boolean ) $item['access_callback'];
394 }
395
396 // check whether the following Ajax requests submitted the right key
397 // FIXME: this should be integrated into ACLs proper
398 if (CRM_Utils_Array::value('page_type', $item) == 3) {
399 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
400 return FALSE;
401 }
402 }
403
404 // check if callback is for checkMenu, if so optimize it
405 if (is_array($item['access_callback']) &&
406 $item['access_callback'][0] == 'CRM_Core_Permission' &&
407 $item['access_callback'][1] == 'checkMenu'
408 ) {
409 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
410 return self::checkMenu($item['access_arguments'][0], $op);
411 }
412 else {
413 return call_user_func_array($item['access_callback'], $item['access_arguments']);
414 }
415 }
416
417 static function &basicPermissions($all = FALSE) {
418 static $permissions = NULL;
419
420 if (!$permissions) {
421 $prefix = ts('CiviCRM') . ': ';
422 $permissions = self::getCorePermissions();
423
424 if (self::isMultisiteEnabled()) {
425 $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
426 }
427
428 $config = CRM_Core_Config::singleton();
429
430 if (!$all) {
431 $components = CRM_Core_Component::getEnabledComponents();
432 }
433 else {
434 $components = CRM_Core_Component::getComponents();
435 }
436
437 foreach ($components as $comp) {
438 $perm = $comp->getPermissions();
439 if ($perm) {
440 $info = $comp->getInfo();
441 foreach ($perm as $p) {
442 $permissions[$p] = $info['translatedName'] . ': ' . $p;
443 }
444 }
445 }
446
447 // Add any permissions defined in hook_civicrm_permission implementations.
448 $config = CRM_Core_Config::singleton();
449 $module_permissions = $config->userPermissionClass->getAllModulePermissions();
450 $permissions = array_merge($permissions, $module_permissions);
451 }
452
453 return $permissions;
454 }
455
456 static function getCorePermissions() {
457 $prefix = ts('CiviCRM') . ': ';
458 $permissions = array(
459 'add contacts' => $prefix . ts('add contacts'),
460 'view all contacts' => $prefix . ts('view all contacts'),
461 'edit all contacts' => $prefix . ts('edit all contacts'),
462 'view my contact' => $prefix . ts('view my contact'),
463 'edit my contact' => $prefix . ts('edit my contact'),
464 'delete contacts' => $prefix . ts('delete contacts'),
465 'access deleted contacts' => $prefix . ts('access deleted contacts'),
466 'import contacts' => $prefix . ts('import contacts'),
467 'edit groups' => $prefix . ts('edit groups'),
468 'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
469 'skip IDS check' => $prefix . ts('skip IDS check'),
470 'access uploaded files' => $prefix . ts('access uploaded files'),
471 'profile listings and forms' => $prefix . ts('profile listings and forms'),
472 'profile listings' => $prefix . ts('profile listings'),
473 'profile create' => $prefix . ts('profile create'),
474 'profile edit' => $prefix . ts('profile edit'),
475 'profile view' => $prefix . ts('profile view'),
476 'access all custom data' => $prefix . ts('access all custom data'),
477 'view all activities' => $prefix . ts('view all activities'),
478 'delete activities' => $prefix . ts('delete activities'),
479 'access CiviCRM' => $prefix . ts('access CiviCRM'),
480 'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
481 'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
482 'administer reserved groups' => $prefix . ts('administer reserved groups'),
483 'administer Tagsets' => $prefix . ts('administer Tagsets'),
484 'administer reserved tags' => $prefix . ts('administer reserved tags'),
485 'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
486 'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
487 'view debug output' => $prefix . ts('view debug output'),
488 'view all notes' => $prefix . ts('view all notes'),
489 'access AJAX API' => $prefix . ts('access AJAX API'),
490 'access contact reference fields' => $prefix . ts('access contact reference fields'),
491 'create manual batch' => $prefix . ts('create manual batch'),
492 'edit own manual batches' => $prefix . ts('edit own manual batches'),
493 'edit all manual batches' => $prefix . ts('edit all manual batches'),
494 'view own manual batches' => $prefix . ts('view own manual batches'),
495 'view all manual batches' => $prefix . ts('view all manual batches'),
496 'delete own manual batches' => $prefix . ts('delete own manual batches'),
497 'delete all manual batches' => $prefix . ts('delete all manual batches'),
498 'export own manual batches' => $prefix . ts('export own manual batches'),
499 'export all manual batches' => $prefix . ts('export all manual batches'),
500 );
501
502 return $permissions;
503 }
504
505 /**
506 * Validate user permission across
507 * edit or view or with supportable acls.
508 *
509 * return boolean true/false.
510 **/
511 static function giveMeAllACLs() {
512 if (CRM_Core_Permission::check('view all contacts') ||
513 CRM_Core_Permission::check('edit all contacts')
514 ) {
515 return TRUE;
516 }
517
518 $session = CRM_Core_Session::singleton();
519 $contactID = $session->get('userID');
520
521 //check for acl.
522 $aclPermission = self::getPermission();
523 if (in_array($aclPermission, array(
524 CRM_Core_Permission::EDIT,
525 CRM_Core_Permission::VIEW,
526 ))) {
527 return TRUE;
528 }
529
530 // run acl where hook and see if the user is supplying an ACL clause
531 // that is not false
532 $tables = $whereTables = array();
533 $where = NULL;
534
535 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
536 $tables, $whereTables,
537 $contactID, $where
538 );
539 return empty($whereTables) ? FALSE : TRUE;
540 }
541
542 /**
543 * Function to get component name from given permission.
544 *
545 * @param string $permission
546 *
547 * return string $componentName the name of component.
548 * @static
549 */
550 static function getComponentName($permission) {
551 $componentName = NULL;
552 $permission = trim($permission);
553 if (empty($permission)) {
554 return $componentName;
555 }
556
557 static $allCompPermissions = array();
558 if (empty($allCompPermissions)) {
559 $components = CRM_Core_Component::getComponents();
560 foreach ($components as $name => $comp) {
561 //get all permissions of each components unconditionally
562 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
563 }
564 }
565
566 if (is_array($allCompPermissions)) {
567 foreach ($allCompPermissions as $name => $permissions) {
568 if (in_array($permission, $permissions)) {
569 $componentName = $name;
570 break;
571 }
572 }
573 }
574
575 return $componentName;
576 }
577
578 /**
579 * Get all the contact emails for users that have a specific permission
580 *
581 * @param string $permissionName name of the permission we are interested in
582 *
583 * @return string a comma separated list of email addresses
584 */
585 public static function permissionEmails($permissionName) {
586 $config = CRM_Core_Config::singleton();
587 return $config->userPermissionClass->permissionEmails( $permissionName );
588 }
589
590 /**
591 * Get all the contact emails for users that have a specific role
592 *
593 * @param string $roleName name of the role we are interested in
594 *
595 * @return string a comma separated list of email addresses
596 */
597 public static function roleEmails($roleName) {
598 $config = CRM_Core_Config::singleton();
599 return $config->userRoleClass->roleEmails( $roleName );
600 }
601
602 static function isMultisiteEnabled() {
603 return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
604 'is_enabled'
605 ) ? TRUE : FALSE;
606 }
607 }
608