projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Move household relationship types to the processor
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2018 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2018
32 * $Id$
33 *
34 */
35
36 /**
37 * This is the basic permission class wrapper
38 */
39 class CRM_Core_Permission {
40
41 /**
42 * Static strings used to compose permissions.
43 *
44 * @const
45 * @var string
46 */
47 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
48
49 /**
50 * The various type of permissions.
51 *
52 * @var int
53 */
54 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
55
56 /**
57 * A placeholder permission which always fails.
58 */
59 const ALWAYS_DENY_PERMISSION = "*always deny*";
60
61 /**
62 * A placeholder permission which always fails.
63 */
64 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
65
66 /**
67 * Various authentication sources.
68 *
69 * @var int
70 */
71 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
72
73 /**
74 * Get the current permission of this user.
75 *
76 * @return string
77 * the permission of the user (edit or view or null)
78 */
79 public static function getPermission() {
80 $config = CRM_Core_Config::singleton();
81 return $config->userPermissionClass->getPermission();
82 }
83
84 /**
85 * Given a permission string or array, check for access requirements
86 * @param mixed $permissions
87 * The permission to check as an array or string -see examples.
88 * arrays
89 *
90 * Ex 1
91 *
92 * Must have 'access CiviCRM'
93 * (string) 'access CiviCRM'
94 *
95 *
96 * Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
97 * array('access CiviCRM', 'access Ajax API')
98 *
99 * Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
100 * array(
101 * array('access CiviCRM', 'access Ajax API'),
102 * ),
103 *
104 * Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
105 * array(
106 * array('access CiviCRM', 'access Ajax API'),
107 * 'access CiviEvent',
108 * ),
109 *
110 * Note that in permissions.php this is keyed by the action eg.
111 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
112 * 'myaction' => array(
113 * array('access CiviCRM', 'access Ajax API'),
114 * array('access CiviEvent', 'access CiviContribute')
115 * ),
116 *
117 * @return bool
118 * true if yes, else false
119 */
120 public static function check($permissions) {
121 $permissions = (array) $permissions;
122
123 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
124
125 foreach ($permissions as $permission) {
126 if (is_array($permission)) {
127 foreach ($permission as $orPerm) {
128 if (self::check($orPerm)) {
129 //one of our 'or' permissions has succeeded - stop checking this permission
130 return TRUE;
131 }
132 }
133 //none of our our conditions was met
134 return FALSE;
135 }
136 else {
137 // This is an individual permission
138 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission);
139 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
140 CRM_Utils_Hook::permission_check($permission, $granted);
141 if (
142 !$granted
143 && !($tempPerm && $tempPerm->check($permission))
144 ) {
145 //one of our 'and' conditions has not been met
146 return FALSE;
147 }
148 }
149 }
150 return TRUE;
151 }
152
153 /**
154 * Determine if any one of the permissions strings applies to current user.
155 *
156 * @param array $perms
157 * @return bool
158 */
159 public static function checkAnyPerm($perms) {
160 foreach ($perms as $perm) {
161 if (CRM_Core_Permission::check($perm)) {
162 return TRUE;
163 }
164 }
165 return FALSE;
166 }
167
168 /**
169 * Given a group/role array, check for access requirements
170 *
171 * @param array $array
172 * The group/role to check.
173 *
174 * @return bool
175 * true if yes, else false
176 */
177 public static function checkGroupRole($array) {
178 $config = CRM_Core_Config::singleton();
179 return $config->userPermissionClass->checkGroupRole($array);
180 }
181
182 /**
183 * Get the permissioned where clause for the user.
184 *
185 * @param int $type
186 * The type of permission needed.
187 * @param array $tables
188 * (reference ) add the tables that are needed for the select clause.
189 * @param array $whereTables
190 * (reference ) add the tables that are needed for the where clause.
191 *
192 * @return string
193 * the group where clause for this user
194 */
195 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
196 $config = CRM_Core_Config::singleton();
197 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
198 }
199
200 /**
201 * Get all groups from database, filtered by permissions
202 * for this user
203 *
204 * @param string $groupType
205 * Type of group(Access/Mailing).
206 * @param bool $excludeHidden
207 * exclude hidden groups.
208 *
209 *
210 * @return array
211 * array reference of all groups.
212 */
213 public static function group($groupType, $excludeHidden = TRUE) {
214 $config = CRM_Core_Config::singleton();
215 return $config->userPermissionClass->group($groupType, $excludeHidden);
216 }
217
218 /**
219 * @return bool
220 */
221 public static function customGroupAdmin() {
222 $admin = FALSE;
223
224 // check if user has all powerful permission
225 // or administer civicrm permission (CRM-1905)
226 if (self::check('access all custom data')) {
227 return TRUE;
228 }
229
230 if (
231 self::check('administer Multiple Organizations') &&
232 self::isMultisiteEnabled()
233 ) {
234 return TRUE;
235 }
236
237 if (self::check('administer CiviCRM')) {
238 return TRUE;
239 }
240
241 return FALSE;
242 }
243
244 /**
245 * @param int $type
246 * @param bool $reset
247 *
248 * @return array
249 */
250 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
251 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
252 array('fresh' => $reset));
253 $defaultGroups = array();
254
255 // check if user has all powerful permission
256 // or administer civicrm permission (CRM-1905)
257 if (self::customGroupAdmin()) {
258 $defaultGroups = array_keys($customGroups);
259 }
260
261 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
262 }
263
264 /**
265 * @param int $type
266 * @param null $prefix
267 * @param bool $reset
268 *
269 * @return string
270 */
271 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
272 if (self::customGroupAdmin()) {
273 return ' ( 1 ) ';
274 }
275
276 $groups = self::customGroup($type, $reset);
277 if (empty($groups)) {
278 return ' ( 0 ) ';
279 }
280 else {
281 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
282 }
283 }
284
285 /**
286 * @param int $gid
287 * @param int $type
288 *
289 * @return bool
290 */
291 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
292 if (empty($gid)) {
293 return TRUE;
294 }
295
296 $groups = self::ufGroup($type);
297 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
298 }
299
300 /**
301 * @param int $type
302 *
303 * @return array
304 */
305 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
306 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
307
308 $allGroups = array_keys($ufGroups);
309
310 // check if user has all powerful permission
311 if (self::check('profile listings and forms')) {
312 return $allGroups;
313 }
314
315 switch ($type) {
316 case CRM_Core_Permission::VIEW:
317 if (self::check('profile view')) {
318 return $allGroups;
319 }
320 break;
321
322 case CRM_Core_Permission::CREATE:
323 if (self::check('profile create')) {
324 return $allGroups;
325 }
326 break;
327
328 case CRM_Core_Permission::EDIT:
329 if (self::check('profile edit')) {
330 return $allGroups;
331 }
332 break;
333
334 case CRM_Core_Permission::SEARCH:
335 if (self::check('profile listings')) {
336 return $allGroups;
337 }
338 break;
339 }
340
341 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
342 }
343
344 /**
345 * @param int $type
346 * @param null $prefix
347 * @param bool $returnUFGroupIds
348 *
349 * @return array|string
350 */
351 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
352 $groups = self::ufGroup($type);
353 if ($returnUFGroupIds) {
354 return $groups;
355 }
356 elseif (empty($groups)) {
357 return ' ( 0 ) ';
358 }
359 else {
360 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
361 }
362 }
363
364 /**
365 * @param int $type
366 * @param int $eventID
367 * @param string $context
368 *
369 * @return array|null
370 */
371 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
372 if (!empty($context)) {
373 if (CRM_Core_Permission::check($context)) {
374 return TRUE;
375 }
376 }
377 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
378 $includeEvents = array();
379
380 // check if user has all powerful permission
381 if (self::check('register for events')) {
382 $includeEvents = array_keys($events);
383 }
384
385 if ($type == CRM_Core_Permission::VIEW &&
386 self::check('view event info')
387 ) {
388 $includeEvents = array_keys($events);
389 }
390
391 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
392 if (!$eventID) {
393 return $permissionedEvents;
394 }
395 if (!empty($permissionedEvents)) {
396 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
397 }
398 return NULL;
399 }
400
401 /**
402 * @param int $type
403 * @param null $prefix
404 *
405 * @return string
406 */
407 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
408 $events = self::event($type);
409 if (empty($events)) {
410 return ' ( 0 ) ';
411 }
412 else {
413 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
414 }
415 }
416
417 /**
418 * Checks that component is enabled and optionally that user has basic perm.
419 *
420 * @param string $module
421 * Specifies the name of the CiviCRM component.
422 * @param bool $checkPermission
423 * Check not only that module is enabled, but that user has necessary
424 * permission.
425 * @param bool $requireAllCasesPermOnCiviCase
426 * Significant only if $module == CiviCase
427 * Require "access all cases and activities", not just
428 * "access my cases and activities".
429 *
430 * @return bool
431 * Access to specified $module is granted.
432 */
433 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
434 $config = CRM_Core_Config::singleton();
435
436 if (!in_array($module, $config->enableComponents)) {
437 return FALSE;
438 }
439
440 if ($checkPermission) {
441 switch ($module) {
442 case 'CiviCase':
443 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
444 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
445 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
446
447 case 'CiviCampaign':
448 return CRM_Core_Permission::check("administer $module");
449
450 default:
451 return CRM_Core_Permission::check("access $module");
452 }
453 }
454
455 return TRUE;
456 }
457
458 /**
459 * Check permissions for delete and edit actions.
460 *
461 * @param string $module
462 * Component name.
463 * @param int $action
464 * Action to be check across component.
465 *
466 *
467 * @return bool
468 */
469 public static function checkActionPermission($module, $action) {
470 //check delete related permissions.
471 if ($action & CRM_Core_Action::DELETE) {
472 $permissionName = "delete in $module";
473 }
474 else {
475 $editPermissions = array(
476 'CiviEvent' => 'edit event participants',
477 'CiviMember' => 'edit memberships',
478 'CiviPledge' => 'edit pledges',
479 'CiviContribute' => 'edit contributions',
480 'CiviGrant' => 'edit grants',
481 'CiviMail' => 'access CiviMail',
482 'CiviAuction' => 'add auction items',
483 );
484 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
485 }
486
487 if ($module == 'CiviCase' && !$permissionName) {
488 return CRM_Case_BAO_Case::accessCiviCase();
489 }
490 else {
491 //check for permission.
492 return CRM_Core_Permission::check($permissionName);
493 }
494 }
495
496 /**
497 * @param $args
498 * @param string $op
499 *
500 * @return bool
501 */
502 public static function checkMenu(&$args, $op = 'and') {
503 if (!is_array($args)) {
504 return $args;
505 }
506 foreach ($args as $str) {
507 $res = CRM_Core_Permission::check($str);
508 if ($op == 'or' && $res) {
509 return TRUE;
510 }
511 elseif ($op == 'and' && !$res) {
512 return FALSE;
513 }
514 }
515 return ($op == 'or') ? FALSE : TRUE;
516 }
517
518 /**
519 * @param $item
520 *
521 * @return bool|mixed
522 * @throws Exception
523 */
524 public static function checkMenuItem(&$item) {
525 if (!array_key_exists('access_callback', $item)) {
526 CRM_Core_Error::backtrace();
527 CRM_Core_Error::fatal();
528 }
529
530 // if component_id is present, ensure it is enabled
531 if (isset($item['component_id']) && $item['component_id']) {
532 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
533 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
534 }
535 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
536
537 $config = CRM_Core_Config::singleton();
538 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
539 // continue with process
540 }
541 else {
542 return FALSE;
543 }
544 }
545
546 // the following is imitating drupal 6 code in includes/menu.inc
547 if (empty($item['access_callback']) ||
548 is_numeric($item['access_callback'])
549 ) {
550 return (boolean ) $item['access_callback'];
551 }
552
553 // check whether the following Ajax requests submitted the right key
554 // FIXME: this should be integrated into ACLs proper
555 if (CRM_Utils_Array::value('page_type', $item) == 3) {
556 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
557 return FALSE;
558 }
559 }
560
561 // check if callback is for checkMenu, if so optimize it
562 if (is_array($item['access_callback']) &&
563 $item['access_callback'][0] == 'CRM_Core_Permission' &&
564 $item['access_callback'][1] == 'checkMenu'
565 ) {
566 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
567 return self::checkMenu($item['access_arguments'][0], $op);
568 }
569 else {
570 return call_user_func_array($item['access_callback'], $item['access_arguments']);
571 }
572 }
573
574 /**
575 * @param bool $all
576 * Include disabled components
577 * @param bool $descriptions
578 * Whether to return descriptions
579 *
580 * @return array
581 */
582 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
583 $cacheKey = implode('-', array($all, $descriptions));
584 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
585 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
586 }
587 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
588 }
589
590 /**
591 * @param bool $all
592 * @param bool $descriptions
593 * whether to return descriptions
594 *
595 * @return array
596 */
597 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
598 $config = CRM_Core_Config::singleton();
599 $prefix = ts('CiviCRM') . ': ';
600 $permissions = self::getCorePermissions($descriptions);
601
602 if (self::isMultisiteEnabled()) {
603 $permissions['administer Multiple Organizations'] = array($prefix . ts('administer Multiple Organizations'));
604 }
605
606 if (!$descriptions) {
607 foreach ($permissions as $name => $attr) {
608 $permissions[$name] = array_shift($attr);
609 }
610 }
611 if (!$all) {
612 $components = CRM_Core_Component::getEnabledComponents();
613 }
614 else {
615 $components = CRM_Core_Component::getComponents();
616 }
617
618 foreach ($components as $comp) {
619 $perm = $comp->getPermissions(FALSE, $descriptions);
620 if ($perm) {
621 $info = $comp->getInfo();
622 foreach ($perm as $p => $attr) {
623
624 if (!is_array($attr)) {
625 $attr = array($attr);
626 }
627
628 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
629
630 if ($descriptions) {
631 $permissions[$p] = $attr;
632 }
633 else {
634 $permissions[$p] = $attr[0];
635 }
636 }
637 }
638 }
639
640 // Add any permissions defined in hook_civicrm_permission implementations.
641 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
642 $permissions = array_merge($permissions, $module_permissions);
643 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
644 return $permissions;
645 }
646
647 /**
648 * @return array
649 */
650 public static function getAnonymousPermissionsWarnings() {
651 static $permissions = array();
652 if (empty($permissions)) {
653 $permissions = array(
654 'administer CiviCRM',
655 );
656 $components = CRM_Core_Component::getComponents();
657 foreach ($components as $comp) {
658 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
659 continue;
660 }
661 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
662 }
663 }
664 return $permissions;
665 }
666
667 /**
668 * @param $anonymous_perms
669 *
670 * @return array
671 */
672 public static function validateForPermissionWarnings($anonymous_perms) {
673 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
674 }
675
676 /**
677 * Get core permissions.
678 *
679 * @return array
680 */
681 public static function getCorePermissions() {
682 $prefix = ts('CiviCRM') . ': ';
683 $permissions = array(
684 'add contacts' => array(
685 $prefix . ts('add contacts'),
686 ts('Create a new contact record in CiviCRM'),
687 ),
688 'view all contacts' => array(
689 $prefix . ts('view all contacts'),
690 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
691 ),
692 'edit all contacts' => array(
693 $prefix . ts('edit all contacts'),
694 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
695 ),
696 'view my contact' => array(
697 $prefix . ts('view my contact'),
698 ),
699 'edit my contact' => array(
700 $prefix . ts('edit my contact'),
701 ),
702 'delete contacts' => array(
703 $prefix . ts('delete contacts'),
704 ),
705 'access deleted contacts' => array(
706 $prefix . ts('access deleted contacts'),
707 ts('Access contacts in the trash'),
708 ),
709 'import contacts' => array(
710 $prefix . ts('import contacts'),
711 ts('Import contacts and activities'),
712 ),
713 'import SQL datasource' => array(
714 $prefix . ts('import SQL datasource'),
715 ts('When importing, consume data directly from a SQL datasource'),
716 ),
717 'edit groups' => array(
718 $prefix . ts('edit groups'),
719 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
720 ),
721 'administer CiviCRM' => array(
722 $prefix . ts('administer CiviCRM'),
723 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
724 ),
725 'skip IDS check' => array(
726 $prefix . ts('skip IDS check'),
727 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
728 ),
729 'access uploaded files' => array(
730 $prefix . ts('access uploaded files'),
731 ts('View / download files including images and photos'),
732 ),
733 'profile listings and forms' => array(
734 $prefix . ts('profile listings and forms'),
735 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
736 ),
737 'profile listings' => array(
738 $prefix . ts('profile listings'),
739 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
740 ),
741 'profile create' => array(
742 $prefix . ts('profile create'),
743 ts('Add data in a profile form.'),
744 ),
745 'profile edit' => array(
746 $prefix . ts('profile edit'),
747 ts('Edit data in a profile form.'),
748 ),
749 'profile view' => array(
750 $prefix . ts('profile view'),
751 ts('View data in a profile.'),
752 ),
753 'access all custom data' => array(
754 $prefix . ts('access all custom data'),
755 ts('View all custom fields regardless of ACL rules'),
756 ),
757 'view all activities' => array(
758 $prefix . ts('view all activities'),
759 ts('View all activities (for visible contacts)'),
760 ),
761 'delete activities' => array(
762 $prefix . ts('Delete activities'),
763 ),
764 'edit inbound email basic information' => array(
765 $prefix . ts('edit inbound email basic information'),
766 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
767 ),
768 'edit inbound email basic information and content' => array(
769 $prefix . ts('edit inbound email basic information and content'),
770 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
771 ),
772 'access CiviCRM' => array(
773 $prefix . ts('access CiviCRM backend and API'),
774 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
775 ),
776 'access Contact Dashboard' => array(
777 $prefix . ts('access Contact Dashboard'),
778 ts('View Contact Dashboard (for themselves and visible contacts)'),
779 ),
780 'translate CiviCRM' => array(
781 $prefix . ts('translate CiviCRM'),
782 ts('Allow User to enable multilingual'),
783 ),
784 'manage tags' => array(
785 $prefix . ts('manage tags'),
786 ts('Create and rename tags'),
787 ),
788 'administer reserved groups' => array(
789 $prefix . ts('administer reserved groups'),
790 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
791 ),
792 'administer Tagsets' => array(
793 $prefix . ts('administer Tagsets'),
794 ),
795 'administer reserved tags' => array(
796 $prefix . ts('administer reserved tags'),
797 ),
798 'administer dedupe rules' => array(
799 $prefix . ts('administer dedupe rules'),
800 ts('Create and edit rules, change the supervised and unsupervised rules'),
801 ),
802 'merge duplicate contacts' => array(
803 $prefix . ts('merge duplicate contacts'),
804 ts('Delete Contacts must also be granted in order for this to work.'),
805 ),
806 'force merge duplicate contacts' => array(
807 $prefix . ts('force merge duplicate contacts'),
808 ts('Delete Contacts must also be granted in order for this to work.'),
809 ),
810 'view debug output' => array(
811 $prefix . ts('view debug output'),
812 ts('View results of debug and backtrace'),
813 ),
814
815 'view all notes' => array(
816 $prefix . ts('view all notes'),
817 ts("View notes (for visible contacts) even if they're marked admin only"),
818 ),
819 'add contact notes' => array(
820 $prefix . ts('add contact notes'),
821 ts("Create notes for contacts"),
822 ),
823 'access AJAX API' => array(
824 $prefix . ts('access AJAX API'),
825 ts('Allow API access even if Access CiviCRM is not granted'),
826 ),
827 'access contact reference fields' => array(
828 $prefix . ts('access contact reference fields'),
829 ts('Allow entering data into contact reference fields'),
830 ),
831 'create manual batch' => array(
832 $prefix . ts('create manual batch'),
833 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
834 ),
835 'edit own manual batches' => array(
836 $prefix . ts('edit own manual batches'),
837 ts('Edit accounting batches created by user'),
838 ),
839 'edit all manual batches' => array(
840 $prefix . ts('edit all manual batches'),
841 ts('Edit all accounting batches'),
842 ),
843 'close own manual batches' => array(
844 $prefix . ts('close own manual batches'),
845 ts('Close accounting batches created by user (with Access to CiviContribute)'),
846 ),
847 'close all manual batches' => array(
848 $prefix . ts('close all manual batches'),
849 ts('Close all accounting batches (with Access to CiviContribute)'),
850 ),
851 'reopen own manual batches' => array(
852 $prefix . ts('reopen own manual batches'),
853 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
854 ),
855 'reopen all manual batches' => array(
856 $prefix . ts('reopen all manual batches'),
857 ts('Reopen all accounting batches (with Access to CiviContribute)'),
858 ),
859 'view own manual batches' => array(
860 $prefix . ts('view own manual batches'),
861 ts('View accounting batches created by user (with Access to CiviContribute)'),
862 ),
863 'view all manual batches' => array(
864 $prefix . ts('view all manual batches'),
865 ts('View all accounting batches (with Access to CiviContribute)'),
866 ),
867 'delete own manual batches' => array(
868 $prefix . ts('delete own manual batches'),
869 ts('Delete accounting batches created by user'),
870 ),
871 'delete all manual batches' => array(
872 $prefix . ts('delete all manual batches'),
873 ts('Delete all accounting batches'),
874 ),
875 'export own manual batches' => array(
876 $prefix . ts('export own manual batches'),
877 ts('Export accounting batches created by user'),
878 ),
879 'export all manual batches' => array(
880 $prefix . ts('export all manual batches'),
881 ts('Export all accounting batches'),
882 ),
883 'administer payment processors' => array(
884 $prefix . ts('administer payment processors'),
885 ts('Add, Update, or Disable Payment Processors'),
886 ),
887 'edit message templates' => array(
888 $prefix . ts('edit message templates'),
889 ),
890 'edit system workflow message templates' => array(
891 $prefix . ts('edit system workflow message templates'),
892 ),
893 'edit user-driven message templates' => array(
894 $prefix . ts('edit user-driven message templates'),
895 ),
896 'view my invoices' => array(
897 $prefix . ts('view my invoices'),
898 ts('Allow users to view/ download their own invoices'),
899 ),
900 'edit api keys' => array(
901 $prefix . ts('edit api keys'),
902 ts('Edit API keys'),
903 ),
904 'edit own api keys' => array(
905 $prefix . ts('edit own api keys'),
906 ts('Edit user\'s own API keys'),
907 ),
908 'send SMS' => array(
909 $prefix . ts('send SMS'),
910 ts('Send an SMS'),
911 ),
912 );
913
914 return $permissions;
915 }
916
917 /**
918 * For each entity provides an array of permissions required for each action
919 *
920 * The action is the array key, possible values:
921 * * create: applies to create (with no id in params)
922 * * update: applies to update, setvalue, create (with id in params)
923 * * get: applies to getcount, getsingle, getvalue and other gets
924 * * delete: applies to delete, replace
925 * * meta: applies to getfields, getoptions, getspec
926 * * default: catch-all for anything not declared
927 *
928 * Note: some APIs declare other actions as well
929 *
930 * Permissions should use arrays for AND and arrays of arrays for OR
931 * @see CRM_Core_Permission::check
932 *
933 * @return array of permissions
934 */
935 public static function getEntityActionPermissions() {
936 $permissions = array();
937 // These are the default permissions - if any entity does not declare permissions for a given action,
938 // (or the entity does not declare permissions at all) - then the action will be used from here
939 $permissions['default'] = array(
940 // applies to getfields, getoptions, etc.
941 'meta' => array('access CiviCRM'),
942 // catch-all, applies to create, get, delete, etc.
943 // If an entity declares it's own 'default' action it will override this one
944 'default' => array('administer CiviCRM'),
945 );
946
947 // Note: Additional permissions in DynamicFKAuthorization
948 $permissions['attachment'] = array(
949 'default' => array(
950 array('access CiviCRM', 'access AJAX API'),
951 ),
952 );
953
954 // Contact permissions
955 $permissions['contact'] = array(
956 'create' => array(
957 'access CiviCRM',
958 'add contacts',
959 ),
960 'delete' => array(
961 'access CiviCRM',
962 'delete contacts',
963 ),
964 // managed by query object
965 'get' => array(),
966 // managed by _civicrm_api3_check_edit_permissions
967 'update' => array(),
968 'getquick' => array(
969 array('access CiviCRM', 'access AJAX API'),
970 ),
971 );
972
973 // CRM-16963 - Permissions for country.
974 $permissions['country'] = array(
975 'get' => array(
976 'access CiviCRM',
977 ),
978 'default' => array(
979 'administer CiviCRM',
980 ),
981 );
982
983 // Contact-related data permissions.
984 $permissions['address'] = array(
985 // get is managed by BAO::addSelectWhereClause
986 // create/delete are managed by _civicrm_api3_check_edit_permissions
987 'default' => array(),
988 );
989 $permissions['email'] = $permissions['address'];
990 $permissions['phone'] = $permissions['address'];
991 $permissions['website'] = $permissions['address'];
992 $permissions['im'] = $permissions['address'];
993 $permissions['open_i_d'] = $permissions['address'];
994
995 // Also managed by ACLs - CRM-19448
996 $permissions['entity_tag'] = array('default' => array());
997 $permissions['note'] = $permissions['entity_tag'];
998
999 // Allow non-admins to get and create tags to support tagset widget
1000 // Delete is still reserved for admins
1001 $permissions['tag'] = array(
1002 'get' => array('access CiviCRM'),
1003 'create' => array('access CiviCRM'),
1004 'update' => array('access CiviCRM'),
1005 );
1006
1007 //relationship permissions
1008 $permissions['relationship'] = array(
1009 // get is managed by BAO::addSelectWhereClause
1010 'get' => array(),
1011 'delete' => array(
1012 'access CiviCRM',
1013 'edit all contacts',
1014 ),
1015 'default' => array(
1016 'access CiviCRM',
1017 'edit all contacts',
1018 ),
1019 );
1020
1021 // CRM-17741 - Permissions for RelationshipType.
1022 $permissions['relationship_type'] = array(
1023 'get' => array(
1024 'access CiviCRM',
1025 ),
1026 'default' => array(
1027 'administer CiviCRM',
1028 ),
1029 );
1030
1031 // Activity permissions
1032 $permissions['activity'] = array(
1033 'delete' => array(
1034 'access CiviCRM',
1035 'delete activities',
1036 ),
1037 'get' => array(
1038 'access CiviCRM',
1039 // Note that view all activities is also required within the api
1040 // if the id is not passed in. Where the id is passed in the activity
1041 // specific check functions are used and tested.
1042 ),
1043 'default' => array(
1044 'access CiviCRM',
1045 'view all activities',
1046 ),
1047 );
1048
1049 // Case permissions
1050 $permissions['case'] = array(
1051 'create' => array(
1052 'access CiviCRM',
1053 'add cases',
1054 ),
1055 'delete' => array(
1056 'access CiviCRM',
1057 'delete in CiviCase',
1058 ),
1059 'restore' => array(
1060 'administer CiviCase',
1061 ),
1062 'merge' => array(
1063 'administer CiviCase',
1064 ),
1065 'default' => array(
1066 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
1067 array('access my cases and activities', 'access all cases and activities'),
1068 ),
1069 );
1070 $permissions['case_contact'] = $permissions['case'];
1071
1072 $permissions['case_type'] = array(
1073 'default' => array('administer CiviCase'),
1074 'get' => array(
1075 // nested array = OR
1076 array('access my cases and activities', 'access all cases and activities'),
1077 ),
1078 );
1079
1080 // Campaign permissions
1081 $permissions['campaign'] = array(
1082 'get' => array('access CiviCRM'),
1083 'default' => array(
1084 // nested array = OR
1085 array('administer CiviCampaign', 'manage campaign'),
1086 ),
1087 );
1088 $permissions['survey'] = $permissions['campaign'];
1089
1090 // Financial permissions
1091 $permissions['contribution'] = array(
1092 'get' => array(
1093 'access CiviCRM',
1094 'access CiviContribute',
1095 ),
1096 'delete' => array(
1097 'access CiviCRM',
1098 'access CiviContribute',
1099 'delete in CiviContribute',
1100 ),
1101 'completetransaction' => array(
1102 'edit contributions',
1103 ),
1104 'default' => array(
1105 'access CiviCRM',
1106 'access CiviContribute',
1107 'edit contributions',
1108 ),
1109 );
1110 $permissions['line_item'] = $permissions['contribution'];
1111
1112 // Payment permissions
1113 $permissions['payment'] = array(
1114 'get' => array(
1115 'access CiviCRM',
1116 'access CiviContribute',
1117 ),
1118 'delete' => array(
1119 'access CiviCRM',
1120 'access CiviContribute',
1121 'delete in CiviContribute',
1122 ),
1123 'cancel' => array(
1124 'access CiviCRM',
1125 'access CiviContribute',
1126 'edit contributions',
1127 ),
1128 'create' => array(
1129 'access CiviCRM',
1130 'access CiviContribute',
1131 'edit contributions',
1132 ),
1133 'default' => array(
1134 'access CiviCRM',
1135 'access CiviContribute',
1136 'edit contributions',
1137 ),
1138 );
1139 $permissions['contribution_recur'] = $permissions['payment'];
1140
1141 // Custom field permissions
1142 $permissions['custom_field'] = array(
1143 'default' => array(
1144 'administer CiviCRM',
1145 'access all custom data',
1146 ),
1147 );
1148 $permissions['custom_group'] = $permissions['custom_field'];
1149
1150 // Event permissions
1151 $permissions['event'] = array(
1152 'create' => array(
1153 'access CiviCRM',
1154 'access CiviEvent',
1155 'edit all events',
1156 ),
1157 'delete' => array(
1158 'access CiviCRM',
1159 'access CiviEvent',
1160 'delete in CiviEvent',
1161 ),
1162 'get' => array(
1163 'access CiviCRM',
1164 'access CiviEvent',
1165 'view event info',
1166 ),
1167 'update' => array(
1168 'access CiviCRM',
1169 'access CiviEvent',
1170 'edit all events',
1171 ),
1172 );
1173 // Loc block is only used for events
1174 $permissions['loc_block'] = $permissions['event'];
1175
1176 $permissions['state_province'] = array(
1177 'get' => array(
1178 'access CiviCRM',
1179 ),
1180 );
1181
1182 // Price sets are shared by several components, user needs access to at least one of them
1183 $permissions['price_set'] = array(
1184 'default' => array(
1185 array('access CiviEvent', 'access CiviContribute', 'access CiviMember'),
1186 ),
1187 'get' => array(
1188 array('access CiviCRM', 'view event info', 'make online contributions'),
1189 ),
1190 );
1191
1192 // File permissions
1193 $permissions['file'] = array(
1194 'default' => array(
1195 'access CiviCRM',
1196 'access uploaded files',
1197 ),
1198 );
1199 $permissions['files_by_entity'] = $permissions['file'];
1200
1201 // Group permissions
1202 $permissions['group'] = array(
1203 'get' => array(
1204 'access CiviCRM',
1205 ),
1206 'default' => array(
1207 'access CiviCRM',
1208 'edit groups',
1209 ),
1210 );
1211
1212 $permissions['group_nesting'] = $permissions['group'];
1213 $permissions['group_organization'] = $permissions['group'];
1214
1215 //Group Contact permission
1216 $permissions['group_contact'] = array(
1217 'get' => array(
1218 'access CiviCRM',
1219 ),
1220 'default' => array(
1221 'access CiviCRM',
1222 'edit all contacts',
1223 ),
1224 );
1225
1226 // CiviMail Permissions
1227 $civiMailBasePerms = array(
1228 // To get/preview/update, one must have least one of these perms:
1229 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1230 'access CiviMail',
1231 'create mailings',
1232 'schedule mailings',
1233 'approve mailings',
1234 );
1235 $permissions['mailing'] = array(
1236 'get' => array(
1237 'access CiviCRM',
1238 $civiMailBasePerms,
1239 ),
1240 'delete' => array(
1241 'access CiviCRM',
1242 $civiMailBasePerms,
1243 'delete in CiviMail',
1244 ),
1245 'submit' => array(
1246 'access CiviCRM',
1247 array('access CiviMail', 'schedule mailings'),
1248 ),
1249 'default' => array(
1250 'access CiviCRM',
1251 $civiMailBasePerms,
1252 ),
1253 );
1254 $permissions['mailing_group'] = $permissions['mailing'];
1255 $permissions['mailing_job'] = $permissions['mailing'];
1256 $permissions['mailing_recipients'] = $permissions['mailing'];
1257
1258 $permissions['mailing_a_b'] = array(
1259 'get' => array(
1260 'access CiviCRM',
1261 'access CiviMail',
1262 ),
1263 'delete' => array(
1264 'access CiviCRM',
1265 'access CiviMail',
1266 'delete in CiviMail',
1267 ),
1268 'submit' => array(
1269 'access CiviCRM',
1270 array('access CiviMail', 'schedule mailings'),
1271 ),
1272 'default' => array(
1273 'access CiviCRM',
1274 'access CiviMail',
1275 ),
1276 );
1277
1278 // Membership permissions
1279 $permissions['membership'] = array(
1280 'get' => array(
1281 'access CiviCRM',
1282 'access CiviMember',
1283 ),
1284 'delete' => array(
1285 'access CiviCRM',
1286 'access CiviMember',
1287 'delete in CiviMember',
1288 ),
1289 'default' => array(
1290 'access CiviCRM',
1291 'access CiviMember',
1292 'edit memberships',
1293 ),
1294 );
1295 $permissions['membership_status'] = $permissions['membership'];
1296 $permissions['membership_type'] = $permissions['membership'];
1297 $permissions['membership_payment'] = array(
1298 'create' => array(
1299 'access CiviCRM',
1300 'access CiviMember',
1301 'edit memberships',
1302 'access CiviContribute',
1303 'edit contributions',
1304 ),
1305 'delete' => array(
1306 'access CiviCRM',
1307 'access CiviMember',
1308 'delete in CiviMember',
1309 'access CiviContribute',
1310 'delete in CiviContribute',
1311 ),
1312 'get' => array(
1313 'access CiviCRM',
1314 'access CiviMember',
1315 'access CiviContribute',
1316 ),
1317 'update' => array(
1318 'access CiviCRM',
1319 'access CiviMember',
1320 'edit memberships',
1321 'access CiviContribute',
1322 'edit contributions',
1323 ),
1324 );
1325
1326 // Participant permissions
1327 $permissions['participant'] = array(
1328 'create' => array(
1329 'access CiviCRM',
1330 'access CiviEvent',
1331 'register for events',
1332 ),
1333 'delete' => array(
1334 'access CiviCRM',
1335 'access CiviEvent',
1336 'edit event participants',
1337 ),
1338 'get' => array(
1339 'access CiviCRM',
1340 'access CiviEvent',
1341 'view event participants',
1342 ),
1343 'update' => array(
1344 'access CiviCRM',
1345 'access CiviEvent',
1346 'edit event participants',
1347 ),
1348 );
1349 $permissions['participant_payment'] = array(
1350 'create' => array(
1351 'access CiviCRM',
1352 'access CiviEvent',
1353 'register for events',
1354 'access CiviContribute',
1355 'edit contributions',
1356 ),
1357 'delete' => array(
1358 'access CiviCRM',
1359 'access CiviEvent',
1360 'edit event participants',
1361 'access CiviContribute',
1362 'delete in CiviContribute',
1363 ),
1364 'get' => array(
1365 'access CiviCRM',
1366 'access CiviEvent',
1367 'view event participants',
1368 'access CiviContribute',
1369 ),
1370 'update' => array(
1371 'access CiviCRM',
1372 'access CiviEvent',
1373 'edit event participants',
1374 'access CiviContribute',
1375 'edit contributions',
1376 ),
1377 );
1378
1379 // Pledge permissions
1380 $permissions['pledge'] = array(
1381 'create' => array(
1382 'access CiviCRM',
1383 'access CiviPledge',
1384 'edit pledges',
1385 ),
1386 'delete' => array(
1387 'access CiviCRM',
1388 'access CiviPledge',
1389 'delete in CiviPledge',
1390 ),
1391 'get' => array(
1392 'access CiviCRM',
1393 'access CiviPledge',
1394 ),
1395 'update' => array(
1396 'access CiviCRM',
1397 'access CiviPledge',
1398 'edit pledges',
1399 ),
1400 );
1401
1402 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
1403 $permissions['action_schedule'] = array(
1404 'update' => array(
1405 array(
1406 'access CiviCRM',
1407 'edit all events',
1408 ),
1409 ),
1410 );
1411
1412 $permissions['pledge_payment'] = array(
1413 'create' => array(
1414 'access CiviCRM',
1415 'access CiviPledge',
1416 'edit pledges',
1417 'access CiviContribute',
1418 'edit contributions',
1419 ),
1420 'delete' => array(
1421 'access CiviCRM',
1422 'access CiviPledge',
1423 'delete in CiviPledge',
1424 'access CiviContribute',
1425 'delete in CiviContribute',
1426 ),
1427 'get' => array(
1428 'access CiviCRM',
1429 'access CiviPledge',
1430 'access CiviContribute',
1431 ),
1432 'update' => array(
1433 'access CiviCRM',
1434 'access CiviPledge',
1435 'edit pledges',
1436 'access CiviContribute',
1437 'edit contributions',
1438 ),
1439 );
1440
1441 // Profile permissions
1442 $permissions['profile'] = array(
1443 'get' => array(), // the profile will take care of this
1444 );
1445
1446 $permissions['uf_group'] = array(
1447 'create' => array(
1448 'access CiviCRM',
1449 array(
1450 'administer CiviCRM',
1451 'manage event profiles',
1452 ),
1453 ),
1454 'get' => array(
1455 'access CiviCRM',
1456 ),
1457 'update' => array(
1458 'access CiviCRM',
1459 array(
1460 'administer CiviCRM',
1461 'manage event profiles',
1462 ),
1463 ),
1464 );
1465 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
1466 $permissions['uf_field']['delete'] = array(
1467 'access CiviCRM',
1468 array(
1469 'administer CiviCRM',
1470 'manage event profiles',
1471 ),
1472 );
1473 $permissions['option_value'] = $permissions['uf_group'];
1474 $permissions['option_group'] = $permissions['option_value'];
1475
1476 $permissions['custom_value'] = array(
1477 'gettree' => array('access CiviCRM'),
1478 );
1479
1480 $permissions['message_template'] = array(
1481 'get' => array('access CiviCRM'),
1482 'create' => array('edit message templates', 'edit user-driven message templates', 'edit system workflow message templates'),
1483 'update' => array('edit message templates', 'edit user-driven message templates', 'edit system workflow message templates'),
1484 );
1485
1486 $permissions['report_template']['update'] = 'save Report Criteria';
1487 $permissions['report_template']['create'] = 'save Report Criteria';
1488 return $permissions;
1489 }
1490
1491 /**
1492 * Translate an unknown action to a canonical form.
1493 *
1494 * @param string $action
1495 *
1496 * @return string
1497 * the standardised action name
1498 */
1499 public static function getGenericAction($action) {
1500 $snippet = substr($action, 0, 3);
1501 if ($action == 'replace' || $snippet == 'del') {
1502 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1503 // on each of those will be tested separately at runtime. This is just a sniff-test
1504 // based on the heuristic that 'delete' tends to be the most closely guarded
1505 // of the necessary permissions.
1506 $action = 'delete';
1507 }
1508 elseif ($action == 'setvalue' || $snippet == 'upd') {
1509 $action = 'update';
1510 }
1511 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1512 $action = 'meta';
1513 }
1514 elseif ($snippet == 'get') {
1515 $action = 'get';
1516 }
1517 return $action;
1518 }
1519
1520 /**
1521 * Validate user permission across.
1522 * edit or view or with supportable acls.
1523 *
1524 * @return bool
1525 */
1526 public static function giveMeAllACLs() {
1527 if (CRM_Core_Permission::check('view all contacts') ||
1528 CRM_Core_Permission::check('edit all contacts')
1529 ) {
1530 return TRUE;
1531 }
1532
1533 $session = CRM_Core_Session::singleton();
1534 $contactID = $session->get('userID');
1535
1536 //check for acl.
1537 $aclPermission = self::getPermission();
1538 if (in_array($aclPermission, array(
1539 CRM_Core_Permission::EDIT,
1540 CRM_Core_Permission::VIEW,
1541 ))
1542 ) {
1543 return TRUE;
1544 }
1545
1546 // run acl where hook and see if the user is supplying an ACL clause
1547 // that is not false
1548 $tables = $whereTables = array();
1549 $where = NULL;
1550
1551 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1552 $tables, $whereTables,
1553 $contactID, $where
1554 );
1555 return empty($whereTables) ? FALSE : TRUE;
1556 }
1557
1558 /**
1559 * Get component name from given permission.
1560 *
1561 * @param string $permission
1562 *
1563 * @return null|string
1564 * the name of component.
1565 */
1566 public static function getComponentName($permission) {
1567 $componentName = NULL;
1568 $permission = trim($permission);
1569 if (empty($permission)) {
1570 return $componentName;
1571 }
1572
1573 static $allCompPermissions = array();
1574 if (empty($allCompPermissions)) {
1575 $components = CRM_Core_Component::getComponents();
1576 foreach ($components as $name => $comp) {
1577 //get all permissions of each components unconditionally
1578 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
1579 }
1580 }
1581
1582 if (is_array($allCompPermissions)) {
1583 foreach ($allCompPermissions as $name => $permissions) {
1584 if (array_key_exists($permission, $permissions)) {
1585 $componentName = $name;
1586 break;
1587 }
1588 }
1589 }
1590
1591 return $componentName;
1592 }
1593
1594 /**
1595 * Get all the contact emails for users that have a specific permission.
1596 *
1597 * @param string $permissionName
1598 * Name of the permission we are interested in.
1599 *
1600 * @return string
1601 * a comma separated list of email addresses
1602 */
1603 public static function permissionEmails($permissionName) {
1604 $config = CRM_Core_Config::singleton();
1605 return $config->userPermissionClass->permissionEmails($permissionName);
1606 }
1607
1608 /**
1609 * Get all the contact emails for users that have a specific role.
1610 *
1611 * @param string $roleName
1612 * Name of the role we are interested in.
1613 *
1614 * @return string
1615 * a comma separated list of email addresses
1616 */
1617 public static function roleEmails($roleName) {
1618 $config = CRM_Core_Config::singleton();
1619 return $config->userRoleClass->roleEmails($roleName);
1620 }
1621
1622 /**
1623 * @return bool
1624 */
1625 public static function isMultisiteEnabled() {
1626 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
1627 }
1628
1629 /**
1630 * Verify if the user has permission to get the invoice.
1631 *
1632 * @return bool
1633 * TRUE if the user has download all invoices permission or download my
1634 * invoices permission and the invoice author is the current user.
1635 */
1636 public static function checkDownloadInvoice() {
1637 $cid = CRM_Core_Session::getLoggedInContactID();
1638 if (CRM_Core_Permission::check('access CiviContribute') ||
1639 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1640 ) {
1641 return TRUE;
1642 }
1643 return FALSE;
1644 }
1645
1646 }