projects / civicrm-core.git / blob
? search:


edce29ae2f7eba2125d1bc2c5d80cb98b5b92120
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17
18 /**
19 * This is the basic permission class wrapper
20 */
21 class CRM_Core_Permission {
22
23 /**
24 * Static strings used to compose permissions.
25 *
26 * @const
27 * @var string
28 */
29 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
30
31 /**
32 * The various type of permissions.
33 *
34 * @var int
35 */
36 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
37
38 /**
39 * A placeholder permission which always fails.
40 */
41 const ALWAYS_DENY_PERMISSION = "*always deny*";
42
43 /**
44 * A placeholder permission which always fails.
45 */
46 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
47
48 /**
49 * Various authentication sources.
50 *
51 * @var int
52 */
53 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
54
55 /**
56 * Get the current permission of this user.
57 *
58 * @return string
59 * the permission of the user (edit or view or null)
60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
63 return $config->userPermissionClass->getPermission();
64 }
65
66 /**
67 * Given a permission string or array, check for access requirements
68 *
69 * Ex 1: Must have 'access CiviCRM'
70 * (string) 'access CiviCRM'
71 *
72 * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
73 * ['access CiviCRM', 'access Ajax API']
74 *
75 * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
76 * [
77 * ['access CiviCRM', 'access Ajax API'],
78 * ],
79 *
80 * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
81 * [
82 * ['access CiviCRM', 'access Ajax API'],
83 * 'access CiviEvent',
84 * ],
85 *
86 * Note that in permissions.php this is keyed by the action eg.
87 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
88 * 'myaction' => [
89 * ['access CiviCRM', 'access Ajax API'],
90 * ['access CiviEvent', 'access CiviContribute']
91 * ],
92 *
93 * @param string|array $permissions
94 * The permission to check as an array or string -see examples.
95 *
96 * @param int $contactId
97 * Contact id to check permissions for. Defaults to current logged-in user.
98 *
99 * @return bool
100 * true if contact has permission(s), else false
101 */
102 public static function check($permissions, $contactId = NULL) {
103 $permissions = (array) $permissions;
104 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
105
106 /** @var CRM_Core_Permission_Temp $tempPerm */
107 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
108
109 foreach ($permissions as $permission) {
110 if (is_array($permission)) {
111 foreach ($permission as $orPerm) {
112 if (self::check($orPerm, $contactId)) {
113 //one of our 'or' permissions has succeeded - stop checking this permission
114 return TRUE;
115 }
116 }
117 //none of our our conditions was met
118 return FALSE;
119 }
120 else {
121 // This is an individual permission
122 $impliedPermissions = self::getImpliedPermissionsFor($permission);
123 $impliedPermissions[] = $permission;
124 foreach ($impliedPermissions as $permissionOption) {
125 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permissionOption, $userId);
126 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
127 CRM_Utils_Hook::permission_check($permissionOption, $granted, $contactId);
128 if ($granted) {
129 break;
130 }
131 }
132
133 if (
134 !$granted
135 && !($tempPerm && $tempPerm->check($permission))
136 ) {
137 //one of our 'and' conditions has not been met
138 return FALSE;
139 }
140 }
141 }
142 return TRUE;
143 }
144
145 /**
146 * Determine if any one of the permissions strings applies to current user.
147 *
148 * @param array $perms
149 * @return bool
150 */
151 public static function checkAnyPerm($perms) {
152 foreach ($perms as $perm) {
153 if (CRM_Core_Permission::check($perm)) {
154 return TRUE;
155 }
156 }
157 return FALSE;
158 }
159
160 /**
161 * Given a group/role array, check for access requirements
162 *
163 * @param array $array
164 * The group/role to check.
165 *
166 * @return bool
167 * true if yes, else false
168 */
169 public static function checkGroupRole($array) {
170 $config = CRM_Core_Config::singleton();
171 return $config->userPermissionClass->checkGroupRole($array);
172 }
173
174 /**
175 * Get the permissioned where clause for the user.
176 *
177 * @param int $type
178 * The type of permission needed.
179 * @param array $tables
180 * (reference ) add the tables that are needed for the select clause.
181 * @param array $whereTables
182 * (reference ) add the tables that are needed for the where clause.
183 *
184 * @return string
185 * the group where clause for this user
186 */
187 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
188 $config = CRM_Core_Config::singleton();
189 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
190 }
191
192 /**
193 * Get all groups from database, filtered by permissions
194 * for this user
195 *
196 * @param string $groupType
197 * Type of group(Access/Mailing).
198 * @param bool $excludeHidden
199 * exclude hidden groups.
200 *
201 *
202 * @return array
203 * array reference of all groups.
204 */
205 public static function group($groupType, $excludeHidden = TRUE) {
206 $config = CRM_Core_Config::singleton();
207 return $config->userPermissionClass->group($groupType, $excludeHidden);
208 }
209
210 /**
211 * @return bool
212 */
213 public static function customGroupAdmin() {
214 $admin = FALSE;
215
216 // check if user has all powerful permission
217 // or administer civicrm permission (CRM-1905)
218 if (self::check('access all custom data')) {
219 return TRUE;
220 }
221
222 if (
223 self::check('administer Multiple Organizations') &&
224 self::isMultisiteEnabled()
225 ) {
226 return TRUE;
227 }
228
229 if (self::check('administer CiviCRM')) {
230 return TRUE;
231 }
232
233 return FALSE;
234 }
235
236 /**
237 * @param int $type
238 * @param bool $reset
239 *
240 * @return array
241 */
242 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
243 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
244 ['fresh' => $reset]);
245 $defaultGroups = [];
246
247 // check if user has all powerful permission
248 // or administer civicrm permission (CRM-1905)
249 if (self::customGroupAdmin()) {
250 $defaultGroups = array_keys($customGroups);
251 }
252
253 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
254 }
255
256 /**
257 * @param int $type
258 * @param null $prefix
259 * @param bool $reset
260 *
261 * @return string
262 */
263 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
264 if (self::customGroupAdmin()) {
265 return ' ( 1 ) ';
266 }
267
268 $groups = self::customGroup($type, $reset);
269 if (empty($groups)) {
270 return ' ( 0 ) ';
271 }
272 else {
273 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
274 }
275 }
276
277 /**
278 * @param int $gid
279 * @param int $type
280 *
281 * @return bool
282 */
283 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
284 if (empty($gid)) {
285 return TRUE;
286 }
287
288 $groups = self::ufGroup($type);
289 return !empty($groups) && in_array($gid, $groups);
290 }
291
292 /**
293 * @param int $type
294 *
295 * @return array
296 */
297 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
298 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
299
300 $allGroups = array_keys($ufGroups);
301
302 // check if user has all powerful permission
303 if (self::check('profile listings and forms')) {
304 return $allGroups;
305 }
306
307 switch ($type) {
308 case CRM_Core_Permission::VIEW:
309 if (self::check('profile view')) {
310 return $allGroups;
311 }
312 break;
313
314 case CRM_Core_Permission::CREATE:
315 if (self::check('profile create')) {
316 return $allGroups;
317 }
318 break;
319
320 case CRM_Core_Permission::EDIT:
321 if (self::check('profile edit')) {
322 return $allGroups;
323 }
324 break;
325
326 case CRM_Core_Permission::SEARCH:
327 if (self::check('profile listings')) {
328 return $allGroups;
329 }
330 break;
331 }
332
333 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
334 }
335
336 /**
337 * @param int $type
338 * @param null $prefix
339 * @param bool $returnUFGroupIds
340 *
341 * @return array|string
342 */
343 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
344 $groups = self::ufGroup($type);
345 if ($returnUFGroupIds) {
346 return $groups;
347 }
348 elseif (empty($groups)) {
349 return ' ( 0 ) ';
350 }
351 else {
352 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
353 }
354 }
355
356 /**
357 * @param int $type
358 * @param int $eventID
359 * @param string $context
360 *
361 * @return array|null
362 */
363 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
364 if (!empty($context)) {
365 if (CRM_Core_Permission::check($context)) {
366 return TRUE;
367 }
368 }
369 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
370 $includeEvents = [];
371
372 // check if user has all powerful permission
373 if (self::check('register for events')) {
374 $includeEvents = array_keys($events);
375 }
376
377 if ($type == CRM_Core_Permission::VIEW &&
378 self::check('view event info')
379 ) {
380 $includeEvents = array_keys($events);
381 }
382
383 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
384 if (!$eventID) {
385 return $permissionedEvents;
386 }
387 if (!empty($permissionedEvents)) {
388 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
389 }
390 return NULL;
391 }
392
393 /**
394 * @param int $type
395 * @param null $prefix
396 *
397 * @return string
398 */
399 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
400 $events = self::event($type);
401 if (empty($events)) {
402 return ' ( 0 ) ';
403 }
404 else {
405 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
406 }
407 }
408
409 /**
410 * Checks that component is enabled and optionally that user has basic perm.
411 *
412 * @param string $module
413 * Specifies the name of the CiviCRM component.
414 * @param bool $checkPermission
415 * Check not only that module is enabled, but that user has necessary
416 * permission.
417 * @param bool $requireAllCasesPermOnCiviCase
418 * Significant only if $module == CiviCase
419 * Require "access all cases and activities", not just
420 * "access my cases and activities".
421 *
422 * @return bool
423 * Access to specified $module is granted.
424 */
425 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
426 $config = CRM_Core_Config::singleton();
427
428 if (!in_array($module, $config->enableComponents)) {
429 return FALSE;
430 }
431
432 if ($checkPermission) {
433 switch ($module) {
434 case 'CiviCase':
435 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
436 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
437 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
438
439 case 'CiviCampaign':
440 return CRM_Core_Permission::check("administer $module");
441
442 default:
443 return CRM_Core_Permission::check("access $module");
444 }
445 }
446
447 return TRUE;
448 }
449
450 /**
451 * Check permissions for delete and edit actions.
452 *
453 * @param string $module
454 * Component name.
455 * @param int $action
456 * Action to be check across component.
457 *
458 *
459 * @return bool
460 */
461 public static function checkActionPermission($module, $action) {
462 //check delete related permissions.
463 if ($action & CRM_Core_Action::DELETE) {
464 $permissionName = "delete in $module";
465 }
466 else {
467 $editPermissions = [
468 'CiviEvent' => 'edit event participants',
469 'CiviMember' => 'edit memberships',
470 'CiviPledge' => 'edit pledges',
471 'CiviContribute' => 'edit contributions',
472 'CiviGrant' => 'edit grants',
473 'CiviMail' => 'access CiviMail',
474 'CiviAuction' => 'add auction items',
475 ];
476 $permissionName = $editPermissions[$module] ?? NULL;
477 }
478
479 if ($module == 'CiviCase' && !$permissionName) {
480 return CRM_Case_BAO_Case::accessCiviCase();
481 }
482 else {
483 //check for permission.
484 return CRM_Core_Permission::check($permissionName);
485 }
486 }
487
488 /**
489 * @param $args
490 * @param string $op
491 *
492 * @return bool
493 */
494 public static function checkMenu(&$args, $op = 'and') {
495 if (!is_array($args)) {
496 return $args;
497 }
498 foreach ($args as $str) {
499 $res = CRM_Core_Permission::check($str);
500 if ($op == 'or' && $res) {
501 return TRUE;
502 }
503 elseif ($op == 'and' && !$res) {
504 return FALSE;
505 }
506 }
507 return ($op == 'or') ? FALSE : TRUE;
508 }
509
510 /**
511 * @param $item
512 *
513 * @return bool|mixed
514 * @throws Exception
515 */
516 public static function checkMenuItem(&$item) {
517 if (!array_key_exists('access_callback', $item)) {
518 CRM_Core_Error::backtrace();
519 throw new CRM_Core_Exception('Missing Access Callback key in menu item');
520 }
521
522 // if component_id is present, ensure it is enabled
523 if (isset($item['component_id']) && $item['component_id']) {
524 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
525 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
526 }
527 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
528
529 $config = CRM_Core_Config::singleton();
530 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
531 // continue with process
532 }
533 else {
534 return FALSE;
535 }
536 }
537
538 // the following is imitating drupal 6 code in includes/menu.inc
539 if (empty($item['access_callback']) ||
540 is_numeric($item['access_callback'])
541 ) {
542 return (bool) $item['access_callback'];
543 }
544
545 // check whether the following Ajax requests submitted the right key
546 // FIXME: this should be integrated into ACLs proper
547 if (CRM_Utils_Array::value('page_type', $item) == 3) {
548 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
549 return FALSE;
550 }
551 }
552
553 // check if callback is for checkMenu, if so optimize it
554 if (is_array($item['access_callback']) &&
555 $item['access_callback'][0] == 'CRM_Core_Permission' &&
556 $item['access_callback'][1] == 'checkMenu'
557 ) {
558 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
559 return self::checkMenu($item['access_arguments'][0], $op);
560 }
561 else {
562 return call_user_func_array($item['access_callback'], $item['access_arguments']);
563 }
564 }
565
566 /**
567 * @param bool $all
568 * Include disabled components
569 * @param bool $descriptions
570 * Whether to return descriptions
571 *
572 * @return array
573 */
574 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
575 $cacheKey = implode('-', [$all, $descriptions]);
576 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
577 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
578 }
579 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
580 }
581
582 /**
583 * @param bool $all
584 * @param bool $descriptions
585 * whether to return descriptions
586 *
587 * @return array
588 */
589 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
590 $config = CRM_Core_Config::singleton();
591 $prefix = ts('CiviCRM') . ': ';
592 $permissions = self::getCorePermissions($descriptions);
593
594 if (self::isMultisiteEnabled()) {
595 $permissions['administer Multiple Organizations'] = [$prefix . ts('administer Multiple Organizations')];
596 }
597
598 if (!$descriptions) {
599 foreach ($permissions as $name => $attr) {
600 $permissions[$name] = array_shift($attr);
601 }
602 }
603 if (!$all) {
604 $components = CRM_Core_Component::getEnabledComponents();
605 }
606 else {
607 $components = CRM_Core_Component::getComponents();
608 }
609
610 foreach ($components as $comp) {
611 $perm = $comp->getPermissions($all, $descriptions);
612 if ($perm) {
613 $info = $comp->getInfo();
614 foreach ($perm as $p => $attr) {
615
616 if (!is_array($attr)) {
617 $attr = [$attr];
618 }
619
620 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
621
622 if ($descriptions) {
623 $permissions[$p] = $attr;
624 }
625 else {
626 $permissions[$p] = $attr[0];
627 }
628 }
629 }
630 }
631
632 // Add any permissions defined in hook_civicrm_permission implementations.
633 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
634 $permissions = array_merge($permissions, $module_permissions);
635 return $permissions;
636 }
637
638 /**
639 * @return array
640 */
641 public static function getAnonymousPermissionsWarnings() {
642 static $permissions = [];
643 if (empty($permissions)) {
644 $permissions = [
645 'administer CiviCRM',
646 ];
647 $components = CRM_Core_Component::getComponents();
648 foreach ($components as $comp) {
649 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
650 continue;
651 }
652 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
653 }
654 }
655 return $permissions;
656 }
657
658 /**
659 * @param $anonymous_perms
660 *
661 * @return array
662 */
663 public static function validateForPermissionWarnings($anonymous_perms) {
664 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
665 }
666
667 /**
668 * Get core permissions.
669 *
670 * @return array
671 */
672 public static function getCorePermissions() {
673 $prefix = ts('CiviCRM') . ': ';
674 $permissions = [
675 'add contacts' => [
676 $prefix . ts('add contacts'),
677 ts('Create a new contact record in CiviCRM'),
678 ],
679 'view all contacts' => [
680 $prefix . ts('view all contacts'),
681 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
682 ],
683 'edit all contacts' => [
684 $prefix . ts('edit all contacts'),
685 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
686 ],
687 'view my contact' => [
688 $prefix . ts('view my contact'),
689 ],
690 'edit my contact' => [
691 $prefix . ts('edit my contact'),
692 ],
693 'delete contacts' => [
694 $prefix . ts('delete contacts'),
695 ],
696 'access deleted contacts' => [
697 $prefix . ts('access deleted contacts'),
698 ts('Access contacts in the trash'),
699 ],
700 'import contacts' => [
701 $prefix . ts('import contacts'),
702 ts('Import contacts and activities'),
703 ],
704 'import SQL datasource' => [
705 $prefix . ts('import SQL datasource'),
706 ts('When importing, consume data directly from a SQL datasource'),
707 ],
708 'edit groups' => [
709 $prefix . ts('edit groups'),
710 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
711 ],
712 'administer CiviCRM' => [
713 $prefix . ts('administer CiviCRM'),
714 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
715 ],
716 'skip IDS check' => [
717 $prefix . ts('skip IDS check'),
718 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
719 ],
720 'access uploaded files' => [
721 $prefix . ts('access uploaded files'),
722 ts('View / download files including images and photos'),
723 ],
724 'profile listings and forms' => [
725 $prefix . ts('profile listings and forms'),
726 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
727 ],
728 'profile listings' => [
729 $prefix . ts('profile listings'),
730 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
731 ],
732 'profile create' => [
733 $prefix . ts('profile create'),
734 ts('Add data in a profile form.'),
735 ],
736 'profile edit' => [
737 $prefix . ts('profile edit'),
738 ts('Edit data in a profile form.'),
739 ],
740 'profile view' => [
741 $prefix . ts('profile view'),
742 ts('View data in a profile.'),
743 ],
744 'access all custom data' => [
745 $prefix . ts('access all custom data'),
746 ts('View all custom fields regardless of ACL rules'),
747 ],
748 'view all activities' => [
749 $prefix . ts('view all activities'),
750 ts('View all activities (for visible contacts)'),
751 ],
752 'delete activities' => [
753 $prefix . ts('Delete activities'),
754 ],
755 'edit inbound email basic information' => [
756 $prefix . ts('edit inbound email basic information'),
757 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
758 ],
759 'edit inbound email basic information and content' => [
760 $prefix . ts('edit inbound email basic information and content'),
761 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
762 ],
763 'access CiviCRM' => [
764 $prefix . ts('access CiviCRM backend and API'),
765 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
766 ],
767 'access Contact Dashboard' => [
768 $prefix . ts('access Contact Dashboard'),
769 ts('View Contact Dashboard (for themselves and visible contacts)'),
770 ],
771 'translate CiviCRM' => [
772 $prefix . ts('translate CiviCRM'),
773 ts('Allow User to enable multilingual'),
774 ],
775 'manage tags' => [
776 $prefix . ts('manage tags'),
777 ts('Create and rename tags'),
778 ],
779 'administer reserved groups' => [
780 $prefix . ts('administer reserved groups'),
781 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
782 ],
783 'administer Tagsets' => [
784 $prefix . ts('administer Tagsets'),
785 ],
786 'administer reserved tags' => [
787 $prefix . ts('administer reserved tags'),
788 ],
789 'administer dedupe rules' => [
790 $prefix . ts('administer dedupe rules'),
791 ts('Create and edit rules, change the supervised and unsupervised rules'),
792 ],
793 'merge duplicate contacts' => [
794 $prefix . ts('merge duplicate contacts'),
795 ts('Delete Contacts must also be granted in order for this to work.'),
796 ],
797 'force merge duplicate contacts' => [
798 $prefix . ts('force merge duplicate contacts'),
799 ts('Delete Contacts must also be granted in order for this to work.'),
800 ],
801 'view debug output' => [
802 $prefix . ts('view debug output'),
803 ts('View results of debug and backtrace'),
804 ],
805
806 'view all notes' => [
807 $prefix . ts('view all notes'),
808 ts("View notes (for visible contacts) even if they're marked admin only"),
809 ],
810 'add contact notes' => [
811 $prefix . ts('add contact notes'),
812 ts("Create notes for contacts"),
813 ],
814 'access AJAX API' => [
815 $prefix . ts('access AJAX API'),
816 ts('Allow API access even if Access CiviCRM is not granted'),
817 ],
818 'access contact reference fields' => [
819 $prefix . ts('access contact reference fields'),
820 ts('Allow entering data into contact reference fields'),
821 ],
822 'create manual batch' => [
823 $prefix . ts('create manual batch'),
824 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
825 ],
826 'edit own manual batches' => [
827 $prefix . ts('edit own manual batches'),
828 ts('Edit accounting batches created by user'),
829 ],
830 'edit all manual batches' => [
831 $prefix . ts('edit all manual batches'),
832 ts('Edit all accounting batches'),
833 ],
834 'close own manual batches' => [
835 $prefix . ts('close own manual batches'),
836 ts('Close accounting batches created by user (with Access to CiviContribute)'),
837 ],
838 'close all manual batches' => [
839 $prefix . ts('close all manual batches'),
840 ts('Close all accounting batches (with Access to CiviContribute)'),
841 ],
842 'reopen own manual batches' => [
843 $prefix . ts('reopen own manual batches'),
844 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
845 ],
846 'reopen all manual batches' => [
847 $prefix . ts('reopen all manual batches'),
848 ts('Reopen all accounting batches (with Access to CiviContribute)'),
849 ],
850 'view own manual batches' => [
851 $prefix . ts('view own manual batches'),
852 ts('View accounting batches created by user (with Access to CiviContribute)'),
853 ],
854 'view all manual batches' => [
855 $prefix . ts('view all manual batches'),
856 ts('View all accounting batches (with Access to CiviContribute)'),
857 ],
858 'delete own manual batches' => [
859 $prefix . ts('delete own manual batches'),
860 ts('Delete accounting batches created by user'),
861 ],
862 'delete all manual batches' => [
863 $prefix . ts('delete all manual batches'),
864 ts('Delete all accounting batches'),
865 ],
866 'export own manual batches' => [
867 $prefix . ts('export own manual batches'),
868 ts('Export accounting batches created by user'),
869 ],
870 'export all manual batches' => [
871 $prefix . ts('export all manual batches'),
872 ts('Export all accounting batches'),
873 ],
874 'administer payment processors' => [
875 $prefix . ts('administer payment processors'),
876 ts('Add, Update, or Disable Payment Processors'),
877 ],
878 'edit message templates' => [
879 $prefix . ts('edit message templates'),
880 ],
881 'edit system workflow message templates' => [
882 $prefix . ts('edit system workflow message templates'),
883 ],
884 'edit user-driven message templates' => [
885 $prefix . ts('edit user-driven message templates'),
886 ],
887 'view my invoices' => [
888 $prefix . ts('view my invoices'),
889 ts('Allow users to view/ download their own invoices'),
890 ],
891 'edit api keys' => [
892 $prefix . ts('edit api keys'),
893 ts('Edit API keys'),
894 ],
895 'edit own api keys' => [
896 $prefix . ts('edit own api keys'),
897 ts('Edit user\'s own API keys'),
898 ],
899 'send SMS' => [
900 $prefix . ts('send SMS'),
901 ts('Send an SMS'),
902 ],
903 'administer CiviCRM system' => [
904 'label' => $prefix . ts('administer CiviCRM System'),
905 'description' => ts('Perform all system administration tasks in CiviCRM'),
906 ],
907 'administer CiviCRM data' => [
908 'label' => $prefix . ts('administer CiviCRM Data'),
909 'description' => ts('Permit altering all restricted data options'),
910 ],
911 ];
912 foreach (self::getImpliedPermissions() as $name => $includes) {
913 foreach ($includes as $permission) {
914 $permissions[$name][] = $permissions[$permission];
915 }
916 }
917 return $permissions;
918 }
919
920 /**
921 * Get permissions implied by 'superset' permissions.
922 *
923 * @return array
924 */
925 public static function getImpliedPermissions() {
926 return [
927 'administer CiviCRM' => ['administer CiviCRM system', 'administer CiviCRM data'],
928 'administer CiviCRM data' => ['edit message templates', 'administer dedupe rules'],
929 'administer CiviCRM system' => ['edit system workflow message templates'],
930 ];
931 }
932
933 /**
934 * Get any super-permissions that imply the given permission.
935 *
936 * @param string $permission
937 *
938 * @return array
939 */
940 public static function getImpliedPermissionsFor(string $permission) {
941 $return = [];
942 foreach (self::getImpliedPermissions() as $superPermission => $components) {
943 if (in_array($permission, $components, TRUE)) {
944 $return[$superPermission] = $superPermission;
945 }
946 }
947 return $return;
948 }
949
950 /**
951 * For each entity provides an array of permissions required for each action
952 *
953 * The action is the array key, possible values:
954 * * create: applies to create (with no id in params)
955 * * update: applies to update, setvalue, create (with id in params)
956 * * get: applies to getcount, getsingle, getvalue and other gets
957 * * delete: applies to delete, replace
958 * * meta: applies to getfields, getoptions, getspec
959 * * default: catch-all for anything not declared
960 *
961 * Note: some APIs declare other actions as well
962 *
963 * Permissions should use arrays for AND and arrays of arrays for OR
964 * @see CRM_Core_Permission::check
965 *
966 * @return array of permissions
967 */
968 public static function getEntityActionPermissions() {
969 $permissions = [];
970 // These are the default permissions - if any entity does not declare permissions for a given action,
971 // (or the entity does not declare permissions at all) - then the action will be used from here
972 $permissions['default'] = [
973 // applies to getfields, getoptions, etc.
974 'meta' => ['access CiviCRM'],
975 // catch-all, applies to create, get, delete, etc.
976 // If an entity declares it's own 'default' action it will override this one
977 'default' => ['administer CiviCRM'],
978 ];
979
980 // Note: Additional permissions in DynamicFKAuthorization
981 $permissions['attachment'] = [
982 'default' => [
983 ['access CiviCRM', 'access AJAX API'],
984 ],
985 ];
986
987 // Contact permissions
988 $permissions['contact'] = [
989 'create' => [
990 'access CiviCRM',
991 'add contacts',
992 ],
993 'delete' => [
994 'access CiviCRM',
995 'delete contacts',
996 ],
997 // managed by query object
998 'get' => [],
999 // managed by _civicrm_api3_check_edit_permissions
1000 'update' => [],
1001 'getquick' => [
1002 ['access CiviCRM', 'access AJAX API'],
1003 ],
1004 'duplicatecheck' => [
1005 'access CiviCRM',
1006 ],
1007 'merge' => ['merge duplicate contacts'],
1008 ];
1009
1010 $permissions['dedupe'] = [
1011 'getduplicates' => ['access CiviCRM'],
1012 'getstatistics' => ['access CiviCRM'],
1013 ];
1014
1015 // CRM-16963 - Permissions for country.
1016 $permissions['country'] = [
1017 'get' => [
1018 'access CiviCRM',
1019 ],
1020 'default' => [
1021 'administer CiviCRM',
1022 ],
1023 ];
1024
1025 // Contact-related data permissions.
1026 $permissions['address'] = [
1027 // get is managed by BAO::addSelectWhereClause
1028 // create/delete are managed by _civicrm_api3_check_edit_permissions
1029 'default' => [],
1030 ];
1031 $permissions['email'] = $permissions['address'];
1032 $permissions['phone'] = $permissions['address'];
1033 $permissions['website'] = $permissions['address'];
1034 $permissions['im'] = $permissions['address'];
1035 $permissions['open_i_d'] = $permissions['address'];
1036
1037 // Also managed by ACLs - CRM-19448
1038 $permissions['entity_tag'] = ['default' => []];
1039 $permissions['note'] = $permissions['entity_tag'];
1040
1041 // Allow non-admins to get and create tags to support tagset widget
1042 // Delete is still reserved for admins
1043 $permissions['tag'] = [
1044 'get' => ['access CiviCRM'],
1045 'create' => ['access CiviCRM'],
1046 'update' => ['access CiviCRM'],
1047 ];
1048
1049 //relationship permissions
1050 $permissions['relationship'] = [
1051 // get is managed by BAO::addSelectWhereClause
1052 'get' => [],
1053 'delete' => [
1054 'access CiviCRM',
1055 'edit all contacts',
1056 ],
1057 'default' => [
1058 'access CiviCRM',
1059 'edit all contacts',
1060 ],
1061 ];
1062
1063 // CRM-17741 - Permissions for RelationshipType.
1064 $permissions['relationship_type'] = [
1065 'get' => [
1066 'access CiviCRM',
1067 ],
1068 'default' => [
1069 'administer CiviCRM',
1070 ],
1071 ];
1072
1073 // Activity permissions
1074 $permissions['activity'] = [
1075 'delete' => [
1076 'access CiviCRM',
1077 'delete activities',
1078 ],
1079 'get' => [
1080 'access CiviCRM',
1081 // Note that view all activities is also required within the api
1082 // if the id is not passed in. Where the id is passed in the activity
1083 // specific check functions are used and tested.
1084 ],
1085 'default' => [
1086 'access CiviCRM',
1087 'view all activities',
1088 ],
1089 ];
1090 $permissions['activity_contact'] = $permissions['activity'];
1091
1092 // Case permissions
1093 $permissions['case'] = [
1094 'create' => [
1095 'access CiviCRM',
1096 'add cases',
1097 ],
1098 'delete' => [
1099 'access CiviCRM',
1100 'delete in CiviCase',
1101 ],
1102 'restore' => [
1103 'administer CiviCase',
1104 ],
1105 'merge' => [
1106 'administer CiviCase',
1107 ],
1108 'default' => [
1109 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
1110 ['access my cases and activities', 'access all cases and activities'],
1111 ],
1112 ];
1113 $permissions['case_contact'] = $permissions['case'];
1114
1115 $permissions['case_type'] = [
1116 'default' => ['administer CiviCase'],
1117 'get' => [
1118 // nested array = OR
1119 ['access my cases and activities', 'access all cases and activities'],
1120 ],
1121 ];
1122
1123 // Campaign permissions
1124 $permissions['campaign'] = [
1125 'get' => ['access CiviCRM'],
1126 'default' => [
1127 // nested array = OR
1128 ['administer CiviCampaign', 'manage campaign'],
1129 ],
1130 ];
1131 $permissions['survey'] = $permissions['campaign'];
1132
1133 // Financial permissions
1134 $permissions['contribution'] = [
1135 'get' => [
1136 'access CiviCRM',
1137 'access CiviContribute',
1138 ],
1139 'delete' => [
1140 'access CiviCRM',
1141 'access CiviContribute',
1142 'delete in CiviContribute',
1143 ],
1144 'completetransaction' => [
1145 'edit contributions',
1146 ],
1147 'default' => [
1148 'access CiviCRM',
1149 'access CiviContribute',
1150 'edit contributions',
1151 ],
1152 ];
1153 $permissions['line_item'] = $permissions['contribution'];
1154
1155 // Payment permissions
1156 $permissions['payment'] = [
1157 'get' => [
1158 'access CiviCRM',
1159 'access CiviContribute',
1160 ],
1161 'delete' => [
1162 'access CiviCRM',
1163 'access CiviContribute',
1164 'delete in CiviContribute',
1165 ],
1166 'cancel' => [
1167 'access CiviCRM',
1168 'access CiviContribute',
1169 'edit contributions',
1170 ],
1171 'create' => [
1172 'access CiviCRM',
1173 'access CiviContribute',
1174 'edit contributions',
1175 ],
1176 'default' => [
1177 'access CiviCRM',
1178 'access CiviContribute',
1179 'edit contributions',
1180 ],
1181 ];
1182 $permissions['contribution_recur'] = $permissions['payment'];
1183
1184 // Custom field permissions
1185 $permissions['custom_field'] = [
1186 'default' => [
1187 'administer CiviCRM',
1188 'access all custom data',
1189 ],
1190 ];
1191 $permissions['custom_group'] = $permissions['custom_field'];
1192
1193 // Event permissions
1194 $permissions['event'] = [
1195 'create' => [
1196 'access CiviCRM',
1197 'access CiviEvent',
1198 'edit all events',
1199 ],
1200 'delete' => [
1201 'access CiviCRM',
1202 'access CiviEvent',
1203 'delete in CiviEvent',
1204 ],
1205 'get' => [
1206 'access CiviCRM',
1207 'access CiviEvent',
1208 'view event info',
1209 ],
1210 'update' => [
1211 'access CiviCRM',
1212 'access CiviEvent',
1213 'edit all events',
1214 ],
1215 ];
1216 // Exception refers to dedupe_exception.
1217 $permissions['exception'] = [
1218 'default' => ['merge duplicate contacts'],
1219 ];
1220
1221 $permissions['job'] = [
1222 'process_batch_merge' => ['merge duplicate contacts'],
1223 ];
1224 $permissions['rule_group']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
1225 // Loc block is only used for events
1226 $permissions['loc_block'] = $permissions['event'];
1227
1228 $permissions['state_province'] = [
1229 'get' => [
1230 'access CiviCRM',
1231 ],
1232 ];
1233
1234 // Price sets are shared by several components, user needs access to at least one of them
1235 $permissions['price_set'] = [
1236 'default' => [
1237 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1238 ],
1239 'get' => [
1240 ['access CiviCRM', 'view event info', 'make online contributions'],
1241 ],
1242 ];
1243
1244 // File permissions
1245 $permissions['file'] = [
1246 'default' => [
1247 'access CiviCRM',
1248 'access uploaded files',
1249 ],
1250 ];
1251 $permissions['files_by_entity'] = $permissions['file'];
1252
1253 // Group permissions
1254 $permissions['group'] = [
1255 'get' => [
1256 'access CiviCRM',
1257 ],
1258 'default' => [
1259 'access CiviCRM',
1260 'edit groups',
1261 ],
1262 ];
1263
1264 $permissions['group_nesting'] = $permissions['group'];
1265 $permissions['group_organization'] = $permissions['group'];
1266
1267 //Group Contact permission
1268 $permissions['group_contact'] = [
1269 'get' => [
1270 'access CiviCRM',
1271 ],
1272 'default' => [
1273 'access CiviCRM',
1274 'edit all contacts',
1275 ],
1276 ];
1277
1278 // CiviMail Permissions
1279 $civiMailBasePerms = [
1280 // To get/preview/update, one must have least one of these perms:
1281 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1282 'access CiviMail',
1283 'create mailings',
1284 'schedule mailings',
1285 'approve mailings',
1286 ];
1287 $permissions['mailing'] = [
1288 'get' => [
1289 'access CiviCRM',
1290 $civiMailBasePerms,
1291 ],
1292 'delete' => [
1293 'access CiviCRM',
1294 $civiMailBasePerms,
1295 'delete in CiviMail',
1296 ],
1297 'submit' => [
1298 'access CiviCRM',
1299 ['access CiviMail', 'schedule mailings'],
1300 ],
1301 'default' => [
1302 'access CiviCRM',
1303 $civiMailBasePerms,
1304 ],
1305 ];
1306 $permissions['mailing_group'] = $permissions['mailing'];
1307 $permissions['mailing_job'] = $permissions['mailing'];
1308 $permissions['mailing_recipients'] = $permissions['mailing'];
1309
1310 $permissions['mailing_a_b'] = [
1311 'get' => [
1312 'access CiviCRM',
1313 'access CiviMail',
1314 ],
1315 'delete' => [
1316 'access CiviCRM',
1317 'access CiviMail',
1318 'delete in CiviMail',
1319 ],
1320 'submit' => [
1321 'access CiviCRM',
1322 ['access CiviMail', 'schedule mailings'],
1323 ],
1324 'default' => [
1325 'access CiviCRM',
1326 'access CiviMail',
1327 ],
1328 ];
1329
1330 // Membership permissions
1331 $permissions['membership'] = [
1332 'get' => [
1333 'access CiviCRM',
1334 'access CiviMember',
1335 ],
1336 'delete' => [
1337 'access CiviCRM',
1338 'access CiviMember',
1339 'delete in CiviMember',
1340 ],
1341 'default' => [
1342 'access CiviCRM',
1343 'access CiviMember',
1344 'edit memberships',
1345 ],
1346 ];
1347 $permissions['membership_status'] = $permissions['membership'];
1348 $permissions['membership_type'] = $permissions['membership'];
1349 $permissions['membership_payment'] = [
1350 'create' => [
1351 'access CiviCRM',
1352 'access CiviMember',
1353 'edit memberships',
1354 'access CiviContribute',
1355 'edit contributions',
1356 ],
1357 'delete' => [
1358 'access CiviCRM',
1359 'access CiviMember',
1360 'delete in CiviMember',
1361 'access CiviContribute',
1362 'delete in CiviContribute',
1363 ],
1364 'get' => [
1365 'access CiviCRM',
1366 'access CiviMember',
1367 'access CiviContribute',
1368 ],
1369 'update' => [
1370 'access CiviCRM',
1371 'access CiviMember',
1372 'edit memberships',
1373 'access CiviContribute',
1374 'edit contributions',
1375 ],
1376 ];
1377
1378 // Participant permissions
1379 $permissions['participant'] = [
1380 'create' => [
1381 'access CiviCRM',
1382 'access CiviEvent',
1383 'register for events',
1384 ],
1385 'delete' => [
1386 'access CiviCRM',
1387 'access CiviEvent',
1388 'edit event participants',
1389 ],
1390 'get' => [
1391 'access CiviCRM',
1392 'access CiviEvent',
1393 'view event participants',
1394 ],
1395 'update' => [
1396 'access CiviCRM',
1397 'access CiviEvent',
1398 'edit event participants',
1399 ],
1400 ];
1401 $permissions['participant_payment'] = [
1402 'create' => [
1403 'access CiviCRM',
1404 'access CiviEvent',
1405 'register for events',
1406 'access CiviContribute',
1407 'edit contributions',
1408 ],
1409 'delete' => [
1410 'access CiviCRM',
1411 'access CiviEvent',
1412 'edit event participants',
1413 'access CiviContribute',
1414 'delete in CiviContribute',
1415 ],
1416 'get' => [
1417 'access CiviCRM',
1418 'access CiviEvent',
1419 'view event participants',
1420 'access CiviContribute',
1421 ],
1422 'update' => [
1423 'access CiviCRM',
1424 'access CiviEvent',
1425 'edit event participants',
1426 'access CiviContribute',
1427 'edit contributions',
1428 ],
1429 ];
1430
1431 // Pledge permissions
1432 $permissions['pledge'] = [
1433 'create' => [
1434 'access CiviCRM',
1435 'access CiviPledge',
1436 'edit pledges',
1437 ],
1438 'delete' => [
1439 'access CiviCRM',
1440 'access CiviPledge',
1441 'delete in CiviPledge',
1442 ],
1443 'get' => [
1444 'access CiviCRM',
1445 'access CiviPledge',
1446 ],
1447 'update' => [
1448 'access CiviCRM',
1449 'access CiviPledge',
1450 'edit pledges',
1451 ],
1452 ];
1453
1454 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
1455 $permissions['action_schedule'] = [
1456 'update' => [
1457 [
1458 'access CiviCRM',
1459 'edit all events',
1460 ],
1461 ],
1462 ];
1463
1464 $permissions['pledge_payment'] = [
1465 'create' => [
1466 'access CiviCRM',
1467 'access CiviPledge',
1468 'edit pledges',
1469 'access CiviContribute',
1470 'edit contributions',
1471 ],
1472 'delete' => [
1473 'access CiviCRM',
1474 'access CiviPledge',
1475 'delete in CiviPledge',
1476 'access CiviContribute',
1477 'delete in CiviContribute',
1478 ],
1479 'get' => [
1480 'access CiviCRM',
1481 'access CiviPledge',
1482 'access CiviContribute',
1483 ],
1484 'update' => [
1485 'access CiviCRM',
1486 'access CiviPledge',
1487 'edit pledges',
1488 'access CiviContribute',
1489 'edit contributions',
1490 ],
1491 ];
1492
1493 // Dashboard permissions
1494 $permissions['dashboard'] = [
1495 'get' => [
1496 'access CiviCRM',
1497 ],
1498 ];
1499 $permissions['dashboard_contact'] = [
1500 'default' => [
1501 'access CiviCRM',
1502 ],
1503 ];
1504
1505 // Profile permissions
1506 $permissions['profile'] = [
1507 // the profile will take care of this
1508 'get' => [],
1509 ];
1510
1511 $permissions['uf_group'] = [
1512 'create' => [
1513 'access CiviCRM',
1514 [
1515 'administer CiviCRM',
1516 'manage event profiles',
1517 ],
1518 ],
1519 'get' => [
1520 'access CiviCRM',
1521 ],
1522 'update' => [
1523 'access CiviCRM',
1524 [
1525 'administer CiviCRM',
1526 'manage event profiles',
1527 ],
1528 ],
1529 ];
1530 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
1531 $permissions['uf_field']['delete'] = [
1532 'access CiviCRM',
1533 [
1534 'administer CiviCRM',
1535 'manage event profiles',
1536 ],
1537 ];
1538 $permissions['option_value'] = $permissions['uf_group'];
1539 $permissions['option_group'] = $permissions['option_value'];
1540
1541 $permissions['custom_value'] = [
1542 'gettree' => ['access CiviCRM'],
1543 ];
1544
1545 $permissions['message_template'] = [
1546 'get' => ['access CiviCRM'],
1547 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1548 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1549 ];
1550
1551 $permissions['report_template']['update'] = 'save Report Criteria';
1552 $permissions['report_template']['create'] = 'save Report Criteria';
1553 return $permissions;
1554 }
1555
1556 /**
1557 * Translate an unknown action to a canonical form.
1558 *
1559 * @param string $action
1560 *
1561 * @return string
1562 * the standardised action name
1563 */
1564 public static function getGenericAction($action) {
1565 $snippet = substr($action, 0, 3);
1566 if ($action == 'replace' || $snippet == 'del') {
1567 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1568 // on each of those will be tested separately at runtime. This is just a sniff-test
1569 // based on the heuristic that 'delete' tends to be the most closely guarded
1570 // of the necessary permissions.
1571 $action = 'delete';
1572 }
1573 elseif ($action == 'setvalue' || $snippet == 'upd') {
1574 $action = 'update';
1575 }
1576 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1577 $action = 'meta';
1578 }
1579 elseif ($snippet == 'get') {
1580 $action = 'get';
1581 }
1582 return $action;
1583 }
1584
1585 /**
1586 * Validate user permission across.
1587 * edit or view or with supportable acls.
1588 *
1589 * @return bool
1590 */
1591 public static function giveMeAllACLs() {
1592 if (CRM_Core_Permission::check('view all contacts') ||
1593 CRM_Core_Permission::check('edit all contacts')
1594 ) {
1595 return TRUE;
1596 }
1597
1598 $session = CRM_Core_Session::singleton();
1599 $contactID = $session->get('userID');
1600
1601 //check for acl.
1602 $aclPermission = self::getPermission();
1603 if (in_array($aclPermission, [
1604 CRM_Core_Permission::EDIT,
1605 CRM_Core_Permission::VIEW,
1606 ])
1607 ) {
1608 return TRUE;
1609 }
1610
1611 // run acl where hook and see if the user is supplying an ACL clause
1612 // that is not false
1613 $tables = $whereTables = [];
1614 $where = NULL;
1615
1616 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1617 $tables, $whereTables,
1618 $contactID, $where
1619 );
1620 return empty($whereTables) ? FALSE : TRUE;
1621 }
1622
1623 /**
1624 * Get component name from given permission.
1625 *
1626 * @param string $permission
1627 *
1628 * @return null|string
1629 * the name of component.
1630 */
1631 public static function getComponentName($permission) {
1632 $componentName = NULL;
1633 $permission = trim($permission);
1634 if (empty($permission)) {
1635 return $componentName;
1636 }
1637
1638 static $allCompPermissions = [];
1639 if (empty($allCompPermissions)) {
1640 $components = CRM_Core_Component::getComponents();
1641 foreach ($components as $name => $comp) {
1642 //get all permissions of each components unconditionally
1643 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
1644 }
1645 }
1646
1647 if (is_array($allCompPermissions)) {
1648 foreach ($allCompPermissions as $name => $permissions) {
1649 if (array_key_exists($permission, $permissions)) {
1650 $componentName = $name;
1651 break;
1652 }
1653 }
1654 }
1655
1656 return $componentName;
1657 }
1658
1659 /**
1660 * Get all the contact emails for users that have a specific permission.
1661 *
1662 * @param string $permissionName
1663 * Name of the permission we are interested in.
1664 *
1665 * @return string
1666 * a comma separated list of email addresses
1667 */
1668 public static function permissionEmails($permissionName) {
1669 $config = CRM_Core_Config::singleton();
1670 return $config->userPermissionClass->permissionEmails($permissionName);
1671 }
1672
1673 /**
1674 * Get all the contact emails for users that have a specific role.
1675 *
1676 * @param string $roleName
1677 * Name of the role we are interested in.
1678 *
1679 * @return string
1680 * a comma separated list of email addresses
1681 */
1682 public static function roleEmails($roleName) {
1683 $config = CRM_Core_Config::singleton();
1684 return $config->userRoleClass->roleEmails($roleName);
1685 }
1686
1687 /**
1688 * @return bool
1689 */
1690 public static function isMultisiteEnabled() {
1691 return (bool) Civi::settings()->get('is_enabled');
1692 }
1693
1694 /**
1695 * Verify if the user has permission to get the invoice.
1696 *
1697 * @return bool
1698 * TRUE if the user has download all invoices permission or download my
1699 * invoices permission and the invoice author is the current user.
1700 */
1701 public static function checkDownloadInvoice() {
1702 $cid = CRM_Core_Session::getLoggedInContactID();
1703 if (CRM_Core_Permission::check('access CiviContribute') ||
1704 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1705 ) {
1706 return TRUE;
1707 }
1708 return FALSE;
1709 }
1710
1711 }