projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CRM-12503
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.3 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2013 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2013
32 * $Id$
33 *
34 */
35
36 /**
37 * This is the basic permission class wrapper
38 */
39 class CRM_Core_Permission {
40
41 /**
42 * Static strings used to compose permissions
43 *
44 * @const
45 * @var string
46 */
47 CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
48
49 /**
50 * The various type of permissions
51 *
52 * @var int
53 */
54 CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
55
56 /**
57 * get the current permission of this user
58 *
59 * @return string the permission of the user (edit or view or null)
60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
63 return $config->userPermissionClass->getPermission( );
64 }
65
66 /**
67 * given a permission string, check for access requirements
68 *
69 * @param string $str the permission to check
70 *
71 * @return boolean true if yes, else false
72 * @static
73 * @access public
74 */
75 static function check($str) {
76 $config = CRM_Core_Config::singleton();
77 return $config->userPermissionClass->check( $str );
78 }
79
80 /**
81 * Determine if any one of the permissions strings applies to current user
82 *
83 * @param array $perms
84 * @return bool
85 */
86 public static function checkAnyPerm($perms) {
87 foreach ($perms as $perm) {
88 if (CRM_Core_Permission::check($perm)) {
89 return TRUE;
90 }
91 }
92 return FALSE;
93 }
94
95 /**
96 * Given a group/role array, check for access requirements
97 *
98 * @param array $array the group/role to check
99 *
100 * @return boolean true if yes, else false
101 * @static
102 * @access public
103 */
104 static function checkGroupRole($array) {
105 $config = CRM_Core_Config::singleton();
106 return $config->userPermissionClass->checkGroupRole( $array );
107 }
108
109 /**
110 * Get the permissioned where clause for the user
111 *
112 * @param int $type the type of permission needed
113 * @param array $tables (reference ) add the tables that are needed for the select clause
114 * @param array $whereTables (reference ) add the tables that are needed for the where clause
115 *
116 * @return string the group where clause for this user
117 * @access public
118 */
119 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
120 $config = CRM_Core_Config::singleton();
121 return $config->userPermissionClass->getPermissionedStaticGroupClause( $type, $tables, $whereTables );
122 }
123
124 /**
125 * Get all groups from database, filtered by permissions
126 * for this user
127 *
128 * @param string $groupType type of group(Access/Mailing)
129 * @param boolen $excludeHidden exclude hidden groups.
130 *
131 * @access public
132 * @static
133 *
134 * @return array - array reference of all groups.
135 *
136 */
137 public static function group($groupType, $excludeHidden = TRUE) {
138 $config = CRM_Core_Config::singleton();
139 return $config->userPermissionClass->group( $groupType, $excludeHidden );
140 }
141
142 public static function customGroupAdmin() {
143 $admin = FALSE;
144
145 // check if user has all powerful permission
146 // or administer civicrm permission (CRM-1905)
147 if (self::check('access all custom data')) {
148 return TRUE;
149 }
150
151 if (self::check('administer Multiple Organizations') &&
152 self::isMultisiteEnabled()
153 ) {
154 return TRUE;
155 }
156
157 if (self::check('administer CiviCRM')) {
158 return TRUE;
159 }
160
161 return FALSE;
162 }
163
164 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
165 $customGroups = CRM_Core_PseudoConstant::customGroup($reset);
166 $defaultGroups = array();
167
168 // check if user has all powerful permission
169 // or administer civicrm permission (CRM-1905)
170 if (self::customGroupAdmin()) {
171 $defaultGroups = array_keys($customGroups);
172 }
173
174 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
175 }
176
177 static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
178 if (self::customGroupAdmin()) {
179 return ' ( 1 ) ';
180 }
181
182 $groups = self::customGroup($type, $reset);
183 if (empty($groups)) {
184 return ' ( 0 ) ';
185 }
186 else {
187 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
188 }
189 }
190
191 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
192 if (empty($gid)) {
193 return TRUE;
194 }
195
196 $groups = self::ufGroup($type);
197 return in_array($gid, $groups) ? TRUE : FALSE;
198 }
199
200 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
201 $ufGroups = CRM_Core_PseudoConstant::ufGroup();
202
203 $allGroups = array_keys($ufGroups);
204
205 // check if user has all powerful permission
206 if (self::check('profile listings and forms')) {
207 return $allGroups;
208 }
209
210 switch ($type) {
211 case CRM_Core_Permission::VIEW:
212 if (self::check('profile view')) {
213 return $allGroups;
214 }
215 break;
216
217 case CRM_Core_Permission::CREATE:
218 if (self::check('profile create')) {
219 return $allGroups;
220 }
221 break;
222
223 case CRM_Core_Permission::EDIT:
224 if (self::check('profile edit')) {
225 return $allGroups;
226 }
227 break;
228
229 case CRM_Core_Permission::SEARCH:
230 if (self::check('profile listings')) {
231 return $allGroups;
232 }
233 break;
234 }
235
236 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
237 }
238
239 static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
240 $groups = self::ufGroup($type);
241 if ($returnUFGroupIds) {
242 return $groups;
243 }
244 elseif (empty($groups)) {
245 return ' ( 0 ) ';
246 }
247 else {
248 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
249 }
250 }
251
252 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
253 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
254 $includeEvents = array();
255
256 // check if user has all powerful permission
257 if (self::check('register for events')) {
258 $includeEvents = array_keys($events);
259 }
260
261 if ($type == CRM_Core_Permission::VIEW &&
262 self::check('view event info')
263 ) {
264 $includeEvents = array_keys($events);
265 }
266
267 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
268 if (!$eventID) {
269 return $permissionedEvents;
270 }
271 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
272 }
273
274 static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
275 $events = self::event($type);
276 if (empty($events)) {
277 return ' ( 0 ) ';
278 }
279 else {
280 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
281 }
282 }
283
284 static function access($module, $checkPermission = TRUE) {
285 $config = CRM_Core_Config::singleton();
286
287 if (!in_array($module, $config->enableComponents)) {
288 return FALSE;
289 }
290
291 if ($checkPermission) {
292 if ($module == 'CiviCase') {
293 return CRM_Case_BAO_Case::accessCiviCase();
294 }
295 else {
296 return CRM_Core_Permission::check("access $module");
297 }
298 }
299
300 return TRUE;
301 }
302
303 /**
304 * check permissions for delete and edit actions
305 *
306 * @param string $module component name.
307 * @param $action action to be check across component
308 *
309 **/
310 static function checkActionPermission($module, $action) {
311 //check delete related permissions.
312 if ($action & CRM_Core_Action::DELETE) {
313 $permissionName = "delete in $module";
314 }
315 else {
316 $editPermissions = array(
317 'CiviEvent' => 'edit event participants',
318 'CiviMember' => 'edit memberships',
319 'CiviPledge' => 'edit pledges',
320 'CiviContribute' => 'edit contributions',
321 'CiviGrant' => 'edit grants',
322 'CiviMail' => 'access CiviMail',
323 'CiviAuction' => 'add auction items',
324 );
325 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
326 }
327
328 if ($module == 'CiviCase' && !$permissionName) {
329 return CRM_Case_BAO_Case::accessCiviCase();
330 }
331 else {
332 //check for permission.
333 return CRM_Core_Permission::check($permissionName);
334 }
335 }
336
337 static function checkMenu(&$args, $op = 'and') {
338 if (!is_array($args)) {
339 return $args;
340 }
341 foreach ($args as $str) {
342 $res = CRM_Core_Permission::check($str);
343 if ($op == 'or' && $res) {
344 return TRUE;
345 }
346 elseif ($op == 'and' && !$res) {
347 return FALSE;
348 }
349 }
350 return ($op == 'or') ? FALSE : TRUE;
351 }
352
353 static function checkMenuItem(&$item) {
354 if (!array_key_exists('access_callback', $item)) {
355 CRM_Core_Error::backtrace();
356 CRM_Core_Error::fatal();
357 }
358
359 // if component_id is present, ensure it is enabled
360 if (isset($item['component_id']) &&
361 $item['component_id']
362 ) {
363 $config = CRM_Core_Config::singleton();
364 if (is_array($config->enableComponentIDs) &&
365 in_array($item['component_id'], $config->enableComponentIDs)
366 ) {
367 // continue with process
368 }
369 else {
370 return FALSE;
371 }
372 }
373
374 // the following is imitating drupal 6 code in includes/menu.inc
375 if (empty($item['access_callback']) ||
376 is_numeric($item['access_callback'])
377 ) {
378 return (boolean ) $item['access_callback'];
379 }
380
381 // check whether the following Ajax requests submitted the right key
382 // FIXME: this should be integrated into ACLs proper
383 if (CRM_Utils_Array::value('page_type', $item) == 3) {
384 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
385 return FALSE;
386 }
387 }
388
389 // check if callback is for checkMenu, if so optimize it
390 if (is_array($item['access_callback']) &&
391 $item['access_callback'][0] == 'CRM_Core_Permission' &&
392 $item['access_callback'][1] == 'checkMenu'
393 ) {
394 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
395 return self::checkMenu($item['access_arguments'][0], $op);
396 }
397 else {
398 return call_user_func_array($item['access_callback'], $item['access_arguments']);
399 }
400 }
401
402 static function &basicPermissions($all = FALSE) {
403 static $permissions = NULL;
404
405 if (!$permissions) {
406 $prefix = ts('CiviCRM') . ': ';
407 $permissions = self::getCorePermissions();
408
409 if (self::isMultisiteEnabled()) {
410 $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
411 }
412
413 $config = CRM_Core_Config::singleton();
414
415 if (!$all) {
416 $components = CRM_Core_Component::getEnabledComponents();
417 }
418 else {
419 $components = CRM_Core_Component::getComponents();
420 }
421
422 foreach ($components as $comp) {
423 $perm = $comp->getPermissions();
424 if ($perm) {
425 $info = $comp->getInfo();
426 foreach ($perm as $p) {
427 $permissions[$p] = $info['translatedName'] . ': ' . $p;
428 }
429 }
430 }
431
432 // Add any permissions defined in hook_civicrm_permission implementations.
433 $config = CRM_Core_Config::singleton();
434 $module_permissions = $config->userPermissionClass->getAllModulePermissions();
435 $permissions = array_merge($permissions, $module_permissions);
436 }
437
438 return $permissions;
439 }
440
441 static function getCorePermissions() {
442 $prefix = ts('CiviCRM') . ': ';
443 $permissions = array(
444 'add contacts' => $prefix . ts('add contacts'),
445 'view all contacts' => $prefix . ts('view all contacts'),
446 'edit all contacts' => $prefix . ts('edit all contacts'),
447 'delete contacts' => $prefix . ts('delete contacts'),
448 'access deleted contacts' => $prefix . ts('access deleted contacts'),
449 'import contacts' => $prefix . ts('import contacts'),
450 'edit groups' => $prefix . ts('edit groups'),
451 'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
452 'access uploaded files' => $prefix . ts('access uploaded files'),
453 'profile listings and forms' => $prefix . ts('profile listings and forms'),
454 'profile listings' => $prefix . ts('profile listings'),
455 'profile create' => $prefix . ts('profile create'),
456 'profile edit' => $prefix . ts('profile edit'),
457 'profile view' => $prefix . ts('profile view'),
458 'access all custom data' => $prefix . ts('access all custom data'),
459 'view all activities' => $prefix . ts('view all activities'),
460 'delete activities' => $prefix . ts('delete activities'),
461 'access CiviCRM' => $prefix . ts('access CiviCRM'),
462 'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
463 'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
464 'administer reserved groups' => $prefix . ts('administer reserved groups'),
465 'administer Tagsets' => $prefix . ts('administer Tagsets'),
466 'administer reserved tags' => $prefix . ts('administer reserved tags'),
467 'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
468 'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
469 'view debug output' => $prefix . ts('view debug output'),
470 'view all notes' => $prefix . ts('view all notes'),
471 'access AJAX API' => $prefix . ts('access AJAX API'),
472 'access contact reference fields' => $prefix . ts('access contact reference fields'),
473 'create manual batch' => $prefix . ts('create manual batch'),
474 'edit own manual batches' => $prefix . ts('edit own manual batches'),
475 'edit all manual batches' => $prefix . ts('edit all manual batches'),
476 'view own manual batches' => $prefix . ts('view own manual batches'),
477 'view all manual batches' => $prefix . ts('view all manual batches'),
478 'delete own manual batches' => $prefix . ts('delete own manual batches'),
479 'delete all manual batches' => $prefix . ts('delete all manual batches'),
480 'export own manual batches' => $prefix . ts('export own manual batches'),
481 'export all manual batches' => $prefix . ts('export all manual batches'),
482 );
483
484 return $permissions;
485 }
486
487 /**
488 * Validate user permission across
489 * edit or view or with supportable acls.
490 *
491 * return boolean true/false.
492 **/
493 static function giveMeAllACLs() {
494 if (CRM_Core_Permission::check('view all contacts') ||
495 CRM_Core_Permission::check('edit all contacts')
496 ) {
497 return TRUE;
498 }
499
500 $session = CRM_Core_Session::singleton();
501 $contactID = $session->get('userID');
502
503 //check for acl.
504 $aclPermission = self::getPermission();
505 if (in_array($aclPermission, array(
506 CRM_Core_Permission::EDIT,
507 CRM_Core_Permission::VIEW,
508 ))) {
509 return TRUE;
510 }
511
512 // run acl where hook and see if the user is supplying an ACL clause
513 // that is not false
514 $tables = $whereTables = array();
515 $where = NULL;
516
517 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
518 $tables, $whereTables,
519 $contactID, $where
520 );
521 return empty($whereTables) ? FALSE : TRUE;
522 }
523
524 /**
525 * Function to get component name from given permission.
526 *
527 * @param string $permission
528 *
529 * return string $componentName the name of component.
530 * @static
531 */
532 static function getComponentName($permission) {
533 $componentName = NULL;
534 $permission = trim($permission);
535 if (empty($permission)) {
536 return $componentName;
537 }
538
539 static $allCompPermissions = array();
540 if (empty($allCompPermissions)) {
541 $components = CRM_Core_Component::getComponents();
542 foreach ($components as $name => $comp) {
543 //get all permissions of each components unconditionally
544 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
545 }
546 }
547
548 if (is_array($allCompPermissions)) {
549 foreach ($allCompPermissions as $name => $permissions) {
550 if (in_array($permission, $permissions)) {
551 $componentName = $name;
552 break;
553 }
554 }
555 }
556
557 return $componentName;
558 }
559
560 /**
561 * Get all the contact emails for users that have a specific permission
562 *
563 * @param string $permissionName name of the permission we are interested in
564 *
565 * @return string a comma separated list of email addresses
566 */
567 public static function permissionEmails($permissionName) {
568 $config = CRM_Core_Config::singleton();
569 return $config->userPermissionClass->permissionEmails( $permissionName );
570 }
571
572 /**
573 * Get all the contact emails for users that have a specific role
574 *
575 * @param string $roleName name of the role we are interested in
576 *
577 * @return string a comma separated list of email addresses
578 */
579 public static function roleEmails($roleName) {
580 $config = CRM_Core_Config::singleton();
581 return $config->userRoleClass->roleEmails( $roleName );
582 }
583
584 static function isMultisiteEnabled() {
585 return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
586 'is_enabled'
587 ) ? TRUE : FALSE;
588 }
589 }
590