3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2017 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2017
37 * This is the basic permission class wrapper
39 class CRM_Core_Permission
{
42 * Static strings used to compose permissions.
47 const EDIT_GROUPS
= 'edit contacts in ', VIEW_GROUPS
= 'view contacts in ';
50 * The various type of permissions.
54 const EDIT
= 1, VIEW
= 2, DELETE
= 3, CREATE
= 4, SEARCH
= 5, ALL
= 6, ADMIN
= 7;
57 * A placeholder permission which always fails.
59 const ALWAYS_DENY_PERMISSION
= "*always deny*";
62 * A placeholder permission which always fails.
64 const ALWAYS_ALLOW_PERMISSION
= "*always allow*";
67 * Various authentication sources.
71 const AUTH_SRC_UNKNOWN
= 0, AUTH_SRC_CHECKSUM
= 1, AUTH_SRC_SITEKEY
= 2, AUTH_SRC_LOGIN
= 4;
74 * Get the current permission of this user.
77 * the permission of the user (edit or view or null)
79 public static function getPermission() {
80 $config = CRM_Core_Config
::singleton();
81 return $config->userPermissionClass
->getPermission();
85 * Given a permission string or array, check for access requirements
86 * @param mixed $permissions
87 * The permission to check as an array or string -see examples.
92 * Must have 'access CiviCRM'
93 * (string) 'access CiviCRM'
96 * Ex 2 Must have 'access CiviCRM' and 'access Ajax API'
97 * array('access CiviCRM', 'access Ajax API')
99 * Ex 3 Must have 'access CiviCRM' or 'access Ajax API'
101 * array('access CiviCRM', 'access Ajax API'),
104 * Ex 4 Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
106 * array('access CiviCRM', 'access Ajax API'),
107 * 'access CiviEvent',
110 * Note that in permissions.php this is keyed by the action eg.
111 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
112 * 'myaction' => array(
113 * array('access CiviCRM', 'access Ajax API'),
114 * array('access CiviEvent', 'access CiviContribute')
118 * true if yes, else false
120 public static function check($permissions) {
121 $permissions = (array) $permissions;
123 $tempPerm = CRM_Core_Config
::singleton()->userPermissionTemp
;
125 foreach ($permissions as $permission) {
126 if (is_array($permission)) {
127 foreach ($permission as $orPerm) {
128 if (self
::check($orPerm)) {
129 //one of our 'or' permissions has succeeded - stop checking this permission
133 //none of our our conditions was met
137 // This is an individual permission
138 $granted = CRM_Core_Config
::singleton()->userPermissionClass
->check($permission);
139 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
140 CRM_Utils_Hook
::permission_check($permission, $granted);
143 && !($tempPerm && $tempPerm->check($permission))
145 //one of our 'and' conditions has not been met
154 * Determine if any one of the permissions strings applies to current user.
156 * @param array $perms
159 public static function checkAnyPerm($perms) {
160 foreach ($perms as $perm) {
161 if (CRM_Core_Permission
::check($perm)) {
169 * Given a group/role array, check for access requirements
171 * @param array $array
172 * The group/role to check.
175 * true if yes, else false
177 public static function checkGroupRole($array) {
178 $config = CRM_Core_Config
::singleton();
179 return $config->userPermissionClass
->checkGroupRole($array);
183 * Get the permissioned where clause for the user.
186 * The type of permission needed.
187 * @param array $tables
188 * (reference ) add the tables that are needed for the select clause.
189 * @param array $whereTables
190 * (reference ) add the tables that are needed for the where clause.
193 * the group where clause for this user
195 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
196 $config = CRM_Core_Config
::singleton();
197 return $config->userPermissionClass
->getPermissionedStaticGroupClause($type, $tables, $whereTables);
201 * Get all groups from database, filtered by permissions
204 * @param string $groupType
205 * Type of group(Access/Mailing).
206 * @param bool $excludeHidden
207 * exclude hidden groups.
211 * array reference of all groups.
213 public static function group($groupType, $excludeHidden = TRUE) {
214 $config = CRM_Core_Config
::singleton();
215 return $config->userPermissionClass
->group($groupType, $excludeHidden);
221 public static function customGroupAdmin() {
224 // check if user has all powerful permission
225 // or administer civicrm permission (CRM-1905)
226 if (self
::check('access all custom data')) {
231 self
::check('administer Multiple Organizations') &&
232 self
::isMultisiteEnabled()
237 if (self
::check('administer CiviCRM')) {
250 public static function customGroup($type = CRM_Core_Permission
::VIEW
, $reset = FALSE) {
251 $customGroups = CRM_Core_PseudoConstant
::get('CRM_Core_DAO_CustomField', 'custom_group_id',
252 array('fresh' => $reset));
253 $defaultGroups = array();
255 // check if user has all powerful permission
256 // or administer civicrm permission (CRM-1905)
257 if (self
::customGroupAdmin()) {
258 $defaultGroups = array_keys($customGroups);
261 return CRM_ACL_API
::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
266 * @param null $prefix
271 public static function customGroupClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL, $reset = FALSE) {
272 if (self
::customGroupAdmin()) {
276 $groups = self
::customGroup($type, $reset);
277 if (empty($groups)) {
281 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
291 public static function ufGroupValid($gid, $type = CRM_Core_Permission
::VIEW
) {
296 $groups = self
::ufGroup($type);
297 return !empty($groups) && in_array($gid, $groups) ?
TRUE : FALSE;
305 public static function ufGroup($type = CRM_Core_Permission
::VIEW
) {
306 $ufGroups = CRM_Core_PseudoConstant
::get('CRM_Core_DAO_UFField', 'uf_group_id');
308 $allGroups = array_keys($ufGroups);
310 // check if user has all powerful permission
311 if (self
::check('profile listings and forms')) {
316 case CRM_Core_Permission
::VIEW
:
317 if (self
::check('profile view')) {
322 case CRM_Core_Permission
::CREATE
:
323 if (self
::check('profile create')) {
328 case CRM_Core_Permission
::EDIT
:
329 if (self
::check('profile edit')) {
334 case CRM_Core_Permission
::SEARCH
:
335 if (self
::check('profile listings')) {
341 return CRM_ACL_API
::group($type, NULL, 'civicrm_uf_group', $ufGroups);
346 * @param null $prefix
347 * @param bool $returnUFGroupIds
349 * @return array|string
351 public static function ufGroupClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL, $returnUFGroupIds = FALSE) {
352 $groups = self
::ufGroup($type);
353 if ($returnUFGroupIds) {
356 elseif (empty($groups)) {
360 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
366 * @param int $eventID
367 * @param string $context
371 public static function event($type = CRM_Core_Permission
::VIEW
, $eventID = NULL, $context = '') {
372 if (!empty($context)) {
373 if (CRM_Core_Permission
::check($context)) {
377 $events = CRM_Event_PseudoConstant
::event(NULL, TRUE);
378 $includeEvents = array();
380 // check if user has all powerful permission
381 if (self
::check('register for events')) {
382 $includeEvents = array_keys($events);
385 if ($type == CRM_Core_Permission
::VIEW
&&
386 self
::check('view event info')
388 $includeEvents = array_keys($events);
391 $permissionedEvents = CRM_ACL_API
::group($type, NULL, 'civicrm_event', $events, $includeEvents);
393 return $permissionedEvents;
395 if (!empty($permissionedEvents)) {
396 return array_search($eventID, $permissionedEvents) === FALSE ?
NULL : $eventID;
403 * @param null $prefix
407 public static function eventClause($type = CRM_Core_Permission
::VIEW
, $prefix = NULL) {
408 $events = self
::event($type);
409 if (empty($events)) {
413 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
418 * Checks that component is enabled and optionally that user has basic perm.
420 * @param string $module
421 * Specifies the name of the CiviCRM component.
422 * @param bool $checkPermission
423 * Check not only that module is enabled, but that user has necessary
425 * @param bool $requireAllCasesPermOnCiviCase
426 * Significant only if $module == CiviCase
427 * Require "access all cases and activities", not just
428 * "access my cases and activities".
431 * Access to specified $module is granted.
433 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
434 $config = CRM_Core_Config
::singleton();
436 if (!in_array($module, $config->enableComponents
)) {
440 if ($checkPermission) {
443 $access_all_cases = CRM_Core_Permission
::check("access all cases and activities");
444 $access_my_cases = CRM_Core_Permission
::check("access my cases and activities");
445 return $access_all_cases ||
(!$requireAllCasesPermOnCiviCase && $access_my_cases);
448 return CRM_Core_Permission
::check("administer $module");
451 return CRM_Core_Permission
::check("access $module");
459 * Check permissions for delete and edit actions.
461 * @param string $module
464 * Action to be check across component.
469 public static function checkActionPermission($module, $action) {
470 //check delete related permissions.
471 if ($action & CRM_Core_Action
::DELETE
) {
472 $permissionName = "delete in $module";
475 $editPermissions = array(
476 'CiviEvent' => 'edit event participants',
477 'CiviMember' => 'edit memberships',
478 'CiviPledge' => 'edit pledges',
479 'CiviContribute' => 'edit contributions',
480 'CiviGrant' => 'edit grants',
481 'CiviMail' => 'access CiviMail',
482 'CiviAuction' => 'add auction items',
484 $permissionName = CRM_Utils_Array
::value($module, $editPermissions);
487 if ($module == 'CiviCase' && !$permissionName) {
488 return CRM_Case_BAO_Case
::accessCiviCase();
491 //check for permission.
492 return CRM_Core_Permission
::check($permissionName);
502 public static function checkMenu(&$args, $op = 'and') {
503 if (!is_array($args)) {
506 foreach ($args as $str) {
507 $res = CRM_Core_Permission
::check($str);
508 if ($op == 'or' && $res) {
511 elseif ($op == 'and' && !$res) {
515 return ($op == 'or') ?
FALSE : TRUE;
524 public static function checkMenuItem(&$item) {
525 if (!array_key_exists('access_callback', $item)) {
526 CRM_Core_Error
::backtrace();
527 CRM_Core_Error
::fatal();
530 // if component_id is present, ensure it is enabled
531 if (isset($item['component_id']) && $item['component_id']) {
532 if (!isset(Civi
::$statics[__CLASS__
]['componentNameId'])) {
533 Civi
::$statics[__CLASS__
]['componentNameId'] = array_flip(CRM_Core_Component
::getComponentIDs());
535 $componentName = Civi
::$statics[__CLASS__
]['componentNameId'][$item['component_id']];
537 $config = CRM_Core_Config
::singleton();
538 if (is_array($config->enableComponents
) && in_array($componentName, $config->enableComponents
)) {
539 // continue with process
546 // the following is imitating drupal 6 code in includes/menu.inc
547 if (empty($item['access_callback']) ||
548 is_numeric($item['access_callback'])
550 return (boolean
) $item['access_callback'];
553 // check whether the following Ajax requests submitted the right key
554 // FIXME: this should be integrated into ACLs proper
555 if (CRM_Utils_Array
::value('page_type', $item) == 3) {
556 if (!CRM_Core_Key
::validate($_REQUEST['key'], $item['path'])) {
561 // check if callback is for checkMenu, if so optimize it
562 if (is_array($item['access_callback']) &&
563 $item['access_callback'][0] == 'CRM_Core_Permission' &&
564 $item['access_callback'][1] == 'checkMenu'
566 $op = CRM_Utils_Array
::value(1, $item['access_arguments'], 'and');
567 return self
::checkMenu($item['access_arguments'][0], $op);
570 return call_user_func_array($item['access_callback'], $item['access_arguments']);
576 * Include disabled components
577 * @param bool $descriptions
578 * Whether to return descriptions
582 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
583 $cacheKey = implode('-', array($all, $descriptions));
584 if (empty(Civi
::$statics[__CLASS__
][__FUNCTION__
][$cacheKey])) {
585 Civi
::$statics[__CLASS__
][__FUNCTION__
][$cacheKey] = self
::assembleBasicPermissions($all, $descriptions);
587 return Civi
::$statics[__CLASS__
][__FUNCTION__
][$cacheKey];
592 * @param bool $descriptions
593 * whether to return descriptions
597 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
598 $config = CRM_Core_Config
::singleton();
599 $prefix = ts('CiviCRM') . ': ';
600 $permissions = self
::getCorePermissions($descriptions);
602 if (self
::isMultisiteEnabled()) {
603 $permissions['administer Multiple Organizations'] = array($prefix . ts('administer Multiple Organizations'));
606 if (!$descriptions) {
607 foreach ($permissions as $name => $attr) {
608 $permissions[$name] = array_shift($attr);
612 $components = CRM_Core_Component
::getEnabledComponents();
615 $components = CRM_Core_Component
::getComponents();
618 foreach ($components as $comp) {
619 $perm = $comp->getPermissions(FALSE, $descriptions);
621 $info = $comp->getInfo();
622 foreach ($perm as $p => $attr) {
624 if (!is_array($attr)) {
625 $attr = array($attr);
628 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
631 $permissions[$p] = $attr;
634 $permissions[$p] = $attr[0];
640 // Add any permissions defined in hook_civicrm_permission implementations.
641 $module_permissions = $config->userPermissionClass
->getAllModulePermissions($descriptions);
642 $permissions = array_merge($permissions, $module_permissions);
643 CRM_Financial_BAO_FinancialType
::permissionedFinancialTypes($permissions, $descriptions);
650 public static function getAnonymousPermissionsWarnings() {
651 static $permissions = array();
652 if (empty($permissions)) {
653 $permissions = array(
654 'administer CiviCRM',
656 $components = CRM_Core_Component
::getComponents();
657 foreach ($components as $comp) {
658 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
661 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
668 * @param $anonymous_perms
672 public static function validateForPermissionWarnings($anonymous_perms) {
673 return array_intersect($anonymous_perms, self
::getAnonymousPermissionsWarnings());
677 * Get core permissions.
681 public static function getCorePermissions() {
682 $prefix = ts('CiviCRM') . ': ';
683 $permissions = array(
684 'add contacts' => array(
685 $prefix . ts('add contacts'),
686 ts('Create a new contact record in CiviCRM'),
688 'view all contacts' => array(
689 $prefix . ts('view all contacts'),
690 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
692 'edit all contacts' => array(
693 $prefix . ts('edit all contacts'),
694 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
696 'view my contact' => array(
697 $prefix . ts('view my contact'),
699 'edit my contact' => array(
700 $prefix . ts('edit my contact'),
702 'delete contacts' => array(
703 $prefix . ts('delete contacts'),
705 'access deleted contacts' => array(
706 $prefix . ts('access deleted contacts'),
707 ts('Access contacts in the trash'),
709 'import contacts' => array(
710 $prefix . ts('import contacts'),
711 ts('Import contacts and activities'),
713 'import SQL datasource' => array(
714 $prefix . ts('import SQL datasource'),
715 ts('When importing, consume data directly from a SQL datasource'),
717 'edit groups' => array(
718 $prefix . ts('edit groups'),
719 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
721 'administer CiviCRM' => array(
722 $prefix . ts('administer CiviCRM'),
723 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
725 'skip IDS check' => array(
726 $prefix . ts('skip IDS check'),
727 ts('IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
729 'access uploaded files' => array(
730 $prefix . ts('access uploaded files'),
731 ts('View / download files including images and photos'),
733 'profile listings and forms' => array(
734 $prefix . ts('profile listings and forms'),
735 ts('Access the profile Search form and listings'),
737 'profile listings' => array(
738 $prefix . ts('profile listings'),
740 'profile create' => array(
741 $prefix . ts('profile create'),
742 ts('Use profiles in Create mode'),
744 'profile edit' => array(
745 $prefix . ts('profile edit'),
746 ts('Use profiles in Edit mode'),
748 'profile view' => array(
749 $prefix . ts('profile view'),
751 'access all custom data' => array(
752 $prefix . ts('access all custom data'),
753 ts('View all custom fields regardless of ACL rules'),
755 'view all activities' => array(
756 $prefix . ts('view all activities'),
757 ts('View all activities (for visible contacts)'),
759 'delete activities' => array(
760 $prefix . ts('Delete activities'),
762 'access CiviCRM' => array(
763 $prefix . ts('access CiviCRM'),
764 ts('Master control for access to the main CiviCRM backend and API'),
766 'access Contact Dashboard' => array(
767 $prefix . ts('access Contact Dashboard'),
768 ts('View Contact Dashboard (for themselves and visible contacts)'),
770 'translate CiviCRM' => array(
771 $prefix . ts('translate CiviCRM'),
772 ts('Allow User to enable multilingual'),
774 'manage tags' => array(
775 $prefix . ts('manage tags'),
776 ts('Create and rename tags'),
778 'administer reserved groups' => array(
779 $prefix . ts('administer reserved groups'),
780 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
782 'administer Tagsets' => array(
783 $prefix . ts('administer Tagsets'),
785 'administer reserved tags' => array(
786 $prefix . ts('administer reserved tags'),
788 'administer dedupe rules' => array(
789 $prefix . ts('administer dedupe rules'),
790 ts('Create and edit rules, change the supervised and unsupervised rules'),
792 'merge duplicate contacts' => array(
793 $prefix . ts('merge duplicate contacts'),
794 ts('Delete Contacts must also be granted in order for this to work.'),
796 'force merge duplicate contacts' => array(
797 $prefix . ts('force merge duplicate contacts'),
798 ts('Delete Contacts must also be granted in order for this to work.'),
800 'view debug output' => array(
801 $prefix . ts('view debug output'),
802 ts('View results of debug and backtrace'),
805 'view all notes' => array(
806 $prefix . ts('view all notes'),
807 ts("View notes (for visible contacts) even if they're marked admin only"),
809 'access AJAX API' => array(
810 $prefix . ts('access AJAX API'),
811 ts('Allow API access even if Access CiviCRM is not granted'),
813 'access contact reference fields' => array(
814 $prefix . ts('access contact reference fields'),
815 ts('Allow entering data into contact reference fields'),
817 'create manual batch' => array(
818 $prefix . ts('create manual batch'),
819 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
821 'edit own manual batches' => array(
822 $prefix . ts('edit own manual batches'),
823 ts('Edit accounting batches created by user'),
825 'edit all manual batches' => array(
826 $prefix . ts('edit all manual batches'),
827 ts('Edit all accounting batches'),
829 'view own manual batches' => array(
830 $prefix . ts('view own manual batches'),
831 ts('View accounting batches created by user (with Access to CiviContribute)'),
833 'view all manual batches' => array(
834 $prefix . ts('view all manual batches'),
835 ts('View all accounting batches (with Access to CiviContribute)'),
837 'delete own manual batches' => array(
838 $prefix . ts('delete own manual batches'),
839 ts('Delete accounting batches created by user'),
841 'delete all manual batches' => array(
842 $prefix . ts('delete all manual batches'),
843 ts('Delete all accounting batches'),
845 'export own manual batches' => array(
846 $prefix . ts('export own manual batches'),
847 ts('Export accounting batches created by user'),
849 'export all manual batches' => array(
850 $prefix . ts('export all manual batches'),
851 ts('Export all accounting batches'),
853 'administer payment processors' => array(
854 $prefix . ts('administer payment processors'),
855 ts('Add, Update, or Disable Payment Processors'),
857 'edit message templates' => array(
858 $prefix . ts('edit message templates'),
860 'view my invoices' => array(
861 $prefix . ts('view my invoices'),
862 ts('Allow users to view/ download their own invoices'),
864 'edit api keys' => array(
865 $prefix . ts('edit api keys'),
868 'edit own api keys' => array(
869 $prefix . ts('edit own api keys'),
870 ts('Edit user\'s own API keys'),
878 * Validate user permission across.
879 * edit or view or with supportable acls.
883 public static function giveMeAllACLs() {
884 if (CRM_Core_Permission
::check('view all contacts') ||
885 CRM_Core_Permission
::check('edit all contacts')
890 $session = CRM_Core_Session
::singleton();
891 $contactID = $session->get('userID');
894 $aclPermission = self
::getPermission();
895 if (in_array($aclPermission, array(
896 CRM_Core_Permission
::EDIT
,
897 CRM_Core_Permission
::VIEW
,
903 // run acl where hook and see if the user is supplying an ACL clause
905 $tables = $whereTables = array();
908 CRM_Utils_Hook
::aclWhereClause(CRM_Core_Permission
::VIEW
,
909 $tables, $whereTables,
912 return empty($whereTables) ?
FALSE : TRUE;
916 * Get component name from given permission.
918 * @param string $permission
920 * @return null|string
921 * the name of component.
923 public static function getComponentName($permission) {
924 $componentName = NULL;
925 $permission = trim($permission);
926 if (empty($permission)) {
927 return $componentName;
930 static $allCompPermissions = array();
931 if (empty($allCompPermissions)) {
932 $components = CRM_Core_Component
::getComponents();
933 foreach ($components as $name => $comp) {
934 //get all permissions of each components unconditionally
935 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
939 if (is_array($allCompPermissions)) {
940 foreach ($allCompPermissions as $name => $permissions) {
941 if (array_key_exists($permission, $permissions)) {
942 $componentName = $name;
948 return $componentName;
952 * Get all the contact emails for users that have a specific permission.
954 * @param string $permissionName
955 * Name of the permission we are interested in.
958 * a comma separated list of email addresses
960 public static function permissionEmails($permissionName) {
961 $config = CRM_Core_Config
::singleton();
962 return $config->userPermissionClass
->permissionEmails($permissionName);
966 * Get all the contact emails for users that have a specific role.
968 * @param string $roleName
969 * Name of the role we are interested in.
972 * a comma separated list of email addresses
974 public static function roleEmails($roleName) {
975 $config = CRM_Core_Config
::singleton();
976 return $config->userRoleClass
->roleEmails($roleName);
982 public static function isMultisiteEnabled() {
983 return Civi
::settings()->get('is_enabled') ?
TRUE : FALSE;
987 * Verify if the user has permission to get the invoice.
990 * TRUE if the user has download all invoices permission or download my
991 * invoices permission and the invoice author is the current user.
993 public static function checkDownloadInvoice() {
995 $cid = CRM_Core_BAO_UFMatch
::getContactId($user->uid
);
996 if (CRM_Core_Permission
::check('access CiviContribute') ||
997 (CRM_Core_Permission
::check('view my invoices') && $_GET['cid'] == $cid)