projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
(NFC) (dev/core#878) Simplify copyright header (CRM/*)
[civicrm-core.git] / CRM / Core / Permission.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17
18 /**
19 * This is the basic permission class wrapper
20 */
21 class CRM_Core_Permission {
22
23 /**
24 * Static strings used to compose permissions.
25 *
26 * @const
27 * @var string
28 */
29 const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
30
31 /**
32 * The various type of permissions.
33 *
34 * @var int
35 */
36 const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
37
38 /**
39 * A placeholder permission which always fails.
40 */
41 const ALWAYS_DENY_PERMISSION = "*always deny*";
42
43 /**
44 * A placeholder permission which always fails.
45 */
46 const ALWAYS_ALLOW_PERMISSION = "*always allow*";
47
48 /**
49 * Various authentication sources.
50 *
51 * @var int
52 */
53 const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
54
55 /**
56 * Get the current permission of this user.
57 *
58 * @return string
59 * the permission of the user (edit or view or null)
60 */
61 public static function getPermission() {
62 $config = CRM_Core_Config::singleton();
63 return $config->userPermissionClass->getPermission();
64 }
65
66 /**
67 * Given a permission string or array, check for access requirements
68 *
69 * Ex 1: Must have 'access CiviCRM'
70 * (string) 'access CiviCRM'
71 *
72 * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
73 * ['access CiviCRM', 'access Ajax API']
74 *
75 * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
76 * [
77 * ['access CiviCRM', 'access Ajax API'],
78 * ],
79 *
80 * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
81 * [
82 * ['access CiviCRM', 'access Ajax API'],
83 * 'access CiviEvent',
84 * ],
85 *
86 * Note that in permissions.php this is keyed by the action eg.
87 * (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
88 * 'myaction' => [
89 * ['access CiviCRM', 'access Ajax API'],
90 * ['access CiviEvent', 'access CiviContribute']
91 * ],
92 *
93 * @param string|array $permissions
94 * The permission to check as an array or string -see examples.
95 *
96 * @param int $contactId
97 * Contact id to check permissions for. Defaults to current logged-in user.
98 *
99 * @return bool
100 * true if contact has permission(s), else false
101 */
102 public static function check($permissions, $contactId = NULL) {
103 $permissions = (array) $permissions;
104 $userId = CRM_Core_BAO_UFMatch::getUFId($contactId);
105
106 /** @var CRM_Core_Permission_Temp $tempPerm */
107 $tempPerm = CRM_Core_Config::singleton()->userPermissionTemp;
108
109 foreach ($permissions as $permission) {
110 if (is_array($permission)) {
111 foreach ($permission as $orPerm) {
112 if (self::check($orPerm, $contactId)) {
113 //one of our 'or' permissions has succeeded - stop checking this permission
114 return TRUE;
115 }
116 }
117 //none of our our conditions was met
118 return FALSE;
119 }
120 else {
121 // This is an individual permission
122 $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission, $userId);
123 // Call the permission_check hook to permit dynamic escalation (CRM-19256)
124 CRM_Utils_Hook::permission_check($permission, $granted, $contactId);
125 if (
126 !$granted
127 && !($tempPerm && $tempPerm->check($permission))
128 ) {
129 //one of our 'and' conditions has not been met
130 return FALSE;
131 }
132 }
133 }
134 return TRUE;
135 }
136
137 /**
138 * Determine if any one of the permissions strings applies to current user.
139 *
140 * @param array $perms
141 * @return bool
142 */
143 public static function checkAnyPerm($perms) {
144 foreach ($perms as $perm) {
145 if (CRM_Core_Permission::check($perm)) {
146 return TRUE;
147 }
148 }
149 return FALSE;
150 }
151
152 /**
153 * Given a group/role array, check for access requirements
154 *
155 * @param array $array
156 * The group/role to check.
157 *
158 * @return bool
159 * true if yes, else false
160 */
161 public static function checkGroupRole($array) {
162 $config = CRM_Core_Config::singleton();
163 return $config->userPermissionClass->checkGroupRole($array);
164 }
165
166 /**
167 * Get the permissioned where clause for the user.
168 *
169 * @param int $type
170 * The type of permission needed.
171 * @param array $tables
172 * (reference ) add the tables that are needed for the select clause.
173 * @param array $whereTables
174 * (reference ) add the tables that are needed for the where clause.
175 *
176 * @return string
177 * the group where clause for this user
178 */
179 public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
180 $config = CRM_Core_Config::singleton();
181 return $config->userPermissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
182 }
183
184 /**
185 * Get all groups from database, filtered by permissions
186 * for this user
187 *
188 * @param string $groupType
189 * Type of group(Access/Mailing).
190 * @param bool $excludeHidden
191 * exclude hidden groups.
192 *
193 *
194 * @return array
195 * array reference of all groups.
196 */
197 public static function group($groupType, $excludeHidden = TRUE) {
198 $config = CRM_Core_Config::singleton();
199 return $config->userPermissionClass->group($groupType, $excludeHidden);
200 }
201
202 /**
203 * @return bool
204 */
205 public static function customGroupAdmin() {
206 $admin = FALSE;
207
208 // check if user has all powerful permission
209 // or administer civicrm permission (CRM-1905)
210 if (self::check('access all custom data')) {
211 return TRUE;
212 }
213
214 if (
215 self::check('administer Multiple Organizations') &&
216 self::isMultisiteEnabled()
217 ) {
218 return TRUE;
219 }
220
221 if (self::check('administer CiviCRM')) {
222 return TRUE;
223 }
224
225 return FALSE;
226 }
227
228 /**
229 * @param int $type
230 * @param bool $reset
231 *
232 * @return array
233 */
234 public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
235 $customGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_CustomField', 'custom_group_id',
236 ['fresh' => $reset]);
237 $defaultGroups = [];
238
239 // check if user has all powerful permission
240 // or administer civicrm permission (CRM-1905)
241 if (self::customGroupAdmin()) {
242 $defaultGroups = array_keys($customGroups);
243 }
244
245 return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
246 }
247
248 /**
249 * @param int $type
250 * @param null $prefix
251 * @param bool $reset
252 *
253 * @return string
254 */
255 public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
256 if (self::customGroupAdmin()) {
257 return ' ( 1 ) ';
258 }
259
260 $groups = self::customGroup($type, $reset);
261 if (empty($groups)) {
262 return ' ( 0 ) ';
263 }
264 else {
265 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
266 }
267 }
268
269 /**
270 * @param int $gid
271 * @param int $type
272 *
273 * @return bool
274 */
275 public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
276 if (empty($gid)) {
277 return TRUE;
278 }
279
280 $groups = self::ufGroup($type);
281 return !empty($groups) && in_array($gid, $groups) ? TRUE : FALSE;
282 }
283
284 /**
285 * @param int $type
286 *
287 * @return array
288 */
289 public static function ufGroup($type = CRM_Core_Permission::VIEW) {
290 $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
291
292 $allGroups = array_keys($ufGroups);
293
294 // check if user has all powerful permission
295 if (self::check('profile listings and forms')) {
296 return $allGroups;
297 }
298
299 switch ($type) {
300 case CRM_Core_Permission::VIEW:
301 if (self::check('profile view')) {
302 return $allGroups;
303 }
304 break;
305
306 case CRM_Core_Permission::CREATE:
307 if (self::check('profile create')) {
308 return $allGroups;
309 }
310 break;
311
312 case CRM_Core_Permission::EDIT:
313 if (self::check('profile edit')) {
314 return $allGroups;
315 }
316 break;
317
318 case CRM_Core_Permission::SEARCH:
319 if (self::check('profile listings')) {
320 return $allGroups;
321 }
322 break;
323 }
324
325 return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
326 }
327
328 /**
329 * @param int $type
330 * @param null $prefix
331 * @param bool $returnUFGroupIds
332 *
333 * @return array|string
334 */
335 public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
336 $groups = self::ufGroup($type);
337 if ($returnUFGroupIds) {
338 return $groups;
339 }
340 elseif (empty($groups)) {
341 return ' ( 0 ) ';
342 }
343 else {
344 return "{$prefix}id IN ( " . implode(',', $groups) . ' ) ';
345 }
346 }
347
348 /**
349 * @param int $type
350 * @param int $eventID
351 * @param string $context
352 *
353 * @return array|null
354 */
355 public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
356 if (!empty($context)) {
357 if (CRM_Core_Permission::check($context)) {
358 return TRUE;
359 }
360 }
361 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
362 $includeEvents = [];
363
364 // check if user has all powerful permission
365 if (self::check('register for events')) {
366 $includeEvents = array_keys($events);
367 }
368
369 if ($type == CRM_Core_Permission::VIEW &&
370 self::check('view event info')
371 ) {
372 $includeEvents = array_keys($events);
373 }
374
375 $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
376 if (!$eventID) {
377 return $permissionedEvents;
378 }
379 if (!empty($permissionedEvents)) {
380 return array_search($eventID, $permissionedEvents) === FALSE ? NULL : $eventID;
381 }
382 return NULL;
383 }
384
385 /**
386 * @param int $type
387 * @param null $prefix
388 *
389 * @return string
390 */
391 public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
392 $events = self::event($type);
393 if (empty($events)) {
394 return ' ( 0 ) ';
395 }
396 else {
397 return "{$prefix}id IN ( " . implode(',', $events) . ' ) ';
398 }
399 }
400
401 /**
402 * Checks that component is enabled and optionally that user has basic perm.
403 *
404 * @param string $module
405 * Specifies the name of the CiviCRM component.
406 * @param bool $checkPermission
407 * Check not only that module is enabled, but that user has necessary
408 * permission.
409 * @param bool $requireAllCasesPermOnCiviCase
410 * Significant only if $module == CiviCase
411 * Require "access all cases and activities", not just
412 * "access my cases and activities".
413 *
414 * @return bool
415 * Access to specified $module is granted.
416 */
417 public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
418 $config = CRM_Core_Config::singleton();
419
420 if (!in_array($module, $config->enableComponents)) {
421 return FALSE;
422 }
423
424 if ($checkPermission) {
425 switch ($module) {
426 case 'CiviCase':
427 $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
428 $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
429 return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
430
431 case 'CiviCampaign':
432 return CRM_Core_Permission::check("administer $module");
433
434 default:
435 return CRM_Core_Permission::check("access $module");
436 }
437 }
438
439 return TRUE;
440 }
441
442 /**
443 * Check permissions for delete and edit actions.
444 *
445 * @param string $module
446 * Component name.
447 * @param int $action
448 * Action to be check across component.
449 *
450 *
451 * @return bool
452 */
453 public static function checkActionPermission($module, $action) {
454 //check delete related permissions.
455 if ($action & CRM_Core_Action::DELETE) {
456 $permissionName = "delete in $module";
457 }
458 else {
459 $editPermissions = [
460 'CiviEvent' => 'edit event participants',
461 'CiviMember' => 'edit memberships',
462 'CiviPledge' => 'edit pledges',
463 'CiviContribute' => 'edit contributions',
464 'CiviGrant' => 'edit grants',
465 'CiviMail' => 'access CiviMail',
466 'CiviAuction' => 'add auction items',
467 ];
468 $permissionName = CRM_Utils_Array::value($module, $editPermissions);
469 }
470
471 if ($module == 'CiviCase' && !$permissionName) {
472 return CRM_Case_BAO_Case::accessCiviCase();
473 }
474 else {
475 //check for permission.
476 return CRM_Core_Permission::check($permissionName);
477 }
478 }
479
480 /**
481 * @param $args
482 * @param string $op
483 *
484 * @return bool
485 */
486 public static function checkMenu(&$args, $op = 'and') {
487 if (!is_array($args)) {
488 return $args;
489 }
490 foreach ($args as $str) {
491 $res = CRM_Core_Permission::check($str);
492 if ($op == 'or' && $res) {
493 return TRUE;
494 }
495 elseif ($op == 'and' && !$res) {
496 return FALSE;
497 }
498 }
499 return ($op == 'or') ? FALSE : TRUE;
500 }
501
502 /**
503 * @param $item
504 *
505 * @return bool|mixed
506 * @throws Exception
507 */
508 public static function checkMenuItem(&$item) {
509 if (!array_key_exists('access_callback', $item)) {
510 CRM_Core_Error::backtrace();
511 CRM_Core_Error::fatal();
512 }
513
514 // if component_id is present, ensure it is enabled
515 if (isset($item['component_id']) && $item['component_id']) {
516 if (!isset(Civi::$statics[__CLASS__]['componentNameId'])) {
517 Civi::$statics[__CLASS__]['componentNameId'] = array_flip(CRM_Core_Component::getComponentIDs());
518 }
519 $componentName = Civi::$statics[__CLASS__]['componentNameId'][$item['component_id']];
520
521 $config = CRM_Core_Config::singleton();
522 if (is_array($config->enableComponents) && in_array($componentName, $config->enableComponents)) {
523 // continue with process
524 }
525 else {
526 return FALSE;
527 }
528 }
529
530 // the following is imitating drupal 6 code in includes/menu.inc
531 if (empty($item['access_callback']) ||
532 is_numeric($item['access_callback'])
533 ) {
534 return (boolean ) $item['access_callback'];
535 }
536
537 // check whether the following Ajax requests submitted the right key
538 // FIXME: this should be integrated into ACLs proper
539 if (CRM_Utils_Array::value('page_type', $item) == 3) {
540 if (!CRM_Core_Key::validate($_REQUEST['key'], $item['path'])) {
541 return FALSE;
542 }
543 }
544
545 // check if callback is for checkMenu, if so optimize it
546 if (is_array($item['access_callback']) &&
547 $item['access_callback'][0] == 'CRM_Core_Permission' &&
548 $item['access_callback'][1] == 'checkMenu'
549 ) {
550 $op = CRM_Utils_Array::value(1, $item['access_arguments'], 'and');
551 return self::checkMenu($item['access_arguments'][0], $op);
552 }
553 else {
554 return call_user_func_array($item['access_callback'], $item['access_arguments']);
555 }
556 }
557
558 /**
559 * @param bool $all
560 * Include disabled components
561 * @param bool $descriptions
562 * Whether to return descriptions
563 *
564 * @return array
565 */
566 public static function basicPermissions($all = FALSE, $descriptions = FALSE) {
567 $cacheKey = implode('-', [$all, $descriptions]);
568 if (empty(Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey])) {
569 Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey] = self::assembleBasicPermissions($all, $descriptions);
570 }
571 return Civi::$statics[__CLASS__][__FUNCTION__][$cacheKey];
572 }
573
574 /**
575 * @param bool $all
576 * @param bool $descriptions
577 * whether to return descriptions
578 *
579 * @return array
580 */
581 public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
582 $config = CRM_Core_Config::singleton();
583 $prefix = ts('CiviCRM') . ': ';
584 $permissions = self::getCorePermissions($descriptions);
585
586 if (self::isMultisiteEnabled()) {
587 $permissions['administer Multiple Organizations'] = [$prefix . ts('administer Multiple Organizations')];
588 }
589
590 if (!$descriptions) {
591 foreach ($permissions as $name => $attr) {
592 $permissions[$name] = array_shift($attr);
593 }
594 }
595 if (!$all) {
596 $components = CRM_Core_Component::getEnabledComponents();
597 }
598 else {
599 $components = CRM_Core_Component::getComponents();
600 }
601
602 foreach ($components as $comp) {
603 $perm = $comp->getPermissions($all, $descriptions);
604 if ($perm) {
605 $info = $comp->getInfo();
606 foreach ($perm as $p => $attr) {
607
608 if (!is_array($attr)) {
609 $attr = [$attr];
610 }
611
612 $attr[0] = $info['translatedName'] . ': ' . $attr[0];
613
614 if ($descriptions) {
615 $permissions[$p] = $attr;
616 }
617 else {
618 $permissions[$p] = $attr[0];
619 }
620 }
621 }
622 }
623
624 // Add any permissions defined in hook_civicrm_permission implementations.
625 $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
626 $permissions = array_merge($permissions, $module_permissions);
627 CRM_Financial_BAO_FinancialType::permissionedFinancialTypes($permissions, $descriptions);
628 return $permissions;
629 }
630
631 /**
632 * @return array
633 */
634 public static function getAnonymousPermissionsWarnings() {
635 static $permissions = [];
636 if (empty($permissions)) {
637 $permissions = [
638 'administer CiviCRM',
639 ];
640 $components = CRM_Core_Component::getComponents();
641 foreach ($components as $comp) {
642 if (!method_exists($comp, 'getAnonymousPermissionWarnings')) {
643 continue;
644 }
645 $permissions = array_merge($permissions, $comp->getAnonymousPermissionWarnings());
646 }
647 }
648 return $permissions;
649 }
650
651 /**
652 * @param $anonymous_perms
653 *
654 * @return array
655 */
656 public static function validateForPermissionWarnings($anonymous_perms) {
657 return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
658 }
659
660 /**
661 * Get core permissions.
662 *
663 * @return array
664 */
665 public static function getCorePermissions() {
666 $prefix = ts('CiviCRM') . ': ';
667 $permissions = [
668 'add contacts' => [
669 $prefix . ts('add contacts'),
670 ts('Create a new contact record in CiviCRM'),
671 ],
672 'view all contacts' => [
673 $prefix . ts('view all contacts'),
674 ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
675 ],
676 'edit all contacts' => [
677 $prefix . ts('edit all contacts'),
678 ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
679 ],
680 'view my contact' => [
681 $prefix . ts('view my contact'),
682 ],
683 'edit my contact' => [
684 $prefix . ts('edit my contact'),
685 ],
686 'delete contacts' => [
687 $prefix . ts('delete contacts'),
688 ],
689 'access deleted contacts' => [
690 $prefix . ts('access deleted contacts'),
691 ts('Access contacts in the trash'),
692 ],
693 'import contacts' => [
694 $prefix . ts('import contacts'),
695 ts('Import contacts and activities'),
696 ],
697 'import SQL datasource' => [
698 $prefix . ts('import SQL datasource'),
699 ts('When importing, consume data directly from a SQL datasource'),
700 ],
701 'edit groups' => [
702 $prefix . ts('edit groups'),
703 ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
704 ],
705 'administer CiviCRM' => [
706 $prefix . ts('administer CiviCRM'),
707 ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
708 ],
709 'skip IDS check' => [
710 $prefix . ts('skip IDS check'),
711 ts('Warning: Give to trusted roles only; this permission has security implications. IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
712 ],
713 'access uploaded files' => [
714 $prefix . ts('access uploaded files'),
715 ts('View / download files including images and photos'),
716 ],
717 'profile listings and forms' => [
718 $prefix . ts('profile listings and forms'),
719 ts('Warning: Give to trusted roles only; this permission has privacy implications. Add/edit data in online forms and access public searchable directories.'),
720 ],
721 'profile listings' => [
722 $prefix . ts('profile listings'),
723 ts('Warning: Give to trusted roles only; this permission has privacy implications. Access public searchable directories.'),
724 ],
725 'profile create' => [
726 $prefix . ts('profile create'),
727 ts('Add data in a profile form.'),
728 ],
729 'profile edit' => [
730 $prefix . ts('profile edit'),
731 ts('Edit data in a profile form.'),
732 ],
733 'profile view' => [
734 $prefix . ts('profile view'),
735 ts('View data in a profile.'),
736 ],
737 'access all custom data' => [
738 $prefix . ts('access all custom data'),
739 ts('View all custom fields regardless of ACL rules'),
740 ],
741 'view all activities' => [
742 $prefix . ts('view all activities'),
743 ts('View all activities (for visible contacts)'),
744 ],
745 'delete activities' => [
746 $prefix . ts('Delete activities'),
747 ],
748 'edit inbound email basic information' => [
749 $prefix . ts('edit inbound email basic information'),
750 ts('Edit all inbound email activities (for visible contacts) basic information. Content editing not allowed.'),
751 ],
752 'edit inbound email basic information and content' => [
753 $prefix . ts('edit inbound email basic information and content'),
754 ts('Edit all inbound email activities (for visible contacts) basic information and content.'),
755 ],
756 'access CiviCRM' => [
757 $prefix . ts('access CiviCRM backend and API'),
758 ts('Master control for access to the main CiviCRM backend and API. Give to trusted roles only.'),
759 ],
760 'access Contact Dashboard' => [
761 $prefix . ts('access Contact Dashboard'),
762 ts('View Contact Dashboard (for themselves and visible contacts)'),
763 ],
764 'translate CiviCRM' => [
765 $prefix . ts('translate CiviCRM'),
766 ts('Allow User to enable multilingual'),
767 ],
768 'manage tags' => [
769 $prefix . ts('manage tags'),
770 ts('Create and rename tags'),
771 ],
772 'administer reserved groups' => [
773 $prefix . ts('administer reserved groups'),
774 ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
775 ],
776 'administer Tagsets' => [
777 $prefix . ts('administer Tagsets'),
778 ],
779 'administer reserved tags' => [
780 $prefix . ts('administer reserved tags'),
781 ],
782 'administer dedupe rules' => [
783 $prefix . ts('administer dedupe rules'),
784 ts('Create and edit rules, change the supervised and unsupervised rules'),
785 ],
786 'merge duplicate contacts' => [
787 $prefix . ts('merge duplicate contacts'),
788 ts('Delete Contacts must also be granted in order for this to work.'),
789 ],
790 'force merge duplicate contacts' => [
791 $prefix . ts('force merge duplicate contacts'),
792 ts('Delete Contacts must also be granted in order for this to work.'),
793 ],
794 'view debug output' => [
795 $prefix . ts('view debug output'),
796 ts('View results of debug and backtrace'),
797 ],
798
799 'view all notes' => [
800 $prefix . ts('view all notes'),
801 ts("View notes (for visible contacts) even if they're marked admin only"),
802 ],
803 'add contact notes' => [
804 $prefix . ts('add contact notes'),
805 ts("Create notes for contacts"),
806 ],
807 'access AJAX API' => [
808 $prefix . ts('access AJAX API'),
809 ts('Allow API access even if Access CiviCRM is not granted'),
810 ],
811 'access contact reference fields' => [
812 $prefix . ts('access contact reference fields'),
813 ts('Allow entering data into contact reference fields'),
814 ],
815 'create manual batch' => [
816 $prefix . ts('create manual batch'),
817 ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
818 ],
819 'edit own manual batches' => [
820 $prefix . ts('edit own manual batches'),
821 ts('Edit accounting batches created by user'),
822 ],
823 'edit all manual batches' => [
824 $prefix . ts('edit all manual batches'),
825 ts('Edit all accounting batches'),
826 ],
827 'close own manual batches' => [
828 $prefix . ts('close own manual batches'),
829 ts('Close accounting batches created by user (with Access to CiviContribute)'),
830 ],
831 'close all manual batches' => [
832 $prefix . ts('close all manual batches'),
833 ts('Close all accounting batches (with Access to CiviContribute)'),
834 ],
835 'reopen own manual batches' => [
836 $prefix . ts('reopen own manual batches'),
837 ts('Reopen accounting batches created by user (with Access to CiviContribute)'),
838 ],
839 'reopen all manual batches' => [
840 $prefix . ts('reopen all manual batches'),
841 ts('Reopen all accounting batches (with Access to CiviContribute)'),
842 ],
843 'view own manual batches' => [
844 $prefix . ts('view own manual batches'),
845 ts('View accounting batches created by user (with Access to CiviContribute)'),
846 ],
847 'view all manual batches' => [
848 $prefix . ts('view all manual batches'),
849 ts('View all accounting batches (with Access to CiviContribute)'),
850 ],
851 'delete own manual batches' => [
852 $prefix . ts('delete own manual batches'),
853 ts('Delete accounting batches created by user'),
854 ],
855 'delete all manual batches' => [
856 $prefix . ts('delete all manual batches'),
857 ts('Delete all accounting batches'),
858 ],
859 'export own manual batches' => [
860 $prefix . ts('export own manual batches'),
861 ts('Export accounting batches created by user'),
862 ],
863 'export all manual batches' => [
864 $prefix . ts('export all manual batches'),
865 ts('Export all accounting batches'),
866 ],
867 'administer payment processors' => [
868 $prefix . ts('administer payment processors'),
869 ts('Add, Update, or Disable Payment Processors'),
870 ],
871 'edit message templates' => [
872 $prefix . ts('edit message templates'),
873 ],
874 'edit system workflow message templates' => [
875 $prefix . ts('edit system workflow message templates'),
876 ],
877 'edit user-driven message templates' => [
878 $prefix . ts('edit user-driven message templates'),
879 ],
880 'view my invoices' => [
881 $prefix . ts('view my invoices'),
882 ts('Allow users to view/ download their own invoices'),
883 ],
884 'edit api keys' => [
885 $prefix . ts('edit api keys'),
886 ts('Edit API keys'),
887 ],
888 'edit own api keys' => [
889 $prefix . ts('edit own api keys'),
890 ts('Edit user\'s own API keys'),
891 ],
892 'send SMS' => [
893 $prefix . ts('send SMS'),
894 ts('Send an SMS'),
895 ],
896 ];
897
898 return $permissions;
899 }
900
901 /**
902 * For each entity provides an array of permissions required for each action
903 *
904 * The action is the array key, possible values:
905 * * create: applies to create (with no id in params)
906 * * update: applies to update, setvalue, create (with id in params)
907 * * get: applies to getcount, getsingle, getvalue and other gets
908 * * delete: applies to delete, replace
909 * * meta: applies to getfields, getoptions, getspec
910 * * default: catch-all for anything not declared
911 *
912 * Note: some APIs declare other actions as well
913 *
914 * Permissions should use arrays for AND and arrays of arrays for OR
915 * @see CRM_Core_Permission::check
916 *
917 * @return array of permissions
918 */
919 public static function getEntityActionPermissions() {
920 $permissions = [];
921 // These are the default permissions - if any entity does not declare permissions for a given action,
922 // (or the entity does not declare permissions at all) - then the action will be used from here
923 $permissions['default'] = [
924 // applies to getfields, getoptions, etc.
925 'meta' => ['access CiviCRM'],
926 // catch-all, applies to create, get, delete, etc.
927 // If an entity declares it's own 'default' action it will override this one
928 'default' => ['administer CiviCRM'],
929 ];
930
931 // Note: Additional permissions in DynamicFKAuthorization
932 $permissions['attachment'] = [
933 'default' => [
934 ['access CiviCRM', 'access AJAX API'],
935 ],
936 ];
937
938 // Contact permissions
939 $permissions['contact'] = [
940 'create' => [
941 'access CiviCRM',
942 'add contacts',
943 ],
944 'delete' => [
945 'access CiviCRM',
946 'delete contacts',
947 ],
948 // managed by query object
949 'get' => [],
950 // managed by _civicrm_api3_check_edit_permissions
951 'update' => [],
952 'getquick' => [
953 ['access CiviCRM', 'access AJAX API'],
954 ],
955 'duplicatecheck' => [
956 'access CiviCRM',
957 ],
958 'merge' => ['merge duplicate contacts'],
959 ];
960
961 $permissions['dedupe'] = [
962 'getduplicates' => ['access CiviCRM'],
963 'getstatistics' => ['access CiviCRM'],
964 ];
965
966 // CRM-16963 - Permissions for country.
967 $permissions['country'] = [
968 'get' => [
969 'access CiviCRM',
970 ],
971 'default' => [
972 'administer CiviCRM',
973 ],
974 ];
975
976 // Contact-related data permissions.
977 $permissions['address'] = [
978 // get is managed by BAO::addSelectWhereClause
979 // create/delete are managed by _civicrm_api3_check_edit_permissions
980 'default' => [],
981 ];
982 $permissions['email'] = $permissions['address'];
983 $permissions['phone'] = $permissions['address'];
984 $permissions['website'] = $permissions['address'];
985 $permissions['im'] = $permissions['address'];
986 $permissions['open_i_d'] = $permissions['address'];
987
988 // Also managed by ACLs - CRM-19448
989 $permissions['entity_tag'] = ['default' => []];
990 $permissions['note'] = $permissions['entity_tag'];
991
992 // Allow non-admins to get and create tags to support tagset widget
993 // Delete is still reserved for admins
994 $permissions['tag'] = [
995 'get' => ['access CiviCRM'],
996 'create' => ['access CiviCRM'],
997 'update' => ['access CiviCRM'],
998 ];
999
1000 //relationship permissions
1001 $permissions['relationship'] = [
1002 // get is managed by BAO::addSelectWhereClause
1003 'get' => [],
1004 'delete' => [
1005 'access CiviCRM',
1006 'edit all contacts',
1007 ],
1008 'default' => [
1009 'access CiviCRM',
1010 'edit all contacts',
1011 ],
1012 ];
1013
1014 // CRM-17741 - Permissions for RelationshipType.
1015 $permissions['relationship_type'] = [
1016 'get' => [
1017 'access CiviCRM',
1018 ],
1019 'default' => [
1020 'administer CiviCRM',
1021 ],
1022 ];
1023
1024 // Activity permissions
1025 $permissions['activity'] = [
1026 'delete' => [
1027 'access CiviCRM',
1028 'delete activities',
1029 ],
1030 'get' => [
1031 'access CiviCRM',
1032 // Note that view all activities is also required within the api
1033 // if the id is not passed in. Where the id is passed in the activity
1034 // specific check functions are used and tested.
1035 ],
1036 'default' => [
1037 'access CiviCRM',
1038 'view all activities',
1039 ],
1040 ];
1041 $permissions['activity_contact'] = $permissions['activity'];
1042
1043 // Case permissions
1044 $permissions['case'] = [
1045 'create' => [
1046 'access CiviCRM',
1047 'add cases',
1048 ],
1049 'delete' => [
1050 'access CiviCRM',
1051 'delete in CiviCase',
1052 ],
1053 'restore' => [
1054 'administer CiviCase',
1055 ],
1056 'merge' => [
1057 'administer CiviCase',
1058 ],
1059 'default' => [
1060 // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
1061 ['access my cases and activities', 'access all cases and activities'],
1062 ],
1063 ];
1064 $permissions['case_contact'] = $permissions['case'];
1065
1066 $permissions['case_type'] = [
1067 'default' => ['administer CiviCase'],
1068 'get' => [
1069 // nested array = OR
1070 ['access my cases and activities', 'access all cases and activities'],
1071 ],
1072 ];
1073
1074 // Campaign permissions
1075 $permissions['campaign'] = [
1076 'get' => ['access CiviCRM'],
1077 'default' => [
1078 // nested array = OR
1079 ['administer CiviCampaign', 'manage campaign'],
1080 ],
1081 ];
1082 $permissions['survey'] = $permissions['campaign'];
1083
1084 // Financial permissions
1085 $permissions['contribution'] = [
1086 'get' => [
1087 'access CiviCRM',
1088 'access CiviContribute',
1089 ],
1090 'delete' => [
1091 'access CiviCRM',
1092 'access CiviContribute',
1093 'delete in CiviContribute',
1094 ],
1095 'completetransaction' => [
1096 'edit contributions',
1097 ],
1098 'default' => [
1099 'access CiviCRM',
1100 'access CiviContribute',
1101 'edit contributions',
1102 ],
1103 ];
1104 $permissions['line_item'] = $permissions['contribution'];
1105
1106 // Payment permissions
1107 $permissions['payment'] = [
1108 'get' => [
1109 'access CiviCRM',
1110 'access CiviContribute',
1111 ],
1112 'delete' => [
1113 'access CiviCRM',
1114 'access CiviContribute',
1115 'delete in CiviContribute',
1116 ],
1117 'cancel' => [
1118 'access CiviCRM',
1119 'access CiviContribute',
1120 'edit contributions',
1121 ],
1122 'create' => [
1123 'access CiviCRM',
1124 'access CiviContribute',
1125 'edit contributions',
1126 ],
1127 'default' => [
1128 'access CiviCRM',
1129 'access CiviContribute',
1130 'edit contributions',
1131 ],
1132 ];
1133 $permissions['contribution_recur'] = $permissions['payment'];
1134
1135 // Custom field permissions
1136 $permissions['custom_field'] = [
1137 'default' => [
1138 'administer CiviCRM',
1139 'access all custom data',
1140 ],
1141 ];
1142 $permissions['custom_group'] = $permissions['custom_field'];
1143
1144 // Event permissions
1145 $permissions['event'] = [
1146 'create' => [
1147 'access CiviCRM',
1148 'access CiviEvent',
1149 'edit all events',
1150 ],
1151 'delete' => [
1152 'access CiviCRM',
1153 'access CiviEvent',
1154 'delete in CiviEvent',
1155 ],
1156 'get' => [
1157 'access CiviCRM',
1158 'access CiviEvent',
1159 'view event info',
1160 ],
1161 'update' => [
1162 'access CiviCRM',
1163 'access CiviEvent',
1164 'edit all events',
1165 ],
1166 ];
1167 // Exception refers to dedupe_exception.
1168 $permissions['exception'] = [
1169 'default' => ['merge duplicate contacts'],
1170 ];
1171
1172 $permissions['job'] = [
1173 'process_batch_merge' => ['merge duplicate contacts'],
1174 ];
1175 $permissions['rule_group']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
1176 // Loc block is only used for events
1177 $permissions['loc_block'] = $permissions['event'];
1178
1179 $permissions['state_province'] = [
1180 'get' => [
1181 'access CiviCRM',
1182 ],
1183 ];
1184
1185 // Price sets are shared by several components, user needs access to at least one of them
1186 $permissions['price_set'] = [
1187 'default' => [
1188 ['access CiviEvent', 'access CiviContribute', 'access CiviMember'],
1189 ],
1190 'get' => [
1191 ['access CiviCRM', 'view event info', 'make online contributions'],
1192 ],
1193 ];
1194
1195 // File permissions
1196 $permissions['file'] = [
1197 'default' => [
1198 'access CiviCRM',
1199 'access uploaded files',
1200 ],
1201 ];
1202 $permissions['files_by_entity'] = $permissions['file'];
1203
1204 // Group permissions
1205 $permissions['group'] = [
1206 'get' => [
1207 'access CiviCRM',
1208 ],
1209 'default' => [
1210 'access CiviCRM',
1211 'edit groups',
1212 ],
1213 ];
1214
1215 $permissions['group_nesting'] = $permissions['group'];
1216 $permissions['group_organization'] = $permissions['group'];
1217
1218 //Group Contact permission
1219 $permissions['group_contact'] = [
1220 'get' => [
1221 'access CiviCRM',
1222 ],
1223 'default' => [
1224 'access CiviCRM',
1225 'edit all contacts',
1226 ],
1227 ];
1228
1229 // CiviMail Permissions
1230 $civiMailBasePerms = [
1231 // To get/preview/update, one must have least one of these perms:
1232 // Mailing API implementations enforce nuances of create/approve/schedule permissions.
1233 'access CiviMail',
1234 'create mailings',
1235 'schedule mailings',
1236 'approve mailings',
1237 ];
1238 $permissions['mailing'] = [
1239 'get' => [
1240 'access CiviCRM',
1241 $civiMailBasePerms,
1242 ],
1243 'delete' => [
1244 'access CiviCRM',
1245 $civiMailBasePerms,
1246 'delete in CiviMail',
1247 ],
1248 'submit' => [
1249 'access CiviCRM',
1250 ['access CiviMail', 'schedule mailings'],
1251 ],
1252 'default' => [
1253 'access CiviCRM',
1254 $civiMailBasePerms,
1255 ],
1256 ];
1257 $permissions['mailing_group'] = $permissions['mailing'];
1258 $permissions['mailing_job'] = $permissions['mailing'];
1259 $permissions['mailing_recipients'] = $permissions['mailing'];
1260
1261 $permissions['mailing_a_b'] = [
1262 'get' => [
1263 'access CiviCRM',
1264 'access CiviMail',
1265 ],
1266 'delete' => [
1267 'access CiviCRM',
1268 'access CiviMail',
1269 'delete in CiviMail',
1270 ],
1271 'submit' => [
1272 'access CiviCRM',
1273 ['access CiviMail', 'schedule mailings'],
1274 ],
1275 'default' => [
1276 'access CiviCRM',
1277 'access CiviMail',
1278 ],
1279 ];
1280
1281 // Membership permissions
1282 $permissions['membership'] = [
1283 'get' => [
1284 'access CiviCRM',
1285 'access CiviMember',
1286 ],
1287 'delete' => [
1288 'access CiviCRM',
1289 'access CiviMember',
1290 'delete in CiviMember',
1291 ],
1292 'default' => [
1293 'access CiviCRM',
1294 'access CiviMember',
1295 'edit memberships',
1296 ],
1297 ];
1298 $permissions['membership_status'] = $permissions['membership'];
1299 $permissions['membership_type'] = $permissions['membership'];
1300 $permissions['membership_payment'] = [
1301 'create' => [
1302 'access CiviCRM',
1303 'access CiviMember',
1304 'edit memberships',
1305 'access CiviContribute',
1306 'edit contributions',
1307 ],
1308 'delete' => [
1309 'access CiviCRM',
1310 'access CiviMember',
1311 'delete in CiviMember',
1312 'access CiviContribute',
1313 'delete in CiviContribute',
1314 ],
1315 'get' => [
1316 'access CiviCRM',
1317 'access CiviMember',
1318 'access CiviContribute',
1319 ],
1320 'update' => [
1321 'access CiviCRM',
1322 'access CiviMember',
1323 'edit memberships',
1324 'access CiviContribute',
1325 'edit contributions',
1326 ],
1327 ];
1328
1329 // Participant permissions
1330 $permissions['participant'] = [
1331 'create' => [
1332 'access CiviCRM',
1333 'access CiviEvent',
1334 'register for events',
1335 ],
1336 'delete' => [
1337 'access CiviCRM',
1338 'access CiviEvent',
1339 'edit event participants',
1340 ],
1341 'get' => [
1342 'access CiviCRM',
1343 'access CiviEvent',
1344 'view event participants',
1345 ],
1346 'update' => [
1347 'access CiviCRM',
1348 'access CiviEvent',
1349 'edit event participants',
1350 ],
1351 ];
1352 $permissions['participant_payment'] = [
1353 'create' => [
1354 'access CiviCRM',
1355 'access CiviEvent',
1356 'register for events',
1357 'access CiviContribute',
1358 'edit contributions',
1359 ],
1360 'delete' => [
1361 'access CiviCRM',
1362 'access CiviEvent',
1363 'edit event participants',
1364 'access CiviContribute',
1365 'delete in CiviContribute',
1366 ],
1367 'get' => [
1368 'access CiviCRM',
1369 'access CiviEvent',
1370 'view event participants',
1371 'access CiviContribute',
1372 ],
1373 'update' => [
1374 'access CiviCRM',
1375 'access CiviEvent',
1376 'edit event participants',
1377 'access CiviContribute',
1378 'edit contributions',
1379 ],
1380 ];
1381
1382 // Pledge permissions
1383 $permissions['pledge'] = [
1384 'create' => [
1385 'access CiviCRM',
1386 'access CiviPledge',
1387 'edit pledges',
1388 ],
1389 'delete' => [
1390 'access CiviCRM',
1391 'access CiviPledge',
1392 'delete in CiviPledge',
1393 ],
1394 'get' => [
1395 'access CiviCRM',
1396 'access CiviPledge',
1397 ],
1398 'update' => [
1399 'access CiviCRM',
1400 'access CiviPledge',
1401 'edit pledges',
1402 ],
1403 ];
1404
1405 //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
1406 $permissions['action_schedule'] = [
1407 'update' => [
1408 [
1409 'access CiviCRM',
1410 'edit all events',
1411 ],
1412 ],
1413 ];
1414
1415 $permissions['pledge_payment'] = [
1416 'create' => [
1417 'access CiviCRM',
1418 'access CiviPledge',
1419 'edit pledges',
1420 'access CiviContribute',
1421 'edit contributions',
1422 ],
1423 'delete' => [
1424 'access CiviCRM',
1425 'access CiviPledge',
1426 'delete in CiviPledge',
1427 'access CiviContribute',
1428 'delete in CiviContribute',
1429 ],
1430 'get' => [
1431 'access CiviCRM',
1432 'access CiviPledge',
1433 'access CiviContribute',
1434 ],
1435 'update' => [
1436 'access CiviCRM',
1437 'access CiviPledge',
1438 'edit pledges',
1439 'access CiviContribute',
1440 'edit contributions',
1441 ],
1442 ];
1443
1444 // Profile permissions
1445 $permissions['profile'] = [
1446 // the profile will take care of this
1447 'get' => [],
1448 ];
1449
1450 $permissions['uf_group'] = [
1451 'create' => [
1452 'access CiviCRM',
1453 [
1454 'administer CiviCRM',
1455 'manage event profiles',
1456 ],
1457 ],
1458 'get' => [
1459 'access CiviCRM',
1460 ],
1461 'update' => [
1462 'access CiviCRM',
1463 [
1464 'administer CiviCRM',
1465 'manage event profiles',
1466 ],
1467 ],
1468 ];
1469 $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group'];
1470 $permissions['uf_field']['delete'] = [
1471 'access CiviCRM',
1472 [
1473 'administer CiviCRM',
1474 'manage event profiles',
1475 ],
1476 ];
1477 $permissions['option_value'] = $permissions['uf_group'];
1478 $permissions['option_group'] = $permissions['option_value'];
1479
1480 $permissions['custom_value'] = [
1481 'gettree' => ['access CiviCRM'],
1482 ];
1483
1484 $permissions['message_template'] = [
1485 'get' => ['access CiviCRM'],
1486 'create' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1487 'update' => [['edit message templates', 'edit user-driven message templates', 'edit system workflow message templates']],
1488 ];
1489
1490 $permissions['report_template']['update'] = 'save Report Criteria';
1491 $permissions['report_template']['create'] = 'save Report Criteria';
1492 return $permissions;
1493 }
1494
1495 /**
1496 * Translate an unknown action to a canonical form.
1497 *
1498 * @param string $action
1499 *
1500 * @return string
1501 * the standardised action name
1502 */
1503 public static function getGenericAction($action) {
1504 $snippet = substr($action, 0, 3);
1505 if ($action == 'replace' || $snippet == 'del') {
1506 // 'Replace' is a combination of get+create+update+delete; however, the permissions
1507 // on each of those will be tested separately at runtime. This is just a sniff-test
1508 // based on the heuristic that 'delete' tends to be the most closely guarded
1509 // of the necessary permissions.
1510 $action = 'delete';
1511 }
1512 elseif ($action == 'setvalue' || $snippet == 'upd') {
1513 $action = 'update';
1514 }
1515 elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') {
1516 $action = 'meta';
1517 }
1518 elseif ($snippet == 'get') {
1519 $action = 'get';
1520 }
1521 return $action;
1522 }
1523
1524 /**
1525 * Validate user permission across.
1526 * edit or view or with supportable acls.
1527 *
1528 * @return bool
1529 */
1530 public static function giveMeAllACLs() {
1531 if (CRM_Core_Permission::check('view all contacts') ||
1532 CRM_Core_Permission::check('edit all contacts')
1533 ) {
1534 return TRUE;
1535 }
1536
1537 $session = CRM_Core_Session::singleton();
1538 $contactID = $session->get('userID');
1539
1540 //check for acl.
1541 $aclPermission = self::getPermission();
1542 if (in_array($aclPermission, [
1543 CRM_Core_Permission::EDIT,
1544 CRM_Core_Permission::VIEW,
1545 ])
1546 ) {
1547 return TRUE;
1548 }
1549
1550 // run acl where hook and see if the user is supplying an ACL clause
1551 // that is not false
1552 $tables = $whereTables = [];
1553 $where = NULL;
1554
1555 CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW,
1556 $tables, $whereTables,
1557 $contactID, $where
1558 );
1559 return empty($whereTables) ? FALSE : TRUE;
1560 }
1561
1562 /**
1563 * Get component name from given permission.
1564 *
1565 * @param string $permission
1566 *
1567 * @return null|string
1568 * the name of component.
1569 */
1570 public static function getComponentName($permission) {
1571 $componentName = NULL;
1572 $permission = trim($permission);
1573 if (empty($permission)) {
1574 return $componentName;
1575 }
1576
1577 static $allCompPermissions = [];
1578 if (empty($allCompPermissions)) {
1579 $components = CRM_Core_Component::getComponents();
1580 foreach ($components as $name => $comp) {
1581 //get all permissions of each components unconditionally
1582 $allCompPermissions[$name] = $comp->getPermissions(TRUE);
1583 }
1584 }
1585
1586 if (is_array($allCompPermissions)) {
1587 foreach ($allCompPermissions as $name => $permissions) {
1588 if (array_key_exists($permission, $permissions)) {
1589 $componentName = $name;
1590 break;
1591 }
1592 }
1593 }
1594
1595 return $componentName;
1596 }
1597
1598 /**
1599 * Get all the contact emails for users that have a specific permission.
1600 *
1601 * @param string $permissionName
1602 * Name of the permission we are interested in.
1603 *
1604 * @return string
1605 * a comma separated list of email addresses
1606 */
1607 public static function permissionEmails($permissionName) {
1608 $config = CRM_Core_Config::singleton();
1609 return $config->userPermissionClass->permissionEmails($permissionName);
1610 }
1611
1612 /**
1613 * Get all the contact emails for users that have a specific role.
1614 *
1615 * @param string $roleName
1616 * Name of the role we are interested in.
1617 *
1618 * @return string
1619 * a comma separated list of email addresses
1620 */
1621 public static function roleEmails($roleName) {
1622 $config = CRM_Core_Config::singleton();
1623 return $config->userRoleClass->roleEmails($roleName);
1624 }
1625
1626 /**
1627 * @return bool
1628 */
1629 public static function isMultisiteEnabled() {
1630 return Civi::settings()->get('is_enabled') ? TRUE : FALSE;
1631 }
1632
1633 /**
1634 * Verify if the user has permission to get the invoice.
1635 *
1636 * @return bool
1637 * TRUE if the user has download all invoices permission or download my
1638 * invoices permission and the invoice author is the current user.
1639 */
1640 public static function checkDownloadInvoice() {
1641 $cid = CRM_Core_Session::getLoggedInContactID();
1642 if (CRM_Core_Permission::check('access CiviContribute') ||
1643 (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
1644 ) {
1645 return TRUE;
1646 }
1647 return FALSE;
1648 }
1649
1650 }