3 +--------------------------------------------------------------------+
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2020 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
28 namespace Civi\API\Subscriber
;
31 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
34 * For any API requests that correspond to a Doctrine entity
35 * ($apiRequest['doctrineClass']), check permissions specified in
36 * Civi\API\Annotation\Permission.
38 class PermissionCheck
implements EventSubscriberInterface
{
43 public static function getSubscribedEvents() {
45 Events
::AUTHORIZE
=> [
46 ['onApiAuthorize', Events
::W_LATE
],
52 * @param \Civi\API\Event\AuthorizeEvent $event
53 * API authorization event.
55 * @throws \Civi\API\Exception\UnauthorizedException
57 public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent
$event) {
58 $apiRequest = $event->getApiRequest();
59 if ($apiRequest['version'] < 4) {
60 // return early unless we’re told explicitly to do the permission check
61 if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
63 $event->stopPropagation();
67 require_once 'CRM/Core/DAO/permissions.php';
68 $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
70 // $params might’ve been reset by the alterAPIPermissions() hook
71 if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
73 $event->stopPropagation();
77 if (!\CRM_Core_Permission
::check($permissions) and !self
::checkACLPermission($apiRequest)) {
78 if (is_array($permissions)) {
79 foreach ($permissions as &$permission) {
80 if (is_array($permission)) {
81 $permission = '( ' . implode(' or ', $permission) . ' )';
84 $permissions = implode(' and ', $permissions);
86 // FIXME: Generating the exception ourselves allows for detailed error
87 // but doesn't play well with multiple authz subscribers.
88 throw new \Civi\API\Exception\
UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
92 $event->stopPropagation();
94 elseif ($apiRequest['version'] == 4) {
95 if (!$apiRequest->getCheckPermissions()) {
97 $event->stopPropagation();
103 * Check API for ACL permission.
105 * @param array $apiRequest
109 public function checkACLPermission($apiRequest) {
110 switch ($apiRequest['entity']) {
113 $ufGroups = \CRM_Core_PseudoConstant
::get('CRM_Core_DAO_UFField', 'uf_group_id');
114 $aclCreate = \CRM_ACL_API
::group(\CRM_Core_Permission
::CREATE
, NULL, 'civicrm_uf_group', $ufGroups);
115 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_uf_group', $ufGroups);
116 $ufGroupId = $apiRequest['entity'] == 'UFGroup' ?
$apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
117 if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
122 //CRM-16777: Disable schedule reminder with ACLs.
123 case 'ActionSchedule':
124 $events = \CRM_Event_BAO_Event
::getEvents();
125 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_event', $events);
126 $param = ['id' => $apiRequest['params']['id']];
127 $eventId = \CRM_Core_BAO_ActionSchedule
::retrieve($param, $value = []);
128 if (in_array($eventId->entity_value
, $aclEdit)) {