3 +--------------------------------------------------------------------+
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
29 * "Attachment" is a pseudo-entity which represents a record in civicrm_file
30 * combined with a record in civicrm_entity_file as well as the underlying
32 * For core fields use "entity_table", for custom fields use "field_name"
35 * // Create an attachment for a core field
36 * $result = civicrm_api3('Attachment', 'create', array(
37 * 'entity_table' => 'civicrm_activity',
39 * 'name' => 'README.txt',
40 * 'mime_type' => 'text/plain',
41 * 'content' => 'Please to read the README',
43 * $attachment = $result['values'][$result['id']];
44 * echo sprintf("<a href='%s'>View %s</a>", $attachment['url'], $attachment['name']);
48 * // Create an attachment for a custom file field
49 * $result = civicrm_api3('Attachment', 'create', array(
50 * 'field_name' => 'custom_6',
52 * 'name' => 'README.txt',
53 * 'mime_type' => 'text/plain',
54 * 'content' => 'Please to read the README',
56 * $attachment = $result['values'][$result['id']];
57 * echo sprintf("<a href='%s'>View %s</a>", $attachment['url'], $attachment['name']);
61 * // Move an existing file and save as an attachment
62 * $result = civicrm_api3('Attachment', 'create', array(
63 * 'entity_table' => 'civicrm_activity',
65 * 'name' => 'README.txt',
66 * 'mime_type' => 'text/plain',
68 * 'move-file' => '/tmp/upload1a2b3c4d',
71 * $attachment = $result['values'][$result['id']];
72 * echo sprintf("<a href='%s'>View %s</a>", $attachment['url'], $attachment['name']);
76 * - File content is not returned by default. One must specify 'return => content'.
77 * - Features which deal with local file system (e.g. passing "options.move-file"
78 * or returning a "path") are only valid when executed as a local API (ie
79 * "check_permissions"==false)
81 * @package CiviCRM_APIv3
85 * Adjust metadata for "create" action.
90 function _civicrm_api3_attachment_create_spec(&$spec) {
91 $spec = array_merge($spec, _civicrm_api3_attachment_getfields());
92 $spec['name']['api.required'] = 1;
93 $spec['mime_type']['api.required'] = 1;
94 $spec['entity_id']['api.required'] = 1;
95 $spec['upload_date']['api.default'] = 'now';
99 * Create an Attachment.
101 * @param array $params
104 * @throws API_Exception validation errors
105 * @see Civi\API\Subscriber\DynamicFKAuthorization
107 function civicrm_api3_attachment_create($params) {
108 if (empty($params['id'])) {
109 // When creating we need either entity_table or field_name.
110 civicrm_api3_verify_one_mandatory($params, NULL, ['entity_table', 'field_name']);
113 $config = CRM_Core_Config
::singleton();
114 list($id, $file, $entityFile, $name, $content, $moveFile, $isTrusted, $returnContent) = _civicrm_api3_attachment_parse_params($params);
116 $fileDao = new CRM_Core_BAO_File();
117 $entityFileDao = new CRM_Core_DAO_EntityFile();
120 $file['id'] = $fileDao->id
= $id;
122 if (!$fileDao->find(TRUE)) {
123 throw new API_Exception("Invalid ID");
126 $entityFileDao->file_id
= $id;
127 if (!$entityFileDao->find(TRUE)) {
128 throw new API_Exception("Cannot modify orphaned file");
132 if (!$id && !is_string($content) && !is_string($moveFile)) {
133 throw new API_Exception("Mandatory key(s) missing from params array: 'id' or 'content' or 'options.move-file'");
135 if (!$isTrusted && $moveFile) {
136 throw new API_Exception("options.move-file is only supported on secure calls");
138 if (is_string($content) && is_string($moveFile)) {
139 throw new API_Exception("'content' and 'options.move-file' are mutually exclusive");
141 if ($id && !$isTrusted && isset($file['upload_date']) && $file['upload_date'] != CRM_Utils_Date
::isoToMysql($fileDao->upload_date
)) {
142 throw new API_Exception("Cannot modify upload_date" . var_export([$file['upload_date'], $fileDao->upload_date
, CRM_Utils_Date
::isoToMysql($fileDao->upload_date
)], TRUE));
144 if ($id && $name && $name != CRM_Utils_File
::cleanFileName($fileDao->uri
)) {
145 throw new API_Exception("Cannot modify name");
149 $file['uri'] = CRM_Utils_File
::makeFileName($name);
151 $fileDao = CRM_Core_BAO_File
::create($file);
152 $fileDao->find(TRUE);
154 $entityFileDao->copyValues($entityFile);
155 $entityFileDao->file_id
= $fileDao->id
;
156 $entityFileDao->save();
158 $path = $config->customFileUploadDir
. DIRECTORY_SEPARATOR
. $fileDao->uri
;
159 if (is_string($content)) {
160 file_put_contents($path, $content);
162 elseif (is_string($moveFile)) {
163 // CRM-17432 Do not use rename() since it will break file permissions.
164 // Also avoid move_uplaoded_file() because the API can use options.move-file.
165 copy($moveFile, $path);
169 // Save custom field to entity
170 if (!$id && empty($params['entity_table']) && isset($params['field_name'])) {
171 civicrm_api3('custom_value', 'create', [
172 'entity_id' => $params['entity_id'],
173 $params['field_name'] => $fileDao->id
,
178 $fileDao->id
=> _civicrm_api3_attachment_format_result($fileDao, $entityFileDao, $returnContent, $isTrusted),
180 return civicrm_api3_create_success($result, $params, 'Attachment', 'create');
184 * Adjust metadata for get action.
189 function _civicrm_api3_attachment_get_spec(&$spec) {
190 $spec = array_merge($spec, _civicrm_api3_attachment_getfields());
196 * @param array $params
200 * @throws API_Exception validation errors
202 function civicrm_api3_attachment_get($params) {
203 list($id, $file, $entityFile, $name, $content, $moveFile, $isTrusted, $returnContent) = _civicrm_api3_attachment_parse_params($params);
205 $dao = __civicrm_api3_attachment_find($params, $id, $file, $entityFile, $isTrusted);
207 while ($dao->fetch()) {
208 $result[$dao->id
] = _civicrm_api3_attachment_format_result($dao, $dao, $returnContent, $isTrusted);
210 return civicrm_api3_create_success($result, $params, 'Attachment', 'create');
214 * Adjust metadata for Attachment delete action.
218 function _civicrm_api3_attachment_delete_spec(&$spec) {
219 unset($spec['id']['api.required']);
220 $entityFileFields = CRM_Core_DAO_EntityFile
::fields();
221 $spec['entity_table'] = $entityFileFields['entity_table'];
222 $spec['entity_table']['title'] = CRM_Utils_Array
::value('title', $spec['entity_table'], 'Entity Table') . ' (write-once)';
223 $spec['entity_id'] = $entityFileFields['entity_id'];
224 $spec['entity_id']['title'] = CRM_Utils_Array
::value('title', $spec['entity_id'], 'Entity ID') . ' (write-once)';
230 * @param array $params
233 * @throws API_Exception
235 function civicrm_api3_attachment_delete($params) {
236 if (!empty($params['id'])) {
239 elseif (!empty($params['entity_table']) && !empty($params['entity_id'])) {
243 throw new API_Exception("Mandatory key(s) missing from params array: id or entity_table+entity_table");
246 $config = CRM_Core_Config
::singleton();
247 list($id, $file, $entityFile, $name, $content, $moveFile, $isTrusted, $returnContent) = _civicrm_api3_attachment_parse_params($params);
248 $dao = __civicrm_api3_attachment_find($params, $id, $file, $entityFile, $isTrusted);
252 while ($dao->fetch()) {
253 $filePaths[] = $config->customFileUploadDir
. DIRECTORY_SEPARATOR
. $dao->uri
;
254 $fileIds[] = $dao->id
;
257 if (!empty($fileIds)) {
258 $idString = implode(',', array_filter($fileIds, 'is_numeric'));
259 CRM_Core_DAO
::executeQuery("DELETE FROM civicrm_entity_file WHERE file_id in ($idString)");
260 CRM_Core_DAO
::executeQuery("DELETE FROM civicrm_file WHERE id in ($idString)");
263 // unlink is non-transactional, so we do this as the last step -- just in case the other steps produce errors
264 if (!empty($filePaths)) {
265 foreach ($filePaths as $filePath) {
271 return civicrm_api3_create_success($result, $params, 'Attachment', 'create');
275 * Attachment find helper.
277 * @param array $params
278 * @param int|null $id the user-supplied ID of the attachment record
280 * The user-supplied vales for the file (mime_type, description, upload_date).
281 * @param array $entityFile
282 * The user-supplied values of the entity-file (entity_table, entity_id).
283 * @param bool $isTrusted
285 * @return CRM_Core_DAO
286 * @throws API_Exception
288 function __civicrm_api3_attachment_find($params, $id, $file, $entityFile, $isTrusted) {
289 foreach (['name', 'content', 'path', 'url'] as $unsupportedFilter) {
290 if (!empty($params[$unsupportedFilter])) {
291 throw new API_Exception("Get by $unsupportedFilter is not currently supported");
295 $select = CRM_Utils_SQL_Select
::from('civicrm_file cf')
296 ->join('cef', 'INNER JOIN civicrm_entity_file cef ON cf.id = cef.file_id')
309 $select->where('cf.id = #id', ['#id' => $id]);
311 // Recall: $file is filtered by parse_params.
312 foreach ($file as $key => $value) {
313 $select->where('cf.!field = @value', [
318 // Recall: $entityFile is filtered by parse_params.
319 foreach ($entityFile as $key => $value) {
320 $select->where('cef.!field = @value', [
326 // FIXME ACLs: Add any JOIN or WHERE clauses needed to enforce access-controls for the target entity.
328 // The target entity is identified by "cef.entity_table" (aka $entityFile['entity_table']) and "cef.entity_id".
330 // As a simplification, we *require* the "get" actions to filter on a single "entity_table" which should
331 // avoid the complexity of matching ACL's against multiple entity types.
334 $dao = CRM_Core_DAO
::executeQuery($select->toSQL());
339 * Attachment parsing helper.
341 * @param array $params
344 * (0 => int $id, 1 => array $file, 2 => array $entityFile, 3 => string $name, 4 => string $content,
345 * 5 => string $moveFile, 6 => $isTrusted, 7 => bool $returnContent)
346 * - array $file: whitelisted fields that can pass through directly to civicrm_file
347 * - array $entityFile: whitelisted fields that can pass through directly to civicrm_entity_file
348 * - string $name: the printable name
349 * - string $moveFile: the full path to a local file whose content should be loaded
350 * - bool $isTrusted: whether we trust the requester to do sketchy things (like moving files or reassigning entities)
351 * - bool $returnContent: whether we are expected to return the full content of the file
352 * @throws API_Exception validation errors
354 function _civicrm_api3_attachment_parse_params($params) {
355 $id = CRM_Utils_Array
::value('id', $params, NULL);
356 if ($id && !is_numeric($id)) {
357 throw new API_Exception("Malformed id");
361 foreach (['mime_type', 'description', 'upload_date'] as $field) {
362 if (array_key_exists($field, $params)) {
363 $file[$field] = $params[$field];
368 foreach (['entity_table', 'entity_id'] as $field) {
369 if (array_key_exists($field, $params)) {
370 $entityFile[$field] = $params[$field];
374 if (empty($params['entity_table']) && isset($params['field_name'])) {
375 $tableInfo = CRM_Core_BAO_CustomField
::getTableColumnGroup(intval(str_replace('custom_', '', $params['field_name'])));
376 $entityFile['entity_table'] = $tableInfo[0];
380 if (array_key_exists('name', $params)) {
381 if ($params['name'] != basename($params['name']) ||
preg_match(':[/\\\\]:', $params['name'])) {
382 throw new API_Exception('Malformed name');
384 $name = $params['name'];
388 if (isset($params['content'])) {
389 $content = $params['content'];
393 if (isset($params['options']['move-file'])) {
394 $moveFile = $params['options']['move-file'];
396 elseif (isset($params['options.move-file'])) {
397 $moveFile = $params['options.move-file'];
400 $isTrusted = empty($params['check_permissions']);
402 $returns = isset($params['return']) ?
$params['return'] : [];
403 $returns = is_array($returns) ?
$returns : [$returns];
404 $returnContent = in_array('content', $returns);
406 return [$id, $file, $entityFile, $name, $content, $moveFile, $isTrusted, $returnContent];
410 * Attachment result formatting helper.
412 * @param CRM_Core_DAO_File $fileDao
413 * Maybe "File" or "File JOIN EntityFile".
414 * @param CRM_Core_DAO_EntityFile $entityFileDao
415 * Maybe "EntityFile" or "File JOIN EntityFile".
416 * @param bool $returnContent
417 * Whether to return the full content of the file.
418 * @param bool $isTrusted
419 * Whether the current request is trusted to perform file-specific operations.
423 function _civicrm_api3_attachment_format_result($fileDao, $entityFileDao, $returnContent, $isTrusted) {
424 $config = CRM_Core_Config
::singleton();
425 $path = $config->customFileUploadDir
. DIRECTORY_SEPARATOR
. $fileDao->uri
;
428 'id' => $fileDao->id
,
429 'name' => CRM_Utils_File
::cleanFileName($fileDao->uri
),
430 'mime_type' => $fileDao->mime_type
,
431 'description' => $fileDao->description
,
432 'upload_date' => is_numeric($fileDao->upload_date
) ? CRM_Utils_Date
::mysqlToIso($fileDao->upload_date
) : $fileDao->upload_date
,
433 'entity_table' => $entityFileDao->entity_table
,
434 'entity_id' => $entityFileDao->entity_id
,
435 'icon' => CRM_Utils_File
::getIconFromMimeType($fileDao->mime_type
),
436 'created_id' => $fileDao->created_id
,
438 $fileHash = CRM_Core_BAO_File
::generateFileHash($result['entity_id'], $result['id']);
439 $result['url'] = CRM_Utils_System
::url(
440 'civicrm/file', 'reset=1&id=' . $result['id'] . '&eid=' . $result['entity_id'] . '&fcs=' . $fileHash,
447 $result['path'] = $path;
449 if ($returnContent) {
450 $result['content'] = file_get_contents($path);
456 * Attachment getfields helper.
459 * list of fields (indexed by name)
461 function _civicrm_api3_attachment_getfields() {
462 $fileFields = CRM_Core_DAO_File
::fields();
463 $entityFileFields = CRM_Core_DAO_EntityFile
::fields();
466 $spec['id'] = $fileFields['id'];
468 'title' => 'Name (write-once)',
469 'description' => 'The logical file name (not searchable)',
470 'type' => CRM_Utils_Type
::T_STRING
,
472 $spec['field_name'] = [
473 'title' => 'Field Name (write-once)',
474 'description' => 'Alternative to "entity_table" param - sets custom field value.',
475 'type' => CRM_Utils_Type
::T_STRING
,
477 $spec['mime_type'] = $fileFields['mime_type'];
478 $spec['description'] = $fileFields['description'];
479 $spec['upload_date'] = $fileFields['upload_date'];
480 $spec['entity_table'] = $entityFileFields['entity_table'];
481 // Would be hard to securely handle changes.
482 $spec['entity_table']['title'] = CRM_Utils_Array
::value('title', $spec['entity_table'], 'Entity Table') . ' (write-once)';
483 $spec['entity_id'] = $entityFileFields['entity_id'];
484 $spec['entity_id']['title'] = CRM_Utils_Array
::value('title', $spec['entity_id'], 'Entity ID') . ' (write-once)'; // would be hard to securely handle changes
486 'title' => 'URL (read-only)',
487 'description' => 'URL for downloading the file (not searchable, expire-able)',
488 'type' => CRM_Utils_Type
::T_STRING
,
491 'title' => 'Path (read-only)',
492 'description' => 'Local file path (not searchable, local-only)',
493 'type' => CRM_Utils_Type
::T_STRING
,
496 'title' => 'Content',
497 'description' => 'File content (not searchable, not returned by default)',
498 'type' => CRM_Utils_Type
::T_STRING
,
500 $spec['created_id'] = [
501 'title' => 'Created By Contact ID',
502 'type' => CRM_Utils_Type
::T_INT
,
503 'description' => 'FK to civicrm_contact, who uploaded this file',