* Ex 1: Must have 'access CiviCRM'
* (string) 'access CiviCRM'
*
- * Ex 2: Must have 'access CiviCRM' and 'access Ajax API'
- * ['access CiviCRM', 'access Ajax API']
+ * Ex 2: Must have 'access CiviCRM' and 'access AJAX API'
+ * ['access CiviCRM', 'access AJAX API']
*
- * Ex 3: Must have 'access CiviCRM' or 'access Ajax API'
+ * Ex 3: Must have 'access CiviCRM' or 'access AJAX API'
* [
- * ['access CiviCRM', 'access Ajax API'],
+ * ['access CiviCRM', 'access AJAX API'],
* ],
*
- * Ex 4: Must have 'access CiviCRM' or 'access Ajax API' AND 'access CiviEvent'
+ * Ex 4: Must have 'access CiviCRM' or 'access AJAX API' AND 'access CiviEvent'
* [
- * ['access CiviCRM', 'access Ajax API'],
+ * ['access CiviCRM', 'access AJAX API'],
* 'access CiviEvent',
* ],
*
* Note that in permissions.php this is keyed by the action eg.
* (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
* 'myaction' => [
- * ['access CiviCRM', 'access Ajax API'],
+ * ['access CiviCRM', 'access AJAX API'],
* ['access CiviEvent', 'access CiviContribute']
* ],
*
'label' => $prefix . ts('administer CiviCRM Data'),
'description' => ts('Permit altering all restricted data options'),
],
+ 'all CiviCRM permissions and ACLs' => [
+ 'label' => $prefix . ts('all CiviCRM permissions and ACLs'),
+ 'description' => ts('Administer and use CiviCRM bypassing any other permission or ACL checks and enabling the creation of displays and forms that allow others to bypass checks. This permission should be given out with care'),
+ ],
];
if (self::isMultisiteEnabled()) {
// This could arguably be moved to the multisite extension but
'description' => ts('Administer multiple organizations. In practice this allows editing the group organization link'),
];
}
- foreach (self::getImpliedPermissions() as $name => $includes) {
- foreach ($includes as $permission) {
- $permissions[$name][] = $permissions[$permission];
- }
- }
return $permissions;
}
*
* @return array
*/
- public static function getImpliedPermissions() {
+ public static function getImpliedAdminPermissions(): array {
return [
- 'administer CiviCRM' => ['administer CiviCRM system', 'administer CiviCRM data'],
- 'administer CiviCRM data' => ['edit message templates', 'administer dedupe rules'],
- 'administer CiviCRM system' => ['edit system workflow message templates'],
+ 'administer CiviCRM' => ['implied_permissions' => ['administer CiviCRM system', 'administer CiviCRM data']],
+ 'administer CiviCRM data' => ['implied_permissions' => ['edit message templates', 'administer dedupe rules']],
+ 'administer CiviCRM system' => ['implied_permissions' => ['edit system workflow message templates']],
];
}
*
* @return array
*/
- public static function getImpliedPermissionsFor(string $permission) {
- $return = [];
- foreach (self::getImpliedPermissions() as $superPermission => $components) {
- if (in_array($permission, $components, TRUE)) {
- $return[$superPermission] = $superPermission;
+ public static function getImpliedPermissionsFor(string $permission): array {
+ if (in_array($permission[0], ['@', '*'], TRUE)) {
+ // Special permissions like '*always deny*' - see DynamicFKAuthorizationTest.
+ // Also '@afform - see AfformUsageTest.
+ return [];
+ }
+ $implied = Civi::cache('metadata')->get('implied_permissions', []);
+ if (isset($implied[$permission])) {
+ return $implied[$permission];
+ }
+ $implied[$permission] = ['all CiviCRM permissions and ACLs'];
+ foreach (self::getImpliedAdminPermissions() as $key => $details) {
+ if (in_array($permission, $details['implied_permissions'] ?? [], TRUE)) {
+ $implied[$permission][] = $key;
}
}
- return $return;
+ Civi::cache('metadata')->set('implied_permissions', $implied);
+ return $implied[$permission];
}
/**
],
];
$permissions['case_contact'] = $permissions['case'];
+ $permissions['case_activity'] = $permissions['case'];
$permissions['case_type'] = [
'default' => ['administer CiviCase'],
protected static function getCoreAndComponentPermissions(bool $all): array {
$permissions = self::getCorePermissions();
$permissions = array_merge($permissions, self::getComponentPermissions($all));
+ $permissions['all CiviCRM permissions and ACLs']['implied_permissions'] = array_keys($permissions);
return $permissions;
}
projects / civicrm-core.git / blobdiff