<?php
/*
+--------------------------------------------------------------------+
- | CiviCRM version 4.5 |
+ | CiviCRM version 4.6 |
+--------------------------------------------------------------------+
- | Copyright CiviCRM LLC (c) 2004-2014 |
+ | Copyright CiviCRM LLC (c) 2004-2015 |
+--------------------------------------------------------------------+
| This file is a part of CiviCRM. |
| |
| GNU Affero General Public License or the licensing of CiviCRM, |
| see the CiviCRM license FAQ at http://civicrm.org/licensing |
+--------------------------------------------------------------------+
-*/
+ */
/**
*
* @package CRM
- * @copyright CiviCRM LLC (c) 2004-2014
+ * @copyright CiviCRM LLC (c) 2004-2015
* $Id$
*
*/
class CRM_Core_Permission {
/**
- * Static strings used to compose permissions
+ * Static strings used to compose permissions.
*
* @const
* @var string
*/
- CONST EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
+ const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';
/**
- * The various type of permissions
+ * The various type of permissions.
*
* @var int
*/
- CONST EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
+ const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;
/**
- * A placeholder permission which always fails
+ * A placeholder permission which always fails.
*/
const ALWAYS_DENY_PERMISSION = "*always deny*";
/**
- * A placeholder permission which always fails
+ * A placeholder permission which always fails.
*/
const ALWAYS_ALLOW_PERMISSION = "*always allow*";
/**
- * Various authentication sources
+ * Various authentication sources.
*
* @var int
*/
- CONST AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
+ const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
/**
- * get the current permission of this user
+ * Get the current permission of this user.
*
- * @return string the permission of the user (edit or view or null)
+ * @return string
+ * the permission of the user (edit or view or null)
*/
public static function getPermission() {
$config = CRM_Core_Config::singleton();
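Review bot: The docblock on `ALWAYS_ALLOW_PERMISSION` still reads "A placeholder permission which always fails."; the change only adds a full stop to a sentence copied from `ALWAYS_DENY_PERMISSION` just above it. For a sentinel whose name says it grants access unconditionally, the comment should say so, e.g. `A placeholder permission which always succeeds.`, so that nobody wires it into an access check expecting a deny. How the two sentinels are evaluated is not visible in this hunk.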
}
/**
- * given a permission string or array, check for access requirements
- * @param mixed $permissions the permission to check as an array or string -see examples
- * arrays
+ * Given a permission string or array, check for access requirements
+ * @param mixed $permissions
+ * The permission to check as an array or string -see examples.
+ * arrays
*
* Ex 1
*
* array('access CiviEvent', 'access CiviContribute')
* ),
*
- * @return boolean true if yes, else false
- * @static
- * @access public
+ * @return bool
+ * true if yes, else false
*/
- static function check($permissions) {
+ public static function check($permissions) {
$permissions = (array) $permissions;
foreach ($permissions as $permission) {
- if(is_array($permission)) {
+ if (is_array($permission)) {
foreach ($permission as $orPerm) {
- if(self::check($orPerm)) {
+ if (self::check($orPerm)) {
//one of our 'or' permissions has succeeded - stop checking this permission
return TRUE;;
}
return FALSE;
}
else {
- if(!CRM_Core_Config::singleton()->userPermissionClass->check($permission)) {
+ if (!CRM_Core_Config::singleton()->userPermissionClass->check($permission)) {
//one of our 'and' conditions has not been met
return FALSE;
}
}
/**
- * Determine if any one of the permissions strings applies to current user
+ * Determine if any one of the permissions strings applies to current user.
*
* @param array $perms
* @return bool
/**
* Given a group/role array, check for access requirements
*
- * @param array $array the group/role to check
+ * @param array $array
+ * The group/role to check.
*
- * @return boolean true if yes, else false
- * @static
- * @access public
+ * @return bool
+ * true if yes, else false
*/
- static function checkGroupRole($array) {
+ public static function checkGroupRole($array) {
$config = CRM_Core_Config::singleton();
return $config->userPermissionClass->checkGroupRole($array);
}
/**
- * Get the permissioned where clause for the user
+ * Get the permissioned where clause for the user.
*
- * @param int $type the type of permission needed
- * @param array $tables (reference ) add the tables that are needed for the select clause
- * @param array $whereTables (reference ) add the tables that are needed for the where clause
+ * @param int $type
+ * The type of permission needed.
+ * @param array $tables
+ * (reference ) add the tables that are needed for the select clause.
+ * @param array $whereTables
+ * (reference ) add the tables that are needed for the where clause.
*
- * @return string the group where clause for this user
- * @access public
+ * @return string
+ * the group where clause for this user
*/
public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
$config = CRM_Core_Config::singleton();
* Get all groups from database, filtered by permissions
* for this user
*
- * @param string $groupType type of group(Access/Mailing)
- * @param bool|\boolen $excludeHidden exclude hidden groups.
+ * @param string $groupType
+ * Type of group(Access/Mailing).
+ * @param bool $excludeHidden
+ * exclude hidden groups.
*
- * @access public
- * @static
*
- * @return array - array reference of all groups.
+ * @return array
+ * array reference of all groups.
*/
public static function group($groupType, $excludeHidden = TRUE) {
$config = CRM_Core_Config::singleton();
*
* @return string
*/
- static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
+ public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
if (self::customGroupAdmin()) {
return ' ( 1 ) ';
}
}
/**
- * @param $gid
+ * @param int $gid
* @param int $type
*
* @return bool
*
* @return array|string
*/
- static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
+ public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
$groups = self::ufGroup($type);
if ($returnUFGroupIds) {
return $groups;
/**
* @param int $type
- * @param null $eventID
+ * @param int $eventID
* @param string $context
*
* @return array|null
*/
public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
- if(!empty($context)) {
- if(CRM_Core_Permission::check($context)) {
+ if (!empty($context)) {
+ if (CRM_Core_Permission::check($context)) {
return TRUE;
}
}
*
* @return string
*/
- static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
+ public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
$events = self::event($type);
if (empty($events)) {
return ' ( 0 ) ';
*
* @return bool
*/
- static function access($module, $checkPermission = TRUE) {
+ public static function access($module, $checkPermission = TRUE) {
$config = CRM_Core_Config::singleton();
if (!in_array($module, $config->enableComponents)) {
}
/**
- * check permissions for delete and edit actions
+ * Check permissions for delete and edit actions.
*
- * @param string $module component name.
- * @param integer $action action to be check across component
+ * @param string $module
+ * Component name.
+ * @param int $action
+ * Action to be check across component.
*
*
* @return bool
*/
- static function checkActionPermission($module, $action) {
+ public static function checkActionPermission($module, $action) {
//check delete related permissions.
if ($action & CRM_Core_Action::DELETE) {
$permissionName = "delete in $module";
*
* @return bool
*/
- static function checkMenu(&$args, $op = 'and') {
+ public static function checkMenu(&$args, $op = 'and') {
if (!is_array($args)) {
return $args;
}
* @return bool|mixed
* @throws Exception
*/
- static function checkMenuItem(&$item) {
+ public static function checkMenuItem(&$item) {
if (!array_key_exists('access_callback', $item)) {
CRM_Core_Error::backtrace();
CRM_Core_Error::fatal();
/**
* @param bool $all
+ * @param bool $descriptions
+ * whether to return descriptions
*
* @return array
*/
- static function &basicPermissions($all = FALSE) {
- static $permissions = NULL;
-
- if (!$permissions) {
- $config = CRM_Core_Config::singleton();
- $prefix = ts('CiviCRM') . ': ';
- $permissions = self::getCorePermissions();
+ public static function &basicPermissions($all = FALSE, $descriptions = FALSE) {
+ if ($descriptions) {
+ static $permissionsDesc = NULL;
- if (self::isMultisiteEnabled()) {
- $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
+ if (!$permissionsDesc) {
+ $permissionsDesc = self::assembleBasicPermissions($all, $descriptions);
}
- if (!$all) {
- $components = CRM_Core_Component::getEnabledComponents();
- }
- else {
- $components = CRM_Core_Component::getComponents();
+ return $permissionsDesc;
+ }
+ else {
+ static $permissions = NULL;
+
+ if (!$permissions) {
+ $permissions = self::assembleBasicPermissions($all, $descriptions);
}
- foreach ($components as $comp) {
- $perm = $comp->getPermissions();
- if ($perm) {
- $info = $comp->getInfo();
+ return $permissions;
+ }
+ }
+
+ /**
+ * @param bool $all
+ * @param bool $descriptions
+ * whether to return descriptions
+ *
+ * @return array
+ */
+ public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
+ $config = CRM_Core_Config::singleton();
+ $prefix = ts('CiviCRM') . ': ';
+ $permissions = self::getCorePermissions($descriptions);
+
+ if (self::isMultisiteEnabled()) {
+ $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
+ }
+
+ if (!$all) {
+ $components = CRM_Core_Component::getEnabledComponents();
+ }
+ else {
+ $components = CRM_Core_Component::getComponents();
+ }
+
+ foreach ($components as $comp) {
+ $perm = $comp->getPermissions(FALSE, $descriptions);
+ if ($perm) {
+ $info = $comp->getInfo();
+ if ($descriptions) {
+ foreach ($perm as $p => $attr) {
+ $title = $info['translatedName'] . ': ' . array_shift($attr);
+ array_unshift($attr, $title);
+ $permissions[$p] = $attr;
+ }
+ }
+ else {
foreach ($perm as $p) {
$permissions[$p] = $info['translatedName'] . ': ' . $p;
}
}
}
-
- // Add any permissions defined in hook_civicrm_permission implementations.
- $module_permissions = $config->userPermissionClass->getAllModulePermissions();
- $permissions = array_merge($permissions, $module_permissions);
}
+ // Add any permissions defined in hook_civicrm_permission implementations.
+ $module_permissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
+ $permissions = array_merge($permissions, $module_permissions);
return $permissions;
}
/**
* @return array
*/
- static function getAnonymousPermissionsWarnings() {
+ public static function getAnonymousPermissionsWarnings() {
static $permissions = array();
if (empty($permissions)) {
$permissions = array(
- 'administer CiviCRM'
+ 'administer CiviCRM',
);
$components = CRM_Core_Component::getComponents();
foreach ($components as $comp) {
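Review bot: In `assembleBasicPermissions()` the `'administer Multiple Organizations'` entry is assigned a plain string even when `$descriptions` is TRUE, while the core and component entries are arrays of label and description in that mode, so a consumer of the described list gets a mixed shape. Build the label once and wrap it when descriptions are requested: `$label = $prefix . ts('administer Multiple Organizations');` followed by `$permissions['administer Multiple Organizations'] = $descriptions ? array($label) : $label;`. Separately, `basicPermissions()` keeps one static cache per `$descriptions` value but not per `$all`, so the first call's `$all` decides what every later call returns (this predates the change, but the refactor keeps it), and because the function returns by reference a caller can alter the cached list. The shape returned by `getAllModulePermissions($descriptions)` is not visible here and should be confirmed to match.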
*
* @return array
*/
- static function validateForPermissionWarnings($anonymous_perms) {
+ public static function validateForPermissionWarnings($anonymous_perms) {
return array_intersect($anonymous_perms, self::getAnonymousPermissionsWarnings());
}
/**
+ * @param bool $descriptions
+ * whether to return descriptions
+ *
* @return array
*/
- static function getCorePermissions() {
+ public static function getCorePermissions($descriptions = FALSE) {
$prefix = ts('CiviCRM') . ': ';
$permissions = array(
- 'add contacts' => $prefix . ts('add contacts'),
- 'view all contacts' => $prefix . ts('view all contacts'),
- 'edit all contacts' => $prefix . ts('edit all contacts'),
- 'view my contact' => $prefix . ts('view my contact'),
- 'edit my contact' => $prefix . ts('edit my contact'),
- 'delete contacts' => $prefix . ts('delete contacts'),
- 'access deleted contacts' => $prefix . ts('access deleted contacts'),
- 'import contacts' => $prefix . ts('import contacts'),
- 'edit groups' => $prefix . ts('edit groups'),
- 'administer CiviCRM' => $prefix . ts('administer CiviCRM'),
- 'skip IDS check' => $prefix . ts('skip IDS check'),
- 'access uploaded files' => $prefix . ts('access uploaded files'),
- 'profile listings and forms' => $prefix . ts('profile listings and forms'),
- 'profile listings' => $prefix . ts('profile listings'),
- 'profile create' => $prefix . ts('profile create'),
- 'profile edit' => $prefix . ts('profile edit'),
- 'profile view' => $prefix . ts('profile view'),
- 'access all custom data' => $prefix . ts('access all custom data'),
- 'view all activities' => $prefix . ts('view all activities'),
- 'delete activities' => $prefix . ts('delete activities'),
- 'access CiviCRM' => $prefix . ts('access CiviCRM'),
- 'access Contact Dashboard' => $prefix . ts('access Contact Dashboard'),
- 'translate CiviCRM' => $prefix . ts('translate CiviCRM'),
- 'administer reserved groups' => $prefix . ts('administer reserved groups'),
- 'administer Tagsets' => $prefix . ts('administer Tagsets'),
- 'administer reserved tags' => $prefix . ts('administer reserved tags'),
- 'administer dedupe rules' => $prefix . ts('administer dedupe rules'),
- 'merge duplicate contacts' => $prefix . ts('merge duplicate contacts'),
- 'view debug output' => $prefix . ts('view debug output'),
- 'view all notes' => $prefix . ts('view all notes'),
- 'access AJAX API' => $prefix . ts('access AJAX API'),
- 'access contact reference fields' => $prefix . ts('access contact reference fields'),
- 'create manual batch' => $prefix . ts('create manual batch'),
- 'edit own manual batches' => $prefix . ts('edit own manual batches'),
- 'edit all manual batches' => $prefix . ts('edit all manual batches'),
- 'view own manual batches' => $prefix . ts('view own manual batches'),
- 'view all manual batches' => $prefix . ts('view all manual batches'),
- 'delete own manual batches' => $prefix . ts('delete own manual batches'),
- 'delete all manual batches' => $prefix . ts('delete all manual batches'),
- 'export own manual batches' => $prefix . ts('export own manual batches'),
- 'export all manual batches' => $prefix . ts('export all manual batches'),
- 'administer payment processors' => $prefix . ts('administer payment processors'),
+ 'add contacts' => array(
+ $prefix . ts('add contacts'),
+ ts('Create a new contact record in CiviCRM'),
+ ),
+ 'view all contacts' => array(
+ $prefix . ts('view all contacts'),
+ ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
+ ),
+ 'edit all contacts' => array(
+ $prefix . ts('edit all contacts'),
+ ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
+ ),
+ 'view my contact' => array(
+ $prefix . ts('view my contact'),
+ ),
+ 'edit my contact' => array(
+ $prefix . ts('edit my contact'),
+ ),
+ 'delete contacts' => array(
+ $prefix . ts('delete contacts'),
+ ),
+ 'access deleted contacts' => array(
+ $prefix . ts('access deleted contacts'),
+ ts('Access contacts in the trash'),
+ ),
+ 'import contacts' => array(
+ $prefix . ts('import contacts'),
+ ts('Import contacts and activities'),
+ ),
+ 'edit groups' => array(
+ $prefix . ts('edit groups'),
+ ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
+ ),
+ 'administer CiviCRM' => array(
+ $prefix . ts('administer CiviCRM'),
+ ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
+ ),
+ 'skip IDS check' => array(
+ $prefix . ts('skip IDS check'),
+ ts('IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
+ ),
+ 'access uploaded files' => array(
+ $prefix . ts('access uploaded files'),
+ ts('View / download files including images and photos'),
+ ),
+ 'profile listings and forms' => array(
+ $prefix . ts('profile listings and forms'),
+ ts('Access the profile Search form and listings'),
+ ),
+ 'profile listings' => array(
+ $prefix . ts('profile listings'),
+ ),
+ 'profile create' => array(
+ $prefix . ts('profile create'),
+ ts('Use profiles in Create mode'),
+ ),
+ 'profile edit' => array(
+ $prefix . ts('profile edit'),
+ ts('Use profiles in Edit mode'),
+ ),
+ 'profile view' => array(
+ $prefix . ts('profile view'),
+ ),
+ 'access all custom data' => array(
+ $prefix . ts('access all custom data'),
+ ts('View all custom fields regardless of ACL rules'),
+ ),
+ 'view all activities' => array(
+ $prefix . ts('view all activities'),
+ ts('View all activities (for visible contacts)'),
+ ),
+ 'delete activities' => array(
+ $prefix . ts('Delete activities'),
+ ),
+ 'access CiviCRM' => array(
+ $prefix . ts('access CiviCRM'),
+ ts('Master control for access to the main CiviCRM backend and API'),
+ ),
+ 'access Contact Dashboard' => array(
+ $prefix . ts('access Contact Dashboard'),
+ ts('View Contact Dashboard (for themselves and visible contacts)'),
+ ),
+ 'translate CiviCRM' => array(
+ $prefix . ts('translate CiviCRM'),
+ ts('Allow User to enable multilingual'),
+ ),
+ 'administer reserved groups' => array(
+ $prefix . ts('administer reserved groups'),
+ ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
+ ),
+ 'administer Tagsets' => array(
+ $prefix . ts('administer Tagsets'),
+ ),
+ 'administer reserved tags' => array(
+ $prefix . ts('administer reserved tags'),
+ ),
+ 'administer dedupe rules' => array(
+ $prefix . ts('administer dedupe rules'),
+ ts('Create and edit rules, change the supervised and unsupervised rules'),
+ ),
+ 'merge duplicate contacts' => array(
+ $prefix . ts('merge duplicate contacts'),
+ ts('Delete Contacts must also be granted in order for this to work.'),
+ ),
+ 'view debug output' => array(
+ $prefix . ts('view debug output'),
+ ts('View results of debug and backtrace'),
+ ),
+ 'view all notes' => array(
+ $prefix . ts('view all notes'),
+ ts("View notes (for visible contacts) even if they're marked admin only"),
+ ),
+ 'access AJAX API' => array(
+ $prefix . ts('access AJAX API'),
+ ts('Allow API access even if Access CiviCRM is not granted'),
+ ),
+ 'access contact reference fields' => array(
+ $prefix . ts('access contact reference fields'),
+ ts('Allow entering data into contact reference fields'),
+ ),
+ 'create manual batch' => array(
+ $prefix . ts('create manual batch'),
+ ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
+ ),
+ 'edit own manual batches' => array(
+ $prefix . ts('edit own manual batches'),
+ ts('Edit accounting batches created by user'),
+ ),
+ 'edit all manual batches' => array(
+ $prefix . ts('edit all manual batches'),
+ ts('Edit all accounting batches'),
+ ),
+ 'view own manual batches' => array(
+ $prefix . ts('view own manual batches'),
+ ts('View accounting batches created by user (with Access to CiviContribute)'),
+ ),
+ 'view all manual batches' => array(
+ $prefix . ts('view all manual batches'),
+ ts('View all accounting batches (with Access to CiviContribute)'),
+ ),
+ 'delete own manual batches' => array(
+ $prefix . ts('delete own manual batches'),
+ ts('Delete accounting batches created by user'),
+ ),
+ 'delete all manual batches' => array(
+ $prefix . ts('delete all manual batches'),
+ ts('Delete all accounting batches'),
+ ),
+ 'export own manual batches' => array(
+ $prefix . ts('export own manual batches'),
+ ts('Export accounting batches created by user'),
+ ),
+ 'export all manual batches' => array(
+ $prefix . ts('export all manual batches'),
+ ts('Export all accounting batches'),
+ ),
+ 'administer payment processors' => array(
+ $prefix . ts('administer payment processors'),
+ ts('Add, Update, or Disable Payment Processors'),
+ ),
+ 'edit message templates' => array(
+ $prefix . ts('edit message templates'),
+ ),
);
+ if (!$descriptions) {
+ foreach ($permissions as $name => $attr) {
+ $permissions[$name] = array_shift($attr);
+ }
+ }
+
return $permissions;
}
/**
- * Validate user permission across
+ * Validate user permission across.
* edit or view or with supportable acls.
*
- * return boolean true/false.
- **/
- static function giveMeAllACLs() {
+ * @return bool
+ */
+ public static function giveMeAllACLs() {
if (CRM_Core_Permission::check('view all contacts') ||
CRM_Core_Permission::check('edit all contacts')
) {
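Review bot: The label for `'delete activities'` in `getCorePermissions()` is now `ts('Delete activities')`, capitalised unlike its key, every other label in the array and the string it replaces, which changes both the displayed name and the translation source string; `$prefix . ts('delete activities'),` keeps it consistent. Since these descriptions are what an administrator reads when granting a permission, the destructive entries `'delete contacts'` and `'delete activities'` would benefit from a description too, and the `'skip IDS check'` text could state plainly that requests from these users are not screened by the IDS rather than framing it as avoiding false errors. The flattening loop at the end could read the label with `$attr[0]` instead of calling `array_shift($attr)` on a copy. `giveMeAllACLs()` at the bottom of the hunk continues outside it.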
}
/**
- * Function to get component name from given permission.
+ * Get component name from given permission.
*
* @param string $permission
*
- * return string $componentName the name of component.
- *
- * @return int|null|string
- * @static
+ * @return null|string
+ * the name of component.
*/
- static function getComponentName($permission) {
+ public static function getComponentName($permission) {
$componentName = NULL;
$permission = trim($permission);
if (empty($permission)) {
}
/**
- * Get all the contact emails for users that have a specific permission
+ * Get all the contact emails for users that have a specific permission.
*
- * @param string $permissionName name of the permission we are interested in
+ * @param string $permissionName
+ * Name of the permission we are interested in.
*
- * @return string a comma separated list of email addresses
+ * @return string
+ * a comma separated list of email addresses
*/
public static function permissionEmails($permissionName) {
$config = CRM_Core_Config::singleton();
}
/**
- * Get all the contact emails for users that have a specific role
+ * Get all the contact emails for users that have a specific role.
*
- * @param string $roleName name of the role we are interested in
+ * @param string $roleName
+ * Name of the role we are interested in.
*
- * @return string a comma separated list of email addresses
+ * @return string
+ * a comma separated list of email addresses
*/
public static function roleEmails($roleName) {
$config = CRM_Core_Config::singleton();
/**
* @return bool
*/
- static function isMultisiteEnabled() {
+ public static function isMultisiteEnabled() {
return CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME,
'is_enabled'
) ? TRUE : FALSE;
}
+
}