X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=CRM%2FContact%2FBAO%2FContact%2FPermission.php;h=731958c98a5f72e1fd1f1a92b210d14a51dd24de;hb=69078420f066e5d038b91372e9a19eb77073121b;hp=09b8925ede78a3255e54b503a77629f68f06f8f1;hpb=c9baa85a27f776bc2b49bc5d38611f537cf19f30;p=civicrm-core.git diff --git a/CRM/Contact/BAO/Contact/Permission.php b/CRM/Contact/BAO/Contact/Permission.php index 09b8925ede..731958c98a 100644 --- a/CRM/Contact/BAO/Contact/Permission.php +++ b/CRM/Contact/BAO/Contact/Permission.php @@ -3,7 +3,7 @@ +--------------------------------------------------------------------+ | CiviCRM version 5 | +--------------------------------------------------------------------+ - | Copyright CiviCRM LLC (c) 2004-2018 | + | Copyright CiviCRM LLC (c) 2004-2019 | +--------------------------------------------------------------------+ | This file is a part of CiviCRM. | | | @@ -28,7 +28,7 @@ /** * * @package CRM - * @copyright CiviCRM LLC (c) 2004-2018 + * @copyright CiviCRM LLC (c) 2004-2019 */ class CRM_Contact_BAO_Contact_Permission { @@ -47,10 +47,10 @@ class CRM_Contact_BAO_Contact_Permission { * @see CRM_Contact_BAO_Contact_Permission::allow * * @return array - * list of contact IDs the logged in user has the given permission for + * list of contact IDs the logged in user has the given permission for */ public static function allowList($contact_ids, $type = CRM_Core_Permission::VIEW) { - $result_set = array(); + $result_set = []; if (empty($contact_ids)) { // empty contact lists would cause trouble in the SQL. And be pointless. return $result_set; @@ -81,7 +81,7 @@ class CRM_Contact_BAO_Contact_Permission { // get logged in user $contactID = CRM_Core_Session::getLoggedInContactID(); if (empty($contactID)) { - return array(); + return []; } // make sure the cache is filled @@ -114,9 +114,9 @@ WHERE contact_id IN ({$contact_id_list}) // if some have been rejected, double check for permissions inherited by relationship if (count($result_set) < count($contact_ids)) { - $rejected_contacts = array_diff_key($contact_ids, $result_set); + $rejected_contacts = array_diff_key($contact_ids, $result_set); // @todo consider storing these to the acl cache for next time, since we have fetched. - $allowed_by_relationship = self::relationshipList($rejected_contacts); + $allowed_by_relationship = self::relationshipList($rejected_contacts, $type); foreach ($allowed_by_relationship as $contact_id) { $result_set[(int) $contact_id] = TRUE; } @@ -161,14 +161,14 @@ WHERE contact_id IN ({$contact_id_list}) } // check permission based on relationship, CRM-2963 - if (self::relationshipList(array($id))) { + if (self::relationshipList([$id], $type)) { return TRUE; } // We should probably do a cheap check whether it's in the cache first. // check permission based on ACL - $tables = array(); - $whereTables = array(); + $tables = []; + $whereTables = []; $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, NULL, FALSE, FALSE, TRUE); $from = CRM_Contact_BAO_Query::fromClause($whereTables); @@ -180,7 +180,7 @@ WHERE contact_a.id = %1 AND $permission LIMIT 1 "; - if (CRM_Core_DAO::singleValueQuery($query, array(1 => array($id, 'Integer')))) { + if (CRM_Core_DAO::singleValueQuery($query, [1 => [$id, 'Integer']])) { return TRUE; } return FALSE; @@ -214,7 +214,7 @@ WHERE contact_a.id = %1 AND $permission $operationClause = " operation = 'Edit' "; $operation = 'Edit'; } - $queryParams = array(1 => array($userID, 'Integer')); + $queryParams = [1 => [$userID, 'Integer']]; if (!$force) { // skip if already calculated @@ -236,8 +236,8 @@ AND $operationClause } } - $tables = array(); - $whereTables = array(); + $tables = []; + $whereTables = []; $permission = CRM_ACL_API::whereClause($type, $tables, $whereTables, $userID, FALSE, FALSE, TRUE); @@ -273,16 +273,16 @@ AND ac.user_id IS NULL CRM_Core_Permission::check('edit all contacts') ) { if (is_array($contactAlias)) { - $wheres = array(); + $wheres = []; foreach ($contactAlias as $alias) { // CRM-6181 $wheres[] = "$alias.is_deleted = 0"; } - return array(NULL, '(' . implode(' AND ', $wheres) . ')'); + return [NULL, '(' . implode(' AND ', $wheres) . ')']; } else { // CRM-6181 - return array(NULL, "$contactAlias.is_deleted = 0"); + return [NULL, "$contactAlias.is_deleted = 0"]; } } @@ -291,7 +291,7 @@ AND ac.user_id IS NULL if (is_array($contactAlias) && !empty($contactAlias)) { //More than one contact alias - $clauses = array(); + $clauses = []; foreach ($contactAlias as $k => $alias) { $clauses[] = " INNER JOIN civicrm_acl_contact_cache aclContactCache_{$k} ON {$alias}.id = aclContactCache_{$k}.contact_id AND aclContactCache_{$k}.user_id = $contactID "; } @@ -304,7 +304,7 @@ AND ac.user_id IS NULL $whereClase = " aclContactCache.user_id = $contactID AND $contactAlias.is_deleted = 0"; } - return array($fromClause, $whereClase); + return [$fromClause, $whereClase]; } /** @@ -315,7 +315,7 @@ AND ac.user_id IS NULL * @return string|null */ public static function cacheSubquery() { - if (!CRM_Core_Permission::check(array(array('view all contacts', 'edit all contacts')))) { + if (!CRM_Core_Permission::check([['view all contacts', 'edit all contacts']])) { $contactID = (int) CRM_Core_Session::getLoggedInContactID(); self::cache($contactID); return "IN (SELECT contact_id FROM civicrm_acl_contact_cache WHERE user_id = $contactID)"; @@ -330,29 +330,40 @@ AND ac.user_id IS NULL * @param array $contact_ids * List of contact IDs to be filtered * + * @param int $type + * access type CRM_Core_Permission::VIEW or CRM_Core_Permission::EDIT + * * @return array * List of contact IDs that the user has permissions for */ - public static function relationshipList($contact_ids) { - $result_set = array(); + public static function relationshipList($contact_ids, $type) { + $result_set = []; // no processing empty lists (avoid SQL errors as well) if (empty($contact_ids)) { - return array(); + return []; } // get the currently logged in user $contactID = CRM_Core_Session::getLoggedInContactID(); if (empty($contactID)) { - return array(); + return []; } // compile a list of queries (later to UNION) - $queries = array(); + $queries = []; $contact_id_list = implode(',', $contact_ids); - // add a select statement for each direection - $directions = array(array('from' => 'a', 'to' => 'b'), array('from' => 'b', 'to' => 'a')); + // add a select statement for each direction + $directions = [['from' => 'a', 'to' => 'b'], ['from' => 'b', 'to' => 'a']]; + + // CRM_Core_Permission::VIEW is satisfied by either CRM_Contact_BAO_Relationship::VIEW or CRM_Contact_BAO_Relationship::EDIT + if ($type == CRM_Core_Permission::VIEW) { + $is_perm_condition = ' IN ( ' . CRM_Contact_BAO_Relationship::EDIT . ' , ' . CRM_Contact_BAO_Relationship::VIEW . ' ) '; + } + else { + $is_perm_condition = ' = ' . CRM_Contact_BAO_Relationship::EDIT; + } // NORMAL/SINGLE DEGREE RELATIONSHIPS foreach ($directions as $direction) { @@ -373,7 +384,7 @@ SELECT civicrm_relationship.{$contact_id_column} AS contact_id WHERE civicrm_relationship.{$user_id_column} = {$contactID} AND civicrm_relationship.{$contact_id_column} IN ({$contact_id_list}) AND civicrm_relationship.is_active = 1 - AND civicrm_relationship.is_permission_{$direction['from']}_{$direction['to']} = 1 + AND civicrm_relationship.is_permission_{$direction['from']}_{$direction['to']} {$is_perm_condition} $AND_CAN_ACCESS_DELETED"; } @@ -394,14 +405,14 @@ SELECT civicrm_relationship.{$contact_id_column} AS contact_id $queries[] = " SELECT second_degree_relationship.contact_id_{$second_direction['to']} AS contact_id FROM civicrm_relationship first_degree_relationship - LEFT JOIN civicrm_relationship second_degree_relationship ON first_degree_relationship.contact_id_{$first_direction['to']} = second_degree_relationship.contact_id_{$first_direction['from']} + LEFT JOIN civicrm_relationship second_degree_relationship ON first_degree_relationship.contact_id_{$first_direction['to']} = second_degree_relationship.contact_id_{$second_direction['from']} {$LEFT_JOIN_DELETED} WHERE first_degree_relationship.contact_id_{$first_direction['from']} = {$contactID} AND second_degree_relationship.contact_id_{$second_direction['to']} IN ({$contact_id_list}) AND first_degree_relationship.is_active = 1 - AND first_degree_relationship.is_permission_{$first_direction['from']}_{$first_direction['to']} = 1 + AND first_degree_relationship.is_permission_{$first_direction['from']}_{$first_direction['to']} {$is_perm_condition} AND second_degree_relationship.is_active = 1 - AND second_degree_relationship.is_permission_{$second_direction['from']}_{$second_direction['to']} = 1 + AND second_degree_relationship.is_permission_{$second_direction['from']}_{$second_direction['to']} {$is_perm_condition} $AND_CAN_ACCESS_DELETED"; } } @@ -416,7 +427,6 @@ SELECT second_degree_relationship.contact_id_{$second_direction['to']} AS contac return array_keys($result_set); } - /** * @param int $contactID * @param CRM_Core_Form $form @@ -450,7 +460,7 @@ SELECT second_degree_relationship.contact_id_{$second_direction['to']} AS contac // so here the contact is posing as $contactID, lets set the logging contact ID variable // CRM-8965 CRM_Core_DAO::executeQuery('SET @civicrm_user_id = %1', - array(1 => array($contactID, 'Integer')) + [1 => [$contactID, 'Integer']] ); return TRUE;