return self::$_operation;
}
- /**
- * Construct a WHERE clause to handle permissions to $object_*
- *
- * @param array $tables
- * Any tables that may be needed in the FROM.
- * @param string $operation
- * The operation being attempted.
- * @param string $object_table
- * The table of the object in question.
- * @param int $object_id
- * The ID of the object in question.
- * @param int $acl_id
- * If it's a grant/revoke operation, the ACL ID.
- * @param bool $acl_role
- * For grant operations, this flag determines if we're granting a single acl (false) or an entire group.
- *
- * @return string
- * The WHERE clause, or 0 on failure
- * @throws \CRM_Core_Exception
- *
- * @deprecated
- *
- */
- public static function permissionClause(
- &$tables, $operation,
- $object_table = NULL, $object_id = NULL,
- $acl_id = NULL, $acl_role = FALSE
- ) {
- CRM_Core_Error::deprecatedFunctionWarning('unknown - this is really old & not used in core');
- $dao = new CRM_ACL_DAO_ACL();
-
- $t = [
- 'ACL' => self::getTableName(),
- 'ACLRole' => 'civicrm_acl_role',
- 'ACLEntityRole' => CRM_ACL_DAO_EntityRole::getTableName(),
- 'Contact' => CRM_Contact_DAO_Contact::getTableName(),
- 'Group' => CRM_Contact_DAO_Group::getTableName(),
- 'GroupContact' => CRM_Contact_DAO_GroupContact::getTableName(),
- ];
-
- $contact_id = CRM_Core_Session::getLoggedInContactID();
-
- $where = " {$t['ACL']}.operation = '" . CRM_Utils_Type::escape($operation, 'String') . "'";
-
- /* Include clause if we're looking for a specific table/id permission */
-
- if (!empty($object_table)) {
- $where .= " AND ( {$t['ACL']}.object_table IS null
- OR ({$t['ACL']}.object_table = '" . CRM_Utils_Type::escape($object_table, 'String') . "'";
- if (!empty($object_id)) {
- $where .= " AND ({$t['ACL']}.object_id IS null
- OR {$t['ACL']}.object_id = " . CRM_Utils_Type::escape($object_id, 'Integer') . ')';
- }
- $where .= '))';
- }
-
- /* Include clause if we're granting an ACL or ACL Role */
-
- if (!empty($acl_id)) {
- $where .= " AND ({$t['ACL']}.acl_id IS null
- OR {$t['ACL']}.acl_id = " . CRM_Utils_Type::escape($acl_id, 'Integer') . ')';
- if ($acl_role) {
- $where .= " AND {$t['ACL']}.acl_table = '{$t['ACLRole']}'";
- }
- else {
- $where .= " AND {$t['ACL']}.acl_table = '{$t['ACL']}'";
- }
- }
-
- $query = [];
-
- /* Query for permissions granted to all contacts in the domain */
-
- $query[] = "SELECT {$t['ACL']}.*, 0 as override
- FROM {$t['ACL']}
-
- WHERE {$t['ACL']}.entity_table = '{$t['Domain']}'
- AND ($where)";
-
- /* Query for permissions granted to all contacts through an ACL group */
-
- $query[] = "SELECT {$t['ACL']}.*, 0 as override
- FROM {$t['ACL']}
-
- INNER JOIN {$t['ACLEntityRole']}
- ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
- AND {$t['ACL']}.entity_id =
- {$t['ACLEntityRole']}.acl_role_id)
-
- INNER JOIN {$t['ACLRole']}
- ON {$t['ACL']}.entity_id =
- {$t['ACLRole']}.id
-
- WHERE {$t['ACLEntityRole']}.entity_table =
- '{$t['Domain']}'
- AND {$t['ACLRole']}.is_active = 1
- AND ($where)";
-
- /* Query for permissions granted directly to the contact */
-
- $query[] = "SELECT {$t['ACL']}.*, 1 as override
- FROM {$t['ACL']}
-
- INNER JOIN {$t['Contact']}
- ON ({$t['ACL']}.entity_table = '{$t['Contact']}'
- AND {$t['ACL']}.entity_id = {$t['Contact']}.id)
-
- WHERE {$t['Contact']}.id = $contact_id
- AND ($where)";
-
- /* Query for permissions granted to the contact through an ACL group */
-
- $query[] = "SELECT {$t['ACL']}.*, 1 as override
- FROM {$t['ACL']}
-
- INNER JOIN {$t['ACLEntityRole']}
- ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
- AND {$t['ACL']}.entity_id =
- {$t['ACLEntityRole']}.acl_role_id)
-
- INNER JOIN {$t['ACLRole']}
- ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id
-
- WHERE {$t['ACLEntityRole']}.entity_table =
- '{$t['Contact']}'
- AND {$t['ACLRole']}.is_active = 1
- AND {$t['ACLEntityRole']}.entity_id = $contact_id
- AND ($where)";
-
- /* Query for permissions granted to the contact through a group */
-
- $query[] = "SELECT {$t['ACL']}.*, 0 as override
- FROM {$t['ACL']}
-
- INNER JOIN {$t['GroupContact']}
- ON ({$t['ACL']}.entity_table = '{$t['Group']}'
- AND {$t['ACL']}.entity_id =
- {$t['GroupContact']}.group_id)
-
- WHERE ($where)
- AND {$t['GroupContact']}.contact_id = $contact_id
- AND {$t['GroupContact']}.status = 'Added')";
-
- /* Query for permissions granted through an ACL group to a Contact
- * group */
-
- $query[] = "SELECT {$t['ACL']}.*, 0 as override
- FROM {$t['ACL']}
-
- INNER JOIN {$t['ACLEntityRole']}
- ON ({$t['ACL']}.entity_table = '{$t['ACLRole']}'
- AND {$t['ACL']}.entity_id =
- {$t['ACLEntityRole']}.acl_role_id)
-
- INNER JOIN {$t['ACLRole']}
- ON {$t['ACL']}.entity_id = {$t['ACLRole']}.id
-
- INNER JOIN {$t['GroupContact']}
- ON ({$t['ACLEntityRole']}.entity_table =
- '{$t['Group']}'
- AND {$t['ACLEntityRole']}.entity_id =
- {$t['GroupContact']}.group_id)
-
- WHERE ($where)
- AND {$t['ACLRole']}.is_active = 1
- AND {$t['GroupContact']}.contact_id = $contact_id
- AND {$t['GroupContact']}.status = 'Added'";
-
- $union = '(' . implode(') UNION DISTINCT (', $query) . ')';
-
- $dao->query($union);
-
- $allow = [0];
- $deny = [0];
- $override = [];
-
- while ($dao->fetch()) {
- /* Instant bypass for the following cases:
- * 1) the rule governs all tables
- * 2) the rule governs all objects in the table in question
- * 3) the rule governs the specific object we want
- */
-
- if (empty($dao->object_table) ||
- ($dao->object_table == $object_table
- && (empty($dao->object_id)
- || $dao->object_id == $object_id
- )
- )
- ) {
- $clause = 1;
- }
- else {
- /* Otherwise try to generate a clause for this rule */
-
- $clause = self::getClause(
- $dao->object_table, $dao->object_id, $tables
- );
-
- /* If the clause returned is null, then the rule is a blanket
- * (id is null) on a table other than the one we're interested
- * in. So skip it. */
-
- if (empty($clause)) {
- continue;
- }
- }
-
- /* Now we figure out if this is an allow or deny rule, and possibly
- * a contact-level override */
-
- if ($dao->deny) {
- $deny[] = $clause;
- }
- else {
- $allow[] = $clause;
-
- if ($dao->override) {
- $override[] = $clause;
- }
- }
- }
-
- $allows = '(' . implode(' OR ', $allow) . ')';
- $denies = '(' . implode(' OR ', $deny) . ')';
- if (!empty($override)) {
- $denies = '(NOT (' . implode(' OR ', $override) . ") AND $denies)";
- }
-
- return "($allows AND NOT $denies)";
- }
-
/**
* Given a table and id pair, return the filter clause
*
projects / civicrm-core.git / commitdiff