From b3ace2243f4b2881bc4f6b198054a40398f2e88c Mon Sep 17 00:00:00 2001
From: "Donald A. Lobo"
Date: Thu, 24 Oct 2013 14:40:47 -0700
Subject: [PATCH] CRM-13644 - make the acl code common across all 3 CMS. Keep DrupalBase as an empty class shell
----------------------------------------
* CRM-13644: ACL does not protect mailing groups in civiMail in Joomla http://issues.civicrm.org/jira/browse/CRM-13644
---
CRM/Core/Permission/Base.php | 203 +++++++++++++++++++++++++---
CRM/Core/Permission/DrupalBase.php | 206 -----------------------------
2 files changed, 186 insertions(+), 223 deletions(-)
diff --git a/CRM/Core/Permission/Base.php b/CRM/Core/Permission/Base.php
index 2716ac07e1..600c19cab0 100644
--- a/CRM/Core/Permission/Base.php
+++ b/CRM/Core/Permission/Base.php
@@ -38,6 +38,30 @@ */ class CRM_Core_Permission_Base { + /** + * is this user someone with access for the entire system + * + * @var boolean + */ + protected $_viewAdminUser = FALSE; + protected $_editAdminUser = FALSE; + + /** + * am in in view permission or edit permission? + * @var boolean + */ + protected $_viewPermission = FALSE; + protected $_editPermission = FALSE; + + /** + * the current set of permissioned groups for the user + * + * @var array + */ + protected $_viewPermissionedGroups; + protected $_editPermissionedGroups; + + /** * Translate permission *
@@ -60,15 +84,6 @@ class CRM_Core_Permission_Base { } } - /** - * get the current permission of this user - * - * @return string the permission of the user (edit or view or null) - */ - public function getPermission() { - return CRM_Core_Permission::EDIT; - } - /** * Get the permissioned where clause for the user *
@@ -96,6 +111,8 @@ class CRM_Core_Permission_Base { $this->group(); return $this->groupClause($type, $tables, $whereTables); } + + /** * Get all groups from database, filtered by permissions * for this user
@@ -109,21 +126,174 @@ class CRM_Core_Permission_Base { * */ public function group($groupType = NULL, $excludeHidden = TRUE) { - return CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden); + if (!isset($this->_viewPermissionedGroups)) { + $this->_viewPermissionedGroups = $this->_editPermissionedGroups = array(); + } + + $groupKey = $groupType ? $groupType : 'all'; + + if (!isset($this->_viewPermissionedGroups[$groupKey])) { + $this->_viewPermissionedGroups[$groupKey] = $this->_editPermissionedGroups[$groupKey] = array(); + + $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden); + + if ($this->check('edit all contacts')) { + // this is the most powerful permission, so we return + // immediately rather than dilute it further + $this->_editAdminUser = $this->_viewAdminUser = TRUE; + $this->_editPermission = $this->_viewPermission = TRUE; + $this->_editPermissionedGroups[$groupKey] = $groups; + $this->_viewPermissionedGroups[$groupKey] = $groups; + return $this->_viewPermissionedGroups[$groupKey]; + } + elseif ($this->check('view all contacts')) { + $this->_viewAdminUser = TRUE; + $this->_viewPermission = TRUE; + $this->_viewPermissionedGroups[$groupKey] = $groups; + } + + + $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups); + if (!empty($ids)) { + foreach (array_values($ids) as $id) { + $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title'); + $this->_viewPermissionedGroups[$groupKey][$id] = $title; + $this->_viewPermission = TRUE; + } + } + + $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups); + if (!empty($ids)) { + foreach (array_values($ids) as $id) { + $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title'); + $this->_editPermissionedGroups[$groupKey][$id] = $title; + $this->_viewPermissionedGroups[$groupKey][$id] = $title; + $this->_editPermission = TRUE; + $this->_viewPermission = TRUE; + } + } + } + + return 
$this->_viewPermissionedGroups[$groupKey]; } /** - * Get group clause for this user + * Get group clause for this user. The group Clause filters the + * list of groups that the user is permitted to see in a group listing. + * For example it will filter both the list on the 'Manage Groups' page + * and on the contact 'Groups' tab + * + * the aclGroup hook & configured ACLs contribute to this data. + * If the contact is allowed to see all contacts the function will return ( 1 ) + * + * @todo the history of this function is that there was some confusion as to + * whether it was filtering contacts or groups & some cruft may remain * * @param int $type the type of permission needed - * @param array $tables (reference ) add the tables that are needed for the select clause - * @param array $whereTables (reference ) add the tables that are needed for the where clause + * @param array $tables (reference) add the tables that are needed for the select clause + * @param array $whereTables (reference) add the tables that are needed for the where clause * - * @return string the group where clause for this user + * @return string the clause to add to the query retrieving viewable groups * @access public */ public function groupClause($type, &$tables, &$whereTables) { - return ' (1) '; + if (!isset($this->_viewPermissionedGroups)) { + $this->group(); + } + + // we basically get all the groups here + $groupKey = 'all'; + if ($type == CRM_Core_Permission::EDIT) { + if ($this->_editAdminUser) { + $clause = ' ( 1 ) '; + } + elseif (empty($this->_editPermissionedGroups[$groupKey])) { + $clause = ' ( 0 ) '; + } + else { + $clauses = array(); + $groups = implode(', ', $this->_editPermissionedGroups[$groupKey]); + $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys($this->_editPermissionedGroups[$groupKey])) . 
" ) AND civicrm_group_contact.status = 'Added' ) "; + $tables['civicrm_group_contact'] = 1; + $whereTables['civicrm_group_contact'] = 1; + + // foreach group that is potentially a saved search, add the saved search clause + foreach (array_keys($this->_editPermissionedGroups[$groupKey]) as $id) { + $group = new CRM_Contact_DAO_Group(); + $group->id = $id; + if ($group->find(TRUE) && $group->saved_search_id) { + $clause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id, + $tables, + $whereTables + ); + if (trim($clause)) { + $clauses[] = $clause; + } + } + } + $clause = ' ( ' . implode(' OR ', $clauses) . ' ) '; + } + } + else { + if ($this->_viewAdminUser) { + $clause = ' ( 1 ) '; + } + elseif (empty($this->_viewPermissionedGroups[$groupKey])) { + $clause = ' ( 0 ) '; + } + else { + $clauses = array(); + $groups = implode(', ', $this->_viewPermissionedGroups[$groupKey]); + $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys($this->_viewPermissionedGroups[$groupKey])) . " ) "; + $tables['civicrm_group'] = 1; + $whereTables['civicrm_group'] = 1; + $clause = ' ( ' . implode(' OR ', $clauses) . 
' ) '; + } + } + + return $clause; + } + + /** + * get the current permission of this user + * + * @return string the permission of the user (edit or view or null) + */ + public function getPermission() { + $this->group(); + + if ($this->_editPermission) { + return CRM_Core_Permission::EDIT; + } + elseif ($this->_viewPermission) { + return CRM_Core_Permission::VIEW; + } + return NULL; + } + + function getContactEmails($uids) { + if (empty($uids)) { + return ''; + } + $uidString = implode(',', $uids); + $sql = " +SELECT e.email +FROM civicrm_contact c +INNER JOIN civicrm_email e ON ( c.id = e.contact_id AND e.is_primary = 1 ) +INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id ) +WHERE c.is_deceased = 0 +AND c.is_deleted = 0 +AND uf.uf_id IN ( $uidString ) +"; + + $dao = CRM_Core_DAO::executeQuery($sql); + + $emails = array(); + while ($dao->fetch()) { + $emails[] = $dao->email; + } + + return implode(', ', $emails); } /** @@ -136,7 +306,7 @@ class CRM_Core_Permission_Base { */ function check($str) { - //no default behaviour + // no default behaviour } /** @@ -147,7 +317,6 @@ class CRM_Core_Permission_Base { * @return boolean true if yes, else false * @access public */ - function checkGroupRole($array) { return FALSE; } diff --git a/CRM/Core/Permission/DrupalBase.php b/CRM/Core/Permission/DrupalBase.php index 9d28eef848..3e1507576f 100644 --- a/CRM/Core/Permission/DrupalBase.php +++ b/CRM/Core/Permission/DrupalBase.php 
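Review bot: getContactEmails() splices `$uids` into the query text unescaped (`AND uf.uf_id IN ( $uidString )`), so the SQL is only as safe as every caller's input; the string is built by a bare `implode` with no cast, and a single non-numeric element would land inside the query. Coerce each id before joining, `$uidString = implode(',', array_map('intval', $uids));`, or run each through `CRM_Utils_Type::escape($id, 'Integer')`, which is the typed escaping CiviCRM uses for query parameters elsewhere. In groupClause() both branches assign `$groups = implode(', ', ...)` and never read it, so those two lines are dead and can be dropped. getContactEmails() also has no docblock; a short one stating `@param array $uids CMS user ids (civicrm_uf_match.uf_id)` and `@return string comma-separated primary emails, or '' when $uids is empty` would match the rest of the class. The class body continues past this hunk; only group(), groupClause(), getPermission() and getContactEmails() are visible here.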
@@ -37,210 +37,4 @@ * */ class CRM_Core_Permission_DrupalBase extends CRM_Core_Permission_Base { - - /** - * is this user someone with access for the entire system - * - * @var boolean - */ - protected $_viewAdminUser = FALSE; - protected $_editAdminUser = FALSE; - - /** - * am in in view permission or edit permission? - * @var boolean - */ - protected $_viewPermission = FALSE; - protected $_editPermission = FALSE; - - /** - * the current set of permissioned groups for the user - * - * @var array - */ - protected $_viewPermissionedGroups; - protected $_editPermissionedGroups; - - /** - * Get all groups from database, filtered by permissions - * for this user - * - * @param string $groupType type of group(Access/Mailing) - * @param boolen $excludeHidden exclude hidden groups. - * - * @access public - * - * @return array - array reference of all groups. - * - */ - public function group($groupType = NULL, $excludeHidden = TRUE) { - if (!isset($this->_viewPermissionedGroups)) { - $this->_viewPermissionedGroups = $this->_editPermissionedGroups = array(); - } - - $groupKey = $groupType ? 
$groupType : 'all'; - - if (!isset($this->_viewPermissionedGroups[$groupKey])) { - $this->_viewPermissionedGroups[$groupKey] = $this->_editPermissionedGroups[$groupKey] = array(); - - $groups = CRM_Core_PseudoConstant::allGroup($groupType, $excludeHidden); - - if ($this->check('edit all contacts')) { - // this is the most powerful permission, so we return - // immediately rather than dilute it further - $this->_editAdminUser = $this->_viewAdminUser = TRUE; - $this->_editPermission = $this->_viewPermission = TRUE; - $this->_editPermissionedGroups[$groupKey] = $groups; - $this->_viewPermissionedGroups[$groupKey] = $groups; - return $this->_viewPermissionedGroups[$groupKey]; - } - elseif ($this->check('view all contacts')) { - $this->_viewAdminUser = TRUE; - $this->_viewPermission = TRUE; - $this->_viewPermissionedGroups[$groupKey] = $groups; - } - - - $ids = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_saved_search', $groups); - if (!empty($ids)) { - foreach (array_values($ids) as $id) { - $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title'); - $this->_viewPermissionedGroups[$groupKey][$id] = $title; - $this->_viewPermission = TRUE; - } - } - - $ids = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_saved_search', $groups); - if (!empty($ids)) { - foreach (array_values($ids) as $id) { - $title = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $id, 'title'); - $this->_editPermissionedGroups[$groupKey][$id] = $title; - $this->_viewPermissionedGroups[$groupKey][$id] = $title; - $this->_editPermission = TRUE; - $this->_viewPermission = TRUE; - } - } - } - - return $this->_viewPermissionedGroups[$groupKey]; - } - - /** - * Get group clause for this user. The group Clause filters the - * list of groups that the user is permitted to see in a group listing. 
- * For example it will filter both the list on the 'Manage Groups' page - * and on the contact 'Groups' tab - * - * the aclGroup hook & configured ACLs contribute to this data. - * If the contact is allowed to see all contacts the function will return ( 1 ) - * - * @todo the history of this function is that there was some confusion as to - * whether it was filtering contacts or groups & some cruft may remain - * - * @param int $type the type of permission needed - * @param array $tables (reference) add the tables that are needed for the select clause - * @param array $whereTables (reference) add the tables that are needed for the where clause - * - * @return string the clause to add to the query retrieving viewable groups - * @access public - */ - public function groupClause($type, &$tables, &$whereTables) { - if (!isset($this->_viewPermissionedGroups)) { - $this->group(); - } - - // we basically get all the groups here - $groupKey = 'all'; - if ($type == CRM_Core_Permission::EDIT) { - if ($this->_editAdminUser) { - $clause = ' ( 1 ) '; - } - elseif (empty($this->_editPermissionedGroups[$groupKey])) { - $clause = ' ( 0 ) '; - } - else { - $clauses = array(); - $groups = implode(', ', $this->_editPermissionedGroups[$groupKey]); - $clauses[] = ' ( civicrm_group_contact.group_id IN ( ' . implode(', ', array_keys($this->_editPermissionedGroups[$groupKey])) . " ) AND civicrm_group_contact.status = 'Added' ) "; - $tables['civicrm_group_contact'] = 1; - $whereTables['civicrm_group_contact'] = 1; - - // foreach group that is potentially a saved search, add the saved search clause - foreach (array_keys($this->_editPermissionedGroups[$groupKey]) as $id) { - $group = new CRM_Contact_DAO_Group(); - $group->id = $id; - if ($group->find(TRUE) && $group->saved_search_id) { - $clause = CRM_Contact_BAO_SavedSearch::whereClause($group->saved_search_id, - $tables, - $whereTables - ); - if (trim($clause)) { - $clauses[] = $clause; - } - } - } - $clause = ' ( ' . 
implode(' OR ', $clauses) . ' ) '; - } - } - else { - if ($this->_viewAdminUser) { - $clause = ' ( 1 ) '; - } - elseif (empty($this->_viewPermissionedGroups[$groupKey])) { - $clause = ' ( 0 ) '; - } - else { - $clauses = array(); - $groups = implode(', ', $this->_viewPermissionedGroups[$groupKey]); - $clauses[] = ' civicrm_group.id IN (' . implode(', ', array_keys($this->_viewPermissionedGroups[$groupKey])) . " ) "; - $tables['civicrm_group'] = 1; - $whereTables['civicrm_group'] = 1; - $clause = ' ( ' . implode(' OR ', $clauses) . ' ) '; - } - } - - return $clause; - } - - /** - * get the current permission of this user - * - * @return string the permission of the user (edit or view or null) - */ - public function getPermission() { - $this->group(); - - if ($this->_editPermission) { - return CRM_Core_Permission::EDIT; - } - elseif ($this->_viewPermission) { - return CRM_Core_Permission::VIEW; - } - return NULL; - } - - function getContactEmails($uids) { - if (empty($uids)) { - return ''; - } - $uidString = implode(',', $uids); - $sql = " - SELECT e.email - FROM civicrm_contact c - INNER JOIN civicrm_email e ON ( c.id = e.contact_id AND e.is_primary = 1 ) - INNER JOIN civicrm_uf_match uf ON ( c.id = uf.contact_id ) - WHERE c.is_deceased = 0 - AND c.is_deleted = 0 - AND uf.uf_id IN ( $uidString ) - "; - - $dao = CRM_Core_DAO::executeQuery($sql); - - $emails = array(); - while ($dao->fetch()) { - $emails[] = $dao->email; - } - - return implode(', ', $emails); - } } -- 2.25.1