crm.fsf.org/20131203/files/sites/all/modules-new/civicrm/Civi/API/Subscriber/PermissionCheck.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.6                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2015                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 namespace Civi\API\Subscriber;
  29
  30 use Civi\API\Events;
  31 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  32
  33 /**
  34  * For any API requests that correspond to a Doctrine entity
  35  * ($apiRequest['doctrineClass']), check permissions specified in
  36  * Civi\API\Annotation\Permission.
  37  */
  38 class PermissionCheck implements EventSubscriberInterface {
  39   /**
  40    * @return array
  41    */
  42   public static function getSubscribedEvents() {
  43     return array(
  44       Events::AUTHORIZE => array(
  45         array('onApiAuthorize', Events::W_LATE),
  46       ),
  47     );
  48   }
  49
  50   /**
  51    * @param \Civi\API\Event\AuthorizeEvent $event
  52    *   API authorization event.
  53    *
  54    * @throws \Civi\API\Exception\UnauthorizedException
  55    */
  56   public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  57     $apiRequest = $event->getApiRequest();
  58     if ($apiRequest['version'] < 4) {
  59       // return early unless we’re told explicitly to do the permission check
  60       if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
  61         $event->authorize();
  62         $event->stopPropagation();
  63         return;
  64       }
  65
  66       require_once 'CRM/Core/DAO/permissions.php';
  67       $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
  68
  69       // $params might’ve been reset by the alterAPIPermissions() hook
  70       if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
  71         $event->authorize();
  72         $event->stopPropagation();
  73         return;
  74       }
  75
  76       if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) {
  77         if (is_array($permissions)) {
  78           $permissions = implode(' and ', $permissions);
  79         }
  80         // FIXME: Generating the exception ourselves allows for detailed error
  81         // but doesn't play well with multiple authz subscribers.
  82         throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
  83       }
  84
  85       $event->authorize();
  86       $event->stopPropagation();
  87     }
  88   }
  89
  90   /**
  91    * Check API for ACL permission.
  92    *
  93    * @param array $apiRequest
  94    *
  95    * @return bool
  96    */
  97   public function checkACLPermission($apiRequest) {
  98     switch ($apiRequest['entity']) {
  99       case 'UFGroup':
 100       case 'UFField':
 101         $ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
 102         $aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups);
 103         $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups);
 104         $ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
 105         if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
 106           return TRUE;
 107         }
 108         break;
 109
 110       //CRM-16777: Disable schedule reminder with ACLs.
 111       case 'ActionSchedule':
 112         $events = \CRM_Event_BAO_Event::getEvents();
 113         $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $events);
 114         $param = array('id' => $apiRequest['params']['id']);
 115         $eventId = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value = array());
 116         if (in_array($eventId->entity_value, $aclEdit)) {
 117           return TRUE;
 118         }
 119         break;
 120     }
 121
 122     return FALSE;
 123   }
 124
 125 }