3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
28 namespace Civi\API\Subscriber
;
31 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
34 * For any API requests that correspond to a Doctrine entity
35 * ($apiRequest['doctrineClass']), check permissions specified in
36 * Civi\API\Annotation\Permission.
38 class PermissionCheck
implements EventSubscriberInterface
{
42 public static function getSubscribedEvents() {
44 Events
::AUTHORIZE
=> array(
45 array('onApiAuthorize', Events
::W_LATE
),
51 * @param \Civi\API\Event\AuthorizeEvent $event
52 * API authorization event.
54 * @throws \Civi\API\Exception\UnauthorizedException
56 public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent
$event) {
57 $apiRequest = $event->getApiRequest();
58 if ($apiRequest['version'] < 4) {
59 // return early unless we’re told explicitly to do the permission check
60 if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
62 $event->stopPropagation();
66 require_once 'CRM/Core/DAO/permissions.php';
67 $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
69 // $params might’ve been reset by the alterAPIPermissions() hook
70 if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
72 $event->stopPropagation();
76 if (!\CRM_Core_Permission
::check($permissions) and !self
::checkACLPermission($apiRequest)) {
77 if (is_array($permissions)) {
78 $permissions = implode(' and ', $permissions);
80 // FIXME: Generating the exception ourselves allows for detailed error
81 // but doesn't play well with multiple authz subscribers.
82 throw new \Civi\API\Exception\
UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
86 $event->stopPropagation();
91 * Check API for ACL permission.
93 * @param array $apiRequest
97 public function checkACLPermission($apiRequest) {
98 switch ($apiRequest['entity']) {
101 $ufGroups = \CRM_Core_PseudoConstant
::get('CRM_Core_DAO_UFField', 'uf_group_id');
102 $aclCreate = \CRM_ACL_API
::group(\CRM_Core_Permission
::CREATE
, NULL, 'civicrm_uf_group', $ufGroups);
103 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_uf_group', $ufGroups);
104 $ufGroupId = $apiRequest['entity'] == 'UFGroup' ?
$apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
105 if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
110 //CRM-16777: Disable schedule reminder with ACLs.
111 case 'ActionSchedule':
112 $events = \CRM_Event_BAO_Event
::getEvents();
113 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_event', $events);
114 $param = array('id' => $apiRequest['params']['id']);
115 $eventId = \CRM_Core_BAO_ActionSchedule
::retrieve($param, $value = array());
116 if (in_array($eventId->entity_value
, $aclEdit)) {