forked from civicrm/civicrm-core
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathAPI.php
205 lines (187 loc) · 5.92 KB
/
API.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
/**
*
* @package CRM
* @copyright CiviCRM LLC https://civicrm.org/licensing
*/
class CRM_ACL_API {
/**
* The various type of permissions.
*
* @var int
*/
const EDIT = 1;
const VIEW = 2;
const DELETE = 3;
const CREATE = 4;
const SEARCH = 5;
const ALL = 6;
/**
* Given a permission string, check for access requirements
*
* @param string $str
* The permission to check.
* @param int|null $contactID
* The contactID for whom the check is made.
*
* @return bool
* true if yes, else false
*
* @deprecated
*/
public static function check($str, $contactID = NULL) {
\CRM_Core_Error::deprecatedWarning(__CLASS__ . '::' . __FUNCTION__ . ' is deprecated.');
if ($contactID == NULL) {
$contactID = CRM_Core_Session::getLoggedInContactID();
}
if (!$contactID) {
// anonymous user
$contactID = 0;
}
return CRM_ACL_BAO_ACL::check($str, $contactID);
}
/**
* Get the permissioned where clause for the user.
*
* @param int $type
* The type of permission needed.
* @param array $tables
* (reference ) add the tables that are needed for the select clause.
* @param array $whereTables
* (reference ) add the tables that are needed for the where clause.
* @param int|null $contactID
* The contactID for whom the check is made.
* @param bool $onlyDeleted
* Whether to include only deleted contacts.
* @param bool $skipDeleteClause
* Don't add delete clause if this is true,.
* this means it is handled by generating query
* @param bool $skipOwnContactClause
* Do not add 'OR contact_id = $userID' to the where clause.
* This is a hideously inefficient query and should be avoided
* wherever possible.
*
* @return string
* the group where clause for this user
*/
public static function whereClause(
$type,
&$tables,
&$whereTables,
$contactID = NULL,
$onlyDeleted = FALSE,
$skipDeleteClause = FALSE,
$skipOwnContactClause = FALSE
) {
// the default value which is valid for the final AND
$deleteClause = ' ( 1 ) ';
if (!$skipDeleteClause) {
if (CRM_Core_Permission::check('access deleted contacts')) {
if ($onlyDeleted) {
$deleteClause = '(contact_a.is_deleted)';
}
}
else {
// Exclude deleted contacts due to permissions
$deleteClause = '(contact_a.is_deleted = 0)';
}
}
if (!$contactID) {
$contactID = CRM_Core_Session::getLoggedInContactID();
}
$contactID = (int) $contactID;
// first see if the contact has edit / view all permission
if (CRM_Core_Permission::check('edit all contacts', $contactID) ||
($type == self::VIEW && CRM_Core_Permission::check('view all contacts', $contactID))
) {
return $deleteClause;
}
$whereClause = CRM_ACL_BAO_ACL::whereClause($type,
$tables,
$whereTables,
$contactID
);
$where = implode(' AND ', [$whereClause, $deleteClause]);
// Add permission on self if we really hate our server or have hardly any contacts.
if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') ||
$type == self::VIEW && CRM_Core_Permission::check('view my contact'))
) {
$where = "(contact_a.id = $contactID OR ($where))";
}
return $where;
}
/**
* Get all the groups the user has access to for the given operation.
*
* @param int $type
* The type of permission needed.
* @param int|null $contactID
* The contactID for whom the check is made.
*
* @param string $tableName
* @param array|null $allGroups
* @param array $includedGroups
*
* @return array
* the ids of the groups for which the user has permissions
*/
public static function group(
$type,
$contactID = NULL,
$tableName = 'civicrm_group',
$allGroups = NULL,
$includedGroups = []
) {
if (!is_array($includedGroups)) {
CRM_Core_Error::deprecatedWarning('pass an array for included groups');
$includedGroups = (array) $includedGroups;
}
if ($contactID == NULL) {
$contactID = CRM_Core_Session::getLoggedInContactID();
}
return CRM_ACL_BAO_ACL::group($type, (int) $contactID, $tableName, $allGroups, $includedGroups);
}
/**
* Check if the user has access to this group for operation $type
*
* @param int $type
* The type of permission needed.
* @param int $groupID
* @param int|null $contactID
* The contactID for whom the check is made.
* @param string $tableName
* @param array|null $allGroups
* @param array|null $includedGroups
*
* @return bool
*/
public static function groupPermission(
$type,
$groupID,
$contactID = NULL,
$tableName = 'civicrm_group',
$allGroups = NULL,
$includedGroups = NULL
) {
if (!isset(Civi::$statics[__CLASS__]) || !isset(Civi::$statics[__CLASS__]['group_permission'])) {
Civi::$statics[__CLASS__]['group_permission'] = [];
}
if (!$contactID) {
$contactID = CRM_Core_Session::getLoggedInContactID();
}
$key = "{$tableName}_{$type}_{$contactID}";
if (!array_key_exists($key, Civi::$statics[__CLASS__]['group_permission'])) {
Civi::$statics[__CLASS__]['group_permission'][$key] = self::group($type, $contactID, $tableName, $allGroups, $includedGroups ?? []);
}
return in_array($groupID, Civi::$statics[__CLASS__]['group_permission'][$key]);
}
}