<?php
/*
+--------------------------------------------------------------------+
| CiviCRM version 4.6 |
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC (c) 2004-2015 |
+--------------------------------------------------------------------+
| This file is a part of CiviCRM. |
| |
| CiviCRM is free software; you can copy, modify, and distribute it |
| under the terms of the GNU Affero General Public License |
| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
| |
| CiviCRM is distributed in the hope that it will be useful, but |
| WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
| See the GNU Affero General Public License for more details. |
| |
| You should have received a copy of the GNU Affero General Public |
| License and the CiviCRM Licensing Exception along |
| with this program; if not, contact CiviCRM LLC |
| at info[AT]civicrm[DOT]org. If you have questions about the |
| GNU Affero General Public License or the licensing of CiviCRM, |
| see the CiviCRM license FAQ at http://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
/**
*
* @package CRM
* @copyright CiviCRM LLC (c) 2004-2015
* $Id$
*
*/
/**
* This is the basic permission class wrapper
*/
class CRM_Core_Permission {
/**
 * Static strings used to compose group-scoped permissions.
 *
 * Presumably concatenated with a group name by callers (e.g.
 * "edit contacts in <group>") — confirm against the ACL code that uses them.
 *
 * @const
 * @var string
 */
const EDIT_GROUPS = 'edit contacts in ', VIEW_GROUPS = 'view contacts in ';

/**
 * The various types of permissions: the operation being checked.
 *
 * @var int
 */
const EDIT = 1, VIEW = 2, DELETE = 3, CREATE = 4, SEARCH = 5, ALL = 6, ADMIN = 7;

/**
 * A placeholder permission which always fails.
 */
const ALWAYS_DENY_PERMISSION = "*always deny*";

/**
 * A placeholder permission which, by its name, always succeeds.
 *
 * NOTE(review): the previous comment said "always fails" (copied from
 * ALWAYS_DENY_PERMISSION); the actual handling lives in the user
 * permission class, not in this file.
 */
const ALWAYS_ALLOW_PERMISSION = "*always allow*";

/**
 * Various authentication sources.
 *
 * The values (0, 1, 2, 4) look like bit flags — confirm with callers
 * before combining them.
 *
 * @var int
 */
const AUTH_SRC_UNKNOWN = 0, AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4;
/**
 * Get the current permission level of this user.
 *
 * Delegates to the CMS-specific user permission class held by the config.
 *
 * @return string
 *   The permission of the user (edit or view or null).
 */
public static function getPermission() {
  return CRM_Core_Config::singleton()->userPermissionClass->getPermission();
}
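/**
 * Given a permission string or array, check for access requirements.
 *
 * Every top-level entry is an AND-term; a nested array is an OR-group of
 * which at least one member must be granted. An empty list is vacuously
 * TRUE, so callers must resolve a permission name before calling — a NULL
 * argument becomes an empty list and is treated as granted.
 *
 * @param mixed $permissions
 *   The permission to check as an array or string - see examples.
 *
 *   Ex 1: must have 'access CiviCRM'
 *     (string) 'access CiviCRM'
 *
 *   Ex 2: must have 'access CiviCRM' and 'access Ajax API'
 *     array('access CiviCRM', 'access Ajax API')
 *
 *   Ex 3: must have 'access CiviCRM' or 'access Ajax API'
 *     array(
 *       array('access CiviCRM', 'access Ajax API'),
 *     )
 *
 *   Ex 4: must have ('access CiviCRM' or 'access Ajax API') and 'access CiviEvent'
 *     array(
 *       array('access CiviCRM', 'access Ajax API'),
 *       'access CiviEvent',
 *     )
 *
 *   Note that in permissions.php this is keyed by the action, e.g.
 *   (access Civi || access AJAX) && (access CiviEvent || access CiviContribute)
 *     'myaction' => array(
 *       array('access CiviCRM', 'access Ajax API'),
 *       array('access CiviEvent', 'access CiviContribute'),
 *     )
 *
 * @return bool
 *   TRUE if every AND-term is satisfied, else FALSE.
 */
public static function check($permissions) {
  $required = (array) $permissions;
  $config = CRM_Core_Config::singleton();
  $tempPerm = $config->userPermissionTemp;

  foreach ($required as $permission) {
    if (is_array($permission)) {
      // OR-group: at least one alternative must be granted. Previously a
      // successful alternative returned TRUE for the whole check, which
      // skipped any AND-terms listed after the group (Ex 4 above).
      $anyGranted = FALSE;
      foreach ($permission as $alternative) {
        if (self::check($alternative)) {
          $anyGranted = TRUE;
          break;
        }
      }
      if (!$anyGranted) {
        return FALSE;
      }
      continue;
    }

    // AND-term: the CMS permission class or the temporary permission
    // holder must grant it.
    $granted = $config->userPermissionClass->check($permission)
      || ($tempPerm && $tempPerm->check($permission));
    if (!$granted) {
      return FALSE;
    }
  }
  return TRUE;
}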
/**
 * Determine if any one of the permission strings applies to the current user.
 *
 * @param array $perms
 *   Permission strings (or nested arrays accepted by check()).
 *
 * @return bool
 *   TRUE as soon as one permission is granted; FALSE if none is (including
 *   for an empty list).
 */
public static function checkAnyPerm($perms) {
  $granted = FALSE;
  foreach ($perms as $perm) {
    if (self::check($perm)) {
      $granted = TRUE;
      break;
    }
  }
  return $granted;
}
/**
 * Given a group/role array, check for access requirements.
 *
 * Delegates to the CMS-specific user permission class.
 *
 * @param array $array
 *   The group/role to check.
 *
 * @return bool
 *   TRUE if yes, else FALSE.
 */
public static function checkGroupRole($array) {
  $permissionClass = CRM_Core_Config::singleton()->userPermissionClass;
  return $permissionClass->checkGroupRole($array);
}
/**
 * Get the permissioned where clause for the user.
 *
 * Delegates to the CMS-specific user permission class.
 *
 * @param int $type
 *   The type of permission needed.
 * @param array $tables
 *   (reference) add the tables that are needed for the select clause.
 * @param array $whereTables
 *   (reference) add the tables that are needed for the where clause.
 *
 * @return string
 *   The group where clause for this user.
 */
public static function getPermissionedStaticGroupClause($type, &$tables, &$whereTables) {
  $permissionClass = CRM_Core_Config::singleton()->userPermissionClass;
  return $permissionClass->getPermissionedStaticGroupClause($type, $tables, $whereTables);
}
/**
 * Get all groups from the database, filtered by this user's permissions.
 *
 * Delegates to the CMS-specific user permission class.
 *
 * @param string $groupType
 *   Type of group (Access/Mailing).
 * @param bool $excludeHidden
 *   Exclude hidden groups.
 *
 * @return array
 *   All groups the user may see.
 */
public static function group($groupType, $excludeHidden = TRUE) {
  $permissionClass = CRM_Core_Config::singleton()->userPermissionClass;
  return $permissionClass->group($groupType, $excludeHidden);
}
/**
 * Does the current user administer all custom data groups?
 *
 * Any one of: the all-powerful 'access all custom data', multi-org
 * administration on a multisite install (CRM-1905), or 'administer CiviCRM'.
 *
 * @return bool
 */
public static function customGroupAdmin() {
  return self::check('access all custom data')
    || (self::check('administer Multiple Organizations') && self::isMultisiteEnabled())
    || self::check('administer CiviCRM');
}
/**
 * Get the custom group ids the current user may access for $type.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 * @param bool $reset
 *   Refresh the pseudoconstant cache.
 *
 * @return array
 *   Custom group ids as resolved by CRM_ACL_API::group().
 */
public static function customGroup($type = CRM_Core_Permission::VIEW, $reset = FALSE) {
  $customGroups = CRM_Core_PseudoConstant::get(
    'CRM_Core_DAO_CustomField', 'custom_group_id', array('fresh' => $reset)
  );
  // Custom-data admins (see customGroupAdmin, CRM-1905) get every group as
  // the default set; everyone else starts empty and relies on ACLs.
  $defaultGroups = self::customGroupAdmin() ? array_keys($customGroups) : array();
  return CRM_ACL_API::group($type, NULL, 'civicrm_custom_group', $customGroups, $defaultGroups);
}
/**
 * Build a SQL fragment restricting custom groups to those the user may access.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 * @param null|string $prefix
 *   Table alias prefix (including the dot) for the id column.
 * @param bool $reset
 *   Refresh the pseudoconstant cache.
 *
 * @return string
 *   ' ( 1 ) ' for admins, ' ( 0 ) ' when no group is accessible, else an
 *   IN-list over the ids returned by customGroup() (internal ACL data, not
 *   request input).
 */
public static function customGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $reset = FALSE) {
  if (self::customGroupAdmin()) {
    return ' ( 1 ) ';
  }
  $groupIds = self::customGroup($type, $reset);
  return empty($groupIds)
    ? ' ( 0 ) '
    : "{$prefix}id IN ( " . implode(',', $groupIds) . ' ) ';
}
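/**
 * Is the given profile (UF group) id accessible to the user for $type?
 *
 * @param int $gid
 *   Profile id; typically arrives as a request string.
 * @param int $type
 *   Permission type (one of the class constants).
 *
 * @return bool
 *   TRUE for an empty $gid (nothing to validate), otherwise whether $gid
 *   is among the permissioned profile ids.
 */
public static function ufGroupValid($gid, $type = CRM_Core_Permission::VIEW) {
  if (empty($gid)) {
    return TRUE;
  }
  // Only an all-digit id can match; the previous loose in_array() let
  // values such as '12abc' match id 12 on PHP < 8.
  if (!ctype_digit((string) $gid)) {
    return FALSE;
  }
  $groups = self::ufGroup($type);
  if (empty($groups)) {
    return FALSE;
  }
  return in_array((int) $gid, array_map('intval', $groups), TRUE);
}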
/**
 * Get the profile (UF group) ids the current user may access for $type.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 *
 * @return array
 *   Every profile id when a blanket permission applies, else the
 *   ACL-resolved subset.
 */
public static function ufGroup($type = CRM_Core_Permission::VIEW) {
  $ufGroups = CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
  $allGroups = array_keys($ufGroups);

  // The umbrella permission grants every profile regardless of $type.
  if (self::check('profile listings and forms')) {
    return $allGroups;
  }

  // Per-operation permissions that also grant every profile.
  $blanketPermissionByType = array(
    CRM_Core_Permission::VIEW => 'profile view',
    CRM_Core_Permission::CREATE => 'profile create',
    CRM_Core_Permission::EDIT => 'profile edit',
    CRM_Core_Permission::SEARCH => 'profile listings',
  );
  if (isset($blanketPermissionByType[$type]) && self::check($blanketPermissionByType[$type])) {
    return $allGroups;
  }

  return CRM_ACL_API::group($type, NULL, 'civicrm_uf_group', $ufGroups);
}
/**
 * Build a SQL fragment (or id list) restricting profiles to accessible ones.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 * @param null|string $prefix
 *   Table alias prefix (including the dot) for the id column.
 * @param bool $returnUFGroupIds
 *   When TRUE return the raw id array instead of SQL.
 *
 * @return array|string
 *   The id array, ' ( 0 ) ' when nothing is accessible, else an IN-list.
 */
public static function ufGroupClause($type = CRM_Core_Permission::VIEW, $prefix = NULL, $returnUFGroupIds = FALSE) {
  $groupIds = self::ufGroup($type);
  if ($returnUFGroupIds) {
    return $groupIds;
  }
  if (empty($groupIds)) {
    return ' ( 0 ) ';
  }
  return "{$prefix}id IN ( " . implode(',', $groupIds) . ' ) ';
}
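/**
 * Get the events the current user may access, or validate a single event id.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 * @param int $eventID
 *   When given, only this id is validated.
 * @param string $context
 *   Optional permission name; when granted the method returns TRUE at once.
 *
 * @return array|int|bool|null
 *   TRUE when $context is granted; the permissioned event ids when no
 *   $eventID is given; $eventID when it is permissioned; NULL otherwise.
 */
public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
  if (!empty($context) && self::check($context)) {
    return TRUE;
  }
  $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
  // 'register for events' (any type) or 'view event info' (VIEW only)
  // makes every event part of the default set; ACLs may add more.
  $includeEvents = array();
  if (self::check('register for events')
    || ($type == CRM_Core_Permission::VIEW && self::check('view event info'))
  ) {
    $includeEvents = array_keys($events);
  }
  $permissionedEvents = CRM_ACL_API::group($type, NULL, 'civicrm_event', $events, $includeEvents);
  if (!$eventID) {
    return $permissionedEvents;
  }
  if (empty($permissionedEvents)) {
    return NULL;
  }
  // Strict integer membership: the previous loose array_search() let a
  // value such as '12abc' match id 12 on PHP < 8.
  if (!ctype_digit((string) $eventID)) {
    return NULL;
  }
  $isPermissioned = in_array((int) $eventID, array_map('intval', $permissionedEvents), TRUE);
  return $isPermissioned ? $eventID : NULL;
}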
/**
 * Build a SQL fragment restricting events to those the user may access.
 *
 * @param int $type
 *   Permission type (one of the class constants).
 * @param null|string $prefix
 *   Table alias prefix (including the dot) for the id column.
 *
 * @return string
 *   ' ( 0 ) ' when nothing is accessible, else an IN-list over event ids.
 */
public static function eventClause($type = CRM_Core_Permission::VIEW, $prefix = NULL) {
  $eventIds = self::event($type);
  return empty($eventIds)
    ? ' ( 0 ) '
    : "{$prefix}id IN ( " . implode(',', $eventIds) . ' ) ';
}
/**
 * Is a component enabled and (optionally) accessible to the current user?
 *
 * @param string $module
 *   Component name, e.g. 'CiviEvent'.
 * @param bool $checkPermission
 *   When FALSE only the enabled state is checked.
 *
 * @return bool
 */
public static function access($module, $checkPermission = TRUE) {
  $config = CRM_Core_Config::singleton();
  // A disabled component is never accessible, whatever the permissions.
  if (!in_array($module, $config->enableComponents)) {
    return FALSE;
  }
  if (!$checkPermission) {
    return TRUE;
  }
  // CiviCase has its own composite access rule.
  return $module == 'CiviCase'
    ? CRM_Case_BAO_Case::accessCiviCase()
    : self::check("access $module");
}
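/**
 * Check permissions for delete and edit actions.
 *
 * @param string $module
 *   Component name.
 * @param int $action
 *   Action bitmask (CRM_Core_Action) to check across the component.
 *
 * @return bool
 *   FALSE when no permission is mapped for the module (other than
 *   CiviCase, which uses its own rule).
 */
public static function checkActionPermission($module, $action) {
  if ($action & CRM_Core_Action::DELETE) {
    $permissionName = "delete in $module";
  }
  else {
    $editPermissions = array(
      'CiviEvent' => 'edit event participants',
      'CiviMember' => 'edit memberships',
      'CiviPledge' => 'edit pledges',
      'CiviContribute' => 'edit contributions',
      'CiviGrant' => 'edit grants',
      'CiviMail' => 'access CiviMail',
      'CiviAuction' => 'add auction items',
    );
    $permissionName = CRM_Utils_Array::value($module, $editPermissions);
  }
  if ($module == 'CiviCase' && !$permissionName) {
    return CRM_Case_BAO_Case::accessCiviCase();
  }
  // Fail closed when no permission name could be resolved: passing NULL to
  // check() becomes an empty requirement list, which check() treats as
  // satisfied.
  if (!$permissionName) {
    return FALSE;
  }
  return self::check($permissionName);
}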
/**
 * Combine several permission checks for a menu item.
 *
 * @param mixed $args
 *   Permission strings; a non-array is returned unchanged as the result.
 * @param string $op
 *   'and' (default) or 'or'.
 *
 * @return bool|mixed
 */
public static function checkMenu(&$args, $op = 'and') {
  if (!is_array($args)) {
    return $args;
  }
  foreach ($args as $permission) {
    $granted = self::check($permission);
    // 'or': the first grant decides; 'and': the first denial decides.
    if ($op == 'or' && $granted) {
      return TRUE;
    }
    if ($op == 'and' && !$granted) {
      return FALSE;
    }
  }
  // 'or' with no grant fails; 'and' (or any other op) with no denial passes.
  return $op != 'or';
}
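/**
 * Evaluate a menu item's access rules.
 *
 * @param array $item
 *   Menu item; must carry 'access_callback' and may carry 'component_id',
 *   'page_type', 'path' and 'access_arguments'.
 *
 * @return bool|mixed
 *   The callback's result, or FALSE when the component is disabled or an
 *   Ajax request key is missing/invalid.
 * @throws Exception
 */
public static function checkMenuItem(&$item) {
  if (!array_key_exists('access_callback', $item)) {
    CRM_Core_Error::backtrace();
    CRM_Core_Error::fatal();
  }
  // If component_id is present, that component must be enabled.
  if (!empty($item['component_id'])) {
    $config = CRM_Core_Config::singleton();
    if (!is_array($config->enableComponentIDs)
      || !in_array($item['component_id'], $config->enableComponentIDs)
    ) {
      return FALSE;
    }
  }
  // Imitates Drupal 6 includes/menu.inc: a scalar callback is the answer.
  if (empty($item['access_callback']) || is_numeric($item['access_callback'])) {
    return (bool) $item['access_callback'];
  }
  // Ajax pages (page_type 3) must carry a valid request key. Fail closed
  // when the key is absent instead of passing an undefined index through.
  // FIXME: this should be integrated into ACLs proper.
  if (CRM_Utils_Array::value('page_type', $item) == 3) {
    $key = CRM_Utils_Array::value('key', $_REQUEST);
    if ($key === NULL || !CRM_Core_Key::validate($key, $item['path'])) {
      return FALSE;
    }
  }
  $arguments = CRM_Utils_Array::value('access_arguments', $item, array());
  // Dispatch checkMenu callbacks directly rather than via call_user_func_array.
  if (is_array($item['access_callback'])
    && $item['access_callback'][0] == 'CRM_Core_Permission'
    && $item['access_callback'][1] == 'checkMenu'
  ) {
    $op = CRM_Utils_Array::value(1, $arguments, 'and');
    return self::checkMenu($arguments[0], $op);
  }
  return call_user_func_array($item['access_callback'], $arguments);
}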
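/**
 * Get the basic permissions, cached for the request.
 *
 * @param bool $all
 *   Include permissions of disabled components too.
 * @param bool $descriptions
 *   Whether to return descriptions.
 *
 * @return array
 *   As assembled by assembleBasicPermissions().
 */
public static function &basicPermissions($all = FALSE, $descriptions = FALSE) {
  // Cache keyed on both flags: the previous per-$descriptions cache
  // returned a stale result when $all differed between calls.
  static $cache = array();
  $key = ($all ? 'all' : 'enabled') . ':' . ($descriptions ? 'desc' : 'plain');
  if (empty($cache[$key])) {
    $cache[$key] = self::assembleBasicPermissions($all, $descriptions);
  }
  return $cache[$key];
}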
/**
 * Assemble the core, component and module permissions.
 *
 * @param bool $all
 *   Include permissions of disabled components too.
 * @param bool $descriptions
 *   Whether to return descriptions (array values) or labels (strings).
 *
 * @return array
 *   Keyed by permission name.
 */
public static function assembleBasicPermissions($all = FALSE, $descriptions = FALSE) {
  $config = CRM_Core_Config::singleton();
  $prefix = ts('CiviCRM') . ': ';
  $permissions = self::getCorePermissions($descriptions);
  if (self::isMultisiteEnabled()) {
    $permissions['administer Multiple Organizations'] = $prefix . ts('administer Multiple Organizations');
  }

  $components = $all
    ? CRM_Core_Component::getComponents()
    : CRM_Core_Component::getEnabledComponents();
  foreach ($components as $component) {
    $componentPerms = $component->getPermissions(FALSE, $descriptions);
    if (!$componentPerms) {
      continue;
    }
    $info = $component->getInfo();
    foreach ($componentPerms as $name => $attr) {
      if (!is_array($attr)) {
        $attr = array($attr);
      }
      // Label is prefixed with the component's translated name.
      $attr[0] = $info['translatedName'] . ': ' . $attr[0];
      $permissions[$name] = $descriptions ? $attr : $attr[0];
    }
  }

  // Permissions declared by hook_civicrm_permission implementations.
  $modulePermissions = $config->userPermissionClass->getAllModulePermissions($descriptions);
  return array_merge($permissions, $modulePermissions);
}
/**
 * Permissions that should trigger a warning when granted to anonymous users.
 *
 * @return array
 *   'administer CiviCRM' plus whatever each component reports.
 */
public static function getAnonymousPermissionsWarnings() {
  static $warnings = array();
  if (!empty($warnings)) {
    return $warnings;
  }
  $warnings = array('administer CiviCRM');
  foreach (CRM_Core_Component::getComponents() as $component) {
    // Only components that implement the hook contribute.
    if (method_exists($component, 'getAnonymousPermissionWarnings')) {
      $warnings = array_merge($warnings, $component->getAnonymousPermissionWarnings());
    }
  }
  return $warnings;
}
/**
 * Filter a list of anonymous permissions down to those that warrant a warning.
 *
 * @param array $anonymous_perms
 *
 * @return array
 *   Subset of $anonymous_perms found in getAnonymousPermissionsWarnings().
 */
public static function validateForPermissionWarnings($anonymous_perms) {
  $warned = self::getAnonymousPermissionsWarnings();
  return array_intersect($anonymous_perms, $warned);
}
/**
 * Get the core (non-component) permissions with their labels.
 *
 * Each label is prefixed with the translated 'CiviCRM: '.
 *
 * @param bool $descriptions
 *   Whether to return descriptions. When TRUE each value is an array whose
 *   first element is the label and optional second element the description;
 *   when FALSE each value is the label string alone.
 *
 * @return array
 *   Keyed by machine permission name.
 */
public static function getCorePermissions($descriptions = FALSE) {
  $prefix = ts('CiviCRM') . ': ';
  $permissions = array(
    'add contacts' => array(
      $prefix . ts('add contacts'),
      ts('Create a new contact record in CiviCRM'),
    ),
    'view all contacts' => array(
      $prefix . ts('view all contacts'),
      ts('View ANY CONTACT in the CiviCRM database, export contact info and perform activities such as Send Email, Phone Call, etc.'),
    ),
    'edit all contacts' => array(
      $prefix . ts('edit all contacts'),
      ts('View, Edit and Delete ANY CONTACT in the CiviCRM database; Create and edit relationships, tags and other info about the contacts'),
    ),
    'view my contact' => array(
      $prefix . ts('view my contact'),
    ),
    'edit my contact' => array(
      $prefix . ts('edit my contact'),
    ),
    'delete contacts' => array(
      $prefix . ts('delete contacts'),
    ),
    'access deleted contacts' => array(
      $prefix . ts('access deleted contacts'),
      ts('Access contacts in the trash'),
    ),
    'import contacts' => array(
      $prefix . ts('import contacts'),
      ts('Import contacts and activities'),
    ),
    'edit groups' => array(
      $prefix . ts('edit groups'),
      ts('Create new groups, edit group settings (e.g. group name, visibility...), delete groups'),
    ),
    'administer CiviCRM' => array(
      $prefix . ts('administer CiviCRM'),
      ts('Perform all tasks in the Administer CiviCRM control panel and Import Contacts'),
    ),
    'skip IDS check' => array(
      $prefix . ts('skip IDS check'),
      ts('IDS system is bypassed for users with this permission. Prevents false errors for admin users.'),
    ),
    'access uploaded files' => array(
      $prefix . ts('access uploaded files'),
      ts('View / download files including images and photos'),
    ),
    'profile listings and forms' => array(
      $prefix . ts('profile listings and forms'),
      ts('Access the profile Search form and listings'),
    ),
    'profile listings' => array(
      $prefix . ts('profile listings'),
    ),
    'profile create' => array(
      $prefix . ts('profile create'),
      ts('Use profiles in Create mode'),
    ),
    'profile edit' => array(
      $prefix . ts('profile edit'),
      ts('Use profiles in Edit mode'),
    ),
    'profile view' => array(
      $prefix . ts('profile view'),
    ),
    'access all custom data' => array(
      $prefix . ts('access all custom data'),
      ts('View all custom fields regardless of ACL rules'),
    ),
    'view all activities' => array(
      $prefix . ts('view all activities'),
      ts('View all activities (for visible contacts)'),
    ),
    'delete activities' => array(
      $prefix . ts('Delete activities'),
    ),
    'access CiviCRM' => array(
      $prefix . ts('access CiviCRM'),
      ts('Master control for access to the main CiviCRM backend and API'),
    ),
    'access Contact Dashboard' => array(
      $prefix . ts('access Contact Dashboard'),
      ts('View Contact Dashboard (for themselves and visible contacts)'),
    ),
    'translate CiviCRM' => array(
      $prefix . ts('translate CiviCRM'),
      ts('Allow User to enable multilingual'),
    ),
    'administer reserved groups' => array(
      $prefix . ts('administer reserved groups'),
      ts('Edit and disable Reserved Groups (Needs Edit Groups)'),
    ),
    'administer Tagsets' => array(
      $prefix . ts('administer Tagsets'),
    ),
    'administer reserved tags' => array(
      $prefix . ts('administer reserved tags'),
    ),
    'administer dedupe rules' => array(
      $prefix . ts('administer dedupe rules'),
      ts('Create and edit rules, change the supervised and unsupervised rules'),
    ),
    'merge duplicate contacts' => array(
      $prefix . ts('merge duplicate contacts'),
      ts('Delete Contacts must also be granted in order for this to work.'),
    ),
    'force merge duplicate contacts' => array(
      $prefix . ts('force merge duplicate contacts'),
      ts('Delete Contacts must also be granted in order for this to work.'),
    ),
    'view debug output' => array(
      $prefix . ts('view debug output'),
      ts('View results of debug and backtrace'),
    ),
    'view all notes' => array(
      $prefix . ts('view all notes'),
      ts("View notes (for visible contacts) even if they're marked admin only"),
    ),
    'access AJAX API' => array(
      $prefix . ts('access AJAX API'),
      ts('Allow API access even if Access CiviCRM is not granted'),
    ),
    'access contact reference fields' => array(
      $prefix . ts('access contact reference fields'),
      ts('Allow entering data into contact reference fields'),
    ),
    'create manual batch' => array(
      $prefix . ts('create manual batch'),
      ts('Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)'),
    ),
    'edit own manual batches' => array(
      $prefix . ts('edit own manual batches'),
      ts('Edit accounting batches created by user'),
    ),
    'edit all manual batches' => array(
      $prefix . ts('edit all manual batches'),
      ts('Edit all accounting batches'),
    ),
    'view own manual batches' => array(
      $prefix . ts('view own manual batches'),
      ts('View accounting batches created by user (with Access to CiviContribute)'),
    ),
    'view all manual batches' => array(
      $prefix . ts('view all manual batches'),
      ts('View all accounting batches (with Access to CiviContribute)'),
    ),
    'delete own manual batches' => array(
      $prefix . ts('delete own manual batches'),
      ts('Delete accounting batches created by user'),
    ),
    'delete all manual batches' => array(
      $prefix . ts('delete all manual batches'),
      ts('Delete all accounting batches'),
    ),
    'export own manual batches' => array(
      $prefix . ts('export own manual batches'),
      ts('Export accounting batches created by user'),
    ),
    'export all manual batches' => array(
      $prefix . ts('export all manual batches'),
      ts('Export all accounting batches'),
    ),
    'administer payment processors' => array(
      $prefix . ts('administer payment processors'),
      ts('Add, Update, or Disable Payment Processors'),
    ),
    'edit message templates' => array(
      $prefix . ts('edit message templates'),
    ),
    'view my invoices' => array(
      $prefix . ts('view my invoices'),
      ts('Allow users to view/ download their own invoices'),
    ),
  );
  // Without descriptions, collapse each entry to its label (first element).
  if (!$descriptions) {
    foreach ($permissions as $name => $attr) {
      $permissions[$name] = array_shift($attr);
    }
  }
  return $permissions;
}
/**
 * Does the user have any contact-level access: a global permission, an
 * edit/view ACL permission level, or a hook-supplied ACL clause?
 *
 * @return bool
 */
public static function giveMeAllACLs() {
  // Global view/edit permissions trump any ACL.
  if (self::check('view all contacts') || self::check('edit all contacts')) {
    return TRUE;
  }
  $contactID = CRM_Core_Session::singleton()->get('userID');

  // An explicit edit/view ACL permission level also suffices.
  $aclPermission = self::getPermission();
  $grantingLevels = array(CRM_Core_Permission::EDIT, CRM_Core_Permission::VIEW);
  if (in_array($aclPermission, $grantingLevels)) {
    return TRUE;
  }

  // Finally, run the aclWhereClause hook: a populated $whereTables means
  // some implementation supplies a clause for this user.
  $tables = $whereTables = array();
  $where = NULL;
  CRM_Utils_Hook::aclWhereClause(CRM_Core_Permission::VIEW, $tables, $whereTables, $contactID, $where);
  return !empty($whereTables);
}
/**
 * Get the component name that defines a given permission.
 *
 * @param string $permission
 *
 * @return null|string
 *   The component name, or NULL when the permission is empty or unknown.
 */
public static function getComponentName($permission) {
  $permission = trim($permission);
  if (empty($permission)) {
    return NULL;
  }
  // Built once per request: every component's full (unconditional)
  // permission list, keyed by component name.
  static $allCompPermissions = array();
  if (empty($allCompPermissions)) {
    foreach (CRM_Core_Component::getComponents() as $name => $comp) {
      $allCompPermissions[$name] = $comp->getPermissions(TRUE);
    }
  }
  foreach ($allCompPermissions as $name => $permissions) {
    if (array_key_exists($permission, $permissions)) {
      return $name;
    }
  }
  return NULL;
}
/**
 * Get all the contact emails for users that have a specific permission.
 *
 * Delegates to the CMS-specific user permission class.
 *
 * @param string $permissionName
 *   Name of the permission we are interested in.
 *
 * @return string
 *   A comma separated list of email addresses.
 */
public static function permissionEmails($permissionName) {
  $permissionClass = CRM_Core_Config::singleton()->userPermissionClass;
  return $permissionClass->permissionEmails($permissionName);
}
/**
 * Get all the contact emails for users that have a specific role.
 *
 * Delegates to the CMS-specific user role class.
 *
 * @param string $roleName
 *   Name of the role we are interested in.
 *
 * @return string
 *   A comma separated list of email addresses.
 */
public static function roleEmails($roleName) {
  $roleClass = CRM_Core_Config::singleton()->userRoleClass;
  return $roleClass->roleEmails($roleName);
}
/**
 * Is the multisite setting enabled?
 *
 * @return bool
 */
public static function isMultisiteEnabled() {
  $isEnabled = CRM_Core_BAO_Setting::getItem(
    CRM_Core_BAO_Setting::MULTISITE_PREFERENCES_NAME, 'is_enabled'
  );
  return (bool) $isEnabled;
}
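/**
 * Verify if the user has permission to get the invoice.
 *
 * @return bool
 *   TRUE if the user has 'access CiviContribute', or has 'view my invoices'
 *   and the requested contact (cid) is the current user's own contact.
 */
public static function checkDownloadInvoice() {
  if (self::check('access CiviContribute')) {
    return TRUE;
  }
  if (!self::check('view my invoices')) {
    return FALSE;
  }
  // The requested contact must be the logged-in user's own contact. Both
  // sides must be present and compare as integers: the previous loose
  // `$_GET['cid'] == $cid` was TRUE when both were NULL (no cid parameter
  // and no matched contact), which granted access.
  global $user;
  $ownContactId = isset($user->uid) ? CRM_Core_BAO_UFMatch::getContactId($user->uid) : NULL;
  $requestedContactId = CRM_Utils_Array::value('cid', $_GET);
  if (empty($ownContactId) || $requestedContactId === NULL || !ctype_digit((string) $requestedContactId)) {
    return FALSE;
  }
  return (int) $requestedContactId === (int) $ownContactId;
}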
}