From bf9a7c0f25f670ab61d524e64ebb6002863e5dd5 Mon Sep 17 00:00:00 2001 From: Erich Schulz Date: Sun, 19 Mar 2017 20:28:10 +1000 Subject: [PATCH 1/2] extract two core API permission functions This will enable a bit of discoverability for the entity x action matrix. This is pretty much a cut and paste job so should be no functional change. --- CRM/Core/DAO/permissions.php | 571 +--------------------------------- CRM/Core/Permission.php | 583 +++++++++++++++++++++++++++++++++++ 2 files changed, 586 insertions(+), 568 deletions(-) diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php index d42f29c6d5ae..e74ff526e568 100644 --- a/CRM/Core/DAO/permissions.php +++ b/CRM/Core/DAO/permissions.php @@ -39,557 +39,7 @@ function _civicrm_api3_permissions($entity, $action, &$params) { // FIXME: Lowercase entity_names are nonstandard but difficult to fix here // because this function invokes hook_civicrm_alterAPIPermissions $entity = _civicrm_api_get_entity_name_from_camel($entity); - - /** - * @var array of permissions - * - * For each entity, we declare an array of permissions required for each action - * The action is the array key, possible values: - * * create: applies to create (with no id in params) - * * update: applies to update, setvalue, create (with id in params) - * * get: applies to getcount, getsingle, getvalue and other gets - * * delete: applies to delete, replace - * * meta: applies to getfields, getoptions, getspec - * * default: catch-all for anything not declared - * - * Note: some APIs declare other actions as well - * - * Permissions should use arrays for AND and arrays of arrays for OR - * @see CRM_Core_Permission::check for more documentation - */ - $permissions = array(); - - // These are the default permissions - if any entity does not declare permissions for a given action, - // (or the entity does not declare permissions at all) - then the action will be used from here - $permissions['default'] = array( - // applies to getfields, getoptions, etc. - 'meta' => array('access CiviCRM'), - // catch-all, applies to create, get, delete, etc. - // If an entity declares it's own 'default' action it will override this one - 'default' => array('administer CiviCRM'), - ); - - // Note: Additional permissions in DynamicFKAuthorization - $permissions['attachment'] = array( - 'default' => array( - array('access CiviCRM', 'access AJAX API'), - ), - ); - - // Contact permissions - $permissions['contact'] = array( - 'create' => array( - 'access CiviCRM', - 'add contacts', - ), - 'delete' => array( - 'access CiviCRM', - 'delete contacts', - ), - // managed by query object - 'get' => array(), - // managed by _civicrm_api3_check_edit_permissions - 'update' => array(), - 'getquick' => array( - array('access CiviCRM', 'access AJAX API'), - ), - ); - - // CRM-16963 - Permissions for country. - $permissions['country'] = array( - 'get' => array( - 'access CiviCRM', - ), - 'default' => array( - 'administer CiviCRM', - ), - ); - - // Contact-related data permissions. - $permissions['address'] = array( - // get is managed by BAO::addSelectWhereClause - // create/delete are managed by _civicrm_api3_check_edit_permissions - 'default' => array(), - ); - $permissions['email'] = $permissions['address']; - $permissions['phone'] = $permissions['address']; - $permissions['website'] = $permissions['address']; - $permissions['im'] = $permissions['address']; - $permissions['open_i_d'] = $permissions['address']; - - // Also managed by ACLs - CRM-19448 - $permissions['entity_tag'] = array('default' => array()); - $permissions['note'] = $permissions['entity_tag']; - - // Allow non-admins to get and create tags to support tagset widget - // Delete is still reserved for admins - $permissions['tag'] = array( - 'get' => array('access CiviCRM'), - 'create' => array('access CiviCRM'), - 'update' => array('access CiviCRM'), - ); - - //relationship permissions - $permissions['relationship'] = array( - // get is managed by BAO::addSelectWhereClause - 'get' => array(), - 'delete' => array( - 'access CiviCRM', - 'edit all contacts', - ), - 'default' => array( - 'access CiviCRM', - 'edit all contacts', - ), - ); - - // CRM-17741 - Permissions for RelationshipType. - $permissions['relationship_type'] = array( - 'get' => array( - 'access CiviCRM', - ), - 'default' => array( - 'administer CiviCRM', - ), - ); - - // Activity permissions - $permissions['activity'] = array( - 'delete' => array( - 'access CiviCRM', - 'delete activities', - ), - 'get' => array( - 'access CiviCRM', - // Note that view all activities is also required within the api - // if the id is not passed in. Where the id is passed in the activity - // specific check functions are used and tested. - ), - 'default' => array( - 'access CiviCRM', - 'view all activities', - ), - ); - - // Case permissions - $permissions['case'] = array( - 'create' => array( - 'access CiviCRM', - 'add cases', - ), - 'delete' => array( - 'access CiviCRM', - 'delete in CiviCase', - ), - 'default' => array( - // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause - array('access my cases and activities', 'access all cases and activities'), - ), - ); - $permissions['case_contact'] = $permissions['case']; - - $permissions['case_type'] = array( - 'default' => array('administer CiviCase'), - 'get' => array( - // nested array = OR - array('access my cases and activities', 'access all cases and activities'), - ), - ); - - // Campaign permissions - $permissions['campaign'] = array( - 'get' => array('access CiviCRM'), - 'default' => array( - // nested array = OR - array('administer CiviCampaign', 'manage campaign'), - ), - ); - $permissions['survey'] = $permissions['campaign']; - - // Financial permissions - $permissions['contribution'] = array( - 'get' => array( - 'access CiviCRM', - 'access CiviContribute', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviContribute', - 'delete in CiviContribute', - ), - 'completetransaction' => array( - 'edit contributions', - ), - 'default' => array( - 'access CiviCRM', - 'access CiviContribute', - 'edit contributions', - ), - ); - $permissions['line_item'] = $permissions['contribution']; - - // Payment permissions - $permissions['payment'] = array( - 'get' => array( - 'access CiviCRM', - 'access CiviContribute', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviContribute', - 'delete in CiviContribute', - ), - 'cancel' => array( - 'access CiviCRM', - 'access CiviContribute', - 'edit contributions', - ), - 'create' => array( - 'access CiviCRM', - 'access CiviContribute', - 'edit contributions', - ), - 'default' => array( - 'access CiviCRM', - 'access CiviContribute', - 'edit contributions', - ), - ); - - // Custom field permissions - $permissions['custom_field'] = array( - 'default' => array( - 'administer CiviCRM', - 'access all custom data', - ), - ); - $permissions['custom_group'] = $permissions['custom_field']; - - // Event permissions - $permissions['event'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit all events', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviEvent', - 'delete in CiviEvent', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviEvent', - 'view event info', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit all events', - ), - ); - // Loc block is only used for events - $permissions['loc_block'] = $permissions['event']; - - // Price sets are shared by several components, user needs access to at least one of them - $permissions['price_set'] = array( - 'default' => array( - array('access CiviEvent', 'access CiviContribute', 'access CiviMember'), - ), - 'get' => array( - array('access CiviCRM', 'view event info', 'make online contributions'), - ), - ); - - // File permissions - $permissions['file'] = array( - 'default' => array( - 'access CiviCRM', - 'access uploaded files', - ), - ); - $permissions['files_by_entity'] = $permissions['file']; - - // Group permissions - $permissions['group'] = array( - 'get' => array( - 'access CiviCRM', - ), - 'default' => array( - 'access CiviCRM', - 'edit groups', - ), - ); - - $permissions['group_nesting'] = $permissions['group']; - $permissions['group_organization'] = $permissions['group']; - - //Group Contact permission - $permissions['group_contact'] = array( - 'get' => array( - 'access CiviCRM', - ), - 'default' => array( - 'access CiviCRM', - 'edit all contacts', - ), - ); - - // CiviMail Permissions - $civiMailBasePerms = array( - // To get/preview/update, one must have least one of these perms: - // Mailing API implementations enforce nuances of create/approve/schedule permissions. - 'access CiviMail', - 'create mailings', - 'schedule mailings', - 'approve mailings', - ); - $permissions['mailing'] = array( - 'get' => array( - 'access CiviCRM', - $civiMailBasePerms, - ), - 'delete' => array( - 'access CiviCRM', - $civiMailBasePerms, - 'delete in CiviMail', - ), - 'submit' => array( - 'access CiviCRM', - array('access CiviMail', 'schedule mailings'), - ), - 'default' => array( - 'access CiviCRM', - $civiMailBasePerms, - ), - ); - $permissions['mailing_group'] = $permissions['mailing']; - $permissions['mailing_job'] = $permissions['mailing']; - $permissions['mailing_recipients'] = $permissions['mailing']; - - $permissions['mailing_a_b'] = array( - 'get' => array( - 'access CiviCRM', - 'access CiviMail', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviMail', - 'delete in CiviMail', - ), - 'submit' => array( - 'access CiviCRM', - array('access CiviMail', 'schedule mailings'), - ), - 'default' => array( - 'access CiviCRM', - 'access CiviMail', - ), - ); - - // Membership permissions - $permissions['membership'] = array( - 'get' => array( - 'access CiviCRM', - 'access CiviMember', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviMember', - 'delete in CiviMember', - ), - 'default' => array( - 'access CiviCRM', - 'access CiviMember', - 'edit memberships', - ), - ); - $permissions['membership_status'] = $permissions['membership']; - $permissions['membership_type'] = $permissions['membership']; - $permissions['membership_payment'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviMember', - 'edit memberships', - 'access CiviContribute', - 'edit contributions', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviMember', - 'delete in CiviMember', - 'access CiviContribute', - 'delete in CiviContribute', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviMember', - 'access CiviContribute', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviMember', - 'edit memberships', - 'access CiviContribute', - 'edit contributions', - ), - ); - - // Participant permissions - $permissions['participant'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviEvent', - 'register for events', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit event participants', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviEvent', - 'view event participants', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit event participants', - ), - ); - $permissions['participant_payment'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviEvent', - 'register for events', - 'access CiviContribute', - 'edit contributions', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit event participants', - 'access CiviContribute', - 'delete in CiviContribute', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviEvent', - 'view event participants', - 'access CiviContribute', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviEvent', - 'edit event participants', - 'access CiviContribute', - 'edit contributions', - ), - ); - - // Pledge permissions - $permissions['pledge'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviPledge', - 'edit pledges', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviPledge', - 'delete in CiviPledge', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviPledge', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviPledge', - 'edit pledges', - ), - ); - - //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission. - $permissions['action_schedule'] = array( - 'update' => array( - array( - 'access CiviCRM', - 'edit all events', - ), - ), - ); - - $permissions['pledge_payment'] = array( - 'create' => array( - 'access CiviCRM', - 'access CiviPledge', - 'edit pledges', - 'access CiviContribute', - 'edit contributions', - ), - 'delete' => array( - 'access CiviCRM', - 'access CiviPledge', - 'delete in CiviPledge', - 'access CiviContribute', - 'delete in CiviContribute', - ), - 'get' => array( - 'access CiviCRM', - 'access CiviPledge', - 'access CiviContribute', - ), - 'update' => array( - 'access CiviCRM', - 'access CiviPledge', - 'edit pledges', - 'access CiviContribute', - 'edit contributions', - ), - ); - - // Profile permissions - $permissions['profile'] = array( - 'get' => array(), // the profile will take care of this - ); - - $permissions['uf_group'] = array( - 'create' => array( - 'access CiviCRM', - array( - 'administer CiviCRM', - 'manage event profiles', - ), - ), - 'get' => array( - 'access CiviCRM', - ), - 'update' => array( - 'access CiviCRM', - array( - 'administer CiviCRM', - 'manage event profiles', - ), - ), - ); - $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group']; - $permissions['uf_field']['delete'] = array( - 'access CiviCRM', - array( - 'administer CiviCRM', - 'manage event profiles', - ), - ); - $permissions['option_value'] = $permissions['uf_group']; - $permissions['option_group'] = $permissions['option_value']; - - $permissions['message_template'] = array( - 'get' => array('access CiviCRM'), - 'create' => array('edit message templates'), - 'update' => array('edit message templates'), - ); + $permissions = CRM_Core_Permission::getEntityActionPermissions(); // Translate 'create' action to 'update' if id is set if ($action == 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) { @@ -608,23 +58,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) { } // Translate specific actions into their generic equivalents - $snippet = substr($action, 0, 3); - if ($action == 'replace' || $snippet == 'del') { - // 'Replace' is a combination of get+create+update+delete; however, the permissions - // on each of those will be tested separately at runtime. This is just a sniff-test - // based on the heuristic that 'delete' tends to be the most closely guarded - // of the necessary permissions. - $action = 'delete'; - } - elseif ($action == 'setvalue' || $snippet == 'upd') { - $action = 'update'; - } - elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') { - $action = 'meta'; - } - elseif ($snippet == 'get') { - $action = 'get'; - } + $action = CRM_Core_Permission::getGenericAction($action); + return isset($perm[$action]) ? $perm[$action] : $perm['default']; } diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php index c5307c9e8535..c79424c27dcb 100644 --- a/CRM/Core/Permission.php +++ b/CRM/Core/Permission.php @@ -874,6 +874,589 @@ public static function getCorePermissions() { return $permissions; } + /** + * For each entity provides an array of permissions required for each action + * + * The action is the array key, possible values: + * * create: applies to create (with no id in params) + * * update: applies to update, setvalue, create (with id in params) + * * get: applies to getcount, getsingle, getvalue and other gets + * * delete: applies to delete, replace + * * meta: applies to getfields, getoptions, getspec + * * default: catch-all for anything not declared + * + * Note: some APIs declare other actions as well + * + * Permissions should use arrays for AND and arrays of arrays for OR + * @see CRM_Core_Permission::check for more documentation + * + * @return array of permissions + */ + public static function getEntityActionPermissions() { + $permissions = array(); + // These are the default permissions - if any entity does not declare permissions for a given action, + // (or the entity does not declare permissions at all) - then the action will be used from here + $permissions['default'] = array( + // applies to getfields, getoptions, etc. + 'meta' => array('access CiviCRM'), + // catch-all, applies to create, get, delete, etc. + // If an entity declares it's own 'default' action it will override this one + 'default' => array('administer CiviCRM'), + ); + + // Note: Additional permissions in DynamicFKAuthorization + $permissions['attachment'] = array( + 'default' => array( + array('access CiviCRM', 'access AJAX API'), + ), + ); + + // Contact permissions + $permissions['contact'] = array( + 'create' => array( + 'access CiviCRM', + 'add contacts', + ), + 'delete' => array( + 'access CiviCRM', + 'delete contacts', + ), + // managed by query object + 'get' => array(), + // managed by _civicrm_api3_check_edit_permissions + 'update' => array(), + 'getquick' => array( + array('access CiviCRM', 'access AJAX API'), + ), + ); + + // CRM-16963 - Permissions for country. + $permissions['country'] = array( + 'get' => array( + 'access CiviCRM', + ), + 'default' => array( + 'administer CiviCRM', + ), + ); + + // Contact-related data permissions. + $permissions['address'] = array( + // get is managed by BAO::addSelectWhereClause + // create/delete are managed by _civicrm_api3_check_edit_permissions + 'default' => array(), + ); + $permissions['email'] = $permissions['address']; + $permissions['phone'] = $permissions['address']; + $permissions['website'] = $permissions['address']; + $permissions['im'] = $permissions['address']; + $permissions['open_i_d'] = $permissions['address']; + + // Also managed by ACLs - CRM-19448 + $permissions['entity_tag'] = array('default' => array()); + $permissions['note'] = $permissions['entity_tag']; + + // Allow non-admins to get and create tags to support tagset widget + // Delete is still reserved for admins + $permissions['tag'] = array( + 'get' => array('access CiviCRM'), + 'create' => array('access CiviCRM'), + 'update' => array('access CiviCRM'), + ); + + //relationship permissions + $permissions['relationship'] = array( + // get is managed by BAO::addSelectWhereClause + 'get' => array(), + 'delete' => array( + 'access CiviCRM', + 'edit all contacts', + ), + 'default' => array( + 'access CiviCRM', + 'edit all contacts', + ), + ); + + // CRM-17741 - Permissions for RelationshipType. + $permissions['relationship_type'] = array( + 'get' => array( + 'access CiviCRM', + ), + 'default' => array( + 'administer CiviCRM', + ), + ); + + // Activity permissions + $permissions['activity'] = array( + 'delete' => array( + 'access CiviCRM', + 'delete activities', + ), + 'get' => array( + 'access CiviCRM', + // Note that view all activities is also required within the api + // if the id is not passed in. Where the id is passed in the activity + // specific check functions are used and tested. + ), + 'default' => array( + 'access CiviCRM', + 'view all activities', + ), + ); + + // Case permissions + $permissions['case'] = array( + 'create' => array( + 'access CiviCRM', + 'add cases', + ), + 'delete' => array( + 'access CiviCRM', + 'delete in CiviCase', + ), + 'default' => array( + // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause + array('access my cases and activities', 'access all cases and activities'), + ), + ); + $permissions['case_contact'] = $permissions['case']; + + $permissions['case_type'] = array( + 'default' => array('administer CiviCase'), + 'get' => array( + // nested array = OR + array('access my cases and activities', 'access all cases and activities'), + ), + ); + + // Campaign permissions + $permissions['campaign'] = array( + 'get' => array('access CiviCRM'), + 'default' => array( + // nested array = OR + array('administer CiviCampaign', 'manage campaign'), + ), + ); + $permissions['survey'] = $permissions['campaign']; + + // Financial permissions + $permissions['contribution'] = array( + 'get' => array( + 'access CiviCRM', + 'access CiviContribute', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviContribute', + 'delete in CiviContribute', + ), + 'completetransaction' => array( + 'edit contributions', + ), + 'default' => array( + 'access CiviCRM', + 'access CiviContribute', + 'edit contributions', + ), + ); + $permissions['line_item'] = $permissions['contribution']; + + // Payment permissions + $permissions['payment'] = array( + 'get' => array( + 'access CiviCRM', + 'access CiviContribute', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviContribute', + 'delete in CiviContribute', + ), + 'cancel' => array( + 'access CiviCRM', + 'access CiviContribute', + 'edit contributions', + ), + 'create' => array( + 'access CiviCRM', + 'access CiviContribute', + 'edit contributions', + ), + 'default' => array( + 'access CiviCRM', + 'access CiviContribute', + 'edit contributions', + ), + ); + + // Custom field permissions + $permissions['custom_field'] = array( + 'default' => array( + 'administer CiviCRM', + 'access all custom data', + ), + ); + $permissions['custom_group'] = $permissions['custom_field']; + + // Event permissions + $permissions['event'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit all events', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviEvent', + 'delete in CiviEvent', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviEvent', + 'view event info', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit all events', + ), + ); + // Loc block is only used for events + $permissions['loc_block'] = $permissions['event']; + + // Price sets are shared by several components, user needs access to at least one of them + $permissions['price_set'] = array( + 'default' => array( + array('access CiviEvent', 'access CiviContribute', 'access CiviMember'), + ), + 'get' => array( + array('access CiviCRM', 'view event info', 'make online contributions'), + ), + ); + + // File permissions + $permissions['file'] = array( + 'default' => array( + 'access CiviCRM', + 'access uploaded files', + ), + ); + $permissions['files_by_entity'] = $permissions['file']; + + // Group permissions + $permissions['group'] = array( + 'get' => array( + 'access CiviCRM', + ), + 'default' => array( + 'access CiviCRM', + 'edit groups', + ), + ); + + $permissions['group_nesting'] = $permissions['group']; + $permissions['group_organization'] = $permissions['group']; + + //Group Contact permission + $permissions['group_contact'] = array( + 'get' => array( + 'access CiviCRM', + ), + 'default' => array( + 'access CiviCRM', + 'edit all contacts', + ), + ); + + // CiviMail Permissions + $civiMailBasePerms = array( + // To get/preview/update, one must have least one of these perms: + // Mailing API implementations enforce nuances of create/approve/schedule permissions. + 'access CiviMail', + 'create mailings', + 'schedule mailings', + 'approve mailings', + ); + $permissions['mailing'] = array( + 'get' => array( + 'access CiviCRM', + $civiMailBasePerms, + ), + 'delete' => array( + 'access CiviCRM', + $civiMailBasePerms, + 'delete in CiviMail', + ), + 'submit' => array( + 'access CiviCRM', + array('access CiviMail', 'schedule mailings'), + ), + 'default' => array( + 'access CiviCRM', + $civiMailBasePerms, + ), + ); + $permissions['mailing_group'] = $permissions['mailing']; + $permissions['mailing_job'] = $permissions['mailing']; + $permissions['mailing_recipients'] = $permissions['mailing']; + + $permissions['mailing_a_b'] = array( + 'get' => array( + 'access CiviCRM', + 'access CiviMail', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviMail', + 'delete in CiviMail', + ), + 'submit' => array( + 'access CiviCRM', + array('access CiviMail', 'schedule mailings'), + ), + 'default' => array( + 'access CiviCRM', + 'access CiviMail', + ), + ); + + // Membership permissions + $permissions['membership'] = array( + 'get' => array( + 'access CiviCRM', + 'access CiviMember', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviMember', + 'delete in CiviMember', + ), + 'default' => array( + 'access CiviCRM', + 'access CiviMember', + 'edit memberships', + ), + ); + $permissions['membership_status'] = $permissions['membership']; + $permissions['membership_type'] = $permissions['membership']; + $permissions['membership_payment'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviMember', + 'edit memberships', + 'access CiviContribute', + 'edit contributions', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviMember', + 'delete in CiviMember', + 'access CiviContribute', + 'delete in CiviContribute', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviMember', + 'access CiviContribute', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviMember', + 'edit memberships', + 'access CiviContribute', + 'edit contributions', + ), + ); + + // Participant permissions + $permissions['participant'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviEvent', + 'register for events', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit event participants', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviEvent', + 'view event participants', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit event participants', + ), + ); + $permissions['participant_payment'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviEvent', + 'register for events', + 'access CiviContribute', + 'edit contributions', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit event participants', + 'access CiviContribute', + 'delete in CiviContribute', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviEvent', + 'view event participants', + 'access CiviContribute', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviEvent', + 'edit event participants', + 'access CiviContribute', + 'edit contributions', + ), + ); + + // Pledge permissions + $permissions['pledge'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviPledge', + 'edit pledges', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviPledge', + 'delete in CiviPledge', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviPledge', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviPledge', + 'edit pledges', + ), + ); + + //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission. + $permissions['action_schedule'] = array( + 'update' => array( + array( + 'access CiviCRM', + 'edit all events', + ), + ), + ); + + $permissions['pledge_payment'] = array( + 'create' => array( + 'access CiviCRM', + 'access CiviPledge', + 'edit pledges', + 'access CiviContribute', + 'edit contributions', + ), + 'delete' => array( + 'access CiviCRM', + 'access CiviPledge', + 'delete in CiviPledge', + 'access CiviContribute', + 'delete in CiviContribute', + ), + 'get' => array( + 'access CiviCRM', + 'access CiviPledge', + 'access CiviContribute', + ), + 'update' => array( + 'access CiviCRM', + 'access CiviPledge', + 'edit pledges', + 'access CiviContribute', + 'edit contributions', + ), + ); + + // Profile permissions + $permissions['profile'] = array( + 'get' => array(), // the profile will take care of this + ); + + $permissions['uf_group'] = array( + 'create' => array( + 'access CiviCRM', + array( + 'administer CiviCRM', + 'manage event profiles', + ), + ), + 'get' => array( + 'access CiviCRM', + ), + 'update' => array( + 'access CiviCRM', + array( + 'administer CiviCRM', + 'manage event profiles', + ), + ), + ); + $permissions['uf_field'] = $permissions['uf_join'] = $permissions['uf_group']; + $permissions['uf_field']['delete'] = array( + 'access CiviCRM', + array( + 'administer CiviCRM', + 'manage event profiles', + ), + ); + $permissions['option_value'] = $permissions['uf_group']; + $permissions['option_group'] = $permissions['option_value']; + + $permissions['message_template'] = array( + 'get' => array('access CiviCRM'), + 'create' => array('edit message templates'), + 'update' => array('edit message templates'), + ); + return $permissions; + } + + /** + * Translate an unknown action to a canonical form. + * + * @param string $action + * + * @return string + * the standardised action name + */ + public static function getGenericAction($action) { + $snippet = substr($action, 0, 3); + if ($action == 'replace' || $snippet == 'del') { + // 'Replace' is a combination of get+create+update+delete; however, the permissions + // on each of those will be tested separately at runtime. This is just a sniff-test + // based on the heuristic that 'delete' tends to be the most closely guarded + // of the necessary permissions. + $action = 'delete'; + } + elseif ($action == 'setvalue' || $snippet == 'upd') { + $action = 'update'; + } + elseif ($action == 'getfields' || $action == 'getfield' || $action == 'getspec' || $action == 'getoptions') { + $action = 'meta'; + } + elseif ($snippet == 'get') { + $action = 'get'; + } + return $action; + } + /** * Validate user permission across. * edit or view or with supportable acls. From 1a5a2adebe86ded29fd18121ad1eb1ee28dfecc7 Mon Sep 17 00:00:00 2001 From: Erich Schulz Date: Mon, 20 Mar 2017 10:34:07 +1000 Subject: [PATCH 2/2] fix comment to comply with style --- CRM/Core/Permission.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php index c79424c27dcb..826d70a2847d 100644 --- a/CRM/Core/Permission.php +++ b/CRM/Core/Permission.php @@ -888,7 +888,7 @@ public static function getCorePermissions() { * Note: some APIs declare other actions as well * * Permissions should use arrays for AND and arrays of arrays for OR - * @see CRM_Core_Permission::check for more documentation + * @see CRM_Core_Permission::check * * @return array of permissions */