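/**
 * Work out which operations the current user may perform on a group.
 *
 * EDIT and VIEW are each granted by the matching global permission
 * ('edit all contacts' / 'view all contacts') or, failing that, by
 * CRM_ACL_API::groupPermission() for this group id. DELETE is only added
 * when EDIT or VIEW was already granted.
 *
 * @param int $id
 *   The id of the group.
 * @param mixed $title
 *   The name or title of the group. Not read by this method.
 *
 * @return array|null
 *   List of CRM_Core_Permission constants the user holds on the group,
 *   or null when the user has no access to it.
 * @access public
 * @static
 */
static function checkPermission($id, $title) {
  require_once 'CRM/ACL/API.php';
  require_once 'CRM/Core/Permission.php';

  $allGroups = CRM_Core_PseudoConstant::allGroup();

  $permissions = null;
  if (CRM_Core_Permission::check('edit all contacts') ||
    CRM_ACL_API::groupPermission(CRM_ACL_API::EDIT, $id, null, 'civicrm_saved_search', $allGroups)
  ) {
    $permissions[] = CRM_Core_Permission::EDIT;
  }

  if (CRM_Core_Permission::check('view all contacts') ||
    CRM_ACL_API::groupPermission(CRM_ACL_API::VIEW, $id, null, 'civicrm_saved_search', $allGroups)
  ) {
    $permissions[] = CRM_Core_Permission::VIEW;
  }

  // 'delete contacts' is a global permission with no per-group ACL check
  // here. Without the !empty() guard, a user who can neither view nor edit
  // this group would still get a non-null result containing DELETE, which a
  // caller testing only for "any permission" would read as access.
  // Restrict DELETE to groups the user can already view or edit.
  if (!empty($permissions) && CRM_Core_Permission::check('delete contacts')) {
    $permissions[] = CRM_Core_Permission::DELETE;
  }

  return $permissions;
}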
/**
 * Set up an ACL allowing the logged-in contact to see two specified groups:
 * $this->_permissionedGroup and $this->_permissionedDisabledGroup.
 *
 * The groups and the user must have been created beforehand, e.g.
 *   $this->createLoggedInUser();
 *   $this->_permissionedDisabledGroup = $this->groupCreate(array('title' => 'pick-me-disabled', 'is_active' => 0, 'name' => 'pick-me-disabled'));
 *   $this->_permissionedGroup = $this->groupCreate(array('title' => 'pick-me-active', 'is_active' => 1, 'name' => 'pick-me-active'));
 *
 * Side effects visible in this method: $_REQUEST is replaced, the configured
 * permission list is overwritten, both ACL cache tables are truncated, and
 * rows are inserted into civicrm_acl_entity_role and civicrm_acl.
 *
 * NOTE(review): the SQL below interpolates $this->_permissionedGroup and
 * $this->_permissionedDisabledGroup directly into the statement. That is
 * only sound while they hold integer ids produced by groupCreate() as
 * described above; this pattern should not be copied into code that
 * handles request data.
 *
 * @param bool $isProfile
 *   When TRUE, a single ACL row is created against 'civicrm_uf_group'
 *   instead of the two 'civicrm_saved_search' rows, and the trailing cache
 *   flush is skipped.
 */
public function setupACL($isProfile = FALSE) {
  global $_REQUEST;
  // Replace the request data wholesale with the params held on this object.
  $_REQUEST = $this->_params;

  // Limit the permission list to 'access CiviCRM' only, so that (presumably)
  // any further access observed afterwards comes from the ACL rows below
  // rather than from a broad permission such as 'view all contacts'.
  CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM');
  $optionGroupID = $this->callAPISuccessGetValue('option_group', array('return' => 'id', 'name' => 'acl_role'));
  // Register an ACL role option with the value 55; the same literal is used
  // in the SQL below. The returned $optionValue is not read again here.
  $optionValue = $this->callAPISuccess('option_value', 'create', array('option_group_id' => $optionGroupID, 'label' => 'pick me', 'value' => 55));

  // Empty both ACL cache tables before the new rules are inserted.
  CRM_Core_DAO::executeQuery("\n TRUNCATE civicrm_acl_cache\n ");

  CRM_Core_DAO::executeQuery("\n TRUNCATE civicrm_acl_contact_cache\n ");

  // Link ACL role 55 to the permissioned group (presumably meaning members
  // of that group hold the role - confirm against the ACL schema).
  CRM_Core_DAO::executeQuery("\n INSERT INTO civicrm_acl_entity_role (\n `acl_role_id`, `entity_table`, `entity_id`, `is_active`\n ) VALUES (55, 'civicrm_group', {$this->_permissionedGroup}, 1);\n ");

  if ($isProfile) {
    // Profile variant: one rule for role 55 on 'civicrm_uf_group' with
    // object_id 0. Note the row is named 'view picked' but the operation
    // stored is 'Edit'. NOTE(review): object_id 0 presumably means "all
    // profiles" - confirm.
    CRM_Core_DAO::executeQuery("\n INSERT INTO civicrm_acl (\n `name`, `entity_table`, `entity_id`, `operation`, `object_table`, `object_id`, `is_active`\n )\n VALUES (\n 'view picked', 'civicrm_acl_role', 55, 'Edit', 'civicrm_uf_group', 0, 1\n );\n ");
  }
  else {
    // Group variant: two rules with entity 'civicrm_group' /
    // _permissionedGroup and operation 'Edit', one targeting the active
    // permissioned group and one targeting the disabled group.
    CRM_Core_DAO::executeQuery("\n INSERT INTO civicrm_acl (\n `name`, `entity_table`, `entity_id`, `operation`, `object_table`, `object_id`, `is_active`\n )\n VALUES (\n 'view picked', 'civicrm_group', {$this->_permissionedGroup} , 'Edit', 'civicrm_saved_search', {$this->_permissionedGroup}, 1\n );\n ");

    CRM_Core_DAO::executeQuery("\n INSERT INTO civicrm_acl (\n `name`, `entity_table`, `entity_id`, `operation`, 
`object_table`, `object_id`, `is_active`\n )\n VALUES (\n 'view picked', 'civicrm_group', {$this->_permissionedGroup}, 'Edit', 'civicrm_saved_search', {$this->_permissionedDisabledGroup}, 1\n );\n ");
  }

  // Add the session's user to the permissioned group so the role link
  // inserted above applies to them.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $this->callAPISuccess('group_contact', 'create', array('group_id' => $this->_permissionedGroup, 'contact_id' => $this->_loggedInUser));

  if (!$isProfile) {
    // Flush cached ACL state so the rows inserted above take effect.
    // NOTE(review): the TRUE arguments and the placeholder values
    // ('whatever', 9999) presumably exist only to trigger a reset of
    // static caches - confirm against the called signatures.
    CRM_ACL_BAO_Cache::resetCache();
    CRM_Contact_BAO_Group::getPermissionClause(TRUE);
    CRM_ACL_API::groupPermission('whatever', 9999, NULL, 'civicrm_saved_search', NULL, NULL, TRUE);
  }
}
/**
 * Determine which operations the current user may perform on a group.
 *
 * @param int $id
 *   The id of the group being checked.
 * @param bool $excludeHidden
 *   Passed to CRM_Core_PseudoConstant::allGroup() to leave hidden groups out
 *   of the group list. Filtering hidden groups is not really a permission
 *   concern, but other callers may rely on the FALSE default and only the
 *   api call passes TRUE.
 *
 * @return array|null
 *   The CRM_Core_Permission constants granted to the user for this group,
 *   or NULL when none apply.
 */
public static function checkPermission($id, $excludeHidden = FALSE) {
  $groupList = CRM_Core_PseudoConstant::allGroup(NULL, $excludeHidden);
  $granted = NULL;

  // The global permission is tested first; the per-group ACL lookup only
  // runs when the global permission is absent.
  $mayEdit = CRM_Core_Permission::check('edit all contacts')
    || CRM_ACL_API::groupPermission(CRM_ACL_API::EDIT, $id, NULL, 'civicrm_saved_search', $groupList);
  if ($mayEdit) {
    $granted[] = CRM_Core_Permission::EDIT;
  }

  $mayView = CRM_Core_Permission::check('view all contacts')
    || CRM_ACL_API::groupPermission(CRM_ACL_API::VIEW, $id, NULL, 'civicrm_saved_search', $groupList);
  if ($mayView) {
    $granted[] = CRM_Core_Permission::VIEW;
  }

  // Delete is scoped to groups the user can already edit or view: with no
  // such access the method stops here, so 'delete contacts' alone never
  // yields a result. This guard can go once ACLs support delete directly.
  if (empty($granted)) {
    return $granted;
  }

  if (CRM_Core_Permission::check('delete contacts')) {
    $granted[] = CRM_Core_Permission::DELETE;
  }

  return $granted;
}
/**
 * Report which operations the current user may perform on a group.
 *
 * @param int $id
 *   The id of the group.
 * @param mixed $title
 *   The name or title of the group. Not read by this method.
 *
 * @return array|null
 *   The CRM_Core_Permission constants granted for this group, or null when
 *   the user has neither edit nor view access to it.
 * @access public
 * @static
 */
static function checkPermission($id, $title) {
  require_once 'CRM/ACL/API.php';
  require_once 'CRM/Core/Permission.php';

  $groupList = CRM_Core_PseudoConstant::allGroup();
  $permissions = null;

  // Edit: the global permission wins; otherwise fall back to the group ACL.
  $editAllowed = CRM_Core_Permission::check('edit all contacts');
  if (!$editAllowed) {
    $editAllowed = CRM_ACL_API::groupPermission(CRM_ACL_API::EDIT, $id, null, 'civicrm_saved_search', $groupList);
  }
  if ($editAllowed) {
    $permissions[] = CRM_Core_Permission::EDIT;
  }

  // View: same two-step test as edit.
  $viewAllowed = CRM_Core_Permission::check('view all contacts');
  if (!$viewAllowed) {
    $viewAllowed = CRM_ACL_API::groupPermission(CRM_ACL_API::VIEW, $id, null, 'civicrm_saved_search', $groupList);
  }
  if ($viewAllowed) {
    $permissions[] = CRM_Core_Permission::VIEW;
  }

  // Delete has no ACL of its own yet, so it is only offered on groups that
  // are already editable or viewable. The access test can be dropped once
  // ACLs cover delete.
  $hasGroupAccess = !empty($permissions);
  if ($hasGroupAccess && CRM_Core_Permission::check('delete contacts')) {
    $permissions[] = CRM_Core_Permission::DELETE;
  }

  return $permissions;
}