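/**
 * Gets the ACLs for the module and expands them so that the client side
 * does not have to do as many checks.
 *
 * The result is a description of access for the client, not an enforcement
 * point. By default every 'yes' entry is stripped, so a key that is missing
 * from the payload is read by the UI as "allowed".
 * NOTE(review): presumably the server re-checks SugarACL when a record is
 * actually read or written; confirm, because nothing in this method enforces it.
 *
 * @param string         $module     The module we want to fetch the ACL for
 * @param object         $userObject The user the ACLs are retrieved for; must provide
 *                                   isAdminForModule() and isDeveloperForModule()
 * @param SugarBean|bool $bean       The SugarBean for record-specific ACLs, or false for
 *                                   module-level ACLs (a new bean is created for field lookup)
 * @param bool           $showYes    When true, keep the 'yes' results instead of removing them
 * @return array Action ACLs (access, create, edit, delete, ...) first, then the field-level
 *               ACLs under 'fields', plus the value of hashChunk() under '_hash'
 */
public function getAclForModule($module, $userObject, $bean = false, $showYes = false)
{
    $outputAcl = array('fields' => array());
    $outputAcl['admin'] = $userObject->isAdminForModule($module) ? 'yes' : 'no';
    $outputAcl['developer'] = $userObject->isDeveloperForModule($module) ? 'yes' : 'no';

    if (!SugarACL::moduleSupportsACL($module)) {
        // Modules without ACL support report every listed action as allowed.
        foreach (array('access', 'view', 'list', 'edit', 'delete', 'import', 'export', 'massupdate') as $action) {
            $outputAcl[$action] = 'yes';
        }
    } else {
        $context = array('user' => $userObject);
        if ($bean instanceof SugarBean) {
            $context['bean'] = $bean;
        }

        // If the bean is not set, or is a new bean, set the owner override so that
        // fields marked Owner pass through. Without a saved record the answer is
        // therefore the optimistic "as if the user owned it" view; access to an
        // existing record has to be computed with that record's bean.
        if ($bean == false || empty($bean->id) || isset($bean->new_with_id) && $bean->new_with_id == true) {
            $context['owner_override'] = true;
        }

        $moduleAcls = SugarACL::getUserAccess($module, array(), $context);

        // Bug56391 - Use the SugarACL class to determine access to different actions within the module.
        // An action missing from $moduleAcls counts as allowed. isset() is tested first so that a
        // missing key is no longer read (the original order raised an undefined-index notice).
        foreach (SugarACL::$all_access as $action => $bool) {
            $outputAcl[$action] = !isset($moduleAcls[$action]) || $moduleAcls[$action] == true ? 'yes' : 'no';
        }

        // Only loop through the fields if we have a reason to: no module access means
        // no access to anything, so the per-field detail is skipped.
        if ($outputAcl['access'] === 'yes') {
            // Currently create just uses the edit permission, but there is probably a need
            // for a separate permission for create.
            $outputAcl['create'] = $outputAcl['edit'];

            if ($bean === false) {
                $bean = BeanFactory::newBean($module);
            }

            // We cannot use ACLField::getAvailableFields because it limits the fieldset we return.
            // We need all fields: for instance assigned_user_id is skipped in getAvailableFields,
            // so only the derived ("fake") assigned_user_name would be returned and the ACLs would
            // look odd when Assigned User has ACLs. assigned_user_id must be returned as well.
            if (empty($GLOBALS['dictionary'][$bean->object_name]['fields'])) {
                if (empty($bean->acl_fields)) {
                    $fieldsAcl = array();
                } else {
                    $fieldsAcl = $bean->field_defs;
                }
            } else {
                $fieldsAcl = $GLOBALS['dictionary'][$bean->object_name]['fields'];
                // NOTE(review): this condition can never be true. Once isset() has found the
                // 'acl_fields' key, the dictionary entry is an array and cannot be === false.
                // The intended test is probably ['acl_fields'] === false. It is left unchanged
                // because enabling it would stop field restrictions being reported for those
                // modules; confirm the intent before changing it.
                if (isset($GLOBALS['dictionary'][$bean->object_name]['acl_fields']) && $GLOBALS['dictionary'][$bean->object_name] === false) {
                    $fieldsAcl = array();
                }
            }

            // Ask SugarACL to annotate each field definition with its 'acl' level.
            SugarACL::listFilter($module, $fieldsAcl, $context, array('add_acl' => true));
            $fieldsAcl = $this->getMetaDataHacks()->fixAcls($fieldsAcl);

            foreach ($fieldsAcl as $field => $fieldAcl) {
                switch ($fieldAcl['acl']) {
                    case SugarACL::ACL_READ_WRITE:
                        // Default, don't need to send anything down
                        break;
                    case SugarACL::ACL_READ_ONLY:
                        $outputAcl['fields'][$field]['write'] = 'no';
                        $outputAcl['fields'][$field]['create'] = 'no';
                        break;
                    // NOTE(review): bare literal with no named constant; this branch denies
                    // read only. Confirm which SugarACL level the value 2 stands for.
                    case 2:
                        $outputAcl['fields'][$field]['read'] = 'no';
                        break;
                    case SugarACL::ACL_NO_ACCESS:
                    default:
                        // Unknown levels fall through to full denial, so an unexpected
                        // value fails closed.
                        $outputAcl['fields'][$field]['read'] = 'no';
                        $outputAcl['fields'][$field]['write'] = 'no';
                        $outputAcl['fields'][$field]['create'] = 'no';
                        break;
                }
            }
        }
    }

    // There are times when we need the yes results, for instance comparing access for a record.
    if ($showYes === false) {
        // For brevity, filter out 'yes' entries since the UI assumes 'yes'.
        // Only top-level action keys are removed; the 'fields' array is never equal to 'yes'.
        foreach ($outputAcl as $k => $v) {
            if ($v === 'yes') {
                unset($outputAcl[$k]);
            }
        }
    }

    $outputAcl['_hash'] = $this->hashChunk($outputAcl);

    return $outputAcl;
}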
/**
 * Get user access for the list of actions by delegating to the parent module.
 *
 * When no parent module is configured an empty list is returned, which by the
 * contract below means this check restricts nothing.
 *
 * @param string $module      Module being checked (not read by this implementation)
 * @param array  $access_list List of actions
 * @param array  $context     ACL context; only its 'user' entry is forwarded
 *
 * @return array List of access levels. Access levels not returned are assumed to be "all allowed".
 */
public function getUserAccess($module, $access_list, $context)
{
    // Nothing to delegate to: an empty result leaves every action unrestricted here.
    if (empty($this->parentModule)) {
        return array();
    }

    // Don't pass the context bean since it won't match the parent module.
    // NOTE(review): owner_override is always set for the parent lookup, so owner-only
    // rules on the parent are evaluated as if the user owned the record. Confirm that
    // ownership of the actual parent record is enforced elsewhere.
    $delegatedContext = array('owner_override' => true);
    if (!empty($context['user'])) {
        $delegatedContext['user'] = $context['user'];
    }

    return SugarACL::getUserAccess($this->parentModule, $access_list, $delegatedContext);
}