Пример #1
 /**
  * Gets the ACLs for the module and expands them, so that the client side does not have to do as many checks.
  *
  * @param  string $module     The module we want to fetch the ACL for
  * @param  object $userObject The user object for the ACL's we are retrieving.
  * @param  object|bool $bean       The SugarBean for getting specific ACL's for a module
  * @param bool $showYes When true, keep the 'yes' results instead of unsetting them
  * @return array       Array of ACLs: first the action ACLs (access, create, edit, delete), then an array of the field-level ACLs
  */
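 public function getAclForModule($module, $userObject, $bean = false, $showYes = false)
 {
     // This method only describes access for the client to render from; nothing in it
     // enforces access. Absent keys are read by the UI as 'yes' (see the filter at the
     // end), so every path that leaves a key out is a permissive answer.
     $outputAcl = array('fields' => array());
     $outputAcl['admin'] = $userObject->isAdminForModule($module) ? 'yes' : 'no';
     $outputAcl['developer'] = $userObject->isDeveloperForModule($module) ? 'yes' : 'no';
     if (!SugarACL::moduleSupportsACL($module)) {
         // Modules without ACL support are reported as open for every listed action.
         foreach (array('access', 'view', 'list', 'edit', 'delete', 'import', 'export', 'massupdate') as $action) {
             $outputAcl[$action] = 'yes';
         }
     } else {
         $context = array('user' => $userObject);
         if ($bean instanceof SugarBean) {
             $context['bean'] = $bean;
         }
         // If the bean is not set, or is a new bean, set the owner override.
         // This lets fields marked Owner pass through, so the result for a missing or
         // unsaved bean is the owner's view of the module.
         if ($bean == false || empty($bean->id) || (isset($bean->new_with_id) && $bean->new_with_id == true)) {
             $context['owner_override'] = true;
         }
         $moduleAcls = SugarACL::getUserAccess($module, array(), $context);
         // Bug56391 - Use the SugarACL class to determine access to different actions within the module.
         // An action missing from the result counts as allowed. The isset() test runs first so a
         // missing action no longer triggers an undefined-index notice before being defaulted.
         foreach (SugarACL::$all_access as $action => $bool) {
             $outputAcl[$action] = !isset($moduleAcls[$action]) || $moduleAcls[$action] == true ? 'yes' : 'no';
         }
         // Only loop through the fields if we have a reason to: without module access there is
         // nothing to refine at field level.
         if ($outputAcl['access'] == 'yes') {
             // Currently create just uses the edit permission, but there is probably a need for a separate permission for create
             $outputAcl['create'] = $outputAcl['edit'];
             // Fall back to a fresh bean for anything that is not a SugarBean (false, null, ...),
             // matching the instanceof test used for the context above; the old `=== false`
             // test left other non-bean values to be dereferenced below.
             if (!($bean instanceof SugarBean)) {
                 $bean = BeanFactory::newBean($module);
             }
             // we cannot use ACLField::getAvailableFields because it limits the fieldset we return.  We need all fields
             // for instance assigned_user_id is skipped in getAvailableFields, thus making the acl's look odd if Assigned User has ACL's
             // only assigned_user_name is returned which is a derived ["fake"] field.  We really need assigned_user_id to return as well.
             if (empty($GLOBALS['dictionary'][$bean->object_name]['fields'])) {
                 if (empty($bean->acl_fields)) {
                     $fieldsAcl = array();
                 } else {
                     $fieldsAcl = $bean->field_defs;
                 }
             } else {
                 $fieldsAcl = $GLOBALS['dictionary'][$bean->object_name]['fields'];
                 // The opt-out flag is the 'acl_fields' entry. The previous code compared the whole
                 // dictionary entry with false, which can never hold on this branch (the entry has a
                 // non-empty 'fields' key), so the opt-out was silently ignored.
                 if (isset($GLOBALS['dictionary'][$bean->object_name]['acl_fields']) && $GLOBALS['dictionary'][$bean->object_name]['acl_fields'] === false) {
                     $fieldsAcl = array();
                 }
             }
             // get the field names
             // NOTE(review): presumably listFilter() annotates $fieldsAcl in place with an 'acl'
             // entry per field (the 'add_acl' option); its return value is not used here - confirm.
             SugarACL::listFilter($module, $fieldsAcl, $context, array('add_acl' => true));
             $fieldsAcl = $this->getMetaDataHacks()->fixAcls($fieldsAcl);
             foreach ($fieldsAcl as $field => $fieldAcl) {
                 // A field that carries no 'acl' entry is treated as no-access, which is where the
                 // original switch ended up too (via its default branch), minus the notice.
                 $fieldLevel = isset($fieldAcl['acl']) ? $fieldAcl['acl'] : SugarACL::ACL_NO_ACCESS;
                 switch ($fieldLevel) {
                     case SugarACL::ACL_READ_WRITE:
                         // Default, don't need to send anything down
                         break;
                     case SugarACL::ACL_READ_ONLY:
                         $outputAcl['fields'][$field]['write'] = 'no';
                         $outputAcl['fields'][$field]['create'] = 'no';
                         break;
                     case 2:
                         // NOTE(review): no named constant is used for this level; it only denies
                         // reading the field - confirm which ACL level 2 stands for.
                         $outputAcl['fields'][$field]['read'] = 'no';
                         break;
                     case SugarACL::ACL_NO_ACCESS:
                     default:
                         // Unknown levels are denied everything rather than allowed.
                         $outputAcl['fields'][$field]['read'] = 'no';
                         $outputAcl['fields'][$field]['write'] = 'no';
                         $outputAcl['fields'][$field]['create'] = 'no';
                         break;
                 }
             }
         }
     }
     // there are times when we need the yes results, for instance comparing access for a record
     if ($showYes === false) {
         // for brevity, filter out 'yes' fields since UI assumes 'yes'
         // (strict comparison: the 'fields' entry is an array and must never match)
         foreach ($outputAcl as $k => $v) {
             if ($v === 'yes') {
                 unset($outputAcl[$k]);
             }
         }
     }
     // The hash is computed over the final (possibly filtered) array, before '_hash' is added.
     $outputAcl['_hash'] = $this->hashChunk($outputAcl);
     return $outputAcl;
 }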
Пример #2
 /**
  * Get user access for the list of actions
  *
  * @param string $module
  * @param array  $access_list List of actions
  * @param array  $context     ACL context; only its 'user' entry is passed on to the parent module lookup
  *
  * @return array List of access levels. Access levels not returned are assumed to be "all allowed".
  */
 public function getUserAccess($module, $access_list, $context)
 {
     // Without a parent module there is nothing to delegate to. The empty list is not a
     // denial: access levels that are not returned are assumed to be "all allowed".
     if (empty($this->parentModule)) {
         return array();
     }

     // The caller's context bean is deliberately not forwarded, since it would not match
     // the parent module. owner_override is always switched on for the delegated lookup.
     // NOTE(review): that presumably means owner-based restrictions of the parent module
     // do not apply to this answer - confirm this is intended.
     $delegatedContext = array('owner_override' => true);
     $hasUser = !empty($context['user']);
     if ($hasUser) {
         $delegatedContext['user'] = $context['user'];
     }

     // $module is not used on this path; the parent module's access is what gets returned.
     return SugarACL::getUserAccess($this->parentModule, $access_list, $delegatedContext);
 }