CRM_Core_Permission
in package
This is the basic permission class wrapper
Table of Contents
Constants
- ADMIN = 7
- The various type of permissions.
- ALL = 6
- The various type of permissions.
- ALWAYS_ALLOW_PERMISSION = "*always allow*"
- A placeholder permission which always fails.
- ALWAYS_DENY_PERMISSION = "*always deny*"
- A placeholder permission which always fails.
- ANY_AUTHENTICATED_CONTACT = '*authenticated*'
- A generic permission which allows access to authenticated contacts.
- AUTH_SRC_CHECKSUM = 1
- Various authentication sources.
- AUTH_SRC_LOGIN = 4
- Various authentication sources.
- AUTH_SRC_SITEKEY = 2
- Various authentication sources.
- AUTH_SRC_UNKNOWN = 0
- Various authentication sources.
- CREATE = 4
- The various type of permissions.
- DELETE = 3
- The various type of permissions.
- EDIT = 1
- The various type of permissions.
- EDIT_GROUPS = 'edit contacts in '
- Static strings used to compose permissions.
- SEARCH = 5
- The various type of permissions.
- VIEW = 2
- The various type of permissions.
- VIEW_GROUPS = 'view contacts in '
- Static strings used to compose permissions.
Methods
- access() : bool
- Checks that component is enabled and optionally that user has basic perm.
- basicPermissions() : array<string|int, array<string|int, mixed>>|array<string|int, string>
- check() : bool
- Given a permission string or array, check for access requirements
- checkActionPermission() : bool
- Check permissions for delete and edit actions.
- checkAnyPerm() : bool
- Determine if any one of the permissions strings applies to current user.
- checkConstPermissions() : mixed
- checkDownloadInvoice() : bool
- Verify if the user has permission to get the invoice.
- checkGroupRole() : bool
- Given a group/role array, check for access requirements
- checkMenu() : bool
- checkMenuItem() : bool|mixed
- customGroup() : array<string|int, int>
- Returns the ids of all custom groups the user is permitted to perform action of "$type"
- customGroupAdmin() : bool
- customGroupClause() : string
- event() : array<string|int, mixed>|null
- eventClause() : string
- getAnonymousPermissionsWarnings() : array<string|int, mixed>
- getComponentName() : null|string
- Get component name from given permission.
- getCorePermissions() : array<string|int, mixed>
- Get core permissions.
- getEntityActionPermissions() : array<string|int, mixed>
- For each entity provides an array of permissions required for each action
- getGenericAction() : string
- Translate an unknown action to a canonical form.
- getPermission() : int|string|null
- Get the maximum permission of the current user with respect to _any_ contact records.
- getPermissionedStaticGroupClause() : string
- Get the permissioned where clause for the user.
- giveMeAllACLs() : bool
- Validate user permission across.
- group() : array<string|int, mixed>
- Get all groups from database, filtered by permissions for this user
- isMultisiteEnabled() : bool
- permissionEmails() : string
- Get all the contact emails for users that have a specific permission.
- roleEmails() : string
- Get all the contact emails for users that have a specific role.
- ufGroup() : array<string|int, mixed>
- ufGroupClause() : array<string|int, mixed>|string
- ufGroupValid() : bool
- validateForPermissionWarnings() : array<string|int, mixed>
- assembleBasicPermissions() : array<string|int, mixed>
- getComponentPermissions() : array<string|int, mixed>
- Get permissions for components.
- getCoreAndComponentPermissions() : array<string|int, mixed>
- Get permissions for core functionality and for that of core components.
- setImpliedBy() : void
- Recursively sets the 'implied_by' value for every sub-permission, based on the 'implies' declaration in meta-permissions.
- getImpliedBy() : array<string|int, mixed>
- Get all permissions that would grant the given permission.
Constants
ADMIN
The various type of permissions.
public
int
ADMIN
= 7
ALL
The various type of permissions.
public
int
ALL
= 6
ALWAYS_ALLOW_PERMISSION
A placeholder permission which always fails.
public
mixed
ALWAYS_ALLOW_PERMISSION
= "*always allow*"
ALWAYS_DENY_PERMISSION
A placeholder permission which always fails.
public
mixed
ALWAYS_DENY_PERMISSION
= "*always deny*"
ANY_AUTHENTICATED_CONTACT
A generic permission which allows access to authenticated contacts.
public
mixed
ANY_AUTHENTICATED_CONTACT
= '*authenticated*'
NOTE: This is slightly different from asking whether there is an authenticated CMS User.
This permission only cares about identifying the CRM Contact.
AUTH_SRC_CHECKSUM
Various authentication sources.
public
int
AUTH_SRC_CHECKSUM
= 1
AUTH_SRC_LOGIN
Various authentication sources.
public
int
AUTH_SRC_LOGIN
= 4
AUTH_SRC_SITEKEY
Various authentication sources.
public
int
AUTH_SRC_SITEKEY
= 2
AUTH_SRC_UNKNOWN
Various authentication sources.
public
int
AUTH_SRC_UNKNOWN
= 0
CREATE
The various type of permissions.
public
int
CREATE
= 4
DELETE
The various type of permissions.
public
int
DELETE
= 3
EDIT
The various type of permissions.
public
int
EDIT
= 1
EDIT_GROUPS
Static strings used to compose permissions.
public
string
EDIT_GROUPS
= 'edit contacts in '
Tags
SEARCH
The various type of permissions.
public
int
SEARCH
= 5
VIEW
The various type of permissions.
public
int
VIEW
= 2
VIEW_GROUPS
Static strings used to compose permissions.
public
string
VIEW_GROUPS
= 'view contacts in '
Tags
Methods
access()
Checks that component is enabled and optionally that user has basic perm.
public
static access(string $module[, bool $checkPermission = TRUE ][, bool $requireAllCasesPermOnCiviCase = FALSE ]) : bool
Parameters
- $module : string
-
Specifies the name of the CiviCRM component.
- $checkPermission : bool = TRUE
-
Check not only that module is enabled, but that user has necessary permission.
- $requireAllCasesPermOnCiviCase : bool = FALSE
-
Significant only if $module == CiviCase Require "access all cases and activities", not just "access my cases and activities".
Return values
bool —Access to specified $module is granted.
basicPermissions()
public
static basicPermissions([bool $includeDisabled = FALSE ][, bool $returnAssociative = FALSE ]) : array<string|int, array<string|int, mixed>>|array<string|int, string>
Parameters
- $includeDisabled : bool = FALSE
-
Include permissions from disabled components/settings.
- $returnAssociative : bool = FALSE
-
If true, returns arrays with keys: [label, description, disabled, implies, implied_by]. If false, returns strings (label only).
Tags
Return values
array<string|int, array<string|int, mixed>>|array<string|int, string>check()
Given a permission string or array, check for access requirements
public
static check(string|array<string|int, mixed> $permissions[, int $contactId = NULL ]) : bool
Ex 1: Must have 'access CiviCRM' (string) 'access CiviCRM'
Ex 2: Must have 'access CiviCRM' and 'access AJAX API' ['access CiviCRM', 'access AJAX API']
Ex 3: Must have 'access CiviCRM' or 'access AJAX API' [ ['access CiviCRM', 'access AJAX API'], ],
Ex 4: Must have 'access CiviCRM' or 'access AJAX API' AND 'access CiviEvent' [ ['access CiviCRM', 'access AJAX API'], 'access CiviEvent', ],
Note that in permissions.php this is keyed by the action eg. (access Civi || access AJAX) && (access CiviEvent || access CiviContribute) 'myaction' => [ ['access CiviCRM', 'access AJAX API'], ['access CiviEvent', 'access CiviContribute'] ],
Parameters
- $permissions : string|array<string|int, mixed>
-
The permission to check as an array or string -see examples.
- $contactId : int = NULL
-
Contact id to check permissions for. Defaults to current logged-in user.
Return values
bool —true if contact has permission(s), else false
checkActionPermission()
Check permissions for delete and edit actions.
public
static checkActionPermission(string $module, int $action) : bool
Parameters
- $module : string
-
Component name.
- $action : int
-
Action to be check across component.
Return values
boolcheckAnyPerm()
Determine if any one of the permissions strings applies to current user.
public
static checkAnyPerm(array<string|int, mixed> $perms) : bool
Parameters
- $perms : array<string|int, mixed>
Return values
boolcheckConstPermissions()
public
static checkConstPermissions(GenericHookEvent $e) : mixed
Parameters
- $e : GenericHookEvent
checkDownloadInvoice()
Verify if the user has permission to get the invoice.
public
static checkDownloadInvoice() : bool
Return values
bool —TRUE if the user has download all invoices permission or download my invoices permission and the invoice author is the current user.
checkGroupRole()
Given a group/role array, check for access requirements
public
static checkGroupRole(array<string|int, mixed> $array) : bool
Parameters
- $array : array<string|int, mixed>
-
The group/role to check.
Return values
bool —true if yes, else false
checkMenu()
public
static checkMenu(mixed &$args[, string $op = 'and' ]) : bool
Parameters
- $args : mixed
- $op : string = 'and'
Return values
boolcheckMenuItem()
public
static checkMenuItem(mixed &$item) : bool|mixed
Parameters
- $item : mixed
Tags
Return values
bool|mixedcustomGroup()
Returns the ids of all custom groups the user is permitted to perform action of "$type"
public
static customGroup([int $type = CRM_Core_Permission::VIEW ][, bool $reset = FALSE ][, int $userId = NULL ]) : array<string|int, int>
Parameters
- $type : int = CRM_Core_Permission::VIEW
-
Type of action e.g. CRM_Core_Permission::VIEW or CRM_Core_Permission::EDIT
- $reset : bool = FALSE
-
Flush cache
- $userId : int = NULL
Return values
array<string|int, int>customGroupAdmin()
public
static customGroupAdmin([int $userId = NULL ]) : bool
Parameters
- $userId : int = NULL
Return values
boolcustomGroupClause()
public
static customGroupClause([int $type = CRM_Core_Permission::VIEW ][, string|null $prefix = NULL ][, bool $reset = FALSE ]) : string
Parameters
- $type : int = CRM_Core_Permission::VIEW
- $prefix : string|null = NULL
- $reset : bool = FALSE
Return values
stringevent()
public
static event([int $type = CRM_Core_Permission::VIEW ][, int $eventID = NULL ][, string $context = '' ]) : array<string|int, mixed>|null
Parameters
- $type : int = CRM_Core_Permission::VIEW
- $eventID : int = NULL
- $context : string = ''
Return values
array<string|int, mixed>|nulleventClause()
public
static eventClause([int $type = CRM_Core_Permission::VIEW ][, null $prefix = NULL ]) : string
Parameters
- $type : int = CRM_Core_Permission::VIEW
- $prefix : null = NULL
Return values
stringgetAnonymousPermissionsWarnings()
public
static getAnonymousPermissionsWarnings() : array<string|int, mixed>
Return values
array<string|int, mixed>getComponentName()
Get component name from given permission.
public
static getComponentName(string $permission) : null|string
Parameters
- $permission : string
Return values
null|string —the name of component.
getCorePermissions()
Get core permissions.
public
static getCorePermissions() : array<string|int, mixed>
Return values
array<string|int, mixed>getEntityActionPermissions()
For each entity provides an array of permissions required for each action
public
static getEntityActionPermissions() : array<string|int, mixed>
The action is the array key, possible values:
- create: applies to create (with no id in params)
- update: applies to update, setvalue, create (with id in params)
- get: applies to getcount, getsingle, getvalue and other gets
- delete: applies to delete, replace
- meta: applies to getfields, getoptions, getspec
- default: catch-all for anything not declared
Note: some APIs declare other actions as well
Permissions should use arrays for AND and arrays of arrays for OR
Tags
Return values
array<string|int, mixed> —of permissions
getGenericAction()
Translate an unknown action to a canonical form.
public
static getGenericAction(string $action) : string
Parameters
- $action : string
Return values
string —the standardised action name
getPermission()
Get the maximum permission of the current user with respect to _any_ contact records.
public
static getPermission() : int|string|null
Note: This appears to be hydrated via CRM_Core_Permission*::group(), which appears to run in
many page-views, but I'm not certain that it's guaranteed.
Tags
Return values
int|string|null —Highest permission held by the current user. If the user has "edit" rights to at least 1 contact (via permission or ACL), then CRM_Core_Permission::EDIT. If the user has "view" rights to at least 1 contact (via permission or ACL), then CRM_Core_Permission::VIEW. Otherwise, NULL.
getPermissionedStaticGroupClause()
Get the permissioned where clause for the user.
public
static getPermissionedStaticGroupClause(int $type, array<string|int, mixed> &$tables, array<string|int, mixed> &$whereTables) : string
Parameters
- $type : int
-
The type of permission needed.
- $tables : array<string|int, mixed>
-
(reference ) add the tables that are needed for the select clause.
- $whereTables : array<string|int, mixed>
-
(reference ) add the tables that are needed for the where clause.
Return values
string —the group where clause for this user
giveMeAllACLs()
Validate user permission across.
public
static giveMeAllACLs() : bool
edit or view or with supportable acls.
Return values
boolgroup()
Get all groups from database, filtered by permissions for this user
public
static group(string $groupType[, bool $excludeHidden = TRUE ]) : array<string|int, mixed>
Parameters
- $groupType : string
-
Type of group(Access/Mailing).
- $excludeHidden : bool = TRUE
-
exclude hidden groups.
Return values
array<string|int, mixed> —array reference of all groups.
isMultisiteEnabled()
public
static isMultisiteEnabled() : bool
Return values
boolpermissionEmails()
Get all the contact emails for users that have a specific permission.
public
static permissionEmails(string $permissionName) : string
Parameters
- $permissionName : string
-
Name of the permission we are interested in.
Return values
string —a comma separated list of email addresses
roleEmails()
Get all the contact emails for users that have a specific role.
public
static roleEmails(string $roleName) : string
Parameters
- $roleName : string
-
Name of the role we are interested in.
Return values
string —a comma separated list of email addresses
ufGroup()
public
static ufGroup([int $type = CRM_Core_Permission::VIEW ]) : array<string|int, mixed>
Parameters
- $type : int = CRM_Core_Permission::VIEW
Return values
array<string|int, mixed>ufGroupClause()
public
static ufGroupClause([int $type = CRM_Core_Permission::VIEW ][, string $prefix = NULL ][, bool $returnUFGroupIds = FALSE ]) : array<string|int, mixed>|string
Parameters
- $type : int = CRM_Core_Permission::VIEW
- $prefix : string = NULL
- $returnUFGroupIds : bool = FALSE
Return values
array<string|int, mixed>|stringufGroupValid()
public
static ufGroupValid(int $gid[, int $type = CRM_Core_Permission::VIEW ]) : bool
Parameters
- $gid : int
- $type : int = CRM_Core_Permission::VIEW
Return values
boolvalidateForPermissionWarnings()
public
static validateForPermissionWarnings(mixed $anonymous_perms) : array<string|int, mixed>
Parameters
- $anonymous_perms : mixed
Return values
array<string|int, mixed>assembleBasicPermissions()
protected
static assembleBasicPermissions() : array<string|int, mixed>
Tags
Return values
array<string|int, mixed>getComponentPermissions()
Get permissions for components.
protected
static getComponentPermissions() : array<string|int, mixed>
Return values
array<string|int, mixed>getCoreAndComponentPermissions()
Get permissions for core functionality and for that of core components.
protected
static getCoreAndComponentPermissions() : array<string|int, mixed>
Return values
array<string|int, mixed>setImpliedBy()
Recursively sets the 'implied_by' value for every sub-permission, based on the 'implies' declaration in meta-permissions.
protected
static setImpliedBy(array<string|int, mixed> $metaPermissions, array<string|int, mixed> $subPermissions, array<string|int, mixed> &$allPermissions[, int $recursionLevel = 0 ]) : void
Parameters
- $metaPermissions : array<string|int, mixed>
- $subPermissions : array<string|int, mixed>
- $allPermissions : array<string|int, mixed>
- $recursionLevel : int = 0
getImpliedBy()
Get all permissions that would grant the given permission.
private
static getImpliedBy(string $permissionName) : array<string|int, mixed>
This always includes the permission itself and the super 'all CiviCRM permissions and ACLs' plus any meta-permissions that imply this one.
Parameters
- $permissionName : string