bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
application/Espo/Classes/Acl/ActionHistoryRecord/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\ActionHistoryRecord;
use Espo\Entities\ActionHistoryRecord;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<ActionHistoryRecord>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
public function checkOwn(User $user, Entity $entity): bool
{
return $entity->get('userId') === $user->getId();
}
}

158
application/Espo/Classes/Acl/Attachment/AccessChecker.php Normal file
View File

@@ -0,0 +1,158 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Attachment;
use Espo\Core\Name\Field;
use Espo\Entities\Attachment;
use Espo\Entities\Note;
use Espo\Entities\Settings;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
use Espo\Core\AclManager;
use Espo\Core\ORM\EntityManager;
/**
* @implements AccessEntityCREDChecker<Attachment>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
public function __construct(
DefaultAccessChecker $defaultAccessChecker,
private AclManager $aclManager,
private EntityManager $entityManager
) {
$this->defaultAccessChecker = $defaultAccessChecker;
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->getParentType() === Settings::ENTITY_TYPE) {
// Allow the logo.
return true;
}
$parent = null;
$parentType = $entity->getParentType();
$parentId = $entity->getParent()?->getId();
$relatedType = $entity->getRelatedType();
$relatedId = $entity->getRelated()?->getId();
if ($parentId && $parentType) {
$parent = $this->entityManager->getEntityById($parentType, $parentId);
} else if ($relatedId && $relatedType) {
$parent = $this->entityManager->getEntityById($relatedType, $relatedId);
}
if (!$parent) {
if ($this->defaultAccessChecker->checkEntityRead($user, $entity, $data)) {
return true;
}
return false;
}
if ($parent->getEntityType() === Note::ENTITY_TYPE) {
/** @var Note $parent */
$result = $this->checkEntityReadNoteParent($user, $parent);
if ($result !== null) {
return $result;
}
} else if ($this->aclManager->checkEntity($user, $parent)) {
if (
$entity->getTargetField() &&
!$this->aclManager->checkField($user, $parent->getEntityType(), $entity->getTargetField())
) {
return false;
}
return true;
}
if ($this->defaultAccessChecker->checkEntityRead($user, $entity, $data)) {
return true;
}
return false;
}
private function checkEntityReadNoteParent(User $user, Note $note): ?bool
{
if ($note->getTargetType() === Note::TARGET_TEAMS) {
$intersect = array_intersect(
$note->getLinkMultipleIdList(Field::TEAMS),
$user->getLinkMultipleIdList(Field::TEAMS)
);
if (count($intersect)) {
return true;
}
return null;
}
if ($note->getTargetType() === Note::TARGET_USERS) {
$isRelated = $this->entityManager
->getRDBRepository(Note::ENTITY_TYPE)
->getRelation($note, 'users')
->isRelated($user);
if ($isRelated) {
return true;
}
return null;
}
if ($note->getTargetType() === Note::TARGET_ALL) {
return true;
}
if (!$note->getParentId() || !$note->getParentType()) {
return null;
}
$parent = $this->entityManager->getEntityById($note->getParentType(), $note->getParentId());
if ($parent && $this->aclManager->checkEntity($user, $parent)) {
return true;
}
return null;
}
}

52
application/Espo/Classes/Acl/Attachment/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,52 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Attachment;
use Espo\Entities\Attachment;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<Attachment>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
private const ATTR_CREATED_BY_ID = 'createdById';
public function checkOwn(User $user, Entity $entity): bool
{
if ($user->getId() === $entity->get(self::ATTR_CREATED_BY_ID)) {
return true;
}
return false;
}
}

55
application/Espo/Classes/Acl/AuthToken/AccessChecker.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\AuthToken;
use Espo\Entities\AuthToken;
use Espo\Entities\User;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
/**
* @implements AccessEntityCREDChecker<AuthToken>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
public function __construct(DefaultAccessChecker $defaultAccessChecker)
{
$this->defaultAccessChecker = $defaultAccessChecker;
}
public function checkCreate(User $user, ScopeData $data): bool
{
return false;
}
}

170
application/Espo/Classes/Acl/Email/AccessChecker.php Normal file
View File

@@ -0,0 +1,170 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Email;
use Espo\Core\Name\Field;
use Espo\Entities\User;
use Espo\Entities\Email;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDSChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
/**
* @implements AccessEntityCREDSChecker<Email>
*/
class AccessChecker implements AccessEntityCREDSChecker
{
use DefaultAccessCheckerDependency;
public function __construct(DefaultAccessChecker $defaultAccessChecker)
{
$this->defaultAccessChecker = $defaultAccessChecker;
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
/** @var Email $entity */
if ($this->defaultAccessChecker->checkEntityRead($user, $entity, $data)) {
return true;
}
if ($data->isFalse()) {
return false;
}
if ($data->getRead() === Table::LEVEL_NO) {
return false;
}
if (!$entity->has('usersIds')) {
$entity->loadLinkMultipleField('users');
}
$userIdList = $entity->get('usersIds');
if (is_array($userIdList) && in_array($user->getId(), $userIdList)) {
return true;
}
return false;
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
/** @var Email $entity */
if ($user->isAdmin()) {
return true;
}
if ($data->isFalse()) {
return false;
}
if ($data->getDelete() === Table::LEVEL_OWN) {
if ($user->getId() === $entity->get('assignedUserId')) {
return true;
}
if ($user->getId() === $entity->get('createdById')) {
return true;
}
$assignedUserIdList = $entity->getLinkMultipleIdList(Field::ASSIGNED_USERS);
if (
count($assignedUserIdList) === 1 &&
$entity->hasLinkMultipleId(Field::ASSIGNED_USERS, $user->getId())
) {
return true;
}
return false;
}
if ($this->defaultAccessChecker->checkEntityDelete($user, $entity, $data)) {
return true;
}
if ($data->getEdit() === Table::LEVEL_NO && $data->getCreate() === Table::LEVEL_NO) {
return false;
}
if ($entity->get('createdById') !== $user->getId()) {
return false;
}
if (
$entity->getStatus() !== Email::STATUS_SENT &&
$entity->getStatus() !== Email::STATUS_ARCHIVED
) {
return true;
}
return false;
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
/** @var Email $entity */
if (
$entity->getStatus() === Email::STATUS_DRAFT &&
$entity->getCreatedBy() &&
$entity->getCreatedBy()->getId() === $user->getId()
) {
return true;
}
return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
}
public function checkEdit(User $user, ScopeData $data): bool
{
if ($data->getCreate() === Table::LEVEL_YES) {
return true;
}
return $this->defaultAccessChecker->checkEdit($user, $data);
}
public function checkDelete(User $user, ScopeData $data): bool
{
if ($data->getCreate() === Table::LEVEL_YES) {
return true;
}
return $this->defaultAccessChecker->checkDelete($user, $data);
}
}

58
application/Espo/Classes/Acl/Email/AssignmentChecker.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Email;
use Espo\Core\Acl\AssignmentChecker as AssignmentCheckerInterface;
use Espo\Entities\Email;
use Espo\Entities\User;
use Espo\ORM\Entity;
/**
* @implements AssignmentCheckerInterface<Email>
*/
class AssignmentChecker implements AssignmentCheckerInterface
{
public function __construct(
private AssignmentCheckerInterface\Helper $helper,
) {}
public function check(User $user, Entity $entity): bool
{
if ($entity->getAssignedUser() && !$this->helper->checkAssignedUser($user, $entity)) {
return false;
}
if ($entity->getTeams()->getIdList() !== [] && !$this->helper->checkTeams($user, $entity)) {
return false;
}
return true;
}
}

72
application/Espo/Classes/Acl/Email/LinkCheckers/ParentLinkChecker.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Email\LinkCheckers;
use Espo\Core\Acl\LinkChecker;
use Espo\Core\AclManager;
use Espo\Entities\Email;
use Espo\Entities\User;
use Espo\ORM\Entity;
/**
* @implements LinkChecker<Email, Entity>
* @noinspection PhpUnused
*/
class ParentLinkChecker implements LinkChecker
{
public function __construct(
private AclManager $aclManager
) {}
public function check(User $user, Entity $entity, Entity $foreignEntity): bool
{
if ($this->aclManager->checkEntityRead($user, $foreignEntity)) {
return true;
}
$replied = $entity->getReplied();
if (!$replied) {
return false;
}
$parent = $replied->getParent();
if (
!$parent ||
$parent->getId() !== $foreignEntity->getId() ||
$parent->getEntityType() !== $foreignEntity->getEntityType()
) {
return false;
}
return $this->aclManager->checkEntityRead($user, $replied);
}
}

67
application/Espo/Classes/Acl/Email/LinkCheckers/TeamsLinkChecker.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Email\LinkCheckers;
use Espo\Core\Acl\LinkChecker;
use Espo\Core\AclManager;
use Espo\Entities\Email;
use Espo\Entities\Team;
use Espo\Entities\User;
use Espo\ORM\Entity;
/**
* @implements LinkChecker<Email, Team>
* @noinspection PhpUnused
*/
class TeamsLinkChecker implements LinkChecker
{
public function __construct(
private AclManager $aclManager
) {}
public function check(User $user, Entity $entity, Entity $foreignEntity): bool
{
if ($this->aclManager->checkEntityRead($user, $foreignEntity)) {
return true;
}
$replied = $entity->getReplied();
if (!$replied) {
return false;
}
if ($replied->getTeams()->hasId($foreignEntity->getId())) {
return true;
}
return false;
}
}

69
application/Espo/Classes/Acl/Email/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Email;
use Espo\Entities\User;
use Espo\Entities\Email;
use Espo\ORM\Entity;
use Espo\Core\Acl\DefaultOwnershipChecker;
use Espo\Core\Acl\OwnershipOwnChecker;
use Espo\Core\Acl\OwnershipTeamChecker;
/**
* @implements OwnershipOwnChecker<Email>
* @implements OwnershipTeamChecker<Email>
*/
class OwnershipChecker implements OwnershipOwnChecker, OwnershipTeamChecker
{
public function __construct(private DefaultOwnershipChecker $defaultOwnershipChecker)
{}
public function checkOwn(User $user, Entity $entity): bool
{
if ($user->getId() === $entity->getAssignedUser()?->getId()) {
return true;
}
if ($user->getId() === $entity->getCreatedBy()?->getId()) {
return true;
}
if ($entity->getAssignedUsers()->hasId($user->getId())) {
return true;
}
return false;
}
public function checkTeam(User $user, Entity $entity): bool
{
return $this->defaultOwnershipChecker->checkTeam($user, $entity);
}
}

87
application/Espo/Classes/Acl/EmailFilter/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,87 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\EmailFilter;
use Espo\Entities\EmailAccount;
use Espo\Entities\User;
use Espo\Entities\EmailFilter;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
use Espo\Core\ORM\EntityManager;
/**
* @implements OwnershipOwnChecker<EmailFilter>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
private EntityManager $entityManager;
public function __construct(EntityManager $entityManager)
{
$this->entityManager = $entityManager;
}
/**
* @param EmailFilter $entity
*/
public function checkOwn(User $user, Entity $entity): bool
{
if ($entity->isGlobal()) {
return false;
}
$parentType = $entity->getParentType();
$parentId = $entity->getParentId();
if (!$parentType || !$parentId) {
return false;
}
$parent = $this->entityManager->getEntityById($parentType, $parentId);
if (!$parent) {
return false;
}
if ($parent->getEntityType() === User::ENTITY_TYPE) {
return $parent->getId() === $user->getId();
}
if (
$parent instanceof EmailAccount &&
$parent->has('assignedUserId') &&
$parent->get('assignedUserId') === $user->getId()
) {
return true;
}
return false;
}
}

85
application/Espo/Classes/Acl/Import/AccessChecker.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Import;
use Espo\Entities\Import;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityDeleteChecker;
use Espo\Core\Acl\AccessEntityReadChecker;
use Espo\Core\Acl\ScopeData;
/**
* @implements AccessEntityReadChecker<Import>
* @implements AccessEntityDeleteChecker<Import>
*/
class AccessChecker implements AccessEntityReadChecker, AccessEntityDeleteChecker
{
public function check(User $user, ScopeData $data): bool
{
return $data->isTrue();
}
public function checkRead(User $user, ScopeData $data): bool
{
return $data->isTrue();
}
public function checkDelete(User $user, ScopeData $data): bool
{
return $data->isTrue();
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if ($user->getId() === $entity->get('createdById')) {
return true;
}
return false;
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if ($user->getId() === $entity->get('createdById')) {
return true;
}
return false;
}
}

47
application/Espo/Classes/Acl/ImportEml/AccessChecker.php Normal file
View File

@@ -0,0 +1,47 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\ImportEml;
use Espo\Core\Acl\AccessCreateChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Entities\User;
class AccessChecker implements AccessCreateChecker
{
public function check(User $user, ScopeData $data): bool
{
return $data->isTrue();
}
public function checkCreate(User $user, ScopeData $data): bool
{
return $data->isTrue();
}
}

235
application/Espo/Classes/Acl/Note/AccessChecker.php Normal file
View File

@@ -0,0 +1,235 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Note;
use Espo\Core\Acl\Permission;
use Espo\Core\Acl\Table;
use Espo\Core\Name\Field;
use Espo\Entities\Note;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
use Espo\Core\AclManager;
use Espo\Core\ORM\EntityManager;
use Espo\Core\Utils\Config;
use DateTime;
use Exception;
/**
* @implements AccessEntityCREDChecker<Note>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
private const EDIT_PERIOD = '7 days';
private const DELETE_PERIOD = '1 month';
private DefaultAccessChecker $defaultAccessChecker;
private AclManager $aclManager;
private EntityManager $entityManager;
private Config $config;
public function __construct(
DefaultAccessChecker $defaultAccessChecker,
AclManager $aclManager,
EntityManager $entityManager,
Config $config
) {
$this->defaultAccessChecker = $defaultAccessChecker;
$this->aclManager = $aclManager;
$this->entityManager = $entityManager;
$this->config = $config;
}
/**
* @param Note $entity
*/
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
$parentId = $entity->get('parentId');
$parentType = $entity->get('parentType');
if (!$parentId || !$parentType) {
return true;
}
$parent = $this->entityManager->getEntityById($parentType, $parentId);
if ($parent && $this->aclManager->checkEntityStream($user, $parent)) {
return true;
}
return false;
}
/**
* @param Note $entity
*/
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
$parentId = $entity->getParentId();
$parentType = $entity->getParentType();
if ($parentId && $parentType) {
$parent = $this->entityManager->getEntityById($parentType, $parentId);
if (!$parent) {
return false;
}
return $this->aclManager->checkEntityStream($user, $parent);
}
if ($entity->getType() !== Note::TYPE_POST) {
return false;
}
if ($entity->getCreatedById() === $user->getId()) {
return true;
}
if ($entity->getTargetType() === Note::TARGET_ALL) {
return true;
}
if ($entity->getTargetType() === Note::TARGET_TEAMS) {
$targetTeamIdList = $entity->getLinkMultipleIdList(Field::TEAMS);
foreach ($user->getTeamIdList() as $teamId) {
if (in_array($teamId, $targetTeamIdList)) {
return true;
}
}
return false;
}
if ($entity->getTargetType() === Note::TARGET_USERS) {
return in_array($user->getId(), $entity->getLinkMultipleIdList('users'));
}
if ($entity->getTargetType() === Note::TARGET_PORTALS) {
return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES;
}
return false;
}
/**
* @param Note $entity
*/
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if (!$this->defaultAccessChecker->checkEntityEdit($user, $entity, $data)) {
return false;
}
if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
return false;
}
$createdAt = $entity->get(Field::CREATED_AT);
if (!$createdAt) {
return true;
}
$noteEditThresholdPeriod =
'-' . $this->config->get('noteEditThresholdPeriod', self::EDIT_PERIOD);
$dt = new DateTime();
$dt->modify($noteEditThresholdPeriod);
try {
if ($dt->format('U') > (new DateTime($createdAt))->format('U')) {
return false;
}
} catch (Exception $e) {
return false;
}
return true;
}
/**
* @param Note $entity
*/
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if (!$this->defaultAccessChecker->checkEntityDelete($user, $entity, $data)) {
return false;
}
if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
return false;
}
$createdAt = $entity->get(Field::CREATED_AT);
if (!$createdAt) {
return true;
}
$deleteThresholdPeriod =
'-' . $this->config->get('noteDeleteThresholdPeriod', self::DELETE_PERIOD);
$dt = new DateTime();
$dt->modify($deleteThresholdPeriod);
try {
if ($dt->format('U') > (new DateTime($createdAt))->format('U')) {
return false;
}
} catch (Exception $e) {
return false;
}
return true;
}
}

53
application/Espo/Classes/Acl/Note/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Note;
use Espo\Entities\Note;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<Note>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
/**
* @param Note $entity
*/
public function checkOwn(User $user, Entity $entity): bool
{
if ($entity->getType() === Note::TYPE_POST && $user->getId() === $entity->getCreatedById()) {
return true;
}
return false;
}
}

50
application/Espo/Classes/Acl/Notification/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,50 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Notification;
use Espo\Entities\Notification;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<Notification>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
public function checkOwn(User $user, Entity $entity): bool
{
if ($user->getId() === $entity->get('userId')) {
return true;
}
return false;
}
}

58
application/Espo/Classes/Acl/Portal/AccessChecker.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Portal;
use Espo\Core\Acl\Permission;
use Espo\Entities\Portal;
use Espo\Entities\User;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
use Espo\Core\AclManager;
/**
* @implements AccessEntityCREDChecker<Portal>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
public function __construct(private DefaultAccessChecker $defaultAccessChecker, private AclManager $aclManager)
{}
public function check(User $user, ScopeData $data): bool
{
$level = $this->aclManager->getPermissionLevel($user, Permission::PORTAL);
return $level === Table::LEVEL_YES;
}
}

89
application/Espo/Classes/Acl/ScheduledJob/AccessChecker.php Normal file
View File

@@ -0,0 +1,89 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\ScheduledJob;
use Espo\Entities\ScheduledJob;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
/**
* @implements AccessEntityCREDChecker<ScheduledJob>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
private DefaultAccessChecker $defaultAccessChecker;
public function __construct(DefaultAccessChecker $defaultAccessChecker)
{
$this->defaultAccessChecker = $defaultAccessChecker;
}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->get('isInternal')) {
return false;
}
return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->get('isInternal')) {
return false;
}
return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->get('isInternal')) {
return false;
}
return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->get('isInternal')) {
return false;
}
return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data);
}
}

49
application/Espo/Classes/Acl/Team/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Team;
use Espo\Core\Name\Field;
use Espo\Entities\Team;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<Team>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
public function checkOwn(User $user, Entity $entity): bool
{
$userTeamIdList = $user->getLinkMultipleIdList(Field::TEAMS);
return in_array($entity->getId(), $userTeamIdList);
}
}

129
application/Espo/Classes/Acl/User/AccessChecker.php Normal file
View File

@@ -0,0 +1,129 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\User;
use Espo\Core\Acl\Permission;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDSChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
use Espo\Core\AclManager;
/**
* @implements AccessEntityCREDSChecker<User>
*/
class AccessChecker implements AccessEntityCREDSChecker
{
use DefaultAccessCheckerDependency;
public function __construct(
private DefaultAccessChecker $defaultAccessChecker,
private AclManager $aclManager,
) {}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
if (!$user->isAdmin()) {
return false;
}
if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
return false;
}
return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
if (!$user->isAdmin() && !$entity->isActive()) {
return false;
}
if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
return false;
}
if ($entity->isSystem()) {
return false;
}
if ($entity->isPortal()) {
return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES;
}
return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
if ($entity->isSystem()) {
return false;
}
if (!$user->isAdmin()) {
if ($user->getId() !== $entity->getId()) {
return false;
}
}
if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
return false;
}
return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
if (!$user->isAdmin()) {
return false;
}
if ($entity->isSystem()) {
return false;
}
if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
return false;
}
return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data);
}
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
{
/** @noinspection PhpRedundantOptionalArgumentInspection */
return $this->aclManager->checkUserPermission($user, $entity, Permission::USER);
}
}

65
application/Espo/Classes/Acl/User/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\User;
use Espo\Core\Name\Field;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\Core\Acl\OwnershipOwnChecker;
use Espo\Core\Acl\OwnershipTeamChecker;
/**
* @implements OwnershipOwnChecker<User>
* @implements OwnershipTeamChecker<User>
*/
class OwnershipChecker implements OwnershipOwnChecker, OwnershipTeamChecker
{
public function checkOwn(User $user, Entity $entity): bool
{
return $user->getId() === $entity->getId();
}
public function checkTeam(User $user, Entity $entity): bool
{
assert($entity instanceof CoreEntity);
$intersect = array_intersect(
$user->getLinkMultipleIdList(Field::TEAMS),
$entity->getLinkMultipleIdList(Field::TEAMS)
);
if (count($intersect)) {
return true;
}
return false;
}
}

105
application/Espo/Classes/Acl/Webhook/AccessChecker.php Normal file
View File

@@ -0,0 +1,105 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Webhook;
use Espo\Entities\User;
use Espo\Entities\Webhook;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessEntityCREDChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
/**
* @implements AccessEntityCREDChecker<Webhook>
*/
class AccessChecker implements AccessEntityCREDChecker
{
use DefaultAccessCheckerDependency;
public function __construct(DefaultAccessChecker $defaultAccessChecker)
{
$this->defaultAccessChecker = $defaultAccessChecker;
}
public function check(User $user, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if (!$user->isApi()) {
return false;
}
if ($data->isFalse()) {
return false;
}
return true;
}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntityInternal($user, $entity, $data);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntityInternal($user, $entity, $data);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntityInternal($user, $entity, $data);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntityInternal($user, $entity, $data);
}
private function checkEntityInternal(User $user, Entity $entity, ScopeData $data): bool
{
if ($user->isAdmin()) {
return true;
}
if ($data->isFalse()) {
return false;
}
if ($user->isApi() && $user->getId() === $entity->get('userId')) {
return true;
}
return false;
}
}

46
application/Espo/Classes/Acl/Webhook/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\Webhook;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\OwnershipOwnChecker;
/**
* @implements OwnershipOwnChecker<\Espo\Entities\Webhook>
*/
class OwnershipChecker implements OwnershipOwnChecker
{
public function checkOwn(User $user, Entity $entity): bool
{
return $user->getId() === $entity->get('userId') && $user->isApi();
}
}

90
application/Espo/Classes/Acl/WorkingTimeRange/AssignmentChecker.php Normal file
View File

@@ -0,0 +1,90 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\Acl\WorkingTimeRange;
use Espo\Core\Acl\AssignmentChecker as AssignmentCheckerInterface;
use Espo\Core\Acl\DefaultAssignmentChecker;
use Espo\Core\AclManager;
use Espo\Entities\User;
use Espo\Entities\WorkingTimeRange;
use Espo\ORM\Entity;
use Espo\ORM\EntityManager;
use Espo\ORM\Name\Attribute;
/**
* @implements AssignmentCheckerInterface<WorkingTimeRange>
*/
class AssignmentChecker implements AssignmentCheckerInterface
{
private DefaultAssignmentChecker $defaultAssignmentChecker;
private AclManager $aclManager;
private EntityManager $entityManager;
public function __construct(
DefaultAssignmentChecker $defaultAssignmentChecker,
AclManager $aclManager,
EntityManager $entityManager
) {
$this->defaultAssignmentChecker = $defaultAssignmentChecker;
$this->aclManager = $aclManager;
$this->entityManager = $entityManager;
}
/**
* @param WorkingTimeRange $entity
*/
public function check(User $user, Entity $entity): bool
{
$result = $this->defaultAssignmentChecker->check($user, $entity);
if (!$result) {
return false;
}
if (!$entity->isAttributeChanged('usersIds')) {
return true;
}
$users = $this->entityManager
->getRDBRepositoryByClass(User::class)
->where([Attribute::ID => $entity->getUsers()->getIdList()])
->find();
foreach ($users as $targetUser) {
$accessToUser = $this->aclManager->check($user, $targetUser);
if (!$accessToUser) {
return false;
}
}
return true;
}
}