bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
application/Espo/Core/Acl/AccessChecker.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
/**
* Bindings:
* - `$entityType` as of v9.1.0.
* - `Espo\Core\AclManager`
*/
interface AccessChecker
{
/**
* Check access to a scope.
*/
public function check(User $user, ScopeData $data): bool;
}

103
application/Espo/Core/Acl/AccessChecker/AccessCheckerFactory.php Normal file
View File

@@ -0,0 +1,103 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AccessChecker;
use Espo\Core\Acl\AccessChecker;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\Exceptions\NotImplemented;
use Espo\Core\AclManager;
use Espo\Core\Binding\Binder;
use Espo\Core\Binding\BindingContainer;
use Espo\Core\Binding\BindingData;
use Espo\Core\InjectableFactory;
use Espo\Core\Utils\Metadata;
class AccessCheckerFactory
{
/** @var class-string<AccessChecker> */
private string $defaultClassName = DefaultAccessChecker::class;
public function __construct(
private Metadata $metadata,
private InjectableFactory $injectableFactory
) {}
/**
* Create an access checker.
*
* @throws NotImplemented
*/
public function create(string $scope, AclManager $aclManager): AccessChecker
{
$className = $this->getClassName($scope);
$bindingContainer = $this->createBindingContainer($className, $aclManager, $scope);
return $this->injectableFactory->createWithBinding($className, $bindingContainer);
}
/**
* @return class-string<AccessChecker>
* @throws NotImplemented
*/
private function getClassName(string $scope): string
{
/** @var ?class-string<AccessChecker> $className1 */
$className1 = $this->metadata->get(['aclDefs', $scope, 'accessCheckerClassName']);
if ($className1) {
return $className1;
}
if (!$this->metadata->get(['scopes', $scope])) {
throw new NotImplemented("Access checker is not implemented for '$scope'.");
}
return $this->defaultClassName;
}
/**
* @param class-string<AccessChecker> $className
*/
private function createBindingContainer(string $className, AclManager $aclManager, string $scope): BindingContainer
{
$bindingData = new BindingData();
$binder = new Binder($bindingData);
$binder->bindInstance(AclManager::class, $aclManager);
$binder
->for($className)
->bindValue('$entityType', $scope);
return new BindingContainer($bindingData);
}
}

168
application/Espo/Core/Acl/AccessChecker/AccessCheckers/Foreign.php Normal file
View File

@@ -0,0 +1,168 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AccessChecker\AccessCheckers;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Utils\Metadata;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
use Espo\Core\Acl\AccessEntityCreateChecker;
use Espo\Core\Acl\AccessEntityReadChecker;
use Espo\Core\Acl\AccessEntityEditChecker;
use Espo\Core\Acl\AccessEntityDeleteChecker;
use Espo\Core\Acl\AccessEntityStreamChecker;
use Espo\Core\Acl\ScopeData;
use Espo\ORM\EntityManager;
use LogicException;
/**
* Access is determined by access to a foreign entity.
*
* @implements AccessEntityCreateChecker<Entity>
* @implements AccessEntityReadChecker<Entity>
* @implements AccessEntityEditChecker<Entity>
* @implements AccessEntityDeleteChecker<Entity>
* @implements AccessEntityStreamChecker<Entity>
*/
class Foreign implements
AccessEntityCreateChecker,
AccessEntityReadChecker,
AccessEntityEditChecker,
AccessEntityDeleteChecker,
AccessEntityStreamChecker
{
use DefaultAccessCheckerDependency;
public function __construct(
private Metadata $metadata,
DefaultAccessChecker $defaultAccessChecker,
private EntityManager $entityManager
) {
$this->defaultAccessChecker = $defaultAccessChecker;
}
private function getForeignEntity(Entity $entity): ?Entity
{
$entityType = $entity->getEntityType();
$link = $this->metadata->get(['aclDefs', $entityType, 'link']);
if (!$link) {
throw new LogicException("No `link` in aclDefs for {$entityType}.");
}
if ($entity->isNew()) {
$foreignEntityType = $this->entityManager
->getDefs()
->getEntity($entityType)
->getRelation($link)
->getForeignEntityType();
/** @var ?string $id */
$id = $entity->get($link . 'Id');
if (!$id) {
return null;
}
return $this->entityManager->getEntityById($foreignEntityType, $id);
}
return $this->entityManager
->getRDBRepository($entityType)
->getRelation($entity, $link)
->findOne();
}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
$foreign = $this->getForeignEntity($entity);
if (!$foreign) {
return false;
}
// @todo Check parent 'edit' access.
return $this->defaultAccessChecker->checkEntityCreate($user, $foreign, $data);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
$foreign = $this->getForeignEntity($entity);
if (!$foreign) {
return false;
}
return $this->defaultAccessChecker->checkEntityRead($user, $foreign, $data);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
$foreign = $this->getForeignEntity($entity);
if (!$foreign) {
return false;
}
return $this->defaultAccessChecker->checkEntityEdit($user, $foreign, $data);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
$foreign = $this->getForeignEntity($entity);
if (!$foreign) {
if ($user->isAdmin()) {
return true;
}
return false;
}
return $this->defaultAccessChecker->checkEntityDelete($user, $foreign, $data);
}
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
{
$foreign = $this->getForeignEntity($entity);
if (!$foreign) {
return false;
}
return $this->defaultAccessChecker->checkEntityStream($user, $foreign, $data);
}
}

91
application/Espo/Core/Acl/AccessChecker/ScopeChecker.php Normal file
View File

@@ -0,0 +1,91 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AccessChecker;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
/**
* Checks scope access.
*/
class ScopeChecker
{
public function __construct()
{}
public function check(ScopeData $data, ?string $action = null, ?ScopeCheckerData $checkerData = null): bool
{
if ($data->isFalse()) {
return false;
}
if ($data->isTrue()) {
return true;
}
if ($action === null) {
return true;
}
$level = $data->get($action);
if ($level === Table::LEVEL_ALL || $level === Table::LEVEL_YES) {
return true;
}
if ($level === Table::LEVEL_NO) {
return false;
}
if (!$checkerData) {
return false;
}
if ($level === Table::LEVEL_OWN || $level === Table::LEVEL_TEAM) {
if ($checkerData->isOwn()) {
return true;
}
}
if ($level === Table::LEVEL_OWN || $level === Table::LEVEL_TEAM) {
if ($checkerData->isShared()) {
return true;
}
}
if ($level === Table::LEVEL_TEAM) {
if ($checkerData->inTeam()) {
return true;
}
}
return false;
}
}

64
application/Espo/Core/Acl/AccessChecker/ScopeCheckerData.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AccessChecker;
use Closure;
/**
* Scope checker data.
*/
class ScopeCheckerData
{
public function __construct(
private Closure $isOwnChecker,
private Closure $inTeamChecker,
private Closure $isSharedChecker,
) {}
public function isOwn(): bool
{
return ($this->isOwnChecker)();
}
public function inTeam(): bool
{
return ($this->inTeamChecker)();
}
public function isShared(): bool
{
return ($this->isSharedChecker)();
}
public static function createBuilder(): ScopeCheckerDataBuilder
{
return new ScopeCheckerDataBuilder();
}
}

131
application/Espo/Core/Acl/AccessChecker/ScopeCheckerDataBuilder.php Normal file
View File

@@ -0,0 +1,131 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AccessChecker;
use Closure;
/**
* Builds scope checker data.
*/
class ScopeCheckerDataBuilder
{
private Closure $isOwnChecker;
private Closure $inTeamChecker;
private Closure $isSharedChecker;
public function __construct()
{
$this->isOwnChecker = fn(): bool => false;
$this->inTeamChecker = fn(): bool => false;
$this->isSharedChecker = fn(): bool => false;
}
public function setIsOwn(bool $value): self
{
if ($value) {
$this->isOwnChecker = function (): bool {
return true;
};
return $this;
}
$this->isOwnChecker = function (): bool {
return false;
};
return $this;
}
public function setInTeam(bool $value): self
{
if ($value) {
$this->inTeamChecker = function (): bool {
return true;
};
return $this;
}
$this->inTeamChecker = function (): bool {
return false;
};
return $this;
}
public function setIsShared(bool $value): self
{
if ($value) {
$this->isSharedChecker = fn(): bool => true;
return $this;
}
$this->isSharedChecker = fn(): bool => false;
return $this;
}
/**
* @param Closure(): bool $checker
*/
public function setIsOwnChecker(Closure $checker): self
{
$this->isOwnChecker = $checker;
return $this;
}
/**
* @param Closure(): bool $checker
*/
public function setInTeamChecker(Closure $checker): self
{
$this->inTeamChecker = $checker;
return $this;
}
/**
* @param Closure(): bool $checker
*/
public function setIsSharedChecker(Closure $checker): self
{
$this->isSharedChecker = $checker;
return $this;
}
public function build(): ScopeCheckerData
{
return new ScopeCheckerData($this->isOwnChecker, $this->inTeamChecker, $this->isSharedChecker);
}
}

40
application/Espo/Core/Acl/AccessCreateChecker.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
interface AccessCreateChecker extends AccessChecker
{
/**
* Check 'create' access.
*/
public function checkCreate(User $user, ScopeData $data): bool;
}

40
application/Espo/Core/Acl/AccessDeleteChecker.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
interface AccessDeleteChecker extends AccessChecker
{
/**
* Check 'delete' access.
*/
public function checkDelete(User $user, ScopeData $data): bool;
}

40
application/Espo/Core/Acl/AccessEditChecker.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
interface AccessEditChecker extends AccessChecker
{
/**
* Check 'edit' access.
*/
public function checkEdit(User $user, ScopeData $data): bool;
}

48
application/Espo/Core/Acl/AccessEntityCREDChecker.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
/**
* @template TEntity of \Espo\ORM\Entity
* @extends AccessEntityCreateChecker<TEntity>
* @extends AccessEntityCreateChecker<TEntity>
* @extends AccessEntityReadChecker<TEntity>
* @extends AccessEntityEditChecker<TEntity>
* @extends AccessEntityDeleteChecker<TEntity>
*/
interface AccessEntityCREDChecker extends
AccessEntityCreateChecker,
AccessEntityReadChecker,
AccessEntityEditChecker,
AccessEntityDeleteChecker
{
}

47
application/Espo/Core/Acl/AccessEntityCREDSChecker.php Normal file
View File

@@ -0,0 +1,47 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
/**
* @template TEntity of \Espo\ORM\Entity
* @extends AccessEntityCreateChecker<TEntity>
* @extends AccessEntityCreateChecker<TEntity>
* @extends AccessEntityReadChecker<TEntity>
* @extends AccessEntityEditChecker<TEntity>
* @extends AccessEntityDeleteChecker<TEntity>
* @extends AccessEntityStreamChecker<TEntity>
*/
interface AccessEntityCREDSChecker extends
AccessEntityCreateChecker,
AccessEntityReadChecker,
AccessEntityEditChecker,
AccessEntityDeleteChecker,
AccessEntityStreamChecker
{}

46
application/Espo/Core/Acl/AccessEntityCreateChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AccessEntityCreateChecker extends AccessCreateChecker
{
/**
* Check 'create' access for an entity.
*
* @param TEntity $entity
*/
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool;
}

46
application/Espo/Core/Acl/AccessEntityDeleteChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AccessEntityDeleteChecker extends AccessDeleteChecker
{
/**
* Check 'delete' access for an entity.
*
* @param TEntity $entity
*/
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool;
}

46
application/Espo/Core/Acl/AccessEntityEditChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AccessEntityEditChecker extends AccessEditChecker
{
/**
* Check 'edit' access for an entity.
*
* @param TEntity $entity
*/
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool;
}

46
application/Espo/Core/Acl/AccessEntityReadChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AccessEntityReadChecker extends AccessReadChecker
{
/**
* Check 'read' access for entity.
*
* @param TEntity $entity
*/
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool;
}

46
application/Espo/Core/Acl/AccessEntityStreamChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AccessEntityStreamChecker extends AccessStreamChecker
{
/**
* Check 'stream' access for an entity.
*
* @param TEntity $entity
*/
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool;
}

40
application/Espo/Core/Acl/AccessReadChecker.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
interface AccessReadChecker extends AccessChecker
{
/**
* Check 'read' access.
*/
public function checkRead(User $user, ScopeData $data): bool;
}

40
application/Espo/Core/Acl/AccessStreamChecker.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
interface AccessStreamChecker extends AccessChecker
{
/**
* Check 'stream' access.
*/
public function checkStream(User $user, ScopeData $data): bool;
}

47
application/Espo/Core/Acl/AssignmentChecker.php Normal file
View File

@@ -0,0 +1,47 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface AssignmentChecker
{
/**
* Check assignment.
*
* @param TEntity $entity
*/
public function check(User $user, Entity $entity): bool;
}

83
application/Espo/Core/Acl/AssignmentChecker/AssignmentCheckerFactory.php Normal file
View File

@@ -0,0 +1,83 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AssignmentChecker;
use Espo\Core\Acl\AssignmentChecker;
use Espo\Core\Acl\DefaultAssignmentChecker;
use Espo\Core\Acl\Exceptions\NotImplemented;
use Espo\Core\InjectableFactory;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\Core\Utils\Metadata;
use Espo\ORM\Entity;
class AssignmentCheckerFactory
{
/** @var class-string<AssignmentChecker<CoreEntity>> */
private string $defaultClassName = DefaultAssignmentChecker::class;
public function __construct(
private Metadata $metadata,
private InjectableFactory $injectableFactory
) {}
/**
* Create an access checker.
*
* @return AssignmentChecker<Entity>
* @throws NotImplemented
*/
public function create(string $scope): AssignmentChecker
{
$className = $this->getClassName($scope);
return $this->injectableFactory->create($className);
}
/**
* @return class-string<AssignmentChecker<Entity>>
* @throws NotImplemented
*/
private function getClassName(string $scope): string
{
/** @var ?class-string<AssignmentChecker<Entity>> $className */
$className = $this->metadata->get(['aclDefs', $scope, 'assignmentCheckerClassName']);
if ($className) {
return $className;
}
if (!$this->metadata->get(['scopes', $scope])) {
throw new NotImplemented();
}
/** @var class-string<AssignmentChecker<Entity>> */
return $this->defaultClassName;
}
}

69
application/Espo/Core/Acl/AssignmentChecker/AssignmentCheckerManager.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AssignmentChecker;
use Espo\ORM\Entity;
use Espo\Entities\User;
use Espo\Core\Acl\AssignmentChecker;
class AssignmentCheckerManager
{
/** @var array<string, AssignmentChecker<Entity>> */
private $checkerCache = [];
public function __construct(private AssignmentCheckerFactory $factory)
{}
public function check(User $user, Entity $entity): bool
{
$entityType = $entity->getEntityType();
$checker = $this->getChecker($entityType);
return $checker->check($user, $entity);
}
/**
* @return AssignmentChecker<Entity>
*/
private function getChecker(string $entityType): AssignmentChecker
{
if (!array_key_exists($entityType, $this->checkerCache)) {
$this->loadChecker($entityType);
}
return $this->checkerCache[$entityType];
}
private function loadChecker(string $entityType): void
{
$this->checkerCache[$entityType] = $this->factory->create($entityType);
}
}

339
application/Espo/Core/Acl/AssignmentChecker/Helper.php Normal file
View File

@@ -0,0 +1,339 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\AssignmentChecker;
use Espo\Core\Acl\Permission;
use Espo\Core\Acl\Table;
use Espo\Core\AclManager;
use Espo\Core\Name\Field;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\Core\ORM\Type\FieldType;
use Espo\Core\Utils\Metadata;
use Espo\Entities\User;
use Espo\ORM\Defs;
use Espo\ORM\Entity;
use Espo\ORM\EntityManager;
use Espo\ORM\Name\Attribute;
use Espo\Repositories\User as UserRepository;
class Helper
{
private const ATTR_ASSIGNED_USER_ID = Field::ASSIGNED_USER . 'Id';
private const FIELD_TEAMS = Field::TEAMS;
private const FIELD_ASSIGNED_USERS = Field::ASSIGNED_USERS;
private const FIELD_COLLABORATORS = Field::COLLABORATORS;
public function __construct(
private EntityManager $entityManager,
private AclManager $aclManager,
private Defs $ormDefs,
private Metadata $metadata,
) {}
public function checkAssignedUser(User $user, Entity $entity): bool
{
if (!$entity->hasAttribute(self::ATTR_ASSIGNED_USER_ID)) {
return true;
}
if ($user->isPortal()) {
return !$entity->isAttributeChanged(self::ATTR_ASSIGNED_USER_ID);
}
$assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
if ($assignmentPermission === Table::LEVEL_ALL) {
return true;
}
$toProcess = false;
if (!$entity->isNew()) {
if ($entity->isAttributeChanged(self::ATTR_ASSIGNED_USER_ID)) {
$toProcess = true;
}
} else {
$toProcess = true;
}
if (!$toProcess) {
return true;
}
$assignedUserId = $entity->get(self::ATTR_ASSIGNED_USER_ID);
if (!$assignedUserId) {
if ($assignmentPermission === Table::LEVEL_NO && !$user->isApi()) {
return false;
}
return true;
}
if ($assignmentPermission === Table::LEVEL_NO) {
return $user->getId() === $assignedUserId;
}
if ($assignmentPermission === Table::LEVEL_TEAM) {
$teamIdList = $user->getTeamIdList();
return $this->getUserRepository()->checkBelongsToAnyOfTeams($assignedUserId, $teamIdList);
}
return false;
}
public function checkTeams(User $user, Entity $entity): bool
{
$assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
if (!in_array($assignmentPermission, [Table::LEVEL_TEAM, Table::LEVEL_NO])) {
return true;
}
if (!$entity instanceof CoreEntity) {
return true;
}
if (!$entity->hasLinkMultipleField(self::FIELD_TEAMS)) {
return true;
}
$teamIdList = $entity->getLinkMultipleIdList(self::FIELD_TEAMS);
if ($teamIdList === []) {
return $this->isPermittedTeamsEmpty($user, $entity);
}
$newIdList = [];
if (!$entity->isNew()) {
$existingIdList = [];
$teamCollection = $this->entityManager
->getRelation($entity, self::FIELD_TEAMS)
->select(Attribute::ID)
->find();
foreach ($teamCollection as $team) {
$existingIdList[] = $team->getId();
}
foreach ($teamIdList as $id) {
if (!in_array($id, $existingIdList)) {
$newIdList[] = $id;
}
}
} else {
$newIdList = $teamIdList;
}
if ($newIdList === []) {
return true;
}
$userTeamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
foreach ($newIdList as $id) {
if (!in_array($id, $userTeamIdList)) {
return false;
}
}
return true;
}
public function checkUsers(User $user, Entity $entity, string $field): bool
{
if (!$entity instanceof CoreEntity) {
return true;
}
$idsAttr = $field . 'Ids';
if (!$entity->hasLinkMultipleField($field)) {
return true;
}
if ($user->isPortal()) {
if (!$entity->isAttributeChanged($idsAttr)) {
return true;
}
return false;
}
$assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
if ($assignmentPermission === Table::LEVEL_ALL) {
if (!$this->hasOnlyInternalUsers($user, $entity, $field)) {
return false;
}
return true;
}
$toProcess = $entity->isNew() || $entity->isAttributeChanged($idsAttr);
if (!$toProcess) {
return true;
}
$userIds = $entity->getLinkMultipleIdList($field);
if ($userIds === []) {
if ($assignmentPermission === Table::LEVEL_NO && !$user->isApi()) {
return false;
}
return true;
}
if ($assignmentPermission === Table::LEVEL_NO) {
return $this->isPermittedUsersLevelNo($user, $entity, $field);
}
if ($assignmentPermission === Table::LEVEL_TEAM) {
return $this->isPermittedUsersLevelTeam($user, $entity, $field);
}
return false;
}
private function isPermittedUsersLevelNo(User $user, CoreEntity $entity, string $field): bool
{
$userIds = $this->getAddedLinkMultipleIds($entity, $field);
foreach ($userIds as $userId) {
if ($user->getId() !== $userId) {
return false;
}
}
return true;
}
private function isPermittedUsersLevelTeam(User $user, CoreEntity $entity, string $field): bool
{
$teamIds = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
$userIds = $this->getAddedLinkMultipleIds($entity, $field);
foreach ($userIds as $userId) {
if (!$this->getUserRepository()->checkBelongsToAnyOfTeams($userId, $teamIds)) {
return false;
}
}
return true;
}
private function hasOnlyInternalUsers(User $user, CoreEntity $entity, string $field): bool
{
$ids = array_diff($this->getAddedLinkMultipleIds($entity, $field), [$user->getId()]);
$ids = array_values($ids);
$count = $this->entityManager
->getRDBRepositoryByClass(User::class)
->where([
'type!=' => [
User::TYPE_REGULAR,
User::TYPE_ADMIN,
],
Attribute::ID => $ids,
])
->count();
return $count === 0;
}
/**
* @return string[]
*/
private function getAddedLinkMultipleIds(CoreEntity $entity, string $field): array
{
/** @var string[] $previousIds */
$previousIds = $entity->getFetched(self::FIELD_COLLABORATORS . 'Ids') ?? [];
return array_values(array_diff($entity->getLinkMultipleIdList($field), $previousIds));
}
private function isPermittedTeamsEmpty(User $user, CoreEntity $entity): bool
{
$assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
if ($assignmentPermission !== Table::LEVEL_TEAM) {
return true;
}
if ($entity->hasLinkMultipleField(self::FIELD_ASSIGNED_USERS)) {
$assignedUserIdList = $entity->getLinkMultipleIdList(self::FIELD_ASSIGNED_USERS);
if ($assignedUserIdList === []) {
return false;
}
} else if ($entity->hasAttribute(self::ATTR_ASSIGNED_USER_ID)) {
if (!$entity->get(self::ATTR_ASSIGNED_USER_ID)) {
return false;
}
}
return true;
}
public function hasAssignedUsersField(string $entityType): bool
{
$entityDefs = $this->ormDefs->getEntity($entityType);
return
$entityDefs->hasField(self::FIELD_ASSIGNED_USERS) &&
$entityDefs->getField(self::FIELD_ASSIGNED_USERS)->getType() === FieldType::LINK_MULTIPLE &&
$entityDefs->hasRelation(self::FIELD_ASSIGNED_USERS) &&
$entityDefs->getRelation(self::FIELD_ASSIGNED_USERS)->getForeignEntityType() === User::ENTITY_TYPE;
}
public function hasCollaboratorsField(string $entityType): bool
{
if (!$this->metadata->get("scopes.$entityType.collaborators")) {
return false;
}
$entityDefs = $this->ormDefs->getEntity($entityType);
return
$entityDefs->tryGetField(self::FIELD_COLLABORATORS)?->getType() === FieldType::LINK_MULTIPLE &&
$entityDefs->tryGetRelation(self::FIELD_COLLABORATORS)?->tryGetForeignEntityType() === User::ENTITY_TYPE;
}
private function getUserRepository(): UserRepository
{
/** @var UserRepository */
return $this->entityManager->getRepository(User::ENTITY_TYPE);
}
}

86
application/Espo/Core/Acl/Cache/Clearer.php Normal file
View File

@@ -0,0 +1,86 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Cache;
use Espo\Core\Utils\File\Manager as FileManager;
use Espo\Entities\Portal;
use Espo\Entities\User;
use Espo\ORM\EntityManager;
use Espo\ORM\Name\Attribute;
/**
* @todo Clear cache in AclManager.
*/
class Clearer
{
public function __construct(private FileManager $fileManager, private EntityManager $entityManager)
{}
public function clearForAllInternalUsers(): void
{
$this->fileManager->removeInDir('data/cache/application/acl');
$this->fileManager->removeInDir('data/cache/application/aclMap');
}
public function clearForAllPortalUsers(): void
{
$this->fileManager->removeInDir('data/cache/application/aclPortal');
$this->fileManager->removeInDir('data/cache/application/aclPortalMap');
}
public function clearForUser(User $user): void
{
if ($user->isPortal()) {
$this->clearForPortalUser($user);
return;
}
$part = $user->getId() . '.php';
$this->fileManager->remove('data/cache/application/acl/' . $part);
$this->fileManager->remove('data/cache/application/aclMap/' . $part);
}
private function clearForPortalUser(User $user): void
{
$portals = $this->entityManager
->getRDBRepositoryByClass(Portal::class)
->select(Attribute::ID)
->find();
foreach ($portals as $portal) {
$part = $portal->getId() . '/' . $user->getId() . '.php';
$this->fileManager->remove('data/cache/application/aclPortal/' . $part);
$this->fileManager->remove('data/cache/application/aclPortalMap/' . $part);
}
}
}

236
application/Espo/Core/Acl/DefaultAccessChecker.php Normal file
View File

@@ -0,0 +1,236 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Core\Name\Field;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\Core\Acl\AccessChecker\ScopeChecker;
use Espo\Core\Acl\AccessChecker\ScopeCheckerData;
use Espo\Core\AclManager;
use Espo\Core\Utils\Config;
use DateTime;
use Exception;
/**
* A default implementation for access checking.
*
* @implements AccessEntityCreateChecker<Entity>
* @implements AccessEntityReadChecker<Entity>
* @implements AccessEntityEditChecker<Entity>
* @implements AccessEntityDeleteChecker<Entity>
* @implements AccessEntityStreamChecker<Entity>
*/
class DefaultAccessChecker implements
AccessEntityCreateChecker,
AccessEntityReadChecker,
AccessEntityEditChecker,
AccessEntityDeleteChecker,
AccessEntityStreamChecker
{
private const ATTR_CREATED_BY_ID = Field::CREATED_BY . 'Id';
private const ATTR_CREATED_AT = Field::CREATED_AT;
private const ATTR_ASSIGNED_USER_ID = Field::ASSIGNED_USER . 'Id';
private const ALLOW_DELETE_OWN_CREATED_PERIOD = '24 hours';
public function __construct(
private AclManager $aclManager,
private Config $config,
private ScopeChecker $scopeChecker
) {}
/**
* @param Table::ACTION_* $action
* @noinspection PhpDocSignatureInspection
*/
private function checkEntity(User $user, Entity $entity, ScopeData $data, string $action): bool
{
$checkerData = ScopeCheckerData
::createBuilder()
->setIsOwnChecker(
fn(): bool => $this->aclManager->checkOwnershipOwn($user, $entity)
)
->setInTeamChecker(
fn(): bool => $this->aclManager->checkOwnershipTeam($user, $entity)
)
->setIsSharedChecker(
fn(): bool => $this->aclManager->checkOwnershipShared($user, $entity, $action)
)
->build();
return $this->scopeChecker->check($data, $action, $checkerData);
}
private function checkScope(ScopeData $data, ?string $action = null): bool
{
$checkerData = ScopeCheckerData
::createBuilder()
->setIsOwn(true)
->setInTeam(true)
->setIsShared(true)
->build();
return $this->scopeChecker->check($data, $action, $checkerData);
}
public function check(User $user, ScopeData $data): bool
{
return $this->checkScope($data);
}
public function checkCreate(User $user, ScopeData $data): bool
{
return $this->checkScope($data, Table::ACTION_CREATE);
}
public function checkRead(User $user, ScopeData $data): bool
{
return $this->checkScope($data, Table::ACTION_READ);
}
public function checkEdit(User $user, ScopeData $data): bool
{
return $this->checkScope($data, Table::ACTION_EDIT);
}
public function checkDelete(User $user, ScopeData $data): bool
{
if ($this->checkScope($data, Table::ACTION_DELETE)) {
return true;
}
if ($data->getCreate() === Table::LEVEL_NO) {
return false;
}
if ($this->config->get('aclAllowDeleteCreated')) {
return true;
}
return false;
}
public function checkStream(User $user, ScopeData $data): bool
{
return $this->checkScope($data, Table::ACTION_STREAM);
}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntity($user, $entity, $data, Table::ACTION_CREATE);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntity($user, $entity, $data, Table::ACTION_READ);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntity($user, $entity, $data, Table::ACTION_EDIT);
}
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
{
return $this->checkEntity($user, $entity, $data, Table::ACTION_STREAM);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
if ($this->checkEntity($user, $entity, $data, Table::ACTION_DELETE)) {
return true;
}
if ($data->getCreate() === Table::LEVEL_NO) {
return false;
}
if (
!$this->config->get('aclAllowDeleteCreated') ||
!$entity->has(self::ATTR_CREATED_BY_ID) ||
$entity->get(self::ATTR_CREATED_BY_ID) !== $user->getId()
) {
return false;
}
$isDeletedAllowed = false;
if (!$entity->has(self::ATTR_ASSIGNED_USER_ID)) {
$isDeletedAllowed = true;
} else {
if (!$entity->get(self::ATTR_ASSIGNED_USER_ID)) {
$isDeletedAllowed = true;
} else if ($entity->get(self::ATTR_ASSIGNED_USER_ID) === $entity->get(self::ATTR_CREATED_BY_ID)) {
$isDeletedAllowed = true;
}
}
if (!$isDeletedAllowed) {
return false;
}
$createdAt = $entity->get(self::ATTR_CREATED_AT);
if (!$createdAt) {
return true;
}
$deleteThresholdPeriod =
$this->config->get('aclAllowDeleteCreatedThresholdPeriod') ??
self::ALLOW_DELETE_OWN_CREATED_PERIOD;
if (self::isDateTimeAfterPeriod($createdAt, $deleteThresholdPeriod)) {
return false;
}
return true;
}
private static function isDateTimeAfterPeriod(string $value, string $period): bool
{
try {
$dt = new DateTime($value);
} catch (Exception) {
return false;
}
$dt->modify($period);
$dtNow = new DateTime();
if ($dtNow->format('U') > $dt->format('U')) {
return true;
}
return false;
}
}

92
application/Espo/Core/Acl/DefaultAssignmentChecker.php Normal file
View File

@@ -0,0 +1,92 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Core\Acl\AssignmentChecker\Helper;
use Espo\Core\Name\Field;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @implements AssignmentChecker<CoreEntity>
*/
class DefaultAssignmentChecker implements AssignmentChecker
{
protected const FIELD_ASSIGNED_USERS = Field::ASSIGNED_USERS;
private const FIELD_COLLABORATORS = Field::COLLABORATORS;
public function __construct(
private Helper $helper,
) {}
public function check(User $user, Entity $entity): bool
{
if (!$this->isPermittedAssignedUser($user, $entity)) {
return false;
}
if (!$this->isPermittedTeams($user, $entity)) {
return false;
}
if ($this->helper->hasAssignedUsersField($entity->getEntityType())) {
if (!$this->isPermittedAssignedUsers($user, $entity)) {
return false;
}
}
if ($this->helper->hasCollaboratorsField($entity->getEntityType())) {
if (!$this->helper->checkUsers($user, $entity, self::FIELD_COLLABORATORS)) {
return false;
}
}
return true;
}
protected function isPermittedAssignedUser(User $user, Entity $entity): bool
{
return $this->helper->checkAssignedUser($user, $entity);
}
protected function isPermittedTeams(User $user, Entity $entity): bool
{
return $this->helper->checkTeams($user, $entity);
}
/**
* Left for backward compatibility.
*/
protected function isPermittedAssignedUsers(User $user, Entity $entity): bool
{
return $this->helper->checkUsers($user, $entity, self::FIELD_ASSIGNED_USERS);
}
}

135
application/Espo/Core/Acl/DefaultOwnershipChecker.php Normal file
View File

@@ -0,0 +1,135 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Core\Name\Field;
use Espo\ORM\Entity;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\Entities\User;
/**
* A default implementation for ownership checking.
*
* @implements OwnershipOwnChecker<CoreEntity>
* @implements OwnershipTeamChecker<CoreEntity>
* @implements OwnershipSharedChecker<CoreEntity>
*/
class DefaultOwnershipChecker implements OwnershipOwnChecker, OwnershipTeamChecker, OwnershipSharedChecker
{
private const ATTR_CREATED_BY_ID = Field::CREATED_BY . 'Id';
private const ATTR_ASSIGNED_USER_ID = Field::ASSIGNED_USER . 'Id';
private const ATTR_ASSIGNED_TEAMS_IDS = Field::TEAMS . 'Ids';
private const FIELD_TEAMS = Field::TEAMS;
private const FIELD_ASSIGNED_USERS = Field::ASSIGNED_USERS;
private const FIELD_COLLABORATORS = Field::COLLABORATORS;
public function checkOwn(User $user, Entity $entity): bool
{
if ($entity instanceof CoreEntity && $entity->hasLinkMultipleField(self::FIELD_ASSIGNED_USERS)) {
if ($entity->hasLinkMultipleId(self::FIELD_ASSIGNED_USERS, $user->getId())) {
return true;
}
return false;
}
if ($entity->hasAttribute(self::ATTR_ASSIGNED_USER_ID)) {
if (
$entity->has(self::ATTR_ASSIGNED_USER_ID) &&
$user->getId() === $entity->get(self::ATTR_ASSIGNED_USER_ID)
) {
return true;
}
return false;
}
if ($entity->hasAttribute(self::ATTR_CREATED_BY_ID)) {
if (
$entity->has(self::ATTR_CREATED_BY_ID) &&
$user->getId() === $entity->get(self::ATTR_CREATED_BY_ID)
) {
return true;
}
}
return false;
}
public function checkTeam(User $user, Entity $entity): bool
{
if (!$entity instanceof CoreEntity) {
return false;
}
$userTeamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
if (
!$entity->hasRelation(self::FIELD_TEAMS) ||
!$entity->hasAttribute(self::ATTR_ASSIGNED_TEAMS_IDS)
) {
return false;
}
$entityTeamIdList = $entity->getLinkMultipleIdList(self::FIELD_TEAMS);
if (empty($entityTeamIdList)) {
return false;
}
foreach ($userTeamIdList as $id) {
if (in_array($id, $entityTeamIdList)) {
return true;
}
}
return false;
}
public function checkShared(User $user, Entity $entity, string $action): bool
{
if (!$entity instanceof CoreEntity) {
return false;
}
if ($action !== Table::ACTION_READ && $action !== Table::ACTION_STREAM) {
return false;
}
if (
!$entity->hasRelation(self::FIELD_COLLABORATORS) ||
!$entity->hasLinkMultipleField(self::FIELD_COLLABORATORS)
) {
return false;
}
return in_array($user->getId(), $entity->getLinkMultipleIdList(self::FIELD_COLLABORATORS));
}
}

34
application/Espo/Core/Acl/Exceptions/NotAvailable.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Exceptions;
use RuntimeException;
class NotAvailable extends RuntimeException {}

34
application/Espo/Core/Acl/Exceptions/NotImplemented.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Exceptions;
use RuntimeException;
class NotImplemented extends RuntimeException {}

96
application/Espo/Core/Acl/FieldData.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use stdClass;
use RuntimeException;
/**
* Field data.
*/
class FieldData
{
/**
* @var array<string, string>
*/
private $actionData = [];
private function __construct() {}
/**
* @return never
*/
public function __get(string $name)
{
throw new RuntimeException("Accessing ScopeData properties is not allowed.");
}
/**
* Get a level for an action.
*/
public function get(string $action): string
{
return $this->actionData[$action] ?? Table::LEVEL_NO;
}
/**
* Get a 'read' level.
*/
public function getRead(): string
{
return $this->get(Table::ACTION_READ);
}
/**
* Get an 'edit' level.
*/
public function getEdit(): string
{
return $this->get(Table::ACTION_EDIT);
}
/**
* Create from a raw table value.
*/
public static function fromRaw(stdClass $raw): self
{
$obj = new self();
$obj->actionData = get_object_vars($raw);
foreach ($obj->actionData as $item) {
if (!is_string($item)) {
throw new RuntimeException("Bad raw scope data.");
}
}
return $obj;
}
}

273
application/Espo/Core/Acl/GlobalRestriction.php Normal file
View File

@@ -0,0 +1,273 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Core\Utils\Config\SystemConfig;
use Espo\Core\Utils\DataCache;
use Espo\Core\Utils\FieldUtil;
use Espo\Core\Utils\Metadata;
use stdClass;
/**
* Lists of restricted fields can be obtained from here. Restricted fields
* are specified in metadata > entityAcl.
*/
class GlobalRestriction
{
/** Totally forbidden. */
public const TYPE_FORBIDDEN = 'forbidden';
/** Reading forbidden, writing allowed. */
public const TYPE_INTERNAL = 'internal';
/** Forbidden for non-admin users. */
public const TYPE_ONLY_ADMIN = 'onlyAdmin';
/** Read-only for all users. */
public const TYPE_READ_ONLY = 'readOnly';
/** Read-only for non-admin users. */
public const TYPE_NON_ADMIN_READ_ONLY = 'nonAdminReadOnly';
/**
* @var array<int, self::TYPE_*>
*/
private $fieldTypeList = [
self::TYPE_FORBIDDEN,
self::TYPE_INTERNAL,
self::TYPE_ONLY_ADMIN,
self::TYPE_READ_ONLY,
self::TYPE_NON_ADMIN_READ_ONLY,
];
/**
* @var array<int, self::TYPE_*>
*/
private $linkTypeList = [
self::TYPE_FORBIDDEN,
self::TYPE_INTERNAL,
self::TYPE_ONLY_ADMIN,
self::TYPE_READ_ONLY,
self::TYPE_NON_ADMIN_READ_ONLY,
];
/**
* Types that should also be taken from entityDefs.
* @var array<int, self::TYPE_*>
*/
private array $entityDefsTypeList = [
self::TYPE_READ_ONLY,
];
private ?stdClass $data = null;
private string $cacheKey = 'entityAcl';
public function __construct(
private Metadata $metadata,
private DataCache $dataCache,
private FieldUtil $fieldUtil,
SystemConfig $systemConfig,
) {
$useCache = $systemConfig->useCache();
if ($useCache && $this->dataCache->has($this->cacheKey)) {
/** @var stdClass $cachedData */
$cachedData = $this->dataCache->get($this->cacheKey);
$this->data = $cachedData;
return;
}
if (!$this->data) {
$this->buildData();
}
if ($useCache) {
$this->storeCacheFile();
}
}
private function storeCacheFile(): void
{
assert($this->data !== null);
$this->dataCache->store($this->cacheKey, $this->data);
}
private function buildData(): void
{
/** @var string[] $scopeList */
$scopeList = array_keys($this->metadata->get(['entityDefs']) ?? []);
$data = (object) [];
foreach ($scopeList as $scope) {
/** @var string[] $fieldList */
$fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
/** @var string[] $linkList */
$linkList = array_keys($this->metadata->get(['entityDefs', $scope, 'links']) ?? []);
$isNotEmpty = false;
$scopeData = (object) [
'fields' => (object) [],
'attributes' => (object) [],
'links' => (object) [],
];
foreach ($this->fieldTypeList as $type) {
$resultFieldList = [];
$resultAttributeList = [];
foreach ($fieldList as $field) {
$value = $this->metadata->get(['entityAcl', $scope, 'fields', $field, $type]);
if (!$value && in_array($type, $this->entityDefsTypeList)) {
$value = $this->metadata->get(['entityDefs', $scope, 'fields', $field, $type]);
}
if (!$value) {
continue;
}
$isNotEmpty = true;
$resultFieldList[] = $field;
$fieldAttributeList = $this->fieldUtil->getAttributeList($scope, $field);
foreach ($fieldAttributeList as $attribute) {
$resultAttributeList[] = $attribute;
}
}
$scopeData->fields->$type = $resultFieldList;
$scopeData->attributes->$type = $resultAttributeList;
}
foreach ($this->linkTypeList as $type) {
$resultLinkList = [];
foreach ($linkList as $link) {
$value = $this->metadata->get(['entityAcl', $scope, 'links', $link, $type]);
if (!$value && in_array($type, $this->entityDefsTypeList)) {
$value = $this->metadata->get(['entityDefs', $scope, 'links', $link, $type]);
}
if (!$value) {
continue;
}
$isNotEmpty = true;
$resultLinkList[] = $link;
}
$scopeData->links->$type = $resultLinkList;
}
if ($isNotEmpty) {
$data->$scope = $scopeData;
}
}
$this->data = $data;
}
/**
* @param self::TYPE_* $type
* @return string[]
*/
public function getScopeRestrictedFieldList(string $scope, string $type): array
{
assert($this->data !== null);
if (!property_exists($this->data, $scope)) {
return [];
}
if (!property_exists($this->data->$scope, 'fields')) {
return [];
}
if (!property_exists($this->data->$scope->fields, $type)) {
return [];
}
return $this->data->$scope->fields->$type;
}
/**
* @param self::TYPE_* $type
* @return string[]
*/
public function getScopeRestrictedAttributeList(string $scope, string $type): array
{
assert($this->data !== null);
if (!property_exists($this->data, $scope)) {
return [];
}
if (!property_exists($this->data->$scope, 'attributes')) {
return [];
}
if (!property_exists($this->data->$scope->attributes, $type)) {
return [];
}
return $this->data->$scope->attributes->$type;
}
/**
* @param self::TYPE_* $type
* @return string[]
*/
public function getScopeRestrictedLinkList(string $scope, string $type): array
{
assert($this->data !== null);
if (!property_exists($this->data, $scope)) {
return [];
}
if (!property_exists($this->data->$scope, 'links')) {
return [];
}
if (!property_exists($this->data->$scope->links, $type)) {
return [];
}
return $this->data->$scope->links->$type;
}
}

48
application/Espo/Core/Acl/LinkChecker.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Entities\User;
use Espo\ORM\Entity;
/**
* Checks access for linking/unlinking two records.
*
* @template TEntity of Entity
* @template TForeignEntity of Entity
*/
interface LinkChecker
{
/**
* @param TEntity $entity
* @param TForeignEntity $foreignEntity
*/
public function check(User $user, Entity $entity, Entity $foreignEntity): bool;
}

74
application/Espo/Core/Acl/LinkChecker/LinkCheckerFactory.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\LinkChecker;
use Espo\Core\Acl\LinkChecker;
use Espo\Core\InjectableFactory;
use Espo\Core\Utils\Metadata;
use Espo\ORM\Entity;
use RuntimeException;
class LinkCheckerFactory
{
public function __construct(
private Metadata $metadata,
private InjectableFactory $injectableFactory
) {}
/**
* Create a link checker.
*
* @return LinkChecker<Entity, Entity>
*/
public function create(string $scope, string $link): LinkChecker
{
$className = $this->getClassName($scope, $link);
if (!$className) {
throw new RuntimeException("Link checker is not implemented for {$scope}.{$link}.");
}
return $this->injectableFactory->create($className);
}
public function isCreatable(string $scope, string $link): bool
{
return (bool) $this->getClassName($scope, $link);
}
/**
* @return ?class-string<LinkChecker<Entity, Entity>>
*/
private function getClassName(string $scope, string $link): ?string
{
/** @var ?class-string<LinkChecker<Entity, Entity>> */
return $this->metadata->get(['aclDefs', $scope, 'linkCheckerClassNameMap', $link]);
}
}

35
application/Espo/Core/Acl/Map/CacheKeyProvider.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
interface CacheKeyProvider
{
public function get(): string;
}

189
application/Espo/Core/Acl/Map/DataBuilder.php Normal file
View File

@@ -0,0 +1,189 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
use Espo\Core\Acl\Table;
use Espo\Core\Utils\FieldUtil;
use stdClass;
class DataBuilder
{
/** @var string[] */
private $actionList = [
Table::ACTION_READ,
Table::ACTION_STREAM,
Table::ACTION_EDIT,
Table::ACTION_DELETE,
Table::ACTION_CREATE,
];
/** @var string[] */
private $fieldActionList = [
Table::ACTION_READ,
Table::ACTION_EDIT,
];
/** @var string[] */
private $fieldLevelList = [
Table::LEVEL_YES,
Table::LEVEL_NO,
];
public function __construct(private MetadataProvider $metadataProvider, private FieldUtil $fieldUtil)
{}
/**
* @return stdClass&object{table: stdClass, fieldTable: stdClass}
*/
public function build(Table $table): stdClass
{
$data = (object) [
'table' => (object) [],
'fieldTable' => (object) [],
];
foreach ($this->metadataProvider->getScopeList() as $scope) {
$data->table->$scope = $this->getScopeRawData($table, $scope);
$fieldData = $this->getScopeFieldData($table, $scope);
if ($fieldData !== null) {
$data->fieldTable->$scope = $fieldData;
}
}
foreach ($this->metadataProvider->getPermissionList() as $permission) {
$data->{$permission . 'Permission'} = $table->getPermissionLevel($permission);
}
$data->fieldTableQuickAccess = $this->buildFieldTableQuickAccess($data->fieldTable);
return $data;
}
/**
* @return bool|stdClass
*/
private function getScopeRawData(Table $table, string $scope)
{
$data = $table->getScopeData($scope);
if ($data->isBoolean()) {
return $data->isTrue();
}
$rawData = (object) [];
foreach ($this->actionList as $action) {
$rawData->$action = $data->get($action);
}
return $rawData;
}
private function getScopeFieldData(Table $table, string $scope): ?stdClass
{
if (!$this->metadataProvider->isScopeEntity($scope)) {
return null;
}
$fieldList = $this->metadataProvider->getScopeFieldList($scope);
$rawData = (object) [];
foreach ($fieldList as $field) {
$data = $table->getFieldData($scope, $field);
if (
$data->getRead() === Table::LEVEL_YES &&
$data->getEdit() === Table::LEVEL_YES
) {
continue;
}
$rawData->$field = (object) [
Table::ACTION_READ => $data->getRead(),
Table::ACTION_EDIT => $data->getEdit(),
];
}
return $rawData;
}
protected function buildFieldTableQuickAccess(stdClass $fieldTable): stdClass
{
$quickAccess = (object) [];
foreach (get_object_vars($fieldTable) as $scope => $scopeData) {
$quickAccess->$scope = $this->buildFieldTableQuickAccessScope($scope, $scopeData);
}
return $quickAccess;
}
private function buildFieldTableQuickAccessScope(string $scope, stdClass $data): stdClass
{
$quickAccess = (object) [
'attributes' => (object) [],
'fields' => (object) [],
];
foreach ($this->fieldActionList as $action) {
$quickAccess->attributes->$action = (object) [];
$quickAccess->fields->$action = (object) [];
foreach ($this->fieldLevelList as $level) {
$quickAccess->attributes->$action->$level = [];
$quickAccess->fields->$action->$level = [];
}
}
foreach (get_object_vars($data) as $field => $fieldData) {
$attributeList = $this->fieldUtil->getAttributeList($scope, $field);
foreach ($this->fieldActionList as $action) {
if (!isset($fieldData->$action)) {
continue;
}
foreach ($this->fieldLevelList as $level) {
if ($fieldData->$action === $level) {
$quickAccess->fields->$action->{$level}[] = $field;
foreach ($attributeList as $attribute) {
$quickAccess->attributes->$action->{$level}[] = $attribute;
}
}
}
}
}
return $quickAccess;
}
}

43
application/Espo/Core/Acl/Map/DefaultCacheKeyProvider.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
use Espo\Entities\User;
class DefaultCacheKeyProvider implements CacheKeyProvider
{
public function __construct(private User $user)
{}
public function get(): string
{
return 'aclMap/' . $this->user->getId();
}
}

232
application/Espo/Core/Acl/Map/Map.php Normal file
View File

@@ -0,0 +1,232 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
use Espo\Core\Acl\Table;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\DataCache;
use Espo\Core\Utils\ObjectUtil;
use stdClass;
use RuntimeException;
/**
* Provides quick access to ACL data.
*/
class Map
{
private stdClass $data;
private string $cacheKey;
/** @var array<string, string[]> */
private $forbiddenFieldsCache = [];
/** @var array<string, string[]> */
private $forbiddenAttributesCache;
/** @var string[] */
private $fieldLevelList = [
Table::LEVEL_YES,
Table::LEVEL_NO,
];
public function __construct(
Table $table,
private DataBuilder $dataBuilder,
private DataCache $dataCache,
CacheKeyProvider $cacheKeyProvider,
Config\SystemConfig $systemConfig,
) {
$this->cacheKey = $cacheKeyProvider->get();
if ($systemConfig->useCache() && $this->dataCache->has($this->cacheKey)) {
/** @var stdClass $cachedData */
$cachedData = $this->dataCache->get($this->cacheKey);
$this->data = $cachedData;
} else {
$this->data = $this->dataBuilder->build($table);
if ($systemConfig->useCache()) {
$this->dataCache->store($this->cacheKey, $this->data);
}
}
}
/**
* Get raw data (for front-end).
*/
public function getData(): stdClass
{
return ObjectUtil::clone($this->data);
}
/**
* Get a list of forbidden attributes for a scope and action.
*
* @param string $scope A scope.
* @param string $action An action.
* @param string $thresholdLevel An attribute will be treated as forbidden if the level is
* equal to or lower than the threshold.
* @return string[]
*/
public function getScopeForbiddenAttributeList(
string $scope,
string $action = Table::ACTION_READ,
string $thresholdLevel = Table::LEVEL_NO
): array {
if (
!in_array($thresholdLevel, $this->fieldLevelList) ||
$thresholdLevel === Table::LEVEL_YES
) {
throw new RuntimeException("Bad threshold level.");
}
$key = $scope . '_'. $action . '_' . $thresholdLevel;
if (isset($this->forbiddenAttributesCache[$key])) {
return $this->forbiddenAttributesCache[$key];
}
$fieldTableQuickAccess = $this->data->fieldTableQuickAccess;
if (
!isset($fieldTableQuickAccess->$scope) ||
!isset($fieldTableQuickAccess->$scope->attributes) ||
!isset($fieldTableQuickAccess->$scope->attributes->$action)
) {
$this->forbiddenAttributesCache[$key] = [];
return [];
}
$levelList = [];
foreach ($this->fieldLevelList as $level) {
if (
array_search($level, $this->fieldLevelList) >=
array_search($thresholdLevel, $this->fieldLevelList)
) {
$levelList[] = $level;
}
}
$attributeList = [];
foreach ($levelList as $level) {
if (!isset($fieldTableQuickAccess->$scope->attributes->$action->$level)) {
continue;
}
foreach ($fieldTableQuickAccess->$scope->attributes->$action->$level as $attribute) {
if (in_array($attribute, $attributeList)) {
continue;
}
$attributeList[] = $attribute;
}
}
$this->forbiddenAttributesCache[$key] = $attributeList;
return $attributeList;
}
/**
* Get a list of forbidden fields for a scope and action.
*
* @param string $scope A scope.
* @param string $action An action.
* @param string $thresholdLevel An attribute will be treated as forbidden if the level is
* equal to or lower than the threshold.
* @return string[]
*/
public function getScopeForbiddenFieldList(
string $scope,
string $action = Table::ACTION_READ,
string $thresholdLevel = Table::LEVEL_NO
): array {
if (
!in_array($thresholdLevel, $this->fieldLevelList) ||
$thresholdLevel === Table::LEVEL_YES
) {
throw new RuntimeException("Bad threshold level.");
}
$key = $scope . '_'. $action . '_' . $thresholdLevel;
if (isset($this->forbiddenFieldsCache[$key])) {
return $this->forbiddenFieldsCache[$key];
}
$fieldTableQuickAccess = $this->data->fieldTableQuickAccess;
if (
!isset($fieldTableQuickAccess->$scope) ||
!isset($fieldTableQuickAccess->$scope->fields) ||
!isset($fieldTableQuickAccess->$scope->fields->$action)
) {
$this->forbiddenFieldsCache[$key] = [];
return [];
}
$levelList = [];
foreach ($this->fieldLevelList as $level) {
if (
array_search($level, $this->fieldLevelList) >=
array_search($thresholdLevel, $this->fieldLevelList)
) {
$levelList[] = $level;
}
}
$fieldList = [];
foreach ($levelList as $level) {
if (!isset($fieldTableQuickAccess->$scope->fields->$action->$level)) {
continue;
}
foreach ($fieldTableQuickAccess->$scope->fields->$action->$level as $field) {
if (in_array($field, $fieldList)) {
continue;
}
$fieldList[] = $field;
}
}
$this->forbiddenFieldsCache[$key] = $fieldList;
return $fieldList;
}
}

64
application/Espo/Core/Acl/Map/MapFactory.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
use Espo\Entities\User;
use Espo\Core\Acl\Table;
use Espo\Core\Binding\Binder;
use Espo\Core\Binding\BindingContainer;
use Espo\Core\Binding\BindingData;
use Espo\Core\InjectableFactory;
class MapFactory
{
public function __construct(private InjectableFactory $injectableFactory)
{}
public function create(User $user, Table $table): Map
{
$bindingContainer = $this->createBindingContainer($user, $table);
return $this->injectableFactory->createWithBinding(Map::class, $bindingContainer);
}
private function createBindingContainer(User $user, Table $table): BindingContainer
{
$bindingData = new BindingData();
$binder = new Binder($bindingData);
$binder
->bindInstance(User::class, $user)
->bindInstance(Table::class, $table)
->bindImplementation(CacheKeyProvider::class, DefaultCacheKeyProvider::class);
return new BindingContainer($bindingData);
}
}

82
application/Espo/Core/Acl/Map/MetadataProvider.php Normal file
View File

@@ -0,0 +1,82 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Map;
use Espo\Core\Utils\Metadata;
class MetadataProvider
{
protected string $type = 'acl';
public function __construct(private Metadata $metadata)
{}
/**
* @return string[]
*/
public function getScopeList(): array
{
/** @var string[] */
return array_keys($this->metadata->get('scopes') ?? []);
}
public function isScopeEntity(string $scope): bool
{
return (bool) $this->metadata->get(['scopes', $scope, 'entity']);
}
/**
* @return string[]
*/
public function getScopeFieldList(string $scope): array
{
/** @var string[] */
return array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
}
/**
* @return array<int, string>
*/
public function getPermissionList(): array
{
$itemList = $this->metadata->get(['app', $this->type, 'valuePermissionList']) ?? [];
return array_map(
function (string $item): string {
if (str_ends_with($item, 'Permission')) {
return substr($item, 0, -10);
}
return $item;
},
$itemList
);
}
}

90
application/Espo/Core/Acl/OwnerUserFieldProvider.php Normal file
View File

@@ -0,0 +1,90 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\Core\Name\Field;
use Espo\Core\ORM\Type\FieldType;
use Espo\Core\Utils\Metadata;
use Espo\Entities\User;
use Espo\ORM\Defs;
class OwnerUserFieldProvider
{
protected const FIELD_ASSIGNED_USERS = Field::ASSIGNED_USERS;
protected const FIELD_ASSIGNED_USER = Field::ASSIGNED_USER;
protected const FIELD_CREATED_BY = Field::CREATED_BY;
public function __construct(private Defs $ormDefs, private Metadata $metadata)
{}
/**
* Get an entity field that stores an owner-user (or multiple users).
* Must be a link or linkMultiple field. NULL means no owner.
*/
public function get(string $entityType): ?string
{
$value = $this->metadata->get(['aclDefs', $entityType, 'readOwnerUserField']);
if ($value) {
return $value;
}
$defs = $this->ormDefs->getEntity($entityType);
if (
$defs->hasField(self::FIELD_ASSIGNED_USERS) &&
$defs->getField(self::FIELD_ASSIGNED_USERS)->getType() === FieldType::LINK_MULTIPLE &&
$defs->hasRelation(self::FIELD_ASSIGNED_USERS) &&
$defs->getRelation(self::FIELD_ASSIGNED_USERS)->getForeignEntityType() === User::ENTITY_TYPE
) {
return self::FIELD_ASSIGNED_USERS;
}
if (
$defs->hasField(self::FIELD_ASSIGNED_USER) &&
$defs->getField(self::FIELD_ASSIGNED_USER)->getType() === FieldType::LINK &&
$defs->hasRelation(self::FIELD_ASSIGNED_USER) &&
$defs->getRelation(self::FIELD_ASSIGNED_USER)->getForeignEntityType() === User::ENTITY_TYPE
) {
return self::FIELD_ASSIGNED_USER;
}
if (
$defs->hasField(self::FIELD_CREATED_BY) &&
$defs->getField(self::FIELD_CREATED_BY)->getType() === FieldType::LINK &&
$defs->hasRelation(self::FIELD_CREATED_BY) &&
$defs->getRelation(self::FIELD_CREATED_BY)->getForeignEntityType() === User::ENTITY_TYPE
) {
return self::FIELD_CREATED_BY;
}
return null;
}
}

37
application/Espo/Core/Acl/OwnershipChecker.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
/**
* Bindings:
* - `$entityType` as of v9.1.0.
* - `Espo\Core\AclManager`
*/
interface OwnershipChecker {}

103
application/Espo/Core/Acl/OwnershipChecker/OwnershipCheckerFactory.php Normal file
View File

@@ -0,0 +1,103 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\OwnershipChecker;
use Espo\Core\Acl\DefaultOwnershipChecker;
use Espo\Core\Acl\Exceptions\NotImplemented;
use Espo\Core\Acl\OwnershipChecker;
use Espo\Core\AclManager;
use Espo\Core\Binding\Binder;
use Espo\Core\Binding\BindingContainer;
use Espo\Core\Binding\BindingData;
use Espo\Core\InjectableFactory;
use Espo\Core\Utils\Metadata;
class OwnershipCheckerFactory
{
/** @var class-string<OwnershipChecker> */
private string $defaultClassName = DefaultOwnershipChecker::class;
public function __construct(
private Metadata $metadata,
private InjectableFactory $injectableFactory
) {}
/**
* Create an ownership checker.
*
* @throws NotImplemented
*/
public function create(string $scope, AclManager $aclManager): OwnershipChecker
{
$className = $this->getClassName($scope);
$bindingContainer = $this->createBindingContainer($className, $aclManager, $scope);
return $this->injectableFactory->createWithBinding($className, $bindingContainer);
}
/**
* @return class-string<OwnershipChecker>
* @throws NotImplemented
*/
private function getClassName(string $scope): string
{
/** @var ?class-string<OwnershipChecker> $className */
$className = $this->metadata->get(['aclDefs', $scope, 'ownershipCheckerClassName']);
if ($className) {
return $className;
}
if (!$this->metadata->get(['scopes', $scope])) {
throw new NotImplemented();
}
return $this->defaultClassName;
}
/**
* @param class-string<OwnershipChecker> $className
*/
private function createBindingContainer(string $className, AclManager $aclManager, string $scope): BindingContainer
{
$bindingData = new BindingData();
$binder = new Binder($bindingData);
$binder->bindInstance(AclManager::class, $aclManager);
$binder
->for($className)
->bindValue('$entityType', $scope);
return new BindingContainer($bindingData);
}
}

46
application/Espo/Core/Acl/OwnershipOwnChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface OwnershipOwnChecker extends OwnershipChecker
{
/**
* Check whether a user is an owner of an entity.
*
* @param TEntity $entity
*/
public function checkOwn(User $user, Entity $entity): bool;
}

48
application/Espo/Core/Acl/OwnershipSharedChecker.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface OwnershipSharedChecker extends OwnershipChecker
{
/**
* Check whether an entity is shared with a user.
*
* @param TEntity $entity
* @param Table::ACTION_* $action
* @noinspection PhpDocSignatureInspection
*/
public function checkShared(User $user, Entity $entity, string $action): bool;
}

46
application/Espo/Core/Acl/OwnershipTeamChecker.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use Espo\ORM\Entity;
use Espo\Entities\User;
/**
* @template TEntity of Entity
*/
interface OwnershipTeamChecker extends OwnershipChecker
{
/**
* Check whether an entity belongs to a user team.
*
* @param TEntity $entity
*/
public function checkTeam(User $user, Entity $entity): bool;
}

46
application/Espo/Core/Acl/Permission.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
class Permission
{
public const ASSIGNMENT = 'assignment';
public const USER = 'user';
public const PORTAL = 'portal';
public const MASS_UPDATE = 'massUpdate';
public const EXPORT = 'export';
public const AUDIT = 'audit';
public const DATA_PRIVACY = 'dataPrivacy';
public const MESSAGE = 'message';
public const MENTION = 'mention';
public const USER_CALENDAR = 'userCalendar';
public const FOLLOWER_MANAGEMENT = 'followerManagement';
public const GROUP_EMAIL_ACCOUNT = 'groupEmailAccount';
}

183
application/Espo/Core/Acl/ScopeData.php Normal file
View File

@@ -0,0 +1,183 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
use stdClass;
use InvalidArgumentException;
use RuntimeException;
/**
* Scope data.
*/
class ScopeData
{
/** @var stdClass|bool */
private $raw;
/** @var array<string, string> */
private $actionData = [];
private bool $isBoolean = false;
private function __construct() {}
/**
* @return never
*/
public function __get(string $name)
{
throw new RuntimeException("Accessing ScopeData properties is not allowed.");
}
/**
* Is of boolean type.
*/
public function isBoolean(): bool
{
return $this->isBoolean;
}
/**
* Is true.
*/
public function isTrue(): bool
{
if (!$this->isBoolean) {
return false;
}
return $this->raw === true;
}
/**
* Is false.
*/
public function isFalse(): bool
{
if (!$this->isBoolean) {
return false;
}
return $this->raw === false;
}
/**
* Has any level other than 'no'.
*/
public function hasNotNo(): bool
{
foreach ($this->actionData as $level) {
if ($level !== Table::LEVEL_NO) {
return true;
}
}
return false;
}
/**
* Get a level for an action.
*/
public function get(string $action): string
{
return $this->actionData[$action] ?? Table::LEVEL_NO;
}
/**
* Get a 'read' level.
*/
public function getRead(): string
{
return $this->get(Table::ACTION_READ);
}
/**
* Get a 'stream' level.
*/
public function getStream(): string
{
return $this->get(Table::ACTION_STREAM);
}
/**
* Get a 'create' level.
*/
public function getCreate(): string
{
return $this->get(Table::ACTION_CREATE);
}
/**
* Get an 'edit' level.
*/
public function getEdit(): string
{
return $this->get(Table::ACTION_EDIT);
}
/**
* Get a 'delete' level.
*/
public function getDelete(): string
{
return $this->get(Table::ACTION_DELETE);
}
/**
* Create from a raw table value.
*
* @param stdClass|bool $raw
* @return self
*/
public static function fromRaw($raw): self
{
/** @var mixed $raw */
$obj = new self();
if ($raw instanceof stdClass) {
$obj->isBoolean = false;
$obj->actionData = get_object_vars($raw);
foreach ($obj->actionData as $item) {
if (!is_string($item)) {
throw new RuntimeException("Bad raw scope data.");
}
}
} else if (is_bool($raw)) {
$obj->isBoolean = true;
} else {
throw new InvalidArgumentException();
}
$obj->raw = $raw;
return $obj;
}
}

65
application/Espo/Core/Acl/Table.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl;
/**
* Access levels for a user.
*/
interface Table
{
public const LEVEL_YES = 'yes';
public const LEVEL_NO = 'no';
public const LEVEL_ALL = 'all';
public const LEVEL_TEAM = 'team';
public const LEVEL_OWN = 'own';
public const ACTION_READ = 'read';
public const ACTION_STREAM = 'stream';
public const ACTION_EDIT = 'edit';
public const ACTION_DELETE = 'delete';
public const ACTION_CREATE = 'create';
/**
* Get scope data.
*/
public function getScopeData(string $scope): ScopeData;
/**
* Get field data.
*/
public function getFieldData(string $scope, string $field): FieldData;
/**
* Get a permission level.
*
* @return self::ACTION_*
*/
public function getPermissionLevel(string $permission): string;
}

35
application/Espo/Core/Acl/Table/CacheKeyProvider.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
interface CacheKeyProvider
{
public function get(): string;
}

47
application/Espo/Core/Acl/Table/DefaultCacheKeyProvider.php Normal file
View File

@@ -0,0 +1,47 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Entities\User;
class DefaultCacheKeyProvider implements CacheKeyProvider
{
private $user;
public function __construct(User $user)
{
$this->user = $user;
}
public function get(): string
{
return 'acl/' . $this->user->getId();
}
}

103
application/Espo/Core/Acl/Table/DefaultRoleListProvider.php Normal file
View File

@@ -0,0 +1,103 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Core\Name\Field;
use Espo\Core\Utils\Config;
use Espo\Entities\Team;
use Espo\ORM\EntityManager;
use Espo\Entities\User;
use Espo\Entities\Role as RoleEntity;
class DefaultRoleListProvider implements RoleListProvider
{
private const PARAM_BASELINE_ROLE_ID = 'baselineRoleId';
public function __construct(
private User $user,
private EntityManager $entityManager,
private Config $config,
) {}
/**
* @return Role[]
*/
public function get(): array
{
$roleList = [];
$baselineRole = $this->getBaselineRole();
if ($baselineRole) {
$roleList[] = $baselineRole;
}
/** @var iterable<RoleEntity> $userRoleList */
$userRoleList = $this->entityManager
->getRelation($this->user, User::LINK_ROLES)
->find();
foreach ($userRoleList as $role) {
$roleList[] = $role;
}
/** @var iterable<Team> $teamList */
$teamList = $this->entityManager
->getRelation($this->user, Field::TEAMS)
->find();
foreach ($teamList as $team) {
/** @var iterable<RoleEntity> $teamRoleList */
$teamRoleList = $this->entityManager
->getRelation($team, Team::LINK_ROLES)
->find();
foreach ($teamRoleList as $role) {
$roleList[] = $role;
}
}
return array_map(
fn (RoleEntity $role) => new RoleEntityWrapper($role),
$roleList
);
}
private function getBaselineRole(): ?RoleEntity
{
$roleId = $this->config->get(self::PARAM_BASELINE_ROLE_ID);
if (!$roleId) {
return null;
}
return $this->entityManager->getRDBRepositoryByClass(RoleEntity::class)->getById($roleId);
}
}

699
application/Espo/Core/Acl/Table/DefaultTable.php Normal file
View File

@@ -0,0 +1,699 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Core\Utils\Config\SystemConfig;
use Espo\Entities\User;
use Espo\Core\Acl\FieldData;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
use Espo\Core\Utils\DataCache;
use Espo\Core\Utils\Metadata;
use stdClass;
use RuntimeException;
/**
* A table is generated for a user. Multiple roles are merged into a single table.
* Stores access levels.
*/
class DefaultTable implements Table
{
private const LEVEL_NOT_SET = 'not-set';
protected string $type = 'acl';
/** @var string[] */
private $actionList = [
self::ACTION_READ,
self::ACTION_STREAM,
self::ACTION_EDIT,
self::ACTION_DELETE,
self::ACTION_CREATE,
];
/** @var string[] */
private $booleanActionList = [
self::ACTION_CREATE,
];
/** @var string[] */
protected $levelList = [
self::LEVEL_YES,
self::LEVEL_ALL,
self::LEVEL_TEAM,
self::LEVEL_OWN,
self::LEVEL_NO,
];
/** @var string[] */
private $fieldActionList = [
self::ACTION_READ,
self::ACTION_EDIT,
];
/** @var string[] */
protected $fieldLevelList = [
self::LEVEL_YES,
self::LEVEL_NO,
];
private stdClass $data;
private string $cacheKey;
/** @var string[] */
private $valuePermissionList = [];
private ScopeDataResolver $scopeDataResolver;
public function __construct(
private RoleListProvider $roleListProvider,
CacheKeyProvider $cacheKeyProvider,
protected User $user,
SystemConfig $systemConfig,
protected Metadata $metadata,
DataCache $dataCache,
) {
$this->data = (object) [
'scopes' => (object) [],
'fields' => (object) [],
'permissions' => (object) [],
];
if (!$this->user->isFetched()) {
throw new RuntimeException('User must be fetched before ACL check.');
}
$this->valuePermissionList = $this->metadata
->get(['app', $this->type, 'valuePermissionList'], []);
$this->cacheKey = $cacheKeyProvider->get();
if ($systemConfig->useCache() && $dataCache->has($this->cacheKey)) {
/** @var stdClass $cachedData */
$cachedData = $dataCache->get($this->cacheKey);
$this->data = $cachedData;
} else {
$this->load();
if ($systemConfig->useCache()) {
$dataCache->store($this->cacheKey, $this->data);
}
}
$this->scopeDataResolver = new ScopeDataResolver($this);
}
/**
* Get scope data.
*/
public function getScopeData(string $scope): ScopeData
{
if (!isset($this->data->scopes->$scope)) {
return ScopeData::fromRaw(false);
}
$data = $this->data->scopes->$scope;
return $this->scopeDataResolver->resolve($data);
}
/**
* Get field data.
*/
public function getFieldData(string $scope, string $field): FieldData
{
if (!isset($this->data->fields->$scope)) {
return FieldData::fromRaw((object) [
self::ACTION_READ => self::LEVEL_YES,
self::ACTION_EDIT => self::LEVEL_YES,
]);
}
$data = $this->data->fields->$scope->$field ?? (object) [
self::ACTION_READ => self::LEVEL_YES,
self::ACTION_EDIT => self::LEVEL_YES,
];
return FieldData::fromRaw($data);
}
/**
* Get a permission level.
*/
public function getPermissionLevel(string $permission): string
{
return $this->data->permissions->$permission ?? self::LEVEL_NO;
}
private function load(): void
{
$valuePermissionLists = (object) [];
foreach ($this->valuePermissionList as $permission) {
$valuePermissionLists->$permission = [];
}
$aclTableList = [];
$fieldTableList = [];
$aclTable = (object) [];
$fieldTable = (object) [];
if (!$this->user->isAdmin()) {
$roleList = $this->roleListProvider->get();
foreach ($roleList as $role) {
$aclTableList[] = $role->getScopeTableData();
$fieldTableList[] = $role->getFieldTableData();
foreach ($this->valuePermissionList as $permissionKey) {
$permission = $this->normalizePermissionName($permissionKey);
$valuePermissionLists->{$permissionKey}[] = $role->getPermissionLevel($permission);
}
}
$aclTable = $this->mergeTableList($aclTableList);
$fieldTable = $this->mergeFieldTableList($fieldTableList);
$this->applyDefault($aclTable, $fieldTable);
$this->applyDisabled($aclTable, $fieldTable);
$this->applyMandatory($aclTable, $fieldTable);
}
if ($this->user->isAdmin()) {
$aclTable = (object) [];
$fieldTable = (object) [];
$this->applyHighest($aclTable);
$this->applyDisabled($aclTable, $fieldTable);
$this->applyAdminMandatory($aclTable, $fieldTable);
}
foreach (get_object_vars($aclTable) as $scope => $data) {
if (is_string($data) && isset($aclTable->$data)) {
$aclTable->$scope = $aclTable->$data;
}
}
$this->data->scopes = $aclTable;
$this->data->fields = $fieldTable;
if (!$this->user->isAdmin()) {
foreach ($this->valuePermissionList as $permissionKey) {
$permission = $this->normalizePermissionName($permissionKey);
$defaultLevel = $this->metadata
->get(['app', $this->type, 'permissionsStrictDefaults', $permissionKey]) ??
self::LEVEL_NO;
$this->data->permissions->$permission = $this->mergeValueList(
$valuePermissionLists->$permissionKey,
$defaultLevel
);
$mandatoryLevel = $this->metadata->get(['app', $this->type, 'mandatory', $permissionKey]);
if ($mandatoryLevel !== null) {
$this->data->permissions->$permission = $mandatoryLevel;
}
}
}
if ($this->user->isAdmin()) {
foreach ($this->valuePermissionList as $permissionKey) {
$permission = $this->normalizePermissionName($permissionKey);
$highestLevel = $this->metadata
->get(['app', $this->type, 'valuePermissionHighestLevels', $permissionKey]);
if ($highestLevel !== null) {
$this->data->permissions->$permission = $highestLevel;
continue;
}
$this->data->permissions->$permission = self::LEVEL_ALL;
}
}
}
private function normalizePermissionName(string $permissionKey): string
{
$permission = $permissionKey;
if (str_ends_with($permissionKey, 'Permission')) {
$permission = substr($permissionKey, 0, -10);
}
return $permission;
}
private function applyHighest(stdClass $table): void
{
foreach ($this->getScopeList() as $scope) {
if ($this->metadata->get(['scopes', $scope, $this->type]) === ScopeDataType::BOOLEAN) {
$table->$scope = true;
continue;
}
if (!$this->metadata->get(['scopes', $scope, 'entity'])) {
continue;
}
$table->$scope = (object) [];
$actionList = $this->metadata->get(
['scopes', $scope, $this->type . 'ActionList'],
$this->actionList
);
$highest = $this->metadata->get(
['scopes', $scope, $this->type . 'HighestLevel'],
self::LEVEL_ALL
);
foreach ($actionList as $action) {
$table->$scope->$action = $highest;
if (in_array($action, $this->booleanActionList)) {
$table->$scope->$action = self::LEVEL_YES;
}
}
}
}
protected function applyDefault(stdClass &$table, stdClass &$fieldTable): void
{
if ($this->user->isAdmin()) {
return;
}
$data = $this->metadata->get(['app', $this->type, 'strictDefault', 'scopeLevel'], []);
foreach ($data as $scope => $item) {
if (isset($table->$scope)) {
continue;
}
$value = $item;
if (is_array($item)) {
$value = (object) $item;
}
$table->$scope = $value;
}
$defaultFieldData = $this->metadata
->get(['app', $this->type, 'strictDefault', 'fieldLevel']) ?? [];
foreach ($this->getScopeList() as $scope) {
if (isset($table->$scope) && $table->$scope === false) {
continue;
}
if (!$this->metadata->get(['scopes', $scope, 'entity'])) {
continue;
}
$fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
$defaultScopeFieldData = $this->metadata
->get(['app', $this->type, 'strictDefault', 'scopeFieldLevel', $scope]) ?? [];
foreach (array_merge($defaultFieldData, $defaultScopeFieldData) as $field => $f) {
if (!in_array($field, $fieldList)) {
continue;
}
if (!isset($fieldTable->$scope)) {
$fieldTable->$scope = (object) [];
}
if (isset($fieldTable->$scope->$field)) {
continue;
}
$fieldTable->$scope->$field = (object) [];
foreach ($this->fieldActionList as $action) {
$level = self::LEVEL_NO;
if ($f === true) {
$level = self::LEVEL_YES;
} else {
if (is_array($f) && isset($f[$action])) {
$level = $f[$action];
}
}
$fieldTable->$scope->$field->$action = $level;
}
}
}
foreach ($this->getScopeWithAclList() as $scope) {
if (isset($table->$scope)) {
continue;
}
$aclType = $this->metadata->get(['scopes', $scope, $this->type]);
if (empty($aclType)) {
continue;
}
$table->$scope = false;
}
}
private function applyMandatoryInternal(stdClass $table, stdClass $fieldTable, string $type): void
{
$data = $this->metadata->get(['app', $this->type, $type, 'scopeLevel']) ?? [];
foreach ($data as $scope => $item) {
$value = $item;
if (is_array($item)) {
$value = (object) $item;
}
$table->$scope = $value;
}
$mandatoryFieldData = $this->metadata->get(['app', $this->type, $type, 'fieldLevel']) ?? [];
foreach ($this->getScopeList() as $scope) {
if (isset($table->$scope) && $table->$scope === false) {
continue;
}
if (!$this->metadata->get(['scopes', $scope, 'entity'])) {
continue;
}
$fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
$mandatoryScopeFieldData = $this->metadata
->get(['app', $this->type, $type, 'scopeFieldLevel', $scope]) ?? [];
foreach (array_merge($mandatoryFieldData, $mandatoryScopeFieldData) as $field => $item) {
if (!in_array($field, $fieldList)) {
continue;
}
if (!isset($fieldTable->$scope)) {
$fieldTable->$scope = (object) [];
}
$fieldTable->$scope->$field = (object) [];
foreach ($this->fieldActionList as $action) {
$level = self::LEVEL_NO;
if ($item === true) {
$level = self::LEVEL_YES;
} else {
if (is_array($item) && isset($item[$action])) {
$level = $item[$action];
}
}
$fieldTable->$scope->$field->$action = $level;
}
}
}
}
private function applyMandatory(stdClass $table, stdClass $fieldTable): void
{
$this->applyMandatoryInternal($table, $fieldTable, 'mandatory');
}
private function applyAdminMandatory(stdClass $table, stdClass $fieldTable): void
{
$this->applyMandatoryInternal($table, $fieldTable, 'adminMandatory');
}
protected function applyDisabled(stdClass $table, stdClass $fieldTable): void
{
foreach ($this->getScopeList() as $scope) {
if ($this->metadata->get(['scopes', $scope, 'disabled'])) {
$table->$scope = false;
unset($fieldTable->$scope);
}
}
}
/**
* @param string[] $list
*/
private function mergeValueList(array $list, string $defaultValue): string
{
$result = null;
foreach ($list as $level) {
if ($level === self::LEVEL_NOT_SET) {
continue;
}
if (is_null($result)) {
$result = $level;
continue;
}
if (
array_search($result, $this->levelList) >
array_search($level, $this->levelList)
) {
$result = $level;
}
}
if (is_null($result)) {
$result = $defaultValue;
}
return $result;
}
/**
* @return string[]
*/
protected function getScopeWithAclList(): array
{
$scopeList = [];
$scopes = $this->metadata->get('scopes');
foreach ($scopes as $scope => $d) {
if (empty($d['acl'])) {
continue;
}
$scopeList[] = $scope;
}
return $scopeList;
}
/**
* @return string[]
*/
protected function getScopeList(): array
{
$scopeList = [];
$scopes = $this->metadata->get('scopes');
foreach ($scopes as $scope => $item) {
$scopeList[] = $scope;
}
return $scopeList;
}
/**
* @param stdClass[] $tableList
*/
private function mergeTableList(array $tableList): stdClass
{
$data = (object) [];
$scopeList = $this->getScopeWithAclList();
foreach ($tableList as $table) {
foreach ($scopeList as $scope) {
if (!isset($table->$scope)) {
continue;
}
$this->mergeTableListItem($data, $scope, $table->$scope);
}
}
return $data;
}
/**
* @param stdClass|bool|null $row
*/
private function mergeTableListItem(stdClass $data, string $scope, $row): void
{
if ($row === false || $row === null) {
if (!isset($data->$scope)) {
$data->$scope = false;
}
return;
}
if ($row === true) {
$data->$scope = true;
return;
}
if (!isset($data->$scope)) {
$data->$scope = (object) [];
}
if ($data->$scope === false) {
$data->$scope = (object) [];
}
if (!is_object($row)) {
return;
}
$actionList = $this->metadata
->get(['scopes', $scope, $this->type . 'ActionList']) ?? $this->actionList;
foreach ($actionList as $i => $action) {
if (isset($row->$action)) {
$level = $row->$action;
if (!isset($data->$scope->$action)) {
$data->$scope->$action = $level;
} else if (
array_search($data->$scope->$action, $this->levelList) >
array_search($level, $this->levelList)
) {
$data->$scope->$action = $level;
}
continue;
}
if ($i === 0) {
continue;
}
// @todo Remove everything below.
$previousAction = $this->actionList[$i - 1];
if (in_array($action, $this->booleanActionList)) {
$data->$scope->$action = self::LEVEL_YES;
} else if ($action === self::ACTION_STREAM && isset($data->$scope->$previousAction)) {
$data->$scope->$action = $data->$scope->$previousAction;
}
}
}
/**
* @param stdClass[] $tableList
*/
private function mergeFieldTableList(array $tableList): stdClass
{
$data = (object) [];
$scopeList = $this->getScopeWithAclList();
foreach ($tableList as $table) {
foreach ($scopeList as $scope) {
if (!isset($table->$scope)) {
continue;
}
if (!isset($data->$scope)) {
$data->$scope = (object) [];
}
if (!is_object($table->$scope)) {
continue;
}
$fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
foreach (get_object_vars($table->$scope) as $field => $row) {
if (!is_object($row)) {
continue;
}
if (!in_array($field, $fieldList)) {
continue;
}
if (!isset($data->$scope->$field)) {
$data->$scope->$field = (object) [];
}
foreach ($this->fieldActionList as $action) {
if (!isset($row->$action)) {
continue;
}
$level = $row->$action;
if (!isset($data->$scope->$field->$action)) {
$data->$scope->$field->$action = $level;
} else {
if (
array_search(
$data->$scope->$field->$action,
$this->fieldLevelList
) > array_search($level, $this->fieldLevelList)
) {
$data->$scope->$field->$action = $level;
}
}
}
}
}
}
return $data;
}
}

67
application/Espo/Core/Acl/Table/DefaultTableFactory.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Entities\User;
use Espo\Core\Acl\Table;
use Espo\Core\Binding\Binder;
use Espo\Core\Binding\BindingContainer;
use Espo\Core\Binding\BindingData;
use Espo\Core\InjectableFactory;
class DefaultTableFactory implements TableFactory
{
public function __construct(private InjectableFactory $injectableFactory)
{}
/**
* Create a table.
*/
public function create(User $user): Table
{
$bindingContainer = $this->createBindingContainer($user);
return $this->injectableFactory->createWithBinding(DefaultTable::class, $bindingContainer);
}
private function createBindingContainer(User $user): BindingContainer
{
$bindingData = new BindingData();
$binder = new Binder($bindingData);
$binder
->bindInstance(User::class, $user)
->bindImplementation(RoleListProvider::class, DefaultRoleListProvider::class)
->bindImplementation(CacheKeyProvider::class, DefaultCacheKeyProvider::class);
return new BindingContainer($bindingData);
}
}

41
application/Espo/Core/Acl/Table/Role.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use stdClass;
interface Role
{
public function getScopeTableData(): stdClass;
public function getFieldTableData(): stdClass;
public function getPermissionLevel(string $permission): ?string;
}

55
application/Espo/Core/Acl/Table/RoleEntityWrapper.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\ORM\Entity;
use stdClass;
class RoleEntityWrapper implements Role
{
public function __construct(private Entity $entity)
{}
public function getScopeTableData(): stdClass
{
return $this->entity->get('data') ?? (object) [];
}
public function getFieldTableData(): stdClass
{
return $this->entity->get('fieldData') ?? (object) [];
}
public function getPermissionLevel(string $permission): ?string
{
return $this->entity->get($permission . 'Permission');
}
}

38
application/Espo/Core/Acl/Table/RoleListProvider.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
interface RoleListProvider
{
/**
* @return array<int, Role>
*/
public function get(): array;
}

66
application/Espo/Core/Acl/Table/ScopeDataResolver.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Core\Acl\ScopeData;
use Espo\Core\Acl\Table;
/**
* @internal
*/
class ScopeDataResolver
{
public function __construct(
private Table $table,
) {}
public function resolve(mixed $data): ScopeData
{
if (!is_string($data)) {
return ScopeData::fromRaw($data);
}
$foreignScope = $data;
$isBoolean = false;
if (str_starts_with($data, 'boolean:')) {
[, $foreignScope] = explode(':', $data, 2);
$isBoolean = true;
}
$scopeData = $this->table->getScopeData($foreignScope);
if ($isBoolean && !$scopeData->isBoolean()) {
return ScopeData::fromRaw(true);
}
return $scopeData;
}
}

35
application/Espo/Core/Acl/Table/ScopeDataType.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
class ScopeDataType
{
const BOOLEAN = 'boolean';
}

42
application/Espo/Core/Acl/Table/TableFactory.php Normal file
View File

@@ -0,0 +1,42 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Table;
use Espo\Entities\User;
use Espo\Core\Acl\Table;
interface TableFactory
{
/**
* Create a table.
*/
public function create(User $user): Table;
}

95
application/Espo/Core/Acl/Traits/DefaultAccessCheckerDependency.php Normal file
View File

@@ -0,0 +1,95 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Acl\Traits;
use Espo\ORM\Entity;
use Espo\Entities\User;
use Espo\Core\Acl\DefaultAccessChecker;
use Espo\Core\Acl\ScopeData;
trait DefaultAccessCheckerDependency
{
private DefaultAccessChecker $defaultAccessChecker;
public function check(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->check($user, $data);
}
public function checkCreate(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkCreate($user, $data);
}
public function checkRead(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkRead($user, $data);
}
public function checkEdit(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEdit($user, $data);
}
public function checkDelete(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkDelete($user, $data);
}
public function checkStream(User $user, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkStream($user, $data);
}
public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
}
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data);
}
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
}
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data);
}
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
{
return $this->defaultAccessChecker->checkEntityStream($user, $entity, $data);
}
}