. * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "EspoCRM" word. ************************************************************************/ namespace Espo\Classes\Acl\User; use Espo\Core\Acl\Permission; use Espo\Entities\User; use Espo\ORM\Entity; use Espo\Core\Acl\AccessEntityCREDSChecker; use Espo\Core\Acl\DefaultAccessChecker; use Espo\Core\Acl\ScopeData; use Espo\Core\Acl\Table; use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency; use Espo\Core\AclManager; /** * @implements AccessEntityCREDSChecker */ class AccessChecker implements AccessEntityCREDSChecker { use DefaultAccessCheckerDependency; public function __construct( private DefaultAccessChecker $defaultAccessChecker, private AclManager $aclManager, ) {} public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool { if (!$user->isAdmin()) { return false; } if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) { return false; } return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data); } public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool { if (!$user->isAdmin() && !$entity->isActive()) { return false; } if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) { return false; } if ($entity->isSystem()) { return false; } if ($entity->isPortal()) { return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES; } return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data); } public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool { if ($entity->isSystem()) { return false; } if (!$user->isAdmin()) { if ($user->getId() !== $entity->getId()) { return false; } } if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) { return false; } return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data); } public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool { if (!$user->isAdmin()) { return false; } if ($entity->isSystem()) { return false; } if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) { return false; } return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data); } public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool { /** @noinspection PhpRedundantOptionalArgumentInspection */ return $this->aclManager->checkUserPermission($user, $entity, Permission::USER); } }