- Модуль: crm
- Путь к файлу: ~/bitrix/modules/crm/classes/general/crm_activity.php
- Класс: \CAllCrmActivity
- Вызов: CAllCrmActivity::BuildPermSql
/**
 * Builds the SQL condition that limits activity rows to those the user may access.
 *
 * For each owner entity type a permission fragment is requested from the matching
 * CRM permission builder; the usable fragments are scoped by OWNER_TYPE_ID and
 * joined with OR. A positive current user ID adds a RESPONSIBLE_ID clause in front.
 *
 * Security notes for callers:
 * - The three return values mean different things and must be told apart with a
 *   strict comparison: '' = no restriction (administrator), false = access denied.
 *   A loose check such as `if (!$sql)` treats "deny" and "unrestricted" alike.
 * - $aliasPrefix is only checked to be a non-empty string and is then placed into
 *   the SQL text unescaped, so it must be a fixed alias chosen by the calling code,
 *   never a value taken from a request.
 * - Without RAW_QUERY the result is a bare "a OR b OR c" expression with no outer
 *   parentheses; it has to be wrapped before being AND-ed with other conditions.
 * - NOTE(review): the administrator check and the per-type permission lookup use
 *   the user resolved from $arOptions['PERMS'], while the RESPONSIBLE_ID clause
 *   uses CCrmSecurityHelper::GetCurrentUserID(). Confirm that this is intended
 *   when PERMS belongs to a user other than the current one.
 * - NOTE(review): dynamic types are pre-filtered with canReadType() whatever
 *   $permType is; $permType is only passed on to the SQL builders.
 *
 * @param string $aliasPrefix Alias of the activity table in the outer query; 'A' when empty or not a string.
 * @param string $permType Permission type passed unchanged to the underlying builders.
 * @param array $arOptions Options. Keys read here: 'PERMS' (permissions object providing GetUserID()),
 *   'RAW_QUERY' (strictly true wraps the condition into a SELECT of activity IDs). 'RESTRICT_BY_IDS'
 *   is dropped and 'IDENTITY_COLUMN' defaults to 'OWNER_ID' before options reach the builders.
 * @return string|false '' for an administrator, false when nothing is accessible, otherwise the SQL text.
 */
static function BuildPermSql($aliasPrefix = 'A', $permType = 'READ', $arOptions = array())
{
	// Malformed arguments fall back to their defaults instead of failing.
	if (!is_string($aliasPrefix) || $aliasPrefix === '')
	{
		$aliasPrefix = 'A';
	}
	if (!is_array($arOptions))
	{
		$arOptions = [];
	}

	// Take the user from the supplied permissions object, otherwise from the context.
	$userPermissions = $arOptions['PERMS'] ?? null;
	$userID = is_object($userPermissions)
		? $userPermissions->GetUserID()
		: Container::getInstance()->getContext()->getUserId();

	if (CCrmPerms::IsAdmin($userID))
	{
		// Empty string: the caller applies no restriction at all.
		return '';
	}
	if (!CCrmPerms::IsAccessEnabled($userPermissions))
	{
		// The user has no CRM permissions at all.
		return false;
	}

	$permOptions = array_merge(['IDENTITY_COLUMN' => 'OWNER_ID'], $arOptions);
	// RESTRICT_BY_IDS is dropped on purpose: a filter by activity ID cannot be
	// applied to Lead, Deal, Contact or Company. RAW_QUERY is handled at the end.
	unset($permOptions['RAW_QUERY'], $permOptions['RESTRICT_BY_IDS']);

	// Built-in owner types. Invoice is left out because invoices have no activities.
	$sqlByType = [
		(string)CCrmOwnerType::Lead => CCrmLead::BuildPermSql($aliasPrefix, $permType, $permOptions),
		(string)CCrmOwnerType::Deal => CCrmDeal::BuildPermSql($aliasPrefix, $permType, $permOptions),
		(string)CCrmOwnerType::Contact => CCrmContact::BuildPermSql($aliasPrefix, $permType, $permOptions),
		(string)CCrmOwnerType::Company => CCrmCompany::BuildPermSql($aliasPrefix, $permType, $permOptions),
		(string)CCrmOwnerType::Order => CCrmPerms::BuildSql(
			CCrmOwnerType::OrderName,
			$aliasPrefix,
			$permType,
			$permOptions
		),
		(string)CCrmOwnerType::Quote => CCrmPerms::BuildSql(
			CCrmOwnerType::QuoteName,
			$aliasPrefix,
			$permType,
			$permOptions
		),
	];

	// Remaining types known to the types map: skip those already handled above
	// and those the user cannot read.
	$container = Container::getInstance();
	$resolvedPermissions = $container->getUserPermissions($userID);
	foreach ($container->getTypesMap()->getFactories() as $factory)
	{
		$typeId = $factory->getEntityTypeId();
		if (array_key_exists((string)$typeId, $sqlByType) || !$resolvedPermissions->canReadType($typeId))
		{
			continue;
		}

		$helper = new Crm\Category\PermissionEntityTypeHelper($typeId);
		$sqlByType[(string)$typeId] = CCrmPerms::BuildSqlForEntitySet(
			$helper->getAllPermissionEntityTypesForEntity(),
			$aliasPrefix,
			$permType,
			$permOptions
		);
	}

	$clauses = [];
	foreach ($sqlByType as $entityTypeID => $entitySql)
	{
		if (!is_string($entitySql))
		{
			// A non-string result means access denied for this type: records of
			// this type are left out of the condition.
			continue;
		}

		// An empty fragment means "no permission check": every record of the type matches.
		$clauses[$entityTypeID] = $entitySql === ''
			? "({$aliasPrefix}.OWNER_TYPE_ID = {$entityTypeID})"
			: "({$aliasPrefix}.OWNER_TYPE_ID = {$entityTypeID} AND ({$entitySql}) )";
	}

	if (empty($clauses))
	{
		// No type is accessible, so the user has no permissions at all.
		return false;
	}

	$sql = implode(' OR ', $clauses);

	$currentUserId = CCrmSecurityHelper::GetCurrentUserID();
	if ($currentUserId > 0)
	{
		// The responsible user may see the activity without a permission check.
		$sql = "{$aliasPrefix}.RESPONSIBLE_ID = {$currentUserId} OR {$sql}";
	}

	if (($arOptions['RAW_QUERY'] ?? null) === true)
	{
		// Raw mode: return a complete SELECT of the permitted activity IDs.
		$tableName = \CCrmActivity::TABLE_NAME;
		$sql = "SELECT {$aliasPrefix}.ID FROM {$tableName} {$aliasPrefix} WHERE {$sql}";
	}

	return $sql;
}