[civicrm-core.git] / tests / phpunit / api / v3 / ACLPermissionTest.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.4                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2013                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

require_once 'CiviTest/CiviUnitTestCase.php';

/**
 * This class is intended to test ACL permission using the multisite module
 *
 * @package CiviCRM_APIv3
 * @subpackage API_Contact
 */

class api_v3_ACLPermissionTest extends CiviUnitTestCase {
  protected $_apiversion = 3;
  protected $_params;
  protected $hookClass = NULL;
  public $DBResetRequired = FALSE;

  public $_eNoticeCompliant = TRUE;

  protected $_entity;

  function setUp() {
    parent::setUp();
    $baoObj = new CRM_Core_DAO();
    $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
    $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
    $this->hookClass = CRM_Utils_Hook::singleton();
    $config = CRM_Core_Config::singleton();
    $config->userPermissionClass->permissions = array();
  }

  /**
   * (non-PHPdoc)
   * @see CiviUnitTestCase::tearDown()
   */
  function tearDown() {
    CRM_Utils_Hook::singleton()->reset();
    $tablesToTruncate = array(
      'civicrm_contact',
    );
    $this->quickCleanup($tablesToTruncate);
    $config = CRM_Core_Config::singleton();
    unset($config->userPermissionClass->permissions);
  }

  /**
   * Function tests that an empty where hook returns no results
   */
  function testContactGetNoResultsHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));
    $this->assertEquals(0, $result['count']);
  }

  /**
   * Function tests all results are returned
   */
  function testContactGetAllResultsHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));

    $this->assertEquals(2, $result['count']);
  }

  /**
   * Function tests that deleted contacts are not returned
   */
  function testContactGetPermissionHookNoDeleted() {
    $result = $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1));
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));
    $this->assertEquals(1, $result['count']);
  }

  /**
   * test permissions limited by hook
   */
  function testContactGetHookLimitingHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));

    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));
    $this->assertEquals(1, $result['count']);
  }

  /**
   * confirm that without check permissions we still get 2 contacts returned
   */
  function testContactGetHookLimitingHookDontCheck() {
    //
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 0,
      'return' => 'display_name',
    ));
    $this->assertEquals(2, $result['count']);
  }

  /**
   * Check that id works as a filter
   */
  function testContactGetIDFilter() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->callAPISuccess('contact', 'get', array(
      'sequential' => 1,
      'id' => 2,
      'check_permissions' => 1,
    ));

    $this->assertEquals(1, $result['count']);
    $this->assertEquals(2, $result['id']);
  }

  /**
   * Check that address IS returned
   */
  function testContactGetAddressReturned() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
    $fullresult = $this->callAPISuccess('contact', 'get', array(
      'sequential' => 1,
    ));
    //return doesn't work for all keys - can't fix that here so let's skip ...
    //prefix & suffix are inconsistent due to  CRM-7929
    // unsure about others but return doesn't work on them
    $elementsReturnDoesntSupport = array(
      'prefix',
      'suffix',
      'gender',
      'current_employer',
      'phone_id',
      'phone_type_id',
      'phone',
      'worldregion_id',
      'world_region'
    );
    $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => $expectedReturnElements,
      'sequential' => 1,
    ));
    $this->assertEquals(1, $result['count']);
    foreach ($expectedReturnElements as $element) {
      $this->assertArrayHasKey($element, $result['values'][0]);
    }
  }

  /**
   * Check that pledge IS not returned
   */
  function testContactGetPledgeIDNotReturned() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $fullresult = $this->callAPISuccess('contact', 'get', array(
      'sequential' => 1,
    ));
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'return' => 'pledge_id',
      'sequential' => 1,
    ));
    $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
  }

  /**
   * Check that pledge IS not an allowable filter
   */
  function testContactGetPledgeIDNotFiltered() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $fullresult = $this->callAPISuccess('contact', 'get', array(
      'sequential' => 1,
    ));
    $result = $this->callAPISuccess('contact', 'get', array(
      'check_permissions' => 1,
      'pledge_id' => 1,
      'sequential' => 1,
    ));
    $this->assertEquals(2, $result['count']);
  }

  /**
   * Check that chaining doesn't bypass permissions
   */
  function testContactGetPledgeNotChainable() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
    $fullresult = $this->callAPISuccess('contact', 'get', array(
      'sequential' => 1,
    ));
    $result = $this->callAPIFailure('contact', 'get', array(
        'check_permissions' => 1,
        'api.pledge.get' => 1,
        'sequential' => 1,
      ),
      'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.'
    );
  }

  /**
   * no results returned
   */
  function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
  }

  /**
   * all results returned
   */
  function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
    $where = " (1) ";
  }

  /**
   * full results returned
   */
  function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
    $where = " contact_a.id > 1";
  }


}
Commit	Line	Data
6a488035	1	<?php
6a488035 TO	2	/*
6a488035 TO	3	+--------------------------------------------------------------------+
232624b1	4	\| CiviCRM version 4.4 \|
6a488035 TO	5	+--------------------------------------------------------------------+
	6	\| Copyright CiviCRM LLC (c) 2004-2013 \|
	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	require_once 'CiviTest/CiviUnitTestCase.php';
	29
	30	/**
	31	* This class is intended to test ACL permission using the multisite module
	32	*
7884d958	33	* @package CiviCRM_APIv3
7884d958	34	* @subpackage API_Contact
6a488035 TO	35	*/
	36
	37	class api_v3_ACLPermissionTest extends CiviUnitTestCase {
4e420887	38	protected $_apiversion = 3;
6a488035	39	protected $_params;
7884d958	40	protected $hookClass = NULL;
4e420887	41	public $DBResetRequired = FALSE;
6a488035 TO	42
	43	public $_eNoticeCompliant = TRUE;
	44
430ae6dd TO	45	protected $_entity;
	46
	47	function setUp() {
6a488035 TO	48	parent::setUp();
	49	$baoObj = new CRM_Core_DAO();
	50	$baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
	51	$baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
	52	$this->hookClass = CRM_Utils_Hook::singleton();
	53	$config = CRM_Core_Config::singleton();
	54	$config->userPermissionClass->permissions = array();
	55	}
7884d958	56
	57	/**
	58	* (non-PHPdoc)
	59	* @see CiviUnitTestCase::tearDown()
	60	*/
6a488035	61	function tearDown() {
e182b859	62	CRM_Utils_Hook::singleton()->reset();
6a488035	63	$tablesToTruncate = array(
7884d958	64	'civicrm_contact',
6a488035 TO	65	);
	66	$this->quickCleanup($tablesToTruncate);
	67	$config = CRM_Core_Config::singleton();
	68	unset($config->userPermissionClass->permissions);
	69	}
7884d958	70
	71	/**
	72	* Function tests that an empty where hook returns no results
	73	*/
	74	function testContactGetNoResultsHook() {
6a488035	75	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
4e420887	76	$result = $this->callAPISuccess('contact', 'get', array(
6a488035 TO	77	'check_permissions' => 1,
	78	'return' => 'display_name',
	79	));
6a488035 TO	80	$this->assertEquals(0, $result['count']);
	81	}
	82
	83	/**
	84	* Function tests all results are returned
7884d958	85	*/
7884d958	86	function testContactGetAllResultsHook() {
6a488035	87	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
4e420887	88	$result = $this->callAPISuccess('contact', 'get', array(
7884d958	89	'check_permissions' => 1,
7884d958	90	'return' => 'display_name',
6a488035 TO	91	));
6a488035 TO	92
6a488035 TO	93	$this->assertEquals(2, $result['count']);
6a488035 TO	94	}
7884d958	95
6a488035	96	/**
5d3b3d60	97	* Function tests that deleted contacts are not returned
7884d958	98	*/
7884d958	99	function testContactGetPermissionHookNoDeleted() {
6fa193fb	100	$result = $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1));
6a488035	101	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
4e420887	102	$result = $this->callAPISuccess('contact', 'get', array(
7884d958	103	'check_permissions' => 1,
7884d958	104	'return' => 'display_name',
6a488035	105	));
6a488035 TO	106	$this->assertEquals(1, $result['count']);
	107	}
	108
	109	/**
	110	* test permissions limited by hook
	111	*/
7884d958	112	function testContactGetHookLimitingHook() {
6a488035 TO	113	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
6a488035 TO	114
4e420887	115	$result = $this->callAPISuccess('contact', 'get', array(
6a488035 TO	116	'check_permissions' => 1,
6a488035 TO	117	'return' => 'display_name',
7884d958	118	));
6a488035 TO	119	$this->assertEquals(1, $result['count']);
	120	}
	121
7884d958	122	/**
	123	* confirm that without check permissions we still get 2 contacts returned
	124	*/
	125	function testContactGetHookLimitingHookDontCheck() {
6a488035	126	//
4e420887	127	$result = $this->callAPISuccess('contact', 'get', array(
	128	'check_permissions' => 0,
	129	'return' => 'display_name',
6a488035	130	));
6a488035 TO	131	$this->assertEquals(2, $result['count']);
6a488035 TO	132	}
7884d958	133
6a488035 TO	134	/**
	135	* Check that id works as a filter
	136	*/
7884d958	137	function testContactGetIDFilter() {
6a488035	138	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
4e420887	139	$result = $this->callAPISuccess('contact', 'get', array(
6a488035 TO	140	'sequential' => 1,
	141	'id' => 2,
	142	'check_permissions' => 1,
	143	));
	144
6a488035 TO	145	$this->assertEquals(1, $result['count']);
	146	$this->assertEquals(2, $result['id']);
	147	}
	148
7884d958	149	/**
	150	* Check that address IS returned
	151	*/
	152	function testContactGetAddressReturned() {
	153	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
	154	$fullresult = $this->callAPISuccess('contact', 'get', array(
	155	'sequential' => 1,
	156	));
	157	//return doesn't work for all keys - can't fix that here so let's skip ...
	158	//prefix & suffix are inconsistent due to CRM-7929
	159	// unsure about others but return doesn't work on them
	160	$elementsReturnDoesntSupport = array(
7884d958	161	'prefix',
7884d958	162	'suffix',
7884d958	163	'gender',
	164	'current_employer',
	165	'phone_id',
	166	'phone_type_id',
	167	'phone',
	168	'worldregion_id',
	169	'world_region'
	170	);
	171	$expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
	172	$result = $this->callAPISuccess('contact', 'get', array(
	173	'check_permissions' => 1,
	174	'return' => $expectedReturnElements,
	175	'sequential' => 1,
	176	));
	177	$this->assertEquals(1, $result['count']);
	178	foreach ($expectedReturnElements as $element) {
	179	$this->assertArrayHasKey($element, $result['values'][0]);
6a488035	180	}
7884d958	181	}
	182
	183	/**
	184	* Check that pledge IS not returned
	185	*/
	186	function testContactGetPledgeIDNotReturned() {
	187	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
	188	$fullresult = $this->callAPISuccess('contact', 'get', array(
	189	'sequential' => 1,
	190	));
	191	$result = $this->callAPISuccess('contact', 'get', array(
	192	'check_permissions' => 1,
	193	'return' => 'pledge_id',
	194	'sequential' => 1,
	195	));
	196	$this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
	197	}
6a488035	198
7884d958	199	/**
	200	* Check that pledge IS not an allowable filter
	201	*/
	202	function testContactGetPledgeIDNotFiltered() {
	203	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
	204	$fullresult = $this->callAPISuccess('contact', 'get', array(
	205	'sequential' => 1,
	206	));
	207	$result = $this->callAPISuccess('contact', 'get', array(
	208	'check_permissions' => 1,
	209	'pledge_id' => 1,
	210	'sequential' => 1,
	211	));
	212	$this->assertEquals(2, $result['count']);
	213	}
	214
	215	/**
	216	* Check that chaining doesn't bypass permissions
	217	*/
	218	function testContactGetPledgeNotChainable() {
	219	$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
	220	$fullresult = $this->callAPISuccess('contact', 'get', array(
	221	'sequential' => 1,
	222	));
	223	$result = $this->callAPIFailure('contact', 'get', array(
6a488035	224	'check_permissions' => 1,
7884d958	225	'api.pledge.get' => 1,
6a488035	226	'sequential' => 1,
4e420887	227	),
4e420887	228	'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.'
7884d958	229	);
7884d958	230	}
6a488035 TO	231
	232	/**
	233	* no results returned
	234	*/
	235	function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
	236	}
7884d958	237
6a488035 TO	238	/**
6a488035 TO	239	* all results returned
7884d958	240	*/
6a488035 TO	241	function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
	242	$where = " (1) ";
	243	}
7884d958	244
6a488035 TO	245	/**
6a488035 TO	246	* full results returned
7884d958	247	*/
6a488035 TO	248	function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
	249	$where = " contact_a.id > 1";
	250	}
	251
	252
	253	}
	254