Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
2fe49090 | 4 | | CiviCRM version 5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
8c9251b3 | 6 | | Copyright CiviCRM LLC (c) 2004-2018 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
6a488035 TO |
28 | /** |
29 | * This class is intended to test ACL permission using the multisite module | |
30 | * | |
7884d958 | 31 | * @package CiviCRM_APIv3 |
32 | * @subpackage API_Contact | |
acb109b7 | 33 | * @group headless |
6a488035 | 34 | */ |
6a488035 | 35 | class api_v3_ACLPermissionTest extends CiviUnitTestCase { |
4e420887 | 36 | protected $_apiversion = 3; |
4e420887 | 37 | public $DBResetRequired = FALSE; |
430ae6dd | 38 | protected $_entity; |
c16ed19b | 39 | protected $allowedContactId = 0; |
f404486e | 40 | protected $allowedContacts = array(); |
430ae6dd | 41 | |
00be9182 | 42 | public function setUp() { |
6a488035 TO |
43 | parent::setUp(); |
44 | $baoObj = new CRM_Core_DAO(); | |
45 | $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0); | |
46 | $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0); | |
5e8daa54 | 47 | $this->prepareForACLs(); |
6a488035 | 48 | } |
7884d958 | 49 | |
50 | /** | |
51 | * (non-PHPdoc) | |
52 | * @see CiviUnitTestCase::tearDown() | |
53 | */ | |
00be9182 | 54 | public function tearDown() { |
5e8daa54 | 55 | $this->cleanUpAfterACLs(); |
6a488035 | 56 | $tablesToTruncate = array( |
7884d958 | 57 | 'civicrm_contact', |
ae4bb4c9 EM |
58 | 'civicrm_group_contact', |
59 | 'civicrm_group', | |
60 | 'civicrm_acl', | |
61 | 'civicrm_acl_cache', | |
62 | 'civicrm_acl_entity_role', | |
63 | 'civicrm_acl_contact_cache', | |
64 | 'civicrm_contribution', | |
65 | 'civicrm_participant', | |
225d474b | 66 | 'civicrm_uf_match', |
bbd2743b | 67 | 'civicrm_activity', |
68 | 'civicrm_activity_contact', | |
c6835264 CW |
69 | 'civicrm_note', |
70 | 'civicrm_entity_tag', | |
71 | 'civicrm_tag', | |
6a488035 TO |
72 | ); |
73 | $this->quickCleanup($tablesToTruncate); | |
6a488035 | 74 | } |
7884d958 | 75 | |
76 | /** | |
eceb18cc | 77 | * Function tests that an empty where hook returns no results. |
7884d958 | 78 | */ |
00be9182 | 79 | public function testContactGetNoResultsHook() { |
6a488035 | 80 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); |
4e420887 | 81 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
82 | 'check_permissions' => 1, |
83 | 'return' => 'display_name', | |
84 | )); | |
6a488035 TO |
85 | $this->assertEquals(0, $result['count']); |
86 | } | |
87 | ||
1028f75e | 88 | /** |
1a4651ba | 89 | * Function tests that an empty where hook returns exactly 1 result with "view my contact". |
1028f75e | 90 | * |
91 | * CRM-16512 caused contacts with Edit my contact to be able to view all records. | |
92 | */ | |
1a4651ba | 93 | public function testContactGetOneResultHookWithViewMyContact() { |
1028f75e | 94 | $this->createLoggedInUser(); |
95 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
96 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view my contact'); | |
97 | $result = $this->callAPISuccess('contact', 'get', array( | |
98 | 'check_permissions' => 1, | |
99 | 'return' => 'display_name', | |
100 | )); | |
1a4651ba CW |
101 | $this->assertEquals(1, $result['count']); |
102 | } | |
103 | ||
104 | /** | |
105 | * Function tests that a user with "edit my contact" can edit themselves. | |
106 | */ | |
107 | public function testContactEditHookWithEditMyContact() { | |
1a4651ba CW |
108 | $cid = $this->createLoggedInUser(); |
109 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
110 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'edit my contact'); | |
111 | $this->callAPISuccess('contact', 'create', array( | |
112 | 'check_permissions' => 1, | |
113 | 'id' => $cid, | |
114 | )); | |
1028f75e | 115 | } |
116 | ||
52ed95a8 | 117 | /** |
118 | * Ensure contact permissions do not block contact-less location entities. | |
119 | */ | |
120 | public function testAddressWithoutContactIDAccess() { | |
121 | $ownID = $this->createLoggedInUser(); | |
122 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view all contacts'); | |
123 | $this->callAPISuccess('Address', 'create', array( | |
124 | 'city' => 'Mouseville', | |
125 | 'location_type_id' => 'Main', | |
126 | 'api.LocBlock.create' => 1, | |
127 | 'contact_id' => $ownID, | |
128 | )); | |
129 | $this->callAPISuccessGetSingle('Address', array('city' => 'Mouseville', 'check_permissions' => 1)); | |
130 | CRM_Core_DAO::executeQuery('UPDATE civicrm_address SET contact_id = NULL WHERE contact_id = %1', array(1 => array($ownID, 'Integer'))); | |
131 | $this->callAPISuccessGetSingle('Address', array('city' => 'Mouseville', 'check_permissions' => 1)); | |
132 | } | |
133 | ||
c16ed19b CW |
134 | /** |
135 | * Ensure contact permissions extend to related entities like email | |
136 | */ | |
137 | public function testRelatedEntityPermissions() { | |
0a61b6e2 | 138 | $this->createLoggedInUser(); |
c16ed19b CW |
139 | $disallowedContact = $this->individualCreate(array(), 0); |
140 | $this->allowedContactId = $this->individualCreate(array(), 1); | |
141 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne')); | |
142 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM'); | |
143 | $testEntities = array( | |
0a61b6e2 CW |
144 | 'Email' => array('email' => 'null@nothing', 'location_type_id' => 1), |
145 | 'Phone' => array('phone' => '123456', 'location_type_id' => 1), | |
146 | 'IM' => array('name' => 'hello', 'location_type_id' => 1), | |
c16ed19b | 147 | 'Website' => array('url' => 'http://test'), |
0a61b6e2 | 148 | 'Address' => array('street_address' => '123 Sesame St.', 'location_type_id' => 1), |
c16ed19b CW |
149 | ); |
150 | foreach ($testEntities as $entity => $params) { | |
151 | $params += array( | |
152 | 'contact_id' => $disallowedContact, | |
153 | 'check_permissions' => 1, | |
154 | ); | |
155 | // We should be prevented from getting or creating entities for a contact we don't have permission for | |
156 | $this->callAPIFailure($entity, 'create', $params); | |
c6835264 | 157 | $this->callAPISuccess($entity, 'create', array('check_permissions' => 0) + $params); |
c16ed19b CW |
158 | $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $disallowedContact, 'check_permissions' => 1)); |
159 | $this->assertEquals(0, $results['count']); | |
160 | ||
161 | // We should be allowed to create and get for contacts we do have permission on | |
162 | $params['contact_id'] = $this->allowedContactId; | |
163 | $this->callAPISuccess($entity, 'create', $params); | |
164 | $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $this->allowedContactId, 'check_permissions' => 1)); | |
165 | $this->assertGreaterThan(0, $results['count']); | |
166 | } | |
c6835264 CW |
167 | $newTag = civicrm_api3('Tag', 'create', array( |
168 | 'name' => 'Foo123', | |
169 | )); | |
170 | $relatedEntities = array( | |
171 | 'Note' => array('note' => 'abc'), | |
172 | 'EntityTag' => array('tag_id' => $newTag['id']), | |
173 | ); | |
174 | foreach ($relatedEntities as $entity => $params) { | |
175 | $params += array( | |
176 | 'entity_id' => $disallowedContact, | |
177 | 'entity_table' => 'civicrm_contact', | |
178 | 'check_permissions' => 1, | |
179 | ); | |
180 | // We should be prevented from getting or creating entities for a contact we don't have permission for | |
181 | $this->callAPIFailure($entity, 'create', $params); | |
182 | $this->callAPISuccess($entity, 'create', array('check_permissions' => 0) + $params); | |
183 | $results = $this->callAPISuccess($entity, 'get', array('entity_id' => $disallowedContact, 'entity_table' => 'civicrm_contact', 'check_permissions' => 1)); | |
184 | $this->assertEquals(0, $results['count']); | |
185 | ||
186 | // We should be allowed to create and get for entities we do have permission on | |
187 | $params['entity_id'] = $this->allowedContactId; | |
188 | $this->callAPISuccess($entity, 'create', $params); | |
189 | $results = $this->callAPISuccess($entity, 'get', array('entity_id' => $this->allowedContactId, 'entity_table' => 'civicrm_contact', 'check_permissions' => 1)); | |
190 | $this->assertGreaterThan(0, $results['count']); | |
191 | } | |
c16ed19b CW |
192 | } |
193 | ||
6a488035 | 194 | /** |
eceb18cc | 195 | * Function tests all results are returned. |
7884d958 | 196 | */ |
00be9182 | 197 | public function testContactGetAllResultsHook() { |
6a488035 | 198 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 199 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 200 | 'check_permissions' => 1, |
201 | 'return' => 'display_name', | |
6a488035 TO |
202 | )); |
203 | ||
6a488035 TO |
204 | $this->assertEquals(2, $result['count']); |
205 | } | |
7884d958 | 206 | |
6a488035 | 207 | /** |
eceb18cc | 208 | * Function tests that deleted contacts are not returned. |
7884d958 | 209 | */ |
00be9182 | 210 | public function testContactGetPermissionHookNoDeleted() { |
f5052d4d | 211 | $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1)); |
6a488035 | 212 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 213 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 214 | 'check_permissions' => 1, |
215 | 'return' => 'display_name', | |
6a488035 | 216 | )); |
6a488035 TO |
217 | $this->assertEquals(1, $result['count']); |
218 | } | |
219 | ||
220 | /** | |
eceb18cc | 221 | * Test permissions limited by hook. |
6a488035 | 222 | */ |
00be9182 | 223 | public function testContactGetHookLimitingHook() { |
6a488035 TO |
224 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
225 | ||
4e420887 | 226 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
227 | 'check_permissions' => 1, |
228 | 'return' => 'display_name', | |
7884d958 | 229 | )); |
6a488035 TO |
230 | $this->assertEquals(1, $result['count']); |
231 | } | |
232 | ||
7884d958 | 233 | /** |
1028f75e | 234 | * Confirm that without check permissions we still get 2 contacts returned. |
7884d958 | 235 | */ |
00be9182 | 236 | public function testContactGetHookLimitingHookDontCheck() { |
4e420887 | 237 | $result = $this->callAPISuccess('contact', 'get', array( |
238 | 'check_permissions' => 0, | |
239 | 'return' => 'display_name', | |
6a488035 | 240 | )); |
6a488035 TO |
241 | $this->assertEquals(2, $result['count']); |
242 | } | |
7884d958 | 243 | |
6a488035 | 244 | /** |
eceb18cc | 245 | * Check that id works as a filter. |
6a488035 | 246 | */ |
00be9182 | 247 | public function testContactGetIDFilter() { |
6a488035 | 248 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 249 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
250 | 'sequential' => 1, |
251 | 'id' => 2, | |
252 | 'check_permissions' => 1, | |
253 | )); | |
254 | ||
6a488035 TO |
255 | $this->assertEquals(1, $result['count']); |
256 | $this->assertEquals(2, $result['id']); | |
257 | } | |
258 | ||
7884d958 | 259 | /** |
eceb18cc | 260 | * Check that address IS returned. |
7884d958 | 261 | */ |
00be9182 | 262 | public function testContactGetAddressReturned() { |
7884d958 | 263 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
264 | $fullresult = $this->callAPISuccess('contact', 'get', array( | |
265 | 'sequential' => 1, | |
266 | )); | |
267 | //return doesn't work for all keys - can't fix that here so let's skip ... | |
268 | //prefix & suffix are inconsistent due to CRM-7929 | |
269 | // unsure about others but return doesn't work on them | |
270 | $elementsReturnDoesntSupport = array( | |
7884d958 | 271 | 'prefix', |
7884d958 | 272 | 'suffix', |
7884d958 | 273 | 'gender', |
274 | 'current_employer', | |
275 | 'phone_id', | |
276 | 'phone_type_id', | |
277 | 'phone', | |
278 | 'worldregion_id', | |
21dfd5f5 | 279 | 'world_region', |
7884d958 | 280 | ); |
281 | $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport); | |
282 | $result = $this->callAPISuccess('contact', 'get', array( | |
283 | 'check_permissions' => 1, | |
284 | 'return' => $expectedReturnElements, | |
285 | 'sequential' => 1, | |
286 | )); | |
287 | $this->assertEquals(1, $result['count']); | |
288 | foreach ($expectedReturnElements as $element) { | |
289 | $this->assertArrayHasKey($element, $result['values'][0]); | |
6a488035 | 290 | } |
7884d958 | 291 | } |
292 | ||
293 | /** | |
eceb18cc | 294 | * Check that pledge IS not returned. |
7884d958 | 295 | */ |
00be9182 | 296 | public function testContactGetPledgeIDNotReturned() { |
7884d958 | 297 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
f5052d4d | 298 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 299 | 'sequential' => 1, |
300 | )); | |
301 | $result = $this->callAPISuccess('contact', 'get', array( | |
302 | 'check_permissions' => 1, | |
303 | 'return' => 'pledge_id', | |
304 | 'sequential' => 1, | |
305 | )); | |
306 | $this->assertArrayNotHasKey('pledge_id', $result['values'][0]); | |
307 | } | |
6a488035 | 308 | |
7884d958 | 309 | /** |
eceb18cc | 310 | * Check that pledge IS not an allowable filter. |
7884d958 | 311 | */ |
00be9182 | 312 | public function testContactGetPledgeIDNotFiltered() { |
7884d958 | 313 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
f5052d4d | 314 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 315 | 'sequential' => 1, |
316 | )); | |
317 | $result = $this->callAPISuccess('contact', 'get', array( | |
318 | 'check_permissions' => 1, | |
319 | 'pledge_id' => 1, | |
320 | 'sequential' => 1, | |
321 | )); | |
322 | $this->assertEquals(2, $result['count']); | |
323 | } | |
324 | ||
325 | /** | |
326 | * Check that chaining doesn't bypass permissions | |
327 | */ | |
00be9182 | 328 | public function testContactGetPledgeNotChainable() { |
7884d958 | 329 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
f5052d4d | 330 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 331 | 'sequential' => 1, |
332 | )); | |
f5052d4d | 333 | $this->callAPIFailure('contact', 'get', array( |
6a488035 | 334 | 'check_permissions' => 1, |
7884d958 | 335 | 'api.pledge.get' => 1, |
6a488035 | 336 | 'sequential' => 1, |
4e420887 | 337 | ), |
d235daf6 | 338 | 'Error in call to Pledge_get : API permission check failed for Pledge/get call; insufficient permission: require access CiviCRM and access CiviPledge' |
7884d958 | 339 | ); |
340 | } | |
6a488035 | 341 | |
00be9182 | 342 | public function setupCoreACL() { |
ae4bb4c9 | 343 | $this->createLoggedInUser(); |
5896d037 | 344 | $this->_permissionedDisabledGroup = $this->groupCreate(array( |
92915c55 TO |
345 | 'title' => 'pick-me-disabled', |
346 | 'is_active' => 0, | |
347 | 'name' => 'pick-me-disabled', | |
348 | )); | |
5896d037 | 349 | $this->_permissionedGroup = $this->groupCreate(array( |
92915c55 TO |
350 | 'title' => 'pick-me-active', |
351 | 'is_active' => 1, | |
352 | 'name' => 'pick-me-active', | |
353 | )); | |
ae4bb4c9 EM |
354 | $this->setupACL(); |
355 | } | |
5896d037 | 356 | |
ae4bb4c9 EM |
357 | /** |
358 | * @dataProvider entities | |
359 | * confirm that without check permissions we still get 2 contacts returned | |
1e1fdcf6 | 360 | * @param $entity |
ae4bb4c9 | 361 | */ |
00be9182 | 362 | public function testEntitiesGetHookLimitingHookNoCheck($entity) { |
ae4bb4c9 EM |
363 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); |
364 | $this->setUpEntities($entity); | |
365 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
366 | $result = $this->callAPISuccess($entity, 'get', array( | |
367 | 'check_permissions' => 0, | |
368 | 'return' => 'contact_id', | |
369 | )); | |
370 | $this->assertEquals(2, $result['count']); | |
371 | } | |
372 | ||
373 | /** | |
374 | * @dataProvider entities | |
375 | * confirm that without check permissions we still get 2 entities returned | |
1e1fdcf6 | 376 | * @param $entity |
ae4bb4c9 | 377 | */ |
00be9182 | 378 | public function testEntitiesGetCoreACLLimitingHookNoCheck($entity) { |
ae4bb4c9 EM |
379 | $this->setupCoreACL(); |
380 | //CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
381 | $this->setUpEntities($entity); | |
382 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
383 | $result = $this->callAPISuccess($entity, 'get', array( | |
384 | 'check_permissions' => 0, | |
385 | 'return' => 'contact_id', | |
386 | )); | |
387 | $this->assertEquals(2, $result['count']); | |
388 | } | |
5896d037 | 389 | |
ae4bb4c9 EM |
390 | /** |
391 | * @dataProvider entities | |
392 | * confirm that with check permissions we don't get entities | |
1e1fdcf6 EM |
393 | * @param $entity |
394 | * @throws \PHPUnit_Framework_IncompleteTestError | |
ae4bb4c9 | 395 | */ |
00be9182 | 396 | public function testEntitiesGetCoreACLLimitingCheck($entity) { |
ae4bb4c9 EM |
397 | $this->setupCoreACL(); |
398 | $this->setUpEntities($entity); | |
ae4bb4c9 EM |
399 | $result = $this->callAPISuccess($entity, 'get', array( |
400 | 'check_permissions' => 1, | |
401 | 'return' => 'contact_id', | |
402 | )); | |
403 | $this->assertEquals(0, $result['count']); | |
404 | } | |
405 | ||
ae4bb4c9 EM |
406 | /** |
407 | * @dataProvider entities | |
408 | * Function tests that an empty where hook returns no results | |
1028f75e | 409 | * @param string $entity |
1e1fdcf6 | 410 | * @throws \PHPUnit_Framework_IncompleteTestError |
ae4bb4c9 | 411 | */ |
00be9182 | 412 | public function testEntityGetNoResultsHook($entity) { |
ae4bb4c9 EM |
413 | $this->markTestIncomplete('hook acls only work with contacts so far'); |
414 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
415 | $this->setUpEntities($entity); | |
416 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
417 | $result = $this->callAPISuccess($entity, 'get', array( | |
418 | 'check_permission' => 1, | |
419 | )); | |
420 | $this->assertEquals(0, $result['count']); | |
421 | } | |
422 | ||
423 | /** | |
424 | * @return array | |
425 | */ | |
426 | public static function entities() { | |
6c6e6187 | 427 | return array(array('contribution'), array('participant'));// @todo array('pledge' => 'pledge') |
ae4bb4c9 EM |
428 | } |
429 | ||
430 | /** | |
431 | * Create 2 entities | |
1e1fdcf6 | 432 | * @param $entity |
ae4bb4c9 EM |
433 | */ |
434 | public function setUpEntities($entity) { | |
435 | $baoObj = new CRM_Core_DAO(); | |
5896d037 | 436 | $baoObj->createTestObject(_civicrm_api3_get_BAO($entity), array(), 2, 0); |
ae4bb4c9 EM |
437 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array( |
438 | 'access CiviCRM', | |
439 | 'access CiviContribute', | |
440 | 'access CiviEvent', | |
441 | 'view event participants', | |
442 | ); | |
443 | } | |
444 | ||
6a488035 | 445 | /** |
eceb18cc | 446 | * All results returned. |
24602943 | 447 | * |
f5052d4d | 448 | * @implements CRM_Utils_Hook::aclWhereClause |
24602943 | 449 | * |
450 | * @param string $type | |
451 | * @param array $tables | |
452 | * @param array $whereTables | |
453 | * @param int $contactID | |
454 | * @param string $where | |
7884d958 | 455 | */ |
00be9182 | 456 | public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) { |
6a488035 TO |
457 | $where = " (1) "; |
458 | } | |
7884d958 | 459 | |
6a488035 | 460 | /** |
c16ed19b | 461 | * All but first results returned. |
f5052d4d | 462 | * @implements CRM_Utils_Hook::aclWhereClause |
1e1fdcf6 EM |
463 | * @param $type |
464 | * @param $tables | |
465 | * @param $whereTables | |
466 | * @param $contactID | |
467 | * @param $where | |
7884d958 | 468 | */ |
00be9182 | 469 | public function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) { |
6a488035 TO |
470 | $where = " contact_a.id > 1"; |
471 | } | |
96025800 | 472 | |
c16ed19b CW |
473 | /** |
474 | * Only specified contact returned. | |
475 | * @implements CRM_Utils_Hook::aclWhereClause | |
476 | * @param $type | |
477 | * @param $tables | |
478 | * @param $whereTables | |
479 | * @param $contactID | |
480 | * @param $where | |
481 | */ | |
482 | public function aclWhereOnlyOne($type, &$tables, &$whereTables, &$contactID, &$where) { | |
483 | $where = " contact_a.id = " . $this->allowedContactId; | |
484 | } | |
485 | ||
bbd2743b | 486 | /** |
487 | * Basic check that an unpermissioned call keeps working and permissioned call fails. | |
488 | */ | |
489 | public function testGetActivityNoPermissions() { | |
490 | $this->setPermissions(array()); | |
491 | $this->callAPISuccess('Activity', 'get', array()); | |
492 | $this->callAPIFailure('Activity', 'get', array('check_permissions' => 1)); | |
493 | } | |
494 | ||
495 | /** | |
496 | * View all activities is enough regardless of contact ACLs. | |
497 | */ | |
498 | public function testGetActivityViewAllActivitiesEnoughWithOrWithoutID() { | |
499 | $activity = $this->activityCreate(); | |
500 | $this->setPermissions(array('view all activities', 'access CiviCRM')); | |
501 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
502 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1)); | |
503 | } | |
504 | ||
505 | /** | |
506 | * View all activities is required unless id is passed in. | |
507 | */ | |
3c9d67b0 | 508 | public function testGetActivityViewAllContactsEnoughWIthoutID() { |
bbd2743b | 509 | $this->setPermissions(array('view all contacts', 'access CiviCRM')); |
3c9d67b0 | 510 | $this->callAPISuccess('Activity', 'get', array('check_permissions' => 1)); |
bbd2743b | 511 | } |
512 | ||
513 | /** | |
514 | * View all activities is required unless id is passed in, in which case ACLs are used. | |
515 | */ | |
516 | public function testGetActivityViewAllContactsEnoughWIthID() { | |
517 | $activity = $this->activityCreate(); | |
518 | $this->setPermissions(array('view all contacts', 'access CiviCRM')); | |
519 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
520 | } | |
521 | ||
522 | /** | |
523 | * View all activities is required unless id is passed in, in which case ACLs are used. | |
524 | */ | |
525 | public function testGetActivityAccessCiviCRMNotEnough() { | |
526 | $activity = $this->activityCreate(); | |
527 | $this->setPermissions(array('access CiviCRM')); | |
528 | $this->callAPIFailure('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
529 | } | |
530 | ||
531 | /** | |
532 | * Check that activities can be retrieved by ACL. | |
533 | * | |
534 | * The activities api applies ACLs in a very limited circumstance, if id is passed in. | |
535 | * Otherwise it sticks with the blunt original permissions. | |
536 | */ | |
537 | public function testGetActivityByACL() { | |
538 | $this->setPermissions(array('access CiviCRM')); | |
539 | $activity = $this->activityCreate(); | |
540 | ||
541 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
542 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
543 | } | |
544 | ||
545 | /** | |
546 | * To leverage ACL permission to view an activity you must be able to see all of the contacts. | |
547 | */ | |
548 | public function testGetActivityByAclCannotViewAllContacts() { | |
549 | $activity = $this->activityCreate(); | |
550 | $contacts = $this->getActivityContacts($activity); | |
551 | $this->setPermissions(array('access CiviCRM')); | |
552 | ||
553 | foreach ($contacts as $contact_id) { | |
554 | $this->allowedContactId = $contact_id; | |
555 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne')); | |
556 | $this->callAPIFailure('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
557 | } | |
558 | } | |
559 | ||
560 | /** | |
561 | * Check that if the source contact is deleted but we can view the others we can see the activity. | |
562 | * | |
563 | * CRM-18409. | |
564 | * | |
565 | * @throws \CRM_Core_Exception | |
566 | */ | |
567 | public function testGetActivityACLSourceContactDeleted() { | |
568 | $this->setPermissions(array('access CiviCRM', 'delete contacts')); | |
569 | $activity = $this->activityCreate(); | |
570 | $contacts = $this->getActivityContacts($activity); | |
571 | ||
572 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
573 | $this->contactDelete($contacts['source_contact_id']); | |
574 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
575 | } | |
576 | ||
f404486e SL |
577 | /** |
578 | * Test get activities multiple ids with check permissions | |
579 | * CRM-20441 | |
580 | */ | |
581 | public function testActivitiesGetMultipleIdsCheckPermissions() { | |
582 | $this->createLoggedInUser(); | |
583 | $activity = $this->activityCreate(); | |
584 | $activity2 = $this->activityCreate(); | |
585 | $this->setPermissions(array('access CiviCRM')); | |
586 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
587 | // Get activities associated with contact $this->_contactID. | |
588 | $params = array( | |
589 | 'id' => array('IN' => array($activity['id'], $activity2['id'])), | |
590 | 'check_permissions' => TRUE, | |
591 | ); | |
592 | $result = $this->callAPISuccess('activity', 'get', $params); | |
593 | $this->assertEquals(2, $result['count']); | |
594 | } | |
595 | ||
596 | /** | |
597 | * Test get activities multiple ids with check permissions | |
598 | * Limit access to One contact | |
599 | * CRM-20441 | |
600 | */ | |
601 | public function testActivitiesGetMultipleIdsCheckPermissionsLimitedACL() { | |
602 | $this->createLoggedInUser(); | |
603 | $activity = $this->activityCreate(); | |
604 | $contacts = $this->getActivityContacts($activity); | |
605 | $this->setPermissions(array('access CiviCRM')); | |
606 | foreach ($contacts as $contact_id) { | |
607 | $this->allowedContacts[] = $contact_id; | |
608 | } | |
609 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereMultipleContacts')); | |
610 | $contact2 = $this->individualCreate(); | |
611 | $activity2 = $this->activityCreate(array('source_contact_id' => $contact2)); | |
612 | // Get activities associated with contact $this->_contactID. | |
613 | $params = array( | |
614 | 'id' => array('IN' => array($activity['id'])), | |
615 | 'check_permissions' => TRUE, | |
616 | ); | |
617 | $result = $this->callAPISuccess('activity', 'get', $params); | |
618 | $this->assertEquals(1, $result['count']); | |
619 | $this->callAPIFailure('activity', 'get', array_merge($params, array('id' => array('IN', array($activity2['id']))))); | |
620 | } | |
621 | ||
dfe0e2e1 SL |
622 | /** |
623 | * Test get activities multiple ids with check permissions | |
624 | * CRM-20441 | |
625 | */ | |
626 | public function testActivitiesGetMultipleIdsCheckPermissionsNotIN() { | |
627 | $this->createLoggedInUser(); | |
628 | $activity = $this->activityCreate(); | |
629 | $activity2 = $this->activityCreate(); | |
630 | $this->setPermissions(array('access CiviCRM')); | |
631 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
632 | // Get activities associated with contact $this->_contactID. | |
633 | $params = array( | |
634 | 'id' => array('NOT IN' => array($activity['id'], $activity2['id'])), | |
635 | 'check_permissions' => TRUE, | |
636 | ); | |
3c9d67b0 | 637 | $result = $this->callAPISuccess('activity', 'get', $params); |
638 | $this->assertEquals(0, $result['count']); | |
dfe0e2e1 SL |
639 | } |
640 | ||
bbd2743b | 641 | /** |
642 | * Get the contacts for the activity. | |
643 | * | |
644 | * @param $activity | |
645 | * | |
646 | * @return array | |
647 | * @throws \CRM_Core_Exception | |
648 | */ | |
649 | protected function getActivityContacts($activity) { | |
650 | $contacts = array(); | |
651 | ||
652 | $activityContacts = $this->callAPISuccess('ActivityContact', 'get', array( | |
653 | 'activity_id' => $activity['id'], | |
654 | ) | |
655 | ); | |
656 | ||
657 | $activityRecordTypes = $this->callAPISuccess('ActivityContact', 'getoptions', array('field' => 'record_type_id')); | |
658 | foreach ($activityContacts['values'] as $activityContact) { | |
659 | $type = $activityRecordTypes['values'][$activityContact['record_type_id']]; | |
660 | switch ($type) { | |
661 | case 'Activity Source': | |
662 | $contacts['source_contact_id'] = $activityContact['contact_id']; | |
663 | break; | |
664 | ||
665 | case 'Activity Targets': | |
666 | $contacts['target_contact_id'] = $activityContact['contact_id']; | |
667 | break; | |
668 | ||
669 | case 'Activity Assignees': | |
670 | $contacts['assignee_contact_id'] = $activityContact['contact_id']; | |
671 | break; | |
672 | ||
673 | } | |
674 | } | |
675 | return $contacts; | |
676 | } | |
677 | ||
6a488035 | 678 | } |