Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
81621fee | 4 | | CiviCRM version 4.7 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
fa938177 | 6 | | Copyright CiviCRM LLC (c) 2004-2016 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
6a488035 TO |
28 | /** |
29 | * This class is intended to test ACL permission using the multisite module | |
30 | * | |
7884d958 | 31 | * @package CiviCRM_APIv3 |
32 | * @subpackage API_Contact | |
acb109b7 | 33 | * @group headless |
6a488035 | 34 | */ |
6a488035 | 35 | class api_v3_ACLPermissionTest extends CiviUnitTestCase { |
4e420887 | 36 | protected $_apiversion = 3; |
4e420887 | 37 | public $DBResetRequired = FALSE; |
430ae6dd | 38 | protected $_entity; |
c16ed19b | 39 | protected $allowedContactId = 0; |
430ae6dd | 40 | |
00be9182 | 41 | public function setUp() { |
6a488035 TO |
42 | parent::setUp(); |
43 | $baoObj = new CRM_Core_DAO(); | |
44 | $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0); | |
45 | $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0); | |
6a488035 TO |
46 | $config = CRM_Core_Config::singleton(); |
47 | $config->userPermissionClass->permissions = array(); | |
48 | } | |
7884d958 | 49 | |
50 | /** | |
51 | * (non-PHPdoc) | |
52 | * @see CiviUnitTestCase::tearDown() | |
53 | */ | |
00be9182 | 54 | public function tearDown() { |
e182b859 | 55 | CRM_Utils_Hook::singleton()->reset(); |
6a488035 | 56 | $tablesToTruncate = array( |
7884d958 | 57 | 'civicrm_contact', |
ae4bb4c9 EM |
58 | 'civicrm_group_contact', |
59 | 'civicrm_group', | |
60 | 'civicrm_acl', | |
61 | 'civicrm_acl_cache', | |
62 | 'civicrm_acl_entity_role', | |
63 | 'civicrm_acl_contact_cache', | |
64 | 'civicrm_contribution', | |
65 | 'civicrm_participant', | |
225d474b | 66 | 'civicrm_uf_match', |
bbd2743b | 67 | 'civicrm_activity', |
68 | 'civicrm_activity_contact', | |
6a488035 TO |
69 | ); |
70 | $this->quickCleanup($tablesToTruncate); | |
71 | $config = CRM_Core_Config::singleton(); | |
72 | unset($config->userPermissionClass->permissions); | |
73 | } | |
7884d958 | 74 | |
75 | /** | |
eceb18cc | 76 | * Function tests that an empty where hook returns no results. |
7884d958 | 77 | */ |
00be9182 | 78 | public function testContactGetNoResultsHook() { |
6a488035 | 79 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); |
4e420887 | 80 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
81 | 'check_permissions' => 1, |
82 | 'return' => 'display_name', | |
83 | )); | |
6a488035 TO |
84 | $this->assertEquals(0, $result['count']); |
85 | } | |
86 | ||
1028f75e | 87 | /** |
1a4651ba | 88 | * Function tests that an empty where hook returns exactly 1 result with "view my contact". |
1028f75e | 89 | * |
90 | * CRM-16512 caused contacts with Edit my contact to be able to view all records. | |
91 | */ | |
1a4651ba | 92 | public function testContactGetOneResultHookWithViewMyContact() { |
1028f75e | 93 | $this->createLoggedInUser(); |
94 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
95 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view my contact'); | |
96 | $result = $this->callAPISuccess('contact', 'get', array( | |
97 | 'check_permissions' => 1, | |
98 | 'return' => 'display_name', | |
99 | )); | |
1a4651ba CW |
100 | $this->assertEquals(1, $result['count']); |
101 | } | |
102 | ||
103 | /** | |
104 | * Function tests that a user with "edit my contact" can edit themselves. | |
105 | */ | |
106 | public function testContactEditHookWithEditMyContact() { | |
1a4651ba CW |
107 | $cid = $this->createLoggedInUser(); |
108 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
109 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'edit my contact'); | |
110 | $this->callAPISuccess('contact', 'create', array( | |
111 | 'check_permissions' => 1, | |
112 | 'id' => $cid, | |
113 | )); | |
1028f75e | 114 | } |
115 | ||
c16ed19b CW |
116 | /** |
117 | * Ensure contact permissions extend to related entities like email | |
118 | */ | |
119 | public function testRelatedEntityPermissions() { | |
0a61b6e2 | 120 | $this->createLoggedInUser(); |
c16ed19b CW |
121 | $disallowedContact = $this->individualCreate(array(), 0); |
122 | $this->allowedContactId = $this->individualCreate(array(), 1); | |
123 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne')); | |
124 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM'); | |
125 | $testEntities = array( | |
0a61b6e2 CW |
126 | 'Email' => array('email' => 'null@nothing', 'location_type_id' => 1), |
127 | 'Phone' => array('phone' => '123456', 'location_type_id' => 1), | |
128 | 'IM' => array('name' => 'hello', 'location_type_id' => 1), | |
c16ed19b | 129 | 'Website' => array('url' => 'http://test'), |
0a61b6e2 | 130 | 'Address' => array('street_address' => '123 Sesame St.', 'location_type_id' => 1), |
c16ed19b CW |
131 | ); |
132 | foreach ($testEntities as $entity => $params) { | |
133 | $params += array( | |
134 | 'contact_id' => $disallowedContact, | |
135 | 'check_permissions' => 1, | |
136 | ); | |
137 | // We should be prevented from getting or creating entities for a contact we don't have permission for | |
138 | $this->callAPIFailure($entity, 'create', $params); | |
139 | $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $disallowedContact, 'check_permissions' => 1)); | |
140 | $this->assertEquals(0, $results['count']); | |
141 | ||
142 | // We should be allowed to create and get for contacts we do have permission on | |
143 | $params['contact_id'] = $this->allowedContactId; | |
144 | $this->callAPISuccess($entity, 'create', $params); | |
145 | $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $this->allowedContactId, 'check_permissions' => 1)); | |
146 | $this->assertGreaterThan(0, $results['count']); | |
147 | } | |
148 | } | |
149 | ||
6a488035 | 150 | /** |
eceb18cc | 151 | * Function tests all results are returned. |
7884d958 | 152 | */ |
00be9182 | 153 | public function testContactGetAllResultsHook() { |
6a488035 | 154 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 155 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 156 | 'check_permissions' => 1, |
157 | 'return' => 'display_name', | |
6a488035 TO |
158 | )); |
159 | ||
6a488035 TO |
160 | $this->assertEquals(2, $result['count']); |
161 | } | |
7884d958 | 162 | |
6a488035 | 163 | /** |
eceb18cc | 164 | * Function tests that deleted contacts are not returned. |
7884d958 | 165 | */ |
00be9182 | 166 | public function testContactGetPermissionHookNoDeleted() { |
f5052d4d | 167 | $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1)); |
6a488035 | 168 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 169 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 170 | 'check_permissions' => 1, |
171 | 'return' => 'display_name', | |
6a488035 | 172 | )); |
6a488035 TO |
173 | $this->assertEquals(1, $result['count']); |
174 | } | |
175 | ||
176 | /** | |
eceb18cc | 177 | * Test permissions limited by hook. |
6a488035 | 178 | */ |
00be9182 | 179 | public function testContactGetHookLimitingHook() { |
6a488035 TO |
180 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
181 | ||
4e420887 | 182 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
183 | 'check_permissions' => 1, |
184 | 'return' => 'display_name', | |
7884d958 | 185 | )); |
6a488035 TO |
186 | $this->assertEquals(1, $result['count']); |
187 | } | |
188 | ||
7884d958 | 189 | /** |
1028f75e | 190 | * Confirm that without check permissions we still get 2 contacts returned. |
7884d958 | 191 | */ |
00be9182 | 192 | public function testContactGetHookLimitingHookDontCheck() { |
4e420887 | 193 | $result = $this->callAPISuccess('contact', 'get', array( |
194 | 'check_permissions' => 0, | |
195 | 'return' => 'display_name', | |
6a488035 | 196 | )); |
6a488035 TO |
197 | $this->assertEquals(2, $result['count']); |
198 | } | |
7884d958 | 199 | |
6a488035 | 200 | /** |
eceb18cc | 201 | * Check that id works as a filter. |
6a488035 | 202 | */ |
00be9182 | 203 | public function testContactGetIDFilter() { |
6a488035 | 204 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 205 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
206 | 'sequential' => 1, |
207 | 'id' => 2, | |
208 | 'check_permissions' => 1, | |
209 | )); | |
210 | ||
6a488035 TO |
211 | $this->assertEquals(1, $result['count']); |
212 | $this->assertEquals(2, $result['id']); | |
213 | } | |
214 | ||
7884d958 | 215 | /** |
eceb18cc | 216 | * Check that address IS returned. |
7884d958 | 217 | */ |
00be9182 | 218 | public function testContactGetAddressReturned() { |
7884d958 | 219 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
220 | $fullresult = $this->callAPISuccess('contact', 'get', array( | |
221 | 'sequential' => 1, | |
222 | )); | |
223 | //return doesn't work for all keys - can't fix that here so let's skip ... | |
224 | //prefix & suffix are inconsistent due to CRM-7929 | |
225 | // unsure about others but return doesn't work on them | |
226 | $elementsReturnDoesntSupport = array( | |
7884d958 | 227 | 'prefix', |
7884d958 | 228 | 'suffix', |
7884d958 | 229 | 'gender', |
230 | 'current_employer', | |
231 | 'phone_id', | |
232 | 'phone_type_id', | |
233 | 'phone', | |
234 | 'worldregion_id', | |
21dfd5f5 | 235 | 'world_region', |
7884d958 | 236 | ); |
237 | $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport); | |
238 | $result = $this->callAPISuccess('contact', 'get', array( | |
239 | 'check_permissions' => 1, | |
240 | 'return' => $expectedReturnElements, | |
241 | 'sequential' => 1, | |
242 | )); | |
243 | $this->assertEquals(1, $result['count']); | |
244 | foreach ($expectedReturnElements as $element) { | |
245 | $this->assertArrayHasKey($element, $result['values'][0]); | |
6a488035 | 246 | } |
7884d958 | 247 | } |
248 | ||
249 | /** | |
eceb18cc | 250 | * Check that pledge IS not returned. |
7884d958 | 251 | */ |
00be9182 | 252 | public function testContactGetPledgeIDNotReturned() { |
7884d958 | 253 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
f5052d4d | 254 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 255 | 'sequential' => 1, |
256 | )); | |
257 | $result = $this->callAPISuccess('contact', 'get', array( | |
258 | 'check_permissions' => 1, | |
259 | 'return' => 'pledge_id', | |
260 | 'sequential' => 1, | |
261 | )); | |
262 | $this->assertArrayNotHasKey('pledge_id', $result['values'][0]); | |
263 | } | |
6a488035 | 264 | |
7884d958 | 265 | /** |
eceb18cc | 266 | * Check that pledge IS not an allowable filter. |
7884d958 | 267 | */ |
00be9182 | 268 | public function testContactGetPledgeIDNotFiltered() { |
7884d958 | 269 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
f5052d4d | 270 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 271 | 'sequential' => 1, |
272 | )); | |
273 | $result = $this->callAPISuccess('contact', 'get', array( | |
274 | 'check_permissions' => 1, | |
275 | 'pledge_id' => 1, | |
276 | 'sequential' => 1, | |
277 | )); | |
278 | $this->assertEquals(2, $result['count']); | |
279 | } | |
280 | ||
281 | /** | |
282 | * Check that chaining doesn't bypass permissions | |
283 | */ | |
00be9182 | 284 | public function testContactGetPledgeNotChainable() { |
7884d958 | 285 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
f5052d4d | 286 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 287 | 'sequential' => 1, |
288 | )); | |
f5052d4d | 289 | $this->callAPIFailure('contact', 'get', array( |
6a488035 | 290 | 'check_permissions' => 1, |
7884d958 | 291 | 'api.pledge.get' => 1, |
6a488035 | 292 | 'sequential' => 1, |
4e420887 | 293 | ), |
294 | 'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.' | |
7884d958 | 295 | ); |
296 | } | |
6a488035 | 297 | |
00be9182 | 298 | public function setupCoreACL() { |
ae4bb4c9 | 299 | $this->createLoggedInUser(); |
5896d037 | 300 | $this->_permissionedDisabledGroup = $this->groupCreate(array( |
92915c55 TO |
301 | 'title' => 'pick-me-disabled', |
302 | 'is_active' => 0, | |
303 | 'name' => 'pick-me-disabled', | |
304 | )); | |
5896d037 | 305 | $this->_permissionedGroup = $this->groupCreate(array( |
92915c55 TO |
306 | 'title' => 'pick-me-active', |
307 | 'is_active' => 1, | |
308 | 'name' => 'pick-me-active', | |
309 | )); | |
ae4bb4c9 EM |
310 | $this->setupACL(); |
311 | } | |
5896d037 | 312 | |
ae4bb4c9 EM |
313 | /** |
314 | * @dataProvider entities | |
315 | * confirm that without check permissions we still get 2 contacts returned | |
1e1fdcf6 | 316 | * @param $entity |
ae4bb4c9 | 317 | */ |
00be9182 | 318 | public function testEntitiesGetHookLimitingHookNoCheck($entity) { |
ae4bb4c9 EM |
319 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); |
320 | $this->setUpEntities($entity); | |
321 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
322 | $result = $this->callAPISuccess($entity, 'get', array( | |
323 | 'check_permissions' => 0, | |
324 | 'return' => 'contact_id', | |
325 | )); | |
326 | $this->assertEquals(2, $result['count']); | |
327 | } | |
328 | ||
329 | /** | |
330 | * @dataProvider entities | |
331 | * confirm that without check permissions we still get 2 entities returned | |
1e1fdcf6 | 332 | * @param $entity |
ae4bb4c9 | 333 | */ |
00be9182 | 334 | public function testEntitiesGetCoreACLLimitingHookNoCheck($entity) { |
ae4bb4c9 EM |
335 | $this->setupCoreACL(); |
336 | //CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
337 | $this->setUpEntities($entity); | |
338 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
339 | $result = $this->callAPISuccess($entity, 'get', array( | |
340 | 'check_permissions' => 0, | |
341 | 'return' => 'contact_id', | |
342 | )); | |
343 | $this->assertEquals(2, $result['count']); | |
344 | } | |
5896d037 | 345 | |
ae4bb4c9 EM |
346 | /** |
347 | * @dataProvider entities | |
348 | * confirm that with check permissions we don't get entities | |
1e1fdcf6 EM |
349 | * @param $entity |
350 | * @throws \PHPUnit_Framework_IncompleteTestError | |
ae4bb4c9 | 351 | */ |
00be9182 | 352 | public function testEntitiesGetCoreACLLimitingCheck($entity) { |
ae4bb4c9 EM |
353 | $this->setupCoreACL(); |
354 | $this->setUpEntities($entity); | |
ae4bb4c9 EM |
355 | $result = $this->callAPISuccess($entity, 'get', array( |
356 | 'check_permissions' => 1, | |
357 | 'return' => 'contact_id', | |
358 | )); | |
359 | $this->assertEquals(0, $result['count']); | |
360 | } | |
361 | ||
ae4bb4c9 EM |
362 | /** |
363 | * @dataProvider entities | |
364 | * Function tests that an empty where hook returns no results | |
1028f75e | 365 | * @param string $entity |
1e1fdcf6 | 366 | * @throws \PHPUnit_Framework_IncompleteTestError |
ae4bb4c9 | 367 | */ |
00be9182 | 368 | public function testEntityGetNoResultsHook($entity) { |
ae4bb4c9 EM |
369 | $this->markTestIncomplete('hook acls only work with contacts so far'); |
370 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
371 | $this->setUpEntities($entity); | |
372 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
373 | $result = $this->callAPISuccess($entity, 'get', array( | |
374 | 'check_permission' => 1, | |
375 | )); | |
376 | $this->assertEquals(0, $result['count']); | |
377 | } | |
378 | ||
379 | /** | |
380 | * @return array | |
381 | */ | |
382 | public static function entities() { | |
6c6e6187 | 383 | return array(array('contribution'), array('participant'));// @todo array('pledge' => 'pledge') |
ae4bb4c9 EM |
384 | } |
385 | ||
386 | /** | |
387 | * Create 2 entities | |
1e1fdcf6 | 388 | * @param $entity |
ae4bb4c9 EM |
389 | */ |
390 | public function setUpEntities($entity) { | |
391 | $baoObj = new CRM_Core_DAO(); | |
5896d037 | 392 | $baoObj->createTestObject(_civicrm_api3_get_BAO($entity), array(), 2, 0); |
ae4bb4c9 EM |
393 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array( |
394 | 'access CiviCRM', | |
395 | 'access CiviContribute', | |
396 | 'access CiviEvent', | |
397 | 'view event participants', | |
398 | ); | |
399 | } | |
400 | ||
6a488035 | 401 | /** |
eceb18cc | 402 | * No results returned. |
24602943 | 403 | * |
c16ed19b | 404 | * @implements CRM_Utils_Hook::aclWhereClause |
24602943 | 405 | * |
406 | * @param string $type | |
407 | * @param array $tables | |
408 | * @param array $whereTables | |
409 | * @param int $contactID | |
410 | * @param string $where | |
6a488035 | 411 | */ |
00be9182 | 412 | public function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) { |
6a488035 | 413 | } |
7884d958 | 414 | |
6a488035 | 415 | /** |
eceb18cc | 416 | * All results returned. |
24602943 | 417 | * |
f5052d4d | 418 | * @implements CRM_Utils_Hook::aclWhereClause |
24602943 | 419 | * |
420 | * @param string $type | |
421 | * @param array $tables | |
422 | * @param array $whereTables | |
423 | * @param int $contactID | |
424 | * @param string $where | |
7884d958 | 425 | */ |
00be9182 | 426 | public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) { |
6a488035 TO |
427 | $where = " (1) "; |
428 | } | |
7884d958 | 429 | |
6a488035 | 430 | /** |
c16ed19b | 431 | * All but first results returned. |
f5052d4d | 432 | * @implements CRM_Utils_Hook::aclWhereClause |
1e1fdcf6 EM |
433 | * @param $type |
434 | * @param $tables | |
435 | * @param $whereTables | |
436 | * @param $contactID | |
437 | * @param $where | |
7884d958 | 438 | */ |
00be9182 | 439 | public function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) { |
6a488035 TO |
440 | $where = " contact_a.id > 1"; |
441 | } | |
96025800 | 442 | |
c16ed19b CW |
443 | /** |
444 | * Only specified contact returned. | |
445 | * @implements CRM_Utils_Hook::aclWhereClause | |
446 | * @param $type | |
447 | * @param $tables | |
448 | * @param $whereTables | |
449 | * @param $contactID | |
450 | * @param $where | |
451 | */ | |
452 | public function aclWhereOnlyOne($type, &$tables, &$whereTables, &$contactID, &$where) { | |
453 | $where = " contact_a.id = " . $this->allowedContactId; | |
454 | } | |
455 | ||
bbd2743b | 456 | /** |
457 | * Basic check that an unpermissioned call keeps working and permissioned call fails. | |
458 | */ | |
459 | public function testGetActivityNoPermissions() { | |
460 | $this->setPermissions(array()); | |
461 | $this->callAPISuccess('Activity', 'get', array()); | |
462 | $this->callAPIFailure('Activity', 'get', array('check_permissions' => 1)); | |
463 | } | |
464 | ||
465 | /** | |
466 | * View all activities is enough regardless of contact ACLs. | |
467 | */ | |
468 | public function testGetActivityViewAllActivitiesEnoughWithOrWithoutID() { | |
469 | $activity = $this->activityCreate(); | |
470 | $this->setPermissions(array('view all activities', 'access CiviCRM')); | |
471 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
472 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1)); | |
473 | } | |
474 | ||
475 | /** | |
476 | * View all activities is required unless id is passed in. | |
477 | */ | |
478 | public function testGetActivityViewAllContactsNotEnoughWIthoutID() { | |
479 | $this->setPermissions(array('view all contacts', 'access CiviCRM')); | |
480 | $this->callAPIFailure('Activity', 'get', array('check_permissions' => 1)); | |
481 | } | |
482 | ||
483 | /** | |
484 | * View all activities is required unless id is passed in, in which case ACLs are used. | |
485 | */ | |
486 | public function testGetActivityViewAllContactsEnoughWIthID() { | |
487 | $activity = $this->activityCreate(); | |
488 | $this->setPermissions(array('view all contacts', 'access CiviCRM')); | |
489 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
490 | } | |
491 | ||
492 | /** | |
493 | * View all activities is required unless id is passed in, in which case ACLs are used. | |
494 | */ | |
495 | public function testGetActivityAccessCiviCRMNotEnough() { | |
496 | $activity = $this->activityCreate(); | |
497 | $this->setPermissions(array('access CiviCRM')); | |
498 | $this->callAPIFailure('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
499 | } | |
500 | ||
501 | /** | |
502 | * Check that activities can be retrieved by ACL. | |
503 | * | |
504 | * The activities api applies ACLs in a very limited circumstance, if id is passed in. | |
505 | * Otherwise it sticks with the blunt original permissions. | |
506 | */ | |
507 | public function testGetActivityByACL() { | |
508 | $this->setPermissions(array('access CiviCRM')); | |
509 | $activity = $this->activityCreate(); | |
510 | ||
511 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
512 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
513 | } | |
514 | ||
515 | /** | |
516 | * To leverage ACL permission to view an activity you must be able to see all of the contacts. | |
517 | */ | |
518 | public function testGetActivityByAclCannotViewAllContacts() { | |
519 | $activity = $this->activityCreate(); | |
520 | $contacts = $this->getActivityContacts($activity); | |
521 | $this->setPermissions(array('access CiviCRM')); | |
522 | ||
523 | foreach ($contacts as $contact_id) { | |
524 | $this->allowedContactId = $contact_id; | |
525 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne')); | |
526 | $this->callAPIFailure('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
527 | } | |
528 | } | |
529 | ||
530 | /** | |
531 | * Check that if the source contact is deleted but we can view the others we can see the activity. | |
532 | * | |
533 | * CRM-18409. | |
534 | * | |
535 | * @throws \CRM_Core_Exception | |
536 | */ | |
537 | public function testGetActivityACLSourceContactDeleted() { | |
538 | $this->setPermissions(array('access CiviCRM', 'delete contacts')); | |
539 | $activity = $this->activityCreate(); | |
540 | $contacts = $this->getActivityContacts($activity); | |
541 | ||
542 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
543 | $this->contactDelete($contacts['source_contact_id']); | |
544 | $this->callAPISuccess('Activity', 'getsingle', array('check_permissions' => 1, 'id' => $activity['id'])); | |
545 | } | |
546 | ||
547 | /** | |
548 | * Get the contacts for the activity. | |
549 | * | |
550 | * @param $activity | |
551 | * | |
552 | * @return array | |
553 | * @throws \CRM_Core_Exception | |
554 | */ | |
555 | protected function getActivityContacts($activity) { | |
556 | $contacts = array(); | |
557 | ||
558 | $activityContacts = $this->callAPISuccess('ActivityContact', 'get', array( | |
559 | 'activity_id' => $activity['id'], | |
560 | ) | |
561 | ); | |
562 | ||
563 | $activityRecordTypes = $this->callAPISuccess('ActivityContact', 'getoptions', array('field' => 'record_type_id')); | |
564 | foreach ($activityContacts['values'] as $activityContact) { | |
565 | $type = $activityRecordTypes['values'][$activityContact['record_type_id']]; | |
566 | switch ($type) { | |
567 | case 'Activity Source': | |
568 | $contacts['source_contact_id'] = $activityContact['contact_id']; | |
569 | break; | |
570 | ||
571 | case 'Activity Targets': | |
572 | $contacts['target_contact_id'] = $activityContact['contact_id']; | |
573 | break; | |
574 | ||
575 | case 'Activity Assignees': | |
576 | $contacts['assignee_contact_id'] = $activityContact['contact_id']; | |
577 | break; | |
578 | ||
579 | } | |
580 | } | |
581 | return $contacts; | |
582 | } | |
583 | ||
6a488035 | 584 | } |