Commit | Line | Data |
---|---|---|
6a488035 | 1 | <?php |
6a488035 TO |
2 | /* |
3 | +--------------------------------------------------------------------+ | |
06a1bc01 | 4 | | CiviCRM version 4.5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
06a1bc01 | 6 | | Copyright CiviCRM LLC (c) 2004-2014 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | require_once 'CiviTest/CiviUnitTestCase.php'; | |
29 | ||
30 | /** | |
31 | * This class is intended to test ACL permission using the multisite module | |
32 | * | |
7884d958 | 33 | * @package CiviCRM_APIv3 |
34 | * @subpackage API_Contact | |
6a488035 TO |
35 | */ |
36 | ||
37 | class api_v3_ACLPermissionTest extends CiviUnitTestCase { | |
4e420887 | 38 | protected $_apiversion = 3; |
6a488035 | 39 | protected $_params; |
f5052d4d EM |
40 | |
41 | /** | |
42 | * @var CRM_Utils_Hook_UnitTests | |
43 | */ | |
7884d958 | 44 | protected $hookClass = NULL; |
4e420887 | 45 | public $DBResetRequired = FALSE; |
6a488035 | 46 | |
b7c9bc4c | 47 | |
6a488035 | 48 | |
430ae6dd TO |
49 | protected $_entity; |
50 | ||
51 | function setUp() { | |
6a488035 TO |
52 | parent::setUp(); |
53 | $baoObj = new CRM_Core_DAO(); | |
54 | $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0); | |
55 | $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0); | |
56 | $this->hookClass = CRM_Utils_Hook::singleton(); | |
57 | $config = CRM_Core_Config::singleton(); | |
58 | $config->userPermissionClass->permissions = array(); | |
59 | } | |
7884d958 | 60 | |
61 | /** | |
62 | * (non-PHPdoc) | |
63 | * @see CiviUnitTestCase::tearDown() | |
64 | */ | |
6a488035 | 65 | function tearDown() { |
e182b859 | 66 | CRM_Utils_Hook::singleton()->reset(); |
6a488035 | 67 | $tablesToTruncate = array( |
7884d958 | 68 | 'civicrm_contact', |
ae4bb4c9 EM |
69 | 'civicrm_group_contact', |
70 | 'civicrm_group', | |
71 | 'civicrm_acl', | |
72 | 'civicrm_acl_cache', | |
73 | 'civicrm_acl_entity_role', | |
74 | 'civicrm_acl_contact_cache', | |
75 | 'civicrm_contribution', | |
76 | 'civicrm_participant', | |
6a488035 TO |
77 | ); |
78 | $this->quickCleanup($tablesToTruncate); | |
79 | $config = CRM_Core_Config::singleton(); | |
80 | unset($config->userPermissionClass->permissions); | |
81 | } | |
7884d958 | 82 | |
83 | /** | |
84 | * Function tests that an empty where hook returns no results | |
85 | */ | |
86 | function testContactGetNoResultsHook() { | |
6a488035 | 87 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); |
4e420887 | 88 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
89 | 'check_permissions' => 1, |
90 | 'return' => 'display_name', | |
91 | )); | |
6a488035 TO |
92 | $this->assertEquals(0, $result['count']); |
93 | } | |
94 | ||
95 | /** | |
96 | * Function tests all results are returned | |
7884d958 | 97 | */ |
98 | function testContactGetAllResultsHook() { | |
6a488035 | 99 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 100 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 101 | 'check_permissions' => 1, |
102 | 'return' => 'display_name', | |
6a488035 TO |
103 | )); |
104 | ||
6a488035 TO |
105 | $this->assertEquals(2, $result['count']); |
106 | } | |
7884d958 | 107 | |
6a488035 | 108 | /** |
5d3b3d60 | 109 | * Function tests that deleted contacts are not returned |
7884d958 | 110 | */ |
111 | function testContactGetPermissionHookNoDeleted() { | |
f5052d4d | 112 | $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1)); |
6a488035 | 113 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 114 | $result = $this->callAPISuccess('contact', 'get', array( |
7884d958 | 115 | 'check_permissions' => 1, |
116 | 'return' => 'display_name', | |
6a488035 | 117 | )); |
6a488035 TO |
118 | $this->assertEquals(1, $result['count']); |
119 | } | |
120 | ||
121 | /** | |
100fef9d | 122 | * Test permissions limited by hook |
6a488035 | 123 | */ |
7884d958 | 124 | function testContactGetHookLimitingHook() { |
6a488035 TO |
125 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); |
126 | ||
4e420887 | 127 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
128 | 'check_permissions' => 1, |
129 | 'return' => 'display_name', | |
7884d958 | 130 | )); |
6a488035 TO |
131 | $this->assertEquals(1, $result['count']); |
132 | } | |
133 | ||
7884d958 | 134 | /** |
100fef9d | 135 | * Confirm that without check permissions we still get 2 contacts returned |
7884d958 | 136 | */ |
137 | function testContactGetHookLimitingHookDontCheck() { | |
6a488035 | 138 | // |
4e420887 | 139 | $result = $this->callAPISuccess('contact', 'get', array( |
140 | 'check_permissions' => 0, | |
141 | 'return' => 'display_name', | |
6a488035 | 142 | )); |
6a488035 TO |
143 | $this->assertEquals(2, $result['count']); |
144 | } | |
7884d958 | 145 | |
6a488035 TO |
146 | /** |
147 | * Check that id works as a filter | |
148 | */ | |
7884d958 | 149 | function testContactGetIDFilter() { |
6a488035 | 150 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); |
4e420887 | 151 | $result = $this->callAPISuccess('contact', 'get', array( |
6a488035 TO |
152 | 'sequential' => 1, |
153 | 'id' => 2, | |
154 | 'check_permissions' => 1, | |
155 | )); | |
156 | ||
6a488035 TO |
157 | $this->assertEquals(1, $result['count']); |
158 | $this->assertEquals(2, $result['id']); | |
159 | } | |
160 | ||
7884d958 | 161 | /** |
162 | * Check that address IS returned | |
163 | */ | |
164 | function testContactGetAddressReturned() { | |
165 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); | |
166 | $fullresult = $this->callAPISuccess('contact', 'get', array( | |
167 | 'sequential' => 1, | |
168 | )); | |
169 | //return doesn't work for all keys - can't fix that here so let's skip ... | |
170 | //prefix & suffix are inconsistent due to CRM-7929 | |
171 | // unsure about others but return doesn't work on them | |
172 | $elementsReturnDoesntSupport = array( | |
7884d958 | 173 | 'prefix', |
7884d958 | 174 | 'suffix', |
7884d958 | 175 | 'gender', |
176 | 'current_employer', | |
177 | 'phone_id', | |
178 | 'phone_type_id', | |
179 | 'phone', | |
180 | 'worldregion_id', | |
181 | 'world_region' | |
182 | ); | |
183 | $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport); | |
184 | $result = $this->callAPISuccess('contact', 'get', array( | |
185 | 'check_permissions' => 1, | |
186 | 'return' => $expectedReturnElements, | |
187 | 'sequential' => 1, | |
188 | )); | |
189 | $this->assertEquals(1, $result['count']); | |
190 | foreach ($expectedReturnElements as $element) { | |
191 | $this->assertArrayHasKey($element, $result['values'][0]); | |
6a488035 | 192 | } |
7884d958 | 193 | } |
194 | ||
195 | /** | |
196 | * Check that pledge IS not returned | |
197 | */ | |
198 | function testContactGetPledgeIDNotReturned() { | |
199 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
f5052d4d | 200 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 201 | 'sequential' => 1, |
202 | )); | |
203 | $result = $this->callAPISuccess('contact', 'get', array( | |
204 | 'check_permissions' => 1, | |
205 | 'return' => 'pledge_id', | |
206 | 'sequential' => 1, | |
207 | )); | |
208 | $this->assertArrayNotHasKey('pledge_id', $result['values'][0]); | |
209 | } | |
6a488035 | 210 | |
7884d958 | 211 | /** |
212 | * Check that pledge IS not an allowable filter | |
213 | */ | |
214 | function testContactGetPledgeIDNotFiltered() { | |
215 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults')); | |
f5052d4d | 216 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 217 | 'sequential' => 1, |
218 | )); | |
219 | $result = $this->callAPISuccess('contact', 'get', array( | |
220 | 'check_permissions' => 1, | |
221 | 'pledge_id' => 1, | |
222 | 'sequential' => 1, | |
223 | )); | |
224 | $this->assertEquals(2, $result['count']); | |
225 | } | |
226 | ||
227 | /** | |
228 | * Check that chaining doesn't bypass permissions | |
229 | */ | |
230 | function testContactGetPledgeNotChainable() { | |
231 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond')); | |
f5052d4d | 232 | $this->callAPISuccess('contact', 'get', array( |
7884d958 | 233 | 'sequential' => 1, |
234 | )); | |
f5052d4d | 235 | $this->callAPIFailure('contact', 'get', array( |
6a488035 | 236 | 'check_permissions' => 1, |
7884d958 | 237 | 'api.pledge.get' => 1, |
6a488035 | 238 | 'sequential' => 1, |
4e420887 | 239 | ), |
240 | 'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.' | |
7884d958 | 241 | ); |
242 | } | |
6a488035 | 243 | |
ae4bb4c9 EM |
244 | function setupCoreACL() { |
245 | $this->createLoggedInUser(); | |
246 | $this->_permissionedDisabledGroup = $this->groupCreate(array('title' => 'pick-me-disabled', 'is_active' => 0, 'name' => 'pick-me-disabled')); | |
247 | $this->_permissionedGroup = $this->groupCreate(array('title' => 'pick-me-active', 'is_active' => 1, 'name' => 'pick-me-active')); | |
248 | $this->setupACL(); | |
249 | } | |
250 | /** | |
251 | * @dataProvider entities | |
252 | * confirm that without check permissions we still get 2 contacts returned | |
253 | */ | |
254 | function testEntitiesGetHookLimitingHookNoCheck($entity) { | |
255 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
256 | $this->setUpEntities($entity); | |
257 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
258 | $result = $this->callAPISuccess($entity, 'get', array( | |
259 | 'check_permissions' => 0, | |
260 | 'return' => 'contact_id', | |
261 | )); | |
262 | $this->assertEquals(2, $result['count']); | |
263 | } | |
264 | ||
265 | /** | |
266 | * @dataProvider entities | |
267 | * confirm that without check permissions we still get 2 entities returned | |
268 | */ | |
269 | function testEntitiesGetCoreACLLimitingHookNoCheck($entity) { | |
270 | $this->setupCoreACL(); | |
271 | //CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
272 | $this->setUpEntities($entity); | |
273 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
274 | $result = $this->callAPISuccess($entity, 'get', array( | |
275 | 'check_permissions' => 0, | |
276 | 'return' => 'contact_id', | |
277 | )); | |
278 | $this->assertEquals(2, $result['count']); | |
279 | } | |
280 | /** | |
281 | * @dataProvider entities | |
282 | * confirm that with check permissions we don't get entities | |
283 | */ | |
9730e9e3 EM |
284 | function testEntitiesGetCoreACLLimitingCheck($entity) { |
285 | $this->markTestIncomplete('this does not work in 4.4 but can be enabled in 4.5 or a security release of 4.4 including the important security fix CRM-14877'); | |
ae4bb4c9 EM |
286 | $this->setupCoreACL(); |
287 | $this->setUpEntities($entity); | |
ae4bb4c9 EM |
288 | $result = $this->callAPISuccess($entity, 'get', array( |
289 | 'check_permissions' => 1, | |
290 | 'return' => 'contact_id', | |
291 | )); | |
292 | $this->assertEquals(0, $result['count']); | |
293 | } | |
294 | ||
295 | ||
296 | /** | |
297 | * @dataProvider entities | |
298 | * Function tests that an empty where hook returns no results | |
299 | */ | |
300 | function testEntityGetNoResultsHook($entity) { | |
301 | $this->markTestIncomplete('hook acls only work with contacts so far'); | |
302 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array(); | |
303 | $this->setUpEntities($entity); | |
304 | $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); | |
305 | $result = $this->callAPISuccess($entity, 'get', array( | |
306 | 'check_permission' => 1, | |
307 | )); | |
308 | $this->assertEquals(0, $result['count']); | |
309 | } | |
310 | ||
311 | /** | |
312 | * @return array | |
313 | */ | |
314 | public static function entities() { | |
315 | return array(array('contribution'), array('participant'),);// @todo array('pledge' => 'pledge') | |
316 | } | |
317 | ||
318 | /** | |
319 | * Create 2 entities | |
320 | */ | |
321 | public function setUpEntities($entity) { | |
322 | $baoObj = new CRM_Core_DAO(); | |
323 | $baoObj->createTestObject( _civicrm_api3_get_BAO($entity), array(), 2, 0); | |
324 | CRM_Core_Config::singleton()->userPermissionClass->permissions = array( | |
325 | 'access CiviCRM', | |
326 | 'access CiviContribute', | |
327 | 'access CiviEvent', | |
328 | 'view event participants', | |
329 | ); | |
330 | } | |
331 | ||
6a488035 | 332 | /** |
100fef9d | 333 | * No results returned |
6a488035 TO |
334 | */ |
335 | function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) { | |
336 | } | |
7884d958 | 337 | |
6a488035 | 338 | /** |
100fef9d | 339 | * All results returned |
f5052d4d | 340 | * @implements CRM_Utils_Hook::aclWhereClause |
7884d958 | 341 | */ |
6a488035 TO |
342 | function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) { |
343 | $where = " (1) "; | |
344 | } | |
7884d958 | 345 | |
6a488035 | 346 | /** |
100fef9d | 347 | * Full results returned |
f5052d4d | 348 | * @implements CRM_Utils_Hook::aclWhereClause |
7884d958 | 349 | */ |
6a488035 TO |
350 | function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) { |
351 | $where = " contact_a.id > 1"; | |
352 | } | |
6a488035 | 353 | } |