6a488035 1<?php
3/*
4 +--------------------------------------------------------------------+
5 | CiviCRM version 4.3 |
6 +--------------------------------------------------------------------+
7 | Copyright CiviCRM LLC (c) 2004-2013 |
8 +--------------------------------------------------------------------+
9 | This file is a part of CiviCRM. |
10 | |
11 | CiviCRM is free software; you can copy, modify, and distribute it |
12 | under the terms of the GNU Affero General Public License |
13 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | |
15 | CiviCRM is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
18 | See the GNU Affero General Public License for more details. |
19 | |
20 | You should have received a copy of the GNU Affero General Public |
21 | License and the CiviCRM Licensing Exception along |
22 | with this program; if not, contact CiviCRM LLC |
23 | at info[AT]civicrm[DOT]org. If you have questions about the |
24 | GNU Affero General Public License or the licensing of CiviCRM, |
25 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
26 +--------------------------------------------------------------------+
27 */
28
// Base test case for CiviCRM unit tests. The quickCleanup() and assertAPISuccess()
// helpers called below are not defined in this file and are presumably inherited
// from it (or its ancestors).
require_once 'CiviTest/CiviUnitTestCase.php';
30
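/**
 * Tests that APIv3 contact.get honours the ACL restriction supplied through the
 * civicrm_aclWhereClause hook when check_permissions is set, and that the
 * 'return' parameter, entity filters and API chaining cannot be used to read
 * data the hook did not grant.
 *
 * Each test installs one of the aclWhere* implementations at the bottom of this
 * class as the hook; the hook supplies the WHERE fragment the ACL layer applies
 * to the contact query. No multisite module is involved - the hook alone
 * decides what is visible.
 *
 * @package CiviCRM_APIv3
 * @subpackage API_Contact
 */
class api_v3_ACLPermissionTest extends CiviUnitTestCase {
  protected $_apiversion;
  protected $_params;
  protected $hookClass = NULL;

  public $_eNoticeCompliant = TRUE;

  protected $_entity;

  /**
   * Build the fixture and neutralise every permission source except the hook.
   *
   * One pledge and one phone test object are created; the assertions below rely
   * on these leaving exactly two rows in civicrm_contact. The permission list
   * on the configured permission class is emptied so the test user holds no
   * CMS-level permission (testContactGetPledgeNotChainable depends on
   * 'access CiviCRM' being absent).
   */
  public function setUp() {
    $this->_apiversion = 3;

    parent::setUp();
    $baoObj = new CRM_Core_DAO();
    $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
    $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
    $this->hookClass = CRM_Utils_Hook::singleton();
    $config = CRM_Core_Config::singleton();
    // Start from "no permissions at all" so only the ACL hook governs access.
    $config->userPermissionClass->permissions = array();
  }

  /**
   * Remove the hook and the fixture contacts, and restore the permission list.
   *
   * NOTE(review): only civicrm_contact is truncated; the pledge and phone rows
   * created in setUp() are left behind between tests. The assertions here only
   * count contacts, so this is harmless for now - confirm before adding tests
   * that count pledges or phones.
   *
   * @see CiviUnitTestCase::tearDown()
   */
  public function tearDown() {
    $this->hookClass->reset();
    $this->quickCleanup(array('civicrm_contact'));
    $config = CRM_Core_Config::singleton();
    unset($config->userPermissionClass->permissions);
  }

  /**
   * Issue an APIv3 contact.get with the API version set and the given extra
   * parameters. Callers always pass check_permissions explicitly so the
   * permission mode of each test is visible at the call site.
   *
   * @param array $params API parameters other than 'version'
   *
   * @return array raw API result
   */
  private function contactGet(array $params) {
    return civicrm_api('contact', 'get', array('version' => $this->_apiversion) + $params);
  }

  /**
   * A hook that leaves the WHERE fragment empty must yield no rows at all:
   * an empty ACL clause means "grant nothing", not "grant everything".
   */
  public function testContactGetNoResultsHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));

    $this->assertAPISuccess($result, "this should succeed but return no results. line " . __LINE__);
    $this->assertEquals(0, $result['count']);
  }

  /**
   * A hook granting everything ("(1)") returns both fixture contacts.
   */
  public function testContactGetAllResultsHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));

    $this->assertAPISuccess($result, "this should succeed and return 2 results. line " . __LINE__);
    $this->assertEquals(2, $result['count']);
  }

  /**
   * Even under a grant-everything hook, a contact flagged is_deleted is not
   * returned: the ACL clause adds to, rather than replaces, the API's own
   * trash filtering.
   *
   * The fixture contact with id 2 is assumed to exist (civicrm_contact is
   * truncated between tests, so ids presumably restart at 1).
   */
  public function testContactGetPermissionHookNoDeleted() {
    civicrm_api('contact', 'create', array('id' => 2, 'version' => $this->_apiversion, 'is_deleted' => 1));
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));

    $this->assertAPISuccess($result, "this should succeed but return one result. line " . __LINE__);
    $this->assertEquals(1, $result['count']);
  }

  /**
   * A hook that only admits contact ids > 1 returns exactly one of the two
   * fixture contacts when permissions are checked.
   */
  public function testContactGetHookLimitingHook() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));

    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => 'display_name',
    ));
    $this->assertAPISuccess($result, 'api call succeeded');
    $this->assertEquals(1, $result['count']);
  }

  /**
   * With check_permissions off, the same limiting hook is not consulted and
   * both contacts come back.
   *
   * The limiting hook is installed here deliberately: without it the test
   * could not tell "hook ignored because check_permissions=0" from "no hook
   * registered". check_permissions=0 is meant for trusted internal callers;
   * anything that forwards user-supplied parameters with it bypasses ACLs
   * entirely.
   */
  public function testContactGetHookLimitingHookDontCheck() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
    $result = $this->contactGet(array(
      'check_permissions' => 0,
      'return' => 'display_name',
    ));
    $this->assertAPISuccess($result, 'api call succeeded');
    $this->assertEquals(2, $result['count']);
  }

  /**
   * 'id' still works as a filter under a grant-everything hook, and the single
   * match is reported as 'id' at the top level of the result.
   */
  public function testContactGetIDFilter() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->contactGet(array(
      'sequential' => 1,
      'id' => 2,
      'check_permissions' => 1,
    ));

    $this->assertAPISuccess($result, 'api call succeeded');
    $this->assertEquals(1, $result['count']);
    $this->assertEquals(2, $result['id']);
  }

  /**
   * Every field the unrestricted call returns is also returned, when requested
   * via 'return', under a restricting hook - the ACL restriction must not drop
   * the address and other columns from a contact the hook permits.
   */
  public function testContactGetAddressReturned() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
    // Unrestricted call: its first row defines the set of keys we expect back.
    $fullresult = $this->contactGet(array(
      'sequential' => 1,
    ));
    // 'return' doesn't work for all keys - can't fix that here so let's skip ...
    // prefix & suffix are inconsistent due to CRM-7929
    // unsure about others but return doesn't work on them
    $elementsReturnDoesntSupport = array(
      'prefix_id',
      'prefix',
      'suffix_id',
      'suffix',
      'gender_id',
      'gender',
      'current_employer',
      'phone_id',
      'phone_type_id',
      'phone',
      'worldregion_id',
      'world_region',
    );
    $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => $expectedReturnElements,
      'sequential' => 1,
    ));
    $this->assertAPISuccess($result, 'api call succeeded');
    $this->assertEquals(1, $result['count']);
    foreach ($expectedReturnElements as $element) {
      $this->assertArrayHasKey($element, $result['values'][0]);
    }
  }

  /**
   * Requesting 'pledge_id' via 'return' with permissions checked must not add a
   * pledge column to the result: contact.get must not become a side channel
   * for pledge data.
   */
  public function testContactGetPledgeIDNotReturned() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'return' => 'pledge_id',
      'sequential' => 1,
    ));
    $this->assertAPISuccess($result);
    // Guard the index below so a missing row fails here, not with a notice.
    $this->assertEquals(2, $result['count']);
    $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
  }

  /**
   * A 'pledge_id' filter is ignored when permissions are checked: both contacts
   * still come back rather than only the pledge owner, so the existence of a
   * pledge cannot be probed through contact.get.
   */
  public function testContactGetPledgeIDNotFiltered() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'pledge_id' => 1,
      'sequential' => 1,
    ));
    $this->assertAPISuccess($result, 'api call succeeded');
    $this->assertEquals(2, $result['count']);
  }

  /**
   * A chained api.pledge.get inherits check_permissions from the outer call and
   * fails because the test user lacks 'access CiviCRM'; chaining must not be a
   * way around the permission check.
   */
  public function testContactGetPledgeNotChainable() {
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
    $result = $this->contactGet(array(
      'check_permissions' => 1,
      'api.pledge.get' => 1,
      'sequential' => 1,
    ));
    $this->assertArrayHasKey('error_message', $result, 'chained pledge.get should have failed the permission check');
    $this->assertEquals('Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.', $result['error_message']);
  }

  /**
   * civicrm_aclWhereClause implementation that grants nothing: $where is left
   * untouched.
   */
  public function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
  }

  /**
   * civicrm_aclWhereClause implementation that grants everything: an
   * always-true clause.
   */
  public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
    $where = " (1) ";
  }

  /**
   * civicrm_aclWhereClause implementation that admits only contacts with
   * id > 1, i.e. everything but the first fixture contact.
   */
  public function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
    $where = " contact_a.id > 1";
  }

}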