Merge pull request #7895 from cividesk/CRM-18130-master
[civicrm-core.git] / tests / phpunit / api / v3 / EntityTagACLTest.php
83a2ebb6 1<?php
2/*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28/**
29 * Test APIv3 civicrm_entity_tag_* functions
30 *
31 * @package CiviCRM_APIv3
32 * @subpackage API_Core
33 */
34
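/**
 * Class api_v3_EntityTagACLTest.
 *
 * This test class was introduced to ensure that the fix for CRM-17350 (reducing the required permission
 * from edit all contacts to has right to edit this contact) would not result in inappropriate permission opening on
 * other entities. Other entities are still too restricted but that is a larger job.
 *
 * Every test sets the permission list on the shared config singleton itself, so each one states
 * exactly which permissions the simulated user holds when the API call is made.
 *
 * @group headless
 */
class api_v3_EntityTagACLTest extends CiviUnitTestCase {

  /**
   * API Version in use.
   *
   * @var int
   */
  protected $_apiversion = 3;

  /**
   * Entity being tested.
   *
   * @var string
   */
  protected $_entity = 'entity_tag';

  /**
   * Set up fixtures and a minimal permission set for each test.
   *
   * Creates one individual, one attachment, one activity and one case, plus one tag per
   * used_for option. The fixtures are created before the permission list is narrowed, so
   * fixture creation itself is not subject to the restricted permissions.
   */
  public function setUp() {
    $this->useTransaction(TRUE);
    parent::setUp();
    $individualID = $this->individualCreate();
    $daoObj = new CRM_Core_DAO();
    // Single-character values: the attachment only has to exist as a taggable record.
    $this->callAPISuccess('Attachment', 'create', array(
      'entity_table' => 'civicrm_contact',
      'entity_id' => $individualID,
      'mime_type' => 'k',
      'name' => 'p',
      'content' => 'l',
    ));
    $daoObj->createTestObject('CRM_Activity_BAO_Activity', array(), 1, 0);
    $daoObj->createTestObject('CRM_Case_BAO_Case', array(), 1, 0);
    // One tag per taggable entity type; the tag name is the option label, which is what
    // the tests later pass as tag_id.
    $entities = $this->getTagOptions();
    foreach ($entities as $key => $entity) {
      $this->callAPISuccess('Tag', 'create', array(
          'used_for' => $key,
          'name' => $entity,
          'description' => $entity,
        )
      );
    }
    // Baseline for every test: the user can reach CiviCRM but holds no contact permissions.
    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM');
  }

  /**
   * Get the options for the used_for fields.
   *
   * @return array
   *   The 'values' element of the Tag.getoptions result. setUp() uses the keys as used_for
   *   values and the tests use them as entity_table values.
   */
  public function getTagOptions() {
    $options = $this->callAPISuccess('Tag', 'getoptions', array('field' => 'used_for'));
    return $options['values'];
  }

  /**
   * Get the entity table for a tag label.
   *
   * @param string $entity
   *   Label as returned by getTagOptions().
   *
   * @return string|false
   *   The option key whose label matches, or FALSE when the label is unknown.
   */
  protected function getTableForTag($entity) {
    $options = $this->getTagOptions();
    // Strict search so a label can never match an option through type juggling.
    return array_search($entity, $options, TRUE);
  }

  /**
   * Get entities which can be tagged in data provider format.
   *
   * @return array
   *   One single-element array per used_for label.
   */
  public function taggableEntities() {
    $return = array();
    foreach ($this->getTagOptions() as $entity) {
      $return[] = array($entity);
    }
    return $return;
  }

  /**
   * This test checks that users with edit all contacts can edit all tags.
   *
   * @dataProvider taggableEntities
   *
   * We are looking to see that a contact with edit all contacts can still add all tags (for all
   * tag entities since that was how it was historically and we are not fixing non-contact entities).
   *
   * @param string $entity
   *   Entity to test
   */
  public function testThatForEntitiesEditAllContactsCanAddTags($entity) {

    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('edit all contacts', 'access CiviCRM');
    $this->callAPISuccess('EntityTag', 'create', array(
      'entity_id' => 1,
      'tag_id' => $entity,
      'check_permissions' => TRUE,
      'entity_table' => $this->getTableForTag($entity),
    ));
    $this->callAPISuccessGetCount('EntityTag', array(
      'entity_id' => 1,
      'entity_table' => $this->getTableForTag($entity),
    ), 1);
  }

  /**
   * This test checks that an ACL or edit all contacts is required to be able to tag an entity.
   *
   * The create call is made through callAPISuccess, so the API is expected to report success
   * even though the user may not tag the entity; the denial is only visible as the absence of
   * a stored row.
   *
   * @dataProvider taggableEntities
   *
   * @param string $entity
   *   Entity to test
   */
  public function testThatForEntityWithoutACLOrEditAllThereIsNoAccess($entity) {

    // View-only user: no 'edit all contacts' and no ACL hook registered in this test.
    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view all contacts');
    // NOTE(review): the result carries an 'added' key (see testCheckPermissionsOffWorks);
    // asserting it is 0 here would also pin what the API reports - confirm the value first.
    $this->callAPISuccess('EntityTag', 'create', array(
      'entity_id' => 1,
      'tag_id' => $entity,
      'check_permissions' => TRUE,
      'entity_table' => $this->getTableForTag($entity),
    ));
    // The lookup does not pass check_permissions; presumably it is therefore not filtered by
    // the reduced permission set, so a count of 0 means nothing was written - TODO confirm.
    $this->callAPISuccessGetCount('EntityTag', array(
      'entity_id' => 1,
      'entity_table' => $this->getTableForTag($entity),
    ), 0);
  }

  /**
   * This test checks that permissions are not applied when check_permissions is off.
   *
   * With the same view-only permission set that is denied in
   * testThatForEntityWithoutACLOrEditAllThereIsNoAccess, the tag is written once
   * check_permissions is 0. The flag is therefore the only gate exercised here: code that
   * forwards parameters from an untrusted request must not let the request switch it off.
   *
   * @dataProvider taggableEntities
   *
   * @param string $entity
   *   Entity to test
   */
  public function testCheckPermissionsOffWorks($entity) {

    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view all contacts');
    $result = $this->callAPISuccess('EntityTag', 'create', array(
      'entity_id' => 1,
      'tag_id' => $entity,
      'check_permissions' => 0,
      'entity_table' => $this->getTableForTag($entity),
    ));
    $this->assertEquals(1, $result['added']);
    $this->callAPISuccessGetCount('EntityTag', array(
      'entity_id' => 1,
      'entity_table' => $this->getTableForTag($entity),
      'check_permissions' => 0,
    ), 1);
  }

  /**
   * This test checks ACLs can be used to control who can edit a contact.
   *
   * Note that for other entities this hook will not allow them to edit the entity_tag and they still need
   * edit all contacts (pending a more extensive fix).
   *
   * @dataProvider taggableEntities
   *
   * @param string $entity
   *   Entity to test
   */
  public function testThatForEntitiesACLApplies($entity) {

    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view all contacts');
    // Register an ACL hook whose where clause is always true.
    $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
    $this->callAPISuccess('EntityTag', 'create', array(
      'entity_id' => 1,
      'tag_id' => $entity,
      'entity_table' => $this->getTableForTag($entity),
      'check_permissions' => TRUE,
    ));
    // Only the 'Contacts' label is expected to gain a row through the ACL; every other
    // taggable entity must stay at 0, which is the regression this class guards against.
    $expectedCount = ($entity === 'Contacts') ? 1 : 0;
    $this->callAPISuccessGetCount('EntityTag', array(
      'entity_id' => 1,
      'entity_table' => $this->getTableForTag($entity),
    ), $expectedCount);
  }

  /**
   * All results returned.
   *
   * Test-only hook implementation: it replaces the where clause with a constant true
   * expression and ignores every other argument.
   *
   * @implements CRM_Utils_Hook::aclWhereClause
   *
   * @param string $type
   * @param array $tables
   * @param array $whereTables
   * @param int $contactID
   * @param string $where
   *   Overwritten with " (1) ".
   */
  public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
    $where = " (1) ";
  }

}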