| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Class CRM_ACL_Test |
| 5 | * |
| 6 | * This test focuses on testing the (new) ID list-based functions: |
| 7 | * CRM_Contact_BAO_Contact_Permission::allowList() |
| 8 | * CRM_Contact_BAO_Contact_Permission::relationshipList() |
| 9 | * @group headless |
| 10 | */ |
| 11 | class CRM_ACL_ListTest extends CiviUnitTestCase { |
| 12 | |
| 13 | /** |
| 14 | * Set up function. |
| 15 | */ |
| 16 | public function setUp() { |
| 17 | parent::setUp(); |
| 18 | // $this->quickCleanup(array('civicrm_acl_contact_cache'), TRUE); |
| 19 | $this->useTransaction(TRUE); |
| 20 | $this->allowedContactsACL = []; |
| 21 | } |
| 22 | |
| 23 | /** |
| 24 | * general test for the 'view all contacts' permission |
| 25 | */ |
| 26 | public function testViewAllPermission() { |
| 27 | // create test contacts |
| 28 | $contacts = $this->createScenarioPlain(); |
| 29 | |
| 30 | // test WITH all permissions |
| 31 | // NULL means 'all permissions' in UnitTests environment |
| 32 | CRM_Core_Config::singleton()->userPermissionClass->permissions = NULL; |
| 33 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts); |
| 34 | sort($result); |
| 35 | $this->assertEquals($result, $contacts, "Contacts should be viewable when 'view all contacts'"); |
| 36 | |
| 37 | // test WITH explicit permission |
| 38 | CRM_Core_Config::singleton()->userPermissionClass->permissions = ['view all contacts']; |
| 39 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, CRM_Core_Permission::VIEW); |
| 40 | sort($result); |
| 41 | $this->assertEquals($result, $contacts, "Contacts should be viewable when 'view all contacts'"); |
| 42 | |
| 43 | // test WITH EDIT permissions (should imply VIEW) |
| 44 | CRM_Core_Config::singleton()->userPermissionClass->permissions = ['edit all contacts']; |
| 45 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, CRM_Core_Permission::VIEW); |
| 46 | sort($result); |
| 47 | $this->assertEquals($result, $contacts, "Contacts should be viewable when 'edit all contacts'"); |
| 48 | |
| 49 | // test WITHOUT permission |
| 50 | CRM_Core_Config::singleton()->userPermissionClass->permissions = []; |
| 51 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts); |
| 52 | sort($result); |
| 53 | $this->assertEmpty($result, "Contacts should NOT be viewable when 'view all contacts' is not set"); |
| 54 | } |
| 55 | |
| 56 | /** |
| 57 | * general test for the 'view all contacts' permission |
| 58 | */ |
| 59 | public function testEditAllPermission() { |
| 60 | // create test contacts |
| 61 | $contacts = $this->createScenarioPlain(); |
| 62 | |
| 63 | // test WITH explicit permission |
| 64 | CRM_Core_Config::singleton()->userPermissionClass->permissions = ['edit all contacts']; |
| 65 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, CRM_Core_Permission::EDIT); |
| 66 | sort($result); |
| 67 | $this->assertEquals($result, $contacts, "Contacts should be viewable when 'edit all contacts'"); |
| 68 | |
| 69 | // test WITHOUT permission |
| 70 | CRM_Core_Config::singleton()->userPermissionClass->permissions = []; |
| 71 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts); |
| 72 | sort($result); |
| 73 | $this->assertEmpty($result, "Contacts should NOT be viewable when 'edit all contacts' is not set"); |
| 74 | } |
| 75 | |
| 76 | /** |
| 77 | * Test access related to the 'access deleted contact' permission |
| 78 | */ |
| 79 | public function testViewEditDeleted() { |
| 80 | // create test contacts |
| 81 | $contacts = $this->createScenarioPlain(); |
| 82 | |
| 83 | // delete one contact |
| 84 | $deleted_contact_id = $contacts[2]; |
| 85 | $this->callAPISuccess('Contact', 'create', ['id' => $deleted_contact_id, 'contact_is_deleted' => 1]); |
| 86 | $deleted_contact = $this->callAPISuccess('Contact', 'getsingle', ['id' => $deleted_contact_id]); |
| 87 | $this->assertEquals($deleted_contact['contact_is_deleted'], 1, "Contact should've been deleted"); |
| 88 | |
| 89 | // test WITH explicit permission |
| 90 | CRM_Core_Config::singleton()->userPermissionClass->permissions = ['edit all contacts', 'view all contacts']; |
| 91 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, CRM_Core_Permission::EDIT); |
| 92 | sort($result); |
| 93 | $this->assertNotContains($deleted_contact_id, $result, "Deleted contacts should be excluded"); |
| 94 | $this->assertEquals(count($result), count($contacts) - 1, "Only deleted contacts should be excluded"); |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * Test access based on relations |
| 99 | * |
| 100 | * There should be the following permission-relationship |
| 101 | * contact[0] -> contact[1] -> contact[2] |
| 102 | */ |
| 103 | public function testPermissionByRelation() { |
| 104 | // create test scenario |
| 105 | $contacts = $this->createScenarioRelations(); |
| 106 | |
| 107 | // remove all permissions |
| 108 | $config = CRM_Core_Config::singleton(); |
| 109 | $config->userPermissionClass->permissions = []; |
| 110 | $permissions_to_check = [CRM_Core_Permission::VIEW => 'View', CRM_Core_Permission::EDIT => 'Edit']; |
| 111 | |
| 112 | // run this for SIMPLE relations |
| 113 | $config->secondDegRelPermissions = FALSE; |
| 114 | $this->assertFalse($config->secondDegRelPermissions); |
| 115 | foreach ($permissions_to_check as $permission => $permission_label) { |
| 116 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, $permission); |
| 117 | sort($result); |
| 118 | |
| 119 | $this->assertNotContains($contacts[0], $result, "User[0] should NOT have $permission_label permission on contact[0]."); |
| 120 | $this->assertContains($contacts[1], $result, "User[0] should have $permission_label permission on contact[1]."); |
| 121 | $this->assertNotContains($contacts[2], $result, "User[0] should NOT have $permission_label permission on contact[2]."); |
| 122 | $this->assertNotContains($contacts[3], $result, "User[0] should NOT have $permission_label permission on contact[3]."); |
| 123 | $this->assertNotContains($contacts[4], $result, "User[0] should NOT have $permission_label permission on contact[4]."); |
| 124 | // view (b_a) |
| 125 | if ($permission == CRM_Core_Permission::VIEW) { |
| 126 | $this->assertContains($contacts[5], $result, "User[0] should have $permission_label permission on contact[5]."); |
| 127 | } |
| 128 | else { |
| 129 | $this->assertNotContains($contacts[5], $result, "User[0] should NOT have $permission_label permission on contact[5]."); |
| 130 | } |
| 131 | $this->assertNotContains($contacts[6], $result, "User[0] should NOT have $permission_label permission on contact[6]."); |
| 132 | $this->assertNotContains($contacts[7], $result, "User[0] should NOT have $permission_label permission on contact[7]."); |
| 133 | // edit (a_b) |
| 134 | $this->assertContains($contacts[8], $result, "User[0] should have $permission_label permission on contact[8]."); |
| 135 | $this->assertNotContains($contacts[9], $result, "User[0] should NOT have $permission_label permission on contact[9]."); |
| 136 | } |
| 137 | |
| 138 | // run this for SECOND DEGREE relations |
| 139 | $config->secondDegRelPermissions = TRUE; |
| 140 | $this->assertTrue($config->secondDegRelPermissions); |
| 141 | foreach ($permissions_to_check as $permission => $permission_label) { |
| 142 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts, $permission); |
| 143 | sort($result); |
| 144 | |
| 145 | $this->assertNotContains($contacts[0], $result, "User[0] should NOT have second degree $permission_label permission on contact[0]."); |
| 146 | $this->assertContains($contacts[1], $result, "User[0] should have second degree $permission_label permission on contact[1]."); |
| 147 | // Edit then edit -> edit |
| 148 | $this->assertContains($contacts[2], $result, "User[0] should have second degree $permission_label permission on contact[2]."); |
| 149 | $this->assertNotContains($contacts[3], $result, "User[0] should NOT have second degree $permission_label permission on contact[3]."); |
| 150 | $this->assertNotContains($contacts[4], $result, "User[0] should NOT have second degree $permission_label permission on contact[4]."); |
| 151 | // View then Edit -> View |
| 152 | if ($permission == CRM_Core_Permission::VIEW) { |
| 153 | $this->assertContains($contacts[5], $result, "User[0] should have second degree $permission_label permission on contact[5]."); |
| 154 | $this->assertContains($contacts[6], $result, "User[0] should have second degree $permission_label permission on contact[6]."); |
| 155 | } |
| 156 | else { |
| 157 | $this->assertNotContains($contacts[5], $result, "User[0] should NOT have second degree $permission_label permission on contact[5]."); |
| 158 | $this->assertNotContains($contacts[6], $result, "User[0] should NOT have second degree $permission_label permission on contact[6]."); |
| 159 | } |
| 160 | // View then Edit -> View |
| 161 | if ($permission == CRM_Core_Permission::VIEW) { |
| 162 | $this->assertContains($contacts[7], $result, "User[0] should have second degree $permission_label permission on contact[7]."); |
| 163 | } |
| 164 | else { |
| 165 | $this->assertNotContains($contacts[7], $result, "User[0] should NOT have second degree $permission_label permission on contact[7]."); |
| 166 | } |
| 167 | // Edit then View -> View |
| 168 | $this->assertContains($contacts[8], $result, "User[0] should have second degree $permission_label permission on contact[8]."); |
| 169 | if ($permission == CRM_Core_Permission::VIEW) { |
| 170 | $this->assertContains($contacts[9], $result, "User[0] should have second degree $permission_label permission on contact[9]."); |
| 171 | } |
| 172 | else { |
| 173 | $this->assertNotContains($contacts[9], $result, "User[0] should NOT have second degree $permission_label permission on contact[9]."); |
| 174 | } |
| 175 | } |
| 176 | } |
| 177 | |
| 178 | /** |
| 179 | * Test access based on ACL |
| 180 | */ |
| 181 | public function testPermissionByACL() { |
| 182 | $contacts = $this->createScenarioPlain(); |
| 183 | |
| 184 | // set custom hook |
| 185 | $this->hookClass->setHook('civicrm_aclWhereClause', [$this, 'hook_civicrm_aclWhereClause']); |
| 186 | |
| 187 | // run simple test |
| 188 | $permissions_to_check = [CRM_Core_Permission::VIEW => 'View', CRM_Core_Permission::EDIT => 'Edit']; |
| 189 | |
| 190 | $this->allowedContactsACL = [$contacts[0], $contacts[1], $contacts[4]]; |
| 191 | CRM_Core_Config::singleton()->userPermissionClass->permissions = []; |
| 192 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts); |
| 193 | sort($result); |
| 194 | |
| 195 | $this->assertContains($contacts[0], $result, "User[0] should NOT have an ACL permission on contact[0]."); |
| 196 | $this->assertContains($contacts[1], $result, "User[0] should have an ACL permission on contact[1]."); |
| 197 | $this->assertNotContains($contacts[2], $result, "User[0] should NOT have an ACL permission on contact[2]."); |
| 198 | $this->assertNotContains($contacts[3], $result, "User[0] should NOT have an RELATION permission on contact[3]."); |
| 199 | $this->assertContains($contacts[4], $result, "User[0] should NOT have an ACL permission on contact[4]."); |
| 200 | } |
| 201 | |
| 202 | /** |
| 203 | * Test access with a mix of ACL and relationship |
| 204 | */ |
| 205 | public function testPermissionACLvsRelationship() { |
| 206 | $contacts = $this->createScenarioRelations(); |
| 207 | |
| 208 | // set custom hook |
| 209 | $this->hookClass->setHook('civicrm_aclWhereClause', [$this, 'hook_civicrm_aclWhereClause']); |
| 210 | |
| 211 | $config = CRM_Core_Config::singleton(); |
| 212 | $config->userPermissionClass->permissions = []; |
| 213 | $config->secondDegRelPermissions = TRUE; |
| 214 | |
| 215 | $this->allowedContactsACL = [$contacts[0], $contacts[1], $contacts[4]]; |
| 216 | CRM_Core_Config::singleton()->userPermissionClass->permissions = []; |
| 217 | $result = CRM_Contact_BAO_Contact_Permission::allowList($contacts); |
| 218 | sort($result); |
| 219 | |
| 220 | $this->assertContains($contacts[0], $result, "User[0] should have an ACL permission on contact[0]."); |
| 221 | $this->assertContains($contacts[1], $result, "User[0] should have an ACL permission on contact[1]."); |
| 222 | $this->assertContains($contacts[2], $result, "User[0] should have second degree an relation permission on contact[2]."); |
| 223 | $this->assertNotContains($contacts[3], $result, "User[0] should NOT have an ACL permission on contact[3]."); |
| 224 | $this->assertContains($contacts[4], $result, "User[0] should have an ACL permission on contact[4]."); |
| 225 | } |
| 226 | |
| 227 | /** |
| 228 | * Test access related to the 'access deleted contact' permission |
| 229 | */ |
| 230 | public function testPermissionCompare() { |
| 231 | $contacts = $this->createScenarioRelations(); |
| 232 | $contact_index = array_flip($contacts); |
| 233 | |
| 234 | // set custom hook |
| 235 | $this->hookClass->setHook('civicrm_aclWhereClause', [$this, 'hook_civicrm_aclWhereClause']); |
| 236 | |
| 237 | $config = CRM_Core_Config::singleton(); |
| 238 | $this->allowedContactsACL = [$contacts[0], $contacts[1], $contacts[4]]; |
| 239 | $config->secondDegRelPermissions = TRUE; |
| 240 | |
| 241 | // test configurations |
| 242 | $permissions_to_check = [CRM_Core_Permission::VIEW => 'View', CRM_Core_Permission::EDIT => 'Edit']; |
| 243 | $user_permission_options = [/*ALL*/ NULL, /*NONE*/ [], ['view all contacts'], ['edit all contacts'], ['view all contacts', 'edit all contacts']]; |
| 244 | |
| 245 | // run all combinations of those |
| 246 | foreach ($permissions_to_check as $permission_to_check => $permission_label) { |
| 247 | foreach ($user_permission_options as $user_permissions) { |
| 248 | // select the contact range |
| 249 | $contact_range = $contacts; |
| 250 | if (is_array($user_permissions) && count($user_permissions) == 0) { |
| 251 | // slight (explainable) deviation on the own contact |
| 252 | unset($contact_range[0]); |
| 253 | } |
| 254 | |
| 255 | $config->userPermissionClass->permissions = $user_permissions; |
| 256 | $user_permissions_label = json_encode($user_permissions); |
| 257 | |
| 258 | // get the list result |
| 259 | $list_result = CRM_Contact_BAO_Contact_Permission::allowList($contact_range, $permission_to_check); |
| 260 | $this->assertTrue(count($list_result) <= count($contact_range), "Permission::allowList should return a subset of the contats."); |
| 261 | foreach ($list_result as $contact_id) { |
| 262 | $this->assertContains($contact_id, $contact_range, "Permission::allowList should return a subset of the contats."); |
| 263 | } |
| 264 | |
| 265 | // now compare the results |
| 266 | foreach ($contact_range as $contact_id) { |
| 267 | $individual_result = CRM_Contact_BAO_Contact_Permission::allow($contact_id, $permission_to_check); |
| 268 | |
| 269 | if (in_array($contact_id, $list_result)) { |
| 270 | // listPermission reports PERMISSION GRANTED |
| 271 | $this->assertTrue($individual_result, "Permission::allow denies {$permission_label} access for contact[{$contact_index[$contact_id]}], while Permission::allowList grants it. User permission: '{$user_permissions_label}'"); |
| 272 | |
| 273 | } |
| 274 | else { |
| 275 | // listPermission reports PERMISSION DENIED |
| 276 | $this->assertFalse($individual_result, "Permission::allow grantes {$permission_label} access for contact[{$contact_index[$contact_id]}], while Permission::allowList denies it. User permission: '{$user_permissions_label}'"); |
| 277 | |
| 278 | } |
| 279 | } |
| 280 | } |
| 281 | } |
| 282 | } |
| 283 | |
| 284 | /* |
| 285 | * Scenario Builders |
| 286 | */ |
| 287 | |
| 288 | /** |
| 289 | * create plain test scenario, no relationships/ACLs |
| 290 | */ |
| 291 | protected function createScenarioPlain() { |
| 292 | // get logged in user |
| 293 | $user_id = $this->createLoggedInUser(); |
| 294 | $this->assertNotEmpty($user_id); |
| 295 | |
| 296 | // create test contacts |
| 297 | $bush_sr_id = $this->individualCreate(['first_name' => 'George', 'middle_name' => 'H. W.', 'last_name' => 'Bush']); |
| 298 | $bush_jr_id = $this->individualCreate(['first_name' => 'George', 'middle_name' => 'W.', 'last_name' => 'Bush']); |
| 299 | $bush_laura_id = $this->individualCreate(['first_name' => 'Laura Lane', 'last_name' => 'Bush']); |
| 300 | $bush_brbra_id = $this->individualCreate(['first_name' => 'Barbara', 'last_name' => 'Bush']); |
| 301 | $bush_brother_id = $this->individualCreate(['first_name' => 'Brother', 'last_name' => 'Bush']); |
| 302 | $bush_nephew_id = $this->individualCreate(['first_name' => 'Nephew', 'last_name' => 'Bush']); |
| 303 | $bush_nephew2_id = $this->individualCreate(['first_name' => 'Nephew2', 'last_name' => 'Bush']); |
| 304 | $bush_otherbro_id = $this->individualCreate(['first_name' => 'Other Brother', 'last_name' => 'Bush']); |
| 305 | $bush_otherneph_id = $this->individualCreate(['first_name' => 'Other Nephew', 'last_name' => 'Bush']); |
| 306 | |
| 307 | $contacts = [$user_id, $bush_sr_id, $bush_jr_id, $bush_laura_id, $bush_brbra_id, $bush_brother_id, $bush_nephew_id, $bush_nephew2_id, $bush_otherbro_id, $bush_otherneph_id]; |
| 308 | sort($contacts); |
| 309 | return $contacts; |
| 310 | } |
| 311 | |
| 312 | /** |
| 313 | * create plain test scenario, no relationships/ACLs |
| 314 | */ |
| 315 | protected function createScenarioRelations() { |
| 316 | $contacts = $this->createScenarioPlain(); |
| 317 | |
| 318 | // create some relationships |
| 319 | $this->callAPISuccess('Relationship', 'create', [ |
| 320 | // CHILD OF |
| 321 | 'relationship_type_id' => 1, |
| 322 | 'contact_id_a' => $contacts[1], |
| 323 | 'contact_id_b' => $contacts[0], |
| 324 | 'is_permission_b_a' => 1, |
| 325 | 'is_active' => 1, |
| 326 | ]); |
| 327 | |
| 328 | $this->callAPISuccess('Relationship', 'create', [ |
| 329 | // CHILD OF |
| 330 | 'relationship_type_id' => 1, |
| 331 | 'contact_id_a' => $contacts[2], |
| 332 | 'contact_id_b' => $contacts[1], |
| 333 | 'is_permission_b_a' => 1, |
| 334 | 'is_active' => 1, |
| 335 | ]); |
| 336 | |
| 337 | $this->callAPISuccess('Relationship', 'create', [ |
| 338 | // CHILD OF |
| 339 | 'relationship_type_id' => 1, |
| 340 | 'contact_id_a' => $contacts[4], |
| 341 | 'contact_id_b' => $contacts[2], |
| 342 | 'is_permission_b_a' => 1, |
| 343 | 'is_active' => 1, |
| 344 | ]); |
| 345 | |
| 346 | $this->callAPISuccess('Relationship', 'create', [ |
| 347 | // SIBLING OF |
| 348 | 'relationship_type_id' => 4, |
| 349 | 'contact_id_a' => $contacts[5], |
| 350 | 'contact_id_b' => $contacts[0], |
| 351 | // View |
| 352 | 'is_permission_b_a' => 2, |
| 353 | 'is_active' => 1, |
| 354 | ]); |
| 355 | |
| 356 | $this->callAPISuccess('Relationship', 'create', [ |
| 357 | // CHILD OF |
| 358 | 'relationship_type_id' => 1, |
| 359 | 'contact_id_a' => $contacts[6], |
| 360 | 'contact_id_b' => $contacts[5], |
| 361 | // Edit |
| 362 | 'is_permission_b_a' => 1, |
| 363 | 'is_active' => 1, |
| 364 | ]); |
| 365 | |
| 366 | $this->callAPISuccess('Relationship', 'create', [ |
| 367 | // CHILD OF |
| 368 | 'relationship_type_id' => 1, |
| 369 | 'contact_id_a' => $contacts[7], |
| 370 | 'contact_id_b' => $contacts[5], |
| 371 | // View |
| 372 | 'is_permission_b_a' => 2, |
| 373 | 'is_active' => 1, |
| 374 | ]); |
| 375 | |
| 376 | $this->callAPISuccess('Relationship', 'create', [ |
| 377 | // SIBLING OF |
| 378 | 'relationship_type_id' => 4, |
| 379 | 'contact_id_a' => $contacts[0], |
| 380 | 'contact_id_b' => $contacts[8], |
| 381 | // edit (as a_b) |
| 382 | 'is_permission_a_b' => 1, |
| 383 | 'is_active' => 1, |
| 384 | ]); |
| 385 | |
| 386 | $this->callAPISuccess('Relationship', 'create', [ |
| 387 | // CHILD OF |
| 388 | 'relationship_type_id' => 1, |
| 389 | 'contact_id_a' => $contacts[9], |
| 390 | 'contact_id_b' => $contacts[8], |
| 391 | // view |
| 392 | 'is_permission_b_a' => 2, |
| 393 | 'is_active' => 1, |
| 394 | ]); |
| 395 | |
| 396 | return $contacts; |
| 397 | } |
| 398 | |
| 399 | /** |
| 400 | * ACL HOOK implementation for various tests |
| 401 | */ |
| 402 | public function hook_civicrm_aclWhereClause($type, &$tables, &$whereTables, &$contactID, &$where) { |
| 403 | if (!empty($this->allowedContactsACL)) { |
| 404 | $contact_id_list = implode(',', $this->allowedContactsACL); |
| 405 | $where = " contact_a.id IN ($contact_id_list)"; |
| 406 | } |
| 407 | } |
| 408 | |
| 409 | } |