1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
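/**
 * Class CRM_Event_BAO_EventPermissionsTest
 *
 * Access-control tests for CRM_Event_BAO_Event::checkPermission() and the
 * ACL-based event lookups. Each test installs one permission set for the
 * logged-in user and asserts whether VIEW / EDIT / DELETE is granted on an
 * event whose created_id is that user ("own") or a different id ("other").
 *
 * @group headless
 */
class CRM_Event_BAO_EventPermissionsTest extends CiviUnitTestCase {

  use Civi\Test\ACLPermissionTrait;

  /**
   * Log a user in and create one event per creator before every test.
   */
  public function setUp(): void {
    parent::setUp();
    $this->_contactId = $this->createLoggedInUser();
    $this->createOwnEvent();
    $this->createOtherEvent();
  }

  /**
   * Create an event whose created_id is the logged-in contact.
   */
  public function createOwnEvent(): void {
    $event = $this->eventCreate([
      'created_id' => $this->_contactId,
    ]);
    $this->_ownEventId = $event['id'];
  }

  /**
   * Create an event whose created_id differs from the logged-in contact.
   */
  public function createOtherEvent(): void {
    // NOTE(review): the "other" creator id is derived arithmetically and no
    // contact with that id is created in this class - confirm the fixture only
    // needs created_id to differ from the logged-in user.
    $this->_otherContactId = $this->_contactId + 1;
    $event = $this->eventCreate([
      'created_id' => $this->_otherContactId,
    ]);
    $this->_otherEventId = $event['id'];
  }

  /**
   * Replace the permission list held by the configured user permission class.
   *
   * This overwrites state on the CRM_Core_Config singleton and nothing in this
   * class restores it afterwards.
   * NOTE(review): presumably the base test case resets it between tests - confirm.
   *
   * @param string[] $permissions
   */
  private function setUserPermissions(array $permissions): void {
    CRM_Core_Config::singleton()->userPermissionClass->permissions = $permissions;
  }

  /**
   * Drop cached event permission data so the next check is evaluated afresh.
   *
   * The tests originally cleared only the 'permissions' key. testViewOwnEvent()
   * shows that checkPermission() honours per-event decisions stored under
   * 'permission' (singular), so that key is cleared as well; otherwise a stale
   * cached decision could satisfy an allow/deny assertion without the
   * permission logic being exercised.
   * NOTE(review): whether 'permissions' is still a live cache key cannot be
   * seen from this file - it is kept so existing behaviour is not reduced.
   */
  private function resetEventPermissionCache(): void {
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permission']);
  }

  /**
   * Baseline event access without 'view event participants'.
   */
  private function setViewOwnEventPermissions(): void {
    $this->setUserPermissions(['access CiviCRM', 'access CiviEvent', 'view event info']);
  }

  /**
   * Baseline event access plus 'view event participants'.
   */
  private function setViewAllEventPermissions(): void {
    $this->setUserPermissions(['access CiviCRM', 'access CiviEvent', 'view event info', 'view event participants']);
  }

  /**
   * Baseline event access plus 'edit all events'.
   */
  private function setEditAllEventPermissions(): void {
    $this->setUserPermissions(['access CiviCRM', 'access CiviEvent', 'view event info', 'edit all events']);
  }

  /**
   * Baseline event access plus 'delete in CiviEvent'.
   */
  private function setDeleteAllEventPermissions(): void {
    $this->setUserPermissions(['access CiviCRM', 'access CiviEvent', 'view event info', 'delete in CiviEvent']);
  }

  /**
   * The creator may view their own event, and a cached decision overrides a fresh evaluation.
   */
  public function testViewOwnEvent(): void {
    $this->setViewOwnEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertTrue(CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW));
    // Now check that caching is actually working: a cached FALSE must win even
    // though the permission set above grants access. The same precedence means
    // code that changes permissions mid-request has to clear this cache, or the
    // earlier decision keeps being returned.
    \Civi::$statics['CRM_Event_BAO_Event']['permission']['view'][$this->_ownEventId] = FALSE;
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW));
  }

  /**
   * The creator may edit their own event with only the baseline permissions.
   */
  public function testEditOwnEvent(): void {
    $this->setViewOwnEventPermissions();
    $this->resetEventPermissionCache();
    // NOTE(review): _loggedInUser is assigned in several tests but never read
    // in this class - confirm something outside this file consumes it.
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $this->assertTrue(CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::EDIT));
  }

  /**
   * Deleting your own event needs the same permission as deleting someone
   * else's; see testDeleteOtherEventAllowed() and testDeleteOtherEventDenied().
   */
  public function testDeleteOwnEvent(): void {
    // Check that you can't delete your own event without "Delete in CiviEvent" permission
    $this->setViewOwnEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::DELETE));
  }

  /**
   * Without 'view event participants', another creator's event is not viewable.
   */
  public function testViewOtherEventDenied(): void {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $this->setViewOwnEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW));
  }

  /**
   * With 'view event participants', another creator's event is viewable.
   */
  public function testViewOtherEventAllowed(): void {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $this->setViewAllEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertTrue(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW));
  }

  /**
   * Test that the contact can view an event with an ACL permitting everyone to view it.
   */
  public function testViewAclEventAllowed(): void {
    $this->setupScenarioCoreACLEveryonePermittedToEvent();
    $expectedEventID = $this->scenarioIDs['Event']['permitted_event'];
    $permittedEventID = CRM_Core_Permission::event(CRM_Core_Permission::VIEW, $expectedEventID);
    $this->assertEquals($expectedEventID, $permittedEventID);
  }

  /**
   * View-level access to another creator's event must not imply edit access.
   */
  public function testEditOtherEventDenied(): void {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $this->setViewAllEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT));
  }

  /**
   * 'edit all events' grants edit access to another creator's event.
   */
  public function testEditOtherEventAllowed(): void {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $this->setEditAllEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertTrue(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT));
  }

  /**
   * 'delete in CiviEvent' grants delete access to another creator's event.
   */
  public function testDeleteOtherEventAllowed(): void {
    $this->setDeleteAllEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertTrue(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE));
  }

  /**
   * 'edit all events' alone must not grant delete access.
   */
  public function testDeleteOtherEventDenied(): void {
    // FIXME: This test could be improved, but for now it checks that we can't delete if we don't have "Delete in CiviEvent"
    $this->setEditAllEventPermissions();
    $this->resetEventPermissionCache();
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE));
  }

  /**
   * Test get complete info function returns all info for contacts with view all info.
   *
   * Asserts that the first two entries returned under the "everyone permitted"
   * ACL scenario both carry the expected title.
   */
  public function testGetCompleteInfo(): void {
    $this->setupScenarioCoreACLEveryonePermittedToEvent();
    // NOTE(review): '20000101' looks like a start-date filter - confirm against getCompleteInfo().
    $info = CRM_Event_BAO_Event::getCompleteInfo('20000101');
    $this->assertEquals('Annual CiviCRM meet', $info[0]['title']);
    $this->assertEquals('Annual CiviCRM meet', $info[1]['title']);
  }

}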