3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
13 * Class CRM_Event_BAO_EventPermissionsTest
16 class CRM_Event_BAO_EventPermissionsTest
extends CiviUnitTestCase
{
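/**
 * Prepare the fixtures shared by every test: a logged-in user and two
 * events, one created by that user and one attributed to a different
 * contact id.
 */
public function setUp() {
  // Run the base fixture setup first; the visible body never called it,
  // so the helpers below would run against an unprepared test case.
  parent::setUp();
  $this->_contactId = $this->createLoggedInUser();
  $this->createOwnEvent();
  $this->createOtherEvent();
}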
/**
 * Create an event whose created_id is the logged-in contact and remember
 * its id in $this->_ownEventId for the "own event" tests.
 */
public function createOwnEvent() {
  $params = [
    'created_id' => $this->_contactId,
  ];
  $ownEvent = $this->eventCreate($params);
  $this->_ownEventId = $ownEvent['id'];
}
/**
 * Create an event attributed to a contact id other than the logged-in
 * user and remember its id in $this->_otherEventId.
 */
public function createOtherEvent() {
  // NOTE(review): the "other" owner is simply the logged-in contact id
  // plus one; no contact is created for it in the visible code. Confirm
  // that id cannot coincide with another fixture the tests rely on.
  $this->_otherContactId = $this->_contactId + 1;
  $params = [
    'created_id' => $this->_otherContactId,
  ];
  $otherEvent = $this->eventCreate($params);
  $this->_otherEventId = $otherEvent['id'];
}
/**
 * Replace the active permission list with the baseline event set.
 *
 * The list is assigned wholesale, so anything granted earlier is dropped.
 * The tests in this class expect this set to allow viewing and editing
 * the user's own event, and to deny deleting it or viewing another
 * contact's event.
 */
private function setViewOwnEventPermissions() {
  $granted = ['access CiviCRM', 'access CiviEvent', 'view event info'];
  CRM_Core_Config::singleton()->userPermissionClass->permissions = $granted;
}
/**
 * Replace the active permission list with the baseline set plus
 * 'view event participants'.
 *
 * The tests in this class expect this set to allow viewing another
 * contact's event while still denying edits to it.
 */
private function setViewAllEventPermissions() {
  $granted = ['access CiviCRM', 'access CiviEvent', 'view event info', 'view event participants'];
  CRM_Core_Config::singleton()->userPermissionClass->permissions = $granted;
}
/**
 * Replace the active permission list with the baseline set plus
 * 'edit all events'.
 *
 * The tests in this class expect this set to allow editing another
 * contact's event while still denying its deletion.
 */
private function setEditAllEventPermissions() {
  $granted = ['access CiviCRM', 'access CiviEvent', 'view event info', 'edit all events'];
  CRM_Core_Config::singleton()->userPermissionClass->permissions = $granted;
}
/**
 * Replace the active permission list with the baseline set plus
 * 'delete in CiviEvent'.
 *
 * The tests in this class expect this set to allow deleting another
 * contact's event.
 */
private function setDeleteAllEventPermissions() {
  $granted = ['access CiviCRM', 'access CiviEvent', 'view event info', 'delete in CiviEvent'];
  CRM_Core_Config::singleton()->userPermissionClass->permissions = $granted;
}
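/**
 * The creator of an event may view it with only the baseline permissions,
 * and checkPermission() answers from its per-event static cache once an
 * entry exists.
 *
 * The second half pins the caching behaviour: a cached decision wins over
 * the live permission set, so a stale entry can flip an authorization
 * result until the cache is cleared.
 */
public function testViewOwnEvent() {
  $this->setViewOwnEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache
  // (the key poisoned below), so the first check is computed from the
  // permission set above rather than from a leftover cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
  $this->assertTrue($permissions);

  // Now check that caching is actually working
  \Civi::$statics['CRM_Event_BAO_Event']['permission']['view'][$this->_ownEventId] = FALSE;
  try {
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
    $this->assertFalse($permissions);
  }
  finally {
    // Do not leave the forced denial behind for whatever runs next.
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permission']['view'][$this->_ownEventId]);
  }
}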
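/**
 * The creator of an event may edit it with only the baseline permissions.
 */
public function testEditOwnEvent() {
  $this->setViewOwnEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the result reflects the permission set above, not a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  // NOTE(review): _loggedInUser is not read by any test visible here.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::EDIT);
  $this->assertTrue($permissions);
}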
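/**
 * Ownership alone does not grant deletion.
 *
 * Deleting your own event requires the same permission as deleting
 * another contact's event (see testDeleteOtherEventAllowed() and
 * testDeleteOtherEventDenied()).
 */
public function testDeleteOwnEvent() {
  // Check that you can't delete your own event without "Delete in CiviEvent" permission
  $this->setViewOwnEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the denial is computed from the permission set above, not replayed
  // from a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::DELETE);
  $this->assertFalse($permissions);
}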
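/**
 * With only the baseline permissions, an event created by another
 * contact must not be viewable.
 */
public function testViewOtherEventDenied() {
  // NOTE(review): _loggedInUser is not read by any test visible here.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $this->setViewOwnEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the denial is computed from the permission set above, not replayed
  // from a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
  $this->assertFalse($permissions);
}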
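/**
 * Adding 'view event participants' to the baseline permissions makes an
 * event created by another contact viewable.
 */
public function testViewOtherEventAllowed() {
  // NOTE(review): _loggedInUser is not read by any test visible here.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $this->setViewAllEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the result reflects the permission set above, not a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
  $this->assertTrue($permissions);
}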
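/**
 * Being allowed to view another contact's event does not imply being
 * allowed to edit it.
 */
public function testEditOtherEventDenied() {
  // NOTE(review): _loggedInUser is not read by any test visible here.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $this->setViewAllEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the denial is computed from the permission set above, not replayed
  // from a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
  $this->assertFalse($permissions);
}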
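/**
 * Adding 'edit all events' to the baseline permissions makes an event
 * created by another contact editable.
 */
public function testEditOtherEventAllowed() {
  // NOTE(review): _loggedInUser is not read by any test visible here.
  $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
  $this->setEditAllEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the result reflects the permission set above, not a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
  $this->assertTrue($permissions);
}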
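/**
 * Adding 'delete in CiviEvent' to the baseline permissions allows
 * deleting an event created by another contact.
 */
public function testDeleteOtherEventAllowed() {
  $this->setDeleteAllEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the result reflects the permission set above, not a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
  $this->assertTrue($permissions);
}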
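/**
 * 'edit all events' does not imply deletion: without
 * 'delete in CiviEvent' another contact's event cannot be deleted.
 */
public function testDeleteOtherEventDenied() {
  // FIXME: This test could be improved, but for now it checks that we can't delete if we don't have "Delete in CiviEvent"
  $this->setEditAllEventPermissions();
  // Clear the 'permissions' entry and the per-event 'permission' cache so
  // the denial is computed from the permission set above, not replayed
  // from a cached decision.
  unset(
    \Civi::$statics['CRM_Event_BAO_Event']['permissions'],
    \Civi::$statics['CRM_Event_BAO_Event']['permission']
  );
  $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
  $this->assertFalse($permissions);
}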