tests/phpunit/api/v3/ACLPermissionTest.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.4                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2013                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 require_once 'CiviTest/CiviUnitTestCase.php';
  29
  30 /**
  31  * This class is intended to test ACL permission using the multisite module
  32  *
  33  * @package CiviCRM_APIv3
  34  * @subpackage API_Contact
  35  */
  36
  37 class api_v3_ACLPermissionTest extends CiviUnitTestCase {
  38   protected $_apiversion = 3;
  39   protected $_params;
  40   protected $hookClass = NULL;
  41   public $DBResetRequired = FALSE;
  42
  43   public $_eNoticeCompliant = TRUE;
  44
  45   protected $_entity;
  46
  47   function setUp() {
  48     parent::setUp();
  49     $baoObj = new CRM_Core_DAO();
  50     $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
  51     $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
  52     $this->hookClass = CRM_Utils_Hook::singleton();
  53     $config = CRM_Core_Config::singleton();
  54     $config->userPermissionClass->permissions = array();
  55   }
  56
  57   /**
  58    * (non-PHPdoc)
  59    * @see CiviUnitTestCase::tearDown()
  60    */
  61   function tearDown() {
  62     CRM_Utils_Hook::singleton()->reset();
  63     $tablesToTruncate = array(
  64       'civicrm_contact',
  65     );
  66     $this->quickCleanup($tablesToTruncate);
  67     $config = CRM_Core_Config::singleton();
  68     unset($config->userPermissionClass->permissions);
  69   }
  70
  71   /**
  72    * Function tests that an empty where hook returns no results
  73    */
  74   function testContactGetNoResultsHook() {
  75     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
  76     $result = $this->callAPISuccess('contact', 'get', array(
  77       'check_permissions' => 1,
  78       'return' => 'display_name',
  79     ));
  80     $this->assertEquals(0, $result['count']);
  81   }
  82
  83   /**
  84    * Function tests all results are returned
  85    */
  86   function testContactGetAllResultsHook() {
  87     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
  88     $result = $this->callAPISuccess('contact', 'get', array(
  89       'check_permissions' => 1,
  90       'return' => 'display_name',
  91     ));
  92
  93     $this->assertEquals(2, $result['count']);
  94   }
  95
  96   /**
  97    * Function tests that deleted contacts are not returned
  98    */
  99   function testContactGetPermissionHookNoDeleted() {
 100     $result = $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1));
 101     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 102     $result = $this->callAPISuccess('contact', 'get', array(
 103       'check_permissions' => 1,
 104       'return' => 'display_name',
 105     ));
 106     $this->assertEquals(1, $result['count']);
 107   }
 108
 109   /**
 110    * test permissions limited by hook
 111    */
 112   function testContactGetHookLimitingHook() {
 113     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 114
 115     $result = $this->callAPISuccess('contact', 'get', array(
 116       'check_permissions' => 1,
 117       'return' => 'display_name',
 118     ));
 119     $this->assertEquals(1, $result['count']);
 120   }
 121
 122   /**
 123    * confirm that without check permissions we still get 2 contacts returned
 124    */
 125   function testContactGetHookLimitingHookDontCheck() {
 126     //
 127     $result = $this->callAPISuccess('contact', 'get', array(
 128       'check_permissions' => 0,
 129       'return' => 'display_name',
 130     ));
 131     $this->assertEquals(2, $result['count']);
 132   }
 133
 134   /**
 135    * Check that id works as a filter
 136    */
 137   function testContactGetIDFilter() {
 138     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 139     $result = $this->callAPISuccess('contact', 'get', array(
 140       'sequential' => 1,
 141       'id' => 2,
 142       'check_permissions' => 1,
 143     ));
 144
 145     $this->assertEquals(1, $result['count']);
 146     $this->assertEquals(2, $result['id']);
 147   }
 148
 149   /**
 150    * Check that address IS returned
 151    */
 152   function testContactGetAddressReturned() {
 153     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 154     $fullresult = $this->callAPISuccess('contact', 'get', array(
 155       'sequential' => 1,
 156     ));
 157     //return doesn't work for all keys - can't fix that here so let's skip ...
 158     //prefix & suffix are inconsistent due to  CRM-7929
 159     // unsure about others but return doesn't work on them
 160     $elementsReturnDoesntSupport = array(
 161       'prefix',
 162       'suffix',
 163       'gender',
 164       'current_employer',
 165       'phone_id',
 166       'phone_type_id',
 167       'phone',
 168       'worldregion_id',
 169       'world_region'
 170     );
 171     $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
 172     $result = $this->callAPISuccess('contact', 'get', array(
 173       'check_permissions' => 1,
 174       'return' => $expectedReturnElements,
 175       'sequential' => 1,
 176     ));
 177     $this->assertEquals(1, $result['count']);
 178     foreach ($expectedReturnElements as $element) {
 179       $this->assertArrayHasKey($element, $result['values'][0]);
 180     }
 181   }
 182
 183   /**
 184    * Check that pledge IS not returned
 185    */
 186   function testContactGetPledgeIDNotReturned() {
 187     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 188     $fullresult = $this->callAPISuccess('contact', 'get', array(
 189       'sequential' => 1,
 190     ));
 191     $result = $this->callAPISuccess('contact', 'get', array(
 192       'check_permissions' => 1,
 193       'return' => 'pledge_id',
 194       'sequential' => 1,
 195     ));
 196     $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
 197   }
 198
 199   /**
 200    * Check that pledge IS not an allowable filter
 201    */
 202   function testContactGetPledgeIDNotFiltered() {
 203     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 204     $fullresult = $this->callAPISuccess('contact', 'get', array(
 205       'sequential' => 1,
 206     ));
 207     $result = $this->callAPISuccess('contact', 'get', array(
 208       'check_permissions' => 1,
 209       'pledge_id' => 1,
 210       'sequential' => 1,
 211     ));
 212     $this->assertEquals(2, $result['count']);
 213   }
 214
 215   /**
 216    * Check that chaining doesn't bypass permissions
 217    */
 218   function testContactGetPledgeNotChainable() {
 219     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 220     $fullresult = $this->callAPISuccess('contact', 'get', array(
 221       'sequential' => 1,
 222     ));
 223     $result = $this->callAPIFailure('contact', 'get', array(
 224         'check_permissions' => 1,
 225         'api.pledge.get' => 1,
 226         'sequential' => 1,
 227       ),
 228       'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.'
 229     );
 230   }
 231
 232   /**
 233    * no results returned
 234    */
 235   function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
 236   }
 237
 238   /**
 239    * all results returned
 240    */
 241   function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
 242     $where = " (1) ";
 243   }
 244
 245   /**
 246    * full results returned
 247    */
 248   function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
 249     $where = " contact_a.id > 1";
 250   }
 251
 252
 253 }
 254