tests/phpunit/api/v3/ACLPermissionTest.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.6                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2014                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 require_once 'CiviTest/CiviUnitTestCase.php';
  29
  30 /**
  31  * This class is intended to test ACL permission using the multisite module
  32  *
  33  * @package CiviCRM_APIv3
  34  * @subpackage API_Contact
  35  */
  36 class api_v3_ACLPermissionTest extends CiviUnitTestCase {
  37   protected $_apiversion = 3;
  38   public $DBResetRequired = FALSE;
  39   protected $_entity;
  40
  41   public function setUp() {
  42     parent::setUp();
  43     $baoObj = new CRM_Core_DAO();
  44     $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
  45     $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
  46     $config = CRM_Core_Config::singleton();
  47     $config->userPermissionClass->permissions = array();
  48   }
  49
  50   /**
  51    * (non-PHPdoc)
  52    * @see CiviUnitTestCase::tearDown()
  53    */
  54   public function tearDown() {
  55     CRM_Utils_Hook::singleton()->reset();
  56     $tablesToTruncate = array(
  57       'civicrm_contact',
  58       'civicrm_group_contact',
  59       'civicrm_group',
  60       'civicrm_acl',
  61       'civicrm_acl_cache',
  62       'civicrm_acl_entity_role',
  63       'civicrm_acl_contact_cache',
  64       'civicrm_contribution',
  65       'civicrm_participant',
  66     );
  67     $this->quickCleanup($tablesToTruncate);
  68     $config = CRM_Core_Config::singleton();
  69     unset($config->userPermissionClass->permissions);
  70   }
  71
  72   /**
  73    * Function tests that an empty where hook returns no results
  74    */
  75   public function testContactGetNoResultsHook() {
  76     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
  77     $result = $this->callAPISuccess('contact', 'get', array(
  78       'check_permissions' => 1,
  79       'return' => 'display_name',
  80     ));
  81     $this->assertEquals(0, $result['count']);
  82   }
  83
  84   /**
  85    * Function tests all results are returned
  86    */
  87   public function testContactGetAllResultsHook() {
  88     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
  89     $result = $this->callAPISuccess('contact', 'get', array(
  90       'check_permissions' => 1,
  91       'return' => 'display_name',
  92     ));
  93
  94     $this->assertEquals(2, $result['count']);
  95   }
  96
  97   /**
  98    * Function tests that deleted contacts are not returned
  99    */
 100   public function testContactGetPermissionHookNoDeleted() {
 101     $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1));
 102     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 103     $result = $this->callAPISuccess('contact', 'get', array(
 104       'check_permissions' => 1,
 105       'return' => 'display_name',
 106     ));
 107     $this->assertEquals(1, $result['count']);
 108   }
 109
 110   /**
 111    * Test permissions limited by hook
 112    */
 113   public function testContactGetHookLimitingHook() {
 114     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 115
 116     $result = $this->callAPISuccess('contact', 'get', array(
 117       'check_permissions' => 1,
 118       'return' => 'display_name',
 119     ));
 120     $this->assertEquals(1, $result['count']);
 121   }
 122
 123   /**
 124    * Confirm that without check permissions we still get 2 contacts returned
 125    */
 126   public function testContactGetHookLimitingHookDontCheck() {
 127     $result = $this->callAPISuccess('contact', 'get', array(
 128       'check_permissions' => 0,
 129       'return' => 'display_name',
 130     ));
 131     $this->assertEquals(2, $result['count']);
 132   }
 133
 134   /**
 135    * Check that id works as a filter
 136    */
 137   public function testContactGetIDFilter() {
 138     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 139     $result = $this->callAPISuccess('contact', 'get', array(
 140       'sequential' => 1,
 141       'id' => 2,
 142       'check_permissions' => 1,
 143     ));
 144
 145     $this->assertEquals(1, $result['count']);
 146     $this->assertEquals(2, $result['id']);
 147   }
 148
 149   /**
 150    * Check that address IS returned
 151    */
 152   public function testContactGetAddressReturned() {
 153     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 154     $fullresult = $this->callAPISuccess('contact', 'get', array(
 155       'sequential' => 1,
 156     ));
 157     //return doesn't work for all keys - can't fix that here so let's skip ...
 158     //prefix & suffix are inconsistent due to  CRM-7929
 159     // unsure about others but return doesn't work on them
 160     $elementsReturnDoesntSupport = array(
 161       'prefix',
 162       'suffix',
 163       'gender',
 164       'current_employer',
 165       'phone_id',
 166       'phone_type_id',
 167       'phone',
 168       'worldregion_id',
 169       'world_region',
 170     );
 171     $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
 172     $result = $this->callAPISuccess('contact', 'get', array(
 173       'check_permissions' => 1,
 174       'return' => $expectedReturnElements,
 175       'sequential' => 1,
 176     ));
 177     $this->assertEquals(1, $result['count']);
 178     foreach ($expectedReturnElements as $element) {
 179       $this->assertArrayHasKey($element, $result['values'][0]);
 180     }
 181   }
 182
 183   /**
 184    * Check that pledge IS not returned
 185    */
 186   public function testContactGetPledgeIDNotReturned() {
 187     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 188     $this->callAPISuccess('contact', 'get', array(
 189       'sequential' => 1,
 190     ));
 191     $result = $this->callAPISuccess('contact', 'get', array(
 192       'check_permissions' => 1,
 193       'return' => 'pledge_id',
 194       'sequential' => 1,
 195     ));
 196     $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
 197   }
 198
 199   /**
 200    * Check that pledge IS not an allowable filter
 201    */
 202   public function testContactGetPledgeIDNotFiltered() {
 203     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
 204     $this->callAPISuccess('contact', 'get', array(
 205       'sequential' => 1,
 206     ));
 207     $result = $this->callAPISuccess('contact', 'get', array(
 208       'check_permissions' => 1,
 209       'pledge_id' => 1,
 210       'sequential' => 1,
 211     ));
 212     $this->assertEquals(2, $result['count']);
 213   }
 214
 215   /**
 216    * Check that chaining doesn't bypass permissions
 217    */
 218   public function testContactGetPledgeNotChainable() {
 219     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
 220     $this->callAPISuccess('contact', 'get', array(
 221       'sequential' => 1,
 222     ));
 223     $this->callAPIFailure('contact', 'get', array(
 224         'check_permissions' => 1,
 225         'api.pledge.get' => 1,
 226         'sequential' => 1,
 227       ),
 228       'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.'
 229     );
 230   }
 231
 232   public function setupCoreACL() {
 233     $this->createLoggedInUser();
 234     $this->_permissionedDisabledGroup = $this->groupCreate(array(
 235       'title' => 'pick-me-disabled',
 236       'is_active' => 0,
 237       'name' => 'pick-me-disabled',
 238     ));
 239     $this->_permissionedGroup = $this->groupCreate(array(
 240       'title' => 'pick-me-active',
 241       'is_active' => 1,
 242       'name' => 'pick-me-active',
 243     ));
 244     $this->setupACL();
 245   }
 246
 247   /**
 248    * @dataProvider entities
 249    * confirm that without check permissions we still get 2 contacts returned
 250    */
 251   public function testEntitiesGetHookLimitingHookNoCheck($entity) {
 252     CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
 253     $this->setUpEntities($entity);
 254     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
 255     $result = $this->callAPISuccess($entity, 'get', array(
 256       'check_permissions' => 0,
 257       'return' => 'contact_id',
 258     ));
 259     $this->assertEquals(2, $result['count']);
 260   }
 261
 262   /**
 263    * @dataProvider entities
 264    * confirm that without check permissions we still get 2 entities returned
 265    */
 266   public function testEntitiesGetCoreACLLimitingHookNoCheck($entity) {
 267     $this->setupCoreACL();
 268     //CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
 269     $this->setUpEntities($entity);
 270     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
 271     $result = $this->callAPISuccess($entity, 'get', array(
 272       'check_permissions' => 0,
 273       'return' => 'contact_id',
 274     ));
 275     $this->assertEquals(2, $result['count']);
 276   }
 277
 278   /**
 279    * @dataProvider entities
 280    * confirm that with check permissions we don't get entities
 281    */
 282   public function testEntitiesGetCoreACLLimitingCheck($entity) {
 283     $this->markTestIncomplete('this does not work in 4.4 but can be enabled in 4.5 or a security release of 4.4 including the important security fix CRM-14877');
 284     $this->setupCoreACL();
 285     $this->setUpEntities($entity);
 286     $result = $this->callAPISuccess($entity, 'get', array(
 287       'check_permissions' => 1,
 288       'return' => 'contact_id',
 289     ));
 290     $this->assertEquals(0, $result['count']);
 291   }
 292
 293
 294   /**
 295    * @dataProvider entities
 296    * Function tests that an empty where hook returns no results
 297    */
 298   public function testEntityGetNoResultsHook($entity) {
 299     $this->markTestIncomplete('hook acls only work with contacts so far');
 300     CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
 301     $this->setUpEntities($entity);
 302     $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
 303     $result = $this->callAPISuccess($entity, 'get', array(
 304       'check_permission' => 1,
 305     ));
 306     $this->assertEquals(0, $result['count']);
 307   }
 308
 309   /**
 310    * @return array
 311    */
 312   public static function entities() {
 313     return array(array('contribution'), array('participant'));// @todo array('pledge' => 'pledge')
 314   }
 315
 316   /**
 317    * Create 2 entities
 318    */
 319   public function setUpEntities($entity) {
 320     $baoObj = new CRM_Core_DAO();
 321     $baoObj->createTestObject(_civicrm_api3_get_BAO($entity), array(), 2, 0);
 322     CRM_Core_Config::singleton()->userPermissionClass->permissions = array(
 323       'access CiviCRM',
 324       'access CiviContribute',
 325       'access CiviEvent',
 326       'view event participants',
 327     );
 328   }
 329
 330   /**
 331    * No results returned
 332    */
 333   public function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
 334   }
 335
 336   /**
 337    * All results returned
 338    * @implements CRM_Utils_Hook::aclWhereClause
 339    */
 340   public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
 341     $where = " (1) ";
 342   }
 343
 344   /**
 345    * Full results returned
 346    * @implements CRM_Utils_Hook::aclWhereClause
 347    */
 348   public function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
 349     $where = " contact_a.id > 1";
 350   }
 351 }