3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
29 * This class is intended to test ACL permission using the multisite module
31 * @package CiviCRM_APIv3
32 * @subpackage API_Contact
35 class api_v3_ACLPermissionTest
extends CiviUnitTestCase
{
36 protected $_apiversion = 3;
37 public $DBResetRequired = FALSE;
39 protected $allowedContactId = 0;
41 public function setUp() {
43 $baoObj = new CRM_Core_DAO();
44 $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', array(), 1, 0);
45 $baoObj->createTestObject('CRM_Core_BAO_Phone', array(), 1, 0);
46 $config = CRM_Core_Config
::singleton();
47 $config->userPermissionClass
->permissions
= array();
52 * @see CiviUnitTestCase::tearDown()
54 public function tearDown() {
55 CRM_Utils_Hook
::singleton()->reset();
56 $tablesToTruncate = array(
58 'civicrm_group_contact',
62 'civicrm_acl_entity_role',
63 'civicrm_acl_contact_cache',
64 'civicrm_contribution',
65 'civicrm_participant',
68 $this->quickCleanup($tablesToTruncate);
69 $config = CRM_Core_Config
::singleton();
70 unset($config->userPermissionClass
->permissions
);
74 * Function tests that an empty where hook returns no results.
76 public function testContactGetNoResultsHook() {
77 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
78 $result = $this->callAPISuccess('contact', 'get', array(
79 'check_permissions' => 1,
80 'return' => 'display_name',
82 $this->assertEquals(0, $result['count']);
86 * Function tests that an empty where hook returns exactly 1 result with "view my contact".
88 * CRM-16512 caused contacts with Edit my contact to be able to view all records.
90 public function testContactGetOneResultHookWithViewMyContact() {
91 $this->createLoggedInUser();
92 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
93 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array('access CiviCRM', 'view my contact');
94 $result = $this->callAPISuccess('contact', 'get', array(
95 'check_permissions' => 1,
96 'return' => 'display_name',
98 $this->assertEquals(1, $result['count']);
102 * Function tests that a user with "edit my contact" can edit themselves.
104 public function testContactEditHookWithEditMyContact() {
105 $cid = $this->createLoggedInUser();
106 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
107 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array('access CiviCRM', 'edit my contact');
108 $this->callAPISuccess('contact', 'create', array(
109 'check_permissions' => 1,
115 * Ensure contact permissions extend to related entities like email
117 public function testRelatedEntityPermissions() {
118 $this->createLoggedInUser();
119 $disallowedContact = $this->individualCreate(array(), 0);
120 $this->allowedContactId
= $this->individualCreate(array(), 1);
121 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne'));
122 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array('access CiviCRM');
123 $testEntities = array(
124 'Email' => array('email' => 'null@nothing', 'location_type_id' => 1),
125 'Phone' => array('phone' => '123456', 'location_type_id' => 1),
126 'IM' => array('name' => 'hello', 'location_type_id' => 1),
127 'Website' => array('url' => 'http://test'),
128 'Address' => array('street_address' => '123 Sesame St.', 'location_type_id' => 1),
130 foreach ($testEntities as $entity => $params) {
132 'contact_id' => $disallowedContact,
133 'check_permissions' => 1,
135 // We should be prevented from getting or creating entities for a contact we don't have permission for
136 $this->callAPIFailure($entity, 'create', $params);
137 $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $disallowedContact, 'check_permissions' => 1));
138 $this->assertEquals(0, $results['count']);
140 // We should be allowed to create and get for contacts we do have permission on
141 $params['contact_id'] = $this->allowedContactId
;
142 $this->callAPISuccess($entity, 'create', $params);
143 $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $this->allowedContactId
, 'check_permissions' => 1));
144 $this->assertGreaterThan(0, $results['count']);
149 * Function tests all results are returned.
151 public function testContactGetAllResultsHook() {
152 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
153 $result = $this->callAPISuccess('contact', 'get', array(
154 'check_permissions' => 1,
155 'return' => 'display_name',
158 $this->assertEquals(2, $result['count']);
162 * Function tests that deleted contacts are not returned.
164 public function testContactGetPermissionHookNoDeleted() {
165 $this->callAPISuccess('contact', 'create', array('id' => 2, 'is_deleted' => 1));
166 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
167 $result = $this->callAPISuccess('contact', 'get', array(
168 'check_permissions' => 1,
169 'return' => 'display_name',
171 $this->assertEquals(1, $result['count']);
175 * Test permissions limited by hook.
177 public function testContactGetHookLimitingHook() {
178 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
180 $result = $this->callAPISuccess('contact', 'get', array(
181 'check_permissions' => 1,
182 'return' => 'display_name',
184 $this->assertEquals(1, $result['count']);
188 * Confirm that without check permissions we still get 2 contacts returned.
190 public function testContactGetHookLimitingHookDontCheck() {
191 $result = $this->callAPISuccess('contact', 'get', array(
192 'check_permissions' => 0,
193 'return' => 'display_name',
195 $this->assertEquals(2, $result['count']);
199 * Check that id works as a filter.
201 public function testContactGetIDFilter() {
202 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
203 $result = $this->callAPISuccess('contact', 'get', array(
206 'check_permissions' => 1,
209 $this->assertEquals(1, $result['count']);
210 $this->assertEquals(2, $result['id']);
214 * Check that address IS returned.
216 public function testContactGetAddressReturned() {
217 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
218 $fullresult = $this->callAPISuccess('contact', 'get', array(
221 //return doesn't work for all keys - can't fix that here so let's skip ...
222 //prefix & suffix are inconsistent due to CRM-7929
223 // unsure about others but return doesn't work on them
224 $elementsReturnDoesntSupport = array(
235 $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
236 $result = $this->callAPISuccess('contact', 'get', array(
237 'check_permissions' => 1,
238 'return' => $expectedReturnElements,
241 $this->assertEquals(1, $result['count']);
242 foreach ($expectedReturnElements as $element) {
243 $this->assertArrayHasKey($element, $result['values'][0]);
248 * Check that pledge IS not returned.
250 public function testContactGetPledgeIDNotReturned() {
251 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
252 $this->callAPISuccess('contact', 'get', array(
255 $result = $this->callAPISuccess('contact', 'get', array(
256 'check_permissions' => 1,
257 'return' => 'pledge_id',
260 $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
264 * Check that pledge IS not an allowable filter.
266 public function testContactGetPledgeIDNotFiltered() {
267 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookAllResults'));
268 $this->callAPISuccess('contact', 'get', array(
271 $result = $this->callAPISuccess('contact', 'get', array(
272 'check_permissions' => 1,
276 $this->assertEquals(2, $result['count']);
280 * Check that chaining doesn't bypass permissions
282 public function testContactGetPledgeNotChainable() {
283 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
284 $this->callAPISuccess('contact', 'get', array(
287 $this->callAPIFailure('contact', 'get', array(
288 'check_permissions' => 1,
289 'api.pledge.get' => 1,
292 'Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.'
296 public function setupCoreACL() {
297 $this->createLoggedInUser();
298 $this->_permissionedDisabledGroup
= $this->groupCreate(array(
299 'title' => 'pick-me-disabled',
301 'name' => 'pick-me-disabled',
303 $this->_permissionedGroup
= $this->groupCreate(array(
304 'title' => 'pick-me-active',
306 'name' => 'pick-me-active',
312 * @dataProvider entities
313 * confirm that without check permissions we still get 2 contacts returned
316 public function testEntitiesGetHookLimitingHookNoCheck($entity) {
317 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array();
318 $this->setUpEntities($entity);
319 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
320 $result = $this->callAPISuccess($entity, 'get', array(
321 'check_permissions' => 0,
322 'return' => 'contact_id',
324 $this->assertEquals(2, $result['count']);
328 * @dataProvider entities
329 * confirm that without check permissions we still get 2 entities returned
332 public function testEntitiesGetCoreACLLimitingHookNoCheck($entity) {
333 $this->setupCoreACL();
334 //CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
335 $this->setUpEntities($entity);
336 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
337 $result = $this->callAPISuccess($entity, 'get', array(
338 'check_permissions' => 0,
339 'return' => 'contact_id',
341 $this->assertEquals(2, $result['count']);
345 * @dataProvider entities
346 * confirm that with check permissions we don't get entities
348 * @throws \PHPUnit_Framework_IncompleteTestError
350 public function testEntitiesGetCoreACLLimitingCheck($entity) {
351 $this->markTestIncomplete('this does not work in 4.4 but can be enabled in 4.5 or a security release of 4.4 including the important security fix CRM-14877');
352 $this->setupCoreACL();
353 $this->setUpEntities($entity);
354 $result = $this->callAPISuccess($entity, 'get', array(
355 'check_permissions' => 1,
356 'return' => 'contact_id',
358 $this->assertEquals(0, $result['count']);
362 * @dataProvider entities
363 * Function tests that an empty where hook returns no results
364 * @param string $entity
365 * @throws \PHPUnit_Framework_IncompleteTestError
367 public function testEntityGetNoResultsHook($entity) {
368 $this->markTestIncomplete('hook acls only work with contacts so far');
369 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array();
370 $this->setUpEntities($entity);
371 $this->hookClass
->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
372 $result = $this->callAPISuccess($entity, 'get', array(
373 'check_permission' => 1,
375 $this->assertEquals(0, $result['count']);
381 public static function entities() {
382 return array(array('contribution'), array('participant'));// @todo array('pledge' => 'pledge')
389 public function setUpEntities($entity) {
390 $baoObj = new CRM_Core_DAO();
391 $baoObj->createTestObject(_civicrm_api3_get_BAO($entity), array(), 2, 0);
392 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= array(
394 'access CiviContribute',
396 'view event participants',
401 * No results returned.
403 * @implements CRM_Utils_Hook::aclWhereClause
405 * @param string $type
406 * @param array $tables
407 * @param array $whereTables
408 * @param int $contactID
409 * @param string $where
411 public function aclWhereHookNoResults($type, &$tables, &$whereTables, &$contactID, &$where) {
415 * All results returned.
417 * @implements CRM_Utils_Hook::aclWhereClause
419 * @param string $type
420 * @param array $tables
421 * @param array $whereTables
422 * @param int $contactID
423 * @param string $where
425 public function aclWhereHookAllResults($type, &$tables, &$whereTables, &$contactID, &$where) {
430 * All but first results returned.
431 * @implements CRM_Utils_Hook::aclWhereClause
434 * @param $whereTables
438 public function aclWhereOnlySecond($type, &$tables, &$whereTables, &$contactID, &$where) {
439 $where = " contact_a.id > 1";
443 * Only specified contact returned.
444 * @implements CRM_Utils_Hook::aclWhereClause
447 * @param $whereTables
451 public function aclWhereOnlyOne($type, &$tables, &$whereTables, &$contactID, &$where) {
452 $where = " contact_a.id = " . $this->allowedContactId
;