3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
13 * This class is intended to test ACL permission using the multisite module
15 * @package CiviCRM_APIv3
16 * @subpackage API_Contact
19 class api_v3_ACLPermissionTest
extends CiviUnitTestCase
{
21 use CRMTraits_ACL_PermissionTrait
;
23 public $DBResetRequired = FALSE;
26 public function setUp() {
28 $baoObj = new CRM_Core_DAO();
29 $baoObj->createTestObject('CRM_Pledge_BAO_Pledge', [], 1, 0);
30 $baoObj->createTestObject('CRM_Core_BAO_Phone', [], 1, 0);
31 $this->prepareForACLs();
36 * @see CiviUnitTestCase::tearDown()
38 public function tearDown() {
39 $this->cleanUpAfterACLs();
42 'civicrm_group_contact',
46 'civicrm_acl_entity_role',
47 'civicrm_acl_contact_cache',
48 'civicrm_contribution',
49 'civicrm_participant',
52 'civicrm_activity_contact',
57 $this->quickCleanup($tablesToTruncate);
61 * Function tests that an empty where hook returns no results.
63 * @dataProvider versionThreeAndFour
65 public function testContactGetNoResultsHook($version) {
66 $this->_apiversion
= $version;
67 $this->hookClass
->setHook('civicrm_aclWhereClause', [
69 'aclWhereHookNoResults',
71 $result = $this->callAPISuccess('contact', 'get', [
72 'check_permissions' => 1,
73 'return' => 'display_name',
75 $this->assertEquals(0, $result['count']);
79 * Function tests that an empty where hook returns exactly 1 result with "view my contact".
81 * CRM-16512 caused contacts with Edit my contact to be able to view all records.
83 * @dataProvider versionThreeAndFour
85 public function testContactGetOneResultHookWithViewMyContact($version) {
86 $this->_apiversion
= $version;
87 $this->createLoggedInUser();
88 $this->hookClass
->setHook('civicrm_aclWhereClause', [
90 'aclWhereHookNoResults',
92 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [
96 $result = $this->callAPISuccess('contact', 'get', [
97 'check_permissions' => 1,
98 'return' => 'display_name',
100 $this->assertEquals(1, $result['count']);
104 * Function tests that a user with "edit my contact" can edit themselves.
105 * @param int $version
106 * @dataProvider versionThreeAndFour
108 public function testContactEditHookWithEditMyContact($version) {
109 $this->_apiversion
= $version;
110 $cid = $this->createLoggedInUser();
111 $this->hookClass
->setHook('civicrm_aclWhereClause', [
113 'aclWhereHookNoResults',
115 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [
119 $this->callAPISuccess('contact', 'create', [
120 'check_permissions' => 1,
122 'first_name' => 'NewName',
127 * Ensure contact permissions do not block contact-less location entities.
128 * @param int $version
129 * @dataProvider versionThreeAndFour
131 public function testAddressWithoutContactIDAccess($version) {
132 $this->_apiversion
= $version;
133 $ownID = $this->createLoggedInUser();
134 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [
138 $this->callAPISuccess('Address', 'create', [
139 'city' => 'Mouseville',
140 'location_type_id' => 'Main',
141 'api.LocBlock.create' => 1,
142 'contact_id' => $ownID,
144 $this->callAPISuccessGetSingle('Address', [
145 'city' => 'Mouseville',
146 'check_permissions' => 1,
148 CRM_Core_DAO
::executeQuery('UPDATE civicrm_address SET contact_id = NULL WHERE contact_id = %1', [
154 $this->callAPISuccessGetSingle('Address', [
155 'city' => 'Mouseville',
156 'check_permissions' => 1,
161 * Ensure contact permissions extend to related entities like email
162 * @param int $version
163 * @dataProvider versionThreeAndFour
164 * FIXME: Finish api4 part
166 public function testRelatedEntityPermissions($version) {
167 $this->_apiversion
= $version;
168 $this->createLoggedInUser();
169 $disallowedContact = $this->individualCreate([], 0);
170 $this->allowedContactId
= $this->individualCreate([], 1);
171 $this->hookClass
->setHook('civicrm_aclWhereClause', [
175 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= ['access CiviCRM'];
177 'Email' => ['email' => 'null@nothing', 'location_type_id' => 1],
178 'Phone' => ['phone' => '123456', 'location_type_id' => 1],
179 'IM' => ['name' => 'hello', 'location_type_id' => 1],
180 'Website' => ['url' => 'http://test'],
182 'street_address' => '123 Sesame St.',
183 'location_type_id' => 1,
186 foreach ($testEntities as $entity => $params) {
188 'contact_id' => $disallowedContact,
189 'check_permissions' => 1,
191 // We should be prevented from getting or creating entities for a contact we don't have permission for
192 $this->callAPIFailure($entity, 'create', $params);
193 $this->callAPISuccess($entity, 'create', ['check_permissions' => 0] +
$params);
194 $results = $this->callAPISuccess($entity, 'get', [
195 'contact_id' => $disallowedContact,
196 'check_permissions' => 1,
198 $this->assertEquals(0, $results['count']);
200 // We should be allowed to create and get for contacts we do have permission on
201 $params['contact_id'] = $this->allowedContactId
;
202 $this->callAPISuccess($entity, 'create', $params);
203 $results = $this->callAPISuccess($entity, 'get', [
204 'contact_id' => $this->allowedContactId
,
205 'check_permissions' => 1,
207 $this->assertGreaterThan(0, $results['count']);
210 $this->markTestIncomplete('Skipping entity_id related perms in api4 for now.');
212 $newTag = civicrm_api3('Tag', 'create', [
216 'Note' => ['note' => 'abc'],
217 'EntityTag' => ['tag_id' => $newTag['id']],
219 foreach ($relatedEntities as $entity => $params) {
221 'entity_id' => $disallowedContact,
222 'entity_table' => 'civicrm_contact',
223 'check_permissions' => 1,
225 // We should be prevented from getting or creating entities for a contact we don't have permission for
226 $this->callAPIFailure($entity, 'create', $params);
227 $this->callAPISuccess($entity, 'create', ['check_permissions' => 0] +
$params);
228 $results = $this->callAPISuccess($entity, 'get', [
229 'entity_id' => $disallowedContact,
230 'entity_table' => 'civicrm_contact',
231 'check_permissions' => 1,
233 $this->assertEquals(0, $results['count']);
235 // We should be allowed to create and get for entities we do have permission on
236 $params['entity_id'] = $this->allowedContactId
;
237 $this->callAPISuccess($entity, 'create', $params);
238 $results = $this->callAPISuccess($entity, 'get', [
239 'entity_id' => $this->allowedContactId
,
240 'entity_table' => 'civicrm_contact',
241 'check_permissions' => 1,
243 $this->assertGreaterThan(0, $results['count']);
248 * Function tests all results are returned.
249 * @param int $version
250 * @dataProvider versionThreeAndFour
252 public function testContactGetAllResultsHook($version) {
253 $this->_apiversion
= $version;
254 $this->hookClass
->setHook('civicrm_aclWhereClause', [
256 'aclWhereHookAllResults',
258 $result = $this->callAPISuccess('contact', 'get', [
259 'check_permissions' => 1,
260 'return' => 'display_name',
263 $this->assertEquals(2, $result['count']);
267 * Function tests that deleted contacts are not returned.
268 * @param int $version
269 * @dataProvider versionThreeAndFour
271 public function testContactGetPermissionHookNoDeleted($version) {
272 $this->_apiversion
= $version;
273 $this->callAPISuccess('contact', 'create', ['id' => 2, 'is_deleted' => 1]);
274 $this->hookClass
->setHook('civicrm_aclWhereClause', [
276 'aclWhereHookAllResults',
278 $result = $this->callAPISuccess('contact', 'get', [
279 'check_permissions' => 1,
280 'return' => 'display_name',
282 $this->assertEquals(1, $result['count']);
286 * Test permissions limited by hook.
287 * @param int $version
288 * @dataProvider versionThreeAndFour
290 public function testContactGetHookLimitingHook($version) {
291 $this->_apiversion
= $version;
292 $this->hookClass
->setHook('civicrm_aclWhereClause', [
294 'aclWhereOnlySecond',
297 $result = $this->callAPISuccess('contact', 'get', [
298 'check_permissions' => 1,
299 'return' => 'display_name',
301 $this->assertEquals(1, $result['count']);
305 * Confirm that without check permissions we still get 2 contacts returned.
306 * @param int $version
307 * @dataProvider versionThreeAndFour
309 public function testContactGetHookLimitingHookDontCheck($version) {
310 $this->_apiversion
= $version;
311 $result = $this->callAPISuccess('contact', 'get', [
312 'check_permissions' => 0,
313 'return' => 'display_name',
315 $this->assertEquals(2, $result['count']);
319 * Check that id works as a filter.
320 * @param int $version
321 * @dataProvider versionThreeAndFour
323 public function testContactGetIDFilter($version) {
324 $this->_apiversion
= $version;
325 $this->hookClass
->setHook('civicrm_aclWhereClause', [
327 'aclWhereHookAllResults',
329 $result = $this->callAPISuccess('contact', 'get', [
332 'check_permissions' => 1,
335 $this->assertEquals(1, $result['count']);
336 $this->assertEquals(2, $result['id']);
340 * Check that address IS returned.
342 public function testContactGetAddressReturned() {
343 $this->hookClass
->setHook('civicrm_aclWhereClause', [
345 'aclWhereOnlySecond',
347 $fullresult = $this->callAPISuccess('contact', 'get', [
350 //return doesn't work for all keys - can't fix that here so let's skip ...
351 //prefix & suffix are inconsistent due to CRM-7929
352 // unsure about others but return doesn't work on them
353 $elementsReturnDoesntSupport = [
364 $expectedReturnElements = array_diff(array_keys($fullresult['values'][0]), $elementsReturnDoesntSupport);
365 $result = $this->callAPISuccess('contact', 'get', [
366 'check_permissions' => 1,
367 'return' => $expectedReturnElements,
370 $this->assertEquals(1, $result['count']);
371 foreach ($expectedReturnElements as $element) {
372 $this->assertArrayHasKey($element, $result['values'][0]);
377 * Check that pledge IS not returned.
378 * @param int $version
379 * @dataProvider versionThreeAndFour
381 public function testContactGetPledgeIDNotReturned($version) {
382 $this->_apiversion
= $version;
383 $this->hookClass
->setHook('civicrm_aclWhereClause', [
385 'aclWhereHookAllResults',
387 $this->callAPISuccess('contact', 'get', [
390 $result = $this->callAPISuccess('contact', 'get', [
391 'check_permissions' => 1,
392 'return' => 'pledge_id',
395 $this->assertArrayNotHasKey('pledge_id', $result['values'][0]);
399 * Check that pledge IS not an allowable filter.
401 public function testContactGetPledgeIDNotFiltered() {
402 $this->hookClass
->setHook('civicrm_aclWhereClause', [
404 'aclWhereHookAllResults',
406 $this->callAPISuccess('contact', 'get', [
409 $result = $this->callAPISuccess('contact', 'get', [
410 'check_permissions' => 1,
414 $this->assertEquals(2, $result['count']);
418 * Check that chaining doesn't bypass permissions
419 * @param int $version
420 * @dataProvider versionThreeAndFour
422 public function testContactGetPledgeNotChainable($version) {
423 $this->_apiversion
= $version;
424 $this->hookClass
->setHook('civicrm_aclWhereClause', [
426 'aclWhereOnlySecond',
428 $this->callAPISuccess('contact', 'get', [
431 $this->callAPIFailure('contact', 'get', [
432 'check_permissions' => 1,
433 'api.pledge.get' => 1,
436 'Error in call to Pledge_get : API permission check failed for Pledge/get call; insufficient permission: require access CiviCRM and access CiviPledge'
440 public function setupCoreACL() {
441 $this->createLoggedInUser();
442 $this->_permissionedDisabledGroup
= $this->groupCreate([
443 'title' => 'pick-me-disabled',
445 'name' => 'pick-me-disabled',
447 $this->_permissionedGroup
= $this->groupCreate([
448 'title' => 'pick-me-active',
450 'name' => 'pick-me-active',
456 * @dataProvider entities
457 * confirm that without check permissions we still get 2 contacts returned
460 public function testEntitiesGetHookLimitingHookNoCheck($entity) {
461 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [];
462 $this->setUpEntities($entity);
463 $this->hookClass
->setHook('civicrm_aclWhereClause', [
465 'aclWhereHookNoResults',
467 $result = $this->callAPISuccess($entity, 'get', [
468 'check_permissions' => 0,
469 'return' => 'contact_id',
471 $this->assertEquals(2, $result['count']);
475 * @dataProvider entities
476 * confirm that without check permissions we still get 2 entities returned
479 public function testEntitiesGetCoreACLLimitingHookNoCheck($entity) {
480 $this->setupCoreACL();
481 //CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
482 $this->setUpEntities($entity);
483 $this->hookClass
->setHook('civicrm_aclWhereClause', [
485 'aclWhereHookNoResults',
487 $result = $this->callAPISuccess($entity, 'get', [
488 'check_permissions' => 0,
489 'return' => 'contact_id',
491 $this->assertEquals(2, $result['count']);
495 * @dataProvider entities
496 * confirm that with check permissions we don't get entities
498 * @throws \PHPUnit\Framework\IncompleteTestError
500 public function testEntitiesGetCoreACLLimitingCheck($entity) {
501 $this->setupCoreACL();
502 $this->setUpEntities($entity);
503 $result = $this->callAPISuccess($entity, 'get', [
504 'check_permissions' => 1,
505 'return' => 'contact_id',
507 $this->assertEquals(0, $result['count']);
511 * @dataProvider entities
512 * Function tests that an empty where hook returns no results
513 * @param string $entity
514 * @throws \PHPUnit\Framework\IncompleteTestError
516 public function testEntityGetNoResultsHook($entity) {
517 $this->markTestIncomplete('hook acls only work with contacts so far');
518 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [];
519 $this->setUpEntities($entity);
520 $this->hookClass
->setHook('civicrm_aclWhereClause', [
522 'aclWhereHookNoResults',
524 $result = $this->callAPISuccess($entity, 'get', [
525 'check_permission' => 1,
527 $this->assertEquals(0, $result['count']);
533 public static function entities() {
537 // @todo array('pledge' => 'pledge')
545 public function setUpEntities($entity) {
546 $baoObj = new CRM_Core_DAO();
547 $baoObj->createTestObject(_civicrm_api3_get_BAO($entity), [], 2, 0);
548 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= [
550 'access CiviContribute',
552 'view event participants',
557 * Basic check that an unpermissioned call keeps working and permissioned call fails.
558 * @param int $version
559 * @dataProvider versionThreeAndFour
561 public function testGetActivityNoPermissions($version) {
562 $this->_apiversion
= $version;
563 $this->setPermissions([]);
564 $this->callAPISuccess('Activity', 'get', []);
565 $this->callAPIFailure('Activity', 'get', ['check_permissions' => 1]);
569 * View all activities is enough regardless of contact ACLs.
570 * @param int $version
571 * @dataProvider versionThreeAndFour
573 public function testGetActivityViewAllActivitiesDoesntCutItAnymore($version) {
574 $this->_apiversion
= $version;
575 $activity = $this->activityCreate();
576 $this->setPermissions(['view all activities', 'access CiviCRM']);
577 $this->callAPISuccessGetCount('Activity', [
578 'check_permissions' => 1,
579 'id' => $activity['id'],
584 * View all activities is required unless id is passed in.
585 * @param int $version
586 * @dataProvider versionThreeAndFour
588 public function testGetActivityViewAllContactsEnoughWithoutID($version) {
589 $this->_apiversion
= $version;
590 $this->setPermissions(['view all contacts', 'access CiviCRM']);
591 $this->callAPISuccess('Activity', 'get', ['check_permissions' => 1]);
595 * Without view all activities contact level acls are used.
596 * @param int $version
597 * @dataProvider versionThreeAndFour
599 public function testGetActivityViewAllContactsEnoughWIthID($version) {
600 $this->_apiversion
= $version;
601 $activity = $this->activityCreate();
602 $this->setPermissions(['view all contacts', 'access CiviCRM']);
603 $this->callAPISuccess('Activity', 'getsingle', [
604 'check_permissions' => 1,
605 'id' => $activity['id'],
610 * Check the error message is not a permission error.
611 * @param int $version
612 * @dataProvider versionThreeAndFour
614 public function testGetActivityAccessCiviCRMEnough($version) {
615 $this->_apiversion
= $version;
616 $activity = $this->activityCreate();
617 $this->setPermissions(['access CiviCRM']);
618 $this->callAPIFailure('Activity', 'getsingle', [
619 'check_permissions' => 1,
620 'id' => $activity['id'],
621 ], 'Expected one Activity but found 0');
622 $this->callAPISuccessGetCount('Activity', [
623 'check_permissions' => 1,
624 'id' => $activity['id'],
629 * Check that component related activity filtering.
631 * If the contact does NOT have permission to 'view all contacts' but they DO have permission
632 * to view the contact in question they will only see the activities of components they have access too.
634 * (logically the same component limit should apply when they have access to view all too but....
635 * adding test for 'how it is at the moment.)
636 * @param int $version
637 * @dataProvider versionThreeAndFour
639 public function testGetActivityCheckPermissionsByComponent($version) {
640 $this->_apiversion
= $version;
641 $activity = $this->activityCreate(['activity_type_id' => 'Contribution']);
642 $activity2 = $this->activityCreate(['activity_type_id' => 'Pledge Reminder']);
643 $this->hookClass
->setHook('civicrm_aclWhereClause', [
645 'aclWhereHookAllResults',
647 $this->setPermissions(['access CiviCRM', 'access CiviContribute']);
648 $this->callAPISuccessGetSingle('Activity', [
649 'check_permissions' => 1,
650 'id' => ['IN' => [$activity['id'], $activity2['id']]],
652 $this->callAPISuccessGetCount('Activity', [
653 'check_permissions' => 1,
654 'id' => ['IN' => [$activity['id'], $activity2['id']]],
660 * Check that component related activity filtering works for CiviCase.
661 * @param int $version
662 * @dataProvider versionThreeAndFour
664 public function testGetActivityCheckPermissionsByCaseComponent($version) {
665 $this->_apiversion
= $version;
666 CRM_Core_BAO_ConfigSetting
::enableComponent('CiviCase');
667 $activity = $this->activityCreate(['activity_type_id' => 'Open Case']);
668 $activity2 = $this->activityCreate(['activity_type_id' => 'Pledge Reminder']);
669 $this->hookClass
->setHook('civicrm_aclWhereClause', [
671 'aclWhereHookAllResults',
673 $this->setPermissions([
675 'access CiviContribute',
676 'access all cases and activities',
678 $this->callAPISuccessGetSingle('Activity', [
679 'check_permissions' => 1,
680 'id' => ['IN' => [$activity['id'], $activity2['id']]],
682 $this->callAPISuccessGetCount('Activity', [
683 'check_permissions' => 1,
684 'id' => ['IN' => [$activity['id'], $activity2['id']]],
689 * Check that activities can be retrieved by ACL.
691 * The activities api applies ACLs in a very limited circumstance, if id is passed in.
692 * Otherwise it sticks with the blunt original permissions.
693 * @param int $version
694 * @dataProvider versionThreeAndFour
696 public function testGetActivityByACL($version) {
697 $this->_apiversion
= $version;
698 $this->setPermissions(['access CiviCRM']);
699 $activity = $this->activityCreate();
701 $this->hookClass
->setHook('civicrm_aclWhereClause', [
703 'aclWhereHookAllResults',
705 $this->callAPISuccessGetSingle('Activity', [
706 'check_permissions' => 1,
707 'id' => $activity['id'],
709 $this->callAPISuccessGetCount('Activity', [
710 'check_permissions' => 1,
711 'id' => $activity['id'],
716 * To leverage ACL permission to view an activity you must be able to see any of the contacts.
719 public function testGetActivityByAclCannotViewAllContacts() {
720 $activity = $this->activityCreate(['assignee_contact_id' => $this->individualCreate()]);
721 $contacts = $this->getActivityContacts($activity);
722 $this->setPermissions(['access CiviCRM']);
724 foreach ($contacts as $role => $contact_id) {
725 $this->allowedContactId
= $contact_id;
726 $this->hookClass
->setHook('civicrm_aclWhereClause', [
730 $this->cleanupCachedPermissions();
731 $result = $this->callAPISuccessGetSingle('Activity', [
732 'check_permissions' => 1,
733 'id' => $activity['id'],
737 'assignee_contact_id',
745 $roleKey = $roleName . '_id';
746 if ($role !== $roleKey) {
747 $this->assertTrue(empty($result[$roleKey]), "Only contact in $role is permissioned to be returned, not $roleKey");
750 $this->assertEquals([$contact_id], (array) $result[$roleKey]);
751 $this->assertTrue(!empty($result[$roleName . '_name']));
758 * To leverage ACL permission to view an activity you must be able to see any of the contacts.
759 * @param int $version
760 * @dataProvider versionThreeAndFour
762 public function testGetActivityByAclCannotViewAnyContacts($version) {
763 $this->_apiversion
= $version;
764 $activity = $this->activityCreate();
765 $contacts = $this->getActivityContacts($activity);
766 $this->setPermissions(['access CiviCRM']);
768 foreach ($contacts as $contact_id) {
769 $this->callAPIFailure('Activity', 'getsingle', [
770 'check_permissions' => 1,
771 'id' => $activity['id'],
777 * Check that if the source contact is deleted but we can view the others we can see the activity.
781 * @throws \CRM_Core_Exception
782 * @param int $version
783 * @dataProvider versionThreeAndFour
785 public function testGetActivityACLSourceContactDeleted($version) {
786 $this->_apiversion
= $version;
787 $this->setPermissions(['access CiviCRM', 'delete contacts']);
788 $activity = $this->activityCreate();
789 $contacts = $this->getActivityContacts($activity);
791 $this->hookClass
->setHook('civicrm_aclWhereClause', [
793 'aclWhereHookAllResults',
795 $this->contactDelete($contacts['source_contact_id']);
796 $this->callAPISuccess('Activity', 'getsingle', [
797 'check_permissions' => 1,
798 'id' => $activity['id'],
803 * Test get activities multiple ids with check permissions
805 * @param int $version
806 * @dataProvider versionThreeAndFour
808 public function testActivitiesGetMultipleIdsCheckPermissions($version) {
809 $this->_apiversion
= $version;
810 $this->createLoggedInUser();
811 $activity = $this->activityCreate();
812 $activity2 = $this->activityCreate();
813 $this->setPermissions(['access CiviCRM']);
814 $this->hookClass
->setHook('civicrm_aclWhereClause', [
816 'aclWhereHookAllResults',
818 // Get activities associated with contact $this->_contactID.
820 'id' => ['IN' => [$activity['id'], $activity2['id']]],
821 'check_permissions' => TRUE,
823 $result = $this->callAPISuccess('activity', 'get', $params);
824 $this->assertEquals(2, $result['count']);
828 * Test get activities multiple ids with check permissions
829 * Limit access to One contact
831 * @param int $version
832 * @dataProvider versionThreeAndFour
834 public function testActivitiesGetMultipleIdsCheckPermissionsLimitedACL($version) {
835 $this->_apiversion
= $version;
836 $this->createLoggedInUser();
837 $activity = $this->activityCreate();
838 $contacts = $this->getActivityContacts($activity);
839 $this->setPermissions(['access CiviCRM']);
840 foreach ($contacts as $contact_id) {
841 $this->allowedContacts
[] = $contact_id;
843 $this->hookClass
->setHook('civicrm_aclWhereClause', [
845 'aclWhereMultipleContacts',
847 $contact2 = $this->individualCreate();
848 $activity2 = $this->activityCreate(['source_contact_id' => $contact2]);
849 // Get activities associated with contact $this->_contactID.
851 'id' => ['IN' => [$activity['id']]],
852 'check_permissions' => TRUE,
854 $result = $this->callAPISuccess('activity', 'get', $params);
855 $this->assertEquals(1, $result['count']);
856 $this->callAPIFailure('activity', 'getsingle', array_merge($params, [
865 * Test get activities multiple ids with check permissions
867 * @param int $version
868 * @dataProvider versionThreeAndFour
870 public function testActivitiesGetMultipleIdsCheckPermissionsNotIN($version) {
871 $this->_apiversion
= $version;
872 $this->createLoggedInUser();
873 $activity = $this->activityCreate();
874 $activity2 = $this->activityCreate();
875 $this->setPermissions(['access CiviCRM']);
876 $this->hookClass
->setHook('civicrm_aclWhereClause', [
878 'aclWhereHookAllResults',
880 // Get activities associated with contact $this->_contactID.
882 'id' => ['NOT IN' => [$activity['id'], $activity2['id']]],
883 'check_permissions' => TRUE,
885 $result = $this->callAPISuccess('activity', 'get', $params);
886 $this->assertEquals(0, $result['count']);
890 * Get the contacts for the activity.
895 * @throws \CRM_Core_Exception
897 protected function getActivityContacts($activity) {
900 $activityContacts = $this->callAPISuccess('ActivityContact', 'get', [
901 'activity_id' => $activity['id'],
904 $activityRecordTypes = $this->callAPISuccess('ActivityContact', 'getoptions', ['field' => 'record_type_id']);
905 foreach ($activityContacts['values'] as $activityContact) {
906 $type = $activityRecordTypes['values'][$activityContact['record_type_id']];
908 case 'Activity Source':
909 $contacts['source_contact_id'] = $activityContact['contact_id'];
912 case 'Activity Targets':
913 $contacts['target_contact_id'] = $activityContact['contact_id'];
916 case 'Activity Assignees':
917 $contacts['assignee_contact_id'] = $activityContact['contact_id'];
926 * Test that the 'everyone' group can be given access to a contact.
929 public function testGetACLEveryonePermittedEntity() {
930 $this->setupScenarioCoreACLEveryonePermittedToGroup();
931 $this->callAPISuccessGetCount('Contact', [
932 'id' => $this->scenarioIDs
['Contact']['permitted_contact'],
933 'check_permissions' => 1,
936 $this->callAPISuccessGetCount('Contact', [
937 'id' => $this->scenarioIDs
['Contact']['non_permitted_contact'],
938 'check_permissions' => 1,
941 // Also check that we can access ACLs through a path that uses the acl_contact_cache table.
942 // historically this has caused errors due to the key_constraint on that table.
943 // This is a bit of an artificial check as we have to amp up permissions to access this api.
944 // However, the lower level function is more directly accessed through the Contribution & Event & Profile
945 $dupes = $this->callAPISuccess('Contact', 'duplicatecheck', [
947 'first_name' => 'Anthony',
948 'last_name' => 'Anderson',
949 'contact_type' => 'Individual',
950 'email' => 'anthony_anderson@civicrm.org',
952 'check_permissions' => 0,
954 $this->assertEquals(2, $dupes['count']);
955 CRM_Core_Config
::singleton()->userPermissionClass
->permissions
= ['access CiviCRM'];
957 $dupes = $this->callAPISuccess('Contact', 'duplicatecheck', [
959 'first_name' => 'Anthony',
960 'last_name' => 'Anderson',
961 'contact_type' => 'Individual',
962 'email' => 'anthony_anderson@civicrm.org',
964 'check_permissions' => 1,
966 $this->assertEquals(1, $dupes['count']);